Data Privacy Statement
For website users, subscribers of the newsletter as well as customers of VAP Restaurants GmbH: The following information is used to inform you about the nature, scope and purpose of the collection and use of personal data and also informs you about your rights in the collection and processing of your personal data. This information is provided in accordance with Articles 13 and 14 of the General Data Protection Regulation (DSGVO). This privacy information is intended for (i) users of the website www.vapiano.at, (ii) subscribers to the newsletter, and (iii) customers who order food and beverages for self-pickup (“Takeaway Customer”).
1. Who is responsible for data processing and who can you contact if you have any questions?
The data controller is:
VAP restaurants GmbH FN 436137 d Karl-Popper-Straße 2b/Top 9, 6th floor A-1100 Vienna (hereinafter “VAP Restaurants”)
2. What data is processed and where does this data come from?
We process your information in different ways and for different purposes, depending whether you are (i) a user of the website, (ii) a subscriber to the newsletter, or (iii) a Takeaway customer.
If you are a user of the website:
When using the website (even without registration) cookies (or as we call it: Cantuccini) and google analytics are used. For more information, see item 6.
If you are a subscriber to the newsletter:
When you sign up for the free newsletter on our website (see item 7 for more information), your personal data will be processed. This includes first name, last name, email address, time of retrieval, IP address, browser type and operating system.
If you are a Takeaway Customer:
If you order food and beverages for pickup, the personal data provided by you as part of the initiation of the contractual relationship will be processed. This includes first name, last name, email address and phone number. Payment is processed by the payment service provider “Concardis” (Concardis GmbH, Helfmann-Park 7, 657690 Eschborn, Germany). The data protection information of Concardis can be found here.
3. On what legal basis and for what purpose is the data processing carried out?
If you are a user of the website:
We process your personal data
1) on the basis of your consent (Article 6 paragraph 1 letter a of the DSGVO): (i) Restaurant Finder for the purpose of identifying all nearby VAPIANO restaurants, and (ii) tracking user behavior on the website (for more information on Google Analytics and cookies, see item 6.). You have the right to withdraw this consent at any time. This does not affect the legality of the data processing carried out up to that date. 2) for the fulfilment of legal obligations (Article 6 paragraph 1 letter c of the DSGVO): The processing of personal data also takes place for the purpose of fulfilling various legal obligations, such as out legal obligation under Section 96 (3) TKG as well as for the purpose of providing information to law enforcement authorities and courts in the event of an investigation. 3) due to legitimate interests, provided that your right to keep the data confidential does not prevail in relation to our interest in processing (Article 6 paragraph 1 letter f of the DSGVO). Our legitimate interests are to ensure the security of website operation, to improve & analyze our website and to increase the user experience. You can object to the processing of personal data for advertising purposes at any time (see item 6 for details on Google Analytics and cookies).
If you are a subscriber to the newsletter:
We process your personal data on the basis of your express consent (Article 6 paragraph 1 letter a of the DSGVO) because you have registered as a subscriber for the newsletter (for more information please see item 7.). You have the right to withdraw this consent at any time. This does not affect the legality of the data processing carried up to that date.
If you are a Takeaway customer:
We process your personal data for the fulfilment of (pre-)contractual obligations (Article 6 paragraph 1 letter b of the DSGVO) in particular for the fulfilment of our (pre-)contractual obligations in the context of the contractual relationship, such as the performance of (pre-)contractual protection, care and information obligations, the provision of services, as well as, the settlement of claims arising from the contract, accounting, etc. Without this data, we cannot fulfill the contract with you.
4. To whom will your data be shared?
The data relevant in induvial cases is transferred on the basis of the statutory provisions or contractual agreement and, where necessary, for the execution of contacts, inter alia, to the following bodies:
If you are a user of the website:
- Courts and law enforcement agencies
- Other authorities
- Legal representatives or lawyers and third parties involved in legal services.
