Data Protection Policy
Overview
Welcome to www.vitalabo.com! Pursuant to Art 13, Art 14 GDPR and § 165 para 3 TKG, we'll comprehensively inform you about how your data is processed in this section. Please familiarise yourself with how your personal data (hereinafter referred to as "data") is processed and why, when you:
- Visit our website
- Subscribe to our online advertising channels
- Contact us
- Use our webshop
- Have a business relationship with us, as well as:
- How long your data will be stored
- Which data we collect from other sources (Art 14 GDPR)
- Whether automated decision-making takes place
- What rights you have in regard to data processing and
- Who the data controller is, the contact details of our Data Protection Officer, and how you can contact us.
For residents of Switzerland: The declarations in this Data Protection Policy also apply mutatis mutandis to persons resident in Switzerland and also fulfil all the data requirements stipulated in Art. 19 of the Swiss Data Protection Act. The terms "personal data", "processing" and "processor" in the Swiss Data Protection Act correspond to the terms "personal data", "processing" and "processor" in the GDPR.
For residents of the United Kingdom: The declarations in this Data Protection Policy also apply mutatis mutandis to persons resident in the United Kingdom and also fulfil the data requirements stipulated in the UK-GDPR.
We may make changes to this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal or regulatory reasons.
1) What data do we process when you visit our website?
When you visit our website, the following categories of your data may be processed:
- Selected language
- Browser type
- Type of end device used to access the site
- Operating system
- Country
- Date, time and duration of access
- IP address
- Pages visited on our website, including entry and exit pages
- Data that you enter via a contact form
These categories of data are processed only to the extent necessary in each case. The processing of this data is justified by our legitimate interest in operating our website (Art 6 Para 1 lit f GDPR).
For the operation of our website, it may be necessary for us to transmit your data to the following recipients:
Service provider and data protection information of the provider | Description | Place of processing | Legal bases for data transmission |
Hetzner Online Ltd | Website hosting including backup storage | EU/EEA | Order processing according to Art. 28 GDPR |
Consent to Cookies and other Third-Party Services and Matching Customer Data with Online Advertising Providers
You can manage your consent or revocations of the options described in this section at any time through our "privacy settings" banner. This is the pop-up window that appears when you visit our website for the first time and which you can also call up at any time later by clicking on the ‘Privacy settings’ link in the footer section at the bottom of our website. In all cases, however, the data processing carried out up to the time of cancellation remains justified.
The above categories of data which are processed when you visit our website, may also be processed by so-called "cookies" or other "third-party services". Cookies are small text files that are stored on your device and may include, for example, personal settings, preferences, or browsing history, which can then quickly be retrieved by the web server at a later time.
Cookies required for technical purposes exclusively ensure the functionality of our website and do not require your consent. They allow you to add items to your shopping basket or enable you to log into your customer account, for example. We use these cookies required for technical purposes exclusively to the extent that is absolutely necessary. The use of these cookies required for technical purposes is determined by pre-contractual measures (Art 6 Para 1 lit b GDPR) or is justified by our overriding legitimate interest in the functionality of our website (Art 6 Para 1 lit f GDPR).
In addition to these cookies required for technical purposes, we may also use "third-party services" (e.g. "marketing cookies", "analytics cookies", "non-essential cookies", "pixel", "fingerprinting", "local/session storage" or similar technologies) if we have your prior, voluntary approval to do so. These services enable us to better understand and evaluate your interests. With the help of these services, we can merge your surfing behaviour beyond the boundaries of our website with data from other websites. This data allows us to better understand the interests of visitors to our websites and to address them in a more targeted manner. To this end, the categories of your data required for the purpose will also be transmitted to the respective service provider. We respect that not every visitor to our website wants this. Therefore, we only process your data through these third-party services if you give us your prior consent to do so.
On the basis of your prior voluntary consent, we may also send you targeted ads external to our websites via the advertising channels of the online advertising providers listed below, but only if you are already registered with these providers or use their services (‘matching of customer data’ or ‘customer match’). For this purpose, we use your personal data in encrypted form to match it with the customer database of the respective providers. For this purpose, only data anonymised with an encryption process is used, which means that providers who do not already have your data will never receive your data. This is ensured by the fact that before your data is transmitted to the providers, we encrypt your data using a hash procedure, which results in a non-reversible character string (‘hash value’) that does not allow any conclusions to be drawn about your data. Only this hash value is transmitted to the providers. The providers encrypt their data using the same method. We then compare our hash value with the hash value of the provider. If our hash value matches that of one or more providers, we can be certain that you are already using the services of the respective provider and that we can therefore send you targeted ads via their advertising channels.
