Back to the top

Vitra’s Privacy Policy


I. Data protection provisions for the vitra.com website

Vitra International AG takes the protection of your personal data very seriously. The purpose of this Privacy Policy is to inform you of the type of personal data that will be collected when you use our website vitra.com, as well as how we will process, use, and protect such data.


1. Scope

1.1
Use of the vitra.com website is subject to the Privacy Policy set out below. This website is a service provided by Vitra International AG, Klünenfeldstr. 22, 4127 Birsfelden, Basel-Landschaft, Switzerland (hereinafter “Vitra”). Where relevant, Vitra is the controller pursuant to Art. 4 of the EU General Data Protection Regulation (hereinafter “GDPR”).

1.2
Protecting your personal data is important to us, in particular, with regard to respecting your personal rights in connection with the processing and use of such data. The term “personal data” refers to information regarding the personal and/or factual circumstances of an identified or identifiable natural person. This includes, for example, the person’s name, postal address, email address and/or telephone number, as well as user data such as the IP address. We collect, process, and use your personal data in compliance with the relevant laws.


2. Automated data collection and processing by your browser

2.1
As with every website, our server automatically collects the following information and temporarily saves it in server log files, which are transmitted by your browser – unless you have deactivated such function:

- the IP address of the computer transmitting the request
- the client’s file request
- the http response code
- the volume of data transmitted
- the website from which you access our website (referrer URL)
- the date and time of the server request
- the type, version and language of your browser
- the operating system on the computer transmitting the request

Our server log files are not evaluated based on personal use. At no time can the provider allocate this data to specific persons. This data is not combined with other data sources.

2.2
Our website uses Google Analytics, a web analytics service offered by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”). Google Analytics uses text files called cookies, which are saved on your computer to facilitate analysis of your use of our website. The information collected by the cookies relates to your operating system, browser and IP address, the website you accessed previously (referrer URL), and the date and time of your visit to our website. The information generated by cookies regarding your use of this website is usually transmitted to and saved on a Google server in the United States. If and when IP anonymisation is activated on this website, Google will nevertheless truncate your IP address for transmission among member states of the European Union or to other member states of the Agreement on the European Economic Area. Only in exceptional cases will your full IP address be transmitted to a Google server in the United States and then truncated there. At the request of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide the provider of the website with other services relating to website activity and Internet use. The IP address transmitted from your browser as part of Google Analytics will not be merged with any other data held by Google.

You may refuse the use of cookies by selecting the appropriate settings on your browser software; however, please note that in this case you may not be able to use the full functionality of this website. In addition, you can object to Google’s collection of data generated by cookies relating to your use of the website (including your IP address) as well as to its dissemination of the data. To do this, download and install the browser plug-in available under the following link https://tools.google.com/dlpage/gaoptout

We use Google Analytics to analyse and regularly enhance the use of our website. The statistics derived through this allow us to improve our offerings and make them more interesting for you, the user. If we ask for your consent, the legal basis for processing is Art. 6 Para. 1 lit. a) GDPR. Otherwise, the legal basis for the use of Google Analytics is Art. 6 Para. 1 s. 1 lit. f) GDPR.

Information regarding the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; terms of use, overview of data protection, as well as the privacy policy.

2.3
Retargeting: Our website makes use of retargeting technology. We use this technology to enhance the website’s appeal to you. This technology enables us to address Internet users who have shown an interest in our shop and our products in the past through advertising on our partners’ websites. We believe that personalised and interest-oriented advertising tends to be more interesting to Internet users than non-targeted advertising. These advertisements are displayed on our respective partners’ websites, based on cookie technology and an analysis of visitors’ prior use of the Internet. This form of advertising is entirely pseudonymous. No usage profiles will be consolidated with your personal data. By using our website, you consent to cookies being used to capture, save and use your user-related data. Your data will be saved in cookies beyond the end of your browser session so that it can be retrieved, for example, when you visit the website again. You can revoke your consent at any time with immediate effect by setting your browser so that cookies no longer are accepted. If we ask users for consent, the legal basis for processing is Art. 6 Para. 1 lit. a) GDPR. Otherwise, the legal basis for the use of retargeting technology is Art. 6 Para. 1 s. 1 lit. f) GDPR.

2.4
DoubleClick by Google is a service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”). DoubleClick by Google uses cookies to present you with advertisements that are relevant to you. To this end, your browser is allocated a pseudonymous identification number (ID), which is used to verify which advertisements were displayed in your browser and which of them were clicked. These cookies do not contain any personal information. Google and its partner websites use DoubleClick cookies only to run advertisements based on prior visits to our or other websites. Google transmits the information generated by cookies to a server located in the USA, where it is saved and analysed. Google transmits such data to third parties only if required by law or in the context of contract-related data processing. In any case, your data will not be consolidated with other data captured by Google. By using our website, you consent to your personal data being processed by Google and to the aforementioned nature and purpose of data processing. You may refuse the use of cookies by selecting the appropriate settings on your browser software; however, please note that in this case you may not be able to use the full functionality of our website. In addition, you can object to Google’s collection of data generated by cookies and data that relates to your use of the website, as well as to Google’s processing of this data. To do so, please open this link and download and install the browser plug-in from the DoubleClick Deactivation Add-On section. Alternatively, you can deactivate DoubleClick cookies on Digital Advertising Alliance’s website under the following link. If we ask users for consent, the legal basis for processing is Art. 6 Para. 1 lit. a) GDPR. Otherwise, the legal basis for processing your data is Art. 6 Para. 1 s. 1 lit. f) GDPR. For more information on DoubleClick by Google, please refer to https://www.google.de/doubleclick and http://support.google.com/adsense.

Information regarding the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; terms of use, overview of data protection, as well as the privacy policy.

