Privacy Policy according to Article 13 of the GDPR

Last updated: 24 March 2021

Thank you for your interest in the information on our website!

This Privacy Policy is intended to help inform the users of our website about the type, scope and purposes of the processing of personal data. Personal data in this context is understood as all information which can be used to personally identify you as a user of our website, including your IP address and information stored in cookies.

In a general section of this Privacy Policy, we also provide you with information on data protection that generally applies to our processing of data, including data collection on our website. In particular, your rights as the data subject are explained.

The terms used in our Privacy Policy and our data protection practices are based on the provisions of the EU General Data Protection Regulation (“GDPR”) and other relevant national legal provisions.

Controller within the meaning of the GDPR

COLOP Arts & Crafts

Schnellewindgasse 8
4700 Eupen
Belgium

E: info@colopartsandcrafts.com
T: +32 (0)87 74 22 82

Data collection on our website

Personal data is collected from you when you expressly provide it to us, while other data, such as technical data in particular, is collected automatically when you visit our website. Some of this data is collected to ensure the correct functioning of our website. Other data may be used for analytical purposes. However, it is possible to use the basic functions of our website without having to provide any personal information at all.

Technologies used on our website

AdScale

Our website uses the AdScale service, which is provided by Ströer Digital Media GmbH, Ströer Allee 1, 50999 Cologne, Germany (“AdScale”).

AdScale uses technical features, in particular cookies, to display ads that are relevant to you. The advertising is optimised for you by collecting and processing your usage behaviour based on predicted interests. Third-party companies also use cookies for this purpose on behalf of AdScale. This allows AdScale to analyse the use of online advertising that might be of interest to you according to your preferences. Under no circumstances will data such as your name, address or e-mail address be stored. If your IP address is recorded, it will be anonymised immediately.

The processing of your data is based on your consent in accordance with Article 6 (1) (a) of the GDPR. You can also opt out of the use of this service by clicking on the following link: http://ih.adscale.de/adscale-ih/oo

For more information about the data privacy of this service, please visit https://www.stroeer.de/service/datenschutz.html

Cookies

We use cookies to make our website more functional and user-friendly. Some cookies remain stored on your terminal device.

Cookies are small data packages that are exchanged between your browser and the/our web server when you visit our website. They do not cause any damage; they simply ensure that the visitor to our website is recognised during a subsequent visit. Cookies can only store information supplied by your browser, i.e. information that you yourself have entered into the browser or that is available on the website. Cookies cannot execute code and cannot be used to access your terminal device.

The next time you visit our website on the same terminal device, the information stored in cookies may subsequently be sent back either to us (“first-party cookie”) or to a third-party web application to which the cookie belongs (“third-party cookie”). By using the stored and returned information, the respective web application recognises that you have previously called up and visited our website via the browser of your terminal device.

Cookies contain the following information:

  • cookie name
  • name of the server from which the cookie originated
  • cookie ID number
  • a date on which the cookie will be automatically deleted

Depending on the respective purpose and function of cookies, we divide them into the following categories:

  • Technically necessary cookies, which ensure the technical operation and basic functions of our website. These types of cookies are used, for example, to retain your preferences as you navigate the site; or they can ensure that important information is retained throughout your session (e.g. login, shopping cart).
  • Statistical cookies to understand how visitors interact with our website by collecting and analysing exclusively anonymous information. This allows us to gain valuable insights that help us optimise both the website and our products and services.
  • Marketing cookies to set targeted advertising activities for users on our website.
  • Unclassified cookies are cookies that we are currently trying to classify together with the providers of the individual cookies.

Depending on the storage period, we also divide cookies into session cookies and persistent cookies. Session cookies store information used during your current browser session. These cookies are automatically deleted when the browser is closed. No information remains on your terminal device. Persistent cookies store information between two visits to the website. Based on this information, you will be recognised as a returning visitor on your next visit and the website will respond accordingly. The lifetime of a persistent cookie is determined by the cookie provider.

