Privacy notice in accordance with the EU-General-Data-Protection-Regulation
Last updated: May 2018
Thank you for visiting our website and for your interest in the services of Blackhawk Network GmbH. The protection and security of our customers’ and users’ data is important to us. We have therefore designed our business processes and the services offered on this website in such a way that as little personal data as possible is collected or processed. The following data protection declaration explains what personal data this is, for what purpose this data is used and how we protect it against unauthorized or unlawful use. By using this website and/or ordering the services offered, you agree to the data practices described in this data protection declaration.
We, Blackhawk Network GmbH, are the provider of this website and controller of the personal data we collect on this website or in connection with the services offered on this website within the meaning of Art. 1 GDPR (EU General Data Protection Regulation).
Our company is located at Gereonstr. 43-65, 50670 Cologne. We are a wholly owned subsidiary of Blackhawk Network Holding Inc, 6220 Stoneridge Mall Road, Pleasanton, CA 94588, USA.
If you have any questions, suggestions or complaints regarding data protection, please write to our corporate data protection officer at the above address, or by email to email@example.com.
Which data do we collect?
When you open a web page
- IP address,
- Time stamp of the access,
- Requested resource,
- Name and version of the browser software
When you use our contact form
- E-mail address
- Content of your request in text form
When you order gift cards or codes:
- First name and surname
- If necessary also a company name
- Deviating recipient name, if applicable
- e-mail address
- Deviating delivery email address, if applicable
- Postal address
- Deviating delivery address, if applicable
- Telephone number
If you make a payment to us, we additionally store the
- Invoice/booking number
and – if the payment method “Bank Transfer” or “Sofort” is selected – your
- Account details (IBAN)
When you contact our customer service
- Telephone number
- e-mail address (if applicable)
- Content of your request in text form
(customer service data)
If you register as a customer in order to be able to complete future orders without re-entering all order data, we additionally record a personal password, which is immediately encrypted so that only you know your password in plain text.
We may collect further data if and insofar as you have expressly given us your consent in individual cases.
From which sources do we collect this data?
Usually we collect browser, contact, customer service and order data directly from you when you open our website and enter data in the respective order or contact form or in conversation with our customer service.
We also offer the possibility to deliver gift cards and gift codes directly to the recipient. Therefore, you may receive a gift card from us that was purchased for you by a third party rather than you. Your name and (e-mail) address were then given to us by this third party. In this case, we assume that you accept the gift and agree to the direct delivery. If this is not the case, please contact us at the above address.
When placing an order, do not identify any third parties as recipients if they do not agree to the gift or direct delivery.
We usually do not collect payment details directly from you, but only receive it from the respective payment service provider when the payment you have instructed is being executed. For the payment method “Bank Transfer” from your house bank, for the payment method “Paypal” from PayPal (Europe) S.à r.l. et Cie, S.C.A. and for the payment method “Sofort” from Klarna Bank AB. If you pay by “PayPal or “Sofort”, we will upon completion of the order process forward you directly to the website of the chosen payment service provider for entering your payment order. The processing of your data by the payment service provider is based on our own legal relationship between you and the payment service provider, outside our area of responsibility and the subject of this data protection notice.
For what purposes and on what legal bases?
We use your data to answer your inquiries, execute and fulfil orders and carry out payment transactions including issuing invoices; on the legal basis of Art 6 Para. 1 b) and c) GDPR, in connection with the respective donation or purchase contract.
In addition, we use your data within the scope of the necessary balancing of interests to protect legitimate interests within the meaning of Art. 6 para. 1 f) GDPR and to fulfil legal obligations within the meaning of Art. 6 para. 1 c) GDPR; in particular to guarantee IT security and IT operation, to assert legal claims and defence in legal disputes, to prevent criminal offences, to comply with due diligence and risk management under anti money laundering law and to fulfil legal retention obligations. The legal basis for such use are Articles 6 Paragraph 1 c) and f) GDPR, where applicable in connection with further legal provisions, in particular Art 32 GDPR, §§ 4 – 17 of the Anti-Money-Laundering Act, § 257 of the Trade Act, § 147 Tax Act and § 14b VAT Act.
If and to the extent that you have expressly given your consent for further purposes in individual cases, we will use your data for these purposes on the legal basis of Article 6 a) GDPR in connection with the respective consent.
