Data Protection Policy for Ostfriesische Tee Gesellschaft GmbH & Co. KG


The requirements of the EU General Data Protection Regulation (hereinafter: GDPR) apply throughout Europe. We wish to inform you about the processing of personal data carried out by our company in accordance with this regulation (cf. Arts 13 and 14 GDPR). Should you have any questions or comments about this Data Protection Policy, please feel free to send them at any time to the e-mail address given in No. 2 or 3.

Table of Contents:

I. Overview

1. Scope of application

2. Data controller

3. Data Protection Officer

4. Data security


II. Data processing activities in detail

1. General information on data processing

2. Accessing the website/application

3. Contact form

4. Sweepstakes

5. Facebook fan page / Instagram

6. Newsletter

7. Tea orders

8. Customer account


III. Data subject’s rights

1. Right to object

2. Right of access

3. Right to rectification

4. Right to erasure (“right to be forgotten”)

5. Right to restriction of processing

6. Right to data portability

7. Right to withdraw consent

8. Right to lodge a complaint


IV. Glossary

I. Overview

In this section of the Data Protection Policy (DPP), you will find information on the scope of application, the data controller, his or her data protection officer and on data security.

1. Scope of application

On this particular page, we inform you of the type, scope and purpose of the personal data collected by www.milford.de, which is processed both when you visit this homepage and during other processing under our responsibility, which is not related to this homepage. Data processing by Ostfriesische Tee Gesellschaft GmbH & Co. KG can essentially be divided into two categories:

• For the purpose of contract processing, all data required for the execution of a contract with Ostfriesische Tee Gesellschaft GmbH & Co. KG will be processed. If any external service providers are also involved in the processing of the contract, e.g., agencies or payment service providers, your data will be passed on to them to the extent necessary in each particular case.

• When you access the Ostfriesische Tee Gesellschaft GmbH & Co. KG website/application, various pieces of information are exchanged between your terminal device and our server. This may also involve personal data. The information collected in this way is used, inter alia, to optimise our website or to display advertising in the browser of your terminal device.

• This Data Protection Policy applies to the following offerings:

• our online offering available at www.milford.de

• whenever otherwise referred to in this DPP in any of our offerings (e.g., websites, subdomains, mobile applications, web services or third-party integrations), regardless of the way you access or use it.

All of these offerings are also collectively referred to as “Services”.

2. Data controller

The data controller – i.e., the person who determines the purposes and means of processing personal data in connection with the Services – is:

Ostfriesische Tee Gesellschaft GmbH & Co. KG, Bosteler Feld 6, 21218 Seevetal, GERMANY, Tel.: +49-(0)4105504-0, Fax: +49-(0)4105 624 -0 2212, E-mail: info@milford.de

3. Data protection officer

Contact form: https://www.dsextern.en/enquiries


DS EXTERN GmbH

Dipl.-Kfm. Marc Althaus

Frapanweg 22

D-22589 Hamburg

4. Data security

In order to develop the measures required by Art. 32 GDPR and thus achieve a level of security appropriate to the risk, we have established the information security standard in conformity with VdS 10000 in our company.

The guidelines of VdS 10000 - Cyber-Security for Small and Medium-Sized Enterprises (SMEs) of VdS Schadenverhütung GmbH contain specifications and assistance for the implementation of an information security management system as well as concrete measures for the organisational and technical protection of IT infrastructures. They are designed with the objective of ensuring an appropriate level of security.

II. Data processing activities in detail

In this section of the Data Protection Policy, we inform you in detail about the processing of personal data within the scope of our services. For improved transparency, we organise this information according to specific functionalities of our services. During normal use of the services, different functionalities and thus also different instances of processing may come into play one after the other or simultaneously.

