Data protection

I. Legal framework, responsible body, definitions
II. data subject rights
III General information on data processing (data processing for informational use of the website, technical background, cookies, etc.)
IV. Special notes on data processing in the context of the use of additional functions
V. Other

I. General information, responsible body and legal framework

1. Content of the data protection declaration, legal framework and data processing principles.
We have aligned this Privacy Policy with both the Swiss Data Protection Act and the European General Data Protection Regulation - “GDPR”. The GDPR is regarded worldwide as a benchmark for strong data protection. However, whether and to what extent the GDPR is applicable depends on the individual case.
In this data protection declaration, we inform you how and for what purpose we collect, process and use which of your personal data (we speak of personal data, cf. the definition below in section 3 lit. a)).
Specifically, we inform you here, among other things,
which personal data we collect and process
for what purposes we use your personal data;
who has access to your personal data;
how long we process your personal data;
what rights you have regarding your personal data;
and how you can contact us.
We take the protection of your personal data very seriously and treat your personal data confidentially and in accordance with the legal data protection regulations (Swiss Data Protection Act (“DSG”), DSGVO and German Federal Data Protection Act “BDSG") as well as this privacy policy.
2. Responsible body
The data controller is responsible under data protection law for a specific data processing operation. The responsible body is the natural or legal person who alone or jointly with others decides on the purposes and means of the processing of personal data (e.g. names, e-mail addresses or similar).
The responsible body (hereinafter also “we”, “us”, “our”) within the meaning of the Data Protection Act is:

Lüscher-Color-Diagnostik AG,
Rauracherstr. 191
CH 4125 Riehen

The contact details of our representative in the EU according to Art. 27 DSGVO are as follows:

Orth Kluth Rechtsanwälte PartG mbB,
Kaistr. 6,
40221 Düsseldorf

3. Definitions
Our data protection declaration is based on the terms used by the European Directive and Ordinance Maker when enacting the General Data Protection Regulation (DSGVO). We would like to explain essential terms below:
(a) Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(b) Data subject means any identified or identifiable natural person whose personal data is processed by the controller.
(c) 'processing' means any operation or set of operations which is performed upon personal data, whether by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
(d) Restriction of processing means the marking of stored personal data with the aim of limiting their future processing.
(e) profiling means any automated processing of personal data which consists in using personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or change of location.
(f) 'pseudonymisation' means the processing of personal data in such a way that the personal data can no longer be related to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
(g) Controller or controller means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.
(h) Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of and under the instructions of the controller in accordance with Article 28 GDPR.
(i) Recipient means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.
(j) third party means a natural or legal person, public authority, agency or any other body apart from the data subject, the controller, the processor, and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.
(k) 'consent' means any freely given specific and informed indication of the data subject's wishes, in the form of a statement or other unambiguous affirmative act, by which the data subject signifies his or her agreement to personal data relating to him or her being processed.

II. Data subject rights pursuant to Art. 15 et seq. and Art. 77 DSGVO and Art. 25 et seq. DSG

1. Right to object to data collection in special cases and to direct marketing (Art. 21 DSGVO)
If the data processing is based on Art. 6 (1) e) or f) DSGVO, you are entitled to object to the processing of personal data relating to you at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. The respective legal basis on which processing is based can be found in this data protection declaration.
If you object, we will no longer process your personal data concerned unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is for the establishment, exercise, or defense of legal claims.
If your personal data is processed for the purpose of direct marketing, you are entitled to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing. If you object, your personal data will subsequently no longer be used for the purpose of direct advertising.
2. revocation of your consent to data processing.Many data processing operations are only possible with your express consent. We obtain this from you before the start of the data processing that requires your consent. You can revoke this consent at any time. Insofar as it is not already possible to revoke consent by clicking on links or adjusting browser settings, it is sufficient to send us an informal message by e-mail. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.
3. right of appeal to the competent supervisory authority
Data subjects have the right to lodge a complaint with the competent supervisory authority in the event of violations of data protection law.
The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).
In Germany, the competent supervisory authority for data protection issues in the European Union is the State Data Protection Commissioner of the federal state in which our company has its headquarters.
A list of data protection commissioners and their contact details can be found at the following link:
The data protection authority responsible for us is:

State Commissioner for Data Protection and Freedom of Information
North Rhine-Westphalia
PO Box 20 04 44
40102 Düsseldorf
Tel.: 0211/38424-0
Fax: 0211/38424-999

4. Right to data portability
You are entitled to have data that we process automatically based on your consent or in fulfillment of a contract handed over to you or to another person responsible, in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done insofar as it is technically feasible.
5 Information, correction, blocking, deletion
Within the framework of the applicable legal provisions, you have the right at any time to free information about your stored personal data, its origin and recipient and the purpose of the data processing and, if applicable, a right to correction, blocking, or deletion of this data. For this purpose, as well as for further questions on the subject of personal data, you can contact us at any time at the address given in section I.2 above.

III. Data processing for informational use of the website, technical background, cookies, etc.

We collect and process the personal data listed below in sections 3 to 7 for the purposes, based on the legal grounds and for the duration stated therein.
1. Legal basis and storage period
Insofar as you have consented to us processing your personal data within the meaning of Art. 4 No. 1 DSGVO, Art. 6 Para. 1 lit. a) DSGVO serves as the legal basis for the processing. The processing of personal data which we need to fulfil contractual or pre-contractual obligations is based on Art. 6 (1) (b) DSGVO. If the processing is necessary to safeguard our legitimate interests or those of a third party and the interests, fundamental freedoms and fundamental rights of the data subject do not outweigh these, Art. 6 (1) f) DSGVO serves as the legal basis for us to process personal data.
For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases.
For the processing operations carried out by us, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. Unless an explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies.
However, storage may take place beyond the specified time in the event of a (threatened) legal dispute with you or other legal proceedings or if storage is provided for by statutory regulations to which we are subject as the responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.
2. Data security
We use appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties, considering the state of the art, implementation costs and the nature, scope, context, and purpose of the processing, as well as the existing risks of a data breach (including its probability and impact) for the data subject. Our security measures are continuously improved in line with technological developments.
We will be happy to provide you with more detailed information on request. Please contact our data protection officer (see above).
3. data processed during the (informational) use of the website
Inevitably, we can only provide you with the benefits of our Internet offer if certain data relating to you, which is necessary for the operation of the website, is collected by us when you use it.
We collect this data if this is necessary for the fulfillment of the contract between you and us (including in the form of terms of use for this Internet offer) (Art. 6 para. 1 lit. b) DSGVO) or your consent has been given (Art. 6 para. 1 lit. a) DSGVO). Furthermore, we collect this data if this is necessary for the functioning of the website and your interest in the protection of your personal data does not outweigh this (Art. 6 para. 1 lit. f) DSGVO).
We collect and process the following data from you:
Device information: Access data includes the IP address, device ID, device type, device-specific settings, the date, and time of the retrieval, time zone, the amount of data transferred and the message whether the data exchange was complete, crash of the terminal device, browser type and operating system. This access data is processed to make the operation of the website technically possible.Information with your consent: We process other information (e.g., geolocation data, personal data such as name and e-mail address, etc.) if you allow us to do so.
4. Contacting us
When you (proactively) contact us, the data you provide will be stored by us to answer your inquiry. The provision of certain truthful data is required to process your inquiry, further details are voluntary. Mandatory data required to answer your inquiry are marked as such, the remaining data are provided voluntarily. The processing of the above data is based on your consent, which you have expressed by contacting us, in accordance with Art. 6 para. 1 lit. a) DSGVO and, insofar as special categories of personal data (e.g., health data or other “sensitive” data) are concerned, in accordance with Art. 9 para. 2 lit. a) DSGVO. The collected personal data will be deleted immediately after the complete processing of your request, unless it is required for the initiation or execution of a contract with you pursuant to Art. 6 para. 1 lit. b) DSGVO.
5 Automated processing operations and use of cookies
Cookies may be used in the operation of our website. Cookies are small text files that are stored on the device memory of your end device and, if applicable, assigned to the mobile device you are using and through which certain information flows to the body that sets the cookie. Cookies cannot execute programs or transfer viruses to your end device and therefore cannot cause any damage. They serve to make our internet offer more user-friendly and effective overall, i.e., more pleasant for you.
Cookies cannot directly identify a user, but they can contain data that make it possible to recognize the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable.
A distinction is made between session cookies, which are deleted again as soon as you close your internet session, and permanent cookies, which are stored beyond the individual session.
Regarding their function, a distinction is made between cookies:
Technically necessary cookies: these are absolutely necessary to move around within our website, to use basic functions and to ensure the security of the website; they do not collect information about you for marketing purposes nor do they store which websites you have visited;Performance cookies: these collect information about how you use our website, which pages you visit and, for example They do not collect any information that could identify you - all information collected is anonymous and is only used to improve our website and to find out what interests our users;Advertising Cookies, Targeting Cookies: These are used to provide users with tailored advertising or offers from third parties and to measure the effectiveness of these offers;Sharing Cookies: These are used to improve the interactivity of websites with other services (e.g. social networks). Any use of cookies that is not absolutely technically necessary constitutes data processing that is only permitted with your express and active consent pursuant to Art. 6 para. 1 p. 1 lit. a) DSGVO, § 25 para. 1 TTDSG (in Switzerland also permitted without consent if reference is made to the possibility of rejecting this data processing, Art. 45c lit. b of the Swiss Telecommunications Act (FMG)). This applies in particular to the use of advertising, targeting or sharing cookies. In addition, we only pass on your personal data processed by cookies to third parties if you have given your express consent to this in accordance with Art. 6 para. 1 p. 1 lit. a) DSGVO, § 25 para. 1 TTDSG, in Switzerland only if you have not refused this, Art. 45c lit. b of the Swiss Telecommunications Act (FMG).
The following technically necessary cookies may be used on our website:
Cookie name: [necessary_opt_in]; Purpose and stored data: [Stores consent to set technically necessary cookies]; Validity period: Session Cookie name: [session_cookie]; Purpose and stored data: [Contains only reference ID to shopping cart content and personal preferences]; Validity period: We do not use session advertising, targeting or sharing cookies.

