LuminaVital Lichttherapie Anwendungen
is a Line of the CBS GmbH
1210 Vienna, Karl Waldbrunnerplatz 1, Austria,
Telephon: 0043 664 4678057
Reg. no.: FN 129963y
Legal venue: Landesgericht Salzburg
UID-No: ATU 38298800
Member of the Chamber of Commerce in Vienna
Responsible holder of this site
1210 Vienna, Karl Waldbrunnerplatz 1, Austria
For contacts from Austria and Germany: Lumina Vital GmbH, Lichttherapie Anwendungen, Opernring 1 |R 745, 1010 Vienna (Austria)- tel. per Austria: 0662 89 00 15, tel. per Germania: 0043 662 89 00 15 E-Mail: firstname.lastname@example.org
For contacts from Italy: Lumina Vital S.R.L., Applicazioni della fototerapia, Piazza Principale 35, 39040 Ora (BZ) (Italy)- tel: 338/8112686 E-Mail: email@example.com
Warwitzstraße 9 a 5023 Salzburg (Austria) e Bruno Buozzi Straße 14 a 39100 Bolzano (BZ) (Italy)
Dorfstraße 12, 39040 Varna (BZ) (Italy)
Design + text: Ausserhofer Webdesign
The content and graphic of this website is protected by copyright.
Written permission must be gained in advance before reproducing any of the web site content. This applies particularly to texts and text extracts.
Other graphic material is either free common (pixabay) or protected by the copyright of the cited sources.
Thank you for your interest in our company. Privacy is a very high priority for the management at LuminaVital. Fundamentally, the use of our website is possible without giving any personal data. However, if a Data Subject wants to take advantage of specific services from our company via our website, processing of some personal data may be required. If processing of personal data is required and there is no legal basis for such processing, we generally obtain consent from the Data Subject.
As Controller, Rüdiger Hubmann has implemented many technical and organisational measures to ensure the most complete protection possible of personal data processed via this website. However, internet-based data transfers may exhibit security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, Data Subjects are entitled to provide their personal data by alternative means, such as by phone.
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (hereafter “Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data Subject
A Data Subject is any identified or identifiable natural person whose personal data is processed by the Controller.
Processing is any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
Profiling is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation is the processing of personal data in such a manner that the personal data can no longer be associated with a specific Data Subject without reference to additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
A Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the Controller or the specific criteria for their nomination may be provided for by Union or Member State law.
A Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
A recipient is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, regardless of whether this is a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third party
A third party is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.
Consent is any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he or she, by a statement or by a clear affirmative action, agrees to the processing of personal data relating to him or her.
2. Name and address of Controller
The Controller in the sense of the General Data Protection Regulation and other applicable data protection legislation or other data protection-related regulations in the Member States of the European Union is:
Schnepfenstraße 9, 5302 Henndorf am Wallersee/Austria
3. Name and address of Data Protection Officer
The Data Protection Officer for the Controller is:
Schnepfenstraße 9, 5302 Henndorf am Wallersee/Austria
Any Data Subject can contact our Data Protection Officer directly at any time for any questions or concerns about privacy.
Numerous websites and servers used cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier for the cookie. It consists of a string of characters by which websites and servers can be associated with the specific web browser in which the cookie is stored. This allows the websites and servers visited to distinguish the individual browser of the Data Subject from other web browsers which contain other cookies. A specific web browser can be recognised and identified by its unique cookie ID.
By using cookies, we can provide users of this website with more user-friendly services, which would not be possible without placing the cookies.
The Data Subject can at any time prevent our website from setting cookies through the relevant settings of their web browser, and thus permanently object to the setting of cookies. Moreover, using a web browser or other software, you can at any time delete cookies that have already been set. This can be done in all current web browsers. If the Data Subject deactivates the setting of cookies in their web browser, some of the functions of our website may become unavailable under certain circumstances.
5. Collection of general data and information
At each visit by a Data Subject or automated system, our website records a range of general data and information. These general data and information are stored in the server logfiles. Data liable to be collected can be (1) the browser type used and versions, (2) the operating system of the accessing system, (3) the website from which the accessing system accesses our website (so-called referrer), (4) the website subpages that are accessed by an accessing system, (5) the date and time of an access to the website, (6) an Internet Protocol address (IP address), (7) the Internet Service Provider of the accessing system and (8) various similar data and information which relate to security in cases of cyberattacks.
