Data Privacy Notice
This data privacy notice informs you of the nature, scope and purpose of the processing of personal data (hereafter “data” for short) within our online service and the websites, features and content associated with this as well as external internet presences, e.g. such as our social media profiles (hereafter collectively referred to as the “online service”). With regard to the terminology used, e.g. such as “processing” or “controller”, we refer to the definitions in art. 4 of the General Data Protection Regulation (GDPR).
Dr. Beata Lutomska-Kaufmann
Adalbert Stifter Gasse 591
3034 Maria Anzbach
Tel: +43 664 42 49 668
Types of Data Processed:
– Personal data (e.g. names, addresses).
– Contact data (e.g. e-mail, telephone numbers).
– Content data (e.g. text inputs, photographs, videos).
– Usage data (e.g. visited websites, interest in content, access times).
– Meta/communications data (e.g. device information, IP addresses).
Categories of Data Subjects
Visitors and users of the online service (in the following, data subjects are collectively referred to as “users”).
Purpose of Processing
– Provision of the online service, its features and contents.
– Replying to contact enquiries and communication with users.
– Security measures.
– Measuring coverage / marketing
Personal data are any information relating to an identified or identifiable natural person (hereafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term is far-reaching and includes virtually any handling of data.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Relevant Legal Basis
In accordance with art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not specified in the data privacy notice, the following applies: the legal basis for obtaining consents is art. 6 par. 1 letter a and art. 7 GDPR, the legal basis of processing for the performance of our services and implementation of contractual measures as well as replying to enquiries is art. 6 par. 1 letter b GDPR, the legal basis of processing for compliance with our legal obligations is art. 6 par. 1 letter c GDPR, and the legal basis of processing for the protection of our legitimate interests is art. 6 par. 1 letter f GDPR. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, art. 6 par. 1 letter d GDPR serves as the legal basis.
Cooperation with Order Data Processors and Third Parties
If we disclose data to other people and companies (order data processors or third parties) in the course of our processing, transmit data to them or otherwise grant them access to data, this is done only on the basis of statutory authorisation (e.g. if transmission of the data to third parties such as payment service providers is required in accordance with art. 6 par. 1 letter b GDPR for performance of a contract), your consent, the requirement of a legal obligation or on the basis of our legitimate interests (e.g. if agents, web hosts etc. are used).
If we commission third parties with processing of data on the basis of a so-called “data processing agreement,” this is done on the basis of art. 28 GDPR.
Transmissions to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in the course of the use of services from third parties or if data are disclosed/transmitted to third parties, this takes place only if it is for the fulfilment of our pre-contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Subject to statutory or contractual authorisations, we process data or have data processed in a third country only if the special conditions of art. 44 et seq. GDPR are in place, i.e. processing takes place e.g. on the basis of special guarantees, such as officially recognised establishment of a data protection level that corresponds to that of the EU or compliance with officially recognised special contractual obligations (so-called “standard contractual clauses”).
Rights of Data Subjects
You have the right to demand confirmation of whether relevant personal data are being processed and to information about these data as well as further information and a copy of the data in accordance with art. 15 GDPR.
In accordance with art. 16 GDPR, you have the right to demand completion of data concerning you or rectification of incorrect data concerning you.
According to art. 17 GDPR, you have the right to demand erasure of data concerning you without delay or alternatively, according to art. 18 GDPR, to demand restriction of processing of the data.
You have the right to demand to receive the data concerning you, which you have provided to us, in accordance with art. 20 GDPR and to demand their transmission to other controllers.
Furthermore, in accordance with art. 77 GDPR, you have the right to lodge a complaint with the responsible supervisory authority.
Right to Withdraw
With effect for the future, you have the right to withdraw consents issued, in accordance with art. 7 par. 3 GDPR.
Right to Object
You can object at any time to the future processing of the data concerning you, in accordance with art. 21 GDPR. The objection may be made in particular to