PRIVACY POLICY.

1. Definitions
This privacy policy is based on the following terms from the General Data Protection Regulation, which we have defined for ease of understanding.  

  • GDPR refers to the Regulation (EU) 2016/679 of the European Parliament and of the European Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
  • The recipient is a natural or legal person, public authority, agency or any other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the context of a particular enquiry, in accordance with Union or Member State law, shall not be regarded as recipients; the processing of such data by public authorities shall comply with the applicable rules on data protection and the purposes of the processing;
  • Personal data refers to any information relating to an identified or identifiable natural person (“data subject’s personal data”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.  
  • The data controller is the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or Member State law, the controller or the specific criteria for its nomination may be determined by Union law or Member State law. For the data processing activities described in this privacy policy, BMW Lifestyle Store is the data controller unless otherwise specified (see Article 1.2.).  
  • Processing refers to any operation or set of operations which is performed on personal data or on a set of personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
  • The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the data controller.

2. PURPOSES, LEGAL GROUNDS AND RETENTION PERIODS FOR OUR PROCESSING OF YOUR PERSONAL DATA
We may only process personal data for a reason specified in the GDPR and only as long as and to the extent that it is necessary for purposes specified in this section of the privacy policy or based on legal requirements. Such a reason is called a basis. The possible bases are listed in Article 6 of the GDPR. In the following, we indicate per processing purpose on which legal basis we process, for which purposes and for how long we (must) store your personal data.

2.1. Processing of your data when you visit our websites
If you visit our websites to learn more about our products and services, without registering for a customer account, purchasing products in our online shop or otherwise actively transferring information to us (for information purposes only), we process your personal data for the following purposes and on the following legal bases:
 
2.1.1. Provision of websites and IT security
We process your personal data that is technically necessary to enable us to make our websites available and to ensure stability and security when you visit them. This includes the following personal data:

  • IP address
  • Type and version of the browser
  • Operating system and platform
  • The full Uniform Resource Locator (URL)

For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days. This data processing is technically necessary to enable you to use our websites (legal basis: Article 6(1)(b) GDPR) and for our legitimate interest in ensuring IT security (legal basis: Article 6(1)(f) GDPR). 
 
2.1.2. Provision of localised websites
We also process your personal data that is technically necessary to enable us to provide you with a localised version of the websites, in particular with regard to language. This data processing is necessary for our legitimate interest in adapting our website to your needs (legal basis: Article 6(1)(f) GDPR). For security purposes, this personal data is stored in server log files, which are automatically deleted after 30 days.

2.1.3. Website analysis

In this case, a permanent opt-out cookie (name: “ga-disable-UA-[…]”) is set in the browser you are currently using, which prevents your data from being recorded when you visit our websites with this specific browser in the future. If you use a different browser, Google Analytics is in principle enabled, unless the opt-out cookie is also set in this browser. Please note that Google Analytics will be re-enabled if you delete the above opt-out cookie from your browser.

2.1.4. Individual recommendations on our websites
When you visit our web pages, we use Google AdWords to process data on your user behaviour, such as products viewed, contents of your shopping cart, etc., in order to show you individual recommendations on our websitesate interest in creating a better user experience by providing customised recommendations (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Unsubscribe from individual recommendations:
You can object to this data processing by clicking on the following unsubscribe link:

2.1.6. Use of cookies
We use cookies on our website. Cookies are small text files that are stored in the browsers of your end devices when you visit our websites. Cookies allow your actions and settings on our websites to be tracked, saved and recognised for the duration of the browser session or even beyond. In addition, cookies and their respective cookie identifiers ensure that your browser is recognised. After leaving the website, you can, for example, restore the contents of your shopping basket or see the last viewed products. For more information on the use of cookies on our websites, the cookie categories and for individual settings, please see our cookie settings. This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.

2.1.7. Customer service
Depending on the subject of your request, we rely on your personal data stored in our systems in the context of other data processing activities (e.g. data that you have provided during a purchase or when addressing our customer service for any reason). We will also collect data from external sources (e.g. logistics service providers as part of the tracking of your shipment or a request) if and to the extent necessary to fulfil your request. Within the scope of the requests regarding a (pre-)contractual relationship with you, this data processing is necessary for the performance of a contract (provision of customer service) with you (legal basis: Article 6 para. 1 lit. b GDPR). If you want to exercise your rights against us, the corresponding data processing is necessary in order to comply with a legal obligation (legal basis: Art. 6(1)(c) GDPR). If you wish to receive information or make a complaint about our products and services, the respective data processing is necessary for our legitimate interest in responding to your information request/complaint (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 12 months.

