Privacy Policy

Privacy Policy in accordance with Art. 13, 14 GDPR - Fulfilment of information obligations

1 Controller

The controller in accordance with Art. 4 (7) EU General Data Protection Regulation (GDPR) is

ROS Retail Outlet Shopping GmbH

Hoher Markt 4/2/1F

1010 Vienna

Tel: +43 1 34 34 304

Email: office@ros-management.com  

The company has appointed an external Data Protection Officer who can be contacted at the following email address: datenschutz-ros@meineberater.at.

2 General Data processing

2.1 Data processing in accordance with Art 13 GDPR

We process the data that data subjects provide to us, for example in the context of an enquiry by E-mail, for the purpose of initiating and concluding a contract or a business relationship.

2.2 Data processing in accordance with Art 14 GDPR

In addition, we process data of persons who may be part of a contractual relationship, which we have permissibly received in the context of information provided by third parties (e.g., managing directors provide us with the data of their employees or colleagues).

2.3         Data Subjects

We process the following data from contracting parties (e.g. competition participants, recipients of business news): first and last name, E-mail address, date of birth.

We process the following data from contact persons of tenants: Company, title and name of contact person, business address data and contact data, bank details, contract data.

We process the following data from suppliers and business partners that is required for the initiation or conclusion of a contract: Company, title and names of contact persons, business address data and contact data, bank details, contract data.

We process the following data from event participants: Name, contact data and address data.

2.4         Recipients of personal data

Recipients of personal data will only be third parties if it is necessary for the fulfilling of a contract or if it is required by law.

2.5         Data retention

1.      Expiration of contractual obligations: If there are contractual provisions that prescribe how long personal data must be retained, the data controller ensures that these deadlines are met. Once these deadlines have expired, the data is deleted or anonymized by the data controller.

2.      Withdrawal of consent: If a person withdraws consent to the processing of their personal data, the data controller deletes this data unless there is another legal basis for processing.

3.      Expiration of legal obligations: In some cases, there may be exceptions that not only allow but even require the data controller to continue retaining personal data for a defined period, such as the storage of tax or accounting records. After these statutory deadlines have expired, the data controller also ensures that the data is anonymized or deleted.

2.6         Contact by E-mail

When you contact us by E-mail, the data you provide will be stored by us in order to answer your questions. We delete the data accruing in this context after the processing is no longer necessary or restrict the processing if there are legal retention periods.

Legal basis: Art. 6 para. 1 lit. f GDPR

2.7         Publication of the names of originators

We are required by law to disclose names of creators of image data (photos or videos) whenever we publish image data. We automatically delete this personal data as soon as we stop using the image data.

2.8         Legal basis

The below points are the legal basis of data processing:

·        Initiation and fulfilment of the contract in accordance with Art. 6 para. 1 lit. b GDPR.

·        Legal obligations in accordance with Art. 6 para. 1 lit. c GDPR, (for example, legally prescribed storage and documentation obligations).

·        Legitimate interests of our company within the meaning of Art. 6 para. 1 lit. f GDPR (for example usage of software).

·        Art 6 para. 1 lit. a GDPR when obtaining consent (for example when processing image data or for advertising purposes).

3         Data processing of competition participants

If you take part in our competitions, we will process your data in order to carry out the competition, to determine and notify the winner and to send the prize offered. For this purpose, we need to process your name and your E-Mail address. Without this data, you cannot participate in the competition. In this context we also need your date of birth, as participants must be at least 18 years old.

If you also provide your telephone number, we will use this data to contact you by telephone if you have not responded to the previous E-Mail prize notification. However, this data is not necessary for entering the competition.

The data will be deleted after the winner has been determined and the competition has been completed.

When you enter our competition, you enter into a contract with us, in that you get the chance to win a prize, while we process your data in return. The processing of your data is thus necessary for the performance of the contract to which you are party (Art. 6 para. 1 lit. b GDPR).

4         Data processing via our website

4.1         Contact

If you have asked us to contact you via our web form or if you have sent us a message, we store the data that is required to contact you. This is your name and your E-Mail address. We additionally process data that you provide to us voluntarily. We delete the data as soon as storage is no longer necessary or you object to the processing. The processing of your data for this purpose is based on our legitimate interest in replying to our client’s inquiries and questions (Art. 6 para. 1 lit. f GDPR).

4.2         Business News

You have the possibility to subscribe to our ROS Outlet Business News. Therefor we need your first and last name as well as your E-mail address. You can cancel the receipt of the Business News at any time. Once you have unsubscribed, we will no longer use your data to send you the Business News. If we do not have any business relationship with you and are not subject to any statutory retention obligations, your data will be deleted after you have unsubscribed from Business News.

