Privacy Policy

 

We, XXXLdigital, are committed to protecting your personal data and collect and use your personal data exclusively within the scope of the applicable legal provisions.


Hereinafter, you are provided with an overview of how XXXLdigital ensures this protection and what kind of data is collected and for what purpose. The privacy statement is available on our website at any time.

Data processing at XXXLdigital

I. General

XXXLdigital takes on the digital part of XXXLutz Group and, within the context of the internet presence https://www.xxxl.digital, acts through XXXLutz KG, Römerstraße 39, 4600 Wels, Austria.

II. Controller/data protection officer

Name and address of the controller

The controller according to the General Data Protection Regulation and other national data protection laws of the Member States as well as other data protection provisions is:

XXXLutz KG
Römerstraße 39
4600 Wels
Austria
E-mail: kundenservice@xxxlutz.at
Website: www.xxxlutz.at

Data protection officer of the controller

XXXLutz KG
Datenschutzbeauftragter
Römerstraße 39
4600 Wels
Austria
E-mail: datenschutz@xxxlutz.at
Website: www.xxxlutz.at

III. General information on data processing

1. Scope of personal data processing

As a general rule, we process our users’ personal data only to the extent necessary for providing a functional website, our content and services. In line with legal requirements, our users’ personal data is processed only upon consent by the user. An exception applies in cases where it is not possible to obtain the prior consent for factual reasons, and the data's processing is permitted by legal provisions.

2. Legal basis for processing personal data

If we obtain consent of the data subject for processing operations of personal data, point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR) serves as a legal basis. When processing personal data is necessary for fulfilling a contract with its contractual party being the data subject, point (b) of Article 6(1) of the GDPR serves as a legal basis. This also applies to processing operations which are necessary for performing pre-contractual measures.

If processing personal data is required to meet a legal obligation which our company is subject to, point (c) of Article 6(1) of the GDPR serves as a legal basis.

In case of processing being necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Article 6(1) of the GDPR serves as a legal basis.

If processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, and if the data subject’s interests and fundamental rights and freedoms do not override the aforementioned interests, point (f) of Article 6(1) of the GDPR serves as a legal basis for the processing.

3. Data deletion and storage duration

The data subject’s personal data is deleted or made unavailable as soon as the purpose for the storage is no longer given. Storage is also possible if it is provided for by European or national legislators in harmonised regulations, laws or other provisions which the controller is subject to. Data is also made unavailable or deleted if a storage term expires which is prescribed by the aforementioned standards, unless there is a necessity to continue the data storage for concluding or fulfilling a contract.

IV. Provision of the website and creation of log files

1. Description and scope of the data processing

Every time our website is accessed, our system automatically collects data and information from the computer system of the calling computer. In this context, the following data is collected:

  1. Information on the browser type and version used

  2. The user’s operating system

  3. The user’s internet service provider

  4. The user’s IP address

  5. Date and time of access

  6. Websites from which the user's system accesses our website

  7. Websites accessed by the user's system via our website

The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.

2. Legal basis for data processing

The legal basis for temporary storage of the data and log files is point (f) of Article 6(1) GDPR.

3. Purpose of the data processing

The temporary storage of the IP address by the system is necessary for delivering the website to the user's computer. To do so, the user's IP address must be stored for the session’s duration. The data is stored in log files to ensure the website’s functionality. The data also serves as a means to optimise the website and to ensure the safety of our information technology systems. In this regard, the data is not evaluated for marketing purposes.

These purposes are also our legitimate interest for the data processing according to point (f) of Article 6(1) GDPR.

4. Storage duration

The data is deleted as soon as it is no longer required for achieving the purpose of its collection. As for the collection of data for providing the website, this is the case when the respective session has ended.

As for the storage of data in log files, this is the case no later than after seven days. It is possible to store data beyond this. If so, the users’ IP addresses are deleted or alienated so that identifying the calling client is no longer possible.

