Data privacy statement

Data protection is a matter of trust, and we highly value your trust in us. In order to ensure safe handling of your personal data, we strictly observe all legal provisions and would like to inform you about how we collect and use data. The following data privacy statement tells you what data we collect and to which purpose, and how we process these data.

I. Name and address of the controller LEDON GmbH is the controller within the meaning of the General Data Protection Regulation (GDPR) and other data protection provisions. You can contact us as follows:

LEDON GmbH

Morgenstraße 11

6890 Lustenau

Austria

Tel.: +43 (0) 5577 21550

E-mail: datenschutz@ledon.at

Website: www.ledon.at

II. General information on data processing Scope of processing of personal data

Basically, we process personal data only to the extent this is required to provide an operational website as well as our contents and services. Personal data is processed on a regular basis with the consent of the data subject only. The only exception is when it is not possible to obtain prior consent for practical reasons and when processing data is permitted by law.

Legal basis for processing personal data

To the extent that we obtain consent from data subjects when processing their personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data required in order to fulfil a contract, where the contractual party is the data subject, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to data processing operations required in order to carry out pre-contractual measures.

To the extent that personal data must be processed in order to fulfil a legal obligation with which our company must comply, Article 6(1)(c) of the GDPR serves as the legal basis.

If personal data must be processed due to the vital interests of the data subject or another natural person, Article 6(1)(d) of the GDPR serves as the legal basis.

If personal data must be processed in order to safeguard the legitimate interests of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not override the aforementioned legitimate interests, Article 6(1)(f) of the GDPR serves as the legal basis for such processing.

Data erasure and storage period

The data subject’s personal data will be erased or blocked once the purpose for which they were stored has lapsed. Data may be stored if this is provided for by European or national legislators in Union regulations, laws or other legislation with which the controller must comply. Data will also be blocked or erased if a storage period provided by the standards referred to lapses, unless it is required for the data to remain stored in order to conclude or fulfil a contract.

III. Provision of the website and generation of log files Description and scope of data processing

Every time our website is viewed, our system automatically collects data and information from the accessing computer’s system.

This includes the following data:

(1) The type and version of the browser used

(2) The user’s operating system

(3) The user’s Internet service provider

(4) The user’s IP address

(5) Date and time of access

(6) Websites from which the user’s system reaches our website

(7) Websites accessed via our website by the user’s system

These data are also stored in our system’s log files. These data will not be stored together with other personal data relating to the user.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Article 6(1)(f) of the GDPR.

Purpose of data processing

The system needs to temporarily store the IP address in order for the user’s computer to be able to access the website. The user’s IP address needs to be stored for the duration of the session.

The log files are stored in order to ensure proper functioning of the website. In addition, we use the data to optimise the website and ensure the safety of our IT systems. In this context, the data will not be analysed for marketing purposes.

Our legitimate interest in data processing in accordance with Article 6(1)(f) of the GDPR is based on these purposes.

Storage period

The data will be erased once they are no longer required for the purpose for which they were collected. As regards data collected for the provision of the website, this purpose ends at the same time as the Internet session.

As regards the data stored in log files, this is the case no later than after seven days. Storage for a longer period may be possible. In this case, the IP addresses of the users are erased or modified, so that it is no longer possible to allocate the accessing client.

Opt-out and removal

It is essential to collect data to provide the website and store the data in log files in order for the website to operate correctly. Therefore the user does not have an opt-out option.

IV. Use of cookies a) Description and scope of data processing

Our website uses cookies. Cookies are text files stored in the Internet browser or on the user’s computer system by the Internet browser. When a user views a website, a cookie may be stored on the user’s operating system. This cookie contains a character string that clearly identifies the browser next time the website is viewed.

We use cookies to make our website more user-friendly. For some elements of our website it is required for the accessing browser to be identified even after switching to another page.

The following data will be stored in and transferred with cookies:

(1) Language settings

(2) Articles placed in a shopping cart

(3) Log-in information

On our website we also use cookies that allow us to analyse the users’ surfing behaviour.

