Privacy policy

We, Carrera Toys GmbH ("Carrera/we"), are pleased that you are visiting our website. In the following provisions, we inform you about the nature, scope and purpose of the collection and use of your personal data on this website as well as in the context of the services we offer.

Personal data is any information relating to an identified or identifiable natural person. This includes, in particular, your name, address and e-mail address.

Please read the Privacy Policy carefully before using this website. We reserve the right to amend parts of this Privacy Policy at our sole discretion and as required by law. Therefore, please check this Privacy Policy periodically for any changes.

1. Data processing to enable the use of the website

Every time you access the content of our website, connection data is transmitted to our web server. This connection data includes:

  • the IP address (Internet Protocol address) of the respective users,
  • the date and time of the request,
  • the referrer URL,
  • device numbers such as UDID (Unique Device Identifier) and comparable device numbers, device information (e.g. device type) and
  • the browser type/version.

This connection data is not used to draw conclusions about the person of the user or combined with data from other data sources, but is used to provide the website. The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR. After 7 days at the latest, the data will be anonymized by shortening the IP address at the domain level.

2. Data processing on request

As a rule, it is possible to use our website without providing any personal data. You are not obliged to access this website or provide any personal data. However, the provision of personal data is required, for example, to receive newsletters or in the case of registration. If you do not provide us with personal data for the purposes listed below, you may not be able to use the functionalities of this website or any of these services.

2.1. Merchant service "B2B Portal"

If you register with us as a dealer and use the dealer service or the B2B portal on our website, your details will be processed by us for this purpose. Details about the B2B portal can be found in the instructions in our portal under https://b2b.carrera-revell.com.

Your personal data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.

2.2. Newsletter

If you have expressly consented, you will receive our newsletter. To receive our newsletter, it is sufficient to provide your e-mail address. The provision of any additional personal information is voluntary, marked accordingly (*) and serves only to personalize the newsletter for you.

To subscribe to our newsletter, we use the so-called double opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month.

The processing of your personal data is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. There is no legal or contractual obligation to provide the personal data. The only consequence of not giving consent is that you will not receive an e-mail newsletter. You can revoke your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal. There is a link at the end of each newsletter to exercise your right of withdrawal. Alternatively, you can revoke your consent at any time, e.g. by sending an e-mail to shop@carrera-toys.com.

As part of the registration for a newsletter, we also store your IP address and the time of registration in order to be able to fulfil our legal documentation obligation. In this case, the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. c GDPR.

2.3. Registration as a customer

If you would like to register with us as a customer, we will collect the necessary mandatory information (name, country, e-mail address, password) from you, which will be marked accordingly (*). The submission of any additional information about yourself is voluntary.

Registration is not necessary, but it will make the ordering process easier for you for future orders, as you can reuse the data you have already saved. Alternatively, you can place an order as a guest. In this case, with the exception of a password, we will collect the same data from you as when you registered. However, this data is not stored in a customer account for you, so you do not have access to a customer account.

After registration, the login is done by entering your e-mail address and password. Please always make sure that you log out before leaving the website.

When using a password, please take appropriate security measures. For example, a password should be at least 8 characters long and, if possible, always consist of a combination of letters in upper and lower case, numbers and special characters. In this respect, trivial passwords such as "ABC" or keyboard sequences (e.g. "qwert" or "asdfgh"), all kinds of names (e.g. of friends, acquaintances, colleagues, family members, pets), city and building names, cartoon characters, car brands, license plates, terms, dates of birth, telephone numbers, common abbreviations, etc. are problematic.

The processing of your personal data is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. Please note that in the event of a revocation, any bonus points collected will be forfeited without replacement.

In addition, your IP address and the time of registration will be stored by us as part of the registration. This is necessary to ensure the security of our information technology systems. In this case, the legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR.

2.4. Login

If you are registered as a customer, you can access your customer account via the login function on this website. The login is done by entering your e-mail address and password.

Login data must be kept strictly confidential. If a disclosure has nevertheless taken place, for example to enable access to certain data by third parties in an emergency, the password must be changed immediately. For your own protection, it is prohibited to reuse passwords that have already been used.