5. Possibility of objection and removal

Collecting data for the provision of the website and storing the data in log files is absolutely necessary for operating the website. Accordingly, the user has no possibility to object.

V. Use of cookies and integration of external content

Cookies and similar technology such as pixels, tags or beacons (“cookies”) are used to make our offer as pleasant as possible for you. Cookies are small text files that enable user recognition and analysis of your use of our website.

 The majority of the cookies we use are automatically deleted from your hard drive at the end of the browser session ("session cookies"). Session cookies are needed, for example, to provide you with a shopping cart feature across multiple pages. Additionally, we use cookies that remain on your hard drive even after the end of the session (“persistent cookies”). When visiting our site the next time, the system automatically recognises that you have already been with us and which inputs and settings you prefer. In particular, these cookies help us make our offer more user-friendly, effective and secure.

 You can also change cookie settings in your browser settings or at www.youronlinechoices.com. If you refuse cookies, certain pages on our website or provided functionalities may not be available.

VI. Transfer to third countries

Where we transfer your personal data to countries outside the European Economic Area (EEA) or use processors in such countries (for example, in the USA), we implement the standards and safeguards required by law. We achieve this, for example, by agreeing on the so-called EU standard contractual clauses. Please contact us as set out in clause 1 to learn more about the specific security mechanisms we use.

VII. Easy Apply

XXXLdigital takes on the digital part of XXXLutz Group and acts through these companies:

  • XXXLutz KG, Römerstraße 39, 4600 Wels, Austria

  • XXXLutz Verwaltungs GmbH, Römerstraße 39, 4600 Wels, Austria

  • XXXL-Zentralverwaltungs-GmbH & Co. KG

  • XK-Vertriebs-GmbH & Co. KG

  • XXXL-Wareneinkaufs-GmbH & Co. KG each located in:  Mergentheimer Str. 59, 97084 Würzburg, Germany

  • XXXLutz Digital, S.L., Torre Mapfre, Planta 10, Carrer de la Marina 16-18, 08005 Barcelona, Spain

  • XLMX obchodni s.r.o., Nárožní 1390/4, 158 00 Praha 5, Czech Republic

  • XLSK Nabytok s.r.o., Galvaniho 11, 821 04 Bratislava, Slovakia

When applying via Easy Apply, it is indispensable that data is also exchanged between the companies. For this reason, processes are not limited to the area of a single company of XXXLutz Group, but also extend to other companies from the XXXLutz group of companies. The above-mentioned companies therefore work together and act as so-called joint controllers in the sense of data protection law.

VIII. Rights of the data subject

If your personal data is processed, you are a data subject in line with the GDPR and you have the following rights against the controller:

1. Right of access

You may request confirmation from the controller as to whether personal data relating to you is being processed by us.

If there is such processing, you can request information from the controller about the following:

  1. the purposes of the processing of the personal data;

  2. the categories of personal data which are processed;

  3. the recipients or categories of recipients to whom the personal data has been or will be disclosed;

  4. the envisaged period for which the personal data will be stored, or, if specific information on this is not possible, criteria used to determine that period;

  5. the existence of a right to rectify or erase personal data that concerns you, a right to restriction of the processing by the controller or a right to object such processing;

  6. the right to lodge a complaint with a supervisory authority;

  7. any available information as to the source of the data, where the personal data is not collected from the data subject;

  8. the existence of automated decision-making, including profiling, in line with Article 22(1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You are entitled to request information as to whether the personal data that concerns you is transmitted to a third country or an international organisation. In this regard, you can request to be informed on the safeguards according to Article 46 GDPR in connection with the transmission.

2. Right to rectification

You are entitled to have the controller rectify and/or complete personal data if the processed personal data which concerns you is inaccurate or incomplete. The controller is obligated to carry out the rectification without delay.

