Data Protection Information
With this data protection information and in accordance with the General Data Protection Regulation (hereinafter: “GDPR”), the Sanrio GmbH (hereinafter: “Sanrio” or “we”) informs the persons visiting our website https://shopsanrio.com/ (hereinafter “website”), using the services provided on our website and/or purchasing goods on our website (hereinafter: “visitors”) about the processing of their personal data. Furthermore, we inform visitors about the data protection rights they are entitled to as a data subject.
Contact details of the Controller:
Being the Controller within the meaning of the data protection laws, Sanrio is responsible for the processing of personal data on the website.
You can find our contact details below:
Zwischen den Toren 9
21465 Wentorf bei Hamburg
You can contact our Data Protection Officer using the above-mentioned address or the following e-mail address: email@example.com
Categories of personal data and source of personal data
You will find below an overview of the categories of personal data we typically process when visitors are using the website. Please note that not all categories of data listed below are processed in every case, for every visitor, and on every visit. Please also note that when reference is made to a specific category of data, it does not automatically imply that all elements included in the category of personal data are being processed. The personal data we process also depend on the personal data submitted by visitors during different activities on our website. This means that, for example, when a visitor subscribes to our newsletter, less personal data will be processed than in the case of orders on our webshop. The classification of the information into different categories of personal data aims at better understanding what information is typically processed.
- Names (this includes the name and surname)
- Personal contact details (this includes the e-mail address, the shipping address (address, postal code, city, country), the billing address (address, postal code, city, country) and the phone number)
- Order details (this includes the shipping methods, the items ordered, the total amount of the order, the currency)
- Bank account and payment data (this includes the type of credit card and details regarding the credit card (card number, name on card (holder), expiration date, security code))
- IT system data (this includes technical data related to the use of the website)
We usually collect the above-mentioned personal data directly from you when you use our website.
Purposes of the processing and legal basis for the processing
- Operation of the website
When you access our website, we automatically process the following IT system data that are technically necessary for the operation of our website and in order to offer you the content on our website:
- your shortened IP address
- time and date of your access
- name of your Internet Service Provider
- the type of browser you are using
We need to process this data temporarily in order to operate our website and to assure the functionalities of the content of our website. This processing also serves us for the creation of statistical data regarding the use of our website. Furthermore, we process this data in order to assure the security of our IT-systems.
This data processing is based on Art. 6 (1) (f) GDPR (legitimate interests).
Our interest is to offer the technical functionalities and the content of our website, to assure the security of the website and to gain statistical knowledge of the visitors’ behavior on our website.
- Administration of the newsletter
For the purpose of administrating and sending out our newsletter, we process your contact details (this means your e-mail address) when you subscribe for receiving our newsletter.
The purpose of this data processing is to send out an e-mail newsletter including information regarding our products, offers and company news.
This data processing is based on Art. 6 (1) (a) GDPR (consent).
Your consent can be withdrawn at any time without giving reason. For details, please see below Section “Rights of the data subject”.
- Operation of the webshop and fulfilment of contracts
Visitors can order specific products via our webshop on the website. During the order process and in the course of the conclusion of the contract, we process the names, personal contact details and the bank account and payment data provided by the visitor as well as the order details.
The purpose of this processing is to enter into a contract with the visitor and to fulfill and to deliver the order.
This data processing is based on Art. 6 (1) (b) GDPR (performance of a contract).
Recipients of the personal data
Generally, persons and bodies may have access to personal data only as it is necessary to fulfill their tasks for us. Within the Sanrio Group, personal data may be transferred to companies, whose departments perform central functions within the Sanrio Group (usually, with regard to the website, this includes the sales and marketing departments).
We also work together with carefully chosen external service providers. They support us in helping us to fulfil our different legal/contractual obligations, more specifically in the following areas:
- IT Services (in particular, for setting up and maintaining the technical infrastructure for the website)
- E-Commerce Services (in particular for administrating the newsletter)
- Logistics Services (in particular, for the delivery of the products purchased on the webshop)
- Banking and Financial Services (in particular, for the execution of payments on the webshop)
Within the framework of our cooperation with these service providers, we may make available, in specific cases, personal data of visitors. Provided that the legal conditions are met, a data processing agreement has been concluded with each service provider. Those data processing agreements commit external service providers to process personal data strictly on our instructions and to comply with data protection requirements and to adopt appropriate measures to ensure the protection of the personal data.
Exceptionally, personal data of visitors may be transferred to third parties, as far as it is necessary to fulfil our legal/contractual obligations. In such specific cases, we may disclose your personal data to the third parties such as:
- Public Authorities (such as financial authorities, law enforcement authorities, courts)
- Auditors and tax consultants (if it is necessary from an accounting point of view)
- Lawyers (if it is necessary to receive legal advice and/or in case of legal disputes).
