PRIVACY POLICY

1. Introduction

With the following information, we would like to provide you, as the “data subject,” with an overview of the processing of your personal data by us and your rights under data protection laws. The use of our website is generally possible without entering personal data. However, if you wish to use special services of our company via our website, processing of personal data may become necessary. If the processing of personal data is required and there is no legal basis for such processing, we generally obtain your consent.

The processing of personal data, such as your name, address, or email address, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in accordance with the country-specific data protection regulations applicable to “Zimmermann-Graeff & Müller GmbH.” Through this privacy policy, we would like to inform you about the scope and purpose of the personal data we collect, use, and process.

As the controller, we have implemented numerous technical and organizational measures to ensure the most complete protection possible for the personal data processed through this website. However, internet-based data transmissions can generally have security gaps, so absolute protection cannot be guaranteed. For this reason, you are free to transmit personal data to us via alternative means, such as by telephone or post.

You too can take simple and easy-to-implement measures to protect yourself against unauthorized access to your data by third parties. Therefore, we would like to provide you with some tips on the secure handling of your data:

  • Protect your account (login, user, or customer account) and your IT system (computer, laptop, tablet, or mobile device) with secure passwords.
  • Only you should have access to the passwords.
  • Ensure that you only use your passwords for one account (login, user, or customer account).
  • Do not use one password for different websites, applications, or online services.
  • Especially when using publicly accessible IT systems or those shared with other people: you should definitely log out after every login to a website, application, or online service.

Passwords should consist of at least 12 characters and be chosen so that they cannot be easily guessed. Therefore, they should not contain common everyday words, your own name, or the names of relatives, but should include uppercase and lowercase letters, numbers, and special characters.

2. Controller

The controller within the meaning of the GDPR is:

Michel Schneider Nachf. Weinkellerei und Weingroßhandel GmbH
Managing Directors: Joseph Helfrich, Frédéric Helfrich, Matthias Schwunk
Kurfürstenstraße 11
76887 Bad Bergzabern

Phone: 06542/419-0
Email: info@zgm.de

Representatives of the controller: Joseph Helfrich, Frédéric Helfrich, Matthias Schwunk, Horst Hillesheim

3. Data Protection Officer

You can reach the data protection officer as follows:
Stefan Auer

Phone: 0911 148986 50
Fax: 0911 148986 59
Email: office@ascon-datenschutz.de

You can contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Definitions

The privacy policy is based on the terminology used by the European legislator when enacting the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used in advance.

We use the following terms, among others, in this privacy policy:

  1. Personal Data: Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  2. Data Subject: A data subject is any identified or identifiable natural person whose personal data is processed by the controller (our company).
  3. Processing: Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  4. Restriction of Processing: Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
  5. Profiling: Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
  6. Pseudonymization: Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
  7. Processor: Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  8. Recipient: Recipient means a natural or legal person, public authority, agency, or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
  9. Third Party: Third party means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
  10. Consent: Consent of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

5. Legal Basis for Processing

Art. 6 (1) lit. a GDPR (in conjunction with Section 25 (1) TDDDG (formerly TTDSG)) serves our company as the legal basis for processing operations for which we obtain consent for a specific processing purpose.

If the processing of personal data is necessary for the performance of a contract to which you are a party, as is the case, for example, with processing operations necessary for the delivery of goods or the provision of any other service or consideration, the processing is based on Art. 6 (1) lit. b GDPR. The same applies to such processing operations that are necessary to carry out pre-contractual measures, for example in cases of inquiries about our products or services.

If our company is subject to a legal obligation by which processing of personal data becomes necessary, such as for the fulfillment of tax obligations, the processing is based on Art. 6 (1) lit. c GDPR.

In rare cases, the processing of personal data could become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured in our company and then his name, age, health insurance data, or other vital information had to be passed on to a doctor, a hospital, or other third parties. Then the processing would be based on Art. 6 (1) lit. d GDPR.

Ultimately, processing operations could be based on Art. 6 (1) lit. f GDPR. Processing operations that are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of our company or a third party, provided that the interests, fundamental rights, and freedoms of the data subject do not prevail. Such processing operations are permitted to us in particular because they were specifically mentioned by the European legislator. In this respect, it took the view that a legitimate interest could be assumed if you are a customer of our company (Recital 47 Sentence 2 GDPR).

Our offer is generally aimed at adults. Persons under the age of 16 may not transmit any personal data to us without the consent of their parents or legal guardians. We do not request personal data from children and adolescents, do not collect them, and do not pass them on to third parties.

6. Transfer of Data to Third Parties

A transfer of your personal data to third parties for purposes other than those listed below does not take place.

We only pass on your personal data to third parties if:

  1. You have given us your express consent according to Art. 6 (1) lit. a GDPR,
  2. The transfer is permissible according to Art. 6 (1) lit. f GDPR to protect our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data,
  3. In the event that there is a legal obligation for the transfer according to Art. 6 (1) lit. c GDPR, and
  4. This is legally permissible and required according to Art. 6 (1) lit. b GDPR for the processing of contractual relationships with you.