1. General information on data processing

The following applies to all processing activities described below, except as otherwise stated:

a. No obligation to provide personal data

There is neither a contractual nor a statutory obligation to make any personal data available. You are not obliged by law to provide any data.

b. Consequences of failure to provide such data

In the case of necessary data (data marked as mandatory when entered), failure to provide such data will mean that the service in question cannot be rendered. Other than that, failure to provide us with data may mean that our services cannot be provided in the same form and quality.

c. Consent

In various cases, you also have the option of giving us your consent (possibly for part of the data) to further processing in connection with the processing instances described below. In this case, we will notify you separately in connection with the submission of the respective declaration of consent about all modalities and the scope of consent and about the purposes we pursue with these processing activities.

d. Transfer of personal data to third countries

If we transfer data to third countries, i.e., countries outside the European Union, then such transfer takes place exclusively in compliance with the permissibility requirements regulated by legislation. The permissibility requirements are governed by Arts. 44 - 49 GDPR.

e. Hosting with external service providers

Our data processing is carried out to a large extent using what are known as hosting service providers, who provide us with storage space and processing capacity in their data centres and also process personal data on our behalf according to our instructions. These service providers either process data exclusively in the EU or we have guaranteed an adequate level of data protection with the aid of the EU standard data protection clauses.

f. Transfer to government authorities

We transfer personal data to government authorities (including law enforcement authorities) if this is necessary for the fulfilment of a legal obligation to which we are subject (legal basis: Art. 6 (1) (c) GDPR) or it is necessary for the assertion, exercise or defence of legal claims (legal basis: Art. 6 (1) (f) GDPR).

g. Duration of storage

We do not store your data longer than we need it for the respective processing purposes. If the data is no longer required for compliance with contractual or statutory obligations, such data will regularly be erased unless their further storage subject to time limits remains necessary for the following reasons, e.g.:

• fulfilment of retention obligations under commercial and tax law

• obtaining evidence for legal disputes within the scope of the statutory limitation provisions

It is likewise possible for us to continue storing your data with us provided you have given us your express consent to do so.

h. Categories of recipients

In addition to the categories of recipients explicitly listed below, personal data will also be transferred to the following categories of recipients: shipping service providers, telephone service and fax providers.

i. Data categories

• Account data: login/user ID and password

• Personal master data: title, salutation/gender, first name, surname

• Address data: street, building number, addenda to addresses, if any, postal code, location, country

• Contact data: telephone number, e-mail address(es)

• Login data: information about the service through which you have registered; time of and technical information on registration, confirmation and deregistration; data provided by you when registering

• Ordering data: products ordered, prices, payment and delivery information

• Payment data: data on other payment services such as PayPal, Concardis, bookingkit

• Access data: date and time of visiting our service; the page from which the accessing system arrived at our site; pages viewed during use; data for session identification (session ID); in addition, the following information of the accessing computer system: Internet Protocol (IP) address used, browser type and version, device type, operating system and similar technical information.

• Free text: all entries are possible

2. Viewing the website/application

This describes how we process your personal data when you access our services. In particular, we point out that the transfer of access data to external content providers (see under b.) is unavoidable due to the technical functioning of information transmission on the Internet.

Cookies/services used

Information on the cookies/services we use can be found under “Cookie settings”.

a. Information on processing


| Data category | Purpose(s) | Legal basis | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Access data | Establishing connections, displaying the contents of the service, detecting attacks on our site based on unusual activities, diagnosing errors (‘trouble-shooting’) | Art. 6 (1) (f) GDPR | proper functioning of the services, security of data and business processes, prevention of misuse, prevention of damage due to interference with or interventions within information systems | Max. 1 day |

b. Recipient(s) of personal data


| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Hosting service provider(s) | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |
| IT security service provider(s) | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |
| Agencies | Access data | Processing on behalf of a controller (Art. 28 GDPR) | |


