Privacy Policy

Delica AG places great importance on protecting your privacy and your personal data as well as the necessary data security and thus collects, processes and uses your personal data only in line with the principles described below as well as the stipulations of the EU General Data Protection Regulation and the nationally applicable data protection laws.

Content

I. Name and Address of the Controller
II. Name and Address of the Data Protection Officer and the EU/EEA Representative
III. Your Personal Data
IV. General Information on Data Processing
V. Data Protection Settings via ACRIS
VI. Provision of the Website and Creation of Log Files
VII. Use of Cookies
VIII. Communications & Events
         VIII.1 E-Mail Contact and Use of the Contact Form
IX. Website Analytics Services
      IX.1 Google Analytics and Google Optimize
X. Rights of the Data Subject
XI. Automated Decision-Making and Profiling
XII. Links to Other Websites
XIII. Security
XIV. Availability and Changes

I. Name and Address of the Controller

The controller in the sense of the EU General Data Protection Regulation (“GDPR”) and other national data protection laws of the EU Member States as well as other applicable data protection regulations for the operation of the website (hereinafter “website”) is:
Delica AG
Bresteneggstrasse 4
CH-5033 Buchs
Telephone: +41 800 506 506 (Switzerland)
E-mail: info@cafe-royal.com
(hereinafter “company” or “we”).

As responsible contact person for data protection, specifically for questions regarding the collection, processing or use of your data as well as the assertion of your data subject rights (data information, data erasure or objection to data processing), you can contact us by e-mail or letter to the aforementioned contact details or to our data protection officer. You may also use these contact details to obtain information in relation to your personal data at any time and free of charge.

II. Name and Address of the Data Protection Officer and the EU/EEA Representative

You can reach the data protection officer of the controller at:
Café Royal Data Protection
E-mail: datenschutz-caferoyal@delica.com
(hereinafter “DPO”)

You can contact the EU/EEA representative of the controller at:
Delica Deutschland GmbH
Königsallee 63-65
40215 Düsseldorf
Germany
E-mail: datenschutz-caferoyal@delica.com

III. Your Personal Data

‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter “data subject”). You are not required to communicate personal data to us when visiting our website. Personal data, such as your name, phone number, mail and e-mail address, date of birth and phone number, will be captured only if you provide us with such data voluntarily or consented to it being captured. For technically required data, please see the explanation under „VI. Provision of the Website and Creation of Log Files” and “VII. Use of Cookies“.

IV. General Information on Data Processing

1. Scope of Personal Data Processing
We process personal data (hereinafter also “data”) of website visitors to the extent that this is necessary to provide a functional website as well as our contents and services.
Personal data of visitors to our website is regularly processed only after the user consented to such processing and the handling of the purchasing and ordering process has been completed. This does not apply in cases in which processing of the data is permitted under legal regulations or technically required.
As a visitor, you can decide for yourself whether or not you want to give your consent to the collection and processing of your personal data by technical measures on our Consent Management Platform (“CMP” for short), which is controlled by you via our cookie banner (see section “V. Data protection settings via ACRIS”). Transparent information on the technical measures taken and on the recipient of your data is provided on our CMP. We would like to point out that certain data processing operations are necessary for setting up and ensuring the security of our website as well as technically required for individual data processing operations so that consent to such data processing is not possible.

2. Legal Basis for Personal Data Processing
To the extent that we obtain consent from the data subject for processing operations of personal data, point (a) of Art. 6(1) GDPR serves as legal basis.
If processing personal data is necessary for the performance of a contract to which the data subject is party, point (b) of Art. 6(1) GDPR serves as a legal basis. This also applies to processing methods required to take steps prior to entering into a contract.

Where personal data processing is necessary for compliance with a legal obligation to which our company is subject, point (c) of Art. 6(1) GDPR serves as a legal basis.
If processing is necessary in order to protect the vital interests of the data subject or of another natural person, point (d) of Art. 6(1) GDPR serves as a legal basis.
Where the processing is necessary for the purposes of a legitimate interest pursued by our company or by a third party, except where such interest is overridden by the interests or fundamental rights and freedoms of the data subject, point (f) of Art. 6(1) GDPR serves as legal basis for such processing.