In addition, your IP address and the time of access are stored by us as part of a login. This is necessary to ensure the security of our information technology systems.

We also set a session cookie every time you log in. This session cookie prevents automatic logout during the active use of the account or related services. After logging out, the session cookie is automatically deleted within a few minutes.

The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR and, insofar as your contractual relationship is concerned, Art. 6 para. 1 sentence 1 lit. b and/or f GDPR.

2.5. Wish list

If you are a customer (see No. 2.4. f.), you can add individual products from the shop to your wish list. Until you unsubscribe, you will be able to access this wish list and see all the products you have added. In this case, the legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f GDPR. When you unsubscribe as a customer, the wish list will be automatically deleted.

2.6. Ordering in the shop

When you place an order with us, we process the following data from you:

  • Registration data from the customer account or your guest data,
  • Purchase data (order/shopping cart),
  • Payment data (payment method, account and credit card details, billing addresses)

Your personal data is processed on the basis of Art. 6 para. 1 sentence 1 lit. b GDPR.

2.7. Competitions

If you wish to participate in a competition offered by us via the website, you must first create an account. The provision of your data is necessary for the purpose of carrying out the competition. After completion of the competition, this data or the account will be deleted, provided that there are no statutory retention obligations.

The processing of your personal data is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR. There is no legal or contractual obligation to provide the personal data. The only consequence of your non-consent is that you will not be able to participate in the competition. You can revoke your consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing carried out on the basis of the consent before its withdrawal.

3. Data processing for the needs-based design of the website and tracking

In order to make the use of our website as pleasant as possible for you, we use so-called web tracking systems. Cookies are usually used for this purpose, i.e. small text files that are sent to your browser by a web server and stored on your computer's hard drive. This enables us to recognise the device you are using when using our shop. In this way, it is possible for us to determine, for example, whether you are logged in, have an active shopping cart and what the content of the shopping cart is. The session cookies used for the use of the shop are deleted after the end of the browser session. Other cookies remain on your device and allow us to recognize your device on your next visit.

Most browsers are set to automatically accept cookies. You can disable the storage of cookies in your browser and have the option of deleting them from your hard drive at any time. However, you can also use your browser to prevent the setting of certain cookies (e.g. third-party cookies), for example if you want to prevent web tracking. You can find more information about this in the help function of your browser. 

We would also like to point out that you can also install a plugin in your browser to protect your privacy, which offers the possibility to prevent tracking - e.g. AdBlock, Ghostery or NoScript (please note the privacy policy of the respective plugin provider). 

Finally, we would like to point out that if cookies are deactivated, it may not be possible to use all functions of this website to their full extent. Please also note that deactivation may have to be done for each browser and for each device.

Details of the cookies used on the website can be found in the cookie banner as well as in the following provisions. The legal basis for the processing of your data, insofar as it is set out in the following provisions in No. 4.1. et seq., follows from Art. 6 para. 1 sentence 1 lit. f GDPR. Our legitimate interest lies in the needs-based design of the website.

3.1 Cookie consent with Cookiebot

In order to be able to administer your consent to the use of tracking tools, we use the cookie consent technology "Cookiebot". The provider of this technology is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark, website: https://www.cookiebot.com/de/ ("Usercentrics"). In this context, in addition to the connection data, the granting or rejection of your consent or the revocation of consent will be transmitted to Usercentrics. In order to be able to make the appropriate assignment, Usercentrics also places a cookie in your browser.

Cookiebot is used to obtain the legally required consents for the use of cookies. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c GDPR.

3.2. Google Analytics Universal

Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operated under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). This tracking tool helps us to make the website more interesting for you and to improve the user experience. In this case, data about the use of our website is stored in pseudonymous user profiles. Cookies may also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "user ID". The information generated is usually transmitted to a Google server in the USA and stored there. We would like to point out that Google Analytics has been extended to include the "anonymizeIp" function on our website. As a result, your IP address will first be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area and only then transmitted to a Google server in the USA.

