top of page

Data protection

Information obligations according to Art. 13 and 14 General Data Protection Regulation (GDPR)

We hereby inform you about the processing of your personal data ("data") as well as about your data protection claims and rights (effective from May 25, 2018):


1. Who is responsible for data processing and who can you contact?

Responsible for data processing is:


Michael Haidl

Wilhelmstrasse 15-17/25

1120 Vienna



If you have any questions or concerns about the processing of your data, or discover an error on our website, you can contact us.

2. Which data is processed and from which sources does this data come?

We process your data that we receive from you as part of the business relationship. This is the case, for example, if you tell us when you register or visit our website In addition, we process the data that we receive from our contractual partners and credit agencies (namely KSV 1870). We never collect and process special types of personal data.


Personal data includes:

  • Your personal details: e.g. name, address, e-mail address, telephone number, date of birth and gender

  • Data about your 18FLAGS purchases, purchase date and time, item, quantity and price

  • Data about your means of payment: e.g. credit/debit card company, card number, cardholder name, expiry date, etc.


3. For what purposes is the data processed and for how long?

We process your data in accordance with data protection and legal regulations for specific purposes and for a specific period of time. We have listed the most important purposes and the respective processing times below. If we collect data from you for purposes that go beyond this, we will inform you of this separately when it is collected:


Shopping at 18FLAGS

We process the data you provide when you make a purchase for the purpose of fulfilling our contractual obligations to you. This also includes, for example, the delivery of the goods you have bought or ordered online. In addition, data processing takes place to handle the creation and sending of invoices by e-mail or post and receipt of payment, to ensure punctual and smooth delivery and to inform you about delivery dates and/or changes to the delivery. We store this data until we have fulfilled our obligations; in addition, only as long as there is a legal obligation to do so or we need data to enforce or defend against legal claims.


Processing of payments by payment service providers


Payment with Paypal

If you want to pay for your order in the 18FLAGS online shop with PayPal – as far as possible – the amount to be paid by you, along with your first and last name, delivery address, e-mail address, telephone number and IP address, will be sent to PayPal (ie to the PayPal ( Europe) S.à rl et Cie, SCA, 22-24 Boulevard Royal, L-2449 Luxembourg) so that you can authorize the payment to us via PayPal. (You need a PayPal account for this). PayPal also offers the option of processing virtual payments via credit cards if a user does not have a PayPal account.

The legal basis for the associated data processing is Art. 6 Para. 1 b) GDPR, ie the processing of your data is necessary to fulfill the agreement on paying for your purchase via PayPal.

The data transmitted to PayPal may be transmitted to credit agencies by PayPal. This transmission serves to check identity and creditworthiness. You can find more information about data protection at PayPal on the PayPal website at Payment with PayPal is voluntary, 18FLAGS provides you with a number of other payment options.

The personal data collected is processed on the basis of our legitimate interest, namely to offer you effective and secure payment options and to prevent credit card misuse and fraud in this context.


Payment by bank transfer for supported banks

In the 18FLAGS online shop we offer you payment by bank transfer. If you decide to use a bank transfer, as part of your payment you will transmit the personal data required to process the purchase (first and last name) as well as your order number and the total amount of the order to process the transfer. This data is collected so that your payment can be made by bank transfer for your order.

The personal data collected is processed on the basis of our legitimate interest, namely to offer you effective and secure payment options and to prevent credit card misuse and fraud in this context.


18FLAGS customer service

If you contact us with inquiries or concerns and provide your data for this purpose, this data will only be used to answer your inquiries or fulfill your concerns.

The data you provide for IKEA customer service will only be stored by us for as long as this answer or fulfillment lasts. We will also contact you via text message and email to update you on the status of your request. In addition, we only store it for as long as there is a legal obligation to do so or we need data to enforce or defend against legal claims.


18FLAGS Cookies, Analysis Services and Marketing

Cookies are used on the websites of 18FLAGS. We use your 18FLAGS customer profile data (date of purchase, time, item, quantity, prices), any participation by you in 18FLAGS competitions, 18FLAGS events, any receipt of e-mail newsletters from 18FLAGS and your use of 18FLAGS services for our own purposes statistical purposes, to make our products and services even more attractive, to form customer groups and to create general and/or customer group-specific offers.

