As further described below, for some data processing activities we act as joint controller together with the Business. We determined our respective responsibilities in a joint controller agreement in accordance with Art. 26 GDPR.
For questions regarding the Processing of Your Personal Data by the Business you visit, please contact CHEERFY using the contact details provided during registration in the event you cannot directly contact the Business.
Personal Data: means any information relating to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or location data.
Basic Profile Information: means Personal Data you provide us with during the registration process and while using our Services which will include, inter alia: your name, date of birth, age, sex, photographic material, city and/or country of residence and/or birth, email address, phone number, credentials to access some or all of this information on your social network profiles (Facebook or LinkedIn) as well as information that is publicly available on those profiles.
Business Specific Information: means Personal Data collected through surveys and during your visit to a Business’ premises, including inter alia: date, time, duration and frequency of your visits, your presence at a Business Premises, your preferences observed by the Business as well as information we collect when you visit our website or use our mobile applications like, inter alia: the full Uniform Resource Locators (URL) clickstream to, through and from our Services (including date and time), page response times on websites, download errors, the length of visits to certain areas, page and mobile application interaction information (such as scrolling, clicks and mouse-overs), and the methods you are using to browse away from pages.
Device Information: means Personal Data relating to technical information that is automatically collected in order to provide the service to you such as the Internet protocol (IP) address used to connect to the internet, login information, browser type and version, time zone setting, browser plug-in types and versions, device model, operating system and platform as well as the MAC (Medium Access Control) address of your device, which is a unique identifier assigned by the device manufacturer.
Processing: means any operation which is performed on Personal Data, such as collection, recording, organising, structuring, storing, adaptation or any kind of disclosure or other use.
Businesses: means the businesses who have subscribed to the CHEERFY Business service.
Business Affiliates: means any entity controlling, controlled by, or under common control with the Business, any entity operating under the same brand as the Business or the owner of the venue visited.
Sponsor: means any entity who pays in part or in full the subscriptions of Businesses to the CHEERFY Business service.
2. INFORMATION ON HOW CHEERFY USES YOUR PERSONAL DATA
2.1. Purposes of the Processing
In this section, we have set out information about the Personal Data we Process, the purposes we use the Personal Data for and the legal bases for the Processing of your Personal Data.
2.1.1. If you want to use our Services you need to register at a Business by connecting with a Wi-Fi device (e.g. a smartphone, tablet, or computer) to the Wi-Fi Network owned by each Business visited. During the registration process and while using our Services you provide us with Basic Profile Information and Business Specific Information. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions.
2.1.2. During your visits to a Business’ premises we will collect Business Specific Information. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions as well as our legitimate interest to maintain the CHEERFY Services targeted towards specific End Users and Businesses.
2.1.3. When you visit our website or use our mobile applications, we will collect additional Business Specific Information. The legal basis for this Processing is the execution of the Terms and Conditions as well as our legitimate interests to analyse the usage of our Services and to enhance your user experience.
2.1.4. If you are browsing through the internet during your visit to a Business’ premises, we will never monitor your activity. Please note a Business may restrict at its own discretion access to certain websites.
2.1.5. Additionally, CHEERFY will collect any phone number that is used to call our customer service. The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions as well as our legitimate interest to provide you with adequate customer support.
2.1.6. While you use our Services, we may automatically collect Device Information. The legal basis for this Processing is the execution of the Terms and Conditions.
2.1.7. In order to distinguish one End User from another, we may use your Device Information to automatically identify you at your arrival at a Business’ premises and authenticate your device when you are using our Services. The legal basis for this Processing is our legitimate interest to increase the usability of our Services and to provide our Services in a more user-friendly way.
2.1.8. To enhance your experience while using our Services and to provide you with targeted Services and information, CHEERFY Processes certain Personal Data to send you information and direct advertising via electronic messages for goods or services similar to the ones you have already obtained and to analyse the acceptance of the electronic advertising (e.g. by recording whether you have read an electronic message or clicked on links). The legal basis for this Processing of your Personal Data is the execution of the Terms and Conditions.
2.2. Disclosure of Personal Data
In this section, we have set out information about the parties to whom your Personal Data may be disclosed and the legal basis for the disclosure.
2.2.1. Please note that Business Specific Information will only be shared with the specific Business which you visited while this information was collected and its Business.
The legal basis for this disclosure of your Personal Data to Businesses and their Business Affiliates is the execution of the Terms and Conditions. To ensure that the transfer does not disproportionately interfere with your rights and freedoms, and in order to determine the respective responsibilities for compliance with the obligations under GDPR, an agreement was concluded between us and the above mentioned parties. This agreement constitutes an arrangement between joint controllers in the meaning of Art. 26 GDPR and regulates (i) the transfer of the Personal Data collected and the limitation of use of such transferred Personal Data for the provision of our Services, (ii) technical and organisational measures to be taken by us and the third parties to protect the transferred Personal Data and (iii) your rights with regards to the transferred Personal Data as described below and the fact that those rights can be exercised against us or any of the third parties. Particularly, the agreement stipulates that each of us will handle the data processing activities in our own discretion and, even though we are separately responsible for complying with data protection requirements, we will assist each other where necessary.
2.2.2. Please note that, within the scope of our Processing activities mentioned above, we will disclose your Personal Data to other Processors residing in the EU that will assist us in providing our Services and Process your Personal Data on our behalf and under our control. The legal basis for this disclosure of your Personal Data is Art. 28 GDPR.
To ensure that your Personal Data will be used only to the extent necessary and in compliance with legal requirements and our instructions, we have bound our Processors by concluding Data Processing Agreements with them. This way, we made sure that your Personal Data will be Processed only for the purposes mentioned above.
