Privacy statement of Zebrabox

We, the Zebrabox Services SA (Eichenstrasse 4a, 8808 Pfäffikon SZ, registered in the commercial register under number CHE-114.055.433), are the operator of the website www.zebrabox.es (website) and are, except otherwise stated in this privacy policy, together with the operator of our local site, IURIS CAPITAL SERVICES SL (CL VALLIRANA Num63 PBJ PTA1 (BARCELONA), Spain), as joint controllers  responsible for the data processing operations set out in this privacy statement. Where reference is made below to "we" or "us", unless otherwise stated, both controllers are referred to.

Contact
Legal notice
GTC
Frequently asked questions
Privacy statement

We, the Zebrabox Services SA (Eichenstrasse 4a, 8808 Pfäffikon SZ, registered in the commercial register under number CHE-114.055.433), are the operator of the website www.zebrabox.es (website) and are, except otherwise stated in this privacy policy, together with the operator of our local site, Spaze Opco 1 S.L (Calle Laureà Miró, 375. Nave 1, Sant Feliu de Llobregal, España), as joint controllers  responsible for the data processing operations set out in this privacy statement. Where reference is made below to "we" or "us", unless otherwise stated, both controllers are referred to.

To ensure that you are aware of the personal data we collect from you and the purposes for which we use it, please read the information below. We are guided in our data protection by the legal requirements of Spanish data protection law, in particular Law 3/2018 of 5 December on the Protection of Personal Data and Digital Rights, which implements the provisions of the General Data Protection Regulation and refers to it in some provisions, as well as the GDPR and the Swiss Federal Data Protection Act (FADP).

Please note that the following information may be reviewed and modified from time to time. We therefore recommend consulting this data protection declaration regularly. Furthermore, other companies are responsible under data protection law for individual data processing operations listed below or are mutually responsible with us, so that in these cases the information of these providers is also authoritative.

Status: September 2023

If you have any questions regarding data protection or would like to exercise your rights, please contact our data protection correspondent by sending an email to the following address: privacidad@zebrabox.es

You can contact our EU data protection representative at:

MLL EU-GDPR GmbH
Ganghoferstrasse 37
DE-80339 Munich

If you contact us via our contact addresses and channels (e.g. by e-mail, telephone or contact formula), your personal data will be processed. The data you have provided us with, such as your title, name, e-mail address, postal address and telephone number and your enquiry (esp. location concerned, category of enquiry, message) are processed. In addition, the time of receipt of the enquiry is documented. Mandatory information is marked with an asterisk (*) in contact forms. Depending on the enquiry, we will also ask you for further details if you have not already provided them to us yourself, such as:

  • Vehicle rental: esp. rental period, pick-up location, number of drivers, driver's licence copies, payment method and payment details;
  • Packaging material: desired product, quantity, pick-up location, payment method and payment information;
  • Moves: Date of move, previous and new address, details on planning the move and transport (e.g. furniture, living space, floor, etc.), method of payment and payment details;
  • Reception of goods: number of parcels, location concerned, deposit or collection, payment method and payment details;
  • File destruction: quantity of files, location concerned, desired time, payment method and payment details;
  • Archive systems: boltless shelving type and quantity, details for creating customised shelving systems, rent or purchase, payment method and payment details.

 

We process this data in order to comply with your request (e.g. to provide you with information about our products and services, to support you in the performance of your contract, to incorporate your feedback in the improvement of our products and services, etc.).

The legal basis for this data processing is our legitimate interest in terms of Art. 6 para. 1 lit. f GDPR in the fulfilment of your request or, if your request is directed towards the conclusion or execution of a contract, the necessity for the performance of the pre-contractual or contractual measures in terms of Art. 6 para. 1 lit. b GDPR.

On our website you have the possibility to rent a Zebrabox or to be put on a waiting list for the rental of a Zebrabox. For this purpose, we collect the following data, whereby mandatory data are marked with an asterisk (*) in the booking process:

  • Personal details:
    • Title
    • Surname and first name
    • Postal address
    • Date of birth
    • Company in the case of corporate clients
  • E-mail address
  • Telephone number
  • Product data:
    • Details of the desired zebra box (type, size, time period, reason for storage)
    • Value of goods
    • Storage goods

 

We use the personal details to verify your identity before concluding a contract. We need your e-mail address to confirm your booking and for future communication with you - which is necessary to process the contract. The telephone number is used - after successful verification by means of a delivered validation code - to deliver the access code in the form of a QR code. We save your data together with the peripheral data of the booking (e.g. time, booking number etc.), details of the product (e.g. size, exact location, identification number of the Zebrabox), the data on payment (e.g. selected payment method, confirmation of payment and time; see also section 6) as well as the information on the processing and fulfilment of the contract (e.g. rectification of problems, use of customer service etc.) in our CRM database (see also section 7) to ensure correct booking processing and fulfilment of the contract.

