DATA PROTECTION DECLARATION
Last update: August 2020
La Katz GmbH, Campus 2, Jakov-Lind-Straße 2, 1020 Vienna, Austria ("we") operates the website https://lakatz.com/ ("Website" or "Online Shop") and is the controller under data protection law for any and all data processing operations outlined subsequently.
Thank you for your interest in our Website and/or our social media presences. The protection of your privacy is very important to us and we would like to inform you accordingly about your rights and opportunities in order to effectively support a trusting business relationship. Our data protection practice is in accordance with the General Data Protection Regulation of the European Union ("GDPR") in conjunction with the Austrian Data Protection Act ("DSG"), the Austrian Telecommunications Act 2003 ("TKG") and other relevant legal provisions. The following declaration is intended to provide you with comprehensive information in the sense of Art 13 GDPR on how we deal with your data and what rights you have. Information may be either collected directly from you by means of inputs and dispositions or due to accessing one of our offers.
Data protection laws are generally relevant in case any processing of personal data is concerned. The terms used within the scope of this Data Protection Declaration are defined in and by the GDPR. As such, the broad definition of "processing" of personal data means any operation or set of operations performed on personal data, such as, but not limited to, recording, organization, storage, alteration, and transmission of personal data. Any information allowing us or third parties, in a review or by additional knowledge, to potentially identify you in person can be considered personal data.
1. Data processing operations
1.1 Processing of access data when visiting our Website
(a) Type and extent of data processing: You can visit our Website without providing any personal information. When you access our Website, only certain access data are processed automatically in so-called server log files. In particular, the following data are processed in this context: (i) name of visited website; (ii) browser type/version used; (iii) operating system of the user; (iv) previously visited website (referrer URL); (v) time of the server request; (vi) data volume transferred; (vii) host name of the accessing computer (IP address used in anonymised form). This information does not allow us to identify you personally; however, IP addresses are considered personal data within the meaning of the GDPR. As a mere website visitor, you can inform yourself about our offers and activities without any obligation and without the possibility for us to link such data to your person.
(b) Legal basis and purpose: The purpose of this data processing operation is to establish and maintain technical security in regards of our Website, to improve the Website's quality and to generate non-personal statistical information. The processing is based on our legitimate interest (Art 6 para 1 lit f GDPR) in achieving the mentioned purposes.
(c) Storage period: The server log files are, in general, automatically deleted after fourteen (14) days, at the latest.
1.2 Contact requests
(a) Type and extent of data processing: When contacting us via the contact form provided on our Website in the section "Get in Touch", we will use your data as indicated in order to process your contact request and deal with it. The data processing involved is necessary to issue a response in respect of your request, as we would otherwise not be able to contact you. Details whose indication is mandatory are marked with a *-symbol; certain additional information may be provided voluntarily. Moreover, the respective elucidations of this point apply accordingly to the processing of data being entailed by direct contact requests executed via contact details provided in the imprint of our Website respectively in this Data Protection Declaration, without making use of the contact form.
(b) Legal basis and purpose: Purpose of the data processing is to enable us an exchange with users of the Website as well as (potential) customers. We answer your request on the basis of our legitimate interest (Art 6 para 1 lit f GDPR) in maintaining a properly functioning contact system, which is a prerequisite for the provision of any services. In case of repeated contact requests respectively the establishment of a customer relationship, we may also store your data for the purpose of cultivating existing/returning contacts, which you will be informed of in accordance with the requirements of data protection law.
(c) Storage period: We delete your requests as well as your contact data if the request has been answered conclusively. Your data are, in general, stored for a period of six (6) months and subsequently erased if we do not receive follow-up requests and if the data must not be further processed for different purposes (e.g. due to the establishment of a customer relationship).
1.3 Customer orders
(a) Type and extent of data processing: Should you have decided to make use of our offer, you will be required to provide certain information for the execution of a purchase contract. Hence, if you purchase a product, you must provide the following personal data: (i) full name; (ii) email address; (iii) shipping/billing address.
(b) Legal basis and purpose: We are processing your data for the purpose of conducting our business activity and to be able to provide our services as offered. The processing is necessary to fulfil the purchase contract concluded with you and is, thus, based on Art 6 para 1 lit b GDPR.