3. Right to restriction of processing

You may request the restriction of the processing of personal data which concerns you on the following conditions:

  1. if you contest the accuracy of the personal data which concerns you for a period enabling the controller to verify the accuracy of the personal data;

  2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;

  3. the controller no longer needs the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of legal claims, or

  4. if you have objected to processing according to Article 21(1) GDPR, pending the verification whether the legitimate grounds of the controller override yours.

If the processing of the personal data which concerns you has been restricted, such personal data – with the exception of storage – is processed only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the processing has been restricted in line with the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure

a) Obligation to erasure

You can request the controller to erase personal data which concerns you without undue delay and the controller is obligated to erase this data without undue delay if one of the following grounds applies:

  1. the personal data is no longer necessary for to the purposes for which it was collected or otherwise processed;

  2. you withdraw your consent on which the processing is based according to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR and there is no other legal ground for the processing;

  3. you object to the processing according to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing according to Article 21(2) GDPR;

  4. the personal data which concerns you has been unlawfully processed;

  5. the personal data which concerns you has to be erased for compliance with a legal obligation in Union or Member State law which the controller is subject to;

  6. the personal data which concerns you has been collected in relation to the offer of information society services referred to in Article 8(1) GDPR.

b) Information to third parties

If the controller has made the personal data public and is obligated to erase it according to Article 17(1) GDPR, the controller, taking into account available technology and the cost of implementation, is to take reasonable steps, including technical measures, to inform controllers processing the personal data on you having requested the erasure by such controllers of any links to or copy or replication of this personal data.

c) Derogations

The right to erasure does not apply to the extent that processing is necessary

  1. for exercising the right of freedom of expression and information;

  2. for compliance with a legal obligation which requires processing by Union or Member State law which the controller is subject to or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

  3. for reasons of public interest in the field of public health according to points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;

  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Article 89(1) GDPR in so far as the right referred to in Section a) is likely to render the achievement of the objectives of that processing impossible or seriously impair it; or

  5. for the establishment, exercise or defence of legal claims.

5. Right to information

If you have exercised the right to have the controller rectify, erase or restrict the processing, the controller is obligated to communicate this rectification or erasure of the data or restriction on the use to all recipients to whom the personal data which concerns you has been disclosed, unless this proves to be impossible or would involve a disproportionate effort.

You are entitled to have the controller inform you about these recipients.

6. Right to data portability

You are entitled to receive the personal data which concerns you and which you have provided to a controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, if

  1. the processing is based on consent according to point (a) of Article 6(1) GDPR or point (a) of Article 9(2) GDPR or on a contract according to point (b) of Article 6(1) GDPR and

  2. the processing is carried out by automated means.

In exercising this right, you are also entitled to have the personal data which concerns you transmitted directly from one controller to another, where technically feasible. This is not to adversely affect the rights and freedoms of others.

The right to data portability does not apply to the processing of personal data if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

On grounds relating to your particular situation, you are at any time entitled to object to the processing of personal data which concerns you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.

The controller is no longer to process the personal data which concerns you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

Where personal data which concerns you is processed for direct marketing purposes, you are entitled to object at any time to the processing of personal data which concerns you for such marketing; this includes profiling to the extent that it is related to such direct marketing.

If you object to the processing for direct marketing purposes, the personal data which concerns you is no longer processed for such purposes.

In the context of the use of information society services – notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications.

8. Right to revoke the declaration of consent on data protection

You are entitled to revoke your declaration of consent on data protection at any time. Revoking the consent does not affect the lawfulness of the processing carried out based on the consent until it was revoked.

9. Automated individual decision-making including profiling

You are entitled not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you. This does not apply, if the decision

  1. is necessary for entering into, or performance of, a contract between you and the data controller,

  2. is authorised by Union or Member State law which the controller is subject to and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or

  3. is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR, unless point (a) or (g) of Article 9(2) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3), the controller is to implement suitable measures to safeguard your rights and freedoms and legitimate interests, which at least includes the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you believe processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged is to inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.

Informations about cookies