The legal basis for this data processing is the fulfilment of a contract with you according to Art. 6 para. 1 lit. b GDPR.

The provision of data (e.g. reason for storage, knowledge of Zebrabox) that is not marked as mandatory is voluntary. We process this data in order to customise our products and services to your personal needs as best as possible, to facilitate the processing of contracts, to contact you by alternative means of communication if necessary, regarding the fulfilment of the contract or for statistical collection and evaluation in order to optimise our products and services. 

The legal foundation for this data processing is your consent in terms of Art. 6 para. 1 lit. a GDPR. You can revoke your consent by notifying us at any time.

You can add your access code to the wallet on your (iOS or Android) smartphone using the "PassKit" app, so that you can find the code more easily and have it to hand more quickly. In this case, with your consent, we will transmit the following data to PassKit, Inc (6/F Golden Sun Centre Sheung Wan Hong Kong): Customer number, first name, last name and location of the booked Zebrabox. The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time with effect for the future by informing us. For any other processing of your data by PassKit, Inc., please see their data protection policy.

For the transmission of contract-relevant customer information by e-mail, we use the software application Mailchimp of Intuit Inc. (2700 Coast Avenue, Mountain View, CA 94043, USA). Therefore, at most, your data will be stored in a database of the Intuit Inc., which may allow Intuit Inc. to access your data if this is necessary for the provision of the software and for the assistance in the use of the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection policy. The legal justification for the transfer of data is our legitimate interest in the use of third-party services within the meaning of Art. 6 para. 1 lit. f GDPR.

Intuit Inc. may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Intuit Inc. is the controller for these data processing operations and must ensure compliance with data protection laws in connection with these data processing operations. Information about data processing by Intuit Inc. can be found by following the link: www.intuit.com/privacy/statement/

In order to prevent, detect and prosecute unlawful and abusive behaviour by customers, we require identification by means of an official identity document for the booking of a Zebrabox. In this respect, biometric data, i.e. data requiring special protection, may be processed.

You can either identify yourself online or visit one of our locations and have one of our employees carry out the verification. During the inspection at our location, we verify whether you are the person in the photo on the ID document and whether the data on the ID document matches the data entered in the booking process (see point 4). We subsequently save a copy of the ID document.

For the online identification we use the solution "PXL Ident" of the PXL Vision AG (Rautistrasse 33, 8047 Zürich, Switzerland (PXL)). In this context, we redirect you to the web or mobile app and PXL receives the information that you have made a booking for a Zebrabox as well as other technical data associated with the call-up of the website or app (see in particular section 8.1 regarding log file data). We receive information from PXL about whether the identification was successful or not, as well as a copy of the ID card used. The legal basis for the data processing performed by us as the data protection controller is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in protecting our property and the property of our customers as well as in protecting our legal claims and the legal claims of our customers.

For the further data processing within the scope of online identification, PXL is the data protection controller. PXL will only process your data for online identification with your express consent in accordance with Art. 6 para. 1 lit. a and Art. 9 para. 2 lit. a GDPR as the legal basis. You can revoke your consent at any time with effect for the future by notifying PXL. You can find detailed information here: https://www.pxl-vision.com/en/privacy-policy-daego.

When you submit bookings on our website, depending on the service and the desired payment method - in addition to the information mentioned in section 6 - you may be required to provide further data, such as your credit card information or the login to your payment service provider. This information, as well as the fact that you have made a booking with us for the amount and time concerned, will be forwarded to the respective payment service providers (e.g. payment solution providers, credit card issuers and credit card acquirers). Please also always observe the information of the respective company, especially the data protection policy and the general terms and conditions. The legal basis for our data processing is the fulfilment of a contract in accordance with Art. 6 para. 1 lit. b GDPR.