In order to offer you such ads through external online advertising providers, the following categories of data may be processed in addition to the data processed during your visit to our website:
- E-mail address
- Telephone number
- First name
- Last name
- Country
- Postcode
- Shopping behaviour and favourite products
Your consent to the processing of your data by services that process your data within the EU or the EEA, or in other countries for which there is a valid EU adequacy decision pursuant to Art. 45 GDPR, are based on Art 6 Para 1 lit a GDPR. Such an adequacy decision ensures an adequate level of data protection based on the European Commission's standards.
On July 10, 2023, the European Commission published a decision regarding adequacy for the USA. According to the EU-US Data Privacy Framework (EU-US DPF), data transfers to service providers in the USA are adequate if they are certified as per the Data Privacy Framework (DPF) Program.
Your consent to data processing via services that process your data in countries outside of the EU or EEA that do not have an adequacy decision, or, by services in the United States that have not yet been "Data Privacy Framework Program (DPF)" certified, is based on Art 6 para 1 lit. a in connection with Art 49(1)(a) of the GDPR (exceptions for specific cases). Your rights concerning the processing of your data in such cases cannot be guaranteed, which we hereby expressly point out before you give your consent.
Subject to your prior consent, the following third-party services may be activated on our websites with their respective cookies which are not required for technical purposes. You can find out which of these third-party services are available for selection at www.vitalabo.com directly in our "privacy settings" banner.
Service | Description | Duration of storage (maximum) | Place of processing | Legal Basis for Data Transfer | Service provider and data protection information of the provider |
Adform | Performance analysis and optimisation of online advertising campaigns | 180 days | EU/EEA | Data processing per Art. 28 GDPR | Adform A/S |
Adition | Performance analysis and optimisation of online advertising campaigns | 180 days | EU/EEA | Data processing per Art. 28 GDPR | Virtual Minds GmbH |
AdUp | Creating personalised advertising offers | 12 months | EU/EEA | Data processing per Art. 28 GDPR | Axel Springer Teaser Ad Gmbh |
AWIN | Targeted display of online advertising | 30 days | EU/EEA | Joint responsibility per Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR | AWIN AG |
Brevo | Analysis and statistical evaluation of the website | 24 months | EU/EEA | Data processing according to Art. 28 GDPR | SendinBlue GmbH |
Clarity | Analysis and statistical evaluation of the website | 12 months | EU/EEA, USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Microsoft Corporation |
creativecdn.com | Creating personalised advertising offers | 12 months | EU/EEA | Joint responsibility per Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR | RTB House S.A. |
Criteo | Creating personalised advertising offers | 13 months | EU/EEA | Joint responsibility per Art. 26 GDPR under the conclusion of a joint responsibility agreement. Both parties are contact points for the exercise of rights according to Art.15-20 GDPR | Criteo SA |
Floodlght | Performance analysis and optimisation of online advertising campaigns (the provider may use the data collected to contextualise and personalise ads on its own advertising network, especially if you are logged into an existing account from the service) | 2 years | EU/EEA, USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Freshchat | Possibility to contact customer service via chat. | 400 days | EU/EEA, USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Freshworks Inc. |
Freshdesk | Possibility to contact customer service via a phone service. | 400 days | EU/EEA, USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Freshworks Inc. |
Meta-Pixel | Performance analysis and optimisation of online advertising campaigns (the provider may use the data collected to contextualise and personalise ads on its own advertising network, especially if you are logged into an existing account from the service) | 3 months | EU/EEA/USA | Joint responsibility per Art. 26 GDPR under the conclusion of a joint responsibility agreement with certification of the service provider as per the Data Privacy Framework (DPF) Program. The provider is the contact point for exercising the rights as stipulated in Art 15-20 GDPR. | Meta Platforms Ireland Limited |
Flashtalking | Targeted display of online advertising | 60 months | EU/EEA | Data processing per Art. 28 GDPR | Simplicity Marketing Ltd |