(c) Storage period: Data collected in the course of the placement of orders in our Online-Shop are stored for the period of one (1) year and will be erased thereafter, as long as follow-up contact has not been established in the meantime. Longer storage periods may be the result of legal storage obligations (cf. point 1.5) or in case legal claims are assumed.
(a) Type and extent of data processing: You may subscribe to our newsletter via the Website. To do so, you must provide your email address. The newsletter provides you with news about our company and services; it will solely be sent to email addresses having been indicated by interested users themselves. If you no longer wish to receive the newsletter, you can of course unsubscribe at any time by clicking on the "Unsubscribe" button at the end of each newsletter or by notifying us of your wish via the contact address specified under point 5. We also use the newsletter for statistical evaluations in connection with your personal data and assess the performance of the newsletter by analysing opening and click behavior as well as information on the technical deliverability of the newsletter.
For delivery of the newsletter we use the newsletter service "Mailchimp", which is operated by The Rocket Science Group LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA. Hence, your voluntarily provided data will be saved on servers of The Rocket Sci-ence Group LLC; in particular, that might entail a processing of your data in the USA. Your data will solely be used to deliver the newsletter you have subscribed to. The Rocket Science Group LLC acts as our processor in this context and is strictly bound to our instructions.
(b) Legal basis and purpose: The data mentioned above are processed in the form of a newsletter for the purpose of direct marketing and are necessary to send the newsletter and contact you in the correct manner. A newsletter or other electronic advertisements will in no case be sent without your prior approval, which we obtain in accordance with § 107 para 2 TKG via the registration mask on our Website. Each and every analysis of the newsletter's performance is conducted for the purpose of evaluating success and reach on the legal basis of our legitimate interest in producing newsletter statistics that are easy to handle and effective in marketing terms in a cost-efficient manner (Art 6 para 1 lit f GDPR).
(c) Storage period: All data having been collected for the delivery of the newsletter shall be erased within fourteen (14) days after a potential cancellation of the subscription, as long as no legal retention periods demand otherwise and the data are not lawfully processed for other purposes as well.
1.5 Legal retention and documentation periods
(a) Type and extent of data processing: Even after an active customer relationship with us ceases to exist, we may not be allowed to delete all of your data due to legal requirements. Within this context, different types of data are affected to a varying extent. This concerns, in particular, your settlement data which are to be stored on the basis of safekeeping and documentation obligations pursuant to the Austrian Federal Fiscal Code (BAO) as well as the Austrian Corporate Code (UGB).
(b) Legal basis and purpose: We process your data in this context on the basis of Art 6 para 1 lit c GDPR (legal obligation). Said processing of your data is conducted for the purpose of complying with our own statutory duties.
(c) Storage period: Due to legal safekeeping and documentation obligations, your settlement data are generally stored for a period of seven (7) years. In case the data in question are relevant for a pending (tax) proceeding, they might be stored for longer periods.
On our Website, we use so-called "cookies". Cookies are small data sets that are stored on your end device. They help us to make our offer more user-friendly, attractive and secure.
They are placed by a web server and sent back to it as soon as a new connection is established in order to recognise the user and his settings. In this sense, a cookie is a small local text file that assigns a specific identity consisting of numbers and letters to your end device. Under no circumstances can cookies access or interact with data stored locally on your device. Different types of cookies have different functions. For example, cookies can enable you to access and navigate websites faster and more efficiently. Cookies help to maintain the functionality of websites with regard to state of the art functions and user
experience (e.g. by saving the resolution of a requesting device so that a website can be displayed correctly); on the other hand, they are also used for targeted and cost-saving marketing measures. Cookies which are not technically necessary to maintain the proper functioning of the Website are stored on your end device due to your visit of our Website on the basis of your consent according to § 96 para 3 TKG in conjunction with Art 6 para 1 lit a GDPR subject to our cookie consent solution. They can be set either directly by us or by third parties who provide services for us (third-party cookies).
