Data Privacy Statement
This data protection statement applies to the website of the LAYA Solutions GmbH, LAYA Data GmbH and LAYA Media GmbH, which can be accessed under the domain layagroup.de. Data protection and data security when using our website are very important to us. We would therefore like to inform you at this point which of your personal data we collect when you visit our website and for what purposes it is used.
I. Joint Controllers
Joint controllers for the operation of the website within the meaning of the EU General Data Protection Regulation (hereinafter: GDPR) and other national data protection laws of the member states as well as other data protection provisions are:
LAYA Solutions GmbH
LAYA Data GmbH
LAYA Media GmbH
The joint controllers are all three part of the SIGNA group. Each of the responsible parties offers services that are used by other companies (our customers). The individual companies cover different areas, so that it can make sense for customers to use the services of each of the joint controllers at the same time. For this reason, they have decided to operate a joint website.
The joint controllers also intend to ensure transparency with regard to marketing campaigns on behalf of customers. They therefore want to offer those affected customers a platform that provides information about the activities of the individual responsible parties.
The point of contact for person affected is the LAYA Solutions GmbH:
LAYA Solutions GmbH
Notwithstanding the foregoing, affected people may exercise their rights with and against each of the joint controllers.
II. Privacy Officer
The following external data protection officer has been appointed for each of the jointly responsible parties:
LAYA Solutions GmbH: firstname.lastname@example.org
LAYA Media GmbH: email@example.com
LAYA Data GmbH: firstname.lastname@example.org
III. Principles of data processing
Personal data is any information relating to an identified or identifiable natural person. This includes, for example, information such as your name, age, address, telephone number, date of birth, e-mail address, IP address or user behavior. Information for which we cannot establish a link to your person (or can only do so with a disproportionate effort), e.g. by anonymizing the information, is not personal data. The processing of personal data (e.g. the collection, retrieval, use, storage or transmission) always requires a legal basis or your consent. Processed personal data will be deleted as soon as the purpose of the processing has been achieved and there are no longer any legally required retention obligations to be met.
If we process your personal data for the provision of certain offers, you could find more information about the specific processes, the scope and purpose of the data processing, the legal basis for the processing and the respective storage period below.
IV. Processing Operations
1. Provision and usage of the website
a. Type and scope of data processing
When you call up and use our website, we collect the personal data that your browser automatically transmits to our server. This information is temporarily stored in a so-called log file and anonymized after the end of the session. A storage of this personal data together with other personal data of the user does not take place. If you use our website, we collect the following personal data that is technically necessary for us to display our website to you and to ensure its stability and security:
- IP address of the requesting computer
- Date and time of access
- Website from which the access is made (Referrer-URL)
- Browser and version used
- Operating system of your computer and the name of your access provider
b. Legal basis
Art. 6 para. 1 p. 1 lit. f GDPR serves as the legal basis for the aforementioned data processing. The processing of the personal data is necessary for the provision of a website and thus serves to protect a legitimate interest of our company.
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
The storage in log files is done to ensure the functionality of the website. In addition, we use the personal data to optimize the website and to ensure the security of our information technology systems. An evaluation of the personal data for marketing purposes does not take place in this context.
c. Storage duration
The personal data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the event of the collection of personal data for the provision of the website, this is the case when the respective session has ended. The collection of personal data for the provision of the website and the storage of personal data in log files is absolutely necessary for the operation of the website. Consequently, you have no right to object. As soon as the aforementioned personal data is no longer required to display the website, it will be deleted. Further storage may take place in individual cases if this is required by law.
If you have any questions or other issues regarding one of the customer programs, please contact the respective GALERIA or SportScheck contact addresses, who will be happy to help you and are the point of contact for all data protection-related inquiries. You can find the relevant contact details at:
If you directly contact us as LAYA Group, we will process your data in order to process your request. In this respect, the following applies:
a. Type and scope of data processing
You have the option to contact us electronically or by mail. For this purpose, the personal data you provide will be transmitted to us or to the responsible department. The following personal data will be processed:
- E-Mail address
- Potentially other personal data contained in the message
People involved in the processing of your data:
- The department responsible for your request in each case
- Potentially our IT service providers within the framework of order processing
- Potentially affiliated companies, insofar as the inquiry relates to them.
b. Legal basis
The legal basis for the processing of personal data is Art. 6 para. 1 p. 1 lit. f GDPR. There is a legitimate interest on our part to answer inquiries that you have sent us via the contact form or via e-mail. Should your request be directed towards the conclusion of a sponsorship or other contract, Art. 6 para. 1 p. 1 lit. b GDPR serves as an additional legal basis.