No use for advertising purposes and no profiling
We do not use your data for advertising purposes unless you have expressly and separately requested us to inform you about our products, services and prices. In no case we pass your data on to third parties for their own advertising purposes.
The data collected by us on this website or in connection with the services offered on this website will not be used for Automated individual decision-making including profiling within the meaning of Art 22 GDPR.
Transfer to third parties
For the purpose of delivering ordered gift cards, we transmit your address to the commissioned forwarder (e.g. Deutsche Post AG).
Processing in third countries
As part of an international group of companies with operations in various countries worldwide, we also use the facilities of our affiliated companies within the Blackhawk Group to provide our services. However, we remain controller within the meaning of the GDPR. Your data may therefore also be processed at locations in third countries outside the European Economic Area. Blackhawk ensures that your data is protected at all facilities in accordance with the high data protection level of the GDPR, as we have provided appropriate guarantees in the sense of Art 46 GDPR at all sites, which can be effectively enforced by the parties concerned.
During your visit to this website, data may be stored on your computer in the form of so-called ‘cookies’. Our ‘cookies’ serve the user-friendliness and the smooth navigation through our web pages. With the exception of a web analysis cookie (see below under Web Analysis Tools), all our cookies are so-called session cookies, which are deleted at the end of your visit to our website. We do not use so-called ‘targeting’ or ‘advertising’ cookies’, which serve advertising purposes, on this website.
You have the option of managing the storage of cookies via the settings of your web browser. If you refuse or block the storage of cookies by our websites, you can still access our websites, but many functions will not function or will not function correctly.
This website uses Google Analytics, a web analysis service of Google Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (“Google”). Google Analytics uses ‘cookies’ which enable an analysis of the use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there. The data is used in aggregated form, i.e. not assigned to you personally. Our websites are configured in such a way that your IP address is usually shortened by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area, so that it can no longer be clearly allocated to your Internet connection. In exceptional cases, however, the full IP address is transmitted to a Google server in the USA, where it is also shortened. On our behalf, Google will use this information to evaluate the use of the website, to compile reports on website activity and to provide us with other services relating to website and Internet use. The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. The legal basis for the use of Google Analytics is § 15 para. 3 TMG and Art. 6 para. 1 f) DSGVO. The data sent by us and linked to cookies or user IDs are automatically deleted after 14 months.
You can prevent the storage of Google Analytics cookies too via the settings of your web browser, but many functions of this website will not function or will not function correctly without cookies. Alternatively, you can prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
Duration of storage
We process and store your personal data as long as it is necessary for the fulfilment of our contractual and legal obligations. As a rule, we store order data until all claims arising from the respective contractual relationship become statute-barred. As far as your personal data is contained in issued invoices, electronic booking documents or commercial letters, we keep these for 10 years according to § 257 Trade Act, § 147 Tax Act as well as § 14b VAT Act.
Rights of the user
You have the right to access the personal data stored about you pursuant to Article 15 GDPR, the right to rectification of your personal data if we have stored them incorrectly pursuant to Article 16 GDPR, the right to erasure if there is no longer any right to storage pursuant to Article 17 GDPR, the right to restriction of processing pursuant to Article 18 GDPR, the right to object pursuant to Article 21 GDPR and the right to data portability pursuant to Article 20 GDPR. The restrictions according to §§ 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right to information and the right of deletion. In addition, there is a right of appeal to a data protection supervisory authority (Article 77 DSGVO in conjunction with § 19 BDSG).
You can revoke your given consent to the processing of personal data at any time. This also applies to the revocation of declarations of consent issued to us prior to the validity of the GDPR, i.e. before 25 May 2018.
To exercise the rights under Articles 16-18, 20 and 21 GDPR, or any other questions, suggestions or complaints relating to data protection, please contact our corporate data protection officer at the above address.
Blackhawk Network GmbH
Corporate Data Protection Officer
Or by email to
To exercise your right of appeal under Article 77 DSGVO in conjunction with § 19 BDSG, please contact the competent data protection supervisory authority. Your competent supervisory authority depends on your state of residence, your work or the alleged infringement. A list of supervisory authorities (for the non-public sector) with addresses can be found at: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html .
This post is also available in: German