A. General Information
1. Controller
Europe Pen GmbH
Belziger Straße 31b, 06889 Lutherstadt Wittenberg, Germany
Represented by: Fabian Frank
Tel.: +49 (0) 3491-6245180
Data protection e-mail: privacy@europe-pen.com
Websites: https://pen.eu and https://europe-pen.com
This policy applies to all sites and online profiles referencing it (the “websites”). Our services are aimed exclusively at business customers (B2B), associations, and public bodies.
2. Mandatory vs. voluntary data
We collect only the data necessary to initiate, perform, and complete contracts. Additional fields are marked as voluntary; not providing them has no adverse effects but may delay processes.
3. Legal bases
- Contract / pre-contract (Art. 6(1)(b) GDPR): e.g., account & order data, payment processing, customer support.
- Legitimate interests (Art. 6(1)(f) GDPR): e.g., IT security, fraud/abuse prevention, asserting legal claims, strictly necessary cookies, internal optimisation.
- Consent (Art. 6(1)(a) GDPR): e.g., newsletter tracking, marketing cookies, web analytics. You can withdraw consent at any time with future effect.
- Legal obligation (Art. 6(1)(c) GDPR): e.g., commercial and tax retention duties.
National references:
Germany: GDPR applies; German commercial/tax retention may apply (HGB/AO).
Spain: LOPDGDD supplements GDPR.
France: Loi Informatique et Libertés supplements GDPR.
4. Direct marketing to existing customers (B2B)
If we obtained your e-mail in connection with a sale, we may send occasional e-mails about similar products/services. Legal basis: Art. 6(1)(f) GDPR together with Art. 21 LSSI-CE (Spain) and Art. L34-5 CPCE (France). You can object at any time via the unsubscribe link in each e-mail or by contacting privacy@europe-pen.com.
5. Recipients and processors
We share data only where a legal basis exists. Typical recipients include:
- Hosting/IT: e.g., STRATO GmbH / IONOS SE
- Newsletter: Brevo (Sendinblue GmbH)
- Web analytics: Google Analytics (consent-based)
- Payment providers & banks: Stripe; Billie; PayPal; Amazon Pay (and the Stripe-supported methods listed below)
- ERP / order handling: JTL-Wawi
- Credit checks: mediaFinanz GmbH
- Printing and logistics providers (order fulfilment)
We conclude data processing agreements (Art. 28 GDPR). Transfers to third countries (if any) rely on appropriate safeguards such as EU Standard Contractual Clauses.
We do not sell personal data.
6. Data from third sources
We may process data provided by customers (e.g., delivery/recipient data, print content) or drawn from public registers/credit agencies (e.g., commercial register, mediaFinanz) where needed for fulfilment or risk assessment.
7. Retention
Data are stored only as long as necessary for the respective purpose. Statutory retention periods (e.g., under German HGB/AO) apply. We may retain data to assert/defend claims within limitation periods (generally 3 years, up to 30 years in exceptional cases).
8. Security
We apply appropriate technical and organisational measures. Data in transit are encrypted (HTTPS). Alternative channels (e.g., post) are available.
9. Necessity of provision
Certain data are required for registration, orders, processing, billing, or use of our services. Without them, handling may not be possible.
10. Automated decision-making
We do not conduct solely automated decision-making within Art. 22 GDPR.
B. Processing activities on the website / shop
1. Visiting our websites
a) IP / security logs – To prevent and analyse attacks, we store your browser-transmitted IP for up to 7 days, then delete/anonymise it. Basis: Art. 6(1)(f) GDPR.
b) Usage logs – Requested URL/file, date/time, data volume, status, browser type, IP; purposes: stability, security, quality assurance. Basis: Art. 6(1)(f) GDPR.
2. Cookies & consent management (CookieYes)
We use the consent tool of CookieYes Limited, 3 Wellington Place, Leeds, LS1 4AP, United Kingdom to collect, manage, and document your consents.
Processed data: shortened/anonymised IP, consent status, date/time, browser information, and the URL where consent was given.