There is also a legitimate interest within the meaning of Art. 6 (1) p. 1 lit. f GDPR to process personal data during the submission process in order to protect the contact form and our information technology systems.
c. Storage duration
After processing your request, the personal data will be deleted, unless contractual or legal retention periods prevent deletion.
You have the option to object to the processing of personal data at any time. The objection is to be addressed to any of the aforementioned responsible companies. In such a case, your request cannot be processed further. All personal data, stored in the course of contacting, will be deleted in this case, unless contractual or legal retention periods prevent deletion.
V. Transfer of personal data
We will only share your personal data with third parties if:
- you have given your explicit consent to this in accordance with Art. 6 para. 1 p. 1 lit. a GDPR,
- this is legally permissible and necessary for the fulfillment of a contractual relationship with you according to Art. 6 para. 1 p. 1 lit. b GDPR,
- there is a legal obligation to disclose personal data pursuant to Art. 6 (1) sentence 1 lit. c GDPR, or
- the disclosure is necessary in accordance with Art. 6 para. 1 p. 1 lit. f GDPR for the protection of legitimate business interests, as well as for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding legitimate interest in the non-disclosure of your personal data.
Our website contains hyperlinks to websites of other providers. When you activate these hyperlinks, you will be redirected from our website directly to the website of the other provider. You will recognize this, among other things, by the change of URL. We cannot take over any responsibility for the confidential handling of your personal data on these third-party websites, as we have no influence on whether these companies comply with data protection regulations. Please inform yourself about the handling of your personal data by these companies directly on these websites.
VII. Data subject rights
The GDPR gives you as a data subject of a processing of personal data the following rights:
- In accordance with Art. 15 GDPR, you can request information about your personal data processed by us. In particular, you can request information about the processing purposes, the categories of personal data, the categories of recipients to whom your personal data have been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data, if not collected by us, about a transfer to third countries or international organizations, as well as about the existence of automated decision-making, including profiling, and, if applicable, meaningful information about its details.
- Pursuant to Art. 16 GDPR, you may immediately request the correction of any inaccurate personal data concerning you or the completion of your personal data stored by us.
- Pursuant to Art. 17 GDPR, you may request the deletion of your personal data stored by us, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defense of legal claims.
- According to Art. 18 GDPR, you may request the restriction of the processing of your personal data if you dispute the accuracy of the data, the processing is unlawful, we no longer need the data and you object to their deletion because you need them for the assertion, exercise or defense of legal claims. You also have the right under Art. 18 GDPR, if you have objected to the processing in accordance with Art. 21 GDPR.
- Pursuant to Art. 20 GDPR, you may request to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or you may request that it be transferred to another controller.
- In accordance with Art. 7 (3) GDPR, you may revoke your consent at any time. This has the consequence that we may no longer continue the data processing based on this consent for the future.
- In accordance with Art. 77 GDPR, you have the right to complain to a supervisory authority. As a rule, you can contact the supervisory authority of your usual place of residence, your place of work or our company headquarters.
VIII. Right of objection
When your personal data is processed based on legitimate interests pursuant to Art. 6 (1) p. 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for doing so that arise from your particular situation or the objection is directed against direct advertising. In the case of direct advertising, you have a general right of objection, which will be implemented by us without giving specific reasons.
IX. Data security and security measures
We are committed to protecting your privacy and treating your personal data confidentially. To prevent manipulation, loss or misuse of your personal data stored with us, we take extensive technical and organizational security precautions that are regularly reviewed and adapted to technological progress. This includes, among other things, the use of recognized encryption methods (SSL or TLS). However, we would like to point out that, due to the structure of the Internet, it is possible that the rules of data protection and the above-mentioned security measures are not observed by other persons or institutions not within our area of responsibility. In particular, personal data disclosed in unencrypted form, for example by e-mail, can be read by third parties. We have no technical influence on this. It is the user’s responsibility to protect the personal data he or she provides against misuse by encrypting it or in any other way.