2.5
Google Forms: We use the Google Forms service from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”) to carry out surveys or for online forms. Google Forms makes it possible to design and evaluate surveys and online forms. In addition to the respective personal data that you enter in the respective forms, information on your operating system, browser, date and time of your visit, referrer URL and your IP address is recorded. Your personal data will be processed by Google on our behalf. The legal basis for the processing of data by Google is Art. 28 GDPR.

Processing usually takes place within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. However, it cannot be ruled out that data transfers to the USA may occur.

Information regarding the third-party provider: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland; https://policies.google.com/privacy

2.6
Bing Ads: We use Microsoft Advertising, a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (hereinafter “Microsoft”) on our website. Microsoft Advertising helps us to analyse the user behaviour of visitors to our website, if users have reached our website via a Microsoft advertisement. To do this, Microsoft places cookies on the visitor's devices when a visitor has come to our site via Microsoft's services. This is how Microsoft and we can recognise when someone has reached us through an advertisement on a Microsoft website. The only information we receive is the total number of users who came to our site via a Microsoft advertisement. No personal information of the users is communicated.

We use Bing Ads to analyse and regularly enhance the use of our website. The statistics derived through this allow us to improve our offerings and make them more interesting for you, the user. If we ask users for consent, the legal basis for processing is Art. 6 Para. 1 lit. a) GDPR. The legal basis for the use of Bing Ads is Art. 6 Para. 1 s. 1 lit. f) GDPR.

You may refuse the use of cookies by selecting the appropriate settings on your browser software; however, please note that in this case you may not be able to use the full functionality of this website. You can also object to the use of your data with Microsoft directly: https://about.ads.microsoft.com/en-us/resources/policies/opt-out-of-the-microsoft-advertising-optimization-program.

Information regarding the third-party provider: Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA; privacy policy.

2.7
LinkedIn marketing services: We use the marketing services of the social network LinkedIn from LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter “LinkedIn”) within our website. These services make use of cookies, which are text files that are stored on your computer. This enables us to analyse your use of the website. For example, we can measure the success of our advertisements and show users products that they were previously interested in. This includes e.g. information about the operating system, the browser, the website you previously called up (referrer URL), which websites the user visited, which offers the user clicked on, and the date and time of your visit to our website.

The information generated by cookies regarding your use of this website is transmitted anonymously to a LinkedIn server in the USA and saved there. LinkedIn thus does not save the name or the email address of the respective user. Instead, the above-mentioned data is only assigned to the person with whom the cookie was generated. This does not apply if the user has allowed LinkedIn to process the data without pseudonymisation or if they have a LinkedIn account.

You may refuse the use of cookies by selecting the appropriate settings on your browser software; however, please note that in this case you may not be able to use the full functionality of this website. You can also object to the use of your data with LinkedIn directly: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

We use LinkedIn Analytics to analyse and regularly enhance the use of our website. The statistics derived through this allow us to improve our offerings and make them more interesting for you, the user. All LinkedIn companies have adopted the standard contractual clauses to ensure that the data traffic to the USA and Singapore necessary for the development, operation and maintenance of the services takes place in a lawful manner. If we ask users for consent, the legal basis for processing is Art. 6 Para. 1 lit. a) GDPR. The legal basis for the use of LinkedIn Analytics Art. 6 Para 1 s. 1 lit. f) GDPR.

Information regarding the third-party provider: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2 Ireland; terms of use und privacy policy.

2.8
Polyfill.io: We use Polyfill, a service of the Financial Times Limited, Bracken House, 1 Friday Street, London, EC4M 9BT, United Kingdom on our website. Polyfill reloads Java-Script code. If JavaScript is activated in your browser and no JavaScript blocker is installed, your browser will transmit personal data to Polyfill. This includes, for example, information about your browser, your IP address and the URL of the requesting website. Polyfill does not save your IP address after the downloaded code has been provided. To prevent JavaScript from being executed, you can adjust the settings in your browser or install a JavaScript blocker.

The purpose of using Polyfill is to enable visitors to our website to have the same flawless user experience – regardless of the different browser types. The legal basis for the use of Polyfill is Art. 6 Para 1 s. 1 lit. f) GDPR.

Information regarding the third-party provider: The Financial Times Limited, Bracken House, 1 Friday Street, London, EC4M 9BT, United Kingdom; terms of use, privacy policy.

2.9
Google Maps: We use Google Maps from Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”) on this website. This enables us to show you interactive maps directly on the website and enables you to conveniently use the map function. The legal basis for the use of Google Maps is Art. 6 Para. 1 s. 1 lit. f) GDPR.

When you visit the website, Google is informed that you have accessed the corresponding subpage of our website. In addition, the data mentioned in Section 2.1 of this Privacy Policy will be transmitted. This takes place regardless of whether Google provides a user account that you are logged into, or whether there is no user account. If you are logged into Google, your data will be assigned directly to your account. If you do not want your profile to be assigned to Google, you must log out before activating the button. Google stores your data as user profiles and uses them for the purposes of advertising, market research and/or the needs-based design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have a right to object to the creation of these user profiles, but you must contact Google to exercise this right.

Further information on the purpose and scope of data collection and its processing by the plug-in provider can be found in the provider's privacy statements. You will also find there further information on your rights and setting options to protect your privacy: https://policies.google.com/privacy. Google also processes your personal data in the USA.

2.10
Vimeo: This website uses plugins from the Vimeo video portal from Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA (hereinafter “Vimeo”).

We use Vimeo in the “do-not-track mode”. According to Vimeo, this mode prevents the player from following all data of the playback session. According to Vimeo, this has the same effect as activating a do-not-track header in the browser: https://vimeo.zendesk.com/hc/en-us/articles/360001494447-Using-Player-Parameters.

Vimeo is used in the interest of an appealing presentation of our website. This represents a legitimate interest within the meaning of Art. 6 Para. 1 lit. f) GDPR.