In order to avoid payment incidents, the necessary data, in particular your personal details, may also be transmitted to a credit agency for the automated assessment of your solvency. In this context, the credit agency may assign you a so-called score value. This is an estimate of the future risk of default, e.g. based on a percentage. The value is collected using mathematical-statistical procedures and including data of the credit agency from other sources.  In this context, automated decision-making (and profiling with or without high risk) may also occur, which may result in the payment method "invoice" not being made available to you. If the legal requirement is met, you have the right to express your point of view and request a review of the decision by a natural person. The legal basis for this data processing is our legitimate interest according to Art. 6 para. 1 lit. f GDPR in avoiding payment defaults.

If a clear assignment to your person is possible, we will store and link the data described in this data protection policy, i.e. especially your personal details, your approaches, your contract data and your surfing behaviour on our websites in a central database. This serves the efficient administration of customer data, allows us to adequately process your requests and enables the efficient provision of the services requested by you and the processing of the related contracts. Legally, this data processing is based on our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the efficient management of user data.

We also analyse this data in order to further develop our products and services to meet your needs and to be able to display and suggest the most relevant information and offers to you. We also use methods that predict possible interests and future bookings based on your use of our website. Part of these analyses could be considered as profiling (with or without high risk). The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in carrying out marketing activities.

For central data storage and analysis in the CRM system, we use a software application provided by Uniserv B.V. (Korte Hogendijk 14, 1506 MA Zaandam, Netherlands). Therefore, at most, your data will be held in a database by Uniserv, which may allow Uniserv to access your data where necessary to provide the software and to assist you in using the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of this data protection declaration. Further information about data processing in connection with Uniserv can be accessed here. Legally, the transfer of data is based on our legitimate interest in the use of third-party services in accordance with Art. 6 para. 1 lit. f GDPR.

Uniserv may wish to use some of this data for its own purposes (e.g. for statistical analyses for product optimisation). Uniserv is the controller for these data processing operations and must ensure compliance with data protection laws regarding these data processing operations. Information about data processing by Uniserv can be accessed here.

This chapter covers the following data processing operations:

8.1 Data processing while visiting our website (log file Data)
8.2 Cookies
8.3 Tracking and web analysis tools
8.4 Online advertising and targeting
8.5 Social Media

When visiting our website, the web servers temporarily store every access in a Logfile. The following data is collected without you intervention and stored until it is automatically deleted by us:

  • IP address of the requesting computer;
  • Date and time of access;
  • Name and URL of the file accessed;
  • Website from which the access was made, if necessary with the used search word;
  • Operating system of your computer and the browser you are using (including type, version and language settings);
  • Type of device in the instance of access by mobile phones;
  • City or region, from which the access was made; and 
  • Name of your internet access provider.

 

The collection and processing of these data is made for the purpose of our website (connection establishment), to permanently guarantee system security and stability, to enable error and performance analysis and optimisation of our website (see section 8.3. regarding the last points). In case of an attack on the network infrastructure of the website or if there is any suspicion of other unauthorised or improper use of the website, the IP address as well as the other data will be evaluated for the purpose of investigation and prevention and, if necessary, used to identify the user concerned in proceedings for civil or criminal prosecution. The purposes described above are our legitimate interest as defined by Art. 6 para. 1 lit. f GDPR and thus the legal basis for data processing. 

To operate our website, we use the services of our hosting provider iquer.net GmbH & Co. KG, Klingenderstraße 5, 33100 Paderborn, Germany. Therefore, your data will most likely be stored in a database of iquer, which may allow them to access your data if this is necessary for the purpose of providing the software and supporting you while using the software. Information on the processing of data by third parties and any transfer abroad can be found in section 9 of the privacy policy. Further information on data processing related to iquer can be found at https://www.iquer.net/datacenter/. The legal basis for the transfer of data is our justified interest as defined in Art. 6 para. 1 lit. f GDPR for the use of third-party services. It is possible that iquer would like to use some of this data for its own purposes (e.g. for statistical analysis for product optimisation). For these data processing activities, iquer is he responsible party and must ensure that the data protection laws are respected in connection with these data processing activities. Information about data processing by iquer can be found at https://www.iquer.net/datacenter/

Eventually, when you visit our website, we use cookies as well as other applications and tools that are built on the use of cookies. Within this context, the data described here may also be processed. You will find mor detail regarding this in the other subsequent sections of this data protection declaration, specifically section 8.2 below.

