Types of personal data processed:
- Inventory data (e.g. names, addresses)
- Contact details (e.g. email address, telephone numbers)
- Content (e.g. text material, photos, videos)
- Website traffic data (e.g. websites visited, interest in content, access times)
- Metadata and communication data (e.g. information about devices, IP addresses)
Categories of data subjects
- Customers / prospects / suppliers
- Visitors and users of the online offer
(referred to collectively as “users”).
Purpose of personal data processing
- Providing the online offer, its features and content
- Answering requests for contact and communication with users
- Security measures
- Measuring impact/marketing
“Personal data” is any information relating to an identified or identifiable natural person (“data subject”); a natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or online identifier (e.g. cookie), or to one or more special features that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” is any process carried out with or without the aid of automatic means, or a series of such processes in the context of personal data. The concept has a broad content and includes virtually any handling of personal data.
“Pseudonymization” is the processing of personal data in such a way that the personal data can no longer be assigned to a particular data subject without the use of further additional information, provided that this additional information is stored separately and is subject to technical and organizational measures that ensure the personal data is not assigned to an identified or identifiable natural person.
“Profiling” is any form of automated processing of personal data that involves using them in evaluating certain personal aspects relating to a natural person, in particular for the purposes of analysis or estimation, or for analyzing or anticipating aspects relating to work performance, economic situation, health status, personal preferences, interests, reliability, behavior, or the location or movement of that person.
An “administrator” is a natural or legal person, public authority, agency or other entity that decides on its own or jointly with others the purpose and means of processing personal data.
A “processor” is a natural or legal person, public authority, agency or other entity that processes personal data for the administrator.
Defining the legal basis for processing personal data
Safeguarding the processing of personal data
Under the provisions of Article 32 of GDPR and taking into account the state of the technology, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures particularly include ensuring the confidentiality, integrity and availability of personal data by controlling physical access, data entry, transmission, availability and separate storage. In addition, we have implemented procedures to ensure the protection of the rights of data subjects, data deletion and the response to data protection breaches. We keep the protection of personal data in mind during the development and selection of hardware, software and procedures, in line with the principle of data protection by design and by default (Article 25 of GDPR).
To ensure the security and confidentiality of personal data, which is especially important to us, we use technical and organizational measures, especially to protect against unauthorized access to data and their misuse. All measures are regularly evaluated and updated.
Cooperation with processors and third parties
If we share personal data processed by us with other persons and companies (processors or third parties), we transfer it to the third parties or companies, or we provide them access to the data using other means, we do so only on the basis of legal consent (e.g. if the transfer of personal data to third parties such as payment service providers is absolutely necessary for the purpose of contract performance under Article 6, paragraph 1(b) of GDPR), you have agreed to this legal obligation, or we do so based on our legitimate interests (such as using the services of authorized persons, web hosters, etc.).
If we entrust third parties with the processing of personal data on the basis of a “contract for the processing of personal data”, we will comply with the provisions of Article 28 of GDPR.
Transfer of personal data to third countries
If we process personal data in a third country (i.e. in a non-member state of the European Union (EU) or European Economic Area (EEA)), or the data is processed using the services of third parties or the personal data is released, i.e. transferred to third parties, we will do so only if it is necessary for the fulfillment of our (pre)contractual obligations, based on your consent, a legal commitment or our legitimate interests. Subject to legal or contractual consent, we process personal data or have personal data processed in a third country only if they meet the special requirements stipulated by Article 44 et seq. of GDPR. This means that the personal data will be processed on the basis of special safeguards. This guarantee means official recognition that the level of protection of personal data corresponds with standards in the European Union (e.g. for the U.S. under the Privacy Shield Agreement), or observance of officially recognized specific contractual obligations (“standard contractual clauses”).
Rights of data subjects
You have the right to request confirmation that personal data relating to you is processed and to request information on such data as well as other information and copies of personal data under the provisions of Article 15 of GDPR.
Under Article 16 of GDPR, you have the right to request that incomplete personal data relating to you be completed, or inaccurate data be corrected.