We only store the personal data processed for this purpose until the purpose has been fulfilled. In addition, we only store it for as long as there is a legal obligation to do so or we need data to enforce or defend against legal claims.


4. On what legal basis do we process your data?


4.1 Based on your consent (Art 6 Para 1 lit a GDPR):

If you have given us your consent to the processing of your data, this processing will only take place in accordance with the purposes specified in the respective declaration of consent and to the extent agreed therein.

You can revoke your consent at any time with effect for the future in writing by e-mail or letter to our contact address given under point 1. The revocation of the consent does not affect the legality of the processing of your data based on your consent until the revocation.


4.2 To fulfill contractual obligations (Art 6 Para 1 lit b GDPR):

Your data is processed to fulfill our contractual obligations to you. For example, we need your name and address in order to be able to send you goods ordered online and to issue you with an invoice for your order. If there are delivery problems or if you have any concerns or inquiries for us, we need your e-mail address or telephone number, for example, so that we can get in touch with you.


4.3 To fulfill legal obligations (Art 6 Para 1 lit c GDPR):

The processing of your data may be necessary due to legal obligations to which we are subject (in particular for the storage of business letters and contract documents). Such obligations may arise, for example, from the following laws:

  • Corporate Code (UGB)

  • Federal Fiscal Code (BAO)

  • General Civil Code (ABGB)


4.4 To protect legitimate interests (Art 6 Para 1 lit f GDPR):

Should it be necessary to safeguard our legitimate interests or those of a third party, we can process your data:

  • Your date of birth is processed, for example, in order to be able to clearly identify you in order to prevent confusion. For example, we can ensure in our database that we have only recorded you as a person once.

  • Our legitimate interest in processing your data also exists for our own  marketing purposes, for customer loyalty or legally permissible direct advertising.

  • In addition, there is a legitimate interest in the processing of your data for administrative purposes within the 18FLAGS company and in the context of legal prosecution.

  • Your data may also be processed to determine your creditworthiness and default risk with credit agencies or if we are processing the inquiries or concerns you have communicated to us.

Your data can therefore be processed on the basis of these legitimate interests at best in addition to the legal basis of your consent, ie even if you have revoked any consent.


5. Who receives your data?

Your data will be transmitted to the following recipients:

  • Service providers used by us (as processors), such as (IT or payment service providers, suppliers and logistics companies) if they need your data to fulfill their respective tasks. These service providers are contractually obliged to treat your data confidentially and to process it only to the extent necessary for the provision of services.

  • If we are legally obliged to do so, we also pass on your data to public bodies and authorities.

  • If necessary, the data can be passed on to the following recipients:
    - To secure evidence in criminal cases: security authorities or courts
    - For security purposes: security authorities
    - For evidentiary purposes in civil matters: courts
    - To process insurance claims: insurance companies
    - For the purpose of law enforcement: lawyers, authorities and other bodies.


6. Are you obliged to provide data?

In order to make use of a service from us - be it a purchase - it is necessary for you to provide the data that we need to carry out our contractual obligations towards you and for voluntary services. These are, for example, your name and address in order to be able to deliver an order to you and to be able to issue you an invoice. If you do not provide this necessary data, we will generally not be able to provide the service you are looking for (e.g. purchase).

7. Is there automated decision-making including profiling?

No, we do not use automated decision-making according to Art. 22 GDPR to make a decision about the establishment and implementation of business relationships or other decisions that would significantly affect you in a similar way.


8. Your rights in connection with the processing of personal data

You can request information from us as to whether and which personal data we have stored about you and receive copies of this data, request the correction, addition or deletion of your personal data that is incorrect or not processed in accordance with the law, request from us restrict the processing of your personal data, object to the processing of your personal data in certain circumstances or withdraw the consent previously given for the processing, request data that you have given us in a transferable format and report it to the Austrian Data Protection Authority ( lodge a complaint.

To assert all of the aforementioned rights, please send us a letter to the contact address given above.

As of December 2021

bottom of page