Privacy Policy
§ 1 Controller and Data Protection Officer
1.1 Controller within the Meaning of the GDPR
The controller within the meaning of Article 4 no. 7 GDPR and other national data protection laws of the EU Member States is:
Timothée Kammies
Ochsenstr. 83
76327 Pfinztal
Germany
Telephone: +49 160 4195415
E-mail: info@tkammies.com
Website: https://www.tkammies.com
Please direct data protection requests to: privacy@tkammies.com.
1.2 Data Protection Officer
There is no statutory obligation to appoint a data protection officer for this business. Nevertheless, within the scope of its overall data protection responsibility, the controller has appointed an external data protection officer.
External Data Protection Officer: Dr. Dominik Güneri, LL.M., AdviZZr Rechtsanwaltsgesellschaft mbH, Gotenstraße 2, 75177 Pforzheim, Germany.
For questions regarding data protection and the exercise of your rights, you can contact the Data Protection Officer at privacy@tkammies.com (attn. Data Protection Officer) or by post at the address stated above.
§ 2 Scope and Definitions
2.1 Material Scope
This privacy policy applies to the processing of personal data in the context of visiting and using the website www.tkammies.com (hereinafter “Website”) and the services offered through it, in particular online appointment booking and contact via the contact form.
The legal notice for the video production business is available at www.tkammies.com/imprint. A separate privacy policy applies to the SaaS platform and app tkammies Studio at https://tkammies.studio/datenschutz.
2.2 Definitions
This privacy policy uses the terms of the GDPR. An explanation can be found in particular in Article 4 GDPR. For clarity, the most important terms are briefly explained below:
Personal data is any information relating to an identified or identifiable natural person (Article 4 no. 1 GDPR).
Processing is any operation performed on personal data, with or without the aid of automated procedures (Article 4 no. 2 GDPR).
Controller is the person who, alone or jointly with others, determines the purposes and means of the processing (Article 4 no. 7 GDPR).
Processor is the person who processes personal data on behalf of the controller (Article 4 no. 8 GDPR).
Third country is any country outside the European Union and the European Economic Area.
§ 3 Rights of Data Subjects
As a data subject, you have the following rights. You can assert these informally vis-à-vis the controller at any time (contact details see § 1).
3.1 Right of Access (Article 15 GDPR)
You have the right to obtain information as to whether and which personal data we process about you, as well as all further information referred to in Article 15 (1) GDPR.
3.2 Right to Rectification (Article 16 GDPR)
You have the right to request the rectification of inaccurate data concerning you and the completion of incomplete data.
3.3 Right to Erasure (Article 17 GDPR)
You have the right to request the erasure of data concerning you, insofar as one of the grounds referred to in Article 17 (1) GDPR applies. Erasure may be excluded insofar as statutory retention obligations conflict with it.
3.4 Right to Restriction of Processing (Article 18 GDPR)
Under the conditions of Article 18 GDPR, you can request that the processing of your data be restricted.
3.5 Right to Data Portability (Article 20 GDPR)
You have the right to receive the data concerning you in a structured, commonly used and machine-readable format, or to request its transmission to another controller, insofar as the conditions of Article 20 GDPR are met.
3.6 Right to Object (Article 21 GDPR)
Insofar as the processing of your data takes place on the basis of legitimate interests (Article 6 (1) point (f) GDPR), you have the right to object to the processing at any time on grounds relating to your particular situation.
You can object at any time, without giving reasons, to the processing of your data for the purpose of direct marketing (Article 21 (2) GDPR).
3.7 Right of Withdrawal (Article 7 (3) GDPR)
Insofar as the processing is based on your consent, you can withdraw it at any time with effect for the future. The lawfulness of the processing carried out up to the withdrawal remains unaffected by the withdrawal.
3.8 Right to Lodge a Complaint with a Supervisory Authority (Article 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority if you are of the opinion that the processing of your data infringes the GDPR. The supervisory authority with local jurisdiction over the controller is named in § 18 of this privacy policy.
§ 4 Principles of Data Processing
4.1 Lawfulness of Processing
The controller processes personal data only insofar as a legal basis under Article 6 (1) GDPR exists. The following are particularly relevant:
- Article 6 (1) point (a) GDPR, consent of the data subject, e.g. for non-strictly-necessary cookies and for playing embedded YouTube videos;
- Article 6 (1) point (b) GDPR, performance of a contract or pre-contractual measures, e.g. for online appointment bookings and specific project requests;
- Article 6 (1) point (c) GDPR, legal obligations, e.g. commercial-law and tax-law retention obligations;
- Article 6 (1) point (f) GDPR, legitimate interests, in particular in the secure operation of the website, the defense against attacks, the answering of general requests and the controller’s external presentation.
