Categories of processed data:
- Basic data (e.g. name, address)
- Contact details (e.g. email, phone numbers)
- Content data (e.g. text entries, photos, videos)
- User data (e.g. websites visited, interest in content, access times)
- Meta and communication data (e.g. device identifiers, IP addresses).
Categories of data subjects:
Visitors and users of the online offer (hereinafter collectively “users”).
Purposes for which we process personal data:
- To make available the online offer, its functions and content
- to answer contact requests and to communicate with users
- to implement security measures
- to measure audience reach/to carry out marketing measures
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This definition must be understood broadly and covers basically any handling of data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal bases:
Cooperation with processors and third parties:
Whenever we disclose, transfer or make data otherwise accessible to other persons or companies (processors or third parties) in the context of our processing operations, we do so on the basis of a legal authorisation (for example if it is necessary to transfer data to third parties, such as payment services providers, according to Article (6) (1) (b) GDPR for the performance of a contract), on the basis of your consent, to comply with a legal obligation or to pursue our legitimate interests (e.g. when we use contractors, web hosters, etc).
We will appoint third parties for the processing of data on the basis of a “data processing agreement” according to Article 28 GDPR.
Transfer of data to third countries:
Whenever we process data in a third country (i.e. in a state outside the European Union (EU) or the European Economic Area (EEA)) or where processing operations are carried out by third parties or data are disclosed or transferred to third parties, we do so only if this is necessary to comply with our (pre)contractual obligations on the basis of your consent, to comply with a legal obligation or to pursue our legitimate interests. Subject to legal or contractual authorisations, we process data or have data processed in a third country only if the conditions laid down in Articles 44 et seq GDPR are complied with. Data are therefore processed if appropriate safeguards have been provided, such as an officially recognised level of data protection consistent with EU requirements (e.g. the “Privacy Shield” for the United States) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
Rights of the data subject:
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to further information and to a copy of such data according to Article 15 GDPR.
According to Article 16 GDPR, you have the right to obtain the rectification of inaccurate personal data concerning you or to have incomplete personal data completed.
According to Article 17 GDPR, you have the right to obtain the erasure of the relevant data without undue delay or, alternatively, according to Article 18 GDPR, the right to restriction of processing.
According to Article 20 GDPR, you have the right to receive the data you have provided to us or to have those data transmitted to another controller.
Furthermore, according to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of withdrawal:
You have the right to withdraw your consent at any time according to Article 7 (3) GDPR.
Right to object:
You have the right to object at any time to processing of your personal data based on Article 21 GDPR. You may also object to processing of data for direct marketing purposes.
Cookies and right to object to processing for direct marketing purposes:
“Cookies” are tiny text files that are stored on your computer. Cookies can store different information. A cookie primarily helps store information on a user (or on the device on which the cookie is stored) during, and also after a user visits a website in the context of an online offer. Temporary cookies or “session cookies” or “transient cookies” are cookies that are deleted when a user leaves a website and closes his or her browser. Such a cookie can store the content of an online basket or a login status. “Permanent” or “persistent” cookies remain on your computer also after you close your browser and can therefore store the log-in status if you visit the website again. Such a cookie can also store a user’s preferences that are used to measure audience reach or for marketing purposes. “Third-party cookies” are cookies of providers other than the controller who operates the online offer (the controller’s cookies are called “first-party cookies”).
If you want to block cookies, you should adjust the settings on your browser which allow you to disable cookies. You can adjust the settings on your browser to delete cookies. However, if you do this, you may not be able to benefit from the full functionality of this online offer.
Erasure of data:
According to legal requirements applicable in Austria, there is a 7-year retention period according to § 212 (1) of the Commercial Code (UGB) (books and records, inventories, opening balance sheets, financial statements and directors’ reports, etc.) and according to § 132 (1) Federal Tax Code (BAO) (accounting records, receipts/invoices, accounts, receipts, business records, statement of revenue and expenditure, etc.), a 22-year retention period in connection with land, and a 10-year retention period for documents relating to electronic services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the mini-one-stop-shop (MOSS) applies.
Business-related processing operations:
In addition, we process
- contract data (e.g. subject-matter of a contract, duration, customer category),
- payment data (e.g. bank details, payment history)
of our customers, prospects and business partners for the provision of services under a contract, for service and customer support, marketing, advertising, and market research.