The following data may be transferred in this manner:

(1) Search terms entered

(2) Frequency of page views

(3) Making use of website functions

The user data collected in this manner will be pseudonymised by technical means. Hence, it will no longer be possible to allocate the data to the accessing user. The data will not be stored together with other personal data of users. When accessing our website, an information banner will inform the users about the use of cookies for analytical purposes and reference to this data privacy statement will be made. In this context, it will be explained how the storage of cookies can be blocked in the browser settings.

When accessing our website, users will see an info banner informing them about the use of cookies for analytical purposes, and their consent to their personal data used in this context being processed will be obtained. In this banner, reference to this data privacy statement will also be made.

b) Legal basis for data processing

The legal basis for processing personal data using cookies required for technical reasons is Article 6(1)(f) of the GDPR. The legal basis for processing data using cookies for analytical purposes with consent being granted by the user is Article 6(1)(a) of the GDPR.

c) Purpose of data processing

The purpose of using cookies required for technical reasons is to make it easier for users to use a website. Some functions of our website cannot be offered without the use of cookies. These functions require the browser to be recognised also after switching to another page.

We require cookies for the following applications:

(1) Shopping cart

(2) Adopting language settings

(3) Remembering keywords

User data collected via cookies required for technical reasons will not be used for creating user profiles.

Analytical cookies are used for the purpose of improving the quality of our website and its contents. Analytical cookies inform us about the way the website is used, so that we can optimise our offer on an on-going basis.

Our legitimate interest in processing personal data in accordance with Article 6(1)(f) of the GDPR is based on these purposes.

d) Storage period, opt-out and removal

Cookies are stored on the user’s computer and sent by the latter to our website. Therefore you, as the user, have full control over how cookies are used. By changing the settings in your browser, you can disable or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, you may not be able to use some of the website’s functions and they may not work fully.

V. Newsletter Description and scope of data processing

You may subscribe to a free newsletter on our website. In this case, the data entered in the newsletter subscription screen will be sent to us.

(1) E-mail

(2) First name

(3) Surname

(4) Company, if any

In addition, the following data will be collected during subscription:

(1) Date and time of registration

In the context of the subscription process, you will be asked to consent to the data being processed (double opt-in process) and reference will be made to this data privacy statement.

In the context of data processing required to send newsletters, such data will not be passed on to third parties, but only be used for sending the newsletter.

For sending the newsletter, the newsletter service eboxx® info letter system is used.

This tool provides us with the details you enter into the dialog box, but we do not collect any further personal data from you. If you want to unsubscribe from the newsletter, you may do so using the “Unsubscribe newsletter” link in the newsletter.

Legal basis for data processing

The legal basis for processing data following subscription to the newsletter by the user with consent being granted by the user is Article 6(1)(a) of the GDPR.

Purpose of data processing

The user’s e-mail address is collected in order to deliver the newsletter. The collection of other personal data in the context of the subscription process serves to prevent misuse of the services or the e-mail address used.

Storage period

The data will be erased once they are no longer required for the purpose for which they were collected. The user’s e-mail address will thus be stored for the period of time the newsletter subscription is active. After unsubscription from the newsletter, no more information will be sent to the user automatically. The user’s data will remain stored until the user requires their manual erasure from the distribution list.

Opt-out and removal

Users may cancel their subscription to the newsletter at any time. Every newsletter includes a “Unsubscribe newsletter” link for this purpose. This allows users to withdraw their consent to storage of the personal data collected during the subscription process. This withdrawal will be effected manually upon the user’s additional request.

VI. Contact form and e-mail contact Description and scope of data processing

Our website includes a contact form that may be used to contact us electronically. If a user chooses this option, the data entered in the contact screen will be sent to and stored by us. This includes the following information:

(1) First name

(2) Surname

(3) E-mail

(4) Telephone number

(5) Company, if any

(6) Department / function, if any

(7) Message text

At the time the message is sent, the following data will also be stored:

(1) Date and time of contact request

In the context of sending the message, you will be asked to consent to the data being processed.