4.2 Data Minimization and Purpose Limitation
The controller processes personal data exclusively for the purposes stated in this privacy policy and limits itself to the extent necessary for this. Further processing for other purposes takes place only if an independent legal basis exists for this or the requirements of compatible further processing under Article 6 (4) GDPR are met.
4.3 Transparency
This privacy policy fulfills the information obligations under Articles 13 and 14 GDPR. It is updated in the event of feature extensions or the integration of new third-party services; the respective applicable version is available at www.tkammies.com/privacy-policy.
§ 5 Hosting and Provision of the Website (Wix)
5.1 Hosting Platform Used
The website www.tkammies.com is operated on the hosting platform of Wix.com Ltd., Namal Tel Aviv Street 6, 6350671 Tel Aviv, Israel (hereinafter “Wix”). Wix provides all technical functions required to deliver the website, including the hosting infrastructure, the Content Delivery Network (CDN), the security and performance components used, and the modules “Online Appointment Booking”, “Contact Form” and “Blog” described separately below.
5.2 Data Processed
Each time the website is accessed, technically necessary data is transmitted to Wix’s servers and processed there, in particular:
- IP address of the accessing device;
- date and time of access;
- the specific URL accessed and the referrer (previously visited page);
- browser type and version, operating system, language and, where applicable, screen resolution;
- technical cookies and local-storage entries for session management, cross-site-request-forgery protection and load balancing.
5.3 Legal Basis
The legal basis for the processing associated with hosting is Article 6 (1) point (f) GDPR. The controller’s legitimate interest lies in the reliable, fail-safe and attack-resistant provision of the website and its features.
5.4 Processing on Behalf and the Wix Group
Wix acts on the basis of a data processing agreement under Article 28 GDPR. To provide its services, Wix uses group companies and third-party service providers, including Wix.com Inc. (USA), Wix Online Platform Limited (Ireland), Wix.Com Germany GmbH (Germany) and other Wix companies in Luxembourg, Lithuania, the United Kingdom, Brazil, Mexico, India and Ukraine. Third-party service providers are used in particular for cloud hosting, content delivery, e-mail sending and security services. Wix provides the respective current sub-processor list at https://support.wix.com/en/article/list-of-wixs-sub-processors.
5.5 Third-Country Transfer
In the context of Wix hosting, a transfer of personal data to third countries takes place, in particular to Israel (main processor) and to the USA. For the transfer to Israel, there is an adequacy decision of the European Commission (Implementing Decision 2011/61/EU of 31 January 2011, confirmed by Implementing Decision (EU) 2024/365 of 15 January 2024); an adequate level of data protection within the meaning of Article 45 GDPR therefore exists. For transfers to the USA and other third countries, Wix has concluded Standard Contractual Clauses pursuant to Article 46 (2) point (c) GDPR in conjunction with Implementing Decision (EU) 2021/914.
5.6 Further Information
Further information on data processing by Wix can be found in Wix’s privacy policy at https://www.wix.com/about/privacy and in the publicly available data processing agreement at https://www.wix.com/about/privacy-dpa-users.
§ 6 Server Log Files
6.1 Data Processed
Each time the website is accessed, access data is automatically recorded and stored in so-called server log files. This includes the data referred to in § 5 (2). A merging of this data with other data sources or a personal evaluation does not take place.
6.2 Purpose and Legal Basis
The processing takes place for the purpose of ensuring a smooth connection setup, guaranteeing convenient use of the website, evaluating system security and stability, and averting and investigating abusive access. The legal basis is Article 6 (1) point (f) GDPR.
6.3 Storage Period
Server log files are generally deleted after 30 days. Longer storage takes place only insofar as this is necessary to investigate a specific incident (e.g. an attack on the website); in that case, the data records concerned are stored until the investigation is concluded and then deleted.
§ 7 Cookies and Similar Technologies
7.1 General
This website uses cookies and similar technologies (e.g. local storage, session storage). Cookies are small text files that the browser stores on the visitor’s device and that serve to identify the browser, store user settings and ensure the functionality of the website.