Information regarding the third-party provider: Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA; privacy policy

2.11
Flowbox: We use the Flowbox service provided by Flowbox AB, Riddargatan 17D, 114 57 Stockholm, Sweden (hereinafter “Flowbox”) to display social media content. User names on the respective social media platforms (e.g. Instagram) and content (photos in particular) are processed by Flowbox and displayed on the websites into which Flowbox is integrated. The legal basis is the legitimate interest of Vitra and Flowbox (Art. 6 Para. 1 lit. f) GDPR). Flowbox also analyses the use of the content displayed. Flowbox also uses cookies as part of this analysis. The legal basis is your consent when you give consent to cookies (Art. 6 Para. 1 lit. a) GDPR). Further information regarding data processing undertaken by Flowbox can be found at https://getflowbox.com/privacy.

Information regarding the third-party provider: Flowbox AB, Riddargatan 17D, 114 57 Stockholm; privacy policy


3. Collection and processing of data provided voluntarily

3.1
When you provide us with personal data by email, in our online shop or via the contact form available on our website, this is voluntary. This data is used to fulfil our contractual relationship, to process your inquiries and orders, for our own market or opinion research and for our own advertising by postal mail. Your data will be used for our own advertising by email only if you have given us consent to do so. We delete the data that arises in this context after its storage is no longer required, or we limit processing if there are statutory retention requirements. The legal basis for this is Art. 6 Para. 1 lit. b) GDPR or Art. 6 Para. 1 lit. f) GDPR.

3.2
When you register in our online shop and create a customer profile, we save the customer account information you provided (in particular, your name, billing and delivery addresses, telephone number, payment information and email address) so that you do not have to re-enter your data every time you place an order. You can update or delete your profile at any time. The legal basis for this is Art. 6 Para. 1 s. 1 lit. b) GDPR.

3.3
We work with zenloop GmbH, Pappelallee 78/79, 10437 Berlin to carry out customer surveys. Zenloop is a business-to-business software-as-a-service platform that enables us to collect and analyse feedback from our customers via our online shop. This makes it possible for us to improve and align our offerings to the needs of our customers. When using the feedback tool, zenloop records the public IP address, device and browser data, as well as the website from which we use the feedback platform. Zenloop also uses cookies and other similar technology to collect aggregated data about users. In addition, zenloop collects your survey responses. The legal basis for data processing by zenloop is Art. 6 Para. 1 lit. f ) GDPR. We have concluded an order processing agreement with zenloop in accordance with Art. 28 GDPR and have ensured to our satisfaction that zenloop carries out suitable technical and organisational measures in such a way that processing takes place in accordance with the requirements of the GDPR and guarantees the protection of your rights.

Information regarding the third-party provider: zenloop GmbH, Pappelallee 78/79, 10437 Berlin, Germany. For further information, please consult their privacy policy at https://www.zenloop.com/en/legal/privacy

3.4
If you would like to subscribe to our newsletter, please provide your valid email address and your country of origin, and confirm that you are in agreement with the following (the legal basis is Art. 6 Para. 1 s. 1 lit. a) GDPR):

“I agree that Vitra International AG and the companies linked below may process and use the data I have entered to send me an email newsletter to inform me about furniture and home accessories, as well as ongoing company promotions and events. I also agree that Vitra International AG and the companies linked below may transmit my email address to selected social networks (Facebook, Instagram, LinkedIn, Twitter, Pinterest and Google AdWords) in order to show me personalised advertising. I can find a list of the companies in question here. I can revoke this agreement at any time by sending written notification to Vitra International AG at Klünenfeldstr. 22, 4127 Birsfelden, Basel-Landschaft, Switzerland or to privacy@vitra.com. In the event that I revoke consent, the data I have entered will be deleted at all the companies in question and will no longer be used for sending the newsletter."

3.5
On the basis of your consent in accordance with Section 3.4, we work together with Facebook, Instagram, LinkedIn, Twitter, Pinterest and Google AdWords for the purpose of personalised advertising in social networks. These companies will receive your email address with your consent. If we place advertisements in the respective medium, they will be shown to you. We have no influence on further processing in the social networks. You can find more information on this in the respective provider’s privacy policy.

The legal basis for the processing is Art. 6 Para. 1 lit. a) GDPR.

Information regarding the third-party provider:

Facebook: Facebook Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland; privacy policy; https://www.facebook.com/privacy/explanation

Google Ad Words: Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, 1001; privacy policy: https://privacy.microsoft.com/en-us/privacystatement

Instagram: Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland; privacy policy; https://de-de.facebook.com/help/instagram/519522125107875

LinkedIn: LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2 Ireland; privacy policy; https://www.linkedin.com/legal/privacy-policy

Pinterest: Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA; privacy policy; https://policy.pinterest.com/en/privacy-policy

Twitter: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; privacy policy: https://twitter.com/en/privacy

3.6
We store your personal data as an individual customer profile in our CRM system. You provide us with such personal data by making a purchase order via our online shop, via our sales staff or when you enter data in your preference center on vitra.com. Processing of such data is based on a legitimate interest in accordance with Art. 6 Para. 1 lit. f) GDPR to remain in contact with you and to provide you with relevant offers and content based on your previous purchases and interests. If you have consented to receiving our newsletter and depending on your cookie settings, we may also link further information about your usage behavior on our website or newsletter to your customer profile (legal basis Art. 6 Para. 1 lit. a) GDPR).

By linking this data, we can better understand your personal interests and thus adapt contents of our mailing to you based on your interests, invite you to relevant events and approach you selectively via our sales team. You will only be contacted by telephone or by individualized newsletter if you have given us your consent. Furthermore, we use this data for our own market research and to improve our products and services.

