Privacy policy for the online store of corporate benefits Vouchers AG 

EU countries, Switzerland 

 

In the following, we provide information about the processing of personal data when using our website. 

Personal data is all data that can be related to you personally, e.g. name, address, email addresses, user behavior. In this way, we would like to inform you about our processing operations and at the same time comply with the legal obligations, in particular those arising from the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DSG) – depending on their applicability. 

 

1. Name and address of the controller and the data protection officer

The controller within the meaning of the EU General Data Protection Regulation (GDPR) and the Swiss Data Protection Act (DPA) is 

corporate benefits Vouchers AG 
Schwanengasse 3 
3011 Berne, Switzerland 
Phone: +41 31 301 3939 
E-mail: privacy@cbv-ag.ch

Country store Spain: 
corporate benefits vouchers Iberica S.L 
Castillo de Fuensaldaña, 4-101 
28232 Las Rozas, Madrid 

For further information on the person responsible, please refer to the imprint of this website (see our imprint

 

2. Contact details of the data protection officer

The data protection officer can be contacted at 

EU countries: 
TÜV Informationstechnik GmbH 
TÜV NORD Group 
IT Security, Business Security & Privacy  
At TÜV 1 
45141 Essen 

Phone 0201 - 8999-461 
Fax 0201 - 8999-666 
E-mail: privacyguard@tuvit.de 

Switzerland: 
corporate benefits Vouchers AG 
Schwanengasse 3 
3011 Berne, Switzerland 

Phone: +41 31 301 3939 
E-mail: privacy@cbv-ag.ch

 

3. General information on data processing 

We collect and process your data exclusively for specific purposes. These may result from technical necessities, contractual requirements or explicit user requests.


3.1 Legal basis for the processing of personal data 

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a GDPR / Art. 4 para. 5 / Art. 13 para. 2 lit. a FADP serves as the legal basis. 

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR / Art. 13 para. 2 lit. a FADP serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. 

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which we are subject, Art. 6 para. 1 lit. c GDPR / Art. 4 para. 3 FADP serves as the legal basis. 

If the processing is necessary to safeguard a legitimate interest of us or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR / Art. 13 para. 1 FADP serves as the legal basis for the processing.


3.2 Data erasure and storage duration 

We comply with our legal obligations to erase personal data even without a specific request from our customers. These obligations arise, among other things, from Art. 17 GDPR, which regulates the right to erasure (“right to be forgotten”). 

However, there is personal data that is exempt from this deletion obligation. In certain cases, we are obliged by other laws to continue to store this data. Such retention obligations arise, for example, from Section 257 of the German Commercial Code (HGB) and Section 147 of the German Fiscal Code (AO). In these cases, we store the data exclusively to fulfill the respective statutory retention obligations. 
After expiry of the legally prescribed retention periods, we will delete, destroy or anonymize the data concerned immediately and without further request.

 

4. Data processing for the provision of the website and log files 

4.1 Description and scope of data processing 

When using the website for information purposes, i.e. simply viewing it without registering and without providing us with any other information, we process the personal data that your browser transmits to our server. The data described below is technically necessary for us to display our website to you and to ensure stability and security and must therefore be processed by us: 

The following data is collected:

  • the operating system 
  • Language and version of the browser software
  • the Internet service provider
  • the IP address of the device 
  • Date and time of access 
  • Time zone difference to Greenwich Mean Time (GMT)
  • Previously visited page 
  • Names of the downloaded files
  • Amount of data transferred 
  • Access status codes (Http status codes)

Server-side log files are processed to protect the website and ensure availability. These logs contain information such as IP addresses and access times in order to detect and ward off attacks (e.g. DDoS) or technical errors. The log data is used strictly for the intended purpose and is deleted after seven days. It is not stored permanently. The log data is analyzed exclusively on the server side, without access to the user's end device. 

To create a customer account, the following mandatory information is collected as part of the registration process:

  • e-mail address (used in combination with the password to log in) 
  • Password (assigned by yourself)

If you visit our online store as a logged-in user from an employee, club or association portal of one of our partner companies, e.g. by clicking on one of our offers there, the partner company will also send us an individual user ID that is assigned to your account. 
For the purposes of fraud prevention, a fingerprint of your device or browser is processed together with the payment data with the help of a processor. This serves to protect you and us in order to prevent misuse of your payment method. 
Depending on the offer or claim, identification data, such as date of birth or photograph, may also be required. 
All other personal details are voluntary. 


4.2 Legal basis for data processing 

The legal basis is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR or Art. 13 para. 1 FADP.


4.3 Purpose of data processing 

Temporary storage of the IP address by the system is necessary to enable delivery of the website and the corresponding content to the user's device. For this purpose, the user's IP address must remain stored for the duration of the session. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. The user ID is required to ensure that you have an account with one of our partner companies and are therefore authorized to access our offers. These purposes also constitute our legitimate interest in data processing.


4.4 Duration of storage 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website and the user ID, this is the case when the respective session has ended. If the data is stored in log files, this is the case after 7 days at the latest.

 

5. E-mail contact and telephone contact 

5.1 Description and scope of data processing 

You can contact us via the e-mail address(es) provided on our website. In this case, the personal data transmitted with the e-mail will be stored and processed. 

You can also contact us using the telephone numbers provided. If you contact us by telephone, we generally collect the data that you provide to us or that is automatically transmitted with your call in the form of call notes. This includes your name, your request and your telephone number. 


5.2 Legal basis for data processing 

The legal basis for the processing of data transmitted in the course of sending a message by e-mail or contact form is Art. 6 para. 1 lit. f GDPR / Art. 13 para. 1 FADP. If the message is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR / Art. 13 para. 2 lit. a FADP. 