7.2 Categories
The controller distinguishes between technically necessary and non-technically-necessary cookies:
Technically necessary cookies are required for the operation of the website, e.g. to store your consent status for the cookie banner, for session management, for protection against cross-site request forgery (CSRF) and for load balancing. These cookies are set without consent being required.
Non-technically-necessary cookies serve convenience, statistics or marketing purposes. These cookies are set exclusively after your express consent.
7.3 Legal Bases
The legal basis for storing and accessing information on visitors’ devices is Section 25 TDDDG:
- Section 25 (2) no. 2 TDDDG for technically necessary cookies (strictly required for the provision of the service expressly requested by the user);
- Section 25 (1) TDDDG for other cookies, the setting of which requires your prior consent.
Insofar as personal data is processed via the information thus obtained, the subsequent processing is based on Article 6 (1) point (a) GDPR (consent) or Article 6 (1) point (f) GDPR (legitimate interest in secure operation).
7.4 Cookies Used (Wix Platform)
The cookies used are essentially set by the hosting platform Wix. Wix uses, among others, technically necessary cookies for session management (“XSRF-TOKEN”, “hs”, “smSession”), for load balancing (“server-session-bind”) and for cache control (“ssr-caching”). Wix provides a complete and up-to-date overview at https://support.wix.com/en/article/cookies-and-your-wix-site.
7.5 Withdrawal and Management of Consent
You can withdraw consent given at any time with effect for the future. To do so, open the cookie banner by clicking the “Cookie Settings” link in the footer of the website. In addition, you can set your browser to generally prevent or restrict the setting of cookies; in this case, restrictions to the usability of the website may occur.
§ 8 Contact and Contact Form
8.1 Contact Form
A contact form is provided on the website. Via this form, visitors can transmit requests to the controller. The following data is processed in this context:
- first name and surname;
- e-mail address;
- content of the message;
- time of sending and technical metadata (IP address, browser).
8.2 Purpose and Legal Basis
The processing takes place for the purpose of handling your request. The legal basis is Article 6 (1) point (b) GDPR, insofar as the request is directed at the conclusion or performance of a contract; otherwise Article 6 (1) point (f) GDPR, whereby the legitimate interest lies in the effective answering of general requests.
8.3 Technical Provision
The contact form is provided via the “Wix Forms” module and is thus processed via the hosting infrastructure described in § 5. No transmission of the data to third parties beyond this takes place.
8.4 Storage Period
The data collected in the context of contact is stored until the respective request is concluded and thereafter until the expiry of any statutory retention or limitation periods. For requests that do not lead to the conclusion of a contract, the data is deleted at the latest three years after the conclusion of the correspondence, insofar as no longer retention obligations exist.
8.5 Contact by E-Mail
When contacting us by e-mail to the address stated in the legal notice, the data transmitted (e-mail address, content of the message, timestamp) is stored for the purpose of handling the request. The legal basis and storage period correspond to the statements under 8.2 and 8.4.
§ 9 Online Appointment Booking (Wix Bookings)
9.1 How It Works
Via the “Book Online” area, the website offers the option to arrange free consultation appointments (video production or photography) online. The appointment booking is handled via the “Wix Bookings” module of Wix.com Ltd. and is part of the Wix platform described in § 5.
9.2 Data Processed
In the context of appointment booking, the following data is processed in particular:
- first name and surname;
- e-mail address, telephone number where applicable;
- chosen service and desired appointment;
- optional remarks of the user;
- technical metadata of the booking request.
9.3 Purposes and Legal Basis
The processing takes place for the purpose of carrying out the pre-contractual measure “appointment arrangement”. The legal basis is Article 6 (1) point (b) GDPR. Insofar as the controller, where corresponding consent exists, sends appointment confirmations or reminders by e-mail, this is based on Article 6 (1) point (b) GDPR as necessary accompanying communication for the booked service.
9.4 Storage Period
Booking data is generally stored for a period of 36 months from the appointment in order to enable follow-up queries, re-bookings and tax-law or commercial-law evidentiary obligations. Insofar as an order arises from a booking, the commercial-law and tax-law retention periods apply (generally six or ten years).
