Privacy policy and revocation notice MeinDienstplan

Here we would like to describe whether and how we process your personal data and that of your employees. "We" as the controller within the meaning of the General Data Protection Regulation ("GDPR") are:

MEINDIENSTPLAN GmbH
FN 483121y
Gschmeidlerstraße 45, 2020 Hollabrunn
Austria
office@meindienstplan.at

Status: 14.03.2022

1. General information on data processing and legal bases

1.1 This privacy policy describes the nature, scope and purpose of the processing of personal data within our range of services and the websites, applications, functions and content associated with them (hereinafter collectively referred to as "services"). This statement applies regardless of the domains, systems, platforms and devices used (e.g. desktop or mobile or offline).

1.2 The definitions of the terms used here, such as "personal data" or their "processing" can be found in Art 4 GDPR.

1.3 We process personal data only in compliance with the legal provisions (in particular Art 6 para 1 GDPR). Accordingly, data is only processed if a legal permission exists; in particular, if the data processing is necessary for the fulfillment of our contractual services (e.g. processing of requests, management of time records) as well as our online services, or is required by law, or if there is consent from you or the employees as users of MEP Mobile, or if there is an overriding legitimate interest on our part (e.g. interest in the analysis and optimization of our online services).

2. Categories of data processed and legal basis for processing

2.1 The personal data you provide during registration (in particular e-mail address) will be processed by us exclusively with your (revocable) consent pursuant to Art 6 para 1 lit a GDPR.

2.2 Otherwise, we process the following of your personal data within the scope of our offer for the performance of the contract (Art 6 para 1 lit b GDPR) or on the basis of our overriding legitimate interest (Art 6 para 1 lit f GDPR):

  • Inventory data (e.g. names and addresses of customer contact persons, telephone number, e-mail address)

  • Contract data (e.g. agreed service packages, names of clerks, payment information)

  • Usage data (e.g. log-ins at the terminal)

  • Content data (e.g. entries in the time recording system, duty rosters)

  • Support data (requests in case of errors, error logs)

3. Purposes of data processing

3.1 The personal data mentioned in point 2 are processed for the following purposes:

  • for the proper execution of the contractual relationship concluded with the customer and the fulfillment of the contractually ordered modules;

  • to provide you with our services and to further improve them and make them more user-friendly for you;

  • to improve the user-friendliness of our applications on the basis of anonymized analyses of user behavior;

  • to process and respond to your requests in the event of an error.

3.2 Your personal data used in each case originates from the information you yourself provide during the ordering process or is automatically collected when you visit the website (e.g. IP address).

4. Transfer of data to third parties and third-party providers

4.1 Data is only passed on within the framework of legal requirements. Accordingly, we only pass on data if this is necessary, e.g. on the basis of Art 6 para 1 lit b GDPR for the execution of the contract or due to an overriding legitimate interest in economic and effective operation in accordance with Art 6 para 1 lit f GDPR.

4.2 If we use subcontractors, they are located in the EU or the EEA. A transfer to third countries does not take place.

4.3 For the above purposes, we transfer your personal data to the following recipients or categories of recipients:

  • IT service provider

  • Web host

  • Payment service provider

  • Financial services provider

5. Duration of storage

5.1 The data stored by us will be deleted or completely anonymized as soon as they are no longer required for their intended purpose, provided the deletion does not conflict with any statutory retention obligations and the data is not required for the clarification of legal disputes.

5.2 According to § 132 BAO we are legally obliged to keep accounting documents (e.g. invoices, receipts) for a period of at least 7 years (longer in case of legal disputes).

5.3 Your employee data will be deleted within 60 days if you so wish and request it in writing.

6. Use of the app for employees / use of your employees' data

6.1 In addition to our online offer, we provide your employees with a mobile app that they can download onto their smartphones. You remain the sole controller of the data processed there. We process the data only in accordance with your instructions within the scope of the services we offer and on the basis of the order processing agreement concluded with you.

6.2 Only those personal employee data are processed which are transmitted by you or entered by the employee directly in the app. Any additional data processing that we carry out in our function as the responsible party can be found in the app's privacy policy, available at http://www.meindienstplan.at/at/datenschutz/app. Your employee will be informed about the privacy policy, as well as about any updates to the provisions accordingly, and must agree in order to be able to use the app.

6.3 The usual procedure regarding the transfer and processing of personal employee data is as follows:

  • The master data of the employees is entered and maintained by the restaurant manager/operations manager in the web application of "MEIN DIENSTPLAN".

  • Duty and vacation planning is also carried out in the web application of "MEIN DIENSTPLAN".

  • For each employee, a user account can be linked in the master data in "MEIN DIENSTPLAN". If there is no account for the employee's e-mail address yet, it will be automatically prepared and the employee will receive an e-mail with a link to complete their registration and choose a password.

  • The employee has to choose a password of at least 8 characters (incl. upper and lower case letters, min. 1 number) himself and thus completes the registration.

  • The employee will then receive a confirmation link to the email address they have provided to confirm registration.

6.4 The following personal data of your employees are at least necessary to perform duty scheduling:

  • First and last name

  • Main work area (e.g. lobby, service), skills

  • E-mail address of the employee

  • Date of birth of the employee

  • Information on the employment relationship (entry date, weekly hours, reporting days, vacation entitlement)

In order to use all of the packages and features offered by our services, it may be necessary to provide all of the employee's personal information in detail, including:

  • Social security number

  • Country, zip code, city, address

  • Citizenship and type of citizen

  • Gender

  • Pregnant Yes/No

  • 50% Disability present Yes/No

  • Driver's license yes/no incl. possible expiration date

  • First aid course yes/no incl. possible expiration date

  • Password (appropriately encrypted; no possibility of inference to the plaintext password)

  • Bank details (IBAN, BIC)

6.5 The personal employee data thus collected shall be processed for the following purposes:

  • To perform the services you have booked

  • To ensure a correct representation of all duty times and break times

  • To ensure data security and fraud prevention

  • In anonymous form for the creation of statistics and for the improvement of the services we offer

6.6 Legal basis: The processing of the personal employee data provided by you is carried out in accordance with Art 6 para 1 lit b GDPR (fulfillment of a contractual obligation).

