As of October 2021
- Responsible and contact
The controller of the processing of your personal data in connection with the purchase of vouchers by corporate customers and when visiting this website within the meaning of the General Data Protection Regulation (GDPR) is
Gymondo GmbH (hereinafter "Gymondo")
Our data protection team will be happy to receive questions and suggestions on this subject at the e-mail address firstname.lastname@example.org. We expressly point out that messages sent to this e-mail address are not read exclusively by our data protection officer. If you wish to exchange confidential information, please therefore first contact the data protection officer directly via this e-mail address.
- Collection, processing and use of personal data
We offer companies the opportunity to purchase training vouchers for employees in our online store.
For this purpose, you provide your contact information such as first name and last name, business e-mail address, telephone number, company name, tax number and payment information as part of the ordering process. In the further course, we may collect, process and use your provided personal data for the purpose of establishing the corresponding contract, for contract execution and processing as well as for billing purposes. The legal basis for the aforementioned data processing is Art. 6 para. 1 lit. b GDPR. The data will be stored for the duration of the business relationship.
2.2 Contract management and billing
We process the data required within the scope of the contractually owed scope of services, in particular for the implementation of business relationships, for the conclusion of contracts, for the processing of orders, for deliveries or services.
In the context of billing, we collect information on offers, orders, services rendered and invoice items as well as information on bank details. Contact data may also be processed in the process. The legal basis is Art. 6 para. 1 lit. b GDPR. The data will be stored for the duration of the business relationship, but at least as long as it is necessary for the legal and accounting obligations.
2.3 Controlling and Reporting
We also use your information on orders, services rendered and invoice items for internal cost and performance accounting, controlling and internal reporting, which serves our corporate management and planning. The legal basis for this is Art. 6 para. 1 lit. f GDPR.
2.4 Log files
Whenever you use the Website, certain information is automatically transmitted by your Internet browser and stored by us in so-called log files.
The log files are stored by us exclusively for the determination of faults and for security reasons (e.g. for the clarification of attack attempts) for 7 to 10 days and then deleted. Log files whose further storage is required for evidentiary purposes are exempt from deletion until the final clarification of the respective incident and may be passed on to investigating authorities in individual cases. This data processing is carried out to protect our legitimate interests on the basis of Art. 6 para. 1 lit. f GDPR.
In particular, the following information is stored in the log files:
- Shortened IP address (Internet Protocol address) of the end device from which the online offer is accessed;
- Internet address of the website from which the online offer was accessed (so-called origin or referrer URL);
- Name of the service provider through which access to the online offer is made;
- Name of the retrieved files or information;
- Date and time and duration of the retrieval;
- Operating system and information about the Internet browser used, including installed add-ons (e.g. for Flash Player);
- HTTP status code (e.g. "request successful" or "requested file not found").
- Disclosure of data to third parties; service providers
In principle, only we process the personal data collected from you. A transfer to third parties only occurs if we are legally obliged to do so (Art. 6 para. 1 lit. c GDPR) or to protect your or our interests (Art. 6 para. 1 lit. f GDPR) or to fulfill our contractual obligations (Art. 6 para. 1 lit. b GDPR), for example by involving external service providers as well as consultants and auditors.
External service providers are bound by instructions and receive your data only to the extent and for the period required for the provision of services. Agreements are always concluded with external consultants and auditors, which ensure the confidentiality of all information.
Your data may be passed on to the following recipients in particular: Group companies, IT service providers (e.g. for customer data management or for newsletter dispatch), subcontractors (e.g. in the performance of services contractually agreed with you), disposal service providers, authorities and agencies, banks.
If these service providers process your data outside the European Union, this may result in your data being transferred to a country with a lower data protection standard than in the European Union (so-called third country). In this case, Gymondo will ensure that the service providers concerned guarantee an equivalent level of data protection by contract or otherwise (for example, by concluding Standard Contractual Clauses). Alternatively, Gymondo relies on one of the exceptions under Art. 49 GDPR for data transfers to third countries.
For the provision of our online store, we use the service provider Shopify International Limited, 2nd Floor, 1-2 Victoria Buildings Haddington Road, Dublin 4, D04 XN32, Ireland ("Shopify") on the basis of commissioned data processing. When you create a user account or make a purchase in our Corporate Health webshop, this data is processed on Shopify's servers.