The shortening of the IP address is an additional measure in accordance with Art. 25 (1) GDPR for the protection of users, but it does not lead to the complete data processing being carried out anonymously. For example, when using Google Analytics, in addition to the IP address, other usage data is also collected, which is to be evaluated as personal data, such as identification features of the individual users, which also allow a link to an existing Google account, for example.

On our behalf, Google will use the information received to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website activity and internet usage. The pseudonymised user profiles will not be merged with personal data about the bearer of the pseudonym without a separate consent.

For more information about Google Analytics, see:

https://support.google.com/analytics/answer/2790010?hl=de 

Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. For example, Google may combine this data with other data about you, such as search history, personal account, usage data of other devices and any other data that Google has about you.

The legal basis for the use of Google Analytics is your consent, based on § 25 (1) sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that Google is a company from the United States. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection of data transfers.

3.3 Google Analytics 4

Our website uses the tracking tool "Google Analytics". This is a service provided by Google Ireland Limited, a company incorporated and operated under the laws of Ireland with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter referred to as "Google"). This tracking tool helps us to make the website more interesting for you and to improve the user experience. In this case, data about the use of our website is stored in pseudonymous user profiles. Cookies may also be used for this purpose. In addition, data from different devices, sessions and interactions can be linked to a so-called "user ID". As a rule, the generated information is first sent to a Google server within the EU.

By default, Google provides for automatic anonymization of users' IP addresses as soon as user data is collected. In addition, the IP addresses are neither logged nor stored by Google. However, the shortening of IP addresses does not mean that the complete data processing is carried out anonymously. For example, when using Google Analytics, usage data is collected that is to be evaluated as personal data, such as identification features of individual users, which also allow a link to an existing Google account, for example.

On our behalf, Google will use the information obtained via Google Analytics to evaluate your use of our website, to compile reports on website activity and to provide us with other services related to website activity and internet usage. The pseudonymised user profiles will not be merged with personal data about the bearer of the pseudonym without a separate consent.

For more information about Google Analytics, see:

https://support.google.com/analytics/answer/12017362

Please note that Google also has independent access to your data collected via Google Analytics and may also use this data for its own purposes. For example, Google may combine this data with other data about you, such as search history, personal account, usage data of other devices and any other data that Google has about you.

The legal basis for the use of Google Analytics is your consent, based on § 25 (1) sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that Google is a company from the United States. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection of data transfers.

3.4. YouTube

Our website uses plugins from YouTube, which is operated by Google. If you visit one of our websites equipped with a YouTube plugin and actively click on the corresponding field, a connection to YouTube's servers is established. In doing so, the YouTube server is informed which of our websites you have visited. If you are logged in to your YouTube account, you allow YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The legal basis for the use of YouTube is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. If you still want to consent to the use of this tool, you can select this via the cookie banner.

Further information on the handling of user data can be found in YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

3.5. Google Tag Manager

We use the Google Tag Manager "GTM". Through this service from Google, website tags can be managed via an interface. However, the GTM only implements tags. In this respect, no cookies are used. The GTM only triggers other tags, which in turn may collect data, but the GTM does not access that data. The data is evaluated exclusively in the respective tool (see the tools listed in section 4 for details). However, the GTM collects your IP address as well as the online identifiers (including cookie identifiers), which may also be transmitted to Google in the United States. Additional information on the GTM can be found at https://support.google.com/tagmanager/answer/6102821?hl=de

The legal basis for the use of GTM is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection of data transfers.

3.6. Address Validation

To reduce delivery errors, we use Google's Address Validation API. The Address Validation API can be used to determine whether an entered address points to a real location or contains any errors. For this purpose, your IP address and the content you have entered in the address field will be transmitted to Google. If, for example, the address entered is incomplete, a correction recommendation is made via the Address Validation API, which you can accept. Alternatively, you will be asked to correct the address you entered.

The legal basis for the use of the Address Validation API is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection of data transfers.