6.7 For the above purposes, we transfer the personal employee data to the following recipients:

  • IT service providers used by us

  • Providers commissioned by us for data storage

  • Tax consultants or payroll offices commissioned by us (if the contract concluded includes a package for payroll accounting)

7. Your rights in connection with the processing of personal data

7.1 You have the right to (i) check whether and which personal data we have stored about you and to obtain copies of this data (access), (ii) request the correction, amendment or deletion of your personal data that is incorrect or not processed in accordance with the law (rectification), (iii) request us to restrict the processing (restriction), (iv) in certain circumstances object to the processing of your personal data or withdraw the consent previously given for the processing (e.g. newsletter registration), (v) request data transfer (data transfer), (vi) know the recipients or categories of recipients to whom your personal data are transferred, and (vii) lodge a complaint with the Austrian data protection authority (www.dsb.gv.at) (right to lodge a complaint).

8. Subcontractor

8.1 For the automated processing of the payment transaction, MD meinDienstplan GmbH uses the payment service provider Stripe Payments Europe Limited (for details see point 9).

8.2 The Content Delivery Network of Cloudflare Germany GmbH is used to deliver the web applications and websites (for details see item 10).

8.3 The backup of all data as well as the program logic takes place in data centers within the EU on rented server infrastructure of the following subcontractors:

8.4 All server locations are within the EU, for completeness the locations per subcontractor (if applicable) are listed here:

  • netcup GmbH
    Data Center Nuremberg (DE)

  • DigitalOcean, LLC
    Data Center FRA1 - Frankfurt (DE)

  • Amazon Web Services, Inc.
    Zones: eu-central-1a, eu-central-1b, eu-central-1c
    Region: Europe, Frankfurt (DE)

  • Hetzner Online GmbH
    not applicable as only domains are managed via Hetzner Online GmbH

9. Stripe Payments Europe Limited

9.1 We offer the possibility to process the payment transaction via the payment service provider Stripe Payments Europe Limited (1 Grand Canal Street Lower, Grand Canal Dock, Dublin, D02 H210, Ireland). This corresponds to our legitimate interest in offering an efficient and secure payment method (Art. 6 para. 1 lit. f GDPR). In this context, we share the following data with Stripe to the extent necessary for the performance of the contract (Art. 6 para. 1 lit. b GDPR): Cardholder name, email address, customer number, invoice number, bank details, credit card details, credit card validity period, credit card verification number (CVC), date and time of the transaction, transaction amount, name of the provider, location. The processing of the data provided under this section is not required by law or contract. Without the transmission of your personal data, we will not be able to make a payment via Stripe, but this will not affect your contractual relationship with MD meinDienstplan GmbH as you, as a customer, will still have the option to make all payments manually.

9.2 Stripe has a dual role as controller and processor in data processing activities. As a controller, Stripe uses your submitted data to fulfill regulatory obligations. This corresponds to Stripe's legitimate interest (pursuant to Art. 6 para. 1 lit. f GDPR) and serves the performance of the contract (pursuant to Art. 6 para. 1 lit. b GDPR). We have no influence on this process. Stripe acts as an order processor in order to be able to complete transactions within the payment networks. Within the scope of the order processing relationship, Stripe acts exclusively according to our instructions and has been contractually obligated within the meaning of Art. 28 GDPR to comply with the provisions of data protection law.

9.3 Stripe has implemented compliance measures for international data transfers. These apply to all global activities where Stripe processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information about opting out and opting in with Stripe, please visit: https://stripe.com/privacy-center/legal

9.4 Address of the provider:

  • Stripe Payments Europe Limited
    1 Grand Canal Street Lower, Grand Canal Dock
    Dublin, D02 H210
    Ireland

10. Cloudflare Germany GmbH

10.1 We use the Content Delivery Network (CDN) of Cloudflare Germany GmbH, Rosental 7, c/o Mindspace, 80331 Munich, Germany (Cloudflare) to increase the security and delivery speed of our services, which is in our legitimate interest (Art. 6 para. 1 lit. f GDPR). A CDN is a network of distributed servers that is able to deliver optimized content to the website user. For this purpose, personal data (e.g. cookies, IP address, etc.) may be processed in server log files.

10.2 Cloudflare is the recipient of this data and acts as a processor for us. This corresponds to our legitimate interest within the meaning of Art. 6 (1) sentence 1 lit. f GDPR not to operate a CDN ourselves. You have the right to object to the processing; whether the objection is successful is to be determined in the context of a balancing of interests. You can find more information about objection and removal options vis-à-vis Cloudflare at www.cloudflare.com.

10.3 Cloudflare has implemented compliance measures for international data transfers. These apply to all global activities where Cloudflare processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit https://www.cloudflare.com/cloudflare_customer_SCCs-German.pdf

11. Modification of the privacy policy

11.1 Since, for example, the legal situation or our services including the associated data processing may change, we reserve the right to adapt this privacy policy accordingly. However, this only applies with regard to declarations on data processing. Insofar as we require your consent for data processing or parts of this data protection declaration contain regulations of the contractual relationship with the users, the changes will only be made with your consent.

11.2 Please inform yourself regularly about the current content of our privacy policy.