Legal basis: Art. 6 para. 1 lit. a GDPR

4.3         Applicants

If you send us your application documents, we will process your personal data contained therein as well as your CV and references for the purpose of personnel selection and filling the position. In the event of a rejection, we will delete your documents after the legal retention periods have expired. The processing of your data is necessary to take steps at your request prior to entering into a contract with you (Art. 6 para. 1 lit. b GDPR).

Should you consent to be kept on record with us for contact at a later date, we will approach you with a separate request to provide consent. If you explicitly give us this consent, we will store your application documents. If there is no further opportunity to fill a position with us within one year, we will delete all of your applicant data one year after you have sent us your consent. The processing of your data for this purpose is based on your consent (Art 6 para 1 lit a GDPR).

5         Data processing when visiting our website

5.1         Informative use of the website

In the case of informative use of the website, we only process the personal data that your browser transmits to our server (server log files). The processing of your data is technically necessary for us to operate our website and to ensure its stability and security.

This data includes:

·        IP address
·        Date and time of the request
·        Time zone difference to Coordinated Universal Time (UTC)
·        Content of the request (specific page)
·        Access status/HTTP status code
·        Website from which the request came
·        browser
·        Operating system and its interface
·        Language and version of the browser software.

This data is not merged with personal data sources. We reserve the right to check this data retrospectively if we become aware of concrete indications of unlawful use and to pass on the data to the law enforcement authorities if there has been a hack attack. The data will not be passed on to third parties beyond this. The processing of this data is based on our legitimate interest to ensure core website functionality.

Legal basis: Art. 6 para. 1 lit. f GDPR

5.2         Cookies

In addition to the processing of data mentioned above, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard drive in relation to the browser you are using and which provide the party setting the cookie (in this case, us) with certain information. Cookies cannot execute programs or transmit viruses to your computer.

The cookie allows you to be recognised when you visit the website without having to re-enter data that you have already entered previously.

The information contained in the cookies is used, for example, to determine whether you are logged in or which data you have already entered, or to recognise you as a user when a connection is established between our web server and your browser. With most web browsers, cookies are automatically accepted.

By using our websites, you agree to the use of these cookies, insofar as cookies are accepted according to your browser settings.

5.2.1        Transient cookies

Transient cookies are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests from your browser can be assigned to the joint session. This enables your computer to be recognised when you return to our website. The session cookies are deleted when you log out or close the browser.

5.2.2        Persistent cookies

Persistent cookies are automatically deleted after a predefined period of time, which may differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.

5.2.3       Third-party cookies

These originate from providers other than the website operator. They can be used, for example, to collect information for advertising, custom content and web statistics.

5.2.4       Browser

Most browsers are set by default to accept all cookies. You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of our website may be limited.

You can remove cookies stored on your PC yourself at any time by deleting the temporary internet files.

The use of technical cookies is necessary for the legitimate purpose of ensuring the operation of our website (Art. 6 para. 1 lit. f GDPR), while all other cookies process your data based on your consent  (Art. 6 para. 1 lit. a GDPR).

Find the full list of cookies here: ros-management.com/cookies

6         Social Media

We operate social media channels such as Instagram, YouTube and LinkedIn. When visiting our social media presence, personal data, including the IP address, is processed by the respective provider and cookies are used for data collection. Which information exactly is transmitted, please refer to the Privacy Policy of the respective service. There you will also find information about contact options as well as for various settings.

We focus on comprehensive customer satisfaction and use these services primarily to be able to get in touch or to communicate with you.

In the case of services with a US connection, the data collected is usually sent to a server in the USA and stored there. We have no influence or possibility of control over the type and scope of the data processed by these services, the type of processing and use or the transfer of this data to third parties. For options to restrict the processing of this data in the respective settings of these services, please refer to the detailed descriptions of the Privacy Policy of the respective providers.

The providers of the social media services and we concluded respective agreements - in most cases these are agreements on joint responsibility for data processing. The use of social media is based on our legitimate, operational interest.

Legal basis: Art. 6 para. 1 lit. f GDPR

7       Squarespace

Our website is hosted on infrastructure provided by Squarespace, Inc., located at 225 Varick Street, FL 12, NY 10014.

Squarespace provides an online tool that we use to design and host our website. All Squarespace websites use visitor data to function properly. This may include your IP address, your device and browser, the last website you visited before coming to our websites, which pages you visit on our websites and how long you spend on them, as well as other identifiers of your devices. The personal data collected on this websiteis is stored on a cloud server in the USA. Squarespace will only process your data to the extent that it is necessary for the fulfilment of their service obligations.

By using this service, the transfer of personal data to the United States occurs or cannot be ruled out. Squarespace, Inc. has certified itself under the EU-U.S. Data Privacy Framework for the transfer of personal data from the EU to the United States. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the United States certified under the EU-U.S. Data Privacy Framework. Consequently, the data transfer is permissible in accordance with Article 45 of the GDPR.