Transfers of personal data to third countries
Exceptionally, we may transfer some personal data to our Headquarter located in Japan. Such transfers of data are based on a so-called adequacy decision adopted by the European Commission, which ensures that Japan provides an adequate level of protection. More information on the adequacy decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
Duration of storage of the personal data
We usually keep your personal data for no longer than is necessary for the respective above-mentioned purposes. However, we would like to inform you that, in specific cases and where it appears necessary, we may keep certain personal data for a longer period of time than is necessary for the respective above-mentioned purposes. Namely, we may keep some personal data for the duration of the statutory periods of limitation according to German Civil Law (usually three years; in specific cases, however, up to 30 years). We also keep some personal data where required by law, e.g. legal retention periods (for example in commercial law and tax law, usually no longer than 10 years).
Please note that we do not have influence on the legal retention obligations and that we are obliged, in some cases and irrespective of whether the personal data are still necessary for the purposes, to keep your personal data.
We will of course take all necessary measures to ensure that in these cases the documents and information relate to your person only to the extent necessary to fulfil the purposes pursued with the retention periods laid down by law (e.g. fiscal/tax documentation). The retention periods laid down by law for personal data may be subject to amendments after the data have been collected for the first time. Furthermore, the exact nature of the retention obligations and the requirements related to the deletion of data are regularly clarified and further developed in court decisions and opinions of the different data protection supervisory authorities. We regularly check whether the storage of specific data is still allowed or whether all or some personal data have to be deleted.
In case your personal data have to be deleted, especially if the retention of the data is no longer necessary for the above-mentioned purposes and a further retention of data is no longer permissible for other reasons, your data will be deleted by us. You do not have to take any action for the deletion of your personal data.
If you consider that some personal data concerning your person should no longer be kept by us, you are naturally entitled to make use at any time of your right to erasure, which is described in more details below.
Necessity to provide your personal data
Please note that it may be necessary for you as a visitor to provide us with some personal data. In particular, you have to provide us with your e-mail address if you would like to receive newsletters, and we need names, personal contact details as well as bank account and payment data if you wish to enter into a contract via our webshop. If you do not provide us with the necessary personal data, you might not be able to receive the newsletter and/or place orders on our webshop.
Automated individual decision-making
We do not use automated decision-making within the meaning of Art. 22 GDPR.
Rights of the data subjects
You have a range of rights with regard to the processing of your personal data. To exercise these rights, which are described in more details below, please contact our Data Protection Officer using the above-mentioned contact details.
Right to withdraw your consent
If you have given us your consent for the processing of your data, you can withdraw it at any time, free of charge and without providing any specific reason. Please note that the withdrawal shall not affect the lawfulness of processing based on your consent that took place before your withdrawal.
Where the legal requirements are met and provided that no derogations apply, you are entitled, pursuant to Art. 15-21 GDPR and Art. 77 GDPR, to the following rights:
- Right to object to processing: in case the processing is based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR, you are entitled to object at any time to the processing for direct marketing purposes. You are also entitled to object at any time, on grounds of particular reasons, to processing that is based on our legitimate interests, Art. 21 GDPR.
- Right of access: you are entitled, at any time, to obtain from us information about the personal data concerning your person that we process and to ask us to provide you with a copy of your personal data, Art. 15 GDPR.
- Right to rectification: you are entitled to obtain the rectification of inaccurate personal data and to have incomplete personal data completed, Art. 16 GDPR.
- Right to obtain erasure of your personal data: please note that by way of exception, you are not entitled to exercise your right to obtain erasure of your personal data in case those data are necessary for the execution of contracts, for the establishment, exercise and defense of legal claims and in case any legal, statutory, contract-related retention obligations apply, Art. 17 GDPR.
- Right to restriction of processing: you are entitled, under certain circumstances, to obtain restriction of processing, e.g. if you contest the accuracy of your personal data, the processing is unlawful or if you object to the processing. In that case, processing of your personal data without your consent will be very restricted: it will for example still be possible to process your personal data for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person, Art. 18 GDPR.
- Right to data portability: you are entitled to receive your personal data, which you provided to us, in a structured, commonly used and machine readable format and, where technically feasible, you are entitled to have your data transmitted directly to a third party, Art. 20 GDPR.
Right to lodge a complaint with a supervisory authority
You have the right to lodge a complaint with a supervisory authority at any time. For example, you may want to lodge a complaint if you consider that a processing is unlawful or if you consider that we did not grant the above-described rights to the extent necessary.
Version: January 2020