With the following data protection declaration, we would like to inform you about the types of your personal data that we collect from you, the purposes for which we use them, and the extent to which we do so. It also explains how we use personal data on our websites, mobile applications, and other online platforms where we have an external online presence, like our social media profiles (hereinafter collectively referred to as “Online Offer”).
*Note: The terms used are not gender specific.
*Status: October 25, 2022.
Table of contents:
- Responsible authority
- Overview of processing operations
- Relevant legal basis
- Security measures
- Transfer of personal data
- Data processing in third countries
- Deletion of data
- Business services
- Provision of online offers and web hosting
- Contact and inquiry management
- Web analysis, monitoring and optimization
- Rights of data subjects
1010 Vienna, Austria
Overview of the processing operations
The types of processed data, their processing goals, and references to the data subjects are all listed in the overview that follows.
- Types of data processed:
  - Inventory data.
  - Payment data.
  - Contact data.
  - Content data.
  - Contract data.
  - Usage data.
  - Meta/communication data.
- Categories of data subjects:
  - Interested parties.
  - Communication partners.
  - Business and contractual partners.
- Purposes of processing:
  - Provision of contractual and customer services.
  - Contact requests and communication.
  - Safety measures.
  - Range measurement.
  - Office and organizational procedures.
  - Management and response to inquiries.
  - Profiles with user-related information.
  - Provision of our online offer and user-friendliness.
  - Information technology infrastructure.
Relevant legal bases
Below is an overview of the General Data Protection Regulation (GDPR) legal bases. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence. If more specific legal bases are relevant in individual cases, we will inform you in the data protection declaration.
- Consent (Art. 6 Para. 1 S. 1 lit. a GDPR) – The individual has granted consent to process their personal data for a specific or several specific purposes.
- Fulfillment of contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b GDPR) – The processing is required to carry out a contract to which the data subject is a party or to carry out pre-contractual measures taken at the data subject's request.
- Legal obligation (Art. 6 Para. 1 S. 1 lit. c GDPR) – The processing is required in order for the person responsible to execute a legal obligation.
- Legitimate interests (Art. 6 Para. 1 S. 1 lit. f GDPR) – Processing is necessary to protect the legitimate interests of the person responsible or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, prevail.
In Austria, national data protection laws are applied in addition to the General Data Protection Regulation. One example of this is the Federal Act on the Protection of Natural People in the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act specifically includes regulations on the right to information, the right to rectification or deletion, the processing of special categories of personal data, processing for other purposes, transmission, and automated decision-making in specific circumstances.
We take appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the type, scope, circumstances, and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to natural persons’ rights and freedoms, to ensure an appropriate level of protection.
The measures include securing the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as the input, disclosure, availability, and separation of the data. Furthermore, we have established procedures to ensure the exercise of data subject rights, data deletion, and responses to data threats. We also consider personal data protection as early as the development or selection of hardware, software, and processes, in accordance with the principle of data protection through technology design and through data protection-friendly default settings.
TLS encryption (https): We use TLS encryption to protect your data transmitted via our online offer. The prefix https:// in your browser’s address line indicates such encrypted connections.
Transfer of personal data
As part of our processing of personal data, the data may be transmitted or disclosed to other bodies, companies, legally independent organizational units, or persons. Data recipients may include service providers tasked with IT tasks or providers of services and content integrated into a website. In such cases, we follow the law and enter into appropriate contracts or agreements with the recipients of your data to protect your data.
Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if processing takes place in the context of using third-party services or of disclosing or transmitting data to other persons, bodies, or companies, this is done only in accordance with the legal requirements.
We only process data in third countries with a recognized level of data protection, where there is a contractual obligation through so-called EU Commission standard protection clauses, or where there are certifications or binding internal data protection regulations (Art. 44 to 49 DSGVO; information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Deletion of data
The data processed will be deleted in accordance with the legal requirements as soon as your consent to processing is revoked or other permissions are no longer applicable (e.g., if the purpose of processing this data no longer applies or it is not required for the purpose). If the data is not deleted because it is required for other, legally permissible purposes, its processing will be limited to these purposes. This means the data will be blocked and not processed for other purposes. This applies to data that must be stored for commercial or tax reasons or whose storage is necessary to assert, exercise or defend legal claims or to protect the rights of another natural or legal person. Our data protection information can also contain further information on the storage and deletion of data, which apply primarily to the respective processing.
Cookies are small text files, or other memory notes, which store information on end devices and read information from the end devices, e.g., to store the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used in an online offer. Cookies can further be used for various purposes, e.g., for the functionality and security of online offers as well as for the creation of analyses of visitor flows.
Storage duration: Regarding the storage duration, the following types of cookies are distinguished:
- Temporary cookies (session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device (browser or mobile application).
- Permanent cookies: Permanent cookies remain stored even after the end device is closed. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Likewise, user data collected with the help of cookies can be used for reach measurement. Unless we provide users with explicit information about the type and storage duration of cookies, users should assume that cookies are permanent and that the storage period can be up to two years.
