This statement describes how we, the members of the franchise system “PRESS THE BUTTON”, i.e. the companies listed under “franchisees and studio operators”, (“we”) process your personal data as joint controllers (Art. 26 DS-GVO). The declaration is addressed to our existing and former customers, the persons taken by our customers to photo shoots (e.g. family members, friends) as well as our employees.
1. Purposes of the data processing
We process your personal data for the following purposes:
- Customer management: Recording of booked appointments, creation of data records for the management of photo shoots, creation of director cards for the processing of photo shoots, invoicing / accounting, cash book, management of cross-participant (system-wide) customer accounts, to which, for example, picture credits can also be credited, joint marketing campaigns.
- Direct advertising: administration of approvals for direct customer information
- Voucher management: issuing and use of vouchers issued by participants of the franchise system, which can also be redeemed by customers at other participants of the franchise system.
- Employee data management: Creation and management of service contracts, flexitime agreements, data protection declarations, confidentiality declarations, declarations on the assignment of the right to use the work, working time records, recording of wage components and costs for a transparency database.
Insofar as we collect your personal data from you ourselves, the provision of your data is generally voluntary. However, if you do not provide your personal data, we will not be able to fulfil our mission, or will not be able to fulfil it completely.
2. Legal bases of the processing
If you are an interested party or potential future customer, we will only process your contact data for the purpose of direct marketing by sending you electronic mail or contacting you by telephone with your consent pursuant to Art. 6 (1) a of the General Data Protection Regulation (“DSGVO”).
If you are our customer, we process your personal data because this is necessary to fulfil the contract concluded with you (Art. 6 para. 1 lit. b DSGVO).
Otherwise, we process your personal data on the basis of our overriding legitimate interest in achieving the purposes stated under point 1 (Art. 6 (1) (f) DSGVO).
3. Joint Data Processing Agreement as Joint Controllers
The operation of the franchise system requires the contracting parties to process data of their customers and other data subjects on an ongoing basis. The services towards the customers of the franchise system are primarily provided by the franchisees. However, the franchisees depend on the central data processing by the franchisor to provide their contractual services to their customers. We therefore operate our data processing primarily as joint data processing within the meaning of Art 26 DS-GVO. To this end, we have stipulated in a transparent manner in an agreement which of us fulfils which obligation in accordance with the GDPR. For the text of this agreement, please see “Agreement on Joint Data Processing as Joint Controllers under Article 26 of the GDPR”.
4. Transmission of your personal data
Insofar as this is absolutely necessary for the purposes mentioned under point 1, we will transfer your personal data to the following recipients:
- IT service providers used by us as well as other service providers,
- administrative authorities, courts and public corporations,
- auditors for the purposes of bookkeeping, the preparation of annual financial statements or auditing,
- other recipients specified by the customer (e.g. family members or friends of the customer).
5. Storage period
We generally store your personal data until the termination of the business relationship in the context of which we (i.e. at least one member of our franchise system) have collected your data or until the expiry of the applicable statutory limitation and retention periods; furthermore, until the termination of any legal disputes in which the data is required as evidence. Insofar as you are a customer, former customer, interested party or potential future customer or a contact person at one of the aforementioned, we store your personal data for the purposes of marketing until you object or revoke your consent, insofar as the marketing measure is based on your consent.
- Session cookies (cookie PHPSESSID), which are required for a session and for login. This is a unique identifier that is sent by the browser to the server with every request so that the server can resolve the actual data (e.g. the user data of the logged-in user or the address during an order process). The session data on the server is automatically deleted at the end of the session. Session cookies are automatically deleted by the browser after closing.
- Cookie userIdentifer, which stores a user ID for logging errors. This cookie remains for one year in order to be able to track a user in the long term. It is mainly used, for example, to be able to clearly identify a user across individual sessions in the logs after errors have occurred.
-> The data of our cookies is not transmitted to third parties.
-> Only anonymised IP addresses are transmitted to Google by us!
-> The transmission of the data generated by the Google cookie and related to the use of our websites (incl. IP addresses) to Google as well as the processing of this data by Google can be prevented by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
-> Google hidden reCAPTCHA: An invisible service that determines whether the website visitor is a bot (independent program) or a human being. In some cases, such as voting, bots on our pages are excluded from the right to participate in a vote in order to avoid abuse.