3. Data Erasure and Retention Period
The data subject’s personal data will be erased or blocked once the purpose of retention ceases to be relevant. In addition, data may be retained if this is provided for by the European or national legislator in legal EU regulations, laws or other regulations to which the controller is subject. The data will also be blocked for further processing or erased once a legally prescribed retention period expires, unless further retention of the data is required for the performance of a contract.

V. Data Protection Settings via ACRIS

We use the services of ACRIS E-Commerce GmbH, Am Pfenningberg 60, 4040 Linz, Austria (hereinafter “ACRIS”), for the provision of a Consent Management Platform (in short: “CMP”), i.e. a system that regulates the use of third-party providers, technical measures as well as cookies following a consent given or refused.
The CMP ensures that no measures subject to a consent requirement are taken or carried out without prior consent. For this purpose, our CMP processes certain data for the provision and management of the CMP, such as
(1) your anonymised (hashed) IP address when collected by ACRIS,
(2) a randomly generated unique ID as well as
(3) your given consents or individual data protection settings saved in a cookie consent text file, and uses both the local memory (also called ‘local storage’) on your end device and the setting of several consent cookies to retain such information locally. The retention period is the period of time during which the data processed by the CMP is retained for the purpose of consent management. The consent data (consent given and withdrawal of consent) is kept for 30 days. No new consent is required within this period unless new systems are introduced or it is necessary to obtain new consent due to statutory or legal frame-work conditions. The purpose of data processing by ACRIS is to provide and manage the consents given by our website visitors in a data protection compliant manner. Using ACRIS serves the website visitor to give an informed consent, to prove consents given and not given as well as to administrate the individual data protection settings of our website visitors. Data is processed for the purpose of obtaining the website visitor's consent, providing withdrawal and objection options, providing evidence of the consent obtained (time of consent, end device used) and identifying the user to manage their individual data protection settings. The use of a consent management platform as well as the management and retention of your consents to the processing of your personal data are based on our legal obligation to provide a website that complies with data protection laws (point (c) of Art. 6(1) GDPR). The legal basis for engaging the ACRIS service provider is also point (f) of Art. 6(1) GDPR. Our legitimate interest includes the legally secure documentation and verifiability of consents as well as the control of our analysis campaigns on the basis of your consent given by engaging specialised processors and ensuring the relating technical implementation. Processing data to provide a CMP solution is mandatory to operate the website. The user has no possibility to object as long as we are legally obliged to obtain the user's consent to certain data processing operations.

VI. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing
Where the website is merely used for information purposes, we will collect the technically required personal data transferred by your browser to our server or provider only for being able to display our website to you as well as to ensure its stability and safety.To ensure the hosting, technical provision and maintenance of our website, we engaged the company Delica Deutschland GmbH, Königsallee 62-65, 40215 Düsseldorf, Germany (hereinafter “MID”). MID ensures the necessary protection of your data on our behalf in accordance with the applicable data protection regulations and processes it exclusively in accordance with our instructions.The following data is processed in log files in this context:

(1) the used browser type and version (where you consented to its transfer in your browser settings),
2) the operating system,
3) date and time of the server request,
4) the number of visits,
5) the time spent on the website,
6) the previously accessed website (where you consented to its transfer in your browser settings),
7) the IP address of the users.The data is hosted on certified Google Cloud servers of the Google Cloud Platform, a service of Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (hereinafter “Google”).

Hosting location is the Google Cloud in Germany, specifically in the Frankfurt am Main region. We would like to point out that Google operates in a multi-tenant environment, so data is replicated between multiple geographically dispersed data centres. The log files set out here to countries outside the EU are transferred only as part of the website hosting. Legal bases for this are the EU standard contractual clauses provided by Google in the context of hosting (see https://cloud.google.com/security/gdpr/resource-center/contracts-and-terms?hl=de).

We use this information collected from the user and the user's terminal device exclusively for the purpose described in this Privacy Policy and for optimising the service. The data is neither used further nor disseminated to third parties without authorisation. Such data is not retained together with other personal data of you.