We use the cloud provider Salesforce (Salesforce Germany GmbH, Erika-Mann-Straße 31, 80636 Munich, Germany, which is a daughter company of salesforce.com Inc., The Landmark @ One Market, Suite 300, San Francisco, CA 94105, USA). The CRM system is operated by Salesforce on servers in the European Union. A transfer of the data to Salesforce takes place within the scope of an order processing according to Art. 28 GDPR. In the event that salesforce.com Inc. is granted access to data in the course of providing the service, EU standard contractual clauses were concluded with Salesforce on the basis of Art. 46 Para. 2 lit. c) GDPR.


4. Transmission to third parties

4.1
If you have given us personal data, this will not be passed on to third parties. Any transfer that takes place will only be

- with your consent
- as part of processing your inquiries, your orders and the use of our services to commissioned subcontractors, who only receive the necessary data for the execution of this order and use it for a specific purpose
- as part of order data processing in accordance with the statutory provisions to service providers bound by instructions
- as part of the fulfilment of legal obligations to entities entitled to receive information.

4.2
As part of our handling of the payment method you selected in our online shop, your data will be transmitted to third parties as follows:

a) To process payments made by credit card, EPS (Electronic Payment Standard), PayPal or RatePAY (buying on account), we will transmit your data to our partner Adyen BV, Simon Carmiggelstraat 6 – 50, 1011 DJ Amsterdam, the Netherlands. In addition to the data regarding your order and the shipping and payment methods you have requested, we will forward the following categories of personal data to this payment service provider:

- your name
- your gender
- your billing address
- your email address
- your IP address
- your customer ID

Responsibility regarding your data lies with the relevant payment service provider (PayPal, RatePAY etc.). The legal basis for the transfer is the execution of the contract (Art. 6 Para. 1 s. 1 lit. b) GDPR). Please know that this provider will transmit your personal data to other parties as required to process payments, including – but not limited to – the credit institutions, banks and credit card providers involved. These parties will then also process your personal data to handle your payments. For customers based in Germany, the payment service provider will request additional information from SCHUFA Holding AG, Kormoranweg 5, 65201 Wiesbaden, Germany (hereinafter “SCHUFA”) and to this end will provide SCHUFA with information regarding the customer’s name, billing address and gender. The legal basis is Art. 6 Para. 1 lit. f) GDPR.

b) If you select payment on account during the course of the ordering process, please note that we will transmit your payment data for payment processing services to RatePAY GmbH, Schlüterstr. 39, 10629 Berlin, Germany.

The option for payment on account is conditional on a mathematical statistical assessment of your credit risk by RatePAY GmbH. We transmit the personal data RatePAY GmbH requires to perform this credit check. In particular, these are your first and last name, postal address, date of birth, gender, email address, IP address and telephone number, as well as the data required to process the payment on account related to your order – for example, the quantity of products, product numbers, invoiced amount and amount of tax as a percentage. RatePAY uses this data to obtain information from one or more credit reporting agencies (such as SCHUFA HOLDING AG) for the purpose of checking your identity and creditworthiness. The list of credit agencies with which RatePAY exchanges data can be viewed at https://www.ratepay.com/legal-creditagencies. The data is passed on in accordance with Art. 6 Para. 1 lit. f) GDPR, based on legitimate interests.

Further information on the payment service offered by RatePAY and the data protection provisions can be found at https://www.ratepay.com/legal.

You can at any time request information about the data that RatePAY GmbH has stored about you, or inform the company of changes to this data. You can find detailed information on the processing of your personal data by RatePAY GmbH, on the credit check carried out and on your rights at https://www.ratepay.com.

c) In order to be able to offer you the payment options provided by Klarna AB, Sveavägen 46, 11134 Stockholm, Sweden (hereinafter “Klarna”), we will transmit your personal data, such as contact details and order data, to Klarna. This enables Klarna to first assess whether you can use the payment options offered by Klarna and to adapt the payment options to your needs. The legal basis for this is the legitimate interest of Klarna (Art. 6 Para. 1 lit. f) GDPR). Klarna processes your data for payment processing as part of the execution of the contract (Art. 6 Para. 1 lit. b) GDPR). General information about Klarna can be found here. Klarna will handle your personal details in accordance with the applicable data protection regulations and in accordance with the information in Klarna's data protection regulations.

d) If you choose the “Apple Pay” payment method provided by Apple Distribution International (Apple), Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, your payment details will be passed to Apple in encrypted form for payment processing. Apple encrypts this data again with a developer-specific key before the data is passed to the payment processor of the payment card stored in Apple Pay for the purposes of carrying out the payment. The encryption ensures that only we can access the payment data. After payment has been made, Apple sends us your device account number and a transaction-specific, dynamic security code to confirm the payment. The legal basis for the transfer is the execution of the contract (Art. 6 Para. 1 s. 1 lit. b) GDPR).

Apple retains anonymised transaction data, including the approximate purchase amount, approximate date and approximate time, and whether the transaction was successfully completed. Anonymisation completely rules out the possibility of this data being connected with an individual. Apple uses the anonymised data to improve Apple Pay and other Apple products and services.

When you use Apple Pay on iPhone or Apple Watch to complete a purchase you made through Safari on Mac, Mac and the authorisation device communicate via an encrypted channel on the Apple servers. Apple does not process or store any of this information in a format with which you can be identified. You can disable the ability to use Apple Pay on your Mac in your iPhone settings. Go to “Wallet & Apple Pay” and deselect “Allow payments on Mac”. Further details regarding data protection with Apple Pay can be found at https://support.apple.com/en-us/HT203027

e) Please note that we transmit all data regarding extrajudicial and judicial collection measures relating to overdue and uncontested claims to SCHUFA (Art. 6 Para. 1 s. 1 lit. f) GDPR). If SCHUFA is provided with similar data relating to other contractual relationships after we have transmitted such information, we may be informed of this too. SCHUFA’s contracting partners primarily include credit institutions, credit card providers and leasing companies. Moreover, SCHUFA releases information to retail, telecommunication and other companies that offer goods and services on credit. Data is transmitted as specified above only if this is permitted after weighing the interests of all parties involved. Along with the aforementioned information, SCHUFA can provide its contracting partners with a probability value for credit risk assessment, calculated based on data saved in SCHUFA’s systems (score procedure). You have the right to obtain information from SCHUFA regarding the saved data relating to you. SCHUFA’s address is: SCHUFA Holding AG, Verbraucherservicezentrum Hannover, Postfach 56 40, 30056 Hannover, Germany. You can find more information about SCHUFA, data processing by SCHUFA and your right to obtain information at https://www.schufa.de/en/data-privacy/.


