Categories of processed data:
- Basic data (e.g. name, address)
- Contact details (e.g. email, phone numbers)
- Content data (e.g. text entries, photos, videos)
- User data (e.g. websites visited, interest in content, access times)
- Meta and communication data (e.g. device identifiers, IP addresses).
Categories of data subjects:
Visitors and users of the online offer (hereinafter collectively “users”).
Purposes for which we process personal data:
- To make available the online offer, its functions and content
- to answer contact requests and to communicate with users
- to implement security measures
- to measure audience reach/to carry out marketing measures
“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. This definition must be understood broadly and covers basically any handling of data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant legal bases:
Cooperation with processors and third parties:
Whenever we disclose, transfer or make data otherwise accessible to other persons or companies (processors or third parties) in the context of our processing operations, we do so on the basis of a legal authorisation (for example if it is necessary to transfer data to third parties, such as payment services providers, according to Article (6) (1) (b) GDPR for the performance of a contract), on the basis of your consent, to comply with a legal obligation or to pursue our legitimate interests (e.g. when we use contractors, web hosters, etc).
We will appoint third parties for the processing of data on the basis of a “data processing agreement” according to Article 28 GDPR.
Transfer of data to third countries:
Whenever we process data in a third country (i.e. in a state outside the European Union (EU) or the European Economic Area (EEA)) or where processing operations are carried out by third parties or data are disclosed or transferred to third parties, we do so only if this is necessary to comply with our (pre)contractual obligations on the basis of your consent, to comply with a legal obligation or to pursue our legitimate interests. Subject to legal or contractual authorisations, we process data or have data processed in a third country only if the conditions laid down in Articles 44 et seq GDPR are complied with. Data are therefore processed if appropriate safeguards have been provided, such as an officially recognised level of data protection consistent with EU requirements (e.g. the “Privacy Shield” for the United States) or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
Rights of the data subject:
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to further information and to a copy of such data according to Article 15 GDPR.
According to Article 16 GDPR, you have the right to obtain the rectification of inaccurate personal data concerning you or to have incomplete personal data completed.
According to Article 17 GDPR, you have the right to obtain the erasure of the relevant data without undue delay or, alternatively, according to Article 18 GDPR, the right to restriction of processing.
According to Article 20 GDPR, you have the right to receive the data you have provided to us or to have those data transmitted to another controller.
Furthermore, according to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of withdrawal:
You have the right to withdraw your consent at any time according to Article 7 (3) GDPR.
Right to object:
You have the right to object at any time to processing of your personal data based on Article 21 GDPR. You may also object to processing of data for direct marketing purposes.
Cookies and right to object to processing for direct marketing purposes:
“Cookies” are tiny text files that are stored on your computer. Cookies can store different information. A cookie primarily helps store information on a user (or on the device on which the cookie is stored) during, and also after a user visits a website in the context of an online offer. Temporary cookies or “session cookies” or “transient cookies” are cookies that are deleted when a user leaves a website and closes his or her browser. Such a cookie can store the content of an online basket or a login status. “Permanent” or “persistent” cookies remain on your computer also after you close your browser and can therefore store the log-in status if you visit the website again. Such a cookie can also store a user’s preferences that are used to measure audience reach or for marketing purposes. “Third-party cookies” are cookies of providers other than the controller who operates the online offer (the controller’s cookies are called “first-party cookies”).
If you want to block cookies, you should adjust the settings on your browser which allow you to disable cookies. You can adjust the settings on your browser to delete cookies. However, if you do this, you may not be able to benefit from the full functionality of this online offer.
Google DoubleClick Cookies:
Erasure of data:
According to legal requirements applicable in Austria, there is a 7-year retention period according to § 212 (1) of the Commercial Code (UGB) (books and records, inventories, opening balance sheets, financial statements and directors’ reports, etc.) and according to § 132 (1) Federal Tax Code (BAO) (accounting records, receipts/invoices, accounts, receipts, business records, statement of revenue and expenditure, etc.), a 22-year retention period in connection with land, and a 10-year retention period for documents relating to electronic services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the mini-one-stop-shop (MOSS) applies.
Business-related processing operations:
In addition, we process
- contract data (e.g. subject-matter of a contract, duration, customer category),
- payment data (e.g. bank details, payment history)
of our customers, prospects and business partners for the provision of services under a contract, for service and customer support, marketing, advertising, and market research.
