Data protection - VIVAMAYR Online Shop

Data protection preamble

We are pleased that you would like to know more about the aspects of our website relating to data protection.

We, VIVAMAYR Marketing GmbH, would like you to see our website and its data protection design as a customer-oriented, understandable mark of quality.

Consequently, you will be informed which of your personal data is processed in our systems. Personal data is the information which can be attributed to a person, either directly or indirectly.

 

1. Downloading the website

To download our website, various pieces of information are exchanged between your end device and our server.

The information which is transmitted to the server of this website is as follows:

  • The IP address of the requesting device,
  • Date and time of the download, time difference to Greenwich Mean Time (GMT),
  • Name and URL of the file downloaded,
  • Website/application from which the request originated (referrer URL),
  • Content of the request,
  • Access status / HTTP status code,
  • The respective volume of data transmitted,
  • Website, from which the request originated,
  • Browser used,
  • Operating system and its interface,
  • Language and version of the browser software.

These logfiles are saved for the following purposes:

  • To guarantee a frictionless establishment of a connection,
  • To guarantee comfortable use of our website/application,
  • To evaluate system security and stability.

This legitimate interest constitutes the legal basis for processing within the meaning of Article 6(1)(f) GDPR.

Transmission of data and storage period

Data is only transmitted to security authorities and competent courts if there has been unlawful usage. The data is stored for up to three years within the meaning of §§ 1293 et seq. Austrian Civil Code.

The server is made available to us by a service provider which has been contractually bound to do so according to Article 28 GDPR.

 

2. Online orders

Purpose of processing the data, legal basis

We process your data for the purpose of performing the contract according to Art 6(1)(b) GDPR, to fulfil the following purposes:

  • To deliver the products you have requested,
  • To make queries on interrupting the delivery, to record and process complaints, update data and change orders,
  • To send the order confirmation by post or by email,
  • To create and send invoices and collect unpaid invoice amounts (dunning process).

The following data which is required to perform the contract is saved for the purposes of executing the contract: name, billing address, delivery address, product, delivery details, contact details, correspondence.

Add-on for payment details

You can use various systems to pay our invoices; the legal basis for using this data is Art 6(1)(b) GDPR.

Your payment details are encrypted during the ordering process and transmitted via the internet. Due to an add-on integrated into the order process, we cannot view your payment details at any time and are therefore not the processors of this data. It is processed exclusively by these payment service providers:

PAYPAL
PayPal (Europe) S.à r.l. et Cie, S.C.A.
22-24 Boulevard Royal
L-2449 Luxembourg
Luxembourg
Privacy policy and GTCs

MPAY24
mPAY24 GmbH
Grüngasse 16
A-1050 Vienna
Austria
Privacy policy and GTCs

STRIPE
510 Townsend Street
San Francisco
CA 94103
USA
Privacy policy and GTCs
Privacy Shield

Transmission of data and storage period

The legal basis for transmitting data to the payment service providers you select (for the purposes of debiting the purchase price) is set out in § 96(3) Telecommunications Act in conjunction with Art 6(1)(a) and (b) GDPR. The legal bases for transmitting data to shipping companies we engage (for the purposes of delivering the goods) and our tax consultant (to fulfil our tax law obligations) are set out in § 96(3) Telecommunications Act in conjunction with Art 6(1)(b) and (f) GDPR.

If you stop the sale process, the data you have entered will be deleted.

If you conclude a contract, all data under the contractual relationship will be stored until the expiry of the tax law retention period (7 years).

Furthermore, names, addresses, goods purchased, and dates of purchase will be stored until the expiry of the product liability period (10 years).

 

3. Sending newsletters

Purposes of processing data/legal bases:

The newsletter includes special offers, goods and services offered by VIVAMAYR Marketing GmbH, VIVAMAYR Altaussee GmbH and VIVAMAYR Maria Wörth BetriebsGmbH.