5.3 Purpose of data processing 

The processing of personal data serves us to process the contact. This also constitutes the necessary legitimate interest in processing the data. 


5.4 Duration of storage 

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by email or contact form, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified. 

If data is generated in the course of communication that we are obliged to retain or store due to e.g. tax, budgetary or other regulations, it will only be deleted after the respective statutory retention or storage periods have expired. The legal basis for this storage is Art. 6 para. 1 lit. c GDPR / Art. 4 para. 3 FADP. 

 

6. Orders in our online store 

6.1 Description and scope of data processing 

To create a customer account, the following mandatory information is collected as part of the registration process: 

  • e-mail address (used in combination with the password to log in) 
  • Password (assigned by yourself) 

No personal customer account can be created without this data. All other personal details are voluntary. We store your data in your user account. 

When you order vouchers in our online store, we process the data that you transmit to us as part of the respective order. This can be seen from the requested form fields and includes, in particular, name, delivery and billing address (inventory data), payment method and which vouchers were purchased and at what price. 

In order to process your payments, the payment data (such as amount, reference number, payment description, payer) will be forwarded to the relevant payment service providers. 

That is with us: 
Mollie HQ, Keizergracht 126, 1015CW, Amsterdam, The Netherlands. You can find out how Mollie HQ processes your data here https://www.mollie.com/de/privacy 

In addition, we store the following data if you provide it:
- First name
- Surname
- Organisation (only if you are a customer as an organisation and not as a private individual)
- Street and house number
- Postcode
- Town
- Region
- Country
For deliveries, we also store the corresponding delivery addresses, in particular
- First name
- Surname
- Street and house number
- Postcode
- town
- Region
- Country
- Telephone number

We also store the inventory data for your user ID, which our partner company transmits to us when you access our online store from there as a logged-in user. This enables us to recognize you when you visit our online store again via the partner company's website and allows us to display your order history and pre-fill the inventory data in the form fields. 

When generating a voucher code, we store the following personal data to protect against misuse (e.g. commercial resale): 

  • Voucher code 
  • Offer 
  • Company portal where the voucher code is offered 
  • First name 
  • Surname 
  • E-mail address 
  • Time of purchase (date & time) 
  • IP address of the user


6.2 Legal basis for data processing 

The legal basis for the processing of the data is Art. 6 para. 1 lit. b and f GDPR / Art. 13 para. 1 and 2 lit. a FADP. 


6.3 Purpose of data processing and duration of storage 

We use the data of the respective order to process and invoice it. We also store the user ID, your inventory data and the content of your orders in order to be able to display your order history and to relieve you of the need to fill in the form fields again for further orders. 
The aforementioned purposes and the prevention of misuse also constitute our legitimate interest in the processing of data in accordance with Art. 6 para. 1 lit. f GDPR / Art. 13 para. 1 FADP. 

We store the inventory data and your order history in our online store until the end of the third calendar year following your last order. The data will then be deleted from our online store. In addition, we delete data relating to orders at the end of the third calendar year following the respective order. 

The data that we store for the prevention of misuse will be deleted one year after the order. 

After execution, invoicing and payment of an order, we also store the data in our accounting systems for as long as we are obliged to do so due to tax, commercial or other regulations. Only then will the data be permanently deleted. The legal basis for this storage is Art. 6 para. 1 lit. c GDPR / Art. 4 para. 3 FADP. 

 

7.    Cookies 

We use cookies on our website. Cookies are small text files that are automatically stored on your end device. The cookies we use are all deleted again at the end of the browser session, i.e. after you close your browser (so-called session cookies). These cookies are necessary to provide certain technical functions of our website, in particular to ensure that you are continuously recognized by our website as an authorized user during your visit. This is also the purpose of this data processing. The legal basis for this processing is Art. 6 para. 1 sentence 1 lit. f GDPR / Art. 13 para. 1 FADP. 

 

8. Categories of recipients of personal data 

The data required for payment processing is passed on to the respective payment companies. 

For the provision of our website and the contact options offered, the online store, we use various service providers, including host providers, e-mail providers, who process the data stored with them exclusively on our behalf as processors in accordance with Art. 28 GDPR / Art. 10a DSG.


9. Rights of the data subject 

If your personal data is processed, you are a data subject within the meaning of the GDPR and the FADP and you have the following rights vis-à-vis the controller (where applicable, if other requirements set out in the relevant provisions are met):

  • The right to information in accordance with Art. 15 GDPR / Art. 8 DSG 
  • The right to rectification pursuant to Art. 16 GDPR / Art. 15 para. 1 FADP 
  • The right to erasure ("right to be forgotten") pursuant to Art. 17 GDPR / Art. 15 para. 1 FADP 
  • The right to restriction of processing pursuant to Art. 18 GDPR / Art. 15 para. 1 FADP 
  • The right to information pursuant to Art. 19 GDPR (not provided for under the FADP) 
  • The right to data portability pursuant to Art. 20 GDPR (not provided for under the FADP) 
  • The right not to be subject to an automated decision pursuant to Art. 22 GDPR (not provided for under the FADP) 
  • The right to withdraw consent to the processing of personal data in accordance with Art. 7 para. 3 GDPR / Art. 4 para. 5 FADP

To assert these rights, please use the contact details provided. 

Without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR or the DPA. 

 

10. Right of objection 

Insofar as we process personal data as explained above in order to safeguard our legitimate interests, which predominate in the context of a balancing of interests, you can object to this processing with effect for the future, but only if there are reasons arising from your particular situation. If the processing is carried out for direct marketing purposes, you can exercise this right at any time, even if there are no grounds. 

After you have legitimately exercised your right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if the processing serves the establishment, exercise or defense of legal claims. This restriction does not apply if the processing is carried out for direct marketing purposes. 

 

Berne, December 2024 
corporate benefits Vouchers AG