§ 10 Embedded YouTube Videos
10.1 How It Works
On individual subpages of the website (in particular in the “Portfolio” area), videos are embedded that are stored on YouTube’s servers and can be played directly from the website. The provider of the YouTube platform for users in the European Economic Area (EEA) is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
10.2 Data Processed
When accessing a page with an embedded YouTube video, the visitor’s browser establishes a connection to the YouTube servers. In this context, in particular the IP address, browser type, operating system, referrer URL and timestamp are transmitted to YouTube. If you are simultaneously logged in to a Google service, Google may associate the connection with your user account there. When playing a video, cookies and similar technologies are also set on your device.
10.3 Legal Basis
The processing takes place exclusively after your consent. The legal basis is Article 6 (1) point (a) GDPR and Section 25 (1) TDDDG. You can withdraw your consent at any time with effect for the future by reopening the cookie banner via the “Cookie Settings” link in the footer and adjusting your selection.
10.4 Third-Country Transfer
The data associated with playing YouTube videos may be transferred to the USA. Google LLC, Mountain View, is certified under the EU-U.S. Data Privacy Framework (Article 45 GDPR in conjunction with Implementing Decision (EU) 2023/1795). In addition, Standard Contractual Clauses pursuant to Article 46 (2) point (c) GDPR are in place between Google Ireland Limited and Google LLC.
10.5 Further Information
Further information on data processing by YouTube and Google can be found in Google’s privacy policy at https://policies.google.com/privacy.
§ 11 Linked Social Media Profiles
11.1 Links
The website contains links to the controller’s profiles on Instagram, YouTube and LinkedIn. These are exclusively linked buttons, not embedded plugins. A data transmission to the named platforms takes place only when you actively click on one of these buttons and are forwarded to the respective platform.
11.2 Data Processing after Click
By clicking on one of the linked buttons, you leave the website www.tkammies.com. For the data processing taking place from the moment the third-party page is accessed, the respective platform operator, possibly jointly with the controller as the holder of the profile there, is responsible. The controller has no influence on the content and scope of this processing.
11.3 Controllers of the Platforms
- Instagram: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. Privacy policy: https://privacycenter.instagram.com/policy/.
- YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy policy: https://policies.google.com/privacy.
- LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Privacy policy: https://www.linkedin.com/legal/privacy-policy.
11.4 Legal Basis of the Controller
Insofar as data processing operations are attributable to the controller in connection with the operation of its profiles on the named platforms (e.g. maintaining its external presentation), this is based on Article 6 (1) point (f) GDPR. The legitimate interest lies in the contemporary information of potential clients and principals.
§ 12 Recipients and Processors
12.1 Overview of Recipients
The overview below names the categories of recipients to which personal data is disclosed in the context of operating the website, as well as the relevant processors:
| Recipient | Purpose / Function | Location | Role |
|---|---|---|---|
| Wix.com Ltd. (incl. group and sub-processors) | Hosting, CDN, contact form, online appointment booking, blog | Israel / USA / EU, among others | Processor |
| Google Ireland Limited / Google LLC | Embedded YouTube videos | Ireland / USA | Independent controller |
12.2 Processing on Behalf under Article 28 GDPR
Insofar as recipients process personal data on behalf of the controller, this takes place on the basis of a data processing agreement under Article 28 GDPR. The essential processing on behalf is carried out by Wix as hosting and platform operator.
12.3 No Disclosure for Advertising Purposes
A disclosure of personal data to third parties for advertising, market or opinion research purposes does not take place.
§ 13 International Data Transfers
13.1 Transfers to Third Countries
In the context of the processing described under §§ 5, 10 and 12, personal data is partly transferred to third countries within the meaning of Article 44 GDPR. The relevant receiving countries are in particular Israel (Wix main processor), the United States (US sub-processors of Wix and Google LLC in the context of YouTube) and other locations of the Wix group.
13.2 Transfer to Israel
For transfers to Israel, there is an adequacy decision of the European Commission. This was issued by Implementing Decision 2011/61/EU of 31 January 2011 and maintained, after re-evaluation, by Commission Implementing Decision (EU) 2024/365 of 15 January 2024. The transfer therefore takes place pursuant to Article 45 GDPR and does not require additional safeguards.
13.3 Transfer to the USA
For transfers to recipients in the United States, the following safeguards are in place:
- EU-U.S. Data Privacy Framework: Insofar as the respective recipient is certified under the EU-U.S. Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023), the transfer takes place on the basis of the adequacy decision pursuant to Article 45 GDPR. This concerns in particular Google LLC in the context of the YouTube integration.