Under the provisions of Article 17 of GDPR, you have the right to request that your personal data be erased immediately, or you can request limitations on the processing of your personal data under Article 18 of GDPR.
Under Article 20 of GDPR, you have the right to obtain the personal data concerning you that you have provided to us, and request that they be transferred to another administrator.
You also have the right under Article 77 of GDPR to file a complaint with the competent supervisory authority.
Right to withdraw your consent
Under Article 7, paragraph 3 of GDPR, you have the right to withdraw your consent to the processing of your personal data any time.
Right to objection
Under Article 21 of GDPR, you have the right to object to the processing of personal data relating to you. You can particularly object to processing for direct marketing purposes.
Cookies and the right to object to direct marketing
“Cookies” are small data files that are stored on users’ computers. Various data can be stored in these files. Cookies are used primarily to store data about users (or data about the device on which the cookie is stored) during their visit or afterwards within the framework of the online offer. “Temporary” cookies are files that are deleted after the user exits the online offer and closes the browser. Such cookies can store things like the contents of a shopping cart in an online store or login status. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status can be stored in case users visit again in a few days. The cookie can also store user interests, which are then used to measure the effectiveness of advertising or for marketing purposes. “Third-party cookies” are those offered by persons other than the administrator who operates the online offer (we call the cookies of the administrator “first-party cookies”).
If users do not want the cookies to be stored on their computers, they will be asked to deactivate the relevant option in the system settings of their browsers. Stored cookies can be deleted in the system settings of the browser. Blocking cookies can lead to limitations in this online offer.
Deleting personal data
In accordance with the legal provisions in Austria, personal data are stored in particular for 7 years according to § 132 exp. 1 BAO (Bundesabgabenordnung/Federal Tax Code) (accounting documents, vouchers/invoices, accounts, bills/receipts, business papers, statement of income and expenses, etc.), for 22 years in connection with real estate and for 10 years relating to electronically supplied services and telecommunication, broadcasting and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.
Commercial processing of personal data
We also process the following data from our customers, interested parties and business partners for the purpose of providing contractual performance, customer care and service, marketing, advertising and market research:
- Contractual data (e.g. scope of the contract, term of the contract, customer category)
- Payment information (e.g. bank, payment history).
Administration, financial accounting, office organization, contact management
We process personal data as part of administrative tasks and organizing our operations, financial accounting and complying with obligations stipulated by law, such as archiving. We process the same data that we process within the framework of providing our contractual performance. The basics of data processing are provided in the provisions of Article 6, paragraph 1(c) of GDPR and Article 6, paragraph 1(f) of GDPR. The personal data of customers, interested parties, business partners and visitors to the website are processed. The purpose and reason for our interest in processing personal data is administration, financial accounting, office organization, data archiving, i.e. the work we undertake to maintain our activities, complete our tasks and provide our services. The deletion of personal data relating to contractual performance and contractual communication corresponds to the data reported for these processing activities.
We share or transfer personal data to financial administrations and advisors, such as tax advisors or auditors and other authorities that collect fees, as well as to payment service providers.
Based on our economic interests, we also store data about suppliers, organizers and other business partners for the purpose of possibly concluding a later contact. This data, which mostly concerns businesses, is basically stored by us permanently.
Corporate economic analysis and market research
In order to be able to carry out our business activities efficiently, to monitor developments in the market and to know the wishes of our contractual partners and users, we analyze the personal data we obtain from business transactions, contracts, inquiries, etc. We process status data, communication data, contractual, payment, user data and metadata in accordance with Article 6, paragraph 1(f) of GDPR, where the data subjects are contractual partners, interested parties, customers, visitors and users of our online offer.
We do these analyses in order to maintain accounting records and conduct marketing and research. The profiles of registered users can be useful to us, i.e. the services used by them. These analyses help us increase user comfort and optimize our offer and efficiency. The analyses are only for our needs and will not be provided to external entities unless they are anonymous analyses with aggregate values.
Should these analyses or profiles relate to individuals, they will be erased or anonymized when the user revokes his consent to the processing of his personal data, otherwise two years after the conclusion of the contract. In other cases, company-wide economic analyses will be elaborated and general trends identified anonymously if possible.