When using this general data and information, we draw no conclusions about the Data Subject. Instead, this information is used to (1) correctly deliver the content of our website, (2) optimise the website contents and advertisement, (3) ensure continuing functionality of our information technology systems and our website’s technology and (4) provide law enforcement agencies with the information that they require for prosecution in the case of a cyberattack. These anonymously-collected data and information are therefore evaluated both statistically and with the aim of improving data protection and data security in our company, ultimately to ensure the best possible protection for the personal data processed by us. The anonymous data in the server logfiles are stored separately from all personal data given by a Data Subject.
6. Contact options via website
For legal reasons, our website contains information allowing fast electronic contact with our company and direct communication with us, which also includes a general address for electronic mail (email address). If a Data Subject gets in contact with the Controller by email or contact form, the personal data transmitted by the Data Subject will automatically be stored. These personal data, transmitted voluntarily by a Data Subject to the Controller are stored for the purposes of processing or for contacting the Data Subject. These personal data are not shared with third parties.
7. Routine deletion and locking of personal data
The Controller processes and retains the Data Subject’s personal data only for the period required to fulfil the purpose of retaining it or for the period intended under European directives and regulations or the laws and regulations of another legislature to which the Controller is subject.
If the purpose of retaining it no longer applies, or the retention period under European directives and regulations or those of another relevant legislature expires, the personal data will be locked or deleted routinely and in accordance with applicable laws and regulations.
8. Rights of the Data Subject
a) Right to confirmation
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller confirmation as to whether or not personal data concerning them are being processed. If a Data Subject wishes to exercise this right to confirmation, he or she can do so at any time by contacting an employee of the Controller.
b) Right of access
All Data Subjects have the right, granted by the European directives and regulations, at any time to receive from the Controller free access to the personal data stored about them and to receive a copy of this information. Moreover, European directives and regulations grant the Data Subject access to the following information:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
- where possible, the envisaged period for which the personal data will be retained, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the Data Subject or to object to such processing
- the right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the Data Subject: any available information as to their source
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the Data Subject
Furthermore, the Data Subject has the right to be informed whether personal data are transferred to a third country or to an international organisation. If this is the case, the Data Subject also has the right to be informed of the appropriate safeguards relating to the transfer.
If a Data Subject wishes to exercise this right of access, he or she can do so at any time by contacting an employee of the Controller.
c) Right to rectification
All Data Subjects have the right, granted by the European directives and regulations, to obtain the rectification without undue delay of inaccurate personal data concerning them. Furthermore, the Data Subject has the right, taking into account the purposes of the processing, to have incomplete personal data completed, including by means of providing a supplementary statement.
If a Data Subject wishes to exercise this right to rectification, he or she can do so at any time by contacting an employee of the Controller.
d) Right to erasure (Right to be forgotten)
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies and if processing is not compulsory:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- The Data Subject withdraws consent on which the processing is based according to letter (a) of Article 6 (1) of the GDPR, or letter (a) of Article 9 (2) of the GDPR, and where there is no other legal ground for the processing.
- The Data Subject objects to the processing pursuant to Article 21 (1) of the GDPR and there are no overriding legitimate grounds for the processing, or the Data Subject objects to the processing pursuant to Article 21 (2) of the GDPR.
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a statutory obligation in Union or Member State law to which the Controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8 (1) of the GDPR.
If one of the grounds above applies and a Data Subject wishes to obtain deletion of personal data stored at us, he or she can at any time apply to an employee of the Controller or himself for this. The employee will arrange for the deletion without undue delay.
Where we have made the personal data public and our company as Controller under Article 17 (1) of the GDPR is obliged to erase the personal data, we, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform any other Controllers involved in the processing of such data that the Data Subject has requested the erasure of any links to, or copy or replication of, those personal data, unless that processing is required by law. Our employee will take the necessary steps on a case-by-case basis.
e) Right to restriction of processing
All Data Subjects have the right, granted by the European directives and regulations, to obtain from the Controller restriction of processing where one of the following applies:
- The accuracy of the personal data is contested by the Data Subject, for a period enabling the Controller to verify the accuracy of the personal data
- The processing is unlawful and the Data Subject opposes the erasure of the personal data and requests the restriction of their use instead.
- The Controller no longer needs the personal data for the purposes of the processing, but they are required by the Data Subject for the establishment, exercise or defence of legal claims.
- The Data Subject has objected to processing pursuant to Article 21 (1) of the GDPR, pending verification of whether the legitimate interests of the Controller override those of the Data Subject.