The use of technically necessary cookies is based on our legitimate interest in the technically flawless operation and error-free functioning of our website in accordance with Article 6 (1) (f) of the GDPR. Our website cannot function properly without these cookies. The use of statistical and marketing cookies requires your consent in accordance with Article 6 (1) (a) of the GDPR. In accordance with Article 7 (3) of the GDPR, you can withdraw your consent to the use of cookies at any time with effect for the future. Your consent is voluntary. No disadvantages will arise for you should you not grant your consent. You will find more information about the cookies we actually use (in particular, their purpose and storage periods) in this Privacy Policy and in the information about the cookies we use, which is provided in our cookie banner.

You can also set your Internet browser to generally prevent the saving of cookies on your terminal device or to ask you each time whether you agree to cookies being placed. Once cookies have been placed, you can delete them at any time. You can find out how this works in detail by going to the “Help” function of your browser.

Please note that as a result of a general deactivation of cookies, the functioning of our website may be restricted.

Facebook Pixel

Our website uses the Facebook Pixel service of the social network Facebook, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (“Facebook”), for the analysis, optimisation and economic operation of our online offer.

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

With the help of Facebook Pixel, it is possible for Facebook to determine the visitors to our website as a target group for the display of advertisements (so-called “Facebook ads”). Accordingly, we use Facebook Pixel to display Facebook ads placed by us only to those Facebook users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited) that we transmit to Facebook (so-called “custom audiences”). By using Facebook Pixel, we also wish to make sure that our Facebook ads match the potential interest of the users and are not seen as a nuisance. Facebook Pixel also allows us to track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users are redirected to our website after clicking on a Facebook ad (so-called “conversion”).

Your actions are stored in one or more cookies. These cookies allow Facebook to match your user data (such as IP address and user ID) with your Facebook account data. The collected data is anonymous, not accessible by us and can only be used for advertising purposes. You can prevent the linking to your account by logging out of Facebook before you take any action.

The processing of your data is based on your consent within the meaning of Article 6 (1) (a) of the GDPR. You can withdraw this consent at any time with effect for the future.

For more information about how Facebook processes personal data, including the legal bases on which Facebook relies and how data subjects can exercise their rights against Facebook, please see Facebook’s Data Policy available at: https://de-de.facebook.com/policy.php

To set what types of ads you are shown on Facebook, you can go to the page set up by Facebook and follow the instructions there about usage-based advertising settings: https://www.facebook.com/settings?tab=ads. The settings are platform-independent, which means that they are applied across all devices, such as desktop computers or mobile devices.

For general guidance on the display of Facebook ads, please visit https://de-de.facebook.com/policy.php

For specific information and details about Facebook Pixel and how it works, visit Facebook’s help section: https://de-de.facebook.com/business/help/651294705016616

Google Analytics

Our website uses the functions of the Google Analytics web analysis service for the purpose of analysing usage behaviour and optimising our website. The provider of this service is Google Ireland Limited, Barrow Street, Dublin 4, Ireland (“Google”).

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

Google Analytics uses cookies, which enable an analysis of the use of our website.

Information about the use of the website, such as browser type/version, operating system used, the previously visited page, host name of the accessing computer (IP address) and time of the server request, are usually transmitted to a Google server and stored there. For this purpose, we have concluded an order processing contract with Google in accordance with Article 28 of the GDPR.

On our behalf, Google will use this information to evaluate the use of our website, to compile reports on the activities on our website and to provide us with other services related to the use of our website and the Internet. According to information provided by Google, the IP address transmitted by your browser is not merged with other Google data.

We use Google Analytics exclusively with IP anonymisation enabled by adding the code “anonymizeIP” to this website. This guarantees that your IP address is masked so that all data is collected anonymously. Only in exceptional cases will Google transmit the complete IP address to a server and truncate it there.

