
Privacy Notice for Operators

Non-binding translation
This is an informational English translation. The legally binding version is the German original.

Note: This document is intended for all users/operators of a bessa software system: service providers, retail businesses, hospitality businesses, accommodation and hotel businesses.

Privacy Notice for bessa Operators

Last updated: 01/11/2025

1. Controller for Data Processing

As an operator of the bessa software system, you are the controller within the meaning of Art. 4 No. 7 GDPR for the processing of your customers' personal data.

Your processor:
meisterwork GmbH
Rosentaler Straße 1
9020 Klagenfurt am Wörthersee, Austria
E-mail: support@bessa.app
Tel: +43 720 317 836

Industries: Hospitality, retail, services, accommodation and hotels

2. Your Role and Responsibility as Operator

As a user of the bessa software, you are the controller for the processing of your customers' data. This means:

  • You decide on the purposes and means of data processing

  • You decide which modules you use (Sales Point, customer loyalty, online orders, etc.)

  • You are responsible for compliance with the GDPR vis-à-vis your customers

  • You must inform your customers about the data processing

  • You are the point of contact for the data subject rights of your customers

meisterwork GmbH acts as a processor and processes the data exclusively on your instructions in the context of the use of the software.

3. Data Processing by bessa

The modular bessa software system can process different data depending on the functions used. Not all data categories are relevant for every operator – it depends on which modules you use (Sales Point, customer loyalty, online orders, etc.).

3.1 Categories of Data Processed

The following data categories may be processed in the bessa system:

Customer master data:

  • Last name, first name, title

  • Contact data (e-mail, telephone, address)

  • Customer number

  • Date of birth (optional)

Transaction data:

  • Orders and purchase history

  • Invoice data

  • Merchant and customer receipts

  • Delivery addresses

Payment data:

  • Payment status (paid / open)

  • Payment method (cash, card, etc.)

  • IMPORTANT: Sensitive payment data (credit card numbers, bank details) is NOT stored in the bessa system, but is processed exclusively via the PCI-DSS-certified partner Stripe

Customer loyalty data:

  • Point balances

  • Digital stamp passes

  • Vouchers and discounts

  • Preferences and favourites

Hospitality / accommodation-specific data:

  • Room number for internal billing

  • Consumption in restaurant, bar, spa, wellness

  • Additional services (minibar, parking, etc.)

  • Company data for business travellers for invoicing

IMPORTANT NOTE for hospitality: bessa does NOT process ID, passport or registration data. This sensitive data must be managed via your separate Property Management System (PMS), which fulfils the statutory reporting obligations. In the hospitality sector, bessa primarily serves to bill additional services and can be used modularly.

Communication data:

  • Newsletter sign-ups

  • Push notification settings

  • Feedback and reviews

  • Support requests

3.2 Purposes of Processing

The specific purposes depend on the modules used:

  • Point-of-sale module: Processing of orders and payments

  • Customer loyalty module: Management of loyalty programmes and points systems

  • Online ordering module: Processing of digital orders

  • All modules: Invoicing and accounting

  • Marketing functions: Communication with customers (with consent)

  • Compliance with statutory retention obligations

  • System optimisation and error analysis

  • Hospitality / accommodation: Billing of hotel additional services, internal billing via room numbers, management of restaurant, bar and spa revenue, billing of tourism / city taxes (without guest data)

Processing is carried out on the basis of:

  • Art. 6(1)(b) GDPR (performance of contract)

  • Art. 6(1)(c) GDPR (legal obligations, e.g. tax law)

  • Art. 6(1)(a) GDPR (consent for marketing)

  • Art. 6(1)(f) GDPR (legitimate interests)

4. Technical and Organisational Measures

4.1 Our Security Measures as Processor

  • Hosting: AWS Frankfurt (Germany) – GDPR-compliant

  • Encryption: TLS for all data in transit

  • Access control: Role-based authorisations

  • Data separation: Multi-tenant architecture (tenant isolation)

  • Backup: Daily automatic data backups

  • Availability: 99.5% guaranteed system availability

  • Payment security: No storage of sensitive payment data; processing via PCI-DSS-certified partner Stripe

4.2 Your Security Measures as Operator

As a controller, you should implement the following measures:

  • Strong passwords and regular rotation

  • Activation of two-factor authentication

  • Training your employees in data protection

  • Access rights based on the principle of least privilege

  • Regular review of data accuracy

  • Secure storage of printouts

5. Storage Period and Deletion

5.1 Statutory Retention Periods

  • Invoice data: 7 years (Austria) / 10 years (Germany)

  • Booking documents: 7 years

  • Business correspondence: 6-7 years

  • Point-of-sale data: In accordance with RKSV / KassenSichV

5.2 Deletion Concept

  • After the statutory periods expire, data is automatically marked for deletion

  • Customer master data with no business relationship: deletion after 3 years of inactivity

  • Marketing consents: review every 2 years

  • Immediate deletion at the customer's request (where legally permissible)

Note for hospitality: Registration forms and guest data pursuant to the Registration Act are NOT processed in bessa and must be retained in your separate PMS system in accordance with statutory periods.
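The deletion concept above combines three clocks that can conflict: a statutory retention period on invoice data, a 3-year inactivity window on master data, and an erasure request that is only honoured "where legally permissible". The following is an added example (not code from bessa or meisterwork GmbH) of how an operator might encode those rules as a scheduler check. The record fields, the country codes "AT"/"DE" and the assumption that a retention period runs from the end of the calendar year in which the invoice was issued are the example's own; verify the period start against your own tax advice.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Rules taken from section 5 of the notice:
# invoice data 7 years (AT) / 10 years (DE), master data deleted after
# 3 years of inactivity, marketing consent reviewed every 2 years.
INVOICE_RETENTION_YEARS = {"AT": 7, "DE": 10}
INACTIVITY_YEARS = 3
CONSENT_REVIEW_YEARS = 2


@dataclass
class CustomerRecord:
    """Hypothetical record shape; field names are this example's, not bessa's."""
    customer_number: str
    country: str                      # "AT" or "DE"
    last_activity: date               # last order, login or contact
    invoice_dates: list = field(default_factory=list)
    consent_given: Optional[date] = None
    erasure_requested: bool = False


@dataclass
class Decision:
    action: str                       # "retain" | "mark_for_deletion" | "restrict" | "erase_now"
    retain_until: Optional[date]      # end of the statutory period, if any invoices exist
    consent_review_due: bool
    reason: str


def _add_years(d: date, years: int) -> date:
    """Add calendar years, clamping 29 Feb to 28 Feb in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def statutory_retention_end(record: CustomerRecord) -> Optional[date]:
    """Date until which the customer's invoice data must be kept, or None without invoices.

    Assumption: the period starts at the end of the calendar year of the newest
    invoice, so it ends on 31 December of the final retention year.
    """
    if not record.invoice_dates:
        return None
    years = INVOICE_RETENTION_YEARS[record.country]
    return date(max(record.invoice_dates).year + years, 12, 31)


def evaluate(record: CustomerRecord, today: date) -> Decision:
    """Decide what the deletion job may do with this record as of `today`."""
    retain_until = statutory_retention_end(record)
    period_running = retain_until is not None and today <= retain_until
    inactive = today >= _add_years(record.last_activity, INACTIVITY_YEARS)
    review_due = (record.consent_given is not None
                  and today >= _add_years(record.consent_given, CONSENT_REVIEW_YEARS))

    if record.erasure_requested:
        if period_running:
            # Art. 17(3)(b): erasure is not permissible while a legal retention
            # obligation applies; restrict processing and drop non-required fields.
            return Decision("restrict", retain_until, review_due,
                            "erasure requested, invoice data still under statutory retention")
        return Decision("erase_now", None, review_due, "erasure requested and permissible")

    if period_running:
        return Decision("retain", retain_until, review_due, "statutory retention period running")

    if inactive:
        return Decision("mark_for_deletion", retain_until, review_due,
                        "no statutory period running and no activity for 3 years")

    return Decision("retain", retain_until, review_due, "activity within the last 3 years")


# Constructed sample records (not real customer data) to exercise each branch.
SAMPLE_TODAY = date(2025, 11, 1)
SAMPLE_RECORDS = [
    CustomerRecord("C-1", "AT", date(2017, 5, 3), [date(2017, 5, 3)]),
    CustomerRecord("C-2", "DE", date(2017, 5, 3), [date(2017, 5, 3)]),
    CustomerRecord("C-3", "AT", date(2023, 6, 1), [], consent_given=date(2023, 9, 1)),
    CustomerRecord("C-4", "AT", date(2024, 1, 10), [date(2024, 1, 10)], erasure_requested=True),
    CustomerRecord("C-5", "DE", date(2022, 3, 1), [], erasure_requested=True),
]


def run_sample() -> dict:
    """Map customer number to the scheduler's action for the sample set."""
    return {r.customer_number: evaluate(r, SAMPLE_TODAY).action for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        d = evaluate(r, SAMPLE_TODAY)
        print(r.customer_number, d.action, d.retain_until, d.consent_review_due, d.reason)
```

Note the two Austrian and German records with identical invoice dates: the same inactivity clock produces "mark_for_deletion" under the 7-year period but "retain" under the 10-year one, so the country of the invoicing entity must be stored with the record, not assumed globally.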

6. Data Transfers and Subprocessors

6.1 Service Providers Used (Subprocessors)

  • Amazon Web Services (AWS): Cloud infrastructure (Frankfurt, EU)

  • Google Ireland Ltd.: Analytics, Cloud Messaging, Crashlytics (EU)

  • Atlassian: Support ticket system Jira (EU)

  • Stripe Payments Europe Ltd.: Secure payment processing, PCI-DSS-certified (EU)

  • Resellers: First-level support (see separate DPA)

  • Tax advisors / accountants: Read access for tax purposes (see separate DPA)

Note on tax advisors / accountants: If you grant your tax advisor or accountant access to bessa, they act as your processor. The access is read-only and serves tax / accounting purposes only. A separate agreement governs the details.

6.2 Third-Country Transfers

In principle, all data is processed within the EU. Should third-country transfers become necessary, they are only carried out on the basis of:

  • EU standard contractual clauses

  • Adequacy decisions of the EU Commission

  • Your express consent

7. Your Obligations as Operator

7.1 Information Obligations (Art. 13/14 GDPR)

You must inform your customers about:

  • Your identity as the controller

  • Purposes and legal bases of the processing

  • Storage period of the data

  • Data subject rights

  • Use of bessa as a processor

Note: Use our sample privacy notice for end customers (see appendix).

7.2 Consent Requirements

You need consent for the following processing activities:

  • Newsletter dispatch

  • Push notifications

  • Marketing campaigns

  • Profiling beyond what is necessary

7.3 Ensuring Data Subject Rights

You must respond to your customers' requests regarding:

  • Right of access (Art. 15 GDPR)

  • Rectification (Art. 16 GDPR)

  • Erasure (Art. 17 GDPR)

  • Restriction (Art. 18 GDPR)

  • Data portability (Art. 20 GDPR)

  • Objection (Art. 21 GDPR)

Support: bessa offers functions for exporting and managing customer data. If required, we provide technical support to help you fulfil these obligations.

7.4 Reporting Personal Data Breaches

In the event of a personal data breach, you must:

  1. Notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless it is unlikely to result in a risk to individuals (Art. 33 GDPR)

  2. Inform the affected individuals without undue delay if the breach is likely to result in a high risk to them (Art. 34 GDPR)

  3. Document the breach

7.5 Special Notes for Hospitality / Accommodation

Integration with PMS systems:

  • bessa only processes billing data for additional services

  • Guest registration and reporting obligations are handled via your PMS system

  • Make sure both systems are configured in a data-protection-compliant manner

  • Ensure clear separation of responsibilities

For invoicing:

  • Use only the guest data necessary for the invoice

  • Separate billing data from registration data

  • Inform guests about the processing of data for additional services

8. Data Protection Compliance Functions in bessa

8.1 Available Tools (Depending on Modules Used)

  • Data export: Full export of customer data

  • Deletion functions: Individual records or bulk deletion

  • Consent management: Documentation of consents

  • Access log: Traceability of changes

  • Rights management: Granular control of authorisations

  • Module management: Activation of only the required functions

8.2 Compliance Features

  • RKSV compliance (Austria)

  • KassenSichV compliance (Germany)

  • Tamper-proof storage

  • Signed receipts

  • Export interfaces for tax authorities

  • Hospitality-specific: Room-number-based billing, interfaces to PMS systems for invoice export, separate management of point-of-sale and guest data

9. Incident Response Plan

In the event of a personal data breach:

9.1 Immediate Measures (0-24 hours)

  1. Containment: Close the security gap

  2. Documentation: Record nature, scope and time

  3. Assessment: Carry out a risk analysis

  4. Information: Contact support@bessa.app

9.2 Reporting Obligations (24-72 hours)

  1. Reporting to authorities: To the competent data protection authority

  2. Information to data subjects: In case of high risk

  3. Documentation: Complete record

9.3 Follow-Up

  1. Cause analysis: Root-cause analysis

  2. Measures: Improvement of security

  3. Training: Raising employee awareness

10. Support and Contact

10.1 Support

Technical support and data protection enquiries:

  • E-mail: support@bessa.app

  • Tel: +43 720 317 836

10.2 Resources

  • Sample privacy notice for your customers

  • Consent templates

  • Training materials

  • Data protection FAQ

10.3 Supervisory Authorities

Austria:
Österreichische Datenschutzbehörde
https://www.dsb.gv.at

Germany:
Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
https://www.bfdi.bund.de
Note: The BfDI supervises federal public bodies and the telecommunications and postal sectors. For private businesses, the data protection authority of the federal state (Bundesland) in which the business is established is competent; the BfDI website links to the state authorities.

11. Changes to This Privacy Notice

We reserve the right to amend this privacy notice in order to adapt it to changes in the legal framework or to changes in the service. You can always find the current version at:

12. Glossary

Controller: Determines the purposes and means of data processing (you as operator)
Processor: Processes data on behalf of the controller (meisterwork GmbH)
Data subject: Person whose data is processed (your customers / guests)
DPA: Data Processing Agreement pursuant to Art. 28 GDPR
bessa: Modular software system with functions for Sales Point, customer loyalty, online orders, etc.
PMS: Property Management System (for guest registration / reporting obligations in hotels)
PCI-DSS: Payment Card Industry Data Security Standard (security standard for payment data)


Important note: This privacy notice provides information on data processing in the context of using bessa. As an operator, you are obliged to create your own privacy notice for your customers. Feel free to use our sample template for this purpose.

This privacy notice does not replace legal advice. For specific questions, we recommend consulting a data protection expert.