If one of the provisions above applies and a Data Subject wishes to obtain restriction of personal data stored at us, he or she can at any time apply to an employee of the Controller or himself for this. The employee will arrange for the restriction of processing without undue delay.
f) Right to data portability
All Data Subjects have the right, granted by the European directives and regulations, to receive the personal data concerning him or her, which he or she has provided to a Controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where the processing is based on consent pursuant to letter (a) of Article 6 (1) of the GDPR or letter (a) of Article 9 (2) of the GDPR or on a contract pursuant to letter (b) of Article 6 (1) of the GDPR; and the processing is carried out by automated means, unless processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
Furthermore, in exercising his or her right to data portability under Article 20 (1) of the GDPR, the Data Subject has the right to have those personal data transmitted directly from one Controller to another, where technically feasible, and where the rights and freedoms of others are not adversely affected.
To exercise the right to data portability, the Data Subject can apply at any time to an employee of us or the controller himself.
g) Right to object
All Data Subjects have the right, granted by the European directives and regulations, to object at any time, on grounds relating to their particular situation, to the processing of their personal data based on letter (e) or (f) of Article 6 (1) of the GDPR. This also applies to profiling based on those provisions.
In cases of objection, we will no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the Data Subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed by us for direct marketing purposes, the Data Subject has the right to object at any time to processing of their personal data for such purposes. This also applies to profiling to the extent that it is related to direct marketing activities. Where the Data Subject objects to processing by us for direct marketing purposes, we will no longer process the personal data for such purposes.
Moreover, the Data Subject has the right, on grounds relating to his or her particular situation, to object to the processing of personal data concerning them which are processed at us for scientific or historical research purposes or statistical purposes pursuant to Article 89 (1) of the GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
To exercise the right to object, the Data Subject can apply directly to an employee or the controller himself. The Data Subject is also free, in the context of the use of information society services, and notwithstanding Directive 2002/58/EC, to exercise his or her right to object by automated means using technical specifications.
h) Automated individual decision-making, including profiling
All Data Subjects have the right, granted by the European guidelines and regulations, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless the decision (1) is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller, or (2) is authorised by European Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard the Data Subject’s rights and freedoms and legitimate interests or (3) is based on the Data Subject’s explicit consent.
If the decision (1) is necessary for entering into, or performance of, a contract between the Data Subject and a Data Controller or (2) is based on the Data Subject’s explicit consent, we shall implement suitable measures to safeguard the Data Subject’s rights, freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express their point of view and to contest the decision.
If a Data Subject wishes to exercise their rights relating to automated individual decision-making, he or she can do so at any time by contacting an employee of the Controller.
i) Right to withdraw consent
All Data Subjects have the right, granted by the European guidelines and regulations, to withdraw consent at any time to the processing of personal data.
If Data Subjects wish to exercise their right to withdraw consent, they can do so at any time by contacting an employee of the Controller.
The Controller has incorporated tools from Facebook into this website. Facebook is a social network.
A social network is a social meeting point run on the internet, an online community which generally lets users communicate among each other and interact in a virtual space. A social network can act as a platform for the exchange of opinions and experiences or allow the internet community to provide personal or company-related information. Among other things, Facebook allows users of the social network to set up private profiles, upload photos, and network via friend requests.
The operating company for Facebook is Facebook, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA. For Data Subjects who live outside the USA and Canada, the Controller for personal data is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Every time the Data Subject visits one of the individual pages of this website, which is managed by the Controller and on which a Facebook tool (Facebook Plug-In) has been incorporated, the web browser of the Data Subject’s IT system is automatically prompted by that Facebook tool to download a copy of the corresponding tool from Facebook. An overview of all Facebook plugins can be found at: https://developers.facebook.com/docs/plugins. As part of this technical process, Facebook receives information on which specific sub-page of our website is visited by the Data Subject.
If the Data Subject is logged in to Facebook, with each visit to our website Facebook recognises which specific subpages are visited by the Data Subject for as long as they stay on our website. This information is collected by Facebook tools and Facebook associates it with the respective Facebook account of the Data Subject. If the Data Subject clicks one of the Facebook buttons incorporated into our website, for example a “Like” button, or if the Data Subject makes a comment, Facebook assigns this information to the Data Subject’s personal Facebook account and retains these personal data.
Facebook therefore receives information via the Facebook tools that the Data Subject has visited our website if the Data Subject is logged in to Facebook at the same time; this takes place independently of whether the Data Subject clicks the Facebook tool or not. If the Data Subject does not want to transmit such information to Facebook, he or she can prevent transmission by being logged out of his or her Facebook account before visiting our website.
Facebook’s published data policy, which is available at https://facebook.com/about/privacy/, gives more information about the collection, processing and use of personal data by Facebook. It also explains which settings Facebook offers for protecting the Data Subject’s privacy. In addition, various applications are available which can be used by the Data Subject to suppress data transmission to Facebook.