3.7. AWIN

We have integrated "AWIN" into our website. AWIN is an affiliate marketing software provided by AWIN AG, Eichhornstraße 3, 10785 Berlin, Germany. AWIN allows registered providers ("Advertisers") to advertise their online goods and services through programs. For this purpose, the registered persons with AWIN (so-called "publishers") make their advertising space, such as websites, available to the "advertisers". We are registered with AWIN as a "publisher", i.e. we provide the "advertisers" with advertising space (through links) on our website.

As part of its tracking services, AWIN stores cookies on the end devices of users who visit or use websites or other online offers of advertisers (e.g. when placing an online order) to document transactions. These cookies are used for the sole purpose of correctly attributing the success of an advertising medium and the corresponding billing within the network. In the AWIN tracking cookies, an individual sequence of digits, which cannot be assigned to the individual user, is stored, which documents the affiliate program of an advertiser, the publisher and the time of the user's action (click or view). In doing so, AWIN also collects information about the device from which an action is performed, e.g. the operating system and the browser.

The legal basis for the use of AWIN is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.

For more information on AWIN's use of data, please refer to the company's privacy policy: https://www.awin.com/de/rechtliches

3.8. Country.is

In order to be able to redirect the user to the webshop that suits him or her (e.g. the US webshop), we use the so-called geo-location of "Country.is". Country.is is an open-source geolocation API that determines a user's country (and nothing else) based on their IP address. IP-based geolocation is the mapping of an IP address or MAC address to the real-world geographic location of a computer or mobile device connected to the Internet. Geolocation is the process of mapping IP addresses to country, region (city), latitude/longitude, ISP, and domain name, among others. On this basis, the user is automatically redirected to the webshop that is suitable for him/her.

3.9. Azure Content Delivery Network

On our website we use "Azure Content Delivery Network" from Microsoft, a service of Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

With Azure Content Delivery Network, we can reduce load times and improve performance for our high-bandwidth website content by distributing user requests and serving them directly from Microsoft servers. When you access website content, you connect to Microsoft servers, whereby your IP address and, if applicable, browser data such as your user agent, but also the time and date of your visit to the website are transmitted. This data will be processed exclusively for the purposes mentioned above and to maintain the security and functionality of Azure Content Delivery Network. The specific storage period of the processed data cannot be influenced by us, but is specified by Microsoft. Additional information can be found at: https://azure.microsoft.com/de-de/support/legal/.

The legal basis for the use of Azure Content Delivery Network is your consent, based on § 25 (1) sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 (1) sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that the provider is a company from the USA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. The new EU standard data protection clauses have been agreed as appropriate safeguards to ensure an adequate level of protection of data transfers.

3.10. Findologic

On our website, we use the service of Findologic GmbH, Jakob-Haringer-Str. 5a, 5020 Salzburg ("Findologic") to provide a search function for our articles as well as for navigation. Cookies are used for the aforementioned service and various data are transmitted to Findologic. This includes, in particular, the IP address and browser data of the users as well as related behavioral data resulting from the search queries. On the one hand, this allows us to optimize the shopping experience for our users and, on the other hand, to better understand which products our users are most interested in. For further information on Findologic's privacy policy, please visit: https://findologic.com/datenschutz/  

The legal basis for the use of Findologic is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner.

3.11. Facebook Pixel

In the case of the so-called "Meta Pixel", an invisible Meta pixel is integrated into our website, which is used by Meta Platforms Ireland Limited (formerly Facebook Ireland Limited), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Meta") to analyse the online behaviour of each website visitor. The Meta pixel makes it possible to transmit customer data such as first name, last name, email address, etc. to Facebook and enrich it with existing tracking data. For example, it is possible to collect data from non-Facebook users or to record users who are not logged in to Facebook while visiting a website. As a result, website visitors are tracked via Meta, which deliberately prevents the storage of third-party cookies. For example, if you add a vehicle to your shopping cart and cancel the purchase process, Meta will receive this information. We then have the opportunity to target you with an advertisement on Facebook. However, it is also possible to use the Meta pixel to acquire new customers in a targeted manner and to address new people who are similar to website visitors.