6. Group of recipients; transfer to third countries
Within our company, the departments responsible for processing the requests have access to your data. In addition, we use external service providers, in particular order processors, in accordance with Art. 28 DSGVO or Art. 9 para. 1 DSG (Switzerland), insofar as we cannot or cannot reasonably perform services ourselves. These external service providers are primarily providers of IT services and telecommunications services. If certain service providers are explicitly mentioned, you will also find further information in the data protection declarations of the service providers.
A transfer to third countries outside the European Economic Area (EEA) only takes place under certain conditions within the framework of Art. 44 et seq. DSGVO or in Switzerland according to Art. 16ff. DSG.
Some third countries — including Switzerland, for example — have been certified by the European Commission as providing data protection comparable to the EEA standard by means of so-called adequacy decisions (a list of these countries and a copy of the adequacy decisions can be obtained here: However, in other third countries to which personal data may be transferred, there may not be a consistently high level of data protection due to a lack of legal provisions. If this is the case, we ensure that data protection is sufficiently guaranteed. This is possible through binding company regulations, standard data protection clauses of the European Commission for the protection of personal data (available at, certificates or recognized codes of conduct.
7. Minors
Our website is not intended for children. Persons under the age of 16 may not transmit any personal data to us or submit declarations of consent without the consent of their legal guardians. We would like to urge parents and guardians and minors to comply with the requirements of the GDPR and not to circumvent any age restrictions.
8. No automated decision-making (including profiling)
We do not intend to use any personal data collected from you for any automated decision-making process (including profiling).

IV. Special information on data processing in the context of the use of additional functions

Payment process
For your purchase in our online shop, we offer you a choice of the following payment methods: VISA or Master Card credit card, TWINT, PayPal, bank transfer (prepayment).
To process the transaction, including billing, we process your payment data such as bank and credit card details for the purpose of payment processing and billing according to the selected payment method. For the processing of the transaction, your data required for the processing of the transaction will be passed on to the necessary extent to payment service providers and — if necessary — to debt collection service providers.
The legal basis for the processing of your personal data in connection with the order and billing is Art. 6 para. 1 b) DSGVO. In addition, please note the section on the group of recipients and third country transfer, as well as the data protection declarations of the respective payment service providers.

V. Other
We reserve the right to change these data protection provisions at any time in compliance with the legal requirements.