Cookies are information files that your web browser stores on your computer’s hard drive or memory when you visit our website. Cookies have assigned identification numbers that are used to identify your browser and to read the information contained in the cookie. 

Among other things, cookies help to make visiting our website easier, more pleasant and more meaningful. We use cookies for various reasons that are required, that is “technically necessary”, for your desired use of the website. For example, we use cookies to provide the booking functions or to temporarily save your entries when filling our a form on the website so that you do not have to re-type them when calling up another sub-page. Furthermore, cookies also perform other technical functions required for the operation of the website, such as so-called load balancing, meaning the distribution of the performance load of the page to different web servers in order to relieve the server. Cookies are also used for security purposes, e.g. to prevent the unauthorised posting of content. Finally, we also use cookies as part of the design and programming of our website, e.g. to enable the uploading of scrips or codes. 

The legal basis for this data processing is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in providing a user-friendly and up-to-date website. 

Most internet browsers accept cookies automatically. However, when accessing our website, in accordance with Art. 6 of Law 3/2016 and Art. 7 of the GDPR, we ask for your consent to the cookies that we use which are not technically necessary, especially when using third-party cookies for marketing purposes. You can adjust your preferences for cookies by using the corresponding buttons in the cookie banner or on our cookies site. Details regarding the services and data processing associated with each cookie can be found within the cookie banner, on our cookies site and in the following sections of this Privacy Policy.

You may also be able to configure your browser so that no cookies are stored on your computer or so that a message appears whenever you receive a new cookie. On the following pages you will find explanations of how you can configure the processing of cookies in selected browsers.

 

Disabling cookies may prevent you from using all the features of our website.

8.3.1 General information on tracking

In order to design our website according to requirements and to continuously optimise it, we use the web analysis services listed below. In this context, pseudonymised user profiles are created and cookies are used (please also note section 8.2). The information generated by the cookie about your use of this website is usually transmitted together with the log file data mentioned in section 9.1 to a server of the service provider, where it is stored and processed. This may involve a transfer to servers abroad, e.g. the USA (see section 9, especially regarding the lack of an adequate level of data protection and the provided guarantees). 

By processing the data, we obtain among other things the following information: 

  • Navigation path followed by a visitor on the page (incl. Content viewed and products selected or purchased, or services booked);
  • Time spent on the website or sub-page;
  • Subpage on which the visitor leaves the website;
  • Country, region or city, from where the website is accessed; 
  • Terminal device (type, version, colour depth, resolution, width and height of the browser window); and
  • Returning or new visitors. 

 

On our behalf, the provider will use this information to evaluate the use of the website, specifically to generate reports on website activity and to provide other services related to the use of the website and the internet for the purposes of market research and demand-oriented design of these websites. For these processing operations, up to a certain extent, we and the providers may be regarded as jointly responsible parties under data protection law. 

The legal basis of these data processing operations with the following services is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. Some of the data processing could also be evaluated as profiling (with or without high risk), to which your consent also extends. You can revoke your consent or refuse the processing at any time by rejecting or switching of the relevant cookies in your web browser settings (see section 8.2) or by making use of the service-specific options described below. 

For the continued processing of the data by the corresponding provider as the (only) responsible party under data protection law, especially any possible forwarding of this information to third parties, e.g. to authorities based on national legal regulation, please refer to the respective data protection information of the provider. 

8.3.2 Google Analytics

We use the web analysis service Google Analytics from Google Ireland Limited (Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland) or Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google).

Deviating from the description in section 8.3.1, IP addresses are not logged or stored in Google Analytics (in the version “Google Analytics 4” applied here). In case of accesses originating from the EU, IP address data are only used to obtain location data and are then deleted immediately. When collection measurement data in Google Analytics, all IP searches take place on EU-based servers before the traffic is passed on to Analytics servers for further processing. In Google Analytics regional data centres are used. If a connection is made in Google Analytics to the nearest available Google data centre, the measurement data is sent to Analytics via an encrypted HTTPS connection. At these centres the data is then further encrypted before being forwarded to Analytics’ processing servers and made available on the platform. Based on the IP-addresses, the most suitable local data centre is then determined. This may also result in data being transferred to servers abroad, e.g. the USA (see section 9.2, particularly on the lack of an adequate level of data protection and the provided guarantees). 