During your visit to our website, among other things, the following data is collected:

– the pages you have visited, your “click path”
– achievement of “website goals” (conversions, e.g. newsletter registrations, downloads, purchases)
– your user behaviour (e.g. clicks, visit duration, bounce rates)
– your approximate location (region)
– your IP address (in truncated form)
– technical information about your browser and the terminal devices used (e.g. language settings, screen resolution)
– your internet provider
– the referrer URL (the website/advertising material via which you reach our website)

The data about the use of our website will be erased immediately following the expiry of the retention period set by us in each case. Google Analytics provides us with the following options in respect of the retention period: 14 months, 26 months, 38 months, 50 months, no automatic erasure. You can ask us at any time about the current retention period set by us.

The processing of your data using Google Analytics is based on your express consent within the meaning of Article 6 (1) (a) of the GDPR. You can withdraw your consent at any time with effect for the future.

In addition, you can prevent the collection of data by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout

You can find out exactly where Google data centres are located here: https://www.google.com/about/datacenters/inside/locations/

For more information about Google’s use of your data and your ability to change your settings or to opt out, please visit Google’s Privacy Policy available at: https://policies.google.com/privacy

Google Fonts

Our website uses so-called web fonts, which are provided by Google, for the uniform display of fonts. Google Fonts is a service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

For the purpose of displaying web fonts, the browser you are using must establish a connection with Google servers. When this happens, Google is informed that our website has been accessed via your IP address. The IP address of the terminal device browser of the visitor to our website is also stored by Google. If your browser does not support web fonts, instead, a standard font will be used on your terminal device.

Together with each Google Font request, information such as language settings, screen resolution, version and browser name are automatically transmitted to Google servers in addition to the IP address. The usage data collected allows Google to determine the popularity of each font. Google publishes the results on internal analysis pages (e.g. Google Analytics).

Thanks to Google Fonts, we can use fonts on our own website and do not need to upload them onto our server. Google Fonts is an important component which ensures the high quality of our website. All Google Fonts are automatically optimised for the web, which saves data volume and is a great advantage, especially when using mobile devices. When you visit us, the low file size ensures fast loading times. Furthermore, Google Fonts are secure web fonts which support all major browsers.

The processing of your data is therefore based on our legitimate interest in a uniform and appealing presentation of our online offer. This represents a legitimate interest within the meaning of Article 6 (1) (f) of the GDPR.

Google stores requests for CSS assets on its servers for one day. This allows us to use fonts with the help of a Google stylesheet. The font files are stored by Google for one year. To have this data erased earlier, you must contact Google Support (https://support.google.com).

You can find out exactly where Google data centres are located here: https://www.google.com/about/datacenters/inside/locations/

Further information on Google Web Fonts can be found at: https://developers.google.com/fonts/faq and in Google’s Privacy Policy: https://policies.google.com/privacy

Google reCAPTCHA

Our website uses the reCAPTCHA service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”) for protection against misuse by non-human visitors (bots) and to prevent spam.

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

When reCAPTCHA starts, your browser connects to Google servers. When this happens, Google is informed that our website has been accessed via your IP address.

reCAPTCHA is used to check whether the data entered on our website has been entered by a human or by an automated program. To do this, reCAPTCHA analyses the behaviour of the website visitor based on various characteristics. This analysis starts automatically as soon as the website visitor enters our website. reCAPTCHA evaluates various information for the purposes of this analysis.

According to our information, the following data is processed by Google:

  • the address of the page the visitor has come from
  • IP address
  • information about the operating system
  • cookies
  • mouse and keyboard behaviour
  • date and language settings
  • all JavaScript objects
  • screen resolution

The data collected during the analysis is forwarded to Google and used by Google. The reCAPTCHA analysis takes place completely in the background.

Cookies are used for the processing of the service. These cookies require a unique identifier for tracking purposes. According to Google, the IP address is not merged with other data from other Google services, unless you are logged into your Google account while using the reCAPTCHA plugin.

