Types of data processed:
– Inventory data (e.g., names, addresses).
– Contact data (e.g., email, phone numbers).
– Content data (e.g., text input, photographs, videos).
– Usage data (e.g., websites visited, interest in content, access times).
– Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (data subjects will hereinafter also be referred to as "users").
– Provision of the online offer, its functions and content.
– Answering contact enquiries and communication with users.
– Security measures.
– Reach measurement/marketing.
"Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); a natural person is regarded as identifiable if he can be directly or indirectly identified, especially by means of association with an identifier such as a name, with an identification number, with location data, with an online identifier (e.g., cookies) or with one or several special features reflecting the physical, physiological, genetic, psychological, economic, cultural, or social identity of that natural person.
"Processing" means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term is broad and covers virtually every aspect of dealing with data.
"Pseudonymisation" means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that this additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or an identifiable natural person.
"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
"Data controller" refers to the natural or legal person, public authority, agency, or any other body that alone or jointly with others determines the purposes and means of the processing of personal data.
A "processor" is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller.
Applicable legal bases
In accordance with Article 32 GDPR, we take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account current technology, implementation costs, the nature, scope, context, and purposes of processing, and the varying likelihood and severity of the risk to the rights and freedoms of natural persons.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data as well as the associated access, input, transmission, safeguarding of availability, and separation of the data. We have also established procedures that guarantee the exercise of the rights of data subjects, deletion of data, and reaction to risks concerning the data. In addition, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly defaults (Article 25 GDPR).
Cooperation with data processors and third parties
If we disclose data to other persons and companies (data processors or third parties) within the scope of our processing, transmit the data to them or otherwise grant them access to the data, this shall only take place on the basis of a legal permission (e.g., if a transmission of the data to third parties, such as payment service providers, in accordance with Article 6 (1) (b) GDPR is required for contract fulfilment), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).
If we commission third parties with the processing of data on the basis of a so-called "order processing contract", this is done on the basis of Article 28 GDPR.
Transmission to third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or data disclosure or transfer to third parties, this will only take place to fulfil our (pre)contractual obligations, based on your consent, based on a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only if the particular requirements of Article 44 ff. GDPR are met. This means, for example, that the processing is carried out on the basis of special guarantees, such as the officially recognised determination of a data protection level equivalent to that of the EU (e.g., through the "Privacy Shield" for the USA) or compliance with officially recognised special contractual obligations (so-called "standard contractual clauses").
Rights of the data subjects
You have the right to request confirmation as to whether the data concerned are being processed and to request information about these data as well as further information and a copy of the data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with Article 17 GDPR, you have the right to demand that relevant data be deleted immediately or, alternatively, to demand a restriction on the processing of the data in accordance with Article 18 GDPR.
You have the right to request the data concerning you that you have provided to us in accordance with Article 20 GDPR and to request their transmission to other controllers.
In accordance with Article 77 GDPR, you have the further right to lodge a complaint with the responsible supervisory authority.
Right of withdrawal
You have the right to withdraw your consent in accordance with Article 7 (3) GDPR with effect for the future.
Right to object
You can object to the future processing of the data concerning you in accordance with Article 21 GDPR at any time. You can in particular object to processing for the purposes of direct advertising.
Cookies and right of objection to direct advertising
Cookies are small files stored on users' computers. A variety of data can be stored within cookies. A cookie serves primarily to save the data of a user (or the device on which the cookie is stored) during or after their visit to an online offering. Temporary cookies, as well as "session cookies" or "transient cookies", are cookies which are deleted after a user leaves an online offering and closes their browser. For example, the content of a shopping cart in an online shop or a login status can be stored in a cookie of this kind. Cookies are referred to as "permanent" or "persistent" if they remain stored even after the browser has been closed. For example, this allows the login status to be saved if users visit the site again after several days. Likewise, users' interests may be stored in a cookie of this nature and used for measuring reach or marketing purposes. "Third-party cookies" are cookies that are offered by providers other than the data controller who operates the website (if it's only the data controller's cookies, they are referred to as "first-party cookies").
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Cookies that are already stored can be deleted in the system settings of the browser at any time. The exclusion of cookies can lead to functional restrictions of this website.
Deletion of data
In particular, pursuant to legal requirements in Germany, storage lasts for 10 years pursuant to §§ 147 (1) AO (Revenue Code), 257 (1) no. 1 and 4, (4) HGB (German Commercial Code) (books, records, management reports, accounting records, trading books, documents relevant for taxation, etc.) and for 6 years in accordance with § 257 (1) nos. 2 and 3, (4) HGB (commercial letters).
In particular, pursuant to legal requirements in Austria, storage lasts for 7 years in accordance with § 132 (1) BAO (Austrian Federal Revenue Code) (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenditure, etc.), for 22 years in connection with properties, and for 10 years for documents in connection with electronically provided services, telecommunications, radio and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.
When contacting us (for example, by contact form, email, telephone or via social media), the user's details are processed for the handling of the contact enquiry in accordance with Article 6 (1) (b) GDPR. User information can be stored in a Customer Relationship Management System ("CRM System") or comparable ticket system.
We delete the enquiries if they are no longer necessary. We review whether they are still required every two years; the legal archiving obligations also apply.
Hosting and sending emails
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services and technical maintenance services that we use for the purpose of operating this online offering.
In this regard, either we or our hosting provider process the inventory data, contact data, content data, contract data, usage data, as well as the meta and communication data of customers, interested parties and visitors of this online offering based on our legitimate interests in the efficient and secure provision of this website, in accordance with Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of order processing agreement).
Google has become subject to the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
On our behalf, Google will use this information to evaluate the use of our online offering by the user, to compile reports on the activities within this online offering and to provide us with other services related to the use of this online offering and the internet. Pseudonymous usage profiles of users may be created from the data processed.
We only use Google Analytics with IP anonymisation active. This means that users' IP addresses are shortened by Google within EU member states or other countries party to the Agreement on the European Economic Area. Only in exceptional cases will the entire IP address be transmitted to a Google server in the USA and truncated there.
Users' personal data will be deleted or anonymised after 14 months.
Online social media presence
We maintain online presences on social networks and platforms in order to communicate with active customers, interested parties, and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Integration of third-party services and content
On the basis of our legitimate interests (i.e., interest in the analysis, optimisation, and economic operation of our website within the meaning of Article 6 (1) (f) GDPR), we include content or service offerings from third parties so that we can incorporate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").
This always requires that the third-party providers of this content can see the IP address of users, since without the IP address, they would not be able to send the content to the users' browsers. Your IP address is therefore necessary in order to display this content. We strive to only use content whose respective provider uses the IP address solely for the delivery of content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as web beacons) for statistical or marketing purposes. "Pixel tags" can be used to analyse information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may include technical information about the browser and operating system, referring websites, visiting time, and other information about the use of our website. It may also be linked to such information from other sources.