In addition to us, Meta itself is also responsible for data processing. Meta's processing of the data is carried out in accordance with Meta's Data Use Policy. For details, see Meta's Data Usage Policy. For specific information and details about the Meta Pixel and how it works, see the help section of Meta.

In this respect, we are jointly responsible with Meta for the processing of your personal data within the meaning of Art. 26 GDPR. In this case, you can assert your rights (see Section 11) against us as well as against Meta. However, Meta serves as the first port of call. We have entered into a joint controllership agreement with Meta for the processing of personal data. This can be viewed at the following link: https://www.facebook.com/legal/controller_addendum.

The legal basis for the use of the Meta Pixel is your consent, based on § 25 para. 1 sentence 1 TTDSG for the storage and access to information in terminal equipment as well as Art. 6 para. 1 sentence 1 lit. a GDPR for our further processing of your data. You give your consent via our cookie banner. Please note that Meta is a company from the United States. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. In the event that data is transferred to Meta Platforms Inc. in the USA, the new standard data protection clauses have been agreed between Meta Platforms Ireland Limited and Meta Platforms Inc.

3.12 Vimeo

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

When you visit one of our pages equipped with Vimeo videos, a connection to Vimeo's servers is established. In doing so, the Vimeo server is informed which of our pages you have visited. In addition, Vimeo obtains your IP address. However, we have set Vimeo so that Vimeo will not track your user activity and will not set cookies.

The use of Vimeo is in the interest of an appealing presentation of our online offers. This constitutes a legitimate interest within the meaning of Art. 6 (1) (f) GDPR. If a corresponding consent has been requested, the processing is carried out exclusively on the basis of Art. 6 (1) (a) GDPR; the consent can be revoked at any time.

The transfer of data to the USA is based on the EU Commission's standard contractual clauses and, according to Vimeo, on "legitimate business interests". Details can be found here: https://vimeo.com/privacy.

For more information on the handling of user data, please refer to Vimeo's privacy policy at: https://vimeo.com/privacy.

4. Links to other websites

Our website contains links to other websites such as the Carrera Club website or to social networks (Facebook, YouTube, Instagram). These websites are partly operated by us and partly by third parties. If you follow the links, information may be transmitted to these third parties in the latter case. The purpose and scope of data collection by third-party websites as well as the further processing and use of your data there, as well as your rights in this regard and setting options to protect your privacy, can be found in the respective data protection notices of the operators.

5. Data transfer

We only pass on your personal data to third parties or other recipients if this is necessary for the provision of services, if you have given your consent, if there is a legal obligation or if the data transfer is permissible on the basis of another legal basis. Data is passed on, for example, to the respective payment or shipping service provider, service providers for the provision of marketing services (e.g. e-mail marketing), technical service providers or – in the case of a corporate transaction – to interested parties/buyers, etc. To the extent necessary, we have concluded agreements with the recipients of your data on order processing in accordance with Art. 28 GDPR.

In addition, please note the separate privacy policies of the payment methods.

Klarna: https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/privacy

VISA: www.visaeurope.com

MasterCard: https://www.mastercard.de/de-de.html

Stripe: https://stripe.com/de/privacy

6. Social Media Presence

6.1. Data processing by Carrera and legal basis

Our social media presences (Facebook, Twitter, YouTube, LinkedIn, Xing and Instagram) serve the purpose of informing you about Carrera and Revell as well as about our new developments, services and products. Depending on what the respective providers offer, you can interact in various ways in connection with our social media presence (commenting, recommending, etc.). User interaction is an important criterion for us in conducting targeted marketing. For example, we can determine which posts users prefer to read. We therefore also use the statistics determined by the providers for our own purposes. Insofar as we process personal data of the users, the legal basis for this is Art. 6 para. 1 sentence 1 lit. f GDPR. In this case, our legitimate interest consists in particular in providing targeted information / advertising. You will be informed separately by the providers about the legal basis on which the providers process your data for their own purposes.

6.2. Shared responsibility

In individual cases, we are jointly responsible with the social media providers for the processing of your personal data. In this case, you can assert your rights (see section 11) against us as well as against the social media provider. However, the first point of contact is the social media provider.