Alternatively, you may contact us via the e-mail address provided. In this case, the user’s personal data transmitted in the e-mail will be stored. These data will not be passed on to third parties. They will only be used to process the e-mail conversation.

Legal basis for data processing

The legal basis for processing data with consent being granted by the user is Article 6(1)(a) of the GDPR.

The legal basis for processing data transmitted in an e-mail is Article 6(1)(f) of the GDPR. If the purpose of the e-mail contact is to conclude a contract, then the additional legal basis for processing the data is Article 6(1)(b) of the GDPR.

Purpose of data processing

We use the personal data entered in the contact screen only for handling the contact request. If contact is requested by e-mail, the legitimate interest required in order to process the data is also based on this request. All other personal data processed during the sending process are used to prevent misuse of the contact form and ensure the security of our IT systems.

Storage period

The data will be erased once they are no longer required for the purpose for which they were collected. For personal data entered into the contact form screen and those sent by e-mail, this will be the case when the conversation with the user has finished. The conversation is deemed to be finished when it can reasonably be understood from the circumstances that the matter in question has been conclusively settled.

Opt-out and removal

Users may withdraw their consent for their personal data to be processed at any time. If users contact us by e-mail, they can object to their personal data being stored at any time. However, if this is the case, the conversation cannot be continued. The consent to the processing of personal data and the storage of personal data may be withdrawn in writing by e-mail sent to datenschutz@ledon.at. All personal data stored in the context of the contact request will then be erased.

VII. Web analysis Scope of processing of personal data

We use Google Analytics, a web analysis service of Google Inc. (“Google”). Google uses cookies. As a rule, the information generated by the cookie regarding the use of the online content by the users is transferred to and stored on a server operated by Google in the USA.

Google will use this information on our behalf to analyse the use of our online content by the users, to compile reports on the activities within the scope of this online content, and to provide to us additional services associated with the use of this online content and the use of the Internet in general. In the process, the processed data may be used to generate pseudonymous usage profiles of the users.

We use Google Analytics only with IP anonymisation enabled. That means that the user’s IP address will be truncated by Google within the member states of the European Union or in other signatories of the treaty on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the USA to be truncated there. The IP address sent by the user’s browser will not be combined with any other Google data.

Users can also prevent the storage of cookies by choosing appropriate settings in their browser software; in addition, users may prevent the transmission of the data generated by the cookie and relating to their use of the online content to Google as well as the processing of such data by Google by downloading and installing the browser plug-in available at the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

For more information on the use of data for advertising purposes by Google, on settings and withdrawal options, please see the Google websites:

https://www.google.com/intl/de/policies/privacy/partners/

(“How Google uses information from sites or apps that use our services”),

http://www.google.com/policies/technologies/ads

(“How Google uses data in advertising”),

http://www.google.de/settings/ads

(“How to manage information used by Google to show you advertisements”) and

http://www.google.com/ads/preferences/

(“How you can control which advertisements Google shows you”)

The software stores a cookie on the user’s computer (for cookies see above). If individual pages of our website are viewed, the following data will be stored:

(1) Two bytes of the IP address of the accessing system of the user

(2) The viewed website

(3) The website from which the user has accessed the website that is viewed (referrer)

(4) The subpages that are accessed from the website that is viewed

(5) The time spent on the website

(6) The frequency the website is viewed with

The software runs exclusively on the servers of our website. The personal data of users will only be stored there. No data will be passed on to third parties.

The software settings ensure that the IP addresses will not be stored in full, but that 2 bytes of the IP address will be masked (for instance, 192.168.xxx.xxx). Hence, it will no longer be possible to allocate the truncated IP address to the accessing computer.

Legal basis for processing personal data

The legal basis for processing personal data of users is Article 6(1)(f) of the GDPR.

Purpose of data processing

By processing our users’ personal data, we are able to analyse their surfing behaviour. By analysing the data obtained, we are able to collect information about the usage of the individual components of our website. This helps us to improve our website and its user-friendliness on an on-going basis. Our legitimate interest in processing personal data in accordance with Article 6(1)(f) of the GDPR is also based on these purposes. By anonymisation of the IP address, the users’ interest in the protection of their personal data is sufficiently taken account of.