You can find out exactly where Google data centres are located here: https://www.google.com/about/datacenters/inside/locations/
For more information about Google reCAPTCHA, click here: https://developers.google.com/recaptcha/

Please see the following link for Google’s Privacy Policy: https://policies.google.com/privacy

Google Tag Manager

Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”).

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

When Google Tag Manager starts, your browser connects to Google servers. When this happens, Google is informed that our website has been accessed via your IP address.

Tag Manager is a service that allows us to manage website tags via an interface. This allows us to include code snippets such as tracking codes or conversion pixels on websites without interfering with the source code. The data is only forwarded by Tag Manager, and is not collected or stored. Tag Manager itself is a cookie-less domain and does not process any personal data, as it exclusively serves the purpose of managing other services in our online offer. Tag Manager takes care of resolving other tags which may, in turn, collect data. However, Tag Manager does not access this data. If the user opts for deactivation at the domain or cookie level, this remains in place for all tracking tags implemented using Tag Manager.

You can find out exactly where Google data centres are located here: https://www.google.com/about/datacenters/inside/locations/

Further information on data protection can be found on the following Google web pages:

Privacy Policy: https://policies.google.com/privacy
FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html
Google Tag Manager Terms of Service: https://marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/

Hosting

As part of the hosting of our website, all data to be processed in connection with the operation of our website is stored. This is necessary to enable the operation of the website. We therefore process the data accordingly on the basis of our legitimate interest in optimising our website offer pursuant to Article 6 (1) (f) of the GDPR. For the purpose of the provision of our website, we use the services of web hosting providers to whom we make the aforementioned data available within the framework of order processing in accordance with Article 28 of the GDPR.

Contact

When you contact us, your data will be used to process the contact request and its handling in the context of the fulfilment of pre-contractual rights and obligations pursuant to Article 6 (1) (b) of the GDPR. The processing of your data is necessary for the handling and responding to your request, as we would otherwise not be able to answer your request or could only provide a limited response. The information may be stored in a database of customers and prospective customers on the basis of our legitimate interest in direct marketing pursuant to Article 6 (1) (f) of the GDPR.

We will erase your request and your contact data as soon as your enquiry has been conclusively resolved and provided that its erasure does not conflict with any statutory retention periods, e.g. in the context of subsequent contract processing. This is usually the case when there has been no contact with you for three years.

LinkedIn Conversion Tracking (Marketing)

Our website uses LinkedIn Conversion Tracking, which is a web analytics service provided by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA.

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

The information collected by the LinkedIn Insight tag about your use of our website is encrypted.

Your data is processed on the basis of your consent in accordance with Article 6 (1) (a) of the GDPR. This consent can be withdrawn at any time with effect for the future.

LinkedIn members also have the possibility to opt out of LinkedIn Conversion Tracking and block and delete cookies or disable demographic features by visiting the following link: https://www.linkedin.com/psettings/advertising/. LinkedIn settings do not offer a separate opt-out option for third-party impressions or click tracking for campaigns running on LinkedIn, as all such campaigns respect LinkedIn members’ preferences.

We use LinkedIn Conversion Tracking to analyse and regularly improve the use of our website. The statistics thus obtained enable us to improve our offer and make it more interesting for you as a user.

More information from the third-party provider:

http://www.linkedin.com/legal/privacy-policy
https://www.linkedin.com/help/lms/answer/85787
https://www.linkedin.com/help/linkedin/answer/87150/linkedin-marketinglosungen-und-die-datenschutz-grundverordnung-dsgvo-?lang=de

Server log files

For technical reasons, in particular to ensure the functionality and security of our website, we process technically necessary data concerning access to our website in so-called server log files, which your browser automatically transmits to us.