To receive our newsletter, you need a valid email address. We will check the email address you specify (double opt-in) to see whether you are actually the owner of that email address or whether the owner of the email address has consented to receiving the newsletter. When you subscribe to our newsletter, we save your IP address and the date and time of your registration. This serves to protect us in case a third party misuses your email address and subscribes to our newsletter without your knowledge. Your email address is only added to our distribution list when you click on the confirmation link.

With your consent, we will record your usage behaviour on the websites we operate and regarding the newsletters we send.

For this, we use eyepin.

The legal basis for this is the provision of the relevant consent according to Art 6(1)(a) GDPR.

Consent

Consent to the newsletter
Regarding the use of your personal data to receive our newsletter, you will be asked for consent at the appropriate point as follows: “I consent to receiving the newsletter, which contains information about VIVAMAYR’s products and services. You can find further information about the sending of the newsletter in our privacy policy.”

Recipient/categories of recipients

Eyepin is contractually obliged to send the newsletter as an external contract processor according to Article 28 GDPR.

Storage period/criteria for determining the storage period

The storage period lasts until consent is revoked or after 3 years at the latest, if you are no longer our customer.

Termination/revocation

You can terminate or revoke your subscription to our newsletter free of charge at any time. You can find details on how to unsubscribe in the individual newsletters. Unsubscribe here.

If you raise an objection, the relevant contact address will be blocked for further data processing for marketing purposes.

For technical reasons and due to the necessary lead time for advertisements, it is possible that you will still receive advertising materials despite having raised an objection. This does not mean that we have failed to act on your objection, but that the advertisement was being processed in parallel. Thank you for your understanding!

 

4. Cookies

General information

We use cookies which are technically necessary within the meaning of § 96(3) Telecommunications Act and pursuant to Art 6(1)(a) and (f) GDPR to optimise our website.

Cookies are small files which are saved on your end device (laptop, tablet, smartphone or similar) when you visit our website; they do not harm your end device and do not cause any damage (unlike Trojan horses, viruses and other malware). The use of cookies does not mean that we can identify you but that we can make your user experience more pleasant.

  • We use session cookies to identify which pages of our website you have already visited or whether you have logged in using your customer account.
  • Temporary cookies are used to make the website more user friendly and are saved on your end device for a certain period of time. If you return to our website, the information and settings you entered earlier are automatically recognised so that you do not have to re-enter them.
  • Static cookies are used to optimise our service offer, for statistical purposes and to display customer-specific information. Users of our websites are recognised upon return visits.

Usually, cookies are accepted automatically by your browser. If you do not want to accept any cookies or be informed when any new cookies are saved, you can adjust the configuration of your browser.

We would like to highlight that completely opting out of cookies can result in certain features of our website not being available.

You can find an overview of the cookies used and further information (e.g., on the storage period) and possibilities for raising objections in our cookies overview.

Transmission of data to the USA:

The following categories of data are transmitted in pseudonymised form to the recipients, which all have an EU-US Privacy Shield certification.

  • Browser type/version,
  • Operating system used,
  • Referrer URL (the site visited immediately beforehand),
  • Hostname of the accessing computer (IP address),
  • Time of the server request.

According to Art. 6(1)(a) GDPR, the legal basis for this processing is your consent to the use of the cookies and analytics tools specified.

You can object to the use of cookies which serve the purposes of measuring reach as well as advertising purposes, on the opt-out pages of the Network Advertising Initiative and the US American websites or the European websites.

Google Analytics

Purposes of processing data/legal bases:

We use Google Analytics, a web analysis tool belonging to Google Inc. (Google), to help structure our website in a user-friendly way and continually optimise it. The legal basis for this is your consent pursuant to Art 6(1)(a) GDPR. Pseudonymised user profiles are set up and cookies are used. The following information is provided regarding cookies:

  • Browser type/version,
  • Operating system used,
  • Referrer URL (the site visited immediately beforehand),
  • Hostname of the accessing computer (IP address),
  • Time of the server request.

This information serves the purpose of evaluating use of the website, compiling reports on the website’s activities and, if required, requesting services and user-friendly design of the website.