3. Contact form

We describe here what happens to your personal data in connection with the use of our contact forms:

a. Information on processing

| Data category | Purpose(s) | Legal basis | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Contact details (mandatory) | Enquiries from customers and interested parties | Art. 6 (1) (f) GDPR | Processing of the enquiries submitted | 1 Year |
| Personal master data | Personalisation of enquiry processing | Art. 6 (1) (f) GDPR | Personalisation of enquiry processing; possible delivery in the case of e.g.: Replacement delivery, information material... | 1 Year |
| Address data (mandatory in case of complaints) | Postal dispatch | Art. 6 (1) (f) GDPR | Delivery option in the case of e.g.: Replacement delivery, information material... | 1 Year |
| Free text (mandatory field) | Information on request made | Art. 6 (1) (f) GDPR | Processing of the enquiries submitted | 1 Year |
| Categorisation of enquiry (mandatory field) | enquiry | GDPR | enables accelerated processing | 1 Year |
| LOT number (mandatory in case of complaints) | Assignment of the enquiry | Art. 6 (1) (f) GDPR | enables accelerated processing | 1 Year |
| Use-by date / best-before date (mandatory in case of complaints) | Assignment of the enquiry | Art. 6 (1) (f) GDPR | enables accelerated processing | 1 Year |
| Product selection (in case of complaints) | Assignment of the enquiry | Art. 6 (1) (f) GDPR | enables accelerated processing | 1 Year |

4. Sweepstakes

How we process your personal data when you participate in our sweepstakes can be found here:

a. Information on processing

| Data category | Purpose(s) | Legal basis | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Personal master data (mandatory field) | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Reducing misuse | No later than 6 months after the end of the sweepstakes |
| Contact details (e-mail mandatory field) | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Notification of successful participation and winner(s) | No later than 6 months after the end of the sweepstakes |
| Address data (mandatory field for giveaway campaigns, for the rest of the sweepstakes, winners need to be asked for their address data) | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Sending the prize drawn | No later than 6 months after the end of the sweepstakes |
| Promotion code and/or proof of purchase (mandatory field) | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Successful participation in sweepstakes, verification of eligibility to participate | No later than 6 months after the end of the sweepstakes |
| Selection of sweepstakes (mandatory field) | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Personalisation of prizes | No later than 6 months after the end of the sweepstakes |
| Free text field | Execution of sweepstakes | Art. 6 (1) (f) GDPR | Processing of the enquiries submitted | No later than 6 months after the end of the sweepstakes |

b. Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Cooperation partner for prizes | All under a) | Processing on behalf of a controller (Art. 28 GDPR) | |
| Agencies | All under a) | Processing on behalf of a controller (Art. 28 GDPR) | |


5. Facebook fan page / Instagram

Instagram presence

At https://www.instagram.com/milford_tee/, we operate a presence on the platform “Instagram.com”, in turn operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”). The Instagram privacy policy is available here: https://help.instagram.com/519522125107875/

Access to and any interaction on our Instagram presence leads to personal data being processed, and it makes no difference whether you have an account with Instagram or Facebook or not.

If you are logged in with your Facebook account while accessing our Instagram presence, Facebook, as operator of Instagram, and/or its affiliated companies may combine the information about access to our Instagram presence with your account information and may use this to create profiles. If you do not wish to be profiled in this way, please log out before accessing our Instagram website.

Facebook provides us with statistical data on the use of our Instagram presence via the “Instagram Insights” tool. This is data such as gender, age range, page views, interactions, paid activity information, reach, accounts reached, impressions and impressions per day. The following is important to know: from such data, we cannot conclude which individual visitors have accessed our Instagram presence. Our use of the data generated by “Instagram Insights” is based on Article 6 (1) (f) GDPR, with our legitimate interests being to make our Instagram presence more attractive and to provide it with content that is relevant to various interests.

As we and Facebook are jointly responsible for the processing of your data on our Instagram presence, we have entered into an agreement with Facebook, the content of which you can view here: https://www.facebook.com/legal/terms/page_controller_addendum.