7. Your rights in connection with personal data
You are entitled, inter alia, (i) to verify whether and which personal data we process about you and to obtain copies of such data, (ii) to request the rectification, integration or erasure of your personal data where it is inaccurate or not processed in accordance with the law, (iii) to request us to restrict the processing of your personal data, (iv) to object in certain circumstances to the processing of your personal data or to withdraw consent previously given for the processing, where withdrawal does not affect the lawfulness of the processing carried out prior to withdrawal, (v) to request data portability where you are our customer, (vi) to know the identity of third parties to whom your personal data is transferred and (vii) to lodge a complaint with the data protection authority.
8. Our contact details
If you have any questions about this statement or wish to make any requests, please contact our franchisor as the central point of contact for data protection issues for the “PRESS THE BUTTON” franchise system:
PRESS THE BUTTON GmbH
+43 1 391 0 391 0
Managing Director: Martin Arbeithuber, firstname.lastname@example.org
The franchisees and studio operators of PRESS THE BUTTON GmbH
Joint Data Processing Agreement as Joint Controllers under Art 26 of the GDPR
- PRESS THE BUTTON GmbH, a limited liability company under Austrian law with its registered office in Wels, Austria, and its business address at 4600 Wels, Anzengruberstraße 10, Austria, registered in the commercial register of the Regional Court of Wels under FN 438323 v, hereinafter also referred to as the “franchisor”, operates a franchise system under the brand name “PRESS THE BUTTON” for the operation of professional do-it-yourself photo studios with predefined lighting and camera settings.
- Participants in the franchise system are furthermore the franchisees. The currently existing Franchisees are listed in Schedule 1 to this Agreement and are parties to this Agreement. The Franchisees from time to time in existence are also referred to in this Agreement as “Franchisees” or, together with “the Franchisor”, as the “Parties”.
- The operation of the franchise system requires the Contracting Parties to process data of their customers and other data subjects on an ongoing basis. The services to the customers of the franchise system are primarily provided by the franchisees. However, the franchisees depend on the central data processing by the franchisor to provide their contractual services to their customers.
In particular, the following business transactions are carried out via data processing provided by the franchisor (purposes of data processing):
A. Customer management: recording of booked appointments, creation of data records for the management of photo shoots, creation of director cards for the processing of photo shoots, invoicing / accounting, cash book, management of cross-participant (system-wide) customer accounts to which, for example, picture credits can also be credited, joint marketing campaigns.
B. Direct advertising: administration of consent for direct customer information.
C. Voucher administration: issue and use of vouchers which are issued by one participant of the franchise system and can also be redeemed by customers at other participants of the franchise system.
D. Employee data management: Creation and management of service contracts, flexitime agreements, data protection declarations, confidentiality declarations, declarations on the assignment of the right to use the work, working time records, recording of wage components and costs for a transparency database.
- The following categories of data are processed (means of data processing):
A. Clients: Name, address, e-mail address(es), date of birth, telephone number, consent to direct marketing, invoicing & billing data, cash book, support data, statistical data, picture of the customer
B. Prospective clients: Name, address, e-mail address(es), consent to direct marketing, statistical data
C. Employees: Name, address, e-mail address(es), date of birth, telephone number, consent to direct marketing, bank details, national insurance number, agreed working hours, invoicing & accounting data, cash book, support data, statistical data, image of employee
D. Franchise partners: Name, address, email address(es), date of birth, telephone number,
E. Consent to direct marketing, bank details, invoicing & billing data, cash book, supervision data, statistical data, picture of franchise partner
F. Potential franchise partner: Name, address, e-mail address(es), telephone number, consent to direct advertising, support data, statistical data.
- With regard to this data processing, the franchisor is jointly responsible with the franchisees in terms of data protection law. The contractual partners therefore carry out the data processing as joint controllers within the meaning of Article 26 of the GDPR.
- Against this background, the contractual partners, as jointly responsible parties, enter into the following agreement:
⎯ The franchisor shall take over the operational management of the above-mentioned data processing. The determination of the data concerned takes place either online via the platform operated by the franchisor for the franchise system under the URL www.pressthebutton.net (or its national counterparts) or in personal customer or data subject contact via the franchisees. The data is then processed both locally by the studio concerned (and thus by the franchisee who operates this studio) and by the franchisor with regard to the provision of central services such as the determination of KPIs and workflow optimisation of the franchise system.