We use hosting services in order to provide the following services: infrastructure and platform services, computing capacity, memory and database services, security services, and technical maintenance services which we use to run this online offer.
In doing so, we or our hosting provider process personal details, contact details, content data, contract data, usage data, meta and communication data of customers, prospects and visitors of this online offer on the basis of our legitimate interests which consist in making this online offer available in an efficient and safe manner according to Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of data processing agreement).
Collection of access data and log files:
Based on our legitimate interests according to Article 6 (1) (f) GDPR, our hosting providers or we will collect data on every access to the server which hosts the services (so-called server log files). Access data include the name of the website visited, the name of the file that was retrieved, and the date and time when it was retrieved, the data volume transferred, status of successful transfer, type and version of browser, user's operating system, referrer URL (the site visited before), IP address and requesting provider.
Log file information is stored for a maximum period of 7 days for security reasons (e.g. to clear up cases involving abuse or fraud) and is then erased. Data that must be kept for evidence purposes will not be erased until the respective incident is finally resolved.
Provision of contractual services:
We process personal details (such as names and addresses and contact details of users), contract data (e.g. services used, names of contact points, payment information) in order to comply with our contractual obligations and to provide services according to Article 6 (1) (b) GDPR. Information that you are obliged to provide in online forms is necessary for the conclusion of a contract.
We erase data after the expiration of legal guarantee obligations or similar obligations; every three years, we assess whether it is still necessary to keep data; data are erased after the expiration of legal archiving obligations. Any information provided in a customer’s account is kept until the account is deleted.
If a user contacts us (for example via contact form, email, phone or social media), we will process the user’s information to handle the contact request according to Article 6 (1) (b) GDPR. The user’s information can be stored in a customer relationship management system (“CRM system) or in a similar request organization.
We erase requests that are no longer necessary. We assess that necessity every two years; the legal archiving obligations apply.
Comments and posts:
Based on our legitimate interests according to Article 6 (1) (f) GDPR, we will store the IP addresses of users who post comments for 7 days. We do this for our own safety in case someone should post unlawful content (insults, banned political propaganda etc). In this case, we could be held liable for the comment or post and therefore want to know the author’s identity.
The following chapter describes the content of our newsletters, how you can sign up for and receive newsletters, how we perform statistical analyses, and how you can exercise your right to object. If you subscribe to our newsletter, you are deemed to agree with receiving the newsletter and with the procedures described.
Content: We send newsletters, emails and other electronic mail containing advertising (hereinafter “Newsletter) only with the recipient’s consent or based on a legal permission. If the content of a Newsletter is explicitly described when you sign up for it, such content is relevant for the user’s consent. Furthermore, our Newsletters provide information on our services and our business.
Double-opt-in and logging: There is a double-opt-in process if you want to sign up for our Newsletter. After you have filled out the signup form, you will receive an email and are asked to verify your registration. This ensures that others cannot use your email address to sign up. Newsletter registrations are logged in order to document the sign-up process in line with legal requirements. This includes storage of sign-up and verification time, and of the IP address. Also changes of your data stored with the shipping provider will be logged.
Sign-up data: If you want to sign up for the Newsletter, we simply need your email address. We also ask you to give us a name, so we can address you personally in the Newsletter.
The sign-up process is logged on the basis of our legitimate interests according to Article 6 (1) (f) GDPR, which consist in providing a user-friendly and safe Newsletter system that serves our business interests and meets the expectations of users and allows us to prove that we have obtained consents.
Cancellation/withdrawal - You may cancel our Newsletter or withdraw your consent at any time. If you want to cancel the Newsletter, click a link which is provided at the bottom of each Newsletter. We may keep email addresses of users who cancelled our Newsletter for up to three years on the basis of our legitimate interests before we erase them; this allows us to prove that we had sent you the Newsletter based on your consent. Such data are processed only to defend potential claims. You may send us a cancellation request at any time, provided that you can confirm that you had previously given your consent.
Google is certified according to the EU-US Privacy Shield and therefore guarantees to compliance with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information for the purpose of evaluating your use of our online offer, for compiling synthesis reports on website activity for website operators, and providing us with other services relating to website activity and internet usage. In this context, pseudonym user profiles can be created on the basis of the processed data.
