- Terminology used
1.1. 'Personal data' is all information referring to an identified or identifiable natural person (hereinafter 'Data Subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
1.2. 'Processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The definition is broad and covers practically any handling of data.
1.3. 'Controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Applicable legal bases
- Security measures
4.1. In accordance with Article 32 GDPR and in consideration of the latest available technology, the scope, circumstances and purpose of processing, as well as the varying likelihood and severity of risk for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of protection appropriate to the risk. These measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to it, its input, its disclosure, the securing of its availability and its separation. We have also set up procedures for guaranteeing the assertion of rights by data subjects, the deletion of data and the response to data being jeopardised. In addition, we already consider the protection of personal data when designing or, as may apply, selecting hardware, software and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
4.2. In particular, security measures include the encrypted transfer of data between your browser and our server.
- Disclosure and transfer of data
5.1. Where we disclose data to other persons and enterprises (processors or third parties) when processing, transmit it to them, or otherwise grant them access to the data, this only occurs based on legal permission (e.g. if sending the data to third parties, such as payment service providers, in accordance with Article 6 (1, b) GDPR is required for performing a contract), because you have consented, because a legal obligation provides for it, or based on our legitimate interests (e.g. when using agents, hosting providers, tax and business consultants, customer care, bookkeeping, invoicing and similar services allowing the efficient and effective performance of our contractual duties, administrative tasks and duties).
5.2. Where we commission third parties with the processing of data based on a 'processing agreement', we do so based on Article 28 GDPR.
- Transmission in third countries
Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this happens when using third-party services or disclosing/transmitting data to third parties, this only occurs if undertaken for complying with our (pre-)contractual duties, based on your consent, due to a statutory obligation, or based on our legitimate interests. Subject to legal or contractual permission, we only process or arrange for processing of data in a third country where the specific requirements of Articles 44 et seq. GDPR are met. In other words, processing occurs, for example, based on particular guarantees such as the officially recognised determination of a data protection level appropriate to that of the EU (e.g. for the USA by means of the 'Privacy Shield') or compliance with specific recognised contractual obligations (so-called 'standard contractual clauses').
- Rights of data subjects
7.1. You have the right to ask for confirmation as to whether your data is being processed and for access to this data, as well as further information and a copy of the data in accordance with Article 15 GDPR.
7.2. In accordance with Article 16 GDPR, you have the right to demand completion of data concerning you or the rectification of incorrect data concerning you.
7.3. In accordance with Article 17 GDPR, you have the right to demand that the data in question is erased without undue delay or, as may apply, alternatively in accordance with Article 18 GDPR demand a restriction of data processing.
7.4. You have the right to demand, in accordance with Article 20 GDPR, receipt of the data concerning you that you have provided, and transmission to other Controllers.
7.5. In addition, in accordance with Article 77 GDPR you have the right to lodge a complaint with a supervisory authority.
- Right of withdrawal
You have the right to withdraw consent granted in accordance with Article 7 (3) GDPR with future effect.
- Right to object
In accordance with Article 21 GDPR, you are able to object at any time to the future processing of data concerning you. In particular, the objection can be directed at processing for the purposes of direct advertising.
- Cookies and the right to object with direct advertising
10.1. 'Cookies' refer to small files stored on users' computers. Different information may be stored within cookies. A cookie primarily serves to store the details about a user (or, as may apply, the device on which the cookie is stored) during or even after a visit within an online offer. Cookies deleted after a user leaves an online offer and closes their browser are referred to as temporary cookies or, as may apply, session or transient cookies. By way of example, the content of a shopping cart in an online store or a login status can be stored in such a cookie. Permanent or persistent cookies refer to ones that remain stored even after the browser has been closed. This allows, for example, the login status to be stored if the user returns after several days. In the same way, the user's interests can be saved in such a cookie and can be used for gauging the audience or for marketing purposes. Third-party cookies are cookies from providers other than the Controller operating the online offer (where only the Controller's own cookies are meant, these are referred to as first-party cookies).
- Erasing data
11.2. Germany: In accordance with statutory requirements, retention is in particular for 6 years in accordance with Section 257 (1) German Commercial Code (trading books, inventories, opening balance sheets, end-of-year financial statements, commercial correspondence, accounting vouchers etc.), and for 10 years in accordance with Section 147 (1) of the German Tax Code (books, records, situation reports, accounting vouchers, commercial and business correspondence, documents relevant for taxation etc.).
11.3. Austria: In accordance with statutory requirements, retention is in particular for 7 years in accordance with Section 132 (1) of the Austrian Federal Tax Code (accounting documents, vouchers/invoices, accounts, vouchers, business papers, lists of revenue and expenditure, etc.), for 22 years in connection with land, and for 10 years for records in connection with electronically provided services, telecommunications, radio and television services provided to non-undertakings in EU Member States and for which the mini one-stop-shop (MOSS) is used.
- Business analysis and market research
In order to be able to commercially operate our business and identify market trends as well as client and user requirements, we analyse the data available to us regarding business processes, contracts, enquiries etc. In doing so, we process inventory data, communication data, contract data, payment data, usage data and metadata based on Article 6 (1, f) GDPR, where data subjects include clients, potential clients, business partners, visitors and users of the online offer. Analysis is performed for the purpose of business evaluation, marketing and market research. This allows us to consider the profiles of registered users with details, for example, of their purchasing processes. Analysis serves to increase user-friendliness and to optimise what we offer and our economic efficiency. Analysis serves us alone and is not passed externally unless it involves anonymous analysis with summarised values. Where these analyses or profiles are personal, they are erased or anonymised upon the user's cancellation, or otherwise two years after a contract has been entered into. Otherwise, analysis of overall business efficiency and general determination of trends is created in an anonymous manner where possible.
- Making contact and customer service
When contacting us (via the contact form or email), user details are processed for handling and dealing with the contact request in accordance with Article 6 (1, b) GDPR. Details of the user can be stored in our customer relationship management system ('CRM system') or a comparable enquiry-handling system. We delete the enquiries as soon as they are no longer required. We review the necessity every two years. We permanently save enquiries from customers with a customer account and refer to the details in the customer account for deletion. Statutory archiving duties also apply.
- Collection of access data and log files
We collect data about all access to the server on which the service is located (server log files) based on our legitimate interests in the sense of Article 6 (1, f) GDPR. Access data includes the name of the resource accessed, the date and time of access, the quantity of data transferred, a report of successful access, the browser type along with its version, the user's operating system, the referrer URL (previous page visited), the IP address and the requesting provider. For security reasons (e.g. for investigating misuse or fraud), log file information is stored for a maximum of seven days and then deleted. Data whose further retention is required for evidential purposes is exempt from deletion until the incident has been definitively investigated.
- Online social media presence
- Google Analytics
- Facebook Social Plugins
- Communication via post, email, fax or telephone
For business and marketing purposes we use methods of remote communication such as post, telephone or email. In doing so, we process user data, address and contact details, and contract data from customers, participants, potential customers and communication partners.
27.2 Processing is based on Article 6 (1, a), Article 7 GDPR, and Article 6 (1, f) GDPR in conjunction with statutory requirements for promotional communication. Contact is made only with the consent of the contact partner or where permitted by law, and the data processed is erased as soon as it is no longer required or, otherwise, where the justification for processing is objected to, revoked or ceases to apply, unless archiving is required by law.
- Involvement of third parties and third-party content