2. Legal Basis for Data Processing
Legal basis for the temporary retention of the data and the log files is point (f) of Art. 6(1) GDPR.

3. Data Processing Purpose
Temporary retention of the IP address by the system is necessary to ensure that the website contents can be delivered to the terminal used by the user. To this end, the user's IP address must remain retained for the duration of the session.All of the aforementioned information ((1) - (7)) is retained in log files to ensure the functionality of the website. In addition, the data serves us to optimise the website and to ensure the necessary security of our IT systems. The data is not evaluated for marketing purposes.

4. Retention Period
The users’ IP addresses will be made anonymous once they are no longer required to achieve the purpose of their collection. This is the case at the end of the user's respective session. In this case, it is no longer possible to assign the accessing client.The maximum retention period of the log files for the aforementioned purposes is 30 days.

5. Objection and Elimination Option
Capture of the data to provide the website and to retain the data in log files is absolutely necessary to ensure the operation of the website. The user has no option to object.

VII. Use of Cookies

1. Description and Scope of Data Processing
Our website uses cookies. Cookies are text files retained in or by the web browser on the user’s computer system. Where a user accesses a website, a cookie may be retained on the user’s terminal. Such cookie contains a characteristic string allowing to unequivocally identify the browser the next time the website is accessed. Some of the cookies we use will be erased again after the end of the browser session, meaning when you have closed your browser (“session cookies”). Other cookies remain on your terminal and allow us to recognise your browser the next time you visit our website.When users access our website, we inform them via an information banner (see section “V. Data Protection Settings via ACRIS”) about the use of cookies (essential or technically necessary cookies as well as statistics and marketing cookies) and have technically set up the consent required under data protection law for setting cookies requiring consent. Except for essential or technically necessary cookies, consent must always be given in advance for cookies to be set on your end device. The same applies to other technical measures, such as the use of Google Analytics, on our website. The user is also referred to this Privacy Policy via the info banner.With the following information, we provide you an overview of the cookies used, their period of validity as well as the respective withdrawal/opt-out options. Furthermore, we would like to point out that you can adjust your cookie settings at any time and withdraw your consent for the future at any time.

(a) Essential cookies:
We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to also remain identifiable after changing to a different website.The following essential or technically required cookies will be retained on your terminal and transferred to us upon each page view:

(1) __cfduid (validity: session),
2) _cfduid (validity: session),
3) __cflb (validity: session),
4) _cf_bm (validity: session),
5) csrf.* (validity: session),
6) session-.* (validity: session),
7) timezone (validity: session),
8) sw-states (validity: 1 year),
9) sw-cache-hash (validity: 1 year),
10) sw-currency (Validity: 1 year),
11) cookie-preference (validity: 30 days),
12) acris_cookie_landing_page (validity: 1 year),
13) acris_cookie_referrer (validity: 1 year),
14) acris_cookie_acc (validity: 30 days),
15) JSESSIONID (validity: session),
16) captcha.basic-captcha.validate (validity: session),
17) wishlist-enabled (validity: 1 year).

Technically necessary, ‘essential’ cookies serve to ensure that you can smoothly visit our website. This includes the provision of our website via our hosting service provider (cf. (1) - (4)), the use of the shop as a registered customer, the provision of the login area, the provision of your shopping cart, securing the page navigation and payment methods (cf. (5) - (10) and (15) - (16)) or the saving of your individual cookie settings (cf. (11) - (14) and (17)) for our website. These cookies are necessary to ensure a secure visit to the shop and our website and cannot be disabled.These cookies contain no personal data, which means they do not serve the purpose of personal identification.

(b) Statistics cookies:We also use cookies on our website that allow us to analyse the surfing behaviour of our users.

In this way, in addition to the data listed in (a) Essential cookies, further information of the following categories is transferred:(1) search terms entered
2) frequency of page views
3) use of website function
4) duration of visitThe user data collected in this way is anonymised by technical precautions. It is thus no longer possible to assign the data to the accessing user. The data is not retained together with other personal data of the users.The statistics cookies are used for the purpose of improving the quality of our website and its contents. By placing the statistics cookies, we learn how the website is used and can thus constantly optimise our offering. To get a description of the technical measures used, the cookies set, the mode of operation, the purpose and the objection options, please refer to the explanations for each analysis tool under “IX. Website Analytics Services”.