5. Cookies

5.1
In order to learn about your individual preferences and adjust our offerings optimally to best meet your needs, we use so-called “cookies” on our website vitra.com. Cookies are small text files that are saved on your computer or mobile device and that your computer or mobile device can retrieve at a later time. The information stored in the cookie is sent back to the website that generated it (first-party cookie) or to a service provided by an external provider (third-party cookie) when the website is subsequently accessed from the same device. The first-party cookies we use are required to provide the content of the website so that you can use the services on our website. Third-party cookies are additional cookies that are used for marketing purposes or to optimise performance. These are only set with your consent. Further information can be found in the above information under Sections 2 and 3 for the respective tools.

5.2
Cookies do not harm your computer or mobile device and do not contain any viruses. If you do not, as a rule, want to have cookies stored on your computer, regardless of your consent in accordance with Section 5.1, please change your browser settings so that either cookies cannot be stored, or you have to give your express consent beforehand. Please note that you may have to change the settings in each browser you use for accessing this website and that you may not have access to all the functions of this website if you object to the use of cookies.


6. Vitra Professionals

If you provide us with personal data when using Vitra Professionals, this is generally done on a voluntary basis. This data is used to fulfil our contractual relationship, to process your inquiries and orders, for our own market or opinion research and for our own advertising by postal mail. Your data will be used for our own advertising by email only if you have given us consent to do so. We delete the data that arises in this context after its storage is no longer required, or we limit processing if there are statutory retention requirements. The legal basis for this is Art. 6 Para. 1 lit. b) GDPR or Art. 6 Para. 1 lit. f) GDPR.

If you register as a specialist retailer with Vitra Professionals and create a profile for your company or your employees, we will save the account information you have entered (in particular the name, email address and country of origin) so that you do not have to enter it again with each operation. You can update or delete your profile(s) at any time. The legal basis for this is Art. 6 Para. 1 s. 1 lit. b) GDPR.

Personal data that has been communicated to us via our website will only be stored until the purpose for which it was entrusted to us is fulfilled. After completion of the contract, your data will be blocked and deleted once the tax and commercial law regulations have expired, unless you have expressly consented to the use of data beyond this. If mandatory retention periods under commercial and tax law have to be observed, the duration of the storage of certain data can be up to ten years.


II. Privacy policy for social networks

1. Facebook
In this section, we would like to inform you about the collection, processing and use of your data via Vitra's Facebook page (https://de-de.facebook.com/vitra).

The Facebook page is provided by Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland, a subsidiary of Facebook, Inc. (hereinafter “Facebook”).

Facebook is in principle responsible for the collection and processing of personal user data on Facebook. Please note that Facebook can collect and process certain data even if you do not have your own Facebook user account. Further information on data processing by Facebook can be found in their privacy policy.

As the operator of the Facebook page, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your user account. If you contact us on a voluntary basis via a Fan Page (for example via the comment or message function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by Facebook Inc. based in the USA.

We do not pass on any personal data ourselves. The personal data is processed by us on a legal basis, since we have an overriding legitimate interest in interacting with you (Art. 6 Para. 1 lit.f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both Facebook users and third parties, and that we have no influence on how they use the information available to them.

Facebook users can use the settings for advertising preferences to influence the extent to which their user behaviour may be recorded when visiting our Instagram page. The Facebook and Instagram settings or the form to exercise your right of objection offer further options.

You can also prevent your information from being processed by means of the cookies used by Facebook, by not allowing cookies from third-party providers or those from Facebook in your own browser settings.

When you visit our Fan Page, Facebook collects specific usage data by setting a cookie and storing the IP address, which Facebook processes according to partially pre-set criteria for statistical information in different categories (e.g. number of followers, age structure, demographics) and provides to us. These so-called “insights” are only transmitted to us in anonymised form. We use these statistics to collect information about our products and to make our contributions as targeted as possible. The processing is therefore based on a legitimate interest in accordance with Art. 6 Para. 1 lit. f) GDPR.

In principle, we and Facebook are responsible for processing the data from these insights. However, Facebook has given us a commitment to assume primary responsibility for processing the insights and, in particular, to fulfil all obligations under the GDPR to protect the rights of the data subjects. You can view the agreement on which this obligation is based (“Page Insights Supplement”) here.

2. Instagram
In this section, we would like to inform you about the collection, processing and use of your data via Vitra’s Instagram profile (https://www.instagram.com/vitra).

The Instagram profile is provided by Facebook Ireland Ltd, 4 Grand Canal Square, Dublin 2, Ireland, a subsidiary of Facebook, Inc. (hereinafter “Facebook”).

Facebook is in principle responsible for the collection and processing of personal user data on Instagram. Please note that Facebook can collect and process certain data even if you do not have your own Instagram user account. Further information on data processing by Facebook can be found in their Privacy policy.

As the operator of the Instagram page, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your Instagram profile. If you contact us on a voluntary basis via a Fan Page (for example via the comment function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by Facebook Inc. based in the USA.