2.2. E-mail marketing

2.2.1. Sending the e-mail newsletter to subscribers
If you have subscribed to our e-mail newsletter, we will send you newsletters from time to time to inform you about our products, services and offers. This data processing is based on your consent (legal basis: Article 6(1)(a) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Withdrawal of consent:
You can withdraw your consent and subscription to our newsletter at any time by sending an e-mail with your unsubscribe request to our customer service ({insert email address}) and/or by clicking on the “Unsubscribe” link at the bottom of each newsletter. These data will be processed until the consent is withdrawn.

2.2.2. E-mails for direct marketing to existing customers
After purchasing items, regardless of whether you have subscribed to our newsletter (see Article 2.2.1), we may send you marketing emails for similar products and services. This data processing is based on our legitimate interest to advertise our products and services (legal basis: Article 6(1)(f) GDPR).This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Objection to e-mails for direct marketing:

2.2.3. Personalising emails with targeted marketing for existing customers
If you are a customer, we may personalise our targeted marketing e-mails sent to you based on your preference/interest profile derived from data from your previous purchase(s) over the past two years. This data processing is necessary in view of our legitimate interest to tailor our targeted marketing e-mails to your preferences and interests and thus to make our e-mail marketing efforts more efficient (legal basis: Art. 6(1)(f) GDPR. This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Objection to our newsletter/targeted marketing

2.3. Product ratings and reviews
We offer you the opportunity to rate any (purchased) products on our websites where we work with Trustpilot as a third party processor. Your feedback helps other customers to make the right purchase decision and enables us to continuously improve our products. If you would like to submit a review for one of our products, you will receive an invitation from Trustpilot and the following data will be processed: your email address, the name under which the review will be submitted and also the content of your review (e.g. the product being reviewed, the star rating, title and text of the review, recommendation). Your e-mail address is processed to verify and establish your identity. If you have given your consent to Trustpilot before submitting your review, you agree to Trustpilot’s terms and conditions and an account will be created. In this case, Trustpilot is the data controller for the data you provide. See also Trustpilot Legal – privacy policy. As your (star) rating and the content of your rating may be published with your consent alongside your given name, please ensure that you do not include any personal information that you do not wish to be made public.
This data processing in providing this opportunity for feedback is necessary for our legitimate interest in providing customer service and recommendation marketing (Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below. Data processing when you agree to the publication of the assessment is based on your prior consent to publication (Article 6(1)(a) GDPR). These data will be kept until the consent is withdrawn.

2.4. Registration and creation of a customer account
When you visit our websites, you can create a customer account. The registration for a customer account requires you to provide personal data. Mandatory fields are marked as such in the form. This data processing is necessary for the performance of a contract (provision of a customer account) with you (legal basis: Article 6(1)(b) GDPR). We retain this data for as long as you are an active customer of ours. According to the law, we have to keep the data related to contractual relationship for 7 years. If you do not log in for 7 years, your account will automatically be deleted. In addition, you can review, modify or delete your data yourself in the account environment or make a request as described in Articles 5 to 7.

2.5. Data processing in the case of orders in the online shop
In addition, we process your personal data in connection with the purchase of items in our online shop.

2.5.1. Purchase and payment of goods in the online shop
We process your personal data (such as contact details, shipping and payment information) when you purchase items from the online shop. If you purchase items for another person (a third party), we will process the third party’s personal data (name and contact details) for the purpose of shipping the items to that third party. Make sure you are authorised to provide such data. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.

2.5.2.Emails about an abandoned shopping cart
If you have started an order process with your customer account, but have not yet completed it, we will send you a reminder e-mail to the e-mail address stored in the customer account with regard to the purchase process you initiated. This data processing is necessary for our legitimate interest to remind you of any purchasing processes you have not yet completed (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.
Objection to e-mails about an abandoned shopping cart:

2.5.3. Fraud and credit check
We check, based on your device and predefined rules, whether the order should be categorised as suspicious with regard to fraud. If fraud is suspected, we will additionally carry out an individual check of the order. The result of this manual fraud check may be positive, which would lead to the order being approved. However, if the suspicion of fraud persists, we may decide to cancel the order, depending on the specific case. This data processing is necessary for our legitimate interest in preventing payment defaults and fraud (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.

2.5.4. Cancellation of purchase
In all cases of cancellation of the purchase (e.g. withdrawal from the contract), we will process your personal data for the return of the items and the refund of the purchase price. This data processing is necessary for the performance of a contract with you (legal basis: Article 6(1)(b) GDPR) and/or to comply with a legal obligation (legal basis: Article 6(1)(c) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.

2.5.5. Emails inviting product ratings and reviews
We would like to know if you are satisfied with your purchased items from BMW Lifestyle Store. For this purpose, we process your e-mail and purchase data (e.g. purchased and the date of purchase) in order to be able to send you an e-mail within one month after the purchase, inviting you to review the purchased products (further information on data processing regarding the submission of product reviews can be found in Article 2.3). This data processing is necessary for our legitimate interest in providing good customer service and marketing (legal basis: Article 6(1)(f) GDPR).
You can object to invitation emails for product ratings and reviews by sending an email to {insert email address}. If you have already received an e-mail inviting you to evaluate the product, you may refuse to receive such e-mails in future by clicking on the “Unsubscribe” link in each invitation e-mail. This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.

