Data Privacy Statement
I. Joint controllers and scope
The joint controllers bearing responsibility for the operation of this website within the meaning of the EU General Data Protection (hereinafter referred to as GDPR) and other national data protection laws of the Member States as well as other data protection regulations are:
LAYA Solutions GmbH
LAYA Data GmbH
LAYA Media GmbH
The joint controllers are the affiliated companies. Each of the controllers offers services that are used by other companies (our customers). The respective controllers cover different sectors so that it may be expedient for customers to use services provided by each of the joint controllers at the same time. For this reason, the joint controllers have decided to maintain a joint website and presence.
The joint controllers also aim to afford transparency in relation to the marketing campaigns conducted on behalf of customers. Within the context of these marketing campaigns, they therefore wish to provide data subjects with a platform offering information on the activities of the individual controllers.
The contact for data subjects is LAYA Solutions GmbH:
LAYA Solutions GmbH
Notwithstanding this, data subjects may exercise their rights in respect of and against each of the joint controllers.
II. Data protection officer
A Data Protection Officer has been appointed for each of the jointly responsible parties. You can contact the Data Protection Officer at the above postal address with the addition “The Data Protection Officer” or by e-mail at:
LAYA Solutions GmbH: firstname.lastname@example.org
LAYA Media GmbH: email@example.com
LAYA Data GmbH: firstname.lastname@example.org
III. Data processing principles
Personal data are any information relating to an identified or identifiable natural person. This includes information such as your name, age, address, telephone number, date of birth, e-mail address, IP address and user behaviour. Information that cannot (or only by expending a disproportionate amount of effort) be related to your person such as anonymised information, are not deemed personal data. The processing of personal data (including collection, querying, usage, storage and transmission) shall always be subject to legal basis or your consent. Processed personal data shall be deleted as soon as the purpose of the processing has been achieved and any prescribed legal retention obligations are no longer constituted.
If we process your personal data for the provision of certain services, we shall inform you in the following of the specific processes, the scope and purpose of data processing, the legal basis for the processing, and the respective retention period.
IV. Individual processing operations
1. Provision and usage of the website
a. Nature and scope of data processing
When you access and use our website, we collect the personal data that your browser automatically transfers to our server. This information is temporarily stored in a so-called log file and is anonymised at the end of the session. This personal data is not stored together with any other of the user’s personal data. When you use our website, we collect the following personal data that we require for technical reasons in order to display our website to you and to ensure its stability and security:
- IP address of the requesting computer
- Date and time of access
- Website from which the access is made (referrer URL)
- Browser used and version used
- The operating system of your computer and the name of your access provider
b. Legal basis
Article 6 (1) f) GDPR serves as legal basis for the said data processing. Processing of the said personal data is necessary for the provision of a website and therefore serves to protect the legitimate interest of our company.
The temporary storage of the IP address by the system is necessary in order to enable the website to be accessed by the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.
Log files are stored in order to ensure the functionality of the website. In addition, the personal data helps us to optimise the website and to ensure the security of our information technology systems. The evaluation of personal data for marketing purposes does not take place within this context.
c. Retention period
Personal data shall be deleted as soon as they are no longer necessary for the purpose of their collection. In case of the collection of personal data for the provision of the website, this shall be when the respective session has ended. The collection of personal data for the provision of the website and the storage of personal data in log files is essential to the operation of the website. As such, you therefore have no right of objection. As soon as the said personal data are no longer required to display the website, they are deleted. Storage may be continued in individual cases should this be required by law.
If you have any questions or other inquiries about a bonus scheme, please contact the listed GALERIA or SportCheck contact addresses. They will be happy to assist you and are your contact for all privacy inquiries relating to the respective programme. The relevant contact details are listed below:
If you contact us directly, we will process your data in order to deal with your inquiry. The following applies in this respect:
a. Nature and scope of data processing
We offer you a contact form on our website which you can use to contact us by electronic means. The personal data you enter in the form shall be passed on to us or the relevant department. If you use the contact form, we will process the following personal data provided by you:
- E-mail address
- First and last name
- Any other personal data contained in the message
The following parties are involved in the processing of your data:
- The department responsible for your inquiry;
- Possibly our IT service providers within the scope of commissioned data processing;
- Possibly affiliated companies should the inquiry concern them.
b. Legal basis
The legal basis for processing the personal data is constituted by Article 6 (1) f) GDPR. We hold a legitimate interest in answering any queries you have sent to us via the contact form or e-mail. If your inquiry is in connection with the conclusion of a business partnership or another agreement, a further legal basis is constituted by Article 6 (1) b) GDPR.