2. Legal Basis for Data Processing
The legal basis for personal data processing using technically required cookies (cf. (a)) is point (f) of Art. 6(1) ) GDPR.The legal basis for the processing of personal data using cookies for statistical purposes or for personalisation (cf. (b)) based on your given consent via the cookie banner is point (a) of Art. 6(1) GDPR.

3. Data Processing Purpose
Essential or technically required cookies are used to allow you to use our websites. Some functions of our website cannot be provided without using cookies. These require that the browser is recognised even after a change to a different website. The user data collected by essential or technically required cookies is not used to create user profiles.For information on the purpose of cookies for statistical purposes and the possibilities for objecting to them (see (b)), please refer to the information provided under “IX. Website Analytics Services”.

4. Retention Period, Objection and Elimination Option
Cookies are retained on the user’s computer and transferred from there to our website. Consequently, you also have full control over the use of cookies as a user. By changing the settings in your web browser, you can disable or limit the transfer of cookies. Cookies existing on your computer may be erased at any time. This can also be done automatically. If cookies are disabled for our website, it might no longer be possible to use all functions of the website in full.You can change your cookie usage settings made via our cookie banner at any time here: cookie settings. By removing the tick from “Active” in the sliders, you disable the respective cookies or technical measures.

VIII. Communications & Events

VIII.1 E-Mail Contact and Use of the Contact Form

1. Description and Scope of Data Processing
We can be contacted using a contact form on our website. The user's personal data submitted will be transferred to our support staff in all cases.

We use the tool "Freshdesk" of the provider Freshworks, Inc., 2950 S. Delaware Street, Suite 201, San Mateo, California 94403, USA (hereinafter: "Freshdesk"). If you send us a contact request by mail, your contact request will be organised via a ticket system. Processing the contact request via a ticket system enables us to provide a high quality of service.

The Freshdesk servers that we use to process your request are in the EU. Nevertheless, due to the company's US connection, access to the data by US authorities cannot be ruled out. The required data protection agreement for commissioned processing in accordance with Art. 28 DSGVO with the valid standard data protection clauses has been concluded with Freshdesk. Through this, Freshdesk undertakes to protect the data of our users and to process it exclusively on our behalf in accordance with the applicable data protection regulations. Freshdesk has provided a sample of the GCU at https://www.freshworks.com/data-processing-addendum/. Further information on Freshdesk and the provider Freshworks can be found on the website: https://www.freshworks.com/privacy/.

The scope of the processed personal data and the piece of personal data processible in a given case depends on the information entered in the compulsory fields of the contact form. This includes, in particular, the following data:

(1) your title;
2) your first name* and surname*;
3) your communications data (e-mail address*, phone number);
4) your address details (country),
5) resulting correspondence (subject*, message*).

If you provide us with further personal data via the comment field, this will be treated as strictly confi- dential and will only be made available to the employees entrusted to handle your request.

Your data or the resulting correspondence is exclusively processed by us. It may be necessary to forward the data to one of our trading or product partners to handle your concern. In principle, only the data or information about the product is affected by such forwarding. If it is necessary for us in individual cases to pass the data provided by you on to the trading or product partner, we will inform you of this in advance and, if necessary, obtain your consent. In addition, the data is not forwarded to third parties. The data is exclusively used for the conversation started by you so that we can use your contact options communicated to us to contact you in relation to your request. Mandatory (*) and optional information is clearly indicated in the contact forms.

2. Legal Basis and Purpose of Data Processing
Legal basis for the processing of data transferred in the course of sending an e-mail or via the contact form is point (f) of Art. 6(1) GDPR. If the contact established by the user is aimed at concluding a contract, point (b) of Art. 6(1) GDPR can be stated as the legal basis for processing.

3. Data Processing Purpose
Processing your personal data voluntarily provided to us by e-mail or contact form serves us only to handle the established contact, complaint or request.