Cookies always contain the following information:
– name of the cookie;
– name of the server the cookie originates from;
– ID number of the cookie;
– an end date at the end of which the cookie is automatically deleted.
As an example, Cookies can be differentiated according to type and purpose as follows:
– Essential cookies: Such cookies are technically required for the operation of the Website and are essential to navigate the Website and to use its full range of
functions (e.g. to access protected areas of the digital appearance). Essential
cookies are always first-party cookies. They can only be deactivated in the settings of your browser by rejecting all cookies without exception (see below)
– Statistic cookies: Such cookies are used to collect information about the user
behavior on websites. In particular, the following information may be stored:
accessed sub-pages (duration and frequency); order of pages visited; search terms used having led to the visit of the respective website; mouse movements (scrolling and clicking); country and region of access. These cookies allow to determine what a user is interested in and thereby adapt the content and functionality of the website to individual user needs. The cookies can be deactivated via your browser settings (see below).
– Marketing cookies: These cookies are used to analyse user behavior and display
personalised advertising based on the interests determined. Among other things,
they collect information about previously visited websites. They are usually third-
party cookies; however it is becoming increasingly common to also use tracking
cookies in the form of first-party cookies. The cookies can be deactivated via the
settings of your browser (see below).
With regard to the storage period cookies can be further differentiated as follows:
– Session cookies: Such cookies will be deleted without any action on your part as soon as you close your current browser session. Such cookies, for example, allow you to remain logged in to your password-protected customer account during navigation on websites by assigning you a specific session ID. In respect of our cookie consent solution, session cookies can be recognised by the indication
– Persistent cookies: Such cookies (e.g. to save your language settings) remain stored on your end device until a previously defined expiration date or until you have them manually removed. Among other things, they enable cross-session user tracking. In respect of our cookie consent solution, persistent cookies can be recognised by the time specification under "Duration".
Furthermore, cookies may be differentiated by their subject of attribution:
– First-party cookies: Such cookies are used by ourselves and placed directly from our Website. Browsers generally do not make them accessible across domains which is why the user can only be recognised by the page from which the cookie originates. However, first-party cookies are increasingly utilised in the course of the use of third-party services in the sense of point 1.7 as well; thus, third parties may eventually be enabled to access information stored in such cookies as well.
– Third-party cookies: Such cookies are not placed by the website operator itself, but by third parties when visiting a specific Website, in particular, for advertising
purposes (e.g. to track surfing behavior). They allow, for example, to evaluate different page views as well as their frequency.
Most browsers automatically accept cookies. However, you have the option to customize your browser settings so that cookies are either generally declined or only allowed in certain ways (e.g., limiting refusal to third party cookies). However, if you change your browser's cookie settings, some websites may no longer be fully usable. The setting options for the most common browsers can be found under the following links:
Internet Explorer™: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
1.7 Third-party services
The following third-party services (analysis tools, social plugins, etc.) are used on our Website. They help us to extend the website functionality for our users and/or to perform evaluations regarding our offerings/services. Such implementation requires the processing of no less than your IP address, as being necessary to have the desired contents delivered to your browser.
1.7.1 Google Analytics
In the context of the application of Google Analytics, your IP address as well as other client data, namely information about your use of our Website, for example, browser type/version, operating system, the previously visited website or the time of the server request, are transferred to and stored on Google servers. Based on our instructions, Google Ireland will use the information collected to analyse the use of our Website, draft reports on website activities and provide us with further services connected to the use of our Website and the Internet. The data concerning the use of our Website are deleted automatically after the retention period of fourteen (14) months, which we provided for, has expired.
The IP address transmitted by your browser in the context of Google Analytics is not merged with other Google data. In order to protect you as comprehensive as possible, we utilise IP anonymisation by extending the code of our website by "anonymizeIP". This ensures masking of your IP address, wherefore all data concerned are collected anonymously. Only in exceptional cases will the full IP address be transmitted to a Google server and shortened there. Google intends to process data of users of the European Economic Area, where possible, in data centres situated in Europe; however, an outsourcing of processing activities to group companies may take place, wherefore a processing of your data in the USA by Google Ireland's parent company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA is possible. An overview of Google Ireland's respectively Google LLC's data centres can be viewed at: https://www.google.com/about/datacenters/inside/locations/?hl=en.
