Data Privacy Statement
Westbahnstraße 7 Top 6a
1070 Vienna Austria
Company Registration No.: FN 418654 v
Managing Director: Doris Schnepf
Telephone: +43 676 67 00 215
Types of data held:
- Personal data
- Contact details
- Content data
- Usage data (such as websites visited, interest in content, access times)
- Meta / communication data (e.g. device information, IP addresses)
Only data that has been expressly given by users is stored, such as data entered in an online form.
Categories of data subjects:
- Customers / interested parties / suppliers
- Website visitors and online users
Hereinafter, we refer to any persons concerned as ‘users’.
Purpose of holding data:
- Answering contact requests and communicating with users, as of 25.05.2018.
- Relevant legal framework
In accordance with Article 13 of the GDPR, we are informing you of the legal basis of our data processing. Unless referring to another legal basis in the data protection declaration, the following applies: the legal basis for obtaining consent is Article 6 (1) (a) and Article 7 of the GDPR; the legal basis for processing data to carry out our services and contractual obligations and answering inquiries about our services is Article 6 (1) (b) of the GDPR; the legal basis for processing data to fulfil our legal obligations is Article 6 (1) (c) of the GDPR; and the legal basis for processing data to protect our legitimate interests is Article 6 (1) (f) of the GDPR. If, in the interests of the data subject or another individual, personal data requires processing, Article 6 (1) (d) of the GDPR is our legal basis.
- Security measures
3.1. We take appropriate technical and organisational measures in accordance with Article 32 of the GDPR, taking into account the state of the art, implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the likelihood and severity of risk to the rights and freedoms of natural persons, to ensure a level of protection appropriate to the risk. In particular, measures include ensuring the confidentiality, integrity and accessibility of data by controlling physical access to the data, as well as online access, input, disclosure, availability and separation. In addition, we have established procedures that ensure data subject rights, data erasure and response to data vulnerability. Furthermore, we also consider the protection of personal data when developing or selecting hardware, software and procedures, in accordance with the principle of data protection by technology design and by privacy-friendly default settings (Article 25 of the GDPR).
3.2. One of the security measures is the encrypted transfer of data between your browser and our server.
- Cooperation with subcontractors and third parties
4.1. If in the course of processing, we disclose data to other persons and companies (subcontractors or third parties), share data with them or otherwise grant access to data, this is done only where legally permitted (e.g. sharing data with third parties as required by payment service providers, pursuant to Article 6 (1) (b) of the GDPR in order to fulfil the contract), with your consent or in pursuit of our legitimate interests (such as the use of agents, website hosts, etc.).
4.2. If we commission third parties to process data on the basis of a ‘processing contract’, this is done on the basis of Article 28 of the GDPR.
- International transfer of personal data
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or if this happens when using third party services or disclosing or transmitting data to third parties, this will only be done if it is to fulfil our (pre) contractual obligations, with your consent, to fulfil a legal obligation or in pursuit of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only under the special conditions of Article 44 et seq. of the GDPR, meaning that processing is subject to specific guarantees, such as an officially recognized level of data protection (e.g. in the USA, through the Privacy Shield) or compliance with officially recognized special contractual obligations (so-called ‘standard contractual clauses’).
- Rights of the persons concerned
6.1. You have the right to ask for confirmation about whether your personal data is being processed, for information about your data and for any other information, and a copy of your data in accordance with Article 15 of the GDPR.
6.2. In accordance with Article 16 of the GDPR you have the right to demand the completion of your data or the correction of any incorrect data concerning you.
6.3. You have the right to demand the relevant data be deleted immediately in accordance with Article 17 of the GDPR, or alternatively to require a restriction of the processing of your data in accordance with Article 18 of the GDPR.
6.4. You have the right to receive the personal data you have provided us with and to request its transmission to other responsible persons, in accordance with Article 20 of the GDPR.
6.5. In accordance with Article 77 of the GDPR you have the right to file a complaint with the relevant supervisory authority.
- Right to withdraw consent
You have the right under Article 7 (3) of the GDPR to withdraw your consent with effect in perpetuity.
- Right to refuse
You can refuse any future processing of your data at any time, in accordance with Article 21 of the GDPR. Refusal in particular can be made to processing your data for direct marketing purposes.
- Cookies and your right to refuse direct marketing
- Deletion of personal data
10.2. Under legal requirements, data must be retained for 7 years in accordance with § 132 (1) (accounting documents, receipts / invoices, accounts, commercial documents, statements of income and expenses, etc.), 22 years for data relating to land, and 10 years for data relating to electronic services, telecommunications, broadcasting and television services provided to private persons in EU Member States and for which the Mini One Stop Shop (MOSS) is used.
11.1. When contacting us (via contact form or email), the information provided by the user will be used to process and respond to the contact request in accordance with Article 6 (1) (b) of the GDPR.
11.2. User information may be stored in our Customer Relationship Management System (‘CRM System’) or a similar request management system.
11.3. We delete requests if they are no longer required. We check the necessity every two years; we store inquiries from customers with a customer account permanently and record any deletion in the customer account details.