If you are a subscriber to the newsletter:
- Courts and law enforcement agencies
- Other authorities
- Legal representatives or lawyers and third parties involved in legal services.
If you are a Takeaway customer:
- Courts and law enforcement agencies
- Other authorities
- Legal representatives or lawyers and third parties involved in legal services
If the above-mentioned recipients of your personal data are located outside the EEA (European Economic Area) and that the country concerned has not been determined by a decision of the EU Commission that it has an adequate level of data protection, we shall ensure that the transfer is based on standard contractual clauses (currently 2010/87/EC and/or 2004/915/EC) or otherwise in accordance with Articles 46, 47 or 49 of the DSGVO).
In addition, processors commissioned by us receive your data for the purpose of fulfilling the respective service, such as the IT service provider “MailChimp” when registering for the newsletter: the email is sent via Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.
All processors are contractually obliged to treat your data confidentially and to process it only within the scope of our commissioning.
5. How long will your data be processed and stored?
We will process your personal data for as long as necessary. In the case of Takeaway customers, the personal data will be stored for 18 months. As soon as your data is no longer needed, it will be anonymized.
In any case, we store the personal data necessary for the performance of the contract for the duration of the entire business relationship, as well as, in accordance with the statutory retention and documentation obligations (e.g. in accordance with the Business Code or the Federal Tax Code). In addition, we consider the statutory limitation periods, which, for example, according to the General Civil Code (ABGB) can be up to 30 years in certain cases.
6. Data processing in connection with the use of the website
Cookies
Our website uses so-called cookies (or as we call it: Cantuccini) if you have given your consent (Article 6(1) (a) DSGVO). These are small text files that are temporarily stored on your device with the help of the browser and stored by your browser. They do not cause any harm but make websites more user-friendly. Some cookies remain stored on your device until you delete them. They allow us to recognize your browser the next time you visit. If you do not wish to do so, you can set up your browser to inform you about the setting cookies and you only allow this on a case-by-case basis. When disabling cookies, the functionality of our website may be limited.
Restaurant Finder
Under the tab “Restaurants” you will find the “Restaurant Finder”. There you can specify a postal code or city so that you can see all nearby VAPIANO restaurants. You can also view the location in the “Restaurant Finder” area. When you access the Google Maps map material, permanent cookies are set, provided that you have given your consent (Article 6 (1) (a) DSGVO). You can set your browser to inform you about the placement of cookies. This makes the use of cookies transparent for you. By accessing the map material of Google Maps, information about your use (especially the IP address of your device) can be transmitted to a Google Inc. server in the USA and stored there. VAPIANO has no influence on further processing of data by Google Inc. We do not use your data to create a suer profile of you. For more information, see the Google Maps Terms of Use, available at the bottom right of the Google Maps map, if you want to use the service.
Google Analytics
Our website uses functions of the web analytics service: Google Analytics (Google LLC, Mountain View, CA, USA) on the basis of your consent (Article 6 (1) (a) DSGVO)
Google Analytics uses so-called “cookies”, text files that are stored on your computer and which enable an analysis of your use of the website. We use Google Analytics exclusively with the code “gat._anonymizelp()” to ensure an anonymized collection of IP addresses (so-called IP masking). The information generated by the cookie about your use of this website is usually transmitted to a Google server in the USA and stored there. However, if IP anonymization is activated on this website, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compile reports on website activity and provide other services relating to website activity and the internet usage to the website operator. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with other data from Google. You can prevent the storage of cookies by setting your browser; accordingly, however, we would like to point out that in this case you may not be able to use all functions of this website to the full extent.
You can also prevent the collection data generated by the cookie and related to your use of the website (including the IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link http://tools.google.com/dlpage/gaoptout?hl=de
You can find more information about Google’s terms of use and privacy at http://www.google.com/analytics/terms/de.html or visit https://www.google.de/intl/de/policies/.