With the procedure described under point 1.6 you can prevent the storage of cookies by a corresponding setting of your browser software (possibly limited to third party cookies). You can also prevent Google Ireland from collecting data generated by cookies and relating to your use of the Website (including your IP address) and from processing this data by downloading an appropriate browser plug-in (available for Microsoft Internet Explorer 11, Google Chrome, Mozilla Firefox, Apple Safari and Opera) and installing it (https://tools.google.com/dlpage/gaoptout?hl=en).
For further information on data usage by Google Ireland and affiliated companies as well as your options in terms of settings and objection, please review the data protection declaration of Google at https://policies.google.com/privacy?hl=en.
Should you decide to purchase products in our online shop, you or we may have to commission a payment service provider to carry out the transaction. During this process, certain (personal) (payment) data will be transmitted. We have no control over the storage and processing of these data. The data are transmitted exclusively for the purpose of fulfilling the contract that you have concluded with us (Art 6 para 1 lit b GDPR). In some cases, the selected payment service providers also collect such data themselves, in particular if you (have to) create an account with them. Insofar, the data protection declaration of the respective provider applies; our Data Protection Declaration is merely intended to provide you with information about which recipients may receive your payment data. Payment service providers act as independent controllers in the sense of the GDPR and are thus not providing their services on our account based on our express instructions.
2.1. Credit card; Maestro
If you choose to pay by credit card or Maestro, you will provide your card details at the same time as you place your order. Your transaction will be secured by means of a 3-D Secure security layer. The payment transaction is carried out by the credit card company/financial institution and your card is debited accordingly. Certain data are transferred and processed to the respective credit card company/financial institution. Please also review the credit card company's data protection declaration and general terms and conditions.
2.2. Immediate transfer
If you choose to pay by immediate transfer (Sofortüberweisung), you will be redirected to the website of the online provider Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden after placing your order. After your legitimation, personal data and account details will be transmitted to Klarna Bank AB (publ). This data will enable Klarna Bank AB (publ) to check your account balance, among other things. In this respect, please also review the additional data protection information and the general terms and conditions of Klarna Bank AB (publ), on which you will be informed separately when using the service.
2.3. Apple Pay
You may also pay on our Website using Apple Pay, a service of Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. Ultimately, Apple Pay uses your credit or debit card to execute the transaction on the basis of agreements with the respective financial institution. Certain of your payment data will be transferred to Apple Distribution International Ltd. in encrypted form in the course of the payment process. Please also review the data protection declaration and general terms and conditions provided to customers of Apple Pay.
2.4. Google Pay
You may also pay on our Website using Google Pay, a service of Google Ireland (see point 1.7.1). Ultimately, Google Pay uses your credit or debit card to execute the transaction on the basis of agreements with the respective financial institution. Certain of your payment data will be transferred to Google Ireland in encrypted form in the course of the payment process. Please also review the data protection declaration and general terms and conditions provided to customers of Google Pay.
3. Transfer of your personal data; recipients
For the purposes explained in this Data Protection Declaration, we will transfer your (personal) data to the following recipients or make them available to them:
Within our organisation, your data will only be provided to those entities or employees who need them to fulfil their contractual or legal obligations or otherwise to lawfully process your data on our behalf.
Furthermore, (external) processors deployed by us receive your data if they need such data to provide their respective services (whereby the mere possibility to access personal data is sufficient). All processors are contractually obliged to keep your data confidential and to process it only within the scope of service provision. This includes the following categories of recipients:
(i) website evaluation/analysis (see point 1.7)
(ii) mailing dispatch (newsletter; see point 1.4)
Currently deployed processors are referenced in the course of the description of the different data processing operations conducted under point 1.
All deployed processors are bound to our data protection practice and will treat your personal data strictly confidential. Under no circumstances will processors unlawfully transfer your data to third parties or use it for any other purpose than to fulfil their obligations to us or to comply with our explicit instructions.