Storage period

The data will be erased once they are no longer required for our recording purposes. This will be the case three years after they have been collected at the latest.

Opt-out and removal

Cookies are saved on the user’s computer and sent by the latter to our website. Therefore you, as the user, have full control over how cookies are used. By changing the settings in your browser, you can disable or restrict the transfer of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, you may not be able to use some of the website’s functions and they may not work fully.

On our website, we offer our users an opt-out option relating to the analysis procedure. For this purpose, just follow the link at http://tools.google.com/dlpage/gaoptout?hl=de. Then another cookie will be stored on your system that tells our system not to store the data of that user. If this cookie is deleted from the user’s system at some point in time, the opt-out cookie must be set again.

For more detailed information on the privacy settings, please click the following link: https://myaccount.google.com/privacy

VIII. E-Commerce Scope of processing of personal data

Please note that in order to facilitate shopping in our webshop and for the purpose of later implementation of the contract, the IP data of the address owner will be stored by the webshop operator using cookies. We use personal data in individual cases for processing orders, delivering goods, verifying creditworthiness and implementing payments, in order to prevent misuse of our website.

Legal basis for processing personal data

Data will be processed based on the legal provisions of Section 96(3) TKG [Austrian Telecommunications Act] and Art. 6(1)(a) (consent) and/or (b) (required for performance of a contract) of the GDPR.

Purpose of data processing

For the purpose of implementing contracts, the following personal data will be stored by us:

(1) E-mail

(2) First name

(3) Surname

(4) Billing address

(5) Delivery address, if deviating from above

(6) Contact person, if any

(7) Optional e-mail address for copy of order/invoice, if any

The data provided by you are required for contract performance and/or for implementing pre-contractual measures. Without these data, we will not be able to conclude a contract with you. No data will be transmitted to third parties, except for the transmission of credit card data to implementing banks / payment service providers for the purpose of transferring the purchase price, to the shipping/mail-order company commissioned by us with delivering the goods and to our tax consultant to comply with our obligations in terms of tax law.

Storage period

In the event that a contract is concluded, all data arising from the contractual relationship will be stored until expiry of retention period under tax law (7 years). The data involving name, address, purchased goods and date of purchase will be stored until expiry of product liability (10 years).

Passing on personal data to third parties

Within the scope of contract conclusion and for handling orders, we will pass on personal data to service providers. This is mainly required for packaging and dispatch of products ordered, for processing returns and for accounting purposes. The data passed on in this manner may be used by the contractors commissioned by us only for the purpose of performing their tasks. They are not permitted to use this information in any other way.

Moreover, we pass on personal data to business information service providers in order to verify the financial standing and creditworthiness of individuals by checking address and creditworthiness data stored in their databases. We perform checks for creditworthiness in order to exclude problems associated with payment transactions. Thus, data exchange between us and the business information service providers will protect us from financial losses.

We commission external payment service providers to handle payment transactions. If, within the scope of the ordering process, you have decided to buy goods from us via one of the payment service providers, you have consented to us passing on your personal data required for implementing the purchase associated with your order to the payment service provider in question. Such data will be transmitted so as to allow the payment service provider to conduct identity and creditworthiness checks in order to process your purchase in the manner requested by you. If necessary, the payment service provider will pass on personal data to affiliated companies and service providers or subcontractors, to the extent this is required to fulfil contractual obligations or data must be processed within the scope of an order. Data subjects are entitled to withdraw their consent to their personal data being handled by the payment service provider at any time. Such withdrawal shall not apply to personal data that must necessarily be processed, used or transmitted for handling payment transactions (in accordance with the contract). Of course, you may obtain information about your personal data stored by the payment service provider at any time. If so desired by you as the buyer or if you want to communicate any changes with regard to the data stored, you may directly contact the payment service provider in question.

