Types of Information Being Processed:
– master data (e. g. names, addresses).
– contact information (e. g. e-mail address, telephone numbers).
– content information (e. g. text input).
– usage information (e. g. websites accessed, content of interest, access times).
– meta-communication-data (e. g. device information, IP addresses).
Categories of Persons Affected
Visitors and users of the online services (in the following referred to collectively as “users”).
Purpose of Processing
– providing our online services, functionality and content.
– replying to contact requests, and communication with users.
– security measures.
– measuring reach / marketing.
“Personal Information” is all information regarding an identified or identifiable individual (in the following, “person affected”); an individual is considered identifiable if he can be identified directly or indirectly, in particular via the attribution of an identifier such as a name, an ID number, location data, an online identifier (e. g. a cookie) or of one or more specific characteristics which are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of said individual.
“Processing” is any process carried out with or without the help of automated methods or any series of such processes in relation to personal information. This term is comprehensive and includes practically any interaction with data.
“Pseudonymisation” is the processing of personal information in such a way that the personal information can no longer be attributed to a specific individual without bringing in additional information, insofar as this additional information is stored separately and subject to technical and organisational measures which prevent the personal information from being associated with an identified or identifiable individual.
“Profiling” is any kind of automated processing of personal data which consists of using these personal data to assess certain personal characteristics regarding an identified or identifiable individual, in particular characteristics with respect to work performance, economic situation, health, personal preferences, areas of interest, to analyse or predict reliability, behaviour, whereabouts, or change of location of the said individual.
A “Data Controller” is the individual or legal entity, government authority, institution, or other organisation which decides at his sole discretion or together with others on the purposes and means of his processing of personal information.
A “Data Processor” is the individual or legal entity, government authority, institution, or other organisation, which processes personal information on behalf of the Data Controller.
Applicable Legal Basis
The legal basis for requesting consent is Art. 6 Sect. 1 lit. a and Art. 7 GDPR, the legal basis for data processing to supply our services and to carry out contractual measures, as well as to reply to enquiries is Art. 6 Sect. 1 lit. b GDPR, the legal basis for data processing to meet our legal obligations is Art. 6 Sect. 1 lit. c GDPR, and the legal basis for data processing to protect our legitimate interests is Art. 6 Sect. 1 lit. f GDPR. In the case that vital interests of the person affected or of another individual require the processing of personal information, Art. 6 Sect. 1 lit. d GDPR will serve as a legal basis.
Under Art. 32 GDPR and taking into account the state of the art, the cost of implementation, and the way, scope, circumstances, and purposes of processing, as well as the different probability of occurrence and the severity of the risk with regard to rights and freedoms of the individual, we will take suitable technical and organisational precautions to provide an adequate level of protection.
These precautions will include, in particular, safeguarding confidentiality, integrity, and accessibility of data by controlling physical access to the data, as well as with regard to technical access, to entering and transmitting data, to safeguarding availability, and to the separation of data. Furthermore, we have established a procedure which guarantees the exercise of data subject rights, the deletion of information, and reactions to compromise of the data. In addition, we take into account the protection of personal information already during development and/or choice of hardware, software, and processes, in compliance with the principle of data protection by technical design and by privacy-friendly pre-settings (Art. 25 GDPR).
Cooperation with Data Processors and Third Parties
Insofar as, within the frame of our processing of data, we disclose, transmit or otherwise make accessible information to other individuals or companies (data processors or third parties), this is done exclusively on the basis of legal permission (e. g. where a transmission of data to third parties, such as payment service providers, under Art. 6 Sect. 1 lit. b GDPR is necessary to fulfil our contractual obligations), if you have given your consent, if there is a legal obligation, or on the basis of our legitimate interest (e. g. when employing agents, a web host, etc.).
Insofar as we appoint third parties to process data on the basis of a so-called “Data Processor Contract”, this is done on the basis of Art. 28 GDPR.
Transmission to Third Countries
Insofar as we process data in a third country (i. e. outside the European Union (EU) or the European Economic Area (EEA)), or if this is done by making use of the services of a third party, or if data are disclosed and/or relayed to third parties, this is only done in order to comply with our obligations under (pre-)contract, on the basis of your consent, because of a legal obligation, or on the basis of our legitimate interest. Subject to legal or contractual permission, we process data or have data processed in a third country only if the special conditions of Art. 44 ff. GDPR are fulfilled. This means that the processing will be done, for example, on the basis of special guarantees, such as the officially recognised declaration of a level of data protection equivalent to that in the EU (e. g. via “Privacy Shield” in the US) or the observation of officially recognised special contractual obligations (so-called “standard contract clauses”).
Data Subject Rights
You have the right to request a confirmation whether certain information regarding you is being processed and to be informed about this information, as well as to receive further information and a copy of such data under Art. 15 GDPR.
You have the right, under Art. 16 GDPR, to demand the completion of your data or the correction of incorrect data referring to you.
Under Art. 17 GDPR, you have the right to demand the immediate deletion of such data, or alternatively, under Art. 18 GDPR, to demand a limitation of the processing of such data.
Under Art. 20 GDPR, you have the right to demand that the information you provided with regard to yourself be provided to you, and to demand the transmission of such information to other data controllers.
In addition, under Art. 77 GDPR, you have the right to address a complaint to the relevant regulating authority.