2.6. Other processing

2.6.1. Performing internal audits
Your personal data may be processed in the context of audits conducted in relation to the organisation of BMW Lifestyle Store, both at home and abroad. During this process, depending on the case, we also rely on data from other sources (e.g. credit bureaus).  
Your data may also be processed appropriately under certain circumstances in order to identify and correct misconduct within the company and to implement compliance programs and measures. This data processing is necessary in order to comply with our legal obligations (legal basis: Article 6(1)(c) GDPR) and/or for our legitimate interest to monitor processes and efficiency within BMW Lifestyle Store, to correct misconduct and fraud cases, to enforce and/or defend our rights and to find out about possible criminal offences (legal basis: Article 6(1)(f) GDPR). According to the law, we must retain the data related to contractual relationships for 7 years.

2.6.2. Performing analyses
Based on your data, which we process in accordance with the meaning of Article 2 of this privacy policy, we can perform analyses. These serve as a basis for our business decisions, to improve our products and services, to adapt to the needs of our customers and to carry out marketing activities. The analyses made on this basis are no longer personal, so it is no longer possible to trace them back to you. This data processing is necessary for our legitimate interest to improve our products and services and to conduct marketing activities (legal basis: Article 6(1)(f) GDPR). This data will be kept for a maximum of 24 months or until a decision to unsubscribe is made as described below.

2.7. Protecting your data
We secure our website and other systems against loss, destruction, unauthorized access, modification or distribution of your data by unauthorized persons by implementing the appropriate technical and organizational measures. Furthermore, your personal data is transmitted to us in encrypted format. This applies to your order and when you log in as a customer. We use the SSL (Secure Socket Layer) coding system.

3. Retention and deletion of your personal data
We will only store your personal data for as long and as far as is necessary for the purposes mentioned in this privacy policy (Article 2) or as long and as far as we are legally obliged to do so, legal storage periods can be up to 10 years in some cases.

5. Right to object to data processing on the basis of legitimate interests
We process your personal data within the meaning of Article 2, based on our legitimate interest to ensure IT security on our websites, to adapt our website to your needs, to perform analyses and marketing activities, to inform you about our products and services, to remind you about purchases that have not yet been completed, to extend the reach of our products and marketing activities, to prevent fraud and abuse, to prevent non-payment, to take care of our customers, to secure, strengthen and improve our legitimate interest (including in court if necessary) and to carry out our international management and cooperation. Please contact [email protected] for information on the balancing of interests by BMW Lifestyle Store. Notwithstanding the specific possibilities to object to the processing of data described in Article 2 (e.g. the links to unsubscribe), you have the right to object at any time to the processing of your personal data on the basis of our legitimate interests in accordance with Article 6(1)(f) GDPR for reasons relating to your particular situation by sending an e-mail to [email protected]. We will then no longer process your data for these purposes, unless our legitimate interests for processing outweigh them or the processing is for the establishment, exercise, or substantiation of legal claims. If you object to the processing of your data, we will process the personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR).

 6. Right to withdraw consent
If you have given us permission to process your personal data, you can withdraw this permission at any time. The withdrawal of your consent is effective for the future and does not affect the lawfulness of processing based on consent before the withdrawal. Unless specifically provided for in Article 2, please send your withdrawal of consent to [email protected].
If you withdraw your consent, we will process your personal data collected in this context in order to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) GDPR). 

7. Your other data protection rights
In accordance with the GDPR, you can demand that we:

  • Provide you with information on your personal data that we process (Article 15 GDPR)
  • Rectify your personal data stored on our systems (Article 16 GDPR)
  • Delete your data (Article 17 GDPR)
  • Restrict your data (Article 18 GDPR)
  • Export your data (Article 20 GDPR)

Please send your request with at least your first and last name by e-mail to [email protected] or in writing to stichd sportmerchandising bv, de Oude Hulst 1 5211 HC ‘s-Hertogenbosch, the Netherlands.If you exercise these rights against us, we will process your personal data to respond to your request. This data processing is necessary in order to fulfil a legal obligation (legal basis: Article 6(1)(c) under GDPR). Regardless of your rights mentioned above, you may lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data by BMW Lifestyle Store is in breach of the GDPR (Article 77 GDPR).

8. Changes to this privacy policy
The provisions of this privacy policy, including the information on cookies referred to, apply to the version in force at the time the online shop is used. We reserve the right to supplement and amend the content of this privacy policy. The updated privacy policy shall apply from the time it is published on our websites. In the event of substantial or material changes to the privacy policy, in particular changes that affect the processing of your personal data already collected by us, we will inform you in advance (e.g. by e-mail or via our websites).