4. Retention Period
The data will be erased once it is no longer required to achieve the purpose of its collection. This applies to the personal data transferred by e-mail or via our contact form once the respective conversation with the user has been terminated. Your entries in our contact form will be erased from our web server by the system after seven days. The conversation is deemed terminated once it can be seen from the circumstances that the relevant issue has been resolved conclusively.

5. Objection and Elimination Option
The user may withdraw their consent to personal data processing at any time. If the user contacts us by e-mail or via the form, they may object to the retention of their personal data at any time. In such a case, the conversation cannot be continued. Such withdrawal can also be declared at any time via the contact details under I. and II. See also our comments under section “X. Rights of the Data Subject”. All personal data retained in the course of contact will be erased in this case.

IX. Website Analytics Services

We use statistics and analytics services as well as services from third-party providers on our website to evaluate and analyse your use of our website. In this process, personal data is often passed on to the third-party providers or is analysed automatically. The nature, scope and purpose of such processing of personal data are listed and explained below:

IX.1 Google Analytics and Google Optimize

1. Description and Scope of Data Processing
Using the Google Tag Manager, we have integrated functions of the Google Analytics web analytics service of the Google Inc., 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (hereinafter “Google” or “Google Analytics”), into our website. We also use the Google Optimize service to increase the attractiveness, content and functionality of our website by displaying new website functions and content to a percentage of our users and statistically evaluating the change in usage. Google Optimize is a sub-service of Google Analytics.
Google uses “cookies” “third-party cookies”. These are text files that are stored on your computer or the device you are using (tablet, smartphone etc.) and make it possible to analyse your use of our website (see VII. Use of Cookies).

The following statistics cookies are set:
(1) _ga (validity: 2 years),
2) _gid (validity: 1 day),
3) _gat_.+ (validity: 1 minute),
4) _dc_gtm_UA-.+ (validity: 1 minute),
5) ga-disable-UA-.+ (validity: 1 minute),
6) __utm(a|b|c|d|t|v|x|z) (validity: session),
7) _gat (validity: 1 minute),
8) _swag_ga_.* (validity: 2 years),
9) _gac.*. (validity: 90 days),

By using the features provided in the website analytics services, Google can assign data, sessions and interactions across multiple devices to an anonymised user ID and thus analyse the activities of an anonymised user across devices.The information generated by the cookies about your use of this website (including your IP address) will also be transferred to and stored by Google on servers in the United States. Google will use this information to evaluate your use of the website, compile reports on website activity for website operators and provide other services relating to website activities and web usage. Google may also transfer this information to third parties, where required to do so by law or where such third parties process the information on behalf of Google. With IP anonymisation being enabled on our website, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before its transfer to exclude any direct personal reference. IP anonymisation is not set up by Google at system level outside the European Union or European Economic Area.You can object to the collection, retention and use of information by Google at any time with effect for the future by installing the disabling add-on provided by Google.We concluded the order processing agreement required under data protection law as per Article 28 GDPR with Google. In this agreement, Google undertakes to protect our users' data and to process it exclusively on our behalf in accordance with the applicable data protection regulations.You can find more information on how Google Analytics handles user data, for example, in Google's Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en.

2. Purpose and Legal Basis of Data Processing
We use Google's analytics and tracking technologies on the basis of your consent via our cookie banner (point (a) of Art. 6(1) GDPR)

• for the purpose of monitoring the correct functioning of our website or service,
• for the purpose of KPI reporting in our business reports,
• for the purpose of automated content playout,
• for the purpose of statistically capturing usage and conduct of data analyses to optimise the usability, performance and content of our website,
• for the purpose of debugging technical errors,
• for the purpose of evaluating key performance indicators,
• for the purpose of product optimisation.

3. Retention Period
Sessions are basically terminated after 30 minutes of inactivity and campaigns after six months. The time limit for campaigns can be a maximum of two years.