As a data subject, you are entitled to the rights set out in section III of this data protection policy. You can choose to assert these against us (see section 1.2 above), or directly against Facebook at https://help.instagram.com/contact/186020218683230. If you assert your rights against us, we will forward your enquiries in accordance with our agreement with Facebook to them.

Facebook fan page

At https://www.facebook.com/MilfordTee, we operate a fan page on the social network “Facebook.com”, in turn operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”). Facebook's privacy policy can be found at: https://www.facebook.com/about/privacy

Access to and any interaction on our Facebook fan page leads to personal data being processed, and it makes no difference whether you have an account with Facebook or not.

If you are logged in with your Facebook account while accessing our Facebook fan page, Facebook and/or its affiliated companies may combine the information about the access to our Instagram website with your account information and may use this to create profiles. If you do not wish to be profiled in this way, please log out from your Facebook account before accessing our Facebook fan page.

Facebook provides us with statistical data on the use of our Facebook fan page via the “Facebook Insights” tool. This is data such as gender, age range, page views, interactions, paid activity information, reach, accounts reached, impressions and impressions per day. The following is important to know: from such data, we cannot conclude which individual visitors have accessed our Facebook presence. Our use of the data generated by “Facebook Insights” is based on Article 6 (1) (f) GDPR, with our legitimate interests being to make our Facebook presence more attractive and to provide it with content that is relevant to various interests.

As we and Facebook are jointly responsible for the processing of your data on our Facebook presence, we have entered into an agreement with Facebook, the content of which you can view here: https://www.facebook.com/legal/terms/page_controller_addendum.

As a data subject, you are entitled to the rights set out in section III of this Data Protection Policy. You can choose to assert these against us (see section 1.2 above), or directly against Facebook at https://help.facebook.com/contact/186020218683230. If you assert your rights against us, we will forward your enquiries in accordance with our agreement with Facebook to them.

6. Newsletter

We describe here what happens to your personal data in connection with a subscription to our newsletter:

a. Information on processing

| Data category | Purpose(s) | Legal basis | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| E-mail address (mandatory) | Verification of login (double opt-in procedure), newsletter delivery | Art. 6 (1) (a) GDPR | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is deleted after 1 month) |
| Personal master data (name) | personal address of the recipients | Art. 6 (1) (a) GDPR | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is deleted after 1 month) |
| Access data (IP address only), contact data (mail address only) | Interest-oriented design of the newsletter, evaluations of newsletter openings, clicks within the newsletters, unsubscribe rate, bounce rate | Art. 6 (1) (a) GDPR | | Duration of newsletter subscription (in case of unsubscription or unconfirmed recipients, data is deleted after 1 month); data is anonymised for evaluation purposes |

Unsubscribing from the newsletter is possible at any time and can be done via a link provided to this end in the newsletter.

b. Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis for the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Service provider(s) for newsletter creation and dispatch | all data mentioned under a | Processing on behalf of a controller (Art. 28 GDPR) | |


7. Tea orders

The following information describes how your personal data is processed when you order tea via our shop.

7.1 Information on processing

| Data category | Purpose(s) | Legal foundations | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Personal master data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Contact details | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Address data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Order data | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |
| Payment details | Tea order and return, if applicable | Contract (Art. 6 (1b) GDPR) | - | Processing of the order or 10 years for invoices |


7.2 Recipient(s) of personal data

| Category of recipients | Data concerned | Legal basis of the transfer | Legitimate interest, if applicable |
| --- | --- | --- | --- |
| Payment service provider(s) | All of the above mentioned under 2.5.1 | Contract (Art. 6 (1b) GDPR) | |


8. Customer account

The following information describes how your personal data is processed when you register for a customer account.

