Data Protection Statement
This data protection declaration provides information the type, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within the framework of the provision of our services as well as within our online service and the websites, functions and content connected with it as well as external online presences, such as our social media profile (hereinafter jointly referred to as “online service”). With regard to the terms used, such as “processing” or “responsible person”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Types of processed data
– Master data (e. g. personal master data, names or addresses).
– Contact details (e. g. email, telephone numbers).
– Content data (e. g. text entries, photographs, videos).
– Usage data (e. g. websites visited, interest in content, access times).
– Meta/communication data (e. g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online service (hereinafter the data subjects are collectively referred to as “users”).
Purpose of Processing
– Provision of the online service, its functions and contents.
– Replying to contact requests and communication with users.
– Safety measures.
– Impact measurement/marketing
“Personal data” shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e. g. a cookie) or one or more factors relating to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” shall mean any operation or set of operations which is performed with or without the help of automated procedures and which is performed with respect to personal data. The term has a broad scope and covers practically every kind of data handling.
“Pseudonymisation” shall mean the processing of personal data in such a way that such personal data cannot be related to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” shall mean any automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular with a view to analysing or predicting aspects regarding the work performance, economic situation, health, personal preferences, interests, reliability, conduct, location or change of location of that natural person.
“Responsible person” shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor” shall mean any natural or legal person, public authority, agency or other body which processes personal data on behalf of the responsible person.
Relevant Legal Basis
In this section, we will inform you in accordance with Section 13 of the GDPR about the legal basis of our data processing. For users located within the jurisdiction covered by the General Data Protection Regulation (GDPR), i. e. the EU and the EEC, the following applies if the legal basis is not stated in the data protection declaration:
- The legal basis for obtaining consent is Section 6, paragraph 1 a and Section 7 of GDPR;
- The legal basis for data processing for the purpose of fulfilling our services and implementing contractual measures as well as answering enquiries is Section 6, paragraph 1 b of GDPR;
- The legal basis for data processing for the purpose of fulfilling our legal obligations is Section 6, paragraph 1 c of GDPR;
- In the event that the vital interest of the data subject or another natural person make it necessary to process personal data, Section 6, paragraph 1 d of GDPR shall serve as the legal basis.
- The legal basis for processing of data necessary for the performance of a task carried out in public interest or in the exercise of public authority vested in the responsible person is Section 6, paragraph 1 e of GDPR.
- The legal basis for processing data to safeguard our legitimate interest is Section 6, paragraph 1 f of GDPR.
- The processing of data for purposes other than those for which they were collected is governed by the provisions of Section 6, paragraph 4 of GDPR.
- Processing of special categories of data (in accordance with Section 9, paragraph 1 of GDPR) is governed by the provisions of Section 9, paragraph 2 of GDPR.
We take appropriate technical and organisational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access, input, disclosure, securing availability and segregation of data. In addition, we have established procedures to ensure that the rights of data subjects are exercised, that data is deleted, and that we respond to any threats to the data. Furthermore, we take into account the protection of personal data already during the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and data protection-friendly default settings.
Cooperation with Contract Processors, Jointly Responsible Parties and Third Parties
If, in the course of our processing activities, we disclose data to other persons and companies (processors, jointly responsible parties or third parties), transfer it to them or otherwise grant them access to the data, this is only done on the basis of a legal authorisation (e. g. if it is necessary to transfer the data to third parties, such as payment service providers, in order to fulfil a contract), if users have consented, a legal obligation provides for this or on the basis of our legitimate interests (e. g. when using agents, web hosts, etc.).
If we disclose, transmit or otherwise grant access to data to other companies in our group of companies, this is done in particular for administrative purposes as a legitimate interest and, moreover, on a basis that complies with legal requirements.
Transfers to Third Countries
If we process data in a third country (i. e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or if this is done in the context of using the services of third parties or disclosure or transfer of data to other persons or companies, this will only take place if it is done to fulfil our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to express consent or contractually required transfer, we only process or allow the data to be processed in a third country with a recognised level of data protection, which includes US processors certified under the “Privacy Shield” or on the basis of special guarantees, such as contractual obligations through so-called standard protection clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art. 44 to 49 of GDPR, Information page of the EU Commission).
Rights of Data Subjects
Right of access: You have the right to obtain confirmation as to whether or not the data in question is being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with legal requirements.