When it comes to initiating and implementing collection proceedings, we will hand over to a licenced collection company the address data of the customer as well as any order, delivery and billing data associated with the outstanding invoice.

Right to access information, opt-out and removal

Basically, you are entitled to access information, rectification, erasure, restriction of processing, data portability, withdrawal and revocation. If you believe that the processing of your personal data is in violation of data protection legislation or that your data protection rights have been infringed in any other way, you may lodge a complaint with the data protection authority of your country.

IX. Rights of the data subject If personal data regarding you are processed, you are the data subject as defined in the GDPR and you have the following rights vis-à-vis the controller:

Right to access

You may request confirmation from the controller of whether personal data regarding you are processed by us.

If this is the case, you may request the following information from the controller:

(1) the purposes for which the personal data are processed;

(2) the categories of personal data that are processed;

(3) the recipients and/or categories of recipients to whom your personal data have been or will be revealed;

(4) the intended storage period of the personal data concerning you or, if this cannot be specified, the criteria for determining the storage period;

(5) that you have the right to request your personal data to be rectified or erased, to limit the amount of processing by the controller or to withdraw your consent to your data being processed;

(6) the existence of a right to lodge a complaint with a supervisory authority;

(7) all available information about the source of the data, if the personal data were not collected from the data subject;

(8) that there is automated decision-making including profiling pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, significant information about the logic involved and the significance, as well as the envisaged consequences of this processing for the data subject.

You have the right to request information about whether your personal data have been transferred to a third country or international organisation.

Right to rectification

You have a right to ask the controller to rectify and/or complete processed personal data concerning you that are inaccurate or incomplete.

Right to restriction of processing

You can request restriction of processing of personal data concerning you if one of the following conditions applies:

(1) if you contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you reject the erasure of the personal data and request the restriction of their use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defence of legal claims, or

(4) you have objected to processing pursuant to Article 21(1) of the GDPR pending verification of whether the legitimate grounds of the controller override yours.

If the processing of the personal data concerning you was restricted, such data, with the exception of storage, can only be processed with your consent or for the establishment, exercise or defence of legal claims or to defend the rights of another natural or legal person or for reasons of important public interest of the Union or a member state. If processing was restricted under the conditions mentioned above, you will be informed by the controller before the restriction of processing is suspended.

Right to erasure

a) Right to be forgotten

You have the right to request from the controller erasure of your personal data without undue delay and the controller is obliged to erase these data without undue delay if one of the following reasons applies:

(1) Your personal data are no longer required for the purposes for which they were collected or otherwise processed.

(2) You withdraw your consent on which the processing was based according to Article 6(1)(a) or Article 9(2)(a) of the GDPR and there is no other legal basis for processing.

(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.

(4) The personal data concerning you have been unlawfully processed.

(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union law or the law of a member state by which the controller is governed.

(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Information to third parties

If the controller has made the personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase them, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers processing the personal data that you as the data subject have requested erasure by such controllers of any links to, or copy or replication of, such personal data.

c) Exceptions

The right to erasure does not exist if processing is necessary

(1) to exercise the right of freedom of expression and information;

(2) for compliance with a legal obligation which requires processing by Union or member state law by which the data controller is governed or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(3) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR to the extent that the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

(4) for the establishment, exercise or defence of legal claims.

Right to notification

If you have exercised your right to request from the controller the rectification, erasure or restriction of processing, the controller shall communicate any rectification or erasure of data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to request to be informed by the controller about these recipients.

Right to data portability

You have the right to receive personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if

(1) the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and

(2) the processing is carried out by automated means.

In exercising this right you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This must not affect the freedoms and rights of others.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right to object, for reasons relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) of the GDPR.

The controller will no longer process the personal data concerning you unless the data controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to processing of personal data concerning you for such marketing.

Right to withdraw consent under data protection law

You have the right to withdraw your consent under data protection law at any time. By withdrawing the consent, the lawfulness of the consent-based data processing effected until the withdrawal shall not be affected.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy in accordance with Article 78 of the GDPR.