The access data we process includes:

  • name of the accessed website
  • type and version of browser used
  • operating system used by the visitor
  • the website previously visited by the visitor (referrer URL)
  • time of the server request
  • data volume transferred
  • host name of the accessing computer (IP address)

This data is not assigned to any natural person and is only used for statistical evaluations and for the operation and improvement of our website, as well as for the security and optimisation of our Internet offer. The data is only transmitted to our website host, and is not linked or merged with other data sources. If there is any suspicion of illegal use of our website, we reserve the right to check this data retrospectively. The processing of such data is based on our legitimate interest in the technically error-free presentation and optimisation of our website pursuant to Article 6 (1) (f) of the GDPR.

The access data is erased shortly after the purpose has been fulfilled, usually after a few days, insofar as no further storage is required for evidential purposes. Otherwise, the data will be kept until such a time as any incident has been conclusively resolved.

SSL encryption

For your visit to our website, we use the common SSL procedure (Secure Sockets Layer) in connection with the highest encryption level supported by your browser. The transmission of an individual page of our website in encrypted form is indicated by a key or padlock symbol displayed in the status bar of your browser. The use of this procedure is based on our legitimate interest in the use of suitable encryption techniques pursuant to Article 6 (1) (f) of the GDPR.

We also use appropriate technical and organisational security measures in accordance with Article 32 of the GDPR to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorised access by third parties. Our security measures are continuously improved in line with technological developments and the state of the art.

Vimeo

Videos of the “Vimeo” platform of the provider Vimeo Inc, Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA (“Vimeo”) are embedded on our website.

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

If you call up web pages of our online offer that contain a Vimeo plugin, a connection will be established with Vimeo servers and the plugin will thus be displayed. This transmits your IP address to the Vimeo server, as well as information about the specific pages of our website which you have visited. If you are logged in as a Vimeo member, Vimeo will assign this information to your personal user account. When you use the plugin, e.g. when you click on the start button of a video, this information will also be assigned to your user account. You can prevent this assignment by logging out of your Vimeo user account before using our website.

Should you wish to prevent the transmission and storage of data about you and your behaviour on our website by Vimeo, you must log out of Vimeo before you visit our website.

For more information, in particular on the collection and use of data by Vimeo, please refer to Vimeo’s Privacy Policy available at: https://vimeo.com/privacy.

WebCare

To obtain consent for the use of cookies and tools on our website in accordance with data protection regulations, we use the Consent Banner from DataReporter WebCare. This is a service provided by DataReporter GmbH, Zeileisstraße 6, 4600 Wels, Austria (“DataReporter”).

For more information about this company, please visit www.datareporter.eu. The Consent Banner records and stores the decision of the respective user of our website. Our Consent Banner guarantees that no statistical and marketing cookies are placed on the user’s device unless they have given their explicit consent to their use.

For this purpose, we store information on the extent of the use of cookies confirmed by the user. The user’s decision can be withdrawn at any time by accessing the cookies settings and managing the declaration of consent. Existing cookies will be deleted after withdrawal of consent. A cookie is also placed to store information about the status of the user’s consent, which is indicated in the cookie details. Furthermore, the IP address of the respective user is transmitted to DataReporter servers when this service is called up. The IP address is neither stored nor associated with any other data of the user, and it is only used for the correct execution of the service. The use of the above data is therefore based on our legitimate interest in the legally compliant design of our website pursuant to Article 6 (1) (f) of the GDPR.

For more information, please refer to DataReporter’s Privacy Policy available at: https://www.datareporter.eu/datenschutz. Please feel free to send enquiries about this service to office@datareporter.eu

YouTube

Our website uses the “YouTube” service to embed videos. The provider of the service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“YouTube”).

ATTENTION! As part of this service, data transmission to the USA takes place or cannot be ruled out.

As soon as a page with embedded YouTube videos is called up by you, a connection to YouTube servers is established. This tells YouTube which pages you are visiting.

YouTube’s applicable Privacy Policy can be found at: https://www.google.com/policies/privacy/. Opt-out option: https://adssettings.google.com/authenticated

Newsletter

Description and scope of data processing
Our website offers you the possibility of subscribing to a free newsletter. When you register for the newsletter, the data from the input mask will be transmitted to our newsletter service provider Mailchimp of Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA.