Google Ads | Targeted display of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service) | 3 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Google Analytics | Analysis and statistical evaluation of the website (under privacy-protecting settings, in particular, the deactivation of Google Signals, User ID, personalised ads, data sharing for Google products and services, and the restriction on collection of location and device data from individual regions). | maximum 14 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Google Consent Mode | Upstream interface for legally binding consent to the provider as per the Digital Markets Act for all its marketing and advertising services. Implemented in the basic version, according to which no data is transmitted to the provider in the event of refusal. | 14 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Google Customer Reviews | Participation in surveys | 90 gays | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Google Tag Manager | Integration of Google Tag Manager for easy reloading of services | 24 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Hotjar | Optimisation of our online offers and website presentation | 12 months | EU/EEA | Data processing per Art. 28 GDPR | Hotjar Ltd. |
Hubspot | Optimisation of our online offers | 6 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | HubSpot, Inc. |
Microsoft Advertising | Targeted display of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service) | 13 months | EU/EEA, US | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Microsoft Corporation |
Omniconvert | Optimisation of our online offers and website presentation | 6 months | EU/EEA | Data processing according to Art. 28 GDPR | Omniconvert SRL |
Pinterest Tag | Performance measurement and targeted display of online advertising | 180 days | EU/EEA, US | Data processing per Art. 28 GDPR under conclusion of the final standard data protection clauses as per Art. 46 Para. 3 lit a GDPR | Pinterest Inc. |
Sovendus | Display and performance measurement of Sovendus voucher offers | 30 days | EU/EEA | Joint responsibility per Art. 26 GDPR. Both parties are contact points for exercising their rights according to Art. 15-20 GDPR. | Sovendus GmbH |
TikTok Pixel | Measuring the success and optimisation of online advertising (The provider may use the data collected to contextualise and personalise the ads of its own advertising network, especially if you are logged into an existing account of the service) | 13 months | EU/EEA, US, Malaysia, Singapore | Joint responsibility per Art. 26 GDPR under the conclusion of an agreement on joint responsibility, including the final standard data protection clauses as per Art. 46 Para. 3 lit a GDPR. The provider is the point of contact for exercising rights as per Articles 15-20 GDPR. | TikTok Technology Limited |
twiago | Optimising our online offers | 30 days | EU/EEA | Data processing per Art. 28 GDPR | twiago GmbH |
uptain | Creation of personalised advertising and business offers | 12 months | EU/EEA | Data processing per Art. 28 GDPR | uptain GmbH |
Vimeo | Playing Vimeo video services | 24 months | USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Vimeo.com, Inc. |
Youtube | Playing YouTube videos. The service is implemented in the "extended data protection mode", which excludes "Tracking" by the provider and only transmits data that is absolutely essential for playing videos. | 24 months | EU/EEA, USA | Data processing per Art. 28 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. | Google Ireland Limited |
Zemanta | Optimising our advertising campaigns | 3 months | EU/EEA, UA | Joint responsibility according to Art. 26 GDPR with certification of the service provider as per the Data Privacy Framework (DPF) Program. Both parties are the point of contact for exercising rights per Art. 15-20 GDPR. | Outbrain Inc. |
Subject to your prior voluntary consent, we may send you targeted ads via the channels of the following online advertising providers after a successful ‘matching of customer data’ has been completed.
Service | Place of processing | Provider and data privacy information of the provider |
Criteo audience match | EU/EEA | Criteo (Criteo SA) |
Google Customer Match | EU/EEA, USA | Google (Google Ireland Limited) |
LinkedIn Matched Audiences | EU/EEA, USA | LinkedIn (LinkedIn Ireland Unlimited Company) |
Meta Custom Audiences | EU/EEA, USA | Meta (Meta Platforms Ireland Limited) |
Microsoft Customer Match | EU/EEA, USA | Bing (Microsoft Corporation) |
Pinterest customer list | EU/EEA | Pinterest (Pinterest Europe Ltd.) |
TikTok Custom Audience | EU/EEA, USA, Malaysia, Singapore | TikTok (TikTok Technology Limited) |
Click Fraud Technology and Bot Detection
If you reach our website by clicking on advertisements displayed via search engines, we can use services to analyse and prevent "click fraud". Click fraud occurs when clicks on ads are generated by automated tools or when multiple clicks on ads are unlikely to be driven by genuine interest.