Purposes: proof of consent (Art. 7(1) GDPR) and legal compliance (Art. 6(1)(c) GDPR), plus our legitimate interest in a compliant, user-friendly setup (Art. 6(1)(f) GDPR).
Preferences are stored in a CookieYes cookie and deleted when no longer required.
More info: https://www.cookieyes.com/privacy-policy/
3. Web analytics (Google Analytics) – consent-based
With your consent, we use Google Analytics for reach measurement and statistics. Cookies are set; usage data are processed; IPs are anonymised. Basis: Art. 6(1)(a) GDPR. Consent can be withdrawn via the consent tool at any time.
4. Business account registration (B2B)
To create an account, we process business contact data and credentials (e-mail, password; billing/shipping address). Mandatory fields are indicated. Passwords are stored encrypted and cannot be viewed by our staff. IP and timestamp of registration are logged.
Bases: Art. 6(1)(b) GDPR (orders/returns) and, where features are optional, Art. 6(1)(a) GDPR.
ERP: order/master data are processed in JTL-Wawi (processor).
5. Orders & payment methods
a) General
We process data to fulfil orders and process payments (Art. 6(1)(b) GDPR) and, where applicable, for fraud prevention (Art. 6(1)(f) GDPR). Depending on the method, this includes name, billing/shipping address, e-mail (and phone if needed), order number, amount, currency, payment details, IP and device data for anti-fraud. We transmit only what is necessary to the selected payment provider.
b) Stripe (Card, Billie, Link, Apple Pay, Google Pay, Revolut Pay, EPS)
Provider: Stripe Payments Europe Limited, 1 Grand Canal Street Lower, Grand Canal Dock, Dublin 2, Ireland.
Stripe processes payment data (e.g., card number, name, IBAN/BIC, amount, currency, transaction ID) as an independent controller to execute the payment and for fraud prevention.
Stripe supports Card, Billie, Link, Apple Pay, Google Pay, Revolut Pay, EPS; depending on your choice, Stripe forwards data to the relevant provider:
- Apple Pay (Apple Distribution International Ltd., Cork, IE) – Privacy: https://support.apple.com/de-de/HT203027
- Google Pay (Google Ireland Ltd., Dublin, IE) – Privacy: https://policies.google.com/privacy
- Revolut Pay (Revolut Ltd., London, UK) – Privacy: https://www.revolut.com/de-DE/help/privacy-policy
- EPS (PSA Payment Services Austria GmbH, Vienna, AT) – Privacy: https://eps-ueberweisung.at/de/datenschutzerklaerung
Stripe may transfer data internationally (e.g., to the USA) under EU Standard Contractual Clauses (Art. 46 GDPR).
More info: https://stripe.com/de/privacy
c) PayPal
Provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22–24 Boulevard Royal, L-2449 Luxembourg.
We transmit the necessary data (amount, billing details, e-mail, transaction ID, IP). PayPal may perform credit checks.
Bases: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (fraud prevention).
Privacy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full
d) Amazon Pay
Provider: Amazon Payments Europe S.C.A., 38 avenue J.F. Kennedy, L-1855 Luxembourg.
Amazon verifies identity, executes payment, and prevents fraud. We receive payment confirmation, not full card/bank data.
Privacy: https://pay.amazon.de/help/201212490
e) Billie (B2B – invoice/factoring via Stripe)
Provider: Billie GmbH, Charlottenstraße 4, 10969 Berlin.
May involve identity and credit checks. We (or Stripe) transmit necessary company/contact and order/invoice data.
Bases: Art. 6(1)(b) GDPR and Art. 6(1)(f) GDPR (risk management).
Privacy: https://www.billie.io/datenschutz
f) Credit checks (mediaFinanz)
Provider: mediaFinanz GmbH, Weiße Breite 5, 49084 Osnabrück, Germany.
We may request credit reports before risk-bearing contracts, transmitting only the necessary business data (name, address, contact, order value).
Basis: Art. 6(1)(f) GDPR (legitimate interest in payment security).
Privacy: https://www.mediafinanz.de/datenschutz/
g) Feedback from payment providers
We receive only technical status information necessary for fulfilment (e.g., successful authorisation, transaction ID). We do not store full card numbers on our systems.
h) Security
Payment transmissions use TLS/SSL; gateways comply with PCI-DSS.