By shortening your IP address, it becomes impossible to attribute it to you.

You have the option to prevent Google from recording and processing the data generated by the cookie which relates to your use of the website (incl. your IP address) by downloading and installing this browser add-on. In the case of mobile end devices, you can follow this link to prevent Google Analytics from recording cookies. We would like to highlight that, in such cases, some features of this website may not be fully available.

You can find further information on data protection in connection with Google Analytics on the website of Google Analytics.

Transmission of data to the USA:

The information generated by the cookie is transmitted to a Google server in the USA and saved there. Under no circumstances will your IP address be combined with other data of Google. This information may also be transmitted to third parties if this is prescribed by law or to the extent that third parties process this data pursuant to a contract.

Storage period:

The statistically processed data is stored in anonymous form; it is not possible to infer your IP address from it. Reports from Google Analytics do not contain any references to individual people.

YouTube components with expanded data protection mode

Purposes of processing data/legal bases:

For a more user-friendly experience and to display videos, we use YouTube, a web services provider of Google Inc. (Google). We have a legitimate interest under Art 6(1)(a) and (f) GDPR.

The following information is provided regarding cookies:

  • Browser type/version,
  • Operating system used,
  • Referrer URL (the site visited immediately beforehand),
  • Hostname of the accessing computer (IP address),
  • Time of the server request.

Transmission of data to the USA:

The information generated by the cookie is transmitted to a Google server in the USA and saved there. Under no circumstances will your IP address be combined with other data of Google. This information may also be transmitted to third parties if this is prescribed by law or to the extent that third parties process this data pursuant to a contract.

On our website, we use components (videos) of YouTube, a company belonging to Google Inc. In this regard, we use the “expanded data protection mode” provided by YouTube.

If you download a page which allows you to watch a video, a connection to the YouTube servers is established. When you watch the video, YouTube collects information about which of our web pages you have visited. If you are logged into YouTube at the same time, this information is attributed to your membership account with YouTube. You can prevent this from happening by logging out of your membership account before visiting our website.

Storage period:

The cookies used here and the information they contain are saved according to the cookie terms and deleted promptly when an objection is raised.

Use of reCAPTCHA

Purposes of processing data/legal bases:

We use reCAPTCHA to protect our input forms within the meaning of Art. 6(1)(f) GDPR. By using this service, misuse through automated (machine) processing can be prevented.

Here, referrer URLs, the IP address, the behaviour of the visitors to the website, information about operating systems, browsers and retention times, cookies, viewing instructions and scripts, the input behaviour of users and mouse movements in the area of the “reCAPTCHA” check box are transmitted to “Google”.

Transmission of data to the USA:

The information generated by the cookie is transmitted to a Google server in the USA and saved there. Under no circumstances will your IP address be combined with other data of Google. This information may also be transmitted to third parties if this is prescribed by law or to the extent that third parties process this data pursuant to a contract.

If you do not wish data about you and your conduct on our websites to be transmitted and saved by “Google”, please log out of “Google” before you visit our website or use the reCAPTCHA plug-in.

The information received due to the use of the “reCAPTCHA” service is compliant with the Google terms of use: https://www.google.com/intl/de/policies/privacy/.

Storage period:

The cookies used here and the information they contain are saved according to the following cookie terms and deleted promptly upon an objection being raised.

 

5. Security measures

According to Art 32 GDPR, we take technical and organisational security measures to protect the rights and freedoms of people.

 

6. Your rights

Pursuant to the General Data Protection Regulation and the Data Protection Act, you have the following rights and legal remedies as a data subject in relation to data processing:

Right of access (Art. 15 EU GDPR)
You have the right to request information from us as to whether, and if so, which personal data concerning you is processed in our systems. For your own protection, it is possible that you have to disclose your identity in an appropriate way; this serves the purpose of preventing third parties from gaining access to your data.