We do not pass on any personal data ourselves. The personal data is processed by us on the basis of legal principles, since we have an overriding legitimate interest in interacting with you and enabling orderly interaction of the Fan Page community (Art. 6 Para. 1 lit. f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both Facebook users and third parties, and that we have no influence on how they use the information available to them.

Instagram users can use the settings for advertising preferences to influence the extent to which their user behaviour may be recorded when visiting our Instagram page. The Facebook and Instagram settings or the form to exercise your right of objection offer further options. You can also prevent your information from being processed by means of the cookies used by Facebook, by not allowing cookies from third-party providers or those from Facebook in your own browser settings.

3. Twitter
In this section, we would like to inform you about the collection, processing and use of your data via Vitra’s Twitter account (https://www.twitter.com/vitra).

The Twitter account is provided by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, a subsidiary of Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103 USA (hereinafter “Twitter”).

Twitter is in principle responsible for the collection and processing of personal user data on Twitter. Please note that Twitter can collect and process certain data even if you do not have your own Twitter account. Further information on data processing by Twitter can be found in their privacy policy.

As the operator of the Twitter account, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your Twitter profile. If you contact us on a voluntary basis via a Fan Page (for example via the comment function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by Twitter Inc. based in the USA.

We do not pass on any personal data ourselves. The personal data is processed by us on the basis of legal principles, since we have an overriding legitimate interest in interacting with you and enabling an orderly interaction of the Twitter community (Art. 6 Para. 1 lit. f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both Twitter users and third parties, and that we have no influence on how they use the information available to them.

Twitter users can use their settings to influence the extent to which their user behaviour may be recorded. You can find more information at https://twitter.com/en/privacy.

You can also prevent your information from being processed by means of the cookies used by Twitter, by not allowing cookies from third-party providers or those from Twitter in your own browser settings.

4. YouTube
In this section, we would like to inform you about the collection, processing and use of your data via Vitra’s YouTube account (https://www.youtube.com/vitra).

The YouTube account is provided by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC (hereinafter “YouTube”) is a subsidiary of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA (hereinafter “Google”).

YouTube is in principle responsible for the collection and processing of personal user data on YouTube. Please note that YouTube can collect and process certain data even if you do not have your own YouTube account. Further information on data processing by YouTube can be found in their privacy policy.

As the operator of the YouTube account, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your YouTube profile. If you contact us on a voluntary basis via YouTube (for example via the comment function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by YouTube and Google based in the USA.

We do not pass on any personal data ourselves. The personal data is processed by us on the basis of legal principles, since we have an overriding legitimate interest in interacting with you and enabling an orderly interaction of the YouTube community (Art. 6 Para. 1 lit. f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both YouTube users and third parties, and that we have no influence on how they use the information available to them.

YouTube users can use their settings to influence the extent to which their user behaviour may be recorded. You can object to the use for advertising purposes here: https://adssettings.google.com/authenticated.

You can also prevent your information from being processed by means of the cookies used by YouTube and Google, by not allowing cookies from third-party providers or those from YouTube and Google in your own browser settings.

5. Pinterest
In this section, we would like to inform you about the collection, processing and use of your data via Vitra’s Pinterest account (https://www.pinterest.com/vitra).

The Pinterest account is provided by Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA (hereinafter “Pinterest”).

Pinterest is in principle responsible for the collection and processing of personal user data on Pinterest. Please note that Pinterest can collect and process certain data even if you do not have your own Pinterest account. Further information on data processing by Pinterest can be found in their privacy policy.

As the operator of the Pinterest account, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your Pinterest account. If you contact us on a voluntary basis via the Pinterest website (for example via the comment function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by Pinterest Inc. based in the USA. If Pinterest transfers personal data from the EEA to a country that does not have adequate protection regulations, Pinterest takes appropriate measures to protect your data (e.g. through standard contractual clauses).

We do not pass on any personal data ourselves. The personal data is processed by us on the basis of legal principles, since we have an overriding legitimate interest in interacting with you and enabling an orderly interaction of the Pinterest community (Art. 6 Para. 1 lit. f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both Pinterest users and third parties, and that we have no influence on how they use the information available to them.

Pinterest users can use their settings to influence the extent to which their user behaviour may be recorded. You can find more information at https://policy.pinterest.com/en/cookies.

You can also prevent your information from being processed by means of the cookies used by Pinterest, by not allowing cookies from third-party providers or those from Pinterest in your own browser settings.

6. LinkedIn
In this section, we would like to inform you about the collection, processing and use of your data via Vitra’s LinkedIn account (https://www.linkedin.com/company/vitra).

The LinkedIn profile is provided by LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland, a subsidiary of LinkedIn Inc., U.S.A. (hereinafter “LinkedIn”).

LinkedIn is in principle responsible for the collection and processing of personal user data on LinkedIn. Please note that LinkedIn can collect and process certain data even if you do not have your own LinkedIn account. Further information on data processing by LinkedIn can be found in their privacy policy.

As the operator of the LinkedIn profile, only the public information on your profile is visible to us. The scope of this information depends on your personal settings in your LinkedIn profile. If you contact us on a voluntary basis via a Fan Page (for example via the comment function), personal data can be processed by us for purposes of interaction and communication.

It is conceivable that some of the information collected will also be processed outside the European Union by LinkedIn Inc. based in the USA. All LinkedIn companies have adopted the standard contractual clauses to ensure that the data traffic to the USA and Singapore necessary for the development, operation and maintenance of the services takes place in a lawful manner.

We do not pass on any personal data ourselves. The personal data is processed by us on a legal basis, since we have an overriding legitimate interest in interacting with you (Art. 6 Para. 1 lit. f) GDPR). In this context, we would like to point out that your contributions in the publicly accessible areas can be viewed by both LinkedIn users and third parties, and that we have no influence on how they use the information available to them.

LinkedIn users can use their settings to influence the extent to which their user behaviour may be recorded. You can find more information at https://www.linkedin.com/psettings.