Legal basis: Art. 6 para. 1 lit. f GDPR 

8         Adobe Fonts

We use the Adobe Typekit service to design our website. This is a service provided by Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland.  

Adobe Typekit gives us access to a library of fonts. In order to include the fonts we use, your browser must connect to an Adobe server in the US and download the font required for our website. For this purpose, Adobe processes your IP address. For more information on data processing by Adobe, please refer to Adobe's privacy policy, accessible here: https://www.adobe.com/de/privacy/policy.html .

Accessing the libraries automatically establishes a connection with the font library operator. For details on how Adobe Fonts handles your data, please consults its Privacy Policy: https://www.adobe.com/uk/privacy/policies/adobe-fonts.html.

Adobe Inc. has certified itself under the EU-U.S. Data Privacy Framework for the transfer of personal data from the EU to the United States. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the United States certified under the EU-U.S. Data Privacy Framework. Consequently, the data transfer is permissible in accordance with Article 45 of the GDPR.

Legal basis: Art. 6 para. 1 lit. a GDPR

9         Google Services

We have signed a contract with Google Ireland Limited ("Google"), a company incorporated and operated under the laws of Ireland (registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Nevertheless, it may happen that data is transmitted from Europe to the USA, over which we as a company have no influence.

Google has certified itself under the EU-U.S. Data Privacy Framework for the transfer of personal data from the EU to the United States. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the United States certified under the EU-U.S. Data Privacy Framework. Consequently, the data transfer is permissible in accordance with Article 45 of the GDPR.

The processing of your data is based on your consent (Art 6 para 1 lit a GDPR).

9.1       Google Fonts

We use Google Fonts on our Website. To ensure a uniform and appealing display of the fonts and icons, your browser loads the required fonts into your browser cache. To do this, it is necessary for the browser you are using to contact the Google Fonts servers, which results in Google Fonts becoming aware that our website has been accessed via your IP address.

You can find out what data is collected by Google and what it is used for at https://policies.google.com/privacy?hl=en

9.2       Google Maps

On this website, we use the Google Maps service. This allows us to show you interactive maps directly on the website and enables you to use the map function conveniently. By visiting the website, Google receives the information that you have called up the corresponding sub-page of our website. In addition, the data already mentioned under the point "Informational use of the website" will be transmitted. This occurs regardless of whether Google provides a user account via which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want your data to be associated with your Google profile, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or designing its website in line with requirements. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact Google to exercise this right.

For more information on the purpose and scope of data collection and processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: https://policies.google.com/privacy?hl=en&gl=en.

10    Youtube

We operate a YouTube channel and have embedded YouTube videos on our website, which are stored on http://www.YouTube.com. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube videos in extended data protection mode. With this setting, YouTube does not store cookies when you access our website. A connection to YouTube's servers is only established when you start playing the embedded videos. YouTube uses cookies for data collection and statistical data analysis. This allows YouTube to know which pages you visit. If you are logged in to YouTube, your data is directly associated with your account. YouTube uses your data for advertising and market research purposes.

By using this service, there is a transfer of personal data to the USA, or such a transfer cannot be ruled out. Google has certified itself under the EU-U.S. Privacy Shield Framework for the transfer of personal data from the EU to the USA. The European Commission has determined that there is an adequate level of protection for personal data transferred from the EU to a company in the USA certified under the EU-U.S. Privacy Shield Framework, making data transfer in accordance with Article 45 of the GDPR permissible.

By consenting to data processing by YouTube, you agree that YouTube may load additional cookies and services, especially from Google.

For more information on data protection at "YouTube," please refer to the provider's privacy policy at: https://www.google.de/intl/en/policies/privacy/

Legal basis: Art 6 para 1 lit a GDPR

11    Your rights

You have the following rights in relation to personal data relating to you:

·        Right of access, right to rectification and erasure

·        Right to restriction of processing

·        Right to object to processing

·        Right to data portability

Please direct your enquiries and requests by E-mail to office@ros-management.com or contact us using the contact details provided.

If you believe that we have violated Austrian or European data protection law in the processing of your data and have thereby infringed your rights, please contact us so that we can clarify any issues.

You also have the right to complain to the supervisory authority, which is the Austrian data protection authority:

Austrian Data Protection Authority, Barichgasse 40 - 42, 1030 Vienna, Telephone: +43 1 52 152-0

Email: dsb@dsb.gv.at

12    Changes to this Privacy Policy

We reserve the right to modify this Privacy Policy at any time. Changes to this Privacy Policy will be published by us on this page. Please refer to the current version of our Privacy Policy in this regard.