Further notes on processing, procedures, and services:
Subject to individual information on the providers of cookie management services, the following information applies: The duration of the storage of consent can be up to two years. A pseudonymous user identifier is created and stored with the time of consent, information about the scope of consent (which categories of cookies and/or service providers), and the browser, system and end device used.
We process data of our contractual and business partners (prospective customers), in the context of contractual and comparable legal relationships and related measures as well as in the context of communication with contractual partners (or pre-contractual), e.g., to answer inquiries. We use this information to carry out our contractual obligations. This includes obligations to provide the agreed-upon services, as well as any update obligations and remedies in the event of warranty or other service disruptions. Furthermore, we process the data to protect our rights and for administrative tasks related to these obligations and company organization. Also, we process data based on our legitimate interests in proper and business management, and security measures to protect our contractual partners and our business operations from misuse, endangering their data, secrets, information, and rights (e.g., for the involvement of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or tax authorities). Within the framework of applicable law, we only disclose the data of contractual partners to third parties to the extent that this is necessary for the purposes or to fulfill legal obligations. Contractual partners will be informed about further forms of processing, e.g., for marketing purposes, within the scope of this data protection declaration. We inform the contractual partners which data is required for the aforementioned purposes before or in the course of data collection, such as in online forms, by special marking (e.g., colors) or symbols (e.g., asterisks or similar), or in person.
We delete the data after expiry of legal warranty and comparable obligations, i.e., in principle after 4 years, unless the data is stored in a customer account, e.g., if it must be kept for legal archiving reasons. The statutory retention period for tax-related documents, commercial books, inventories, opening balances, annual financial statements, work instructions required to understand these documents, and other organizational documents and accounting records is ten years, and six years for received commercial and business letters and reproductions of sent commercial and business letters. The period begins at the end of the calendar year in which the last entry was made in the book, the inventory, the opening balance sheet, the annual financial statements, or the management report was prepared, the commercial or business letter was received or dispatched, or the accounting document was created, and the recording or other documents were made. When we use third-party providers or platforms to provide our services, the terms and conditions and data protection notices of the respective third-party providers or platforms govern the relationship between the users and the providers.
- Types of data processed: inventory data (e.g., names, addresses); payment data (e.g., bank details, invoices, payment history); contact data (e.g., e-mail, phone numbers); contract data (e.g., subject matter of contract, term, customer category); usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses).
- Data subjects: Customers; prospective customers; business and contractual partners.
- Purposes of processing: provision of contractual services and customer services; security measures; contact requests and communication; office and organizational procedures; administration and response to requests.
- Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO); Legal obligation (Art. 6 para. 1 p. 1 lit. c) DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
Further information on processing processes, procedures, and services:
- Customer account: Contractual partners can set up an account through our online service (customer or user account, “customer account” for short). If a customer account must be registered, contractual partners will be notified, as well as the information needed for registration. Customer accounts are not accessible to the public and cannot be indexed by search engines. We store the IP addresses of customers along with the access times as part of the registration and subsequent registrations and uses of the customer account to be able to prove the registration and prevent any misuse of the customer account. If a customer terminates their customer account, the data associated with the customer account will be deleted, unless their retention is required by law. Customers are responsible for backing up their data if their customer account is terminated; Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 S. 1 lit. b) DSGVO).
- Store and e-commerce: We process the data of our customers to enable them to select, purchase or order the selected products, goods, and related services, as well as their payment and delivery or execution. If necessary for the execution of an order, we use service providers, postal, forwarding and shipping companies, to carry out the delivery, or execution to our customers. For the processing of payment transactions, we use the services of banks and payment service providers. The required information is identified as such in the context of the order or comparable acquisition process and includes the information needed for delivery, or provision and billing, as well as contact information to be able to make any consultations; Legal basis: contract performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO).
- Agency services: We process our customers’ data as part of our contractual services, which may include conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, campaign and process implementation, handling, server administration, data analysis/consulting services, and training services; Legal basis: performance of contracts and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b) DSGVO).
Provision of the online services and web hosting
We process users’ data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.
- Types of data processed: Usage data (e.g., websites visited, interest in content, access times); meta/communication data (e.g., device information, IP addresses); content data (e.g., entries in online forms).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.)); security measures.
- Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
Further notes on processing, procedures, and services:
- Provision of online offer on rented storage space: for the provision of our online offer, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called “web hoster”); legal basis: legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
- Collection of access data and log files: Access to our online offer is logged in the form of so-called “server log files”. The address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and, in most cases, IP addresses and the requesting provider are all stored in the server log files. The server log files can be used for security purposes, such as preventing server overload (especially in the event of abusive attacks, such as DDoS attacks), and for ensuring server utilization and stability. Legal foundation: legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident.
- E-mail dispatch and hosting: The web hosting services we use also include the dispatch, receipt, and storage of e-mails. For these purposes, the addresses of the recipients and senders as well as further information regarding the e-mail dispatch (e.g., the providers involved) and the contents of the respective e-mails are processed. The data may also be processed for SPAM detection purposes. Please note that e-mails are generally not sent encrypted on the Internet. As a rule, e-mails are encrypted in transit, but (unless a so-called end-to-end encryption method is used) not on the servers from which they are sent and received. We can therefore not assume any responsibility for the transmission path of the e-mails between the sender and the reception on our server; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO).
