Privacy Policy
Last updated: March 2026
1. Data Controller
Easy Vending GmbH
Weisslhofweg 12, 5400 Hallein, Austria
Phone: +43 5 77 09
Email: office@easyvending.at
Easy Vending GmbH is the sole data controller within the meaning of Art. 4(7) GDPR for the operation of the easyID service.
2. Purposes and Data Processing
easyID processes data for the purpose of legally required age verification at vending machines, pursuant to § 2a TNRSG and provincial youth protection laws. Age verification is required by law. Without successful verification, the vending machine cannot dispense age-restricted products. Verification is carried out using one of the following methods.
2.1 Age Verification with ID Austria
ID Austria transmits exclusively Boolean age attributes (over 14/16/18/21 years). No date of birth is requested.
| Data | Used | Stored |
|---|---|---|
| Age attributes (over 14/16/18/21) | Yes — adopted directly | Verification result in billing (7 yrs) |
| Date of birth | Not requested | No |
| Name, bPK | No | No |
2.2 Age Verification with EU-Login (eIDAS)
Nationals of other EU/EEA member states may identify themselves via EU-Login. If Boolean age attributes are included in the token, they are adopted directly. Otherwise, the date of birth is used for age calculation in working memory and discarded immediately thereafter. Name and personal identifier are not processed.
| Data | Used | Stored |
|---|---|---|
| Age attributes (over 14/16/18/21, if available) | Yes — preferentially adopted directly | Verification result in billing (7 yrs) |
| Date of birth (MDS) | Only as fallback — calculated in RAM, immediately discarded | No |
| Name, identifier (MDS) | No | No |
Parties involved: The eIDAS node of your home country (authentication) and the Austrian eIDAS node of the BMI (forwarding). Data processing within the eIDAS infrastructure is subject to the respective national and European data protection legislation.
2.3 Age Verification by Document Check
Alternatively, you can verify your age by capturing a valid identity document (national ID card, passport, or driving licence) via camera and transmitting it to the server for verification. This method is available in the browser — both via the easyID app and directly after scanning the QR code at the vending machine. The transmitted image is processed exclusively in working memory and is never stored on any permanent medium.
| Data | Processed | Stored |
|---|---|---|
| Image of identity document | Yes — in RAM for 2–5 sec. | No — discarded immediately |
| Date of birth (from MRZ) | Yes — age calculation in RAM | No — discarded immediately |
| Name, document number | No | No |
| Document type and issuing state | Yes — for format identification | Optionally in audit log (without personal reference) |
| Age verification (result) | Yes | Verification result in billing (7 yrs) |
2.4 easyID Mobile App
The easyID app allows you to set up an age proof once and then use it repeatedly by scanning a QR code at the vending machine. Biometric confirmation (Face ID, fingerprint, or device PIN) is required before each verification. Biometric data is processed exclusively on the device and is not transmitted to the easyID server. Easy Vending GmbH has no access to this data.
| Data | Storage Location | Purpose |
|---|---|---|
| App token (identifier without personal reference) | Secure device storage (iOS Keychain / Android Keystore) | Reusable age proof |
| Language setting | Local storage | User preference |
The app stores neither name, date of birth, document number, nor any other personal data. All stored data can be deleted at any time via the app settings; this revokes the tokens both locally and on the server.
2.5 Website Visits and Contact
The website is operated on a dedicated server of Easy Vending GmbH in Austria. No personal data is stored in log files when visiting the website. If you contact us by email or via the support form, your information will be processed for the purpose of handling your inquiry (Art. 6(1)(b) GDPR).
3. Legal Basis
| Processing | Legal Basis |
|---|---|
| Age verification (all methods) | Art. 6(1)(c) GDPR in conjunction with § 2a TNRSG and provincial youth protection laws |
| ID Austria attribute transmission | § 4(2) E-GovG (consent of the user to the ID Austria system) |
| EU-Login / eIDAS | Regulation (EU) No. 910/2014 |
| Contact | Art. 6(1)(b) GDPR |
| IT security (session protection, rate limiting) | Art. 6(1)(f) GDPR (legitimate interest in preventing misuse of the service) |
4. Recipients
| Recipient | Which Data |
|---|---|
| Machine operator | Verification result (over 14/16/18/21: yes/no) — no name, no date of birth |
| ID Austria system (BMI) | Technical protocol data of the authentication (under the authority of the BMI) |
| eIDAS node (for EU-Login) | eIDAS Minimum Data Set (under the authority of the respective authorities) |
The easyID infrastructure is operated on dedicated servers of Easy Vending GmbH. Currently, no external processors within the meaning of Art. 28 GDPR are engaged.
5. Transfer to Third Countries
There is no transfer of personal data to third countries. All processing takes place on servers in Austria.
6. Retention Periods
| Data Type | Storage Location | Duration |
|---|---|---|
| Verification session | Working memory (RAM) | Max. 5 min., deleted after single retrieval |
| Image of identity document (document check) | Working memory (RAM) | 2–5 seconds — discarded immediately |
| Billing data (verification results without personal reference) | Database | 7 years (§ 132 BAO) |
| App token | Device + server (encrypted) | Default 365 days — deletable by user at any time |
| System logs | Working memory (ring buffer) | Volatile — no persistent storage |
Billing data consists of the verification result (over 14/16/18/21: yes/no), a timestamp, and a machine identifier. Re-identification of individual users is not possible for Easy Vending GmbH with the means at its disposal.
7. Cookies
easyID uses exclusively technically necessary cookies:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Assignment of the verification session | End of session (max. 5 min.) |
No tracking, analytics, or advertising cookies are used (§ 165(3) TKG 2021).
8. Automated Decision-Making
The verification result is determined automatically. Automated decision-making within the meaning of Art. 22(1) GDPR does not take place, as the stored verification results have no personal reference (Art. 11 GDPR).
9. Your Rights
Since no personal data is stored during age verification and Easy Vending GmbH cannot identify the data subject, the rights under Art. 15 to 20 GDPR do not apply to verification data pursuant to Art. 11(2) GDPR.
Should you provide additional information enabling your identification (e.g. by email or via the support form), you are entitled to the rights of access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21).
Contact: office@easyvending.at
10. Right to Lodge a Complaint
You have the right to lodge a complaint with the competent data protection supervisory authority:
Austrian Data Protection Authority (DSB)
Barichgasse 40–42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at