6. Newsletter (Brevo / Sendinblue)
We may send occasional e-mails about similar offers based on your prior purchases. Basis: Art. 6(1)(f) GDPR in conjunction with Art. 21 LSSI-CE (Spain) and Art. L34-5 CPCE (France) for existing customers.
Required data: e-mail (optionally name for personalisation). For technical reasons, we also process IP, date, and time upon sign-up/sending.
Delivery via Brevo (Sendinblue GmbH); open/click rates may be measured in a pseudonymised way to improve content (consent-based).
You can object at any time free of charge via the unsubscribe link or by e-mail to privacy@europe-pen.com.
7. Contact & callback forms / e-mail contact
We process the data you provide to handle your request. Mandatory fields are indicated; IP and timestamp are processed for technical/log purposes.
Bases: Art. 6(1)(b) GDPR (pre-contractual communication) and Art. 6(1)(f) GDPR (general enquiries).
8. Contests (optional, occasional)
We process the data specified in the contest terms only for organisation and winner notification; IP/date/time may be logged for legal/technical safeguards. Without the required fields, participation is not possible.
Basis: Art. 6(1)(b) GDPR.
9. Product reviews
After a purchase, you may review the products (participation is voluntary). Basis: your consent (Art. 6(1)(a) GDPR) or—within an existing customer relationship—our legitimate interest in publishing authentic opinions (Art. 6(1)(f) GDPR).
Publicly displayed data:
- First name abbreviated (initial) + full last name.
- Optional content: review text, rating, etc.
Reviews appear on the product page and are public. You may request modification or deletion at privacy@europe-pen.com.
10. Blog
Commenting may require registration (name, e-mail). The display name can be public; other data are not. No disclosure to third parties.
Basis: Art. 6(1)(b) / Art. 6(1)(f) GDPR.
11. Social media presences
We maintain company pages on Facebook (Meta), Instagram (Meta) and LinkedIn to communicate with users and present our business.
In addition to Europe Pen GmbH, platform operators act as joint controllers.
- Facebook (Meta Platforms Ireland Ltd., Dublin, IE) – Privacy: https://www.facebook.com/about/privacy
- Instagram (Meta Platforms Ireland Ltd., Dublin, IE) – Privacy: https://help.instagram.com/519522125107875
- LinkedIn (LinkedIn Ireland Unlimited Company, Dublin, IE) – Privacy: https://www.linkedin.com/legal/privacy-policy
- Basis: Art. 6(1)(f) GDPR (communication/public presence). Where the platform collects consent, the basis is Art. 6(1)(a) GDPR.
Operators may process usage data (IP, device, interactions) and transfer outside the EU (e.g., USA). We do not control scope/purposes; please consult their privacy notices.
We receive aggregated/anonymous statistics (“Insights”) to improve our content.
Rights requests: preferably contact the platform operator (controller of the data). You may also contact us at privacy@europe-pen.com; we will assist.
12. Printing & shipping
To fulfil printing/production and delivery orders, we share necessary data with printing and shipping providers (e.g., delivery address, production data). Basis: Art. 6(1)(b) GDPR.
C. Your rights
Subject to legal conditions, you have the following rights (Arts. 15–22 GDPR; Spain’s LOPDGDD Title III; France’s Loi Informatique et Libertés):
- Access (Art. 15)
- Rectification (Art. 16)
- Erasure (Art. 17)
- Restriction (Art. 18)
- Portability (Art. 20)
- Objection (Art. 21)—especially to direct marketing
- Complaint to a supervisory authority (Art. 77 GDPR).
Contact for rights: privacy@europe-pen.com
Supervisory authorities:
- Germany: competent State (Land) authority for our registered office.
- France: CNIL – www.cnil.fr
- Spain: AEPD – www.aepd.es
- Other EU Member States: your national authority.
D. Updates to this policy
We may update this policy when services or laws change. Material changes affecting your rights will be communicated appropriately (e.g., on the website or by e-mail).