Right of Withdrawal:
You have the right to withdraw the consent you gave under Art. 7 Sect. 3 GDPR with effect for the future.
Right of Objection:
You can object to the future processing of your data under Art. 21 GDPR at any time. The objection may be directed in particular against data processing for direct marketing purposes.
Cookies and Right of Objection to Direct Marketing
“Cookies” are small files which are stored on the user’s computer. Various data can be stored within cookies. Primarily, cookies are used to save information about a user (or about the device where the cookie is stored) during or even after the user’s access to an online service. Temporary cookies, also called “session cookies” or “transient cookies”, are cookies which are deleted after a user exits an online service and closes his browser. Such a cookie may store, for example, the content of a shopping cart at an online shop or a login status. “Permanent” or “persistent” cookies are those which remain stored even after the browser is closed. Thus, a login status, for example, could still be stored when a user returns several days later. In the same way, the areas of interest of a user could be stored in cookies of this type, which are used to measure outreach or for marketing purposes. “Third-party cookies” are cookies which are provided by other suppliers than the entity responsible for the online service in question (otherwise, if it is only about their own cookies, these are called “first-party cookies”).
Users who do not wish cookies to be stored on their computer are kindly requested to disable this option in their browser settings. Cookies that have already been stored can be deleted in the browser settings. Disabling cookies may result in limited functionality of the online service.
the storage of cookies can be prevented in the browser settings. Please note
that certain functionality of this online service may no longer be available in
Deletion of Information
Regulations in Germany require the preservation of records for 10 years under Articles 147 sect. 1 AO, 257 sect. 1 No. 1, and 4 Sect. 4 HGB (journals, records, management reports, vouchers, account books, documents relevant for taxation, etc.) and for 6 years under § 257 sect. 1 Nos. 2 and 3, Sect. 4 HGB (business letters).
Regulations in Austria require the preservation of records for 7 years under Article 132 sect. 1 BAO (accounting records, receipts/invoices, accounts, vouchers, business documents, lists of revenues and expenses, etc.), for 22 years if related to real estate, and for 10 years in case of documents related to services provided electronically, telecommunications, broadcasting, and television services, which are provided to non-entrepreneurs in EU member states and for which the Mini One Stop Shop (MOSS) is claimed.
If a user contacts us (e. g. via contact form, by e-mail or phone) the data of said user will be processed in order to process the enquiry and its follow-up under Art. 6 Sect. 1 lit. b GDPR. User data may be stored in a Customer Relationship Management System (“CRM System”) or an equivalent organiser.
We will delete such enquiries as soon as they are no longer necessary. We will review their necessity every two years; in addition, legal archiving obligations apply.
The hosting services we use are necessary for the provision of the following services: infrastructure and platform services, computing capacity, storage capacity and database services, security services, and technical maintenance, which we use to operate this online service.
In this context, we, or our hosting provider, process master data, contact information, content information, contract data, usage information, meta and communication data pertaining to customers, interested parties, and visitors of this online service on the basis of our legitimate interest to provide this online service efficiently and safely, under Art. 6 Sect. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of a data processor contract).
Collection of Access Data and Logfiles
We collect, or our hosting provider collects, on the basis of our legitimate interest according to Art. 6 Sect. 1 lit. f GDPR, data about each access to the server where this service is hosted (so-called server logfiles). These access data include the name of the website accessed, file, date and time of access, volume of data transmitted, report of successful access, browser type and version, user’s operating system, referrer URL (the site accessed before), IP address, and the provider requesting access.
For security reasons, logfile information (e. g. to investigate abuse or fraudulent activities) will be stored for a maximum of 7 days and will then be deleted. Information which may need to be preserved for evidence purposes will be exempt from deletion until final clarification of the incident in question.
Google is certified under the Privacy Shield agreement and therefore guarantees to adhere to European privacy law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports on the activity within this online service, and to provide other services related to the use of this online service and of the internet in general to us. During this activity, processed data may be used to create pseudonymous user profiles.
We use Google Analytics only with IP anonymisation activated. This means that the users’ IP addresses will be shortened by Google within a member state of the European Union or in another signatory to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. The IP address transmitted by the user’s browser will not be aggregated with other information at Google. You can prevent the storage of cookies by adjusting your browser settings accordingly; you can, furthermore, prevent the collection of data generated by cookies and the use of information on your use of our online services as well as the processing of these data by Google by downloading and installing the browser plugin available under Google (tools).
In addition, the users’ IP addresses will be collected, which will then be shortened within a member state of the European Union or in another signatory to the Agreement on the European Economic Area; only in exceptional cases will the full IP address be transmitted to a Google server in the US and shortened there. The information collected as described above may be combined by Google with information derived from other sources. If the user proceeds to gain access to other websites, according to his presumed interests based on his user profile, personalised advertisements may be shown to him.
User data will be processed pseudonymously within the frame of the Google network. That means Google will not store and process the user’s name or e-mail address, but the relevant data in relation to cookies within pseudonymous user profiles. From Google’s point of view, the ads are thus not displayed to a specific, identified individual, but to the cookie owner, regardless of who this owner is. This does not apply if a user has explicitly agreed to Google processing his data without pseudonymisation. The information collected by Google Marketing Services about users is transmitted to Google and stored on Google’s US servers.