Privacy Policy: https://mailchimp.com/legal/privacy/. Rocket Science Group, LLC is certified under the EU-US Privacy Shield (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active).

In addition, the following data is collected during registration:

  • IP address of the calling computer
  • date and time of your registration
  • e-mail address

The data requested in the registration process is required to complete your registration for the newsletter. The registration for the newsletter is logged. After registration, you will receive a message to the email address provided by you, in which you will be asked to confirm the registration (“double opt-in”). This is necessary to prevent third parties from registering using your email address.

You can withdraw your consent to receiving the newsletter at any time and thus unsubscribe from the newsletter.

We store the registration data for as long as it is needed to send you the newsletter. We store the log data of the registration and the shipping address for as long as there may be an interest in providing evidence of the consent originally given; these are usually the limitation periods for civil law claims, i.e. a maximum of three years.

The legal basis for sending the newsletter is your consent pursuant to Article 6 (1) (a) in conjunction with Article 7 of the GDPR in conjunction with Section 7 (2) No 3 of the German Act against Unfair Competition (UWG). The legal basis for logging the registration is our legitimate interest in proving that the newsletter was sent to you based on your consent.

You can cancel your registration at any time without incurring any costs other than the transmission costs according to the basic rates. A notification in text form using the contact details provided under Section 1 (e.g. e-mail, fax, letter) is sufficient for this purpose. Of course, you will also find an unsubscribe link in every newsletter.

General information on data protection

The following principles apply not only to the collection of data on our website, but also generally to other processing of personal data.

Personal data

Personal data is understood as information that can be assigned to you individually. Examples include, but are not limited to, your address, name, postal address, email address or phone number. Information such as the number of users who visit a given website is not understood as personal data, as it is not assigned to one person.

Legal basis for the processing of personal data

Unless more specific information is provided in this Privacy Policy (e.g. in the case of the technologies used), we may process your personal data based on the following legal grounds:

  • Consent pursuant to Article 6 (1) (a) of the GDPR – The data subject has given their consent to the processing of their personal data for one or more specific purposes.
  • Contract performance and pre-contractual measures pursuant to Article 6 (1) (b) of the GDPR – Processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures.
  • Legal obligation pursuant to Article 6 (1) (c) of the GDPR – Processing is necessary for compliance with a legal obligation.
  • Protection of vital interests pursuant to Article 6 (1) (d) of the GDPR – Processing is necessary to protect the vital interests of the data subject or another natural person.
  • Legitimate interests pursuant to Article 6 (1) (f) of the GDPR – Processing is necessary to protect the legitimate interests of the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject override these.

Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our home country may apply.

Transmission of personal data

Your personal data will only be transmitted to third parties for the purposes listed in this Privacy Policy.

We will only share your personal information with third parties if:

  • you have given your express consent to this in accordance with Article 6 (1) (a) of the GDPR,
  • the disclosure is necessary in accordance with Article 6 (1) (f) of the GDPR for the protection of legitimate interests as well as for the establishment, exercise or defence of legal claims and where there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your data,
  • there is a legal obligation for the disclosure according to Article 6 (1) (c) of the GDPR and this is legally permissible and/or
  • the disclosure is necessary in accordance with Article 6 (1) (b) of the GDPR for the processing of contractual relationships with you.

Cooperation with processors

We carefully select our service providers who process personal data on our behalf. Whenever we instruct third parties to process personal data on the basis of an order processing contract, we do so in accordance with Article 28 of the GDPR.

Transmission to third countries

If we process data in a third country or do so in the context of using third-party services or the disclosure or transmission of data to other persons or companies, this will only be done for the reasons outlined above in respect of the transmission of data.

Subject to explicit consent or contractual necessity, we only process or allow data to be processed in such third countries which have a recognised level of data protection, or we do so on the basis of special guarantees, such as contractual obligation through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection regulations in accordance with Articles 44-49 of the GDPR.