You can also prevent your information from being processed by means of the cookies used by LinkedIn, by not allowing cookies from third-party providers or those from LinkedIn in your own browser settings.


III. Data protection provisions for the Vitra Campus app

In this section, we would like to inform you about the collection, processing and use of your data via the Vitra Campus app.

1. Downloading the app
When the Vitra Campus app is downloaded from the respective app store, the necessary data (e.g. user name, email address, device code) is transmitted to the app store operator. The app store operator alone is responsible for data processing. We have no influence on the type and scope of the data processed by the respective app store operator or the disclosure of this data to third parties.

2. Automated collection and processing of user data

2.1.
Every time the Vitra Campus app is used, our server automatically and temporarily collects information in the server log files that are transmitted by the Vitra Campus app. If you want to use the Vitra Campus app, we collect the following data, which is technically necessary for us to show you our content and to ensure stability and security (the legal basis is Art. 6 Para. 1 s. 1 lit. f) GDPR):

- IP address of the terminal device
- device model
- app version used
- operating software (iOS version)

There is no personalised evaluation of the server log files. At no time can the provider allocate this data to specific persons. This data is not combined with other data sources.

2.2
We use the Google Analytics analysis service provided by Google Ireland Ltd in our Vitra Campus app to analyse and regularly improve the use of the Vitra Campus app. The information contained in Section 2.2 of this Privacy Policy applies correspondingly.

2.3
We use the Google Firebase service provided by Google. This service is there to provide certain functionalities, improve the app and correct errors in the app. The data collected for this purpose is made available to us in anonymised form. The information that is recorded concerns whether a crash has occurred, which line of code caused the crash and the type and operating system of the mobile device concerned. This data is used exclusively to reproduce errors in the app and to be able to correct them during future development. No personal data is transmitted. The Firebase privacy policy can be viewed here: https://firebase.google.com/terms/data-processing-terms

The processing is based on a legitimate interest in accordance with Art. 6 Para. 1 lit. f) GDPR.

3. Data processing as part of the features offered

3.1 Product scanner
The Vitra Campus app enables you to identify Vitra products with the product scanner. When you use the product scanner, you take a photo or transfer the image from the camera so that we can show you further information about the respective product and about complementary or comparable products.

We collect your location data in order to be able to offer you this feature. To do this, you must allow the Vitra Campus app to access your location. However, we only record the location recorded by your device if the Vitra Campus app is open. If location recording is active, this is indicated by a compass symbol on your device. You can allow or decline recording of your location at any time in the settings of your operating system.

The legal basis of this data processing is Art. 6 Para. 1 s. 1 lit. b) GDPR. The photos will be deleted immediately after processing and will not be used for any purpose other than to provide the product scanner functions described.

3.2 Consultations
You can get in touch with one of our Vitra product experts through the Vitra Campus app and arrange a personal consultation. If you make use of this option, the data entered in the contact form will be transmitted to us and processed accordingly. The personal data you provide (e.g. first and last name, email address) will only be processed to deal with your request. Further processing (e.g. use for advertising by email, analysis of your interests for advertising purposes, disclosure to third parties) will only take place if you have given us your consent. We delete the data that arises in this context after its storage is no longer required, or we limit processing if there are statutory retention requirements. The legal basis for this is Art. 6 Para. 1 lit. b) GDPR or Art. 6 Para. 1 lit. a) GDPR.

3.3 Campus map
You have the option of using our campus map to view the surroundings on the Vitra Campus and in individual buildings accessible to visitors (e.g. VitraHaus). In order to be able to offer you this feature, we use the Apple Maps application and record your location data (GPS data). To do this, you must allow the Vitra Campus app to access your location. However, we only record the location recorded by your device if the Vitra Campus app is open. If location recording is active, this is indicated by a compass symbol on your device.

This function cannot be performed without location recording. The Apple Maps terms of use can be found at https://www.apple.com/legal/internet-services/maps/terms-en.html. We only collect your location data to show you your current location on the campus map (Art. 6 Para. 1 lit. b) GDPR). You can allow or decline recording of your location at any time in the settings of your operating system.

3.4 Tickets
You have the opportunity to buy tickets for the Vitra Design Museum. We use the Reservix ticket platform provided by Reservix GmbH, Humboldtstraße 2, 79098 Freiburg im Breisgau, Germany for online ticket sales. The legal basis for this is Art. 6 Para. 1 lit. f) GDPR. Our legitimate interest lies in offering a simple, safe and user-friendly way for our visitors to buy tickets online. Detailed information regarding how we process your data can be found in the Reservix privacy policy at https://www.reservix.net/files/data/docs/Datenschutzerklaerung_Reservix.pdf.

Information regarding the third-party provider:

Apple: Apple Distribution International Ltd., Hollyhill Industrial Estate, Hollyhill, Cork, Ireland. https://www.apple.com/legal/privacy

Google: Google: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. https://policies.google.com/privacy

Reservix: Reservix GmbH, Humboldtstraße 2, 79098 Freiburg im Breisgau, Germany. https://www.reservix.net/files/data/docs/Datenschutzerklaerung_Reservix.pdf.


IV. Video surveillance, Vitra Campus Weil am Rhein

Controller: Vitra Services GmbH, Charles-Eames-Strasse 2, 79576 Weil am Rhein. The Data Protection Officer can be contacted at: dsb@vitra.com

Purposes and legal bases of the data processing: prevention of vandalism and theft, the right to allow or deny access to premises, Art. 6 Para. 1 f) GDPR

The legitimate interests pursued are: protection of property, Art. 13 Para. 1 lit. d) GDPR
Duration of storage: 72 h


V. Data protection information for online meetings, conference calls and webinars via Microsoft Teams

In this section, we would like to inform you about the processing of personal data by Vitra International AG in connection with the use of Microsoft Teams.