Service | Description | Duration of storage | Place of processing | Legal Basis for Data Processing and Data Transmission | Service Provider and Data Protection Information of the Provider |
Ads Defender | Analysis of clicks on Google Ads, transmission of the IP address to Google Ireland Limited if click fraud is suspected | 365 days | EU/EEA | Overriding legitimate interests (Art. 6 Para. 1 lit f GDPR; you can submit your objection to the processing per Art. 21 GDPR here in the form of an "opt-out"), data processing as per Art. 28 GDPR | Hurra Communications GmbH |
If our firewall detects suspicious click behaviour based on preset parameters and a potential attack on our systems cannot be ruled out, we reserve the right to carry out an automatic internal Captcha verification. The authenticity of your enquiry will be verified by asking you to solve a simple picture puzzle. This is carried out without transferring data to third parties. This is justified by our overriding legitimate interest in the security of our systems (Article 6(1)(f) GDPR).
2) What data do we process when you subscribe to our online advertising channels?
E-mail Newsletter
The following categories of data may be processed (in addition to the data processed during your visit to our website) when you subscribe to our e-mail newsletters:
- E-mail address
- Favourite products that match your personal choice
The processing of this data is based on your voluntary consent (Art 6 Para 1 lit a GDPR). You can revoke this consent at any time by unsubscribing via the link provided in each newsletter or via your existing customer account, whereby the data processed up to the time of revocation remains justified. You are not obliged to provide this data, but we cannot provide you with a newsletter subscription without it.
In order to send our e-mail newsletters, it may be necessary for us to transmit your data to the following recipients:
Service provider and data protection information of the provider | Description | Place of processing | Legal bases for data transmission |
Amazon Web Services EMEA SARL | Sending the e-mail newsletter | EU/EEA | Data processing according to Art. 28 GDPR |
SendinBlue GmbH | Sending the e-mail newsletter | EU/EEA | Data processing according to Art. 28 GDPR |
3) What data do we process when you contact us?
When you contact us, the following categories of your data may be processed (in addition to the data processed during your visit to our website):
- Name
- Contact details
- E-mail address
- Telephone number
- Any order data
- Correspondence data, including any data you provide to us during communication
We process this data for the following purposes:
- Handling customer enquiries, customer care and other customer support services via e-mail, chat or telephone.
These categories of data are processed to the extent necessary for each case. The processing of this data is justified by our overriding legitimate interest in efficient and satisfactory communication (Art 6 Para 1 lit f GDPR).
For this purpose, it may be necessary for us to transmit your data to the following recipients:
Service provider and data protection information of the provider | Description | Place of processing | Legal bases for data transmission |
Freshworks Inc | Customer inquiries and customer care services via email or chat | EU/EEA, occasionally USA if you contact us via social media platforms | Data processing per Art. 28 GDPR under certification of the service provider as per the Data Privacy Framework (DPF) Program |
CallOne GmbH | Customer inquiries and customer care services via telephone | EU/EEA | Data processing per Art. 28 GDPR |
4) What data do we process when you use our webshop?
When you use our webshop, the following categories of your data may be processed (in addition to the data processed during your visit to our website):
- Name
- Contact details
- Billing and shipping address
- E-mail address
- Telephone number
- Order and delivery data
- Account and payment data
- Assigned account number
- Data that you enter via a contact form
- Correspondence data, including all data you provide in connection with your order
- Date of birth (in the case of legally required proof of age)
We process this data for the following purposes:
- Processing the entire contractual relationship with you
- Transfer of orders to payment service providers
- Commissioning shipping or forwarding services, including drop-shipping
- Communication for processing orders
- Legally required storage as defined by the § 132 BAO (Federal Fiscal Code)
- Legally permitted direct advertising (e.g.: per mail, e-mail, satisfaction surveys, congratulatory letters, statistical evaluations); We would like to expressly inform you that you can object to the processing of your data for the purpose of direct advertising
- Legally mandated notifications pertaining to product safety
- Prevention and clarification of cases of fraud or attempted fraud
- Assertion and defence of legal claims
Processing these categories of data occurs to the extent necessary in each case and required for the fulfilment of the contract (Art 6 para 1 lit b GDPR), required for the fulfilment of our legal obligations (Art 6 para 1 lit c GDPR) or is justified by our overriding legitimate interest in smoothly running our business (Art 6 para 1 lit f GDPR).