Data transmission to the USA / discontinuation of the EU-US Privacy Shield

We would like to expressly point out that as of 16 July 2020, due to a legal dispute between a private individual and the Irish supervisory authority, the so-called “EU-US Privacy Shield”, an adequacy decision of the EU Commission pursuant to Article 45 of the GDPR, based on which the USA was confirmed to have an adequate level of data protection under certain circumstances, is no longer valid with immediate effect.

The EU-US Privacy Shield is therefore no longer a valid legal basis for the transmission of personal data to the USA.

If we transfer data to the USA at all or if we use a service provider based in the USA, we make an explicit reference to this in this Privacy Policy (see in particular the description of the technologies used on our website).

What can the transmission of personal data to the USA mean for you as a user and what are the risks in this context?

In any case, the risks for you as a user arise from the powers of the US intelligence services and the legal situation in the USA, which, according to the ECJ, currently no longer ensure an adequate level of data protection. Among other things, these risks concern the following:

  • Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no limits on the surveillance activities of the intelligence agencies and no safeguards for non-US citizens.
  • Presidential Policy Directive 28 (PPD-28) does not provide data subjects with effective remedies against measures taken by the US authorities and does not stipulate barriers for ensuring the proportionality of any measures taken.
  • The Ombudsman provided for in the EU-US Privacy Shield does not have sufficient independence from the executive branch of the government; they may not issue the intelligence services with binding instructions.

Legally compliant transmission of data to the USA on the basis of standard contractual clauses?

Although the standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of 05/02/2010), Article 46 (2) (c) of the GDPR, remain valid, a level of protection of personal data which is equivalent to that in the European Union must be ensured. Therefore, not only the contractual relationships with our service providers are relevant here, but also the possibility of access to the data by authorities in the USA and the legal system there (legislation and jurisdiction, administrative practice of the authorities).

The standard contractual clauses are not binding on the authorities in the USA and are therefore not sufficient to provide adequate protection in cases where the authorities are authorised under US law to interfere with the rights of data subjects without additional action by us and our service provider.

Legally compliant transmission of data to the USA based on your consent?

It is currently disputed whether informed consent and thus a deliberate and conscious restriction of parts of your own fundamental right to data protection is at all legally possible.

What measures do we take to ensure that data transmission to the USA is compliant with the law?

Where US providers offer this option, we choose to have data processed on EU servers. This should technically ensure that the data is located within the European Union and that access by US authorities is not possible.

Furthermore, we are carefully examining European alternatives to the US tools used. However, this is a process that will not happen overnight, as this is also associated with technical and economic consequences for us. US service providers will only continue to be used if, for technical and/or economic reasons, it is impossible for us to use European tools and/or to discontinue the use of the US tools immediately.

We take the following measures in respect of the continued use of US tools:

As far as possible, your consent will be requested before a US tool is used and you will be informed transparently in advance about how a particular service works. The risks involved in the transmission of data to the USA are explained here.

We endeavour to conclude standard contractual clauses with US service providers and to demand additional guarantees. In particular, we require the use of technologies that make it impossible to access data, e.g. the use of encryption that cannot be decoded even by US services or anonymisation or pseudonymisation of the data, in cases where the service provider alone can assign data to a particular data subject. At the same time, we require additional information from the service provider whenever data is actually accessed by third parties and/or instruct the service provider not to grant access to data until all legal remedies have been exhausted by the service provider.

Storage period

Unless an explicit storage period is specified at the time of collection (e.g. in the context of a declaration of consent), pursuant to Article 5 (1) (e) of the GDPR, we are obliged to erase personal data as soon as the purpose of the processing has been fulfilled. In this context, we would like to point out that statutory retention obligations constitute a legitimate purpose for the processing of personal data.

As a matter of principle, we store and retain data in personal form until the termination of a business relationship or until the expiry of applicable guarantee, warranty or limitation periods, and furthermore until the termination of any legal disputes in which the data is required as evidence, or in any case until the expiry of the third year following the last contact with a business partner.