2.2.3. Please note that your data may be transferred to a third country outside the European Economic Area (EEA). Those countries may not provide an adequate level of data protection. CHEERFY shall ensure that such a transfer will be performed either to countries which have an adequate level of data protection (according to the European Commission’s Adequacy decisions) or CHEERFY will conclude Standard Contractual Clauses with each recipient that resides in a country which is not covered by an Adequacy decision of the European Commission. The Standard Contractual Clauses can be viewed here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en
2.3. Retention periods
We strive to limit our Processing activities with respect to your Personal Data. Your Personal Data will, therefore, be retained only for as long as you remain registered for our Services and, if applicable, as long as required by statutory retention requirements. If you close your CHEERFY account, we will delete all Personal Data we hold about you.
2.4. Registration for our Services
2.5. Automated decision making
We use your Personal Data to perform automated decision making including profiling. These decisions are used to provide the CHEERFY Services targeted with respect to specific End Users and Businesses and are based on products and services that each Business considers relevant to you based on your Personal Data and your visits to the Business Premises.
2.6. Data security
Please note that the transmission of information via the Internet is not completely secure. Although we will do our best to protect all Personal Data, we cannot guarantee its security when it is transmitted via our Services; any transmission takes place at your own risk. However, once we have received your Personal Data, we will use strict procedures and security features to prevent unauthorised access.
The CHEERFY mobile applications and website may, from time to time, contain links to and from the mobile applications and websites of our partner networks, advertisers and affiliates. These mobile applications and websites have their own Privacy Policies and we do not accept any responsibility or liability for these Policies. Please check the respective Privacy Policies before you submit any Personal Data to these websites and mobile applications.
3. INFORMATION ON HOW THE BUSINESS USES YOUR PERSONAL DATA
3.1. Purposes of the Processing
3.1.1. The Business processes the Business Profile Information and the Business Specific Information it receives from us to evaluate its customers’ behaviour as well as frequency of visits and length of stay. The processing serves the Business’ legitimate interest to analyse its customers to be able to adapt the service accordingly.
3.1.2. The Business uses the Business Profile Information and the Business Specific Information it receives from us to evaluate its customers’ profile to be able to provide you with the best-customized service on every visit. The legal basis is the Business’ legitimate interest to adapt its services to your specific needs and thereby increase your satisfaction.
3.1.3. The Business uses the Business Profile Information and the Business Specific Information to create and provide you with a personalised loyalty plan through electronic messages offering you rewards, special offers, gifts or information that match your preferences. The processing is based on the Business’ legitimate interest in building customer loyalty.
3.1.4. Further, you might receive personalised messages from the Business with feedback surveys and other surveys. The legal basis is the Business’ legitimate interest to increase customer satisfaction.
3.2. Disclosure of Personal Data
3.2.1. For the above-mentioned purposes, it might be necessary for the Business to share your data with service providers that support the Business in providing its services. The service provider will process your Personal Data only on behalf of the Business. The legal basis for the data access is Art. 28 GDPR in accordance with the respective data processing agreement.
3.2.2. Where necessary for the above-mentioned purposes the Business might share your Personal Data with its Business Affiliates. The legal basis is the Business’ legitimate interest to improve its service throughout its Business Affiliates.
3.2.3. Where a data recipient is located outside the EEA the Business will implement adequate safeguards for the cross-border transfer in accordance with GDPR.
3.3. Retention periods
The Business will retain your Personal Data only as long as necessary for the purposes set out above. Legal retention obligations remain unaffected.
4. YOUR RIGHTS
In this section, we have set out information about your rights regarding our Processing of your Personal Data. Depending on the specifics of the case, you may be entitled to exercise some or all of the following rights. You may:
4.1. require (i) information whether your Personal Data is retained and (ii) access to and/or (iii) duplicates of your Personal Data retained, including the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed and where possible, the envisaged period for which the Personal Data will be stored, or, if not possible, the criteria used to determine that period;
4.2. receive your Personal Data in a structured, commonly used and machine-readable format and transmit your Personal Data to another controller without our hindrance; where technically feasible you may have the right to have the Personal Data transmitted directly from us to another controller;
4.3. request proper rectification, erasure or restriction of your Personal Data, e.g. because it is incomplete or inaccurate, it is no longer needed for the purposes for which it was collected, the consent on which the Processing was based has been withdrawn, or you have taken advantage of an existing right to object to the Data Processing; in case the Personal Data is Processed by third parties, your request for rectification, erasure or restriction will be forwarded also to such third parties unless this proves impossible or involves disproportionate effort;
4.4. refuse to provide and, without impact to data Processing activities that have taken place before such withdrawal or to any other existing legal justification of the Processing activity in question, withdraw your consent to Processing of your Personal Data at any time;
4.5. take legal actions in relation to any potential breach of your rights regarding the Processing of your Personal Data, as well as to lodge complaints before the competent Data Protection Regulators; and/or
4.6. require to not be subject to any automated decision making, including profiling (automatic decisions based on Data Processing by automatic means, for the purpose of assessing several personal aspects) which produces legal effects on you or affects you with similar significance.
Additionally, you shall be entitled to object to the Processing of your Personal Data: at any time, if your Personal Data is used for direct marketing purposes; and based on grounds relating to your particular situation, if your Personal Data is Processed for other purposes.
Finally, please be informed about your right to lodge a complaint before the corresponding authority in the event that you consider that the Processing of your personal information is not compliant with the applicable data protection legislation. The contact data of every data protection authority in the European Union is available on the webpage: https://edpb.europa.eu/about-edpb/board/members_en
Last updated: 23rd August 2019