An additional legitimate interest is constituted within the meaning of Article 6 (1) f) GDPR in order to protect the contact form and our IT systems during the personal data transmission process.
c. Retention period
After processing your inquiry, your personal data shall be deleted unless deletion is precluded by contractual or legal retention periods.
You have the possibility of objecting to the processing of your personal data at any time. You must lodge your objection with one of the aforementioned controllers. In this event, your inquiry cannot be processed further. All personal data stored in the course of the communication shall be deleted in this case unless deletion is precluded by contractual or legal retention periods.
V. Passing on personal data
We shall only pass on your personal data to third parties if:
- You have given your express consent in accordance with Article 6 (1) a) GDPR
- This is legally permissible and is necessary for the fulfilment of a contractual relationship with you in accordance with Article 6 (1) b) GDPR,
- In accordance with Article 6 (1) c) GDPR, a legal obligation to pass on personal data is constituted or
- in accordance with Article 6 (1) f) GDPR, passing on your personal data is necessary to protect legitimate business interests, as well as for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding legitimate interest in your personal data not being passed on.
Our website contains so-called hyperlinks to the websites of other providers. On activating these hyperlinks, you will be redirected from our website directly to the website of the other providers. This can be detected by the change of URL. We cannot accept responsibility for the confidential handling of your personal data on these third-party websites, because we have no influence on the compliance of these companies with the data protection regulations. Please refer to the websites of these companies for information on how they handle your personal data.
VII. Data subject rights
Under the GDPR, as a data subject you hold the following rights in relation to the processing your personal data:
- In accordance with Article 15 GDPR, you may request information about our processing of your personal data. In particular, you may request information on the processing purposes, the categories of personal data, the categories of recipients to whom your personal data has been or shall be disclosed, the planned retention period, entitlement to a right to rectification, deletion, restriction of processing or objection, entitlement to a right of complaint, on the origin of your data insofar as they were not collected by us, on transmission to third countries or to international organisations as well as information about automated decision making including profiling and, if necessary, significant information relating to the details thereof.
- In accordance with Article 16 GDPR, you may request the correction of any inaccurate data concerning you or the completion of your personal data stored by us without delay.
- • In accordance with Article 17 GDPR, you may request the deletion of your personal data stored with us, providing that processing is not required for the exercise of the right to freedom of expression and information, for the fulfilment of a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims.
- In accordance with Article 18 GDPR, you may request that the processing of your personal data is restricted in the case that you dispute its correctness, processing is unlawful, we no longer required the data and you refuse to have them deleted because you need them for the assertion, exercise or defence of legal claims. You are also entitled to the right under Article 18 GDPR if you have lodged an objection to processing in accordance with Article 21 GDPR.
- In accordance with Article 20 GDPR, you may require us to provide you with the personal data that you have given us in a structured, commonly used and machine readable format or you may request us to transmit this data to another controller.
- In accordance with Article 7, 3 GDPR, you may revoke your consent to us at any time. Consequently, we may no longer continue with the processing of your personal data based on this consent in the future.
- In accordance with Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority. You may generally apply to the supervisory authority at your usual place of residence, at your place of work or at our company headquarters.
VIII. Right of objection
In the processing of your personal data on the basis of legitimate interests in accordance with Article 6 (1) f) GDPR, in accordance with Article 21, you have the right to lodge and objection to the processing of your personal data providing that reasons are constituted arising from your particular situation or from your objection to your personal data being used for direct marketing purposes. In case of direct marketing, you have a general right of objection that shall be implemented by us without you giving any special reasons.
IX. Data security and security measures
We pledge to protect your privacy and to treat your personal data confidentially. In order to avoid any manipulation, loss or misuse of your personal data stored by us, we take extensive technical and organisational security measures which are checked regularly and adapted in line with technological advances. This also includes the use of recognised encryption methods (SSL or TLS). However, we should like to point out that due to the structure of the internet it is possible that data protection rules and aforementioned security measures are not observed by other persons or institutions who are not subject to our sphere of responsibility. In particular, personal data passed on in unencrypted form via e-mail, for example, can be read by third parties. We have no technical control over this. It is the responsibility of the user to protect the personal data provided by them from misuse by encryption or other means.