Right to rectification: In accordance with the law, you have the right to request the completion of or the correction of incorrect data concerning you.
Right to deletion and restriction of processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be deleted immediately, or alternatively, in accordance with the statutory provisions, to demand that the processing of the data be restricted.
Right to data transferability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements or to request its transfer to another responsible party.
Complaint to the regulatory body: You also have the right, in accordance with the statutory provisions, to make a complaint to the competent regulatory authority.
P: +43 1 521 52-25 69
Right of Revocation
You have the right to revoke given consents with effect for the future.
Right of Objection
Right of objection: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you on the basis of Section 6(1) paragraph (e) or (f) of GDPR; this also applies to profiling based on these provisions. Where your personal data are processed for the purpose of direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such promotional activities, including profiling, insofar as it is linked to such direct advertising.
Cookies and Right of Objection with Direct Advertising
“Cookies” are small files that are stored on the computers of users. Different information can be stored within the cookies. The primary purpose of a cookie is to store information about a user (or the device on which the cookie is stored) during or after his visit of an online service. Temporary cookies, or “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online service and closes his browser. Such a cookie may be used to store the content of a shopping cart in an online shop or a login status. Cookies are described as “permanent” or “persistent” if they remain stored even after the browser is closed. This allows the login status to be saved for when users visit the site after several days. Likewise, the interest of the users can be stored in such a cookie, which are used for impact measurement or marketing purposes. Third-party cookies are cookies that are offered by providers other than the person responsible for operating the online service (otherwise, if it is only their cookies, they are referred to as “first-party cookies”).
We may use temporary and permanent cookies and provide information on this in our data protection statement.
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. The exclusion of cookies may lead to functional limitations of this online service.
Deletion of Data
The data processed by us will be deleted or restricted in their processing in accordance with the legal requirements. Unless expressly stated within the scope of this data protection statement, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations.
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or fiscal reasons.
Changes and Updates to the Data Protection Statement
We kindly invite you to inform yourself regularly about the content of our data protection statement. We will amend our data protection statement as soon as changes to our data processing practices make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e. g. consent) or other individual notification.
Additionally we process
– Contract data (e. g. object of contract, duration, customer category).
– Payment data (e. g. bank details, payment history)
by our customers, interested parties and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising and market research.
Order Processing in the Online Shop and Customer Account
During the ordering processes in our online shop, we process the data of our customers to enable them to select and order the selected products and services and to enable them to pay for them and have them delivered or carried out.
The processed data includes inventory data, communication data, contract data, payment data and the data subjects affected by our processing include our customers, interested parties and other business partners. Processing is carried out for the purpose of providing contractual services in the context of operating an online shop, billing, delivery and customer services. For this purpose, we use session cookies to store the content of the shopping cart and permanent cookies to store the login status.
Processing is carried out in order to fulfil our services and to carry out contractual measures (e. g. carrying out ordering processes) and insofar as it is legally required (e. g. legally required archiving of business transactions for commercial and tax purposes). The information marked as required is necessary to justify and fulfil the contract. We disclose data to third parties only within the scope of delivery, payment or within the scope of legal permissions and obligations, as well as if this is done on the basis of our legitimate interest, which we will inform you about in the context of this data protection statement (e. g. to legal and tax advisors, financial institutions, freight companies and authorities).
Users may create an optional user account to view their orders. The required mandatory data are communicated to the users during the registration process. The user accounts are not public and cannot be indexed by search engines. When users terminate their user account, their data relating to the user account will be deleted, unless their retention is required due to commercial reasons or as per the tax law. Information in the customer account remains until its deletion with subsequent archiving in case of a legal obligation or our legitimate interest (e. g. in case of legal disputes). In case of termination, it is the users responsibility to save their data before the end of the contract.
As part of the registration and renewed logins and use of our online services, we store the IP address and the time of the respective user action. Such storage takes place to protect our legitimate interests as well as those of the user against misuse and other unauthorised access. As a matter of principle, this data will not be passed on to third parties, unless it is necessary as a legitimate interest to pursue our legal claims or there is a legal obligation to do so.
Deletion takes place after expiry of the statutory warranty and other contractual rights or obligations (e. g. payment claims or performance obligations from contracts with customers), whereby the necessity of storing the data is reviewed every three years; in the case of storage due to statutory archiving obligations, deletion takes place after they expire.