⎯ The franchisor acts as a single point of contact for the affected persons. Notwithstanding the foregoing, Data Subjects may exercise their rights under data protection law with and against any of the Participants.
⎯ The franchisees must immediately transmit to the franchisor all requests for information, requests for correction, requests for deletion, requests for surrender, objections and any other declarations of data subjects relevant under data protection law in the event of any other liability for damages. The franchisor shall take over the processing of all declarations relevant under data protection law. Franchisees shall support the franchisor in this regard to the best of their ability at their own expense.
⎯ The franchisor is responsible for compliance with the information obligations pursuant to Art 13 and Art 14 of the Data Protection Act. The franchisees undertake to support the franchisor in the exercise of the information duties to the best of their ability at their own expense.
⎯ The franchisor also uniformly makes the decision on all declarations relevant under data protection law. There is no obligation to consult or coordinate with the franchisees.
⎯ The franchisor assumes the obligations regarding data protection impact assessment and risk assessment (Art 24 in conjunction with Art 32 of the GDPR), consultation with the supervisory authority (Art 36 of the GDPR), documentation of the selection of technical and organisational measures (Art 24 of the GDPR) including their review and updating with regard to joint data processing (in each case as applicable), the use of processors or sub-processors and their review (Art 28 GDPR), the maintenance of the register of processing activities (Art 30 GDPR), the process in the event of notifiable data breaches (Art 33, 34 GDPR) and the appointment of a data protection officer (Art 37 GDPR).
⎯ The franchisees undertake to ensure a high standard of technical and organisational data protection measures in their area, in particular by ensuring confidentiality, especially by means of access control. The franchisees shall monitor the effectiveness of the technical and organisational measures they have taken on a regular basis and also on an ad hoc basis. In the event that there is a need for optimisation and/or change, they will inform the franchisor in each case.
⎯ For the purposes of Art 26 (3) DS-GVO, the contracting parties shall make the internal compensation arrangement that the responsible party remains responsible for its own data protection law responsibilities and indemnifies and holds harmless the other participants (contracting parties) in this respect. Insofar as the franchisor assumes responsibility under data protection law in accordance with this agreement and is dependent on the cooperation and support of a franchisee in order to fulfil its obligations, the franchisee concerned shall be obliged to pay damages if it fails to fulfil its obligation to cooperate and support. For data breakdowns and data leaks (and any damages resulting therefrom), the party in whose sphere the cause of the data breakdown or data leak lies shall be exclusively liable and shall indemnify and hold harmless all other contractual partners.
⎯ In terms of civil law, all data is the property of the franchisor. The franchisees have no right to have the data deleted, to have the data handed over or similar. In particular, the data remains with the franchisor (insofar as permissible under data protection law) if a franchisee leaves the franchise system. To the extent permissible under data protection law, however, the departing franchisees receive a copy of the data that was processed by them.
⎯ All contracting parties are obliged to maintain confidentiality about data they obtain when processing data. They undertake to observe the same confidentiality rules as they would be obliged to observe themselves as (sole) data controllers. The franchisees are obliged to inform the franchisor of any special secrecy rules. The franchisees shall oblige all employees in writing to treat all data of the joint data processing operations confidentially. This obligation of the employees is to be proven upon request of the franchisor.
- This Agreement shall be effective as of 25.5.2018 and for the duration of the franchise relationship and may not be terminated by ordinary notice during the term of the respective franchise agreement between the Franchisee and the Franchisor. The agreement may be amended with effect for all franchisees if the franchisor and the majority of franchisees (calculated according to the number of studios, which in this context also includes the franchisor’s studios if and as long as the franchisor itself operates studios) agree to such an amendment.
- All contracting parties acknowledge and agree that this agreement is made available to the data subjects pursuant to Art 26 (2) of the GDPR.
- This Agreement shall be governed by Austrian law to the exclusion of the conflict of laws rules of private international law and the UN Convention on Contracts for the International Sale of Goods. This agreement is not a contract in favour of third parties; protective effects in favour of third parties are excluded as far as legally possible.