1. Purpose of processing
We use the “Microsoft Teams” tool to hold telephone conferences, online meetings, video conferences and/or webinars (hereinafter “online meetings”).

2. Data controller
Vitra International AG, Klünenfeldstrasse 22, 4127 Birsfelden, Basel-Landschaft, Switzerland (hereinafter “Vitra”) is responsible for data processing that is directly related to the performance of online meetings.

Microsoft Teams is a service provided by Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052, USA and its affiliated companies (hereinafter collectively “Microsoft”). In order to be able to provide you with this service, Microsoft acts for us as a processor within the framework of Art. 28 GDPR.

Please note that this data protection notice only informs you about how Vitra processes your personal data if you participate in online meetings with us. You can find more information about how Microsoft processes your personal data under https://www.microsoft.com/en-us/microsoft-365/blog/2020/04/06/microsofts-commitment-privacy-security-microsoft-teams as well as the Microsoft Online Services Terms of Use.

Note: If you access the Microsoft Teams website, Microsoft is responsible for data processing. To use Microsoft Teams, you only need to access the website to download the software for using Microsoft Teams.

If you do not want to or cannot use the Microsoft Teams app, you can also use Microsoft Teams via your browser. The service is then also provided via the Microsoft Teams website.

3. Which data is processed?
When we use Microsoft Teams, we automatically process certain information that you transmit to us. The scope of the processed data also depends on the details of the data you provide before or while participating in an online meeting.

The following personal data is processed:

- IP address of the requesting end device
- information about the user: e.g. display name, business contact details such as email address, profile picture (optional), preferred language
- meeting metadata: e.g. date, time, meeting ID, phone numbers, location
- Text, audio and video data: You may have the option of using the chat function in an online meeting. In that case, the text entries you make are processed in order to display them in the online meeting. In order to enable video display and audio playback, the data from the microphone of your end device and any video camera on the end device is processed accordingly for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the Microsoft Teams applications.

4. Scope of processing
We use Microsoft Teams to conduct online meetings. If we want to record online meetings, we will inform you of this transparently in advance and

– if necessary – ask for your consent.

If this is required for the purpose of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case.

We do not use automated decision-making within the meaning of Art. 22 GDPR (“Profiling”).

5. Legal basis for data processing
If personal data is processed by employees of Vitra International AG within the employment context, Section 26 Para. 1 BDSG (the German Federal Data Protection Act) is the legal basis for data processing. If, in connection with the use of Microsoft Teams, personal data is not required for establishment, implementation or termination of the employment relationship, but is an elementary component in the use of Microsoft Teams, Art. 6 Para. 1 lit. f) GDPR is the legal basis for data processing. Our interest in these cases is in the effective implementation of online meetings.

In all other respects, the legal basis for data processing when conducting online meetings is Art. 6 Para. 1 lit. b) GDPR, if as the meetings are held in the context of contractual relationships.

If there is no contractual relationship, the legal basis is Art. 6 Para. 1 lit. f) GDPR. Here, too, we are interested in the effective implementation of online meetings.

6. Recipients/disclosure of data
If you have given us personal data, this will in principal not be passed on to third parties. A transfer only takes place

- with your consent
- in the context of a legitimate interest, if the data disclosed during a meeting is intended to be passed on. Please note that content from online meetings as well as from physical meetings is often in fact used to share information with customers, interested parties or third parties;
- as part of order data processing, in accordance with the statutory provisions, to Microsoft as a service provider bound by instructions;
- in the context of a legitimate interest within our group of companies for internal administrative purposes, including joint customer service, if necessary;
- as part of processing your concerns to commissioned subcontractors, who only receive the necessary data for the execution of this order and use this for a specific purpose;
- as part of the fulfilment of legal obligations to entities entitled to receive information.

7. Data processing outside the European Union
There is no data processing outside the European Union (EU), as we have limited our storage location to data centres in the European Union.

Likewise, processing by Microsoft usually takes place within member states of the European Union or in other signatory states to the Agreement on the European Economic Area. If personal data is transmitted to the USA as part of order processing, we have agreed standard contractual clauses with Microsoft.

8. Right to object
You have the right under Art. 21 GDPR to object at any time to the processing – among other reasons, based on Art. 6 Para. 1 lit. e) or f) GDPR – of personal data relating to you for reasons that arise from your particular situation. We will then stop processing your personal data, unless we can demonstrate compelling legitimate reasons for the processing that outweigh your interests, rights and freedoms, or if the processing serves to assert, exercise or defend legal claims.

9. Deletion of data
We generally delete personal data if there is no requirement for further storage. A requirement may in particular exist if the data is still required for purposes of fulfilling contractual services, checking warranty and – where applicable – guarantee claims and to be able to grant or defend these. In the case of statutory retention requirements, deletion can only be considered after the respective retention obligation has expired.


V. Your rights

1.
You may receive information about the data we have stored about you and about its origin, recipients or categories of recipients to whom this data is passed on and the purpose of storage – free of charge, at any time without giving reasons.

2.
In addition, you have the right to correct, block and delete your personal data in accordance with the statutory provisions. If you have given your consent to the use of data, you can revoke this at any time and without giving reasons. If your data is processed on the basis of legitimate interests in accordance with Art. 6 Para. 1 lit f) GDPR, you have the right to object in accordance with Art. 21 GDPR. You also have the right to data portability. You furthermore have the right to complain to a data protection supervisory authority about our processing of your personal data.

3.
Please send your requests for information, objections to data processing and other inquiries to Vitra International AG, Klünenfeldstraße 22, 4127 Birsfelden, Basel-Landschaft, Switzerland or to the email address privacy@vitra.com.

4.
For any questions in connection with data protection, you can also contact our data protection officer, Mr. Simon Brandmeier, who can be reached at dsb@vitra.com.

Last updated: November 13th, 2020