- Standard Contractual Clauses: Insofar as DPF certification does not exist, or does not exist for the respective processing, Standard Contractual Clauses pursuant to Implementing Decision (EU) 2021/914 are concluded with the recipient (Article 46 (2) point (c) GDPR). According to its public statements, Wix has concluded such Standard Contractual Clauses with its US sub-processors.
13.4 Transfer to Other Third Countries
A transfer to other third countries is possible within the Wix group, in particular to the United Kingdom, Ukraine, India, Mexico and Brazil. For these transfers, according to Wix’s statements, Standard Contractual Clauses pursuant to Article 46 (2) point (c) GDPR are concluded, insofar as no independent adequacy decision exists (UK: adequacy decision of 28 June 2021).
13.5 Copy of the Safeguards
A copy of the relevant Standard Contractual Clauses and further information on the safeguards taken can be requested via the contact details stated in § 1.
§ 14 Storage Period
Personal data is stored only for as long as is necessary for the respective purposes or as statutory retention obligations prescribe. Thereafter, the data is deleted or anonymized.
14.1 Specific Storage Periods
In detail, insofar as not regulated otherwise in the foregoing paragraphs, the following storage periods apply:
- Server log files: generally 30 days (§ 6 (3));
- Contact form and e-mail requests: until the request is concluded, thereafter up to three years, insofar as no longer retention obligations exist (§ 8 (4));
- Online appointment booking: up to 36 months from the appointment; in the case of order processing, the commercial-law and tax-law retention periods apply (§ 9 (4));
- Cookie consents: until withdrawal, at most twelve months;
- Contract data and invoices: statutory retention periods under Section 257 HGB (six years) and Section 147 AO (ten years).
14.2 Extension in the Event of Disputes
Storage beyond the stated periods takes place only if this is necessary for the pursuit or defense of legal claims; in that case, the data records concerned are stored until the legally binding conclusion of the proceedings and thereafter until the expiry of the limitation period.
§ 15 Security of Data Processing
The controller takes appropriate technical and organizational measures under Article 32 GDPR to ensure the security of the processing. These include in particular:
- encryption of data transmission by means of TLS 1.2 or higher (HTTPS) for the entire website;
- assignment and management of access rights according to the least-privilege principle;
- regular updating of the software used by the hosting platform Wix;
- securing of the Wix admin account by strong passwords and multi-factor authentication;
- regular backups by the hosting platform;
- review of the sub-processors with regard to data processing agreements and supplementary safeguards (cf. § 5 (4) and § 13).
The measures are reviewed on an ad hoc basis and upon the occurrence of material changes, and adapted to the state of the art.
§ 16 Automated Decision-Making and Profiling
A decision based solely on automated processing within the meaning of Article 22 (1) GDPR that produces legal effects concerning you or similarly significantly affects you does not take place.
Profiling within the meaning of Article 4 no. 4 GDPR also does not take place.
§ 17 Processing of Minors’ Data
The services offered via the website are aimed exclusively at persons who have reached the age of 16. A deliberate collection or processing of personal data of children under 16 years of age does not take place. If the controller becomes aware that, contrary to this provision, personal data of a child is being processed, the data concerned is deleted without undue delay.
§ 18 Right to Lodge a Complaint
Without prejudice to any other administrative or judicial remedy, every data subject has the right to lodge a complaint with a data protection supervisory authority, in particular in the Member State of their residence, place of work or the place of the alleged infringement, if they are of the opinion that the processing of the personal data concerning them infringes the GDPR (Article 77 GDPR).
18.1 Competent Supervisory Authority
The supervisory authority with local jurisdiction over the controller is:
The State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg
Lautenschlagerstraße 20
70173 Stuttgart
Telephone: +49 (0) 711 615541-0
E-mail: poststelle@lfdi.bwl.de
Internet: https://www.baden-wuerttemberg.datenschutz.de
§ 19 Changes to this Privacy Policy
The controller reserves the right to adapt this privacy policy if this becomes necessary due to new features, changed legal bases or new legal requirements. The respective current version is available at www.tkammies.com/privacy-policy. You will be informed separately, in an appropriate manner, of material changes affecting your rights.
§ 20 Contact and Status
For questions regarding this privacy policy or the exercise of your rights as a data subject, please contact the controller at the contact details stated in § 1.
20.1 Status
This privacy policy has the status of 15 June 2026 (v1.1: external data protection officer named in § 1.2; otherwise unchanged from the status of 21 May 2026).