Information about privacy in application process
We process the personal data of job applicants and use it only for the purposes and within the framework of choosing and hiring new employees in accordance with legal regulations. We process the personal data of job applicants in order to meet our (pre)contractual obligations in the choosing and hiring of employees in accordance with Article 6, paragraph 1(b) of GDPR and Article 6, paragraph 1(f) of GDPR, if processing this data is necessary for us, e.g. in the context of legal proceedings.
The application process presumes that applicants will share their personal data with us. The necessary personal data of applicants are indicated, in case we offer an online application form, otherwise arise from the job descriptions and basically include data about the individual applicant, postal and contact addresses and the documents necessary for the application procedure, such as cover letter, CV and professional and educational certificates. In addition, applicants may freely provide us with additional information.
In case the job applicant freely provides us with a special category of personal data in accordance with Article 9, paragraph 1 of GDPR, such data will be processed in accordance with Article 9, paragraph 2(b) of GDPR (e.g. data about health status such as degree of disability or ethnic origin). If within the framework of the application procedure, applicants will be asked to share specific categories of personal data in accordance with Article 9, paragraph 1 of GDPR, the processing of such data will be additionally performed in accordance with Article 9, paragraph 2(a) of GDPR (e.g. data about health status if necessary for occupational purposes).
If provided, job applicants may send us their applications using the online application form on our website. The data will be encrypted in accordance with current technology and transferred to us.
Applicants may also send us their job applications via email. In this case, however, we ask you to bear in mind that these emails are essentially unencrypted and applicants must therefore arrange the encryption themselves. We therefore cannot be responsible for the manner in which the application is transferred between the sender and its receipt on our server; we therefore recommend using the online form.
We may use the data provided by the applicant in the event the applicant is successful and the data need to be processed for the purposes of an employment contract. On the other hand, should the job applicant be unsuccessful, his personal data will be deleted. The personal data of applicants will likewise be deleted if the applicants withdraw their job applications. Applicants have the right to withdraw their job applications at any time.
Subject to an authorized cancellation by applicants, the data will not be deleted for six months in order to allow us to answer any questions related to the job application and so meet our other legal obligations, or for 3 years in order to allow us to assert or defend against any claims arising from the application process. Invoices for any reimbursement of travel expenses will be archived in accordance with accounting and tax regulations.
As part of the application procedure, we offer the applicants the opportunity to enter our Talent-Pool for a period of two years on the basis of their consent according to Article 6, paragraph 1(a) and Article 7 of GDPR.
The application documents from the talent pool will be processed within future application procedures and searches for employees, and will be erased at the latest once the deadline has passed. Applicants will always be informed that their consent to entering the talent pool is voluntary and has no impact on the ongoing hiring procedure, and that this consent can be withdrawn at any time and an objection can be raised in accordance with Article 21 of GDPR.
When we are contacted (e.g. through a contact form, email, phone or via social media), the user’s data is processed in order to allow us to establish contact and process inquiries in accordance with Article 6, paragraph 1(b) (in the context of contractual/pre-contractual relations), Article 6, paragraph 1(f) (other queries) of GDPR. The user’s data can be stored in the customer relationship management system (“CRM system”) or in a comparable organizational system.
We delete inquiries once they are no longer needed. We check this need once every two years. Archiving obligations stipulated by law shall furthermore apply.
Hosting and sending emails
Our hosting services are used to provide the following services: infrastructure and platform services, computing capacity, storage and database services, sending email, security services and technical maintenance. We use these services for the purposes of facilitating our online offer.
We, or our hosting provider, process the status data, contact data, content data, contractual data, user data, metadata and communication data of customers, interested parties and viewers of this online offer based on our legitimate interests in the efficient and secure provision of this online offer under Article 6, paragraph 1(f) of GDPR in conjunction with Article 28 of GDPR (concluding a contract for the processing of personal data).