We use Google Analytics only with activated IP anonymisation. This means that your IP address will be truncated by Google in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and truncated there.
The IP address transmitted by your browser will not be matched with other data of Google. Furthermore, you may adjust the settings of your browser to block cookies; furthermore, you can download and install the browser plugin provided below to prevent the collection of data relating to your use of this online offer generated by the cookie to Google and the processing of such data by Google. http://tools.google.com/dlpage/gaoptout?hl=en.
You can prevent the collection of your data by Google Analytics by clicking on the following link. An opt-out cookie will be set to prevent your data from being collected on future visits to this site: Disable Google Analytics.
If you want to learn more about how Google uses data, how to adjust your settings and how to object, go to the following Google websites: https://policies.google.com/technologies/partner-sites?hl=en ("How Google uses information from sites or apps that use our services“), https://policies.google.com/technologies/ads?hl=en (“How Google uses data in advertising”), https://adssettings.google.de/anonymous?sig=ACi0TCg70AiACphn6rLyDmG3m4MAR-cU_gBgo_BOTpXHGzGy8RsJJJmgIMrjBnIlYDzG-zV8AXHemNkg4oobH2kVtmcTGpmS6i6AHRSCnOysjJDKBp6J0xg&hl=en (“Control the information Google uses to show you ads”).
Online presence in social media:
We are active on social media and platforms in order to communicate with and inform customers, prospects and users on these platforms about our services. When you visit these media and platforms, the terms and conditions and data processing policies of the respective operators apply.
Integration of services and content provided by third parties:
We provide content or services offered by third parties in the context of our online offer based on our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer according to Article 6 (1) (f) GDPR) in order to integrate their content and services such as videos or fonts (hereinafter collectively “content”).
However, this always requires the third-party providers of such content to recognise the IP address of a user, because they could not send content to a user’s browser without the IP address. The IP address is therefore necessary to display such content. We endeavour to use only content of providers who use the IP address only to deliver such content. Furthermore, third-party providers can also use pixel tags (transparent graphic images also referred to as “web beacons”) for purposes of statistics or marketing. Pixel tags are used to analyse information such as user traffic on the pages of this website. Pseudonymous data can also be stored in cookies on the user’s computer and contain, among other things, technical information on the browser and operating system, referring websites, time of visit, and other information on the use of our online offer, and can be matched with such information from other sources.
Use of Facebook Social Plugins:
Based on our legitimate interests (i.e. interest in the analysis, optimisation, and economic operation of our website according to Article 6 (1) (f) GDPR) we use Social Plugins ("plugins") of the social network facebook.com operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). Plugins may represent interaction elements or content (e.g. videos, graphic images, or comments) and are marked with a Facebook logo (white “f” in a blue box, the word "like", or a "thumbs up" sign) or are designated as "Facebook Social Plugin". For a list and images of the icons of the Facebook Social Plugins, go to: .https://developers.facebook.com/docs/plugins/
Facebook is certified under the EU-U.S. Privacy Shield Framework and thus guarantees that it will comply with European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
If a user accesses a function of this website that contains such a plugin, the user's browser will establish a direct connection to the Facebook servers. Facebook transmits the content of the plugin directly to the user's device, where it is integrated into the website. The data processed can be used to create usage profiles of the respective users. We thus have no influence on the scope of data Facebook will collect via this plugin, and we therefore inform the user to the best of our knowledge.
As a result of the plugin integration, Facebook is informed that the user has visited the corresponding page of the website. If the user is logged in on Facebook, Facebook can assign the user's visit to the user's Facebook account if the user interacts with the plugins, for example by using the "Like" button or by leaving a comment, your device transmits the corresponding information directly to Facebook where it is stored. If the user is not a member of Facebook, Facebook can still collect and store the user's IP address. According to Facebook, only anonymised IP addresses are stored in Austria.
The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the related rights and settings available to users to protect their privacy are described in the Facebook privacy policies: https://www.facebook.com/about/privacy/.
If the user is a member of Facebook and does not want Facebook to collect data in the manner described above and match it with the user's membership data stored on Facebook, the user must log out of his/her Facebook account before he or she visits our website and delete his/her cookies. Further settings and objections to the use of data for advertising purposes are possible in the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the United States page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. These are cross-platform settings, that is, once made, they will apply to all devices such as desktop computers or mobile devices.