You will receive the following information (non-exhaustive list):

  • the categories of personal data being processed;
  • the recipient or categories of recipients to whom/which the personal data concerned has been or will be disclosed;
  • the planned duration of storage of the personal data concerned or, if it is not possible to make any specific statements about this, criteria for determining the term of storage;
  • the existence of a right to rectification or erasure of the personal data concerning you, a right to have processing restricted by the controller or a right to raise an objection to this processing;
  • all available information about the origin of the data if personal data is not collected directly from the data subject;
  • the existence of automated individual decision-making including profiling pursuant to Article 22(1) and (4) GDPR and – at least in these cases – conclusive information about the logic involved and the range of the desired effects of such processing for the data subject.

If personal data is transmitted to a third country or an international organisation, you have the right to information about the appropriate safeguards pursuant to Article 46 GDPR in connection with the transmission.

Right to rectification (Art. 16) and erasure (Art. 17 EU-GDPR)
If we process data concerning you which is inaccurate, you have the right to have this rectified. Taking into account the purposes of data processing, you can request to have incomplete personal data supplemented and your data erased, as long as the criteria under Art. 17 EU GDPR have been fulfilled.

If the following reasons exist, the data will be erased without undue delay:

  • you revoke your consent on which processing was based pursuant to Art. 6(1)(a) or Art 9(2)(a) GDPR and there is no other legal basis for processing;
  • you raise an objection to the processing pursuant to Art 21(1) or (2) GDPR and there are no overriding legitimate reasons for the processing within the meaning of Art 21(1) GDPR;
  • the personal data was processed unlawfully;
  • the erasure of the personal data is required to perform a legal obligation;
  • the personal data was collected in relation to information society services offered pursuant to Art 8(1) GDPR.

If we have made personal data public and are obliged to erase it, we will take appropriate measures – taking into account the available technology and the costs of implementation – to inform the third parties processing your data that you may also request them to erase all links to this personal data or to copies or replicas of this personal data.

Right to restrict processing (Art. 18 EU GDPR)
According to the legal requirements, you have the right to have the processing of all personal data collected restricted. This data is only processed based on your consent or to enforce legal claims.

These requirements are as follows:

  • you dispute the accuracy of the personal data;
  • the processing is unlawful and you request the use of personal data to be restricted;
  • we no longer need the personal data for the purposes of processing, but we must still retain it for the purposes of enforcing, exercising or mounting a defence against legal claims, or
  • you raise an objection to processing pursuant to Art 21(1) GDPR, as long as it is uncertain whether our legitimate reasons override yours.

Right to data portability (Art. 20 EU GDPR)
You can request the unhindered and unrestricted transmission of data to third parties; data which you have provided yourself will be transmitted.

This is only possible if

  • the processing is based on consent pursuant to Art 6(1)(a) or Art 9(2)(a) GDPR or a contract pursuant to Art 6(1)(b) GDPR, and
  • the processing is done with the aid of automated procedures.

Right to object (Art. 21 EU GDPR)
In principle, you have the right to raise an objection to the processing of your personal data free of charge. Only if we can demonstrate compelling legitimate grounds for the processing which override your interests, freedoms and rights may we continue to process the data in spite of the objection. You cannot object to our enforcement, exercise and defence of our legal claims using your personal data. You can object to the processing of data for direct marketing purposes at any time with effect for the future.

Revocation of consent
You also have the right to revoke, at any time, any consent which you have given to your personal data being processed. The data which we processed prior to the revocation is in our systems lawfully; the revocation only enters into effect after consent has been received and processing in the period until revocation is lawful.

If you take a measure to exercise the above-specified rights under the GDPR, VIVAMAYR must give its opinion on the measure requested or comply with the request without undue delay, but in any case, within one month of receiving your request.

We will respond to all appropriate enquiries within the scope of the law free of charge and as soon as possible.

If you believe that the processing of your data breaches data protection law or otherwise breaches your rights under data protection law, you can lodge a complaint with the supervisory authority. In Austria, the competent authority is the Data Protection Authority.

We would like to highlight that statutory retention obligations may conflict with erasure or revocation.