For this purpose, we also use the technical extension “Google Signals”, which also enables cross-device tracking. This makes it possible to associate a single website visitor with different end devices. However, this only happens if the visitor has logged into a Google service when visiting the website and has also activated the “personalised advertising” option in their Google account settings. Even then, we di bi gave access to any personal data or user profiles; they remain anonymous to us. If you do not wish to use “Google Signals”, you can deactivate the “personalised advertising” option in your Google account settings. 

Users can prevent the collection of the data generated by the cookie and related to the website usage by the user concerned (incl. the IP-address) by Google as well as the processing of this data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en. This will save an opt-out cookie on the user’s terminal device. If the users delete cookies (see section 9 Cookies), the link must be clicked again.

8.4.1 In General

We use services of different companies to provide you with interesting online offerings. In the process, your user behaviour on our website and websites of other providers is analysed in order to subsequently be able to show you online advertising that is individually tailored to you. 

Most of the technologies used to track your user behaviour (tracking) and for the targeted display of advertising (targeting) work with cookies (see also section 8.2) or similar technologies and unique identifiers can be recognised across different websites. Depending on the service provider, it may also be possible for you to be recognised online even when you are using different end devices (e.g. laptop and smartphone). That may be the case, for example, if you have registered for a service that you use with multiple devices. 

For these purposes, the data that is generated when website are called up (log file data, see section 8.1) and when cookies are used (section 8.2) may reach the companies involved in the advertising networks and be processed by them. The data is also disclosed to potential countries all over the world (refer to section 10, especially on the lack of an adequate level of data protection and the provided guarantees). Furthermore, the following data is included in the section of the advertising that is potentially most relevant to you: 

  • Personal information you provided when registering or using an advertiser’s service (e.g. your gender, age range); and
  • User behaviour (e.g. search requests, interactions with advertisements, type of websites visited, products or services viewed and purchased, newsletters subscribed to). 

 

We and our service providers use this data to identify whether you belong to the target group we address and take this into account when selecting the advertisements. For example, after you have visited our site, you may be shown ads of the products or services you consulted when you visited out pages (re-targeting) Depending on the extent of the data, it is possible that a profile of a user is created, which is evaluated automatically, I.e. with so-called profiling, whereby the ads are selected according to the information stored in the profile, such as membership of a certain demographic segments or potential interests or behaviour. Such advertisements may be displayed to you on different channels, which, in addition to our website or app (as part of onsite and in-app marketing), include advertisements delivered through the online advertising networks we use, such as Google. 

The data may then be analysed for the purpose of calculating the bill with the service provider as well as for assessing the effectiveness of advertising measures in order to improve our understanding regarding the needs of our users and costumers and to improve future campaigns. Such analysis may also involve the information that the taking of an action (e.g. visiting certain sections of our website or sending information) is due to a certain advertising ad. We also receive aggregated reports from service providers of ad activity and information about how users interact with our website and ads.

The legal basis for these data processing operations is your consent within the meaning of Art. 6 para.1 lit. a. Some of the data processing could also be evaluated as profiling (with or without high risk), to which your consent also extends. You can revoke your consent or refuse the processing at any time by rejecting or switching of the relevant cookies in your web browser settings (see section 8.2). You will also find further options by blocking advertising in the information provided by the respective service provider. 

8.4.2 Google Ads

This website uses the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (Google) for online advertising, as explained in section 8.4.1. Google uses cookies (cf. this list) as well as similar technologies and unique identifiers (e.g. advertising ID), to enable your browser to be recognised when visiting other websites. The information generated thereby about your visit to these websites (including your IP address) will be transmitted to and stored by Google on servers in the United States (see section 10, especially regarding the lack of an adequate level of data protection and the provided guarantees). Google will process the data by name to display personalised advertising to you on Google services (e.g. the search engine). Further information on data protection at Google can be found here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 of Law 3/2018, which refers to the definition of consent in Art. 4 no. 11 of the GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here