We use hosting services in order to provide the following services: infrastructure and platform services, computing capacity, memory and database services, security services, and technical maintenance services which we use to run this online offer.
In doing so, we or our hosting provider processes personal details, contact details, content data, contract data, usage data, meta and communication data of customers, prospects and visitors of this online offer on the basis of our legitimate interests which consist in making this online offer available in an efficient and safe manner according to Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of data processing agreement).
Collection of access data and log files:
Based on our legitimate interests according to Article 6 (1) (f) GDPR, our hosting providers or we will collect data on every access to the server which hosts the services (so-called server log files). Access data include the name of the website visited, the name of the file that was retrieved, and the date and time when it was retrieved, the data volume transferred, status of successful transfer, type and version of browser, user's operating system, referrer URL (the site visited before), IP address and requesting provider.
Log file information is stored for a maximum period of 7 days for security reasons (e.g. to clear up cases involving abuse or fraud) and is then erased. Data that must be kept for evidence purposes will not be erased until the respective incident is finally resolved.
Provision of contractual services:
We process personal details (such as names and addresses and contact details of users), contract data (e.g. services used, names of contact points, payment information) in order to comply with our contractual obligations and to provide services according to Article 6 (1) (b) GDPR. Information that you are obliged to provide in online forms is necessary for the conclusion of a contract.
We erase data after the expiration of legal guarantee obligations or similar obligations; every three years, we assess whether it is still necessary to keep data; data are erased after the expiration of legal archiving obligations. Any information provided in a customer’s account is kept until the account is deleted.
If a user contacts us (for example via contact form, email, phone or social media), we will process the user’s information to handle the contact request according to Article 6 (1) (b) GDPR. The user’s information can be stored in a customer relationship management system (“CRM system) or in a similar request organization.
We erase requests that are no longer necessary. We assess that necessity every two years; the legal archiving obligations apply.
Google is certified according to the EU-US Privacy Shield and therefore guarantees to comply with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information for the purpose of evaluating your use of our online offer, for compiling synthesis reports on website activity for website operators, and for providing us with other services relating to website activity and internet usage. In this context, pseudonym user profiles can be created on the basis of the processed data.
We use Google Analytics only with activated IP anonymisation. This means that your IP address will be truncated by Google in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.
The IP address transmitted by your browser will not be matched with other data of Google. Furthermore, you may adjust the settings of your browser to block cookies; furthermore, you can download and install the browser plugin provided below to prevent the collection of data relating to your use of this online offer generated by the cookie to Google and the processing of such data by Google. http://tools.google.com/dlpage/gaoptout?hl=en.
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.
If you want to learn more about how Google uses data, how to adjust your settings and how to object, go the following Google websites: https://policies.google.com/technologies/partner-sites?hl=en ("How Google uses information from sites or apps that use our services“), https://policies.google.com/technologies/ads?hl=en (“How Google uses data in advertising”), https://adssettings.google.de/anonymous?sig=ACi0TCg70AiACphn6rLyDmG3m4MAR-cU_gBgo_BOTpXHGzGy8RsJJJmgIMrjBnIlYDzG-zV8AXHemNkg4oobH2kVtmcTGpmS6i6AHRSCnOysjJDKBp6J0xg&hl=en (“Control the information Google uses to show you ads”).
Online presence in social media:
We are active on social media and platforms in order to communicate with and inform customers, prospects and users on these platforms about our services. When you visit these media and platforms, the terms and conditions and data processing policies of the respective operators apply.
Integration of services and content provided by third parties:
We provide content or services offered by third parties in the context of our online offer based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer according to Article 6 (1) (f) GDPR) in order to integrate their content and services such as videos or fonts (hereinafter collectively “content”).
However, this always requires the third-party providers of such content to recognise the IP address of a user, because they could not send content to a user’s browser without the IP address. The IP address is therefore necessary to display such content. We endeavour to use only content of providers who use the IP address only to deliver such content. Furthermore, third-party providers can also use pixel tags (transparent graphic images also referred to as “web beacons”) for purposes of statistics or marketing. Pixel tags are used to analyse information such as user traffic on the pages of this website. Pseudonymous data can also be stored in cookies on the user’s computer and contain, among other things, technical information on the browser and operating system, referring websites, time of visit, and other information on the use of our online offer, and can be matched with such information from other sources.