Administration, Financial Accounting, Office Organisation, Contact Management
We process data for administrative purposes as well as for the organisation of our operations, financial accounting and compliance with legal obligations, such as archiving. In this respect, we process the same data that we process within the scope of providing our contractual services. The legal basis for processing data is Section 6(1) paragraph (c) of GDPR and Section 6(1) paragraph (f) of GDPR. Customers, interested parties, business partners and website visitors are affected by such data processing. The purpose and our interest in processing data lies in the administration, financial accounting, office organisation, and archiving of data, i. e. tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of personal data in relation to contractual services and contractual communication is in line with the information mentioned in these processing activities.
In this context, we may disclose or transmit data to tax authorities, consultants, such as tax advisors or auditors, as well as other fee agencies and payment service providers.
Moreover, we store information on suppliers, event organisers and other business partners on the basis of our business interests, e. g. for the purpose of contacting them at a later date. We store this data, which is mostly company-related, permanently.
When contacting us (e. g. via contact form, email, phone or social media), the user’s details will be used to process the contact request and its execution according to Section 6(1) paragraph (b) (within the framework of contractual/pre-contractual relations) and Section 6(1) paragraph (f) (other requests) of GDPR. The information provided by users may be stored in a customer relationship management system (“CRM System”) or a similar query management system.
We delete all request records when they are no longer necessary. We review such necessity on a biennial basis; furthermore, the statutory archiving obligations apply.
Google will use this information on our behalf to evaluate the use of our online service by users, to compile reports concerning activities within this online service and to provide us with further services associated with the use of this online service and the use of the Internet. The processed data may be used to create pseudonymous user profiles of the users.
We only use Google Analytics with activated IP anonymity. This means that Google will truncate users IP addresses located in a Member State of the European Union or in another state party to the Agreement in the European Economic Area. Only in exceptional cases is the full IP address transferred to a Google server in the USA and truncated there.
The user’s IP address transmitted by your browser will not be merged with other Google data. Users can prevent the storage of cookies by making appropriate settings in their browser software; users can also prevent the collection of data generated by the cookie and related to their use of the online offer by Google and the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Where we ask users to give their consent (e. g. in connection with a cookie), the legal basis relating to this data processing is Section 6(1) paragraph (a) of GDPR. In all other respects, personal data of users will be processed on the basis of our legitimate interests (i. e. interest in the analysis, optimisation and economic operation of our online service in the sense of Section 6(1) paragraph (f) of GDPR).
To the extent that data is processed in the USA, we would like to point out that Google is certified under the Privacy Shield Agreement and thereby assures that it complies with European data protection laws (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
For more information about Google’s use of data, settings and opt-out options, please see Google’s data protection statement (https://policies.google.com/privacy) and Google’s advertising display settings (https://adssettings.google.com/authenticated). All personal data of users will be deleted or anonymized after 14 months.
Integration of Third-Party Services and Content
Within the scope of our online service, we use third-party content or service offerings based on our legitimate interests (i. e. interest in the analysis, optimisation and economic operation of our online service in the sense of Section 6(1) paragraph (f) of GDPR) to incorporate their content and services, such as videos or fonts (hereinafter collectively referred to as “Content”).
This always implies that the third party providers of this content are aware of the IP address of the users, as without the IP address they would not be able to send the content to their browsers. The IP address is therefore required to display this content. We make every effort to use only such content whose respective providers solely use IP addresses to deliver their content. Third parties may also use so-called pixel tags (invisible images, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic on the pages of this website. Pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information on the browser and operating system, referring web pages, visiting time and other information on the use of our online service, as well as being linked to such information from other sources.
We incorporate the fonts (“Google Fonts”) of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. According to Google, user data is used solely for the purpose of displaying fonts in the user’s browser. The incorporation is based on our legitimate interest in a technically secure, a maintenance-free and efficient use of fonts, their uniform presentation and the consideration of possible licensing restrictions for their incorporation. Data protection statement: https://www.google.com/policies/privacy/.
We incorporate the maps of the “Google Maps” service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The processed data may in particular include IP addresses and location data of the users, which, however, cannot be collected without their express consent (usually obtained via the settings of their mobile devices). This data may be processed in the USA. Data protection statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.