8.4.3 Microsoft Advertising / Bing Ads

The website uses services of Microsoft Corporation (One Microsoft Way, Redmond WA 98052-6399, USA (Microsoft)) for online advertising, as explained in section 8.4.1. In doing so, Microsoft uses cookies (cf. this list) and unique identifiers (e.g. advertising ID or the UET tag) which enable your browser to be recognised when you visit other websites. The information thus generated about your visit to these websites (including your IP address) will be transmitted to and stored by Microsoft on servers in the United States (see section 9, especially regarding the lack of an adequate level of data protection and the provided guarantees). Microsoft will process the data by name in order to display personalised advertising to you on Microsoft services (e.g. the search engine). Further information on data protection at Microsoft can be found here

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.4.4 Yieldlab

The website uses services of Virtual Minds GmbH (Ellen-Gottlieb-Str. 16, 79106 Freiburg i. Breisgau, Germany (Yieldlab)) for online advertising, as explained in section 8.4.1. In doing so, Yieldlab uses cookies and unique identifiers (e.g. Mobile Advertisement ID (MAID)), which allow your browser to be recognised when visiting other websites. The information thus generated about your visit to these websites (including your IP address) is transmitted to ad stored on servers operated by Yieldlab in Germany, among other places, and may also be transmitted to other countries (cf. in this regard, especially the lack of an adequate level of data protection and the provided guarantees, section 9). Yieldlab will process the data by name in order to display personalised advertising to you on websites and services of affiliated companies, namely from the media industry. Further information on data protection at Yieldlab can be found here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR. You can revoke your consent at any time by rejecting or switching off the relevant cookies in your web browser settings (see section 8.2). Further options for blocking advertising can be found here.

8.4.5 Meta Pixel and Custom Audience

The website uses the advertising services of Meta Platform Ireland Limited (4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, (Meta)) for online advertising, as explained in section 9.4.1. Meta uses technologies such as cookies and the so-called meta pixel, which enable your browser to be recognised when visiting other websites. The information thus generated about your visit to these websites (including your IP address) is transmitted to Meta’s servers in the USA, among other places, and stored there (cf. section 10, especially on the lack of an adequate level of data protection and the provided guarantees). Meta will process the data by name in order to display personalised advertising to you on Meta services (e.g. Facebook or Instagram). In doing so, we use the targeting functions offered by Meta, namely Website Custom Audiences, which enables us to recognise you on Meta services after you have visited our website and to display targeted advertising to you. Further information on data protection at Meta can be found here and here.

The legal basis for this data processing is your consent within the meaning of Art. 6 para. 1 lit. a GDPR You can revoke your consent at any time by rejecting or switching off the relevant cookies in the settings of your web browser (see section 8.2). Further options for blocking advertising can be found here

8.5.1 Social Media Profile

On our website, we have included links to our profiles in the social networks of the following providers: 

  • Meta Platforms Ireland Limited (Facebook and Instagram), 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, Privacy Policy
  • LinkedIn Unlimited Company, Wilton Place, Dublin 2, Ireland, Privacy Policy;
  • Google Ireland Limited (YouTube) Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, Privacy Policy.

 

By clicking on the icons of the social networks, you will automatically be redirected to our profile in the respective network. This establishes a direct connection between your browser and the server of the respective social network. As a result, the network receives data described in the section on log files (section 9.1), specifically the information that you have visited on our website with your IP address and have clicked on the link. This may also result in data being transferred to servers abroad e.g. in the USA (see section 10, especially on the lack of an adequate level of data protection and the provided guarantees.

If you click on a link to a network while you are logged into your user account with the network in question, the content of our website directly to your account. If you want to prevent this, you should log out before clicking on the relevant links. A connection between your access to our website and your user account takes place in any case if you log in to the respective network after clicking on the link. The respective provider is responsible under data protection law for the associated data processing. Therefore, please read the data protection information on the website of the network. 

The legal basis for any data processing attributed to us is our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in the use and advertising of our social media profiles. 

8.5.2 Social Media Plugins

On our website you can use social media plugins from the providers listed below. 

  • Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland, Privacy Policy;

 

We use social media plugins to make it easier for you to share content from our website. The social media plugins help us to increase visibility of our content on social networks and thus contribute to better marketing. 

The plugins are deactivated by default on our websites and therefore do not send any data to the social networks when you merely visit our website. To increase data protection, we have integrated the plugins in such a way that a connection is not automatically established with the networks’ servers. Only when you activate the plugins by clicking on them and thus give your consent to the transmission and further processing of data by the providers of the social networks, will your browser establish a direct connection to the servers of the respective social network. 