- Comments and posts
12.1. If users leave comments or other contributions, their IP addresses are stored for 7 days based on our legitimate interests within the meaning of Article 6 (1) (f) of the GDPR.
12.2. This is for our own security: if a person posts any illegal content in comments and contributions (insults, prohibited political propaganda, etc.), we ourselves can be prosecuted for the comment or post, and we therefore need to be able to identify the author.
- Collection of access data and logfiles
13.1. Based on our legitimate interests under Article 6 (1) (f) of the GDPR, we collect data every time the server on which our service is located is accessed (known as server log files). The access data includes the name of the retrieved web page, file, date and time of retrieval, quantity of data transferred, message about successful retrieval, browser type and version, the user’s operating system, referrer URL (the page previously visited), IP address and the request provider.
13.2. Logfile information is stored for security purposes (for example to investigate abusive or fraudulent activities) for a maximum of seven days and then deleted. Data whose further retention is required as evidence is exempt from deletion until final clarification of the incident.
- Online presence on social media
14.1. We maintain an online presence on social networks and platforms to communicate with customers, prospective customers and users active there, and to tell them about our services. For activity on these networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.
- Cookies and audience analysis
15.1. Cookies are information transmitted from our web server or third-party web servers to users’ web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage.
15.3. If users do not want cookies stored on their computer, they are asked to disable the option in their browser’s system settings. Saved cookies can be deleted in the system settings of the browser. Disabling cookies can lead to restricted online functionality.
- Google Analytics
16.2. Google is certified under the Privacy Shield Agreement, which gives a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
16.3. Google uses this information on our behalf to analyse the use of our website by users, to compile reports on online activities and to provide us with further services related to the use of our website and internet presence. In this case, anonymised user activity profiles may be created from the processed data.
16.4. We only use Google Analytics with activated IP pseudonymisation. This means that the IP address of users will be shortened by Google within Member States of the European Union or in other states in the European Economic Area who have signed up to the agreement. Only in exceptional cases will the full IP address be sent to a Google server in the USA and shortened there.
16.5. The IP address submitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by setting their browser software accordingly; users may also prevent the collection by Google of data generated by cookies and related to their use of the website as well as the processing of this data by Google, by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
16.6. For more information about Google’s data usage, and opting in or out, please visit Google’s websites: https://www.google.com/intl/en/policies/privacy/partners (‘How Google uses information from sites or apps that use our services’), https://policies.google.com/technologies/ads (‘Advertising’), and https://adssettings.google.com/authenticated (‘Control the information Google uses to show you ads’).
- Facebook social plugins
17.1. In pursuit of our legitimate interests (the analysis, optimisation and economic operation of our website under Article 6 (1) (f) of the GDPR) we use the social plugins (‘plugins’) of the social network Facebook.com, operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbor, Dublin 2, Ireland (‘Facebook’). The plugins can represent interaction elements or content (such as videos, graphics or text contributions) and can be recognized by one of the Facebook logos (white ‘f’ on a blue tile, the term ‘Like’ or a ‘thumbs up’ sign) or are marked with the addition ‘Facebook Social Plugin’. The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.
17.2. Facebook is certified under the Privacy Shield Agreement, which provides a guarantee to comply with European privacy legislation (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active).
17.3. When a user invokes a feature of this website that includes such a plugin, their device establishes a direct connection to Facebook servers. The content of the plugin is transmitted by Facebook directly to the device of the user and incorporated there into the website. In the process, user profiles can be created from the processed data. We therefore cannot control the amount of data Facebook collects with the help of plugins, and we inform users according to our understanding.
17.4. By integrating the plugins, Facebook receives information that the user has accessed the corresponding page of the website. If the user is logged in to Facebook, Facebook can assign the visit to their Facebook account. If users interact with the plugins, for example by pressing the Like button or leaving a comment, the information is transmitted from their device directly to Facebook and stored there. If a user is not a member of Facebook, there is still the possibility that Facebook will learn of and save their IP address. According to Facebook, only an anonymous IP address is stored in Germany.
17.6. If a user is a Facebook member and does not want Facebook to collect data about them via this website and link it to their member data stored on Facebook, they must log out of Facebook and delete their cookies before using our website. Other settings and controls in the use of data for advertising purposes are available within Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US American site http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are independent of the platform, and can be applied to any device, such as desktop computers or mobile devices.
- Integration of third party services and content
18.1. Within our website based on our legitimate interests (interest in the analysis, optimisation and economic operation of our website within the meaning of Article 6 (1) (f) of the GDPR), we make use of third party content or service offers to provide content and services, such as embedding videos or fonts (collectively referred to as ‘content’). This always assumes the third party sees the user’s IP address, since they could not send content to their browser without the IP address. The IP address is therefore required for the presentation of this content. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as ‘web beacons’) for statistical or marketing purposes. The ‘pixel tags’ can be used to analyse information such as visitor traffic to the pages of our website. The pseudonymised information may also be stored in cookies on the user’s device and may include, but is not limited to, technical information about the browser and operating system, referral web sites, visit time, and other information regarding the use of our website.