Lastly, we may transfer your data to independent controllers, as far as this is necessary in the course of our business activity in order to provide our services. Such controllers may be payment service providers mentioned in point 2 as well as the Österreichische Post AG, Rochusplatz 1, 1030 Vienna, Austria, commissioned with the delivery of products ordered via our Online Shop. Also, a transfer of certain of your data to our tax advisor or – in exceptional cases – authorities/courts in the course of their statutory competence might take place.
4. Rights of the data subject
4.1 Rights of the data subject in a narrow sense
A central aspect of data protection regulations is the implementation of adequate options allowing you to dispose of your own personal data, even after processing of said personal data has already commenced. For this purpose, a series of rights of the data subject are set in place. We shall comply with your corresponding requests to exercise your rights without undue delay and in any event within one (1) month of receipt of the request. Please direct your request to the following email address: firstname.lastname@example.org
Specifically, the following rights are stipulated:
(a) Should you exercise your right of access, we shall confirm whether we are processing your personal data and provide you with all relevant information in this regard, to the extent permitted by law. For this purpose, we will send you (i) copies of the data (emails, database excerpts, etc.), as well as information on (ii) concretely processed data, (iii) processing purposes, (iv) categories of processed data, (v) recipients, (vi) the storage period or the criteria for determining it, (vii) the origin of the data and (viii) any further information depending on the individual case. Please note, however, that we cannot hand over any documents that could impair the rights of other persons.
(b) With the right to rectification you may request that we rectify wrongly recorded data, data that have become inaccurate or incomplete (for the purpose of the respective processing). Your request will then be examined and the data processing affected may be restricted for the duration of the examination upon request.
(c) The right to erasure may be exercised (i) in the absence of a need with regard to the purpose of processing, (ii) in the event of revocation of a consent given by you, (iii) in the event of an objection with regard to your particular situation, insofar as the data processing concerned is based on the legitimate interests of us (balance of interests), (iv) in the event of unlawful data processing, (v) in the event of a legal obligation to erase, and (vi) in the event of processing data of minors under the age of sixteen (16) respectively under the lower age stipulated by the respective EU/EEA Member State from which our Website is accessed (Austria: fourteen  years).
(d) A right to restriction of processing, after the exercise of which affected data may only be stored, exists (only) in special cases. In addition to the possibility of restricting the duration of data corrections, (i) unlawful data processing (unless deletion is required) and (ii) the duration of the examination of a particular objection request are also covered.
(e) If we process your data on the basis of your express, prior consent, you have the right to withdraw such consent at any time. This concerns in particular a previously given consent for the delivery of our newsletter (see point 1.4). Processing activities being validly based on the consent of the data subject and hence conducted in accordance with the GDPR, do not become unlawful retroactively in case such consent is withdrawn; thus, withdrawal of consent solely effects subsequent processing activities.
(f) You also have the right to object to data processing at any time on grounds relating to your particular situation. This applies to all cases of data processing based on our legitimate interests pursuant to Art 6 para 1 lit f GDPR (balance of interests).
(g) You have the right to lodge a complaint with the relevant national supervisory authority (see point 4.2).
(h) A right to data portability, after the exercise of which the data concerned may be obtained in a structured, common and machine-readable format or upon request directly communicated to another controller. However, such right only covers those of your personal data, which we process due to your consent given on the basis of Art 6 para 1 lit a GDPR or due to a contract concluded with you on the basis of Art 6 para 1 lit b GDPR.
Please also note that we may be unable to comply with your request due to compelling reasons worthy of protection for the processing (balance of interests) or a processing due to the assertion, exercise or defense of legal claims (on our part). The same applies in the case of excessive requests, whereby here as well as in the case of descendants of manifestly unfounded requests a fee may be charged.
4.2 Right to lodge a complaint
If you take the view that we violate applicable data protection laws when processing your data, you have the right to file a complaint with a national supervisory authority. The concrete requirements for such a complaint in Austria are based on Section 24 DSG. However, we would ask you to contact us in advance in order to clarify any questions or problems.
The contact details of the Austrian Data Protection Authority are as follows:
Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
5. Contact details regarding data protection issues
For data protection questions, messages or requests, please use the following contact address:
La Katz GmbH