It may be necessary for us to transmit your data to the following categories of recipients as required for the use in our webshop:
Service provider and data protection information of the provider | Description | Place of processing | Legal bases for data processing and data transmission |
Credit card companies, banks, payment providers (Data protection information according to teh website of the selected provider) | Payment processing for your order | Usually EU/EEA – but also third countries in exceptional cases | Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR |
Logistics service provider (Data protection information according to the website of the selected provider) |
Transportation and delivery of orders | Usually EU/EEA – but also third countries in exceptional cases | Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR |
Drop-shipping or Drop-shipping Service Provider (Data protection information according to the website of the selected provider) |
Execution of orders for products that are not in stock and transfer to logistics service providers for transport | Usually EU/EEA – but also third countries in exceptional cases | Fulfilment of contract (Art 6 Para 1 lit b GDPR). If the recipient is in a third country without a valid adequacy decision – Art 49 Para 1 b and e GDPR |
Debt Collection Service Provider (Data protection information according to the website of the respective service provider) | If necessary, for collecting outstanding debts | Usually EU/EEA countries, but also third countries in exceptional cases | Overriding legitimate interests (Art 6 Para 1 lit f GDPR). If the recipients are in a third country (non-EU) without valid adequacy decisions - Art. 49 Para 1 lit e GDPR |
Amazon Web Services EMEA SARL | Sending automated emails | EU/EEA | Overriding legitimate interests (Art 6 Para 1 lit f GDPR), data processing in accordance with Art 28 GDPR |
Customer Account
You have the option of registering for a customer account. If you do so, the following categories of your data may also be processed:
- Order history and wish lists
- Product data (ratings, testimonials, questions, and answers about products)
- Assigned customer number
- Customer segmentation
We process this data for the following purposes:
- Storage of your information in your customer account, including the publication of your ratings, reviews, questions, and answers about products, insofar as you do this independently
- Customer segmentation carried out to offer benefits or discounts.
This data is processed based on your voluntary consent (Art 6 para 1 lit a GDPR) and is justified by our overriding legitimate interest in evaluating our product reviews and customer segmentation (Art. 6 Para. 1 lit f GDPR). ou may revoke your consent to the storage of your customer account at any time, whereby the data processed up to the time of revocation remains justified. To delete your customer account and all personal data stored in it, you can select the menu item "Delete my customer account" in your customer account. You are not obliged to register for a customer account, but we cannot provide you with the additional services mentioned above without a customer account.
In connection with testimonials or questions & answers about products, we may be legally required by the EU regulations for digital services (Digital Services Act) to contact you due to a restriction on content provided by you (Art 6 para 1 lit c GDPR).
Sovendus Voucher Network
Based on your prior voluntary consent (Art. 6(1)(a) GDPR) through our "Cookie Banner" (see Section 1), we can display offers by the Sovendus coupon network after completing an order. For this purpose, the pseudonymised, encrypted hash value of your email address and your IP address will be transmitted to Sovendus GmbH, Hermann-Veit-Str. 6, 76135 Karlsruhe, Germany (Legal basis Sovendus: Art. 6(1)(f) GDPR). Sovendus will use the pseudonymised hash value of your email address to take into consideration any objections to advertising from Sovendus (Art. 21(3), Art. 6(1)(c) GDPR). The IP address will be used by Sovendus exclusively for data security purposes and will generally be anonymised after seven days (Art. 6(1)(f) GDPR). Furthermore, for billing purposes, the pseudonymised order number, order value with currency, session ID, coupon code, and timestamp will be transmitted to Sovendus (Art. 6(1)(f) GDPR). If you wish to accept a Sovendus voucher and have not objected to advertising material being sent to your email address, and you click on the coupon banner displayed only in this instance, we will also transmit encrypted information such as your name, postal code, country, and email address to Sovendus for use in the preparation of your voucher (Art. 6(1)(b), (f) GDPR). For further information on how Sovendus processes your data, please refer to Sovendus' online data privacy policy.
5) Which data do we process if you have a business relationship with us?
If you have a business relationship with us as a partner or supplier, we may process the following categories of your data:
- Name
- Company data
- Contact details
- E-mail address
- Telephone number
- Business data, order, delivery and invoice data
- Correspondence data, including all data that you provide to us in connection with our business relationship.
We process this data for the following purposes:
- The initiation, maintenance and processing of our entire business relationship with you (e.g. pre-contractual obligations, invoicing of services, dispatch of documents, communication for processing the contract).
- Legally required storage as defined by the § 132 BAO (Federal Fiscal Code)
- Internal administration and management of our business relationship to the extent required (e.g.: Processing your business case, forwarding business cases to various departments, filing, archiving purposes, correspondence with you).
- Assertion and defence of legal claims
These categories of data are processed to the extent necessary in each case. If you do not provide us with this data, we will unfortunately not be able to process your business transaction.