8.1 Information on processing

| Data category | Purpose(s) | Legal basis | Legitimate interest, if applicable | Duration of storage |
| --- | --- | --- | --- | --- |
| Account data | Secure access to the customer account | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Personal master data | Operating a customer account | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Contact details | Managing a customer account | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Address data | Billing and delivery address management | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Ordering data | Order history, order status | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Payment details | Management of payment options | Consent (Art. 6 (1a) GDPR) | - | Until withdrawal or deregistration of the customer account |
| Login/logoff data | Traceability of the account registration/confirmation/deregistration | Safeguarding legitimate interests (Art. 6 (1) (f) GDPR) | Proof of successful account registration/confirmation/deregistration | Until withdrawal or deregistration of the customer account (deregistration data, unlimited to meet accountability requirements) |

III. Data subject’s rights

1. Right to object

If we process your personal data for the purpose of direct marketing, you have the right to object at any time with future effect to the processing of personal data concerning you for the purpose of such marketing, insofar as it is related to such direct marketing.

You also have the right to object, on grounds relating to your particular situation, at any time with effect for the future, to the processing of personal data concerning you which is carried out pursuant to Art. 6 (1) (e) or (f) GDPR.

You can exercise the right to object free of charge.

You can reach us via the contact details mentioned under I.2.

2. Right of access

You have the right to know whether personal data concerning you is processed by us, which personal data this is, if any, as well as further information according to Art. 15 GDPR.

3. Right to rectification

You have the right to request that we rectify any inaccurate personal data relating to you without undue delay (Art. 16 GDPR). Taking account of the purpose of processing, you have the right to request the completion of incomplete personal data - also by means of a supplementary declaration.

4. Right to erasure (“right to be forgotten”)

You have the right to request that we erase personal data relating to you without undue delay, provided one of the reasons set out in Art. 17 (1) GDPR applies and processing is necessary for one of the purposes stipulated in Art. 17 (3) GDPR.

5. Right to restriction of processing

You are entitled to request a restriction in the processing of your personal data if one of the conditions stipulated in Art. 18 (1) (a) to (d) GDPR is met.

6. Right to data portability

You have the right to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format. Moreover, you have the right to transmit such data to another controller without hindrance by us or to arrange for direct transmission by us to take place, provided that this is technically feasible. This should always apply if the basis of the data processing is consent or a contract and the data is processed automatically. Accordingly, this does not apply to data available in paper form only.

7. Right to withdraw consent

Insofar as the processing is based on your consent, you have the right to withdraw such consent at any time. The lawfulness of data processed on the basis of your consent until the time of withdrawal shall not be affected.

8. Right to lodge a complaint

You have a right to lodge a complaint with a supervisory authority.

IV. Glossary

Processor: a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

Browser: computer program for displaying websites (e.g., Chrome, Firefox, Safari)

Cookies: The term “cookie” actually had its origins in the English vocabulary and its original meaning can be translated into German as “Keks” (=biscuit or cookie). In the context of the World Wide Web, however, a cookie describes a small text file that is stored locally on users’ computers when they visit a website. This file stores data about the users’ behaviour. If the browser is opened and the corresponding website is visited repeatedly, the cookie is used and, with the aid of the data stored, provides the web server with information about the users’ surfing behaviour.

Cookies in this context are not ‘real’ cookies, but information that a website stores locally on the visitor’s computer in a small text file. This can include settings already made by the user on a page, but also information that the website has collected completely independently from the user. These locally stored text files can later be read from the same web server from which they were created. Most browsers accept cookies automatically. You can manage cookies using the browser functions (mostly under “Options” or “Settings”). This may disable the storage of cookies, make it dependent on your consent in individual cases or otherwise restrict it. You can also delete cookies at any time.

Third countries: a country which is not bound by the legal requirements of the EU General Data Protection Regulation (country outside the EEA).

Personal data: all information relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Services: our offers to which this data protection policy applies (see scope of application).

Processing: any operation or set of operations performed in connection with personal data, whether or not by automatic means, such as collection, recording, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other form of provision, alignment or combination, restriction, erasure or destruction.

Seevetal, 1 January 2022