Collecting data on accesses and logs
Based on our legitimate interests within the meaning of Article 6, paragraph 1(f) of GDPR, we collect data about every access to the server on which this service is located (i.e. server log files). The data about such access include the name of the visited website, file, date and time viewed, transferred amount of data, reports on successful page loads, browser type and its version, operating system of the user, referring URL (previously visited page) and the provider that requested it. IP addresses are anonymous.
These data are not personal data; we therefore cannot go back to find which user searched for which data, and we do not try to obtain such information.
Google is certified under the Privacy-Shield agreement and provides a guarantee that the European law on personal data protection will be respected. (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf in order to evaluate the use of our online offer by users, prepare reports on activities within the framework of the online offer, and provide other services associated with the use of the online offer and Internet usage. For this purpose, pseudonymized user profiles may be compiled from the processed data.
We only use Google Analytics with IP anonymization enabled. This means that Google shortens the IP address of users located in member states of the European Union or in other countries of the European Economic Area. Only in exceptional cases will a complete IP address be transferred to one of the servers of Google in the US, where it will be truncated.
An IP address transmitted by the browser of the user will not be linked to other data by Google. Users can prevent the storage of cookies by selecting the appropriate settings in the software of their browser. In addition, users can prevent the collection of data via cookies and data about their use of the online offer and the processing of this data by Google by downloading and installing a browser plug-in that is available at this link: http://tools.google.com/dlpage/gaoptout?hl=de.
In addition to the service of Browser Add-On or as part of browsers on mobile devices, another option is to click on this link to prevent future data collection using Google Analytics on this website: Analytics Opt-Out. This will save the Opt-Out-Cookie on your device. If you delete your cookies, you will need to click this link again.
The personal data of users will be deleted after 14 months or made anonymous.
Online presentations on social media
We make online presentations on social networks and platforms so that we can communicate with customers, interested people and users and inform them about our services.
Please note that the personal data of users may be processed outside of European Union states. This may pose a risk for users, as it may be more difficult for them to exercise their rights. We would like to inform you that service providers in the US are certified under the Privacy Shield agreement and are pledged to abide by the standards of the European Union on protecting personal data.
Furthermore, the personal data will usually be processed for the purposes of market research and advertising. For example, user profiles can be compiled from behavior and the interests indicative of it. User profiles can be used for displaying advertisements on the platform and outside it, which are probably relevant to your interests. For these purposes, cookies that store the behavior and interests of users are usually stored on the computers of these users. In addition, data independent of the devices used by users can be stored in the user profiles (especially if users are members of a certain platform and are logged onto it).
We process the personal data of users based on our legitimate interests, which includes effective communication with users and providing them with information in accordance with the provisions of Article 6, paragraph 1(f) of GDPR. If users are prompted by the service provider to give their consent to the processing of their personal data (i.e. their consent by ticking the appropriate box or confirmation button, for example), the legal basis for the processing of personal data is Article 6, paragraph 1(a) and Article 7 of GDPR.
You can find more information about the processing of personal data and the opt-out option by clicking the links of the service providers given below.
Also, in the case of requests for information and the application of user rights, we would like to remind you that the best place to make such requests and applications are the service providers. Only service providers have access to user data and can directly take appropriate measures and provide information. Should you still require assistance, you may contact us.
- Google/YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – privacy statement: https://policies.google.com/privacy, Opt-Out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Interconnecting the services and content of third parties
As part of our online offer, we use the content and service of third-party providers based on the legitimate interests of our offer (such as the analysis, optimization and economic facilitation of our online offer within the meaning of Article 6, paragraph 1(f) of GDPR) so that we can use their content and services such as videos or fonts (collectively referred to as “content”).
It is always a prerequisite for third-party content providers to store the IP addresses of users, because they cannot send their content to the browsers of these users without an IP address. An IP address is therefore necessary to display this content. We try to only use the content of providers who use an IP address only to provide content. Third-party providers may also use pixel tags (invisible images that are also referred to as “web beacons”) for statistical and marketing purposes. Pixel tags make it possible to evaluate information such as traffic on this website. Pseudonymized information can also be stored in cookies on the user’s device, and they include technical information about the browser and operating system, the referring website, length of the visit to the website and other data about the use of our online offer. In addition, it can be interconnected with information from other sources.