3.2 Disclosure of data to credit institutions and payment service providers
We use the payment service provider "Shopify Payments" for payment processing if you have chosen a payment method offered via Shopify Payments. Payments can be processed through the following payment providers in addition to the credit card option:
- PayPal (Europe) S.a r.l. and Cie, S.C.A., 22-24 Boulevard Royal, 2449 Luxembourg, Luxembourg ("PayPal"). For more information, please see the Privacy Statement from PayPal.
- Apple Pay, Apple Inc. One Apple Park Way, Cupertino, California, USA, 95014 ("Apple Pay"). For more information, please see the Privacy Notice from Apple on Apple Pay.
- Google Pay, Google Payment Ireland Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland ("Google Pay"). For more information, please see the Google Pay or Payments privacy notices and Google's privacy notice.
- Duration of storage; retention periods
We store your data for as long as is necessary for the provision of our online offer and the associated services or as long as we have a legitimate interest in the continued storage. In all other cases, we delete your personal data with the exception of data that we must retain in order to comply with contractual or statutory (e.g., tax or commercial) retention periods (e.g., invoices). Contractual retention periods may also result from contracts with third parties (e.g. owners of copyrights and ancillary copyrights).
We block data that is subject to a retention period until the expiration of the period.
- Your Rights
6.1 How can you exercise your rights?
Please use the information in the "Responsible and Contact" section to assert your rights. In doing so, please ensure that we are able to uniquely identify you.
Alternatively, to correct the data you provided during registration or for your advertising objection, you may also use the settings options in your user account.
Please note that your data will initially only be blocked if the deletion is opposed by retention periods.
6.2 Your rights of access and rectification
You may request that we confirm whether we are processing personal data relating to you and you have a right of access in respect of your data that we are processing. If your data is inaccurate or incomplete, you may request that your data be corrected or completed. If we have disclosed your data to third parties, we will inform them of the rectification to the extent required by law.
6.3 Your right to erasure
You may, if the legal requirements are met, request that we delete your personal data immediately. This is particularly the case if
- your personal data are no longer needed for the purposes for which they were collected;
- the legal basis for the processing was solely your consent and you have revoked it;
- you have objected to the processing for advertising purposes ("advertising objection");
- you have objected to processing based on the legal basis of balancing interests on personal grounds and we cannot demonstrate that there are overriding legitimate grounds for processing;
- your personal data have been processed unlawfully; or
- your personal data must be erased in order to comply with legal requirements.
If we have disclosed your data to third parties, we will inform them of the deletion to the extent required by law.
Please note that your right to erasure is subject to limitations. For example, we do not have to or are not allowed to delete data that we still have to retain due to legal retention periods. Also, data that we need to assert, exercise or defend legal claims are excluded from your right to delete.
6.4 Your right to restrict processing
You may, if the legal requirements are met, request us to restrict processing. This is particularly the case if
- the accuracy of your personal data is contested by you, and then until we have had the opportunity to verify the accuracy;
- the processing is not lawful and you request restriction of use instead of erasure (see the previous section for this);
- we no longer need your data for the purposes of processing, but you need it to assert, exercise or defend your legal claims;
- you have objected on personal grounds, and then until it is determined whether your interests are overridden.
When there is a right to restrict processing, we mark the data concerned to ensure in this way that it will only be processed within the narrow limits that apply to such restricted data (namely, in particular, for the defense of legal claims or with your consent).
6.5 Your right to data portability
You have the right to obtain personal data that you have given us for the performance of a contract or based on consent, in a transferable format. In this case, you may also request that we transfer this data directly to a third party, insofar as this is technically feasible.
6.6 Your right to withdraw consent
If you have given us consent to process your data, you may revoke this consent at any time with effect for the future. The legality of the processing of your data until the revocation remains unaffected.
6.7 Your right to object to direct marketing
You may also object at any time to the processing of your personal data for advertising purposes ("advertising objection"). Please take into account that for organizational reasons there may be an overlap between your revocation and the use of your data in the context of an already running campaign.
6.8 Your right to object on personal grounds
You have the right to object to the processing of data by us for reasons arising from your particular situation, insofar as this is based on the legal basis of legitimate interest. We will then stop processing your data, unless we can prove - in accordance with the legal requirements - compelling reasons for further processing that are worthy of protection and which outweigh your rights.
6.9 Right to complain to the supervisory authority
You have the right to lodge a complaint with a data protection authority. To do this, you can contact the data protection authority responsible for your place of residence or your state or the data protection authority responsible for us. This is the:
Berlin Commissioner for Data Protection and Freedom of Information