Cookiebot
A web service from Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark (hereinafter Cookiebot.com) is reloaded on our website. We use this data to ensure the full functionality of our website. In this context, your browser may transmit personal data to cookiebot.com. the legal basis for data processing is Art. The legitimate interest is in an error-free function of the website. The data will be deleted as soon as the purpose of their collection has been fulfilled. For more information on the handling of the transferred data, please refer to cookiebot.com’s privacy policy: www.cookiebot.com/de/privacy-policy/. You can prevent cookiebot.com from collecting and processing your data by disabling script code from running in your browser or by installing a script blocker in your browser (you can find such blocker at www.noscript.net oder www.ghostery.com).
The following information is stored in our Cookiebot account:
- The user’s IP address in anonymized form (the last three digits are set to “0”).
- The date and time of consent.
- The user’s browser
- The URL from which the consent was sent.
- An anonymous, random, and encrypted key value.
- The state of consent of the user, which serves as proof of consent.
The key and consent status are also stored in the user’s browser in the cookie “CookieConsent”, so that the website can automatically read and respect the user’s consent for all subsequent page requests and future user sessions for up to 12 months. You have the possibility to view and change your consent level at any time. This can be found later on this page.
Special Buttons
On our website we use various social buttons in the form of a link: Facebook, Instagram, and Spotify. When you visit our site, no data is transmitted to the social media services. Profile formation by third parties is therefore excluded. However, we do not want to deny these opportunities to those visitors who would like to use social buttons. We therefore offer you the possibility to use social buttons at various points on our website. This gives you the opportunity to reach our social media presence via the social buttons or to share content i.e. posts. Please note that clicking on the social button will result in certain data being transferred to the social media service (e.g. the VAPIANO website accessed where the social button is located; the date and time of clicking on the social button; information about the browser and operating system used; your current IP address).
By clicking on the button, you give your consent (Article 6 (1) (a) DSGVO) for data processing to the social media service. If you are already logged into the social media service at the time of clicking the social button, it is also able to determine your username and possibly even your real name from the above data. This data can also be processed by the social media service in countries outside the European Union. We have no influence on the scope, nature, and purpose of the data processing by the social media service. Please note that the social media service with the above data is quite capable of creating pseudonymized and even individualized usage profiles.
Further information on data protection can be found regarding Facebook here regarding Instagram here and regarding Spotify here.
7. Data processing in connection with the newsletter subscription
To allow you to subscribe to our newsletter, we use a double opt-in procedure. This means that you must first expressly confirm to us when you subscribe to the newsletter and agree to the associated processing of our personal data. Then you will receive a notification email from us with a link to confirm your registration for the newsletter.
8. What rights do you have?
Right to Information
If we process personal data about your, you have the right to information about the processing purposes, the categories of personal data processed, the recipients of this personal data, retention period, the rights to which you are entitled, the origin of the personal data and the existence of automated decision-making.
Correction and Deletion
You are entitled to request the correction of incorrect or incomplete personal data that concerns you. You are entitled to request the deletion of personal data that concerns you, provided that the processing of the data is not lawful and that no legal obligations on our part speak against the deletion.
Restriction of Processing
You may request, in certain cases the restriction of the processing of your data.
Data Transmission
You are entitled to request the transfer of your data that you have provided to us in a structured, common, and machine-readable format. You have the right that the personal data is transmitted by us directly to a controller, insofar as this is technically feasible
Opposition
For reasons arising from your particular situation, you are entitled to object at any time to the processing of personal data that concerns you. If you object, we will not process any information that affects you unless we can prove that our reasons for processing outweigh your interests.
Complaint
If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can complain to the supervisory authority. In Austria, this is the data protection authority (www.dsb.gv.at).
Contact
To exercise your rights in relation to your data processed by us, please contact:
VAP restaurants GmbH FN 436137 d Karl-Popper-Straße 2b/Top 9, 6. Stock A-1100 Wien info@vapiano.at
Definitions
Definitions of the terms used (i.e. “personal data” or “processing”) can be found in Article 4 of the DSGVO