Processing this data is necessary for the contractual fulfilment of our business relationship (Art 6 Para 1 lit b GDPR), necessary for the fulfilment of our legal obligations in connection with retention periods (Art 6 para 1 lit c GDPR) or justified by our overriding legitimate interest smoothly running our business (Art 6 Para 1 lit f GDPR).
6) How long will your data be stored?
We only store your data for as long as is necessary for the purposes for which we collected your data. In this context, statutory retention obligations must be taken into account (for example, for reasons of tax law, contracts, order data or other documents from a contractual relationship must generally be retained for a period of seven years (§ 132 BAO)). Your name, address, purchased goods and date of purchase are also stored until the product liability expires (after 10 years according to § 13 Product Liability Law). In justified individual cases, such as for the assertion and defence of legal claims, we may also store your data for up to 30 years after the termination of the business relationship.
We store the data that we process in the context of contacting you for up to three years from the time you last contacted us.
7) Collection of data from other sources (Art 14 GDPR)
Data is only collected from other sources if you wish to enter into a business relationship with us as a partner or supplier in accordance with point 5. For this purpose, it may be necessary to carry out research on the business partner. This will only be done to the extent required. In this context, data may be retrieved and processed from the following sources:
Source | Public? | Affected Data | Purpose/Justification |
Company website | Yes | Contact/structure data | Contact for business purposes |
Contractor | No | Name, address, phone no. | Contract fulfilment, delivery |
8) Does automated decision-making or profiling take place (Art 13 (2) (f) of the GDPR)?
No automated decision-making takes place on our website. However, over the order process, it is possible that the respective payment service provider uses profiling for fraud detection.
9) What rights do you have in regard to data processing?
We would like to inform you that, provided that the legal requirements are met, you have the right to:
- request information about what personal data we're processing (see Art 15 GDPR for more details)
- demand the correction or completion of incorrect or incomplete data concerning you (see Art 16 GDPR for details)
- delete your data (see Art 17 GDPR for details), provided there are no legitimate reasons to the contrary
- restrict the processing of your data (see Art. 18 GDPR for details)
- data portability - receipt of the data you have provided in a structured, common and machine-readable format (see Art. 20 of the GDPR).
- object to the processing of your data based on Article 6(1)(e) or (f) of the GDPR (see Art 21 of the GDPR). This applies particularly to the processing of your data for advertising purposes.
If we process your data on the basis of your consent, you have the right to revoke this consent at any time. This will not affect the lawfulness of the data processed up to that point (Art 7 (3) GDPR).
If, contrary to expectations, your right to lawful processing of your data is violated, please contact us. We will endeavour to deal with your request promptly, at the latest within the statutory period of one month. You also always have the right to lodge a complaint with the supervisory authority responsible for data protection matters.
10) Who is responsible for data protection and how can you contact us?
The person responsible for Data Processing as presented here (as stipulated in Art 4 Z 7 GDPR) is:
niceshops GmbH
Saaz 99
8341 Paldau
Austria
global@vitalabo.com
CEO: Roland Fink, Mag. Christoph Schreiner, Barbara Unterkofler
Joint responsibility within the niceshops Group, or via commissioned processing by the niceshops Group, and your rights:
This website is operated by the niceshops Group, an Austrian e-commerce company that specialises in the development of online shops in various product segments.
The data processing outlined in this privacy statement can be carried out:
- under joint responsibility within the niceshops Group as per Art 26 GDPR (if necessary, we'd be happy to provide you with the essential contents of the relevant agreement upon request)
or:
- in the form of commissioned order processing as per Art 28 GDPR, where the niceshops Group processes the orders.
In both cases, you are free to assert your rights with all parties.
Contact information of the Data Protection Officer at the niceshops Group:
Email: privacy@niceshops.com
Post: niceshops GmbH, c/o the Data Protection Officer, Annenstrasse 23, 8020 Graz, Austria.
For persons and authorities in the United Kingdom, a representative has been appointed for data protection matters of the niceshops Group as stipulated in Art 27 United Kingdom General Data Protection Regulation (UK GDPR). The contact details of our representative are:
Email: info@rgdp.co.uk
Post: RGDP LLP, Level 2, One Edinburgh Quay, 133 Fountainbridge, Edinburgh, EH3 9QG, Scotland.
When contacting our representative, please state "niceshops / www.vitalabo.com" in the subject line so your request can be promptly assigned.
Any use of this privacy policy, or parts of it, without the consent of the author constitutes a violation of copyright.