In order to protect your data and, if necessary, to enable us to transfer data to third countries (outside the EU/EEA), we have concluded data processing agreements based on the Standard Contractual Clauses of the European Commission. If the Standard Contractual Clauses are not sufficient to establish an adequate level of security, your consent according to Art. 49 (1) lit. a GDPR can serve as the legal basis for the transfer to third countries. This sometimes does not apply to data transfers to third countries for which the European Commission has issued an adequacy decision according to Art. 45 GDPR.

Within the framework of the processing operations described in this privacy policy, personal data may be transferred to the USA. Companies in the USA only have an adequate level of data protection if they have certified themselves under the EU-US Data Privacy Framework and the adequacy decision of the EU Commission according to Art. 45 GDPR therefore applies. We have explicitly mentioned this for the service providers concerned in the privacy policy. To protect your data in all other cases, we have concluded data processing agreements based on the Standard Contractual Clauses of the European Commission.

7. Technology

7.1 SSL/TLS Encryption
This site uses SSL or TLS encryption to ensure the security of data processing and to protect the transmission of confidential content, such as orders, login data, or contact requests that you send to us as the operator. You can recognize an encrypted connection by the fact that the address line of the browser changes from “http://” to “https://” and by the lock symbol in your browser line. We use this technology to protect your transmitted data.

7.2 Hosting by IONOS
We host our website with IONOS SE, Elgendorfer Str. 57, 56410 Montabaur (hereinafter referred to as IONOS). When you visit our website, your personal data (e.g., IP addresses in log files) are processed on IONOS’s servers. The use of IONOS is based on Art. 6 (1) lit. f GDPR. We have a legitimate interest in the most reliable presentation, provision, and security of our website. We have concluded a data processing agreement (AVV) according to Art. 28 GDPR with IONOS.

8. Cookies

8.1 General Information on Cookies
Cookies are small files that your browser automatically creates and that are stored on your IT system (laptop, tablet, smartphone, etc.) when you visit our site. The cookie stores information that arises in connection with the specific end device used. However, this does not mean that we gain direct knowledge of your identity. The use of cookies serves to make the use of our offer more pleasant for you (Session Cookies) or to optimize user-friendliness (Temporary Cookies) and for statistical purposes.

8.2 Notes on Avoiding Cookies in Common Browsers
You can delete cookies, allow only selected cookies, or completely deactivate cookies via your browser settings. (Links to Chrome, Safari, Firefox, and Edge support pages were provided in the source text).

9. Newsletter Mailing

9.1 Newsletter Mailing to Existing Customers
If you have provided us with your email address when purchasing goods or services, we reserve the right to regularly send you offers for similar goods or services from our range by email. According to Section 7 (3) UWG, we do not need to obtain separate consent from you for this. Processing is based solely on our legitimate interest in personalized direct advertising according to Art. 6 (1) lit. f GDPR. You can object to this use at any time.

10. Our Activities in Social Networks

To communicate with you and inform you about our services, we are represented on social media with our own pages. When you visit one of our social media pages, we are jointly responsible for the processing with the provider of the respective social media platform in the sense of Art. 26 GDPR.

10.1 Facebook / 10.2 Instagram
(Joint) Controller in Europe: Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Meta may process content from adult users in the EU (photos, posts, comments) to train its own AI models, unless an objection is made. This is based on legitimate interest (Art. 6 (1) lit. f GDPR). We as a company have no influence on this specific processing.

11. Your Rights as a Data Subject

11.1 Right to Confirmation: You have the right to request confirmation as to whether personal data concerning you are being processed.

11.2 Right of Access (Art. 15 GDPR): You have the right to obtain free information about your stored personal data and a copy of this data.

11.3 Right to Rectification (Art. 16 GDPR): You have the right to request the rectification of inaccurate personal data.

11.4 Right to Erasure (Art. 17 GDPR): You have the right to demand that personal data concerning you be deleted immediately, provided one of the legal reasons applies.

11.5 Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing under certain conditions.

11.6 Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.

11.7 Right to Object (Art. 21 GDPR): You have the right to object to the processing of your personal data at any time for reasons arising from your particular situation. This also applies to direct marketing and related profiling.

11.8 Right to Withdraw Consent: You have the right to withdraw your consent to the processing of personal data at any time with effect for the future.

11.9 Right to Lodge a Complaint: You have the right to complain to a data protection supervisory authority.

12. Routine Storage, Erasure, and Blocking of Personal Data

We process and store your personal data only for the period necessary to achieve the storage purpose or as provided for by law. If the purpose no longer applies or a storage period expires, the data is routinely blocked or deleted.

13. Duration of Storage

The criterion for the duration of storage is the respective legal retention period. After the period has expired, the corresponding data are routinely deleted, provided they are no longer required for contract fulfillment or contract initiation.

14. Validity and Changes to the Privacy Policy

This privacy policy is currently valid and is dated: January 2026.

Due to the further development of our website or changed legal requirements, it may be necessary to change this privacy policy. The current version can be accessed and printed at any time at: https://michel-schneider-weine.com/datenschutz.