The Controller has incorporated the Google Analytics tool (with anonymisation function) into this website. Google Analytics is a web analytics service. Web analytics is the collection, compilation and evaluation of data on the behaviour of website visitors. Among other things, a web analytics service records the website from which a Data Subject has come (so-called referrer site), the website subpages accessed, and how often and for how long a subpage is viewed. Web analytics is predominantly used to optimise a website and for cost-benefit analysis of internet advertising.
The operating company for the Google Analytics tool is Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
The Controller uses the “_gat._anonymizeIp” function for web analytics via Google Analytics. Using this function, Google shortens and anonymises the IP address of the Data Subject’s internet connection, if access to our website is from a Member State of the European Union or from another Country party to the Agreement on the European Economic Area.
The purpose of the Google Analytics tool is to analyse visitor flows to our website. Google uses the data and information collected for, among other things, evaluating the usage of our website, creating online reports for us which show activity on our web pages, and supplying other services relating to the usage of our website.
The cookies allow personal information to be stored, such as the time and place of access and the frequency of visits to our website by the Data Subject. Each time the Data Subject visits our website, these personal data, including the IP address of the internet connection used, are transmitted to Google in the United States of America, where Google stores them. Under certain circumstances, Google may transfer the personal data thus collected to third parties.
The Data Subject can prevent our website from setting cookies at any time by changing the relevant settings of their web browser, and thus permanently object to the setting of cookies, as already described above. This browser setting would also prevent Google from setting cookies on the Data Subject’s IT system. Also, cookies that have has already been set by Google Analytics can be deleted at any time through the web browser or another software programme.
11. Legal basis for processing
Article 6 (1) letter (a) of the GDPR serves as our company’s legal basis for processing activities done for such purposes for which we require the Data Subject’s consent. If the processing of personal data is necessary for fulfilling a contract in which the Data Subject is a party, e.g. the processing of data necessary for the delivery of goods or provision of other services or considerations, processing will be based on Article 6 (1) letter (b) of the GDPR. The same applies to the processing of data which is necessary for carrying out pre-contractual measures, e.g. in cases of enquiries about our products or services. If our company is subject to a statutory duty that requires the processing of personal, such as for example compliance with tax requirements, processing is based on Article 6 (1) letter (c) of the GDPR. In rare cases, processing of personal data could be necessary to protect the vital interests of the Data Subject or another natural person. For example, this could be the case if a visitor to our business were injured and their name, health insurance data or other vital information had to be passed to a doctor, hospital or other third party. Then processing would be based on Article 6 (1) letter (d) of the GDPR. Lastly, processing may be based on Article 6 (1) letter (f) of the GDPR. This is the legal basis for processing activities which are not covered by any of the previous legal bases, if processing is necessary for the safeguarding of a legitimate interest of our company or of a third party, insofar as the interests, rights and freedoms of the Data Subject are not overridden. Such processing activities are allowed as specifically provided for by the European legislators. In this regard, the view was taken that a legitimate interest could be assumed if the Data Subject is a customer of the Controller (GDPR recital 47, second sentence).
12. Legitimate interests for processing which are pursued by the Controller or a third party
Where the processing of personal data is based on Article 6 (1) letter (f) of the GDPR, it is in our legitimate interest to carry out our business for the benefit of all our employees and shareholders.
13. Personal data retention period
Personal data are stored and retained for a period the duration of which is based on the current statutory retention period. After this time has elapsed, the corresponding data are routinely deleted, provided that they are no longer necessary for contract performance or conclusion.
14. Statutory or contractual requirements for provision of personal data; contract requirements; obligation of the Data Subject to provide personal data; possible consequences of failure to provide data
We should like to make it clear that the provision of certain personal data is a statutory requirement (e.g. tax laws) or can result from contractual obligations (e.g. information about the contracting party). In some cases, it may be necessary for a Data Subject to make personal data available to us, the processing of which is necessary in relation to a contract. The Data Subject is, for example, obliged to provide us with personal data if our company enters into a contract with him or her. Failure to provide the personal data would result in the parties being unable to enter into or perform the contract. Before providing any personal data, the Data Subject must apply to one of our employees, who will clarify to the Data Subject, on a case-by-case basis, whether the provision of personal data is a legal or contractual requirement and necessary for entering into a contract, and what consequences may arise from failure to provide personal data.
15. Existence of automated decision-making
As a responsible company, we do not undertake automated decision-making or profiling activities.