4. Withdrawal, Objection and Elimination Option
You can object to the collection, retention and use of information by Google / withdraw your consent given via the cookie banner at any time with effect for the future as follows:
a) You can object by installing the disabling add-on provided by Google. You can find more information on this at https://tools.google.com/dlpage/gaoptout?hl=en-GB.
b) Alternatively, you can prevent the storage of cookies set by Google by customising your browser software accordingly.
c) By changing the Google Analytics slider in the CMP, you prevent technical measures from being carried out by Google and cookies from being set.We would like to point out, however, that you might not be able to use all functions of the website to their full extent after disabling or opting out.

X. Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the responsible entity or the controller. The recipient of your data subject requests is Delica Deutschland GmbH as the EU/EEA representative of the responsible entity.

1. Right of Access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed by the controller, and, where that is the case, access to the following information:
(1) the purposes of the processing of such personal data;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom the personal data concerning you has been or will be disclosed;
(4) the envisaged period for which the personal data will be retained, or, if specific information on this cannot be provided, the criteria used to determine the retention period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority.
You have the right to demand communication of whether the personal data concerning you is transferred to a third country or an international organisation. In this context, you may request to be advised of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
To exercise your right to free access, please contact us directly using the contact details in our site notice or contact our EU/EEA representative (cf. sections I and II).

2. Right to Rectification
You have the right to obtain from the controller rectification and/or completion where the personal data processed concerning you is inaccurate or incomplete. The controller has to perform rectification without delay.

3. Right to Restriction of Processing
You may demand restriction of the processing of personal data concerning you under the following conditions:
(1) if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
(3) the controller no longer needs the personal data for the purposes of processing, but it is required by you for the establishment, exercise or defence of legal claims; or
(4) if you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of you.
Where the processing of the personal data concerning you has been restricted, such personal data will, with the exception of retention, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. Right to Erasure
a) Duty of Erasure
You may obtain from the controller the erasure of personal data concerning you without undue delay and the controller is then obliged to erase such data without undue delay where one of the following grounds applies:
(1) The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing is based under point (a) of Art. 6(1) GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
(4) The personal data concerning you has been unlawfully processed.
(5) The personal data concerning you has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data concerning you has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

b) Information to Third Parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, this personal data.

c) Exceptions
The right to erasure does not apply to the extent that the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for the establishment, exercise or defence of legal claims.

5. Right to Information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to communicate such rectification or erasure of the data or restriction of processing to all recipients to whom the personal data concerning you has been disclosed, unless this proves to be impossible or would involve a disproportionate effort. You have the right to be informed of these recipients by the controller.

6. Right to Data Portability
You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where
(1) the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you further have the right to have the personal data transferred directly from one controller to another, where technically feasible. Such right must not adversely affect the rights and freedoms of others.
The right to data portability does not apply to any processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) GDPR.In addition, you have the right to object at any time to processing of personal data concerning you for direct marketing, which includes profiling to the extent that it is related to such direct marketing.The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

8. Right to Withdraw Consent Given Under Data Protection Law
You have the right to withdraw your consent given under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.The data protection authority responsible for the EU/EEA representative is the North Rhine-Westphalia State Data Protection and Freedom of Information Officer, P.O. Box 20 04 44, 40102 Düsseldorf; further information on the Internet at https://www.ldi.nrw.de/index.php.The competent supervisory authority in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC).

XI. Automated Decision-Making and Profiling

As a conscientious company, we neither perform any profiling nor use any automatic decision-making.

XII. Links to Other Websites

This Privacy Policy applies exclusively to the Café Royal website or shop. The websites on this presence may contain links to websites of products of Delica AG or of the Migros-Genossenschafts-Bund or third parties. These websites are not covered by our Privacy Policy. When you leave the web presence of the website, it is recommended to carefully read the data protection provisions of every website that collects personal data.

XIII. Security

We take the necessary security measures to protect your personal data against any unlawful or accidental access or any erasure, modification or loss as well as against unauthorised dissemination. We encrypt your data during its transmission via our website and use SSL (Secure Socket Layer) or TLS (Transport Layer Security) connections. We secure our website and our other systems and personal data by appropriate technical and organisational measures, in particular against loss, destruction, unauthorised access, modification or dissemination to third parties.

XIV. Availability and Changes