Privacy Policy

We are very pleased about your visit to our website. Data protection has a particularly high priority for us. The use of our website is possible without any indication of personal data. However, if a data subject wants to use special services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and if there is no legal basis for such processing, we will generally obtain the consent of the data subject.

The processing of personal data, such as the name, address, e-mail address, or telephone number of a data subject shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the applicable country-specific data protection regulations. By means of this data protection declaration, we would like to inform you and the public about the type, scope and purpose of the personal data we collect, use and process. Furthermore, data subjects are informed of their rights by means of this data protection declaration.

As the controller, the CXP Commerce Experts GmbH has implemented numerous technical and organizational measures (TOM) to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be subject to security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.

Name and address of the controller

The responsible party within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:

CXP Commerce Experts GmbH
Management: Siegfried Schuele, Mathias Duda and Andreas Wagner
At the lap gate 3
75172 Pforzheim
Phone: +49 7231 203 676-5
E-mail: info[at]

Questions about our data protection

Any data subject may contact us directly at any time with any questions or suggestions regarding data protection:

Collection of general data and information

Our Internet pages collect a series of general data and information each time the Internet pages are accessed by a data subject or an automated system. This general data and information is stored in the log files of the server.

For example, the following can be recorded:
(1) browser types and versions used,
(2) the operating system used by the accessing system,
(3) the website from which an accessing system arrives at our website (so-called referrer),
(4) the sub-websites that are accessed via an accessing system on our website,
(5) the date and time of any access to the Website,
(6) an Internet Protocol (IP) address,
(7) the Internet service provider of the accessing system and
(8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.

When using these general data and information, no conclusions are drawn about the data subject.
Rather, this information is needed
(1) to deliver and display the contents of our website correctly,
(2) to optimize the content of our website and the advertising for it,
(3) to ensure the permanent functionality of our information technology systems and the technology of our website, and
(4) to provide law enforcement authorities with information necessary for prosecution in the event of a cyberattack.
Therefore, the data controller analyzes anonymously collected data and information on the one hand for statistical purposes and on the other hand for the purpose of increasing data protection and data security, so as to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.

Legal basis of processing

Art. 6(1)(a) GDPR serves as our legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, as is the case, for example, with processing operations that are necessary for a delivery of goods or the provision of another service or consideration, the processing is based on Art. 6(1)(b) GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services. If we are subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6(1)(c) GDPR. In rare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were to be injured on our premises and as a result his or her name, age, health insurance data or other vital information had to be passed on to a doctor, hospital or other third party. In that case, the processing would be based on Art. 6(1)(d) GDPR. Finally, processing operations could be based on Art. 6(1)(f) GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of ours or of a third party, provided that this interest is not overridden by the interests, fundamental rights and freedoms of the data subject. We are permitted to carry out such processing operations in particular because they were specifically mentioned by the European legislator. In this respect, the legislator took the view that a legitimate interest could be assumed if the data subject is a customer of the controller (recital 47, sentence 2 GDPR).
If the processing of personal data is based on Art. 6(1)(f) GDPR, our legitimate interest is the performance of our business activities for the benefit of the well-being of all our employees and our shareholders.

Duration for which the personal data are stored

The criterion for the duration of the storage of personal data is the respective statutory retention period. After expiry of the period, the corresponding data is routinely deleted, provided that it is no longer required for the fulfillment or initiation of the contract or that no further statutory or legal requirements stand in the way of the deletion.

Routine deletion and blocking of personal data

The controller shall process and store personal data of the data subject only for the period necessary to achieve the purpose of storage or where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.
If the purpose of storage no longer applies or if a storage period prescribed by the European Directive and Regulation or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

Legal or contractual regulations for the provision of personal data

We would like to inform you that the provision of personal data is partly required by law (e.g. tax regulations) or may also result from contractual or pre-contractual regulations (e.g. information on the contractual partner). Sometimes, in order to conclude a contract, it may be necessary for a data subject to provide us with personal data that must subsequently be processed by us. For example, the data subject is obliged to provide us with personal data if we conclude a contract with him or her. Failure to provide the personal data would mean that the contract with the data subject could not be concluded. Before providing personal data, the data subject must contact one of our employees. Our employee will explain to the data subject on a case-by-case basis whether the provision of the personal data is required by law or contract or is necessary for the conclusion of the contract, whether there is an obligation to provide the personal data, and what the consequences of not providing the personal data would be.

Registration on our website / use of input masks and forms

The data subject has the possibility to register on the website of the controller by providing personal data or to enter personal data in input masks. This may be necessary, for example, for the receipt of a newsletter, contact via contact form, registration for participation in events or other similar registration options. Which personal data is transmitted to the data controller in this context results from the respective input mask used for the registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller and for its own purposes. The controller may arrange for the data to be transferred to one or more processors, for example a parcel service provider, who will also use the personal data exclusively for an internal use attributable to the controller.
When you contact us (e.g. via contact form), personal data is collected. This data is stored and used exclusively for the purpose of responding to your request and the associated technical administration. The legal basis for processing the data is our legitimate interest in responding to your request pursuant to Art. 6(1)(f) GDPR. If the purpose of your contact is the conclusion of a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR. Your data will be deleted after final processing of your request; this is the case when it can be seen that the matter concerned has been conclusively clarified, provided that no statutory or legal retention obligations prevent the deletion.
By registering on the website of the controller, the IP address assigned by the Internet service provider (ISP) of the data subject, the date and the time of registration are also stored. The storage of this data takes place against the background that only in this way can the misuse of our services be prevented and, if necessary, this data makes it possible to clarify crimes that have been committed. In this respect, the storage of this data is necessary for the protection of the data controller. As a matter of principle, this data is not passed on to third parties unless there is a legal or statutory obligation to pass it on or the passing on serves the purpose of criminal prosecution.
The registration of the data subject by voluntarily providing personal data serves the purpose of the controller to offer the data subject content or services which, due to the nature of the matter, can only be offered to registered users or those who explicitly request this. These persons are free to modify the personal data provided at any time or to have it completely deleted from the data stock of the controller.
The controller shall provide any data subject at any time, upon request, with information about what personal data is stored about the data subject. Furthermore, the controller shall correct or delete personal data at the request or indication of the data subject, insofar as this does not conflict with any statutory or legal retention obligations. The entire staff of the controller shall be available to the data subject as contact persons in this context.

Recipients or categories of recipients

Depending on the purpose of the collection of the personal data, we transmit this data, for example, to the following recipients or categories of recipients, or they are directly involved in the processing of the personal data:

  • Provider
  • IT service provider
  • other recipients depending on used tools

Third country transfer

Depending on the collection purpose of the personal data, a third country transfer takes place as follows:

  • Gravatar
  • Vimeo