Contact and inquiry management:
When contacting us (via contact form, e-mail, telephone, or social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.
- Types of data processed: contact data (e-mail, telephone numbers); content data (entries in online forms); usage data (websites visited, interest in content, access times); meta/communication data (device information, IP addresses).
- Data subjects: Communication partners.
- Purposes of processing: contact inquiries and communication; managing and responding to inquiries; feedback (collecting feedback via online form); providing our online offer and user experience.
- Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f) DSGVO); contract performance and pre-contractual requests (Art. 6 para. 1 p. 1 lit. b) DSGVO).
Further guidance on processing operations, procedures, and services:
- Contact form: If users contact us via our contact form, e-mail, or other communication channels, we process the data communicated to us in this context for the purpose of processing the communicated request; Legal basis: Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) DSGVO), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) DSGVO).
Web analysis, monitoring and optimization:
Web analytics (reach measurement) is used to evaluate the flow of visitors to our online offers and may include behavior, interests, or demographic information about visitors, such as age or gender, as anonymous values. With the help of reach analysis, we can recognize, for example, at what time our online offer or its functions or content are most frequently used or invite re-use. Likewise, we can understand which areas need optimization. In addition to web analytics, we may also use testing procedures, for example, to test and optimize different versions of our online offering or its components. Unless otherwise stated below, profiles, i.e., data summarized for a usage process, may be stored in a browser or in a terminal device and read from it. The information collected includes websites visited and elements used there, as well as technical information such as the browser used, the computer system used, and information on usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, location data may also be processed. The IP addresses of the users are also stored. However, we use an IP masking procedure (pseudonymization by shortening the IP address) to protect users. Generally, in the context of web analysis, A/B testing and optimization, no clear data of the users (such as e-mail addresses or names) is stored, only pseudonyms. This means that we, as well as the providers of the software used, do not know the actual identity of the users, but only the information stored in their profiles for the purposes of the respective procedures.
- Types of data processed: Usage data (web pages visited, interest in content, access times); meta/communication data (device information, IP addresses).
- Data subjects: Users (website visitors, users of online services).
- Security measures: IP masking (pseudonymization of the IP address).
- Legal basis: Consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).
Further information on processing, procedures, and services:
- Google Analytics: web analytics, reach measurement and measurement of user flows; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal basis: consent (Art. 6 para. 1 p. 1 lit. a) DSGVO).
  - Order processing contract: https://business.safety.google/adsprocessorterms
  - Standard contractual clauses (ensuring level of data protection for processing in third countries): https://business.safety.google/adsprocessorterms
  - Opt-out: Opt-Out Plugin: https://tools.google.com/dlpage/gaoptout?hl=de
  - Advertising Display Settings: https://adssettings.google.com/authenticated
  - Further information: https://privacy.google.com/businesses/adsservices
Rights of the data subjects
As a data subject, you are entitled to various rights under the GDPR, which arise from Art. 15 to 21 GDPR:
- Right to object: you have the right to object at any time, on grounds relating to your situation, to the processing of your personal data which is carried out based on Art. 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If your personal data is processed for the purpose of direct marketing, you have the right to object at any time.
- Right to withdraw consent: You have the right to revoke any consent given at any time.
- Right to information: you have the right to request confirmation as to whether the data in question is being processed, as well as information about this data and a copy of the data, in accordance with the legal requirements.
- Right to rectification: you have the right, in accordance with the law, to request your data be completed or that inaccurate data concerning you be rectified.
- Right to erasure and restriction of processing: You have the right to demand your data be deleted without delay, or alternatively, in accordance with the legal requirements, to demand restriction of the processing of the data.
- Right to data portability: You have the right to receive your data, which you have provided to us, in a structured, common, and machine-readable format in accordance with the legal requirements, or to demand its transfer to another responsible party.
- Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the requirements of the GDPR.
Definitions of terms
This section provides an overview of the terms used in this privacy declaration. Many of the terms are taken from the law and defined primarily in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, using a name, an identification number, location data, an online identifier (e.g., cookie), or one or more factors specific to that natural person’s physical, physiological, genetic, mental, economic, cultural, or social identity.
- Profiles with user-related information: This includes any type of automated processing of personal data that consists of using such personal data to analyze, evaluate, or predict certain personal aspects relating to a natural person (this may include different information concerning demographics, behavior, and interests, such as interaction with websites and their content, etc.), e.g., interests in certain content or products, click behavior on a website, or location. Cookies and web beacons are often used for profiling purposes.
- Reach measurement: Reach measurement (web analytics) is used to evaluate the flow of visitors to an online offering and can include visitors’ behavior or interests in certain information, such as website content.
- Tracking: Tracking is when the behavior of users can be traced across several online services. As a rule, behavioral and interest information is stored in cookies or on servers of the providers of the tracking technologies regarding the online offers used (so-called profiling). This information can subsequently be used, for example, to display advertisements to users that are likely to correspond to their interests.
- Controller: a “controller” is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
- Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automated means. The term is broad and includes virtually any handling of data, be it collection, evaluation, storage, transmission, or deletion.