Rights of data subjects

As a data subject, you have the right:

  • in accordance with Article 15 of the GDPR, to request information about your personal data processed by us. In particular, you can obtain information about the purposes of the processing, the category of the personal data, the categories of recipients to whom your data has been or will be disclosed, the envisaged storage period, the existence of the right to rectification, erasure, restriction of processing or the right to object, the right to lodge an appeal, the origin of your data, if it is not collected by us, as well as the existence of automated decision-making, including profiling, and, where appropriate, meaningful information regarding the details of such a process;
  • in accordance with Article 16 of the GDPR, to demand the immediate rectification of incorrect personal data or completion of your personal data stored by us;
  • in accordance with Article 17 of the GDPR, to demand the erasure of your personal data stored with us, unless the processing is required for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims;
  • in accordance with Article 18 of the GDPR, to obtain from us restriction of the processing of your personal data if you contest the accuracy of the data, if the processing is unlawful, but you oppose the erasure of the personal data and if we no longer need the data, but it is required by you for the establishment, exercise or defence of legal claims or if you have objected to processing in accordance with Article 21 of the GDPR;
  • in accordance with Article 20 of the GDPR, to receive your personal data, which you have provided to us, in a structured, commonly used and machine-readable format or to request that it be transferred to another controller;
  • in accordance with Article 21 of the GDPR, insofar as your personal data is processed on the basis of our legitimate interest, to object to the processing of your personal data, where there are grounds for doing so which arise from your particular situation or where the objection concerns direct marketing. In the latter case, you have a general right of objection, which we will implement without asking you to state your particular situation.
  • in accordance with Article 7 (3) of the GDPR, to withdraw your consent at any time. As a result, in future, we will no longer be allowed to continue the data processing based on this consent. Among other things, you have the option to withdraw your consent to the use of cookies on our website with effect for the future by accessing our cookie settings.
  • in accordance with Article 77 of the GDPR, to lodge a complaint with a supervisory authority regarding unlawful processing of your data by us. To do so, you can normally contact the supervisory authority of your usual place of residence, place of work or the registered office of our company.

The competent supervisory authority for COLOP Arts & Crafts is:

Commission de la protection de la vie privée
Rue de la Presse 35, 1000 Bruxelles, Belgium
Tel.: +32 2 274 48 00, commission@privacycommission.be

How to exercise your rights as a data subject

You should be able to decide for yourself how your personal data is used. Therefore, should you wish to exercise one of your aforementioned rights, you are welcome to contact us by email at info@colopartsandcrafts.com or by post or telephone.

For identification purposes, please send a copy of an official photo ID together with your application and support us in specifying your request by answering questions from our responsible employees regarding the processing of your personal data. In your request, please state the type of your relationship with us (employee, applicant, visitor, supplier, customer, etc.) and the relevant period. This will help us to promptly process your request.

Protection of personal data

The security of your personal data is very important to us. In accordance with Article 32 of the GDPR, we therefore take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons.

The measures include, in particular, ensuring the confidentiality, integrity and availability of the data by controlling physical access to the data, as well as access, input and disclosure, and by ensuring the availability of the data and its separation. We have also established procedures to ensure the exercise of the rights of data subjects, erasure of data and our response to data threats. Furthermore, we are guided by the protection of personal data during the development or selection of hardware and software, in accordance with the principles of “data protection by design” and “data protection by default” set out in Article 25 of the GDPR.

We also share our understanding of data security with the processors we use.

Topicality of this Privacy Policy

Due to further developments or changed legal requirements, it may become necessary to adapt this Privacy Policy from time to time. The current version of our Privacy Policy can be accessed on this page and printed out by you at any time.

Should you have any questions concerning data protection, you can reach us at info@colopartsandcrafts.com or by using the other contact details listed in this Privacy Policy.

Eupen,
24 March 2021