The content of the plugin is transmitted directly to your browser by the social network and integrated into the website by the browser. This provides the respective provider the information about your browser having accessed the corresponding page of our website, regardless of whether you have an account with this social network or are currently logged into it. This information (including your IP address and the other log file data (section 8.1)) is transmitted by your browser directly to a server of the provider (usually in the USA) and stored there ((please refer to section 9, especially on the lack of an adequate level of data protection and the provided guarantees). We have no influence on the scope of the data that the provider collects with the plugin altohugh from a data protection perspective we can be considered jointly responsible with the providers up to a certain extent. 

If you are logged into the social network, it can assign your visit to our website from our user account. If you interact with the plugins, the corresponding information is also transmitted directly to a server of the provider and stored there. The information (e.g. that you like a product or service from us) may also be published on the social network and possibly displayed to other users of the social network. The provider of the social network may use this information for the purpose of placing advertisement and designing the respective content to meet the needs of the user. For this purpose, usage, interest and relationship profiles could be created, e.g. in order to automatically evaluate your use of our website with regard to the advertisements displayed to you on the social network (especially by means of profiling), to inform other users about your activities on our website and to provide other services associated with the use of the social network. The purpose and scope of the data collection and the further processing and use of the data bn the providers of the social networks as well as your rights in this regard and setting options for protecting your privacy can be found directly in the data protection information of the respective provider. 

If you do not want the provider of the social network to assign the data collected via our website to your user account, you must log out of the social network before activating the plugins. You consent within the meaning of Art. 6 para. 1 lit.a GDPR forms the legal basis the data processing described. Some of the data processing could also be assessed as profiling (with or without high risk), to which your consent also extends. You can revoke your consent at any time by declaring your revocation to the provider of the plugin in accordance with the information of their data protection notices. 

9.1 Disclosure to and access by third parties

Without the support of other companies, we would not be able to provide our products and services in the intended format. In order for us to be able to use the services of these companies, it is also necessary to pass on your personal data to these companies to a certain extent. Sharing is done with selected third-party service providers and only to the extent necessary for the optimal provision of our services. 

Several third-party service providers are already explicitly mentioned in this privacy policy. Your data will also be passed on if this is necessary to process the contractual relationship, such as to removal companies or providers of document shredding services. The legal basis for these disclosures is the necessity for the execution of a contract within the meaning of Art. 6 para. 1 lit. b GDPR. The third-party service providers are responsible for these data processing operations within the meaning of the Data Protection Act and not us. It is the responsibility for these third-party service providers to inform you about their own data processing activities – which go beyond the transfer of data for the provision of services – and to comply with data protection laws. 

Moreover, we may transfer personal data to third party providers of shipping, printing, security, IT support, data management, data backup, cloud and storage services where this is necessary for the use of the third-party services. Our legitimate interest within the meaning of Art. 6 para. 1 lit. f GDPR in using third-party services provides the legal basis for this data processing. 

In addition, your data may be passed on, especially to authorities, legal advisors or collection agencies, if we are legally obliged to do so or if this is necessary to protect our rights, specifically to enforce claims arising from our relationship with you. Data may also be disclosed if another company intends to acquire our company or parts thereof and such disclosure is necessary to carry out due diligence or to complete the transaction. Our legitimate interest within the meaning of Art. 6 para. 1 lit. F GDPR in the protection of our rights and compliance with our obligations or the sale of our company or parts thereof provides the legal basis for this data processing. 

9.2 Transfer of personal data abroad 

We are also entitled to transfer your personal data to third parties abroad, if this is necessary to carry out the data processing mentioned in this data protection declaration. Individual data transfers have already been mentioned in the preceding sections (see in particular section 8). It goes without saying that the legal provisions on the disclosure of personal data to third parties are being observed. The countries to which data is transferred include those that have ana adequate level of data protection according to a decision by the Federal Council and the EU Commission (such as the member states of the EEA or, form the EU’s perspective, Switzerland), but also countries (such as the USA) whose level of data protection is not considered adequate (see annex 1 of the Data Protection Ordinance (DPA) and the EU Commission’s website). If the country in question does not have an adequate level of data protection, we ensure that your data is adequately protected at these companies by means of suitable guarantees, unless an exception is specified in the individual case for the data processing (cf. Art 49 GDPR). Unless otherwise stated, these are the choice of companies certified under the Privacy Framework Agreement or standard contractual clauses within the meaning of Art. 46 para. 2 lit. c GDPR, which can be accessed on the websites of the Federal Data Protection and Information Commissioner (FDPIC) and the EU Commission. If you have any questions about the measures taken, please contact out contact person for data protection (see point 2). 