We have entered into a joint controllership agreement with Meta (formerly Facebook) for the processing of personal data. This applies with regard to the processing of so-called "insights data". These are page statistics, in particular on the interactions of Facebook users. Details of the Insights data can be found here. Our agreement with Meta can be viewed at the following link.

Please note that Meta also processes your data outside the EU/EEA. According to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes.

With regard to the storage period of the data processed by us for our own purposes, we refer to our explanations under No. 9. In all other respects, please refer to the privacy policy of the respective social media provider.

7. Data transfer to countries outside the EU

To the extent necessary for our purposes, we will also transfer your data to recipients outside the EU if you have given your consent, if there is a legal obligation or if the data transfer is permissible on the basis of another legal basis. In this way, your data will also be transmitted to recipients based in the USA as part of data processing. Please note, however, that according to a recent ruling by the European Court of Justice (ECJ), there is no adequate level of data protection in the USA and thus a risk to the protection of your data. For example, under certain conditions, your data may be processed by U.S. authorities for control and surveillance purposes. Incidentally, we would like to refer to Art. 49 GDPR with regard to the legal basis for the transfer of data. An adequate level of data protection will be ensured in the future by concluding the new so-called EU standard data protection clauses.

8. Duration for which personal data will be stored / Criteria for determining the duration

As a matter of principle, your personal data will be stored by us for as long as it is necessary for the aforementioned purposes of processing, as long as there are no compelling reasons worthy of protection on the part of Carrera in the event of an objection or as long as there is no other legal basis for data processing in the event of a revocation.

However, in certain cases, e.g. if there is a legal obligation to retain it, your personal data will not be deleted immediately, but will be blocked first.

9. Security measures to protect your personal data

We protect your data from unauthorized access, loss or destruction by means of technical and organizational measures. Our security measures are continuously improved in line with technological developments. Our employees and all persons involved in data processing are obliged to comply with data protection-related laws and to handle personal data confidentially. Our employees are trained accordingly.

To protect the personal data of our users, we use a secure online transmission method called "Secure Socket Layer" (SSL) transmission. You can recognize this by the fact that an "s" is appended to "http://" ("https://") or a green, closed lock symbol is displayed in the address bar. By clicking on the icon, you will get information about the SSL certificate in use. The display of the icon depends on the browser version you are using. SSL encryption ensures the encrypted and complete transmission of your data.

10. Your rights

Within the framework of the legal requirements, you are generally entitled to the following from Carrera:

  • confirmation as to whether your personal data is being processed by Carrera,
  • information about this data and the circumstances of the processing,
  • rectification if this data is incorrect,
  • erasure, insofar as there is no justification for the processing and no obligation to store it (any longer),
  • restriction of processing in special cases specified by law,
  • objection in the case of data processing on the basis of Art. 6 para. 1 sentence 1 lit. f GDPR and
  • transmission of your personal data – to the extent that you have provided it – to you or a third party in a structured, commonly used and machine-readable format.

To the extent that the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time, with the consequence that the processing of your personal data will become inadmissible in the future. However, this does not affect the lawfulness of the processing carried out on the basis of consent before its withdrawal.

Please send your specific request in writing or by e-mail to our data protection officer, clearly identifying yourself:

krupna LEGAL

Dr. Karsten Krupna
Turntable 7
20354 Hamburg

E-mail: datenschutz@carrera-toys.com

Insofar as we process your data with third parties under joint responsibility within the meaning of Art. 26 GDPR, the third party is centrally responsible for exercising all rights of data subjects. However, you are free to assert your rights against us.

Finally, we would like to draw your attention to your right to lodge a complaint with the supervisory authority (Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, dsb@dsb.gv.at).

11. No automated individual decision

We do not use your personal data for automated individual decisions.

12. Changes to the Privacy Policy

New legal requirements, business decisions or technical developments may require changes to our privacy policy. The privacy policy will then be amended accordingly. You can always find the latest version on our website.

Last updated: 21.06.2023