9.3 Information on data transfers to the USA

Some of the third-party service providers mentioned in this privacy policy are based in the USA. In the interests of integrity, we would like to point out for users who are resident or domiciled in Switzerland or the EU that there are surveillance measures taken by US authorities in the USA which generally enable the storage of all personal data of all persons whose data has been transferred from Switzerland or the EU to the USA. This is done without any differentiation, limitation or exception based on the objective pursued and without any objective criterion that would make it possible to limit the access of the US authorities to the data and their subsequent use to very specific, strictly limited purposes that are capable of justifying the intrusion associated with both the access to and the use of these data. Furthermore, we would like to point out that in the USA, data subjects from Switzerland or the EU do not have any legal remedies or effective legal protection against general access rights of US authorities that would allow them to obtain access to the data concerning them and to obtain their correction or deletion. We explicitly draw your attention to this legal and factual situation in order to enable you to make an appropriately informed decision to consent to or object to the use of your data. 

We would also like to point out to users resident in Switzerland or a member state of the EU that, from the point of view of the European Union and Switzerland, the USA does not have an adequate level of data protection, partly because of the statements made in this section. Insofar as we have explained in this privacy policy that recipients of data (such as Google) are based in the USA, we will ensure that your data is adequately protected with our third-party service providers by choosing companies that are certified under the Privacy Framework Agreement or contractual arrangements with these companies, as well as any additional appropriate guarantees that may be required.

We only store personal data for as long as is required to carry out the processing operations explained in this data protection declaration within the scope of our legitimate interest. For contractual data, storage is required by mandatory legal retention obligations. Requirements obliging us to retain data result from accounting regulations and tax law provisions. According to these regulations, business communication, concluded contracts and accounting vouchers must be stored for up to 10 years. As soon as we no longer need this data to provide services for you, that data will be blocked. This means that the data may then only be used if this is necessary to fulfil the retention obligations or to defend and enforce our legal interests. The data will be deleted as soon as there is no longer any obligation to retain the data and no longer any legitimate interest in retaining it.

We use appropriate technical and organizational security measures to protect your personal data stored with us against loss and unlawful processing, specifically unauthorized access by third parties. Our employees and the service companies commissioned by us are obliged by us to maintain confidentiality and data protection. Furthermore, these persons are only granted access to personal data to the extent necessary to fulfil their duties.

Our security measures are continuously adapted in line with technological developments. However, the transmission of information via the Internet and electronic means of communication always involves certain security risks and we cannot therefore provide an absolute guarantee for the security of information transmitted by this means.

As long as the legal requirements are fulfilled, you have the following rights as a person affected by data processing:

Right of access: You have the right to request access to your personal data stored by us at any time and free of charge whenever we process it. This gives you the opportunity to check exactly what personal data we are processing concerning you and whether we are processing it in accordance with the applicable data protection regulations.

Right to rectification: You have the right to request that inaccurate or incomplete personal data be rectified and to be informed of the rectification. In this case, we will also inform the recipients of the data concerned about the adjustments we have made, unless this is impossible or involves disproportionate effort.

Right to deletion: You have the right to have your personal data deleted under certain circumstances. In individual cases, particularly in the case of statutory retention obligations, the right to deletion may be excluded. In this case, the deletion may be replaced by blocking the data if the conditions are met.

Right to restriction of processing: You have the right to demand the restriction of the processing of your personal data.

Right to data transmission: You have the right to obtain without charge from us the personal data you have provided to us in a readable format.

Right to review: In the event of automated individual decisions, you have the right to express your point of view and request a review of the decision by a natural person.

Right to object: You can object to data processing at any time, especially in the case of data processing in connection with direct marketing (e.g. marketing e-mails).

Right of revocation: Generally, you have the right to revoke any consent you have given at any time. However, processing activities based on your consent in the past will not become unlawful as a result of your revocation.

To exercise these rights, please send us an e-mail to the following address: privacidad@zebrabox.es

Right of complaint: You have the right to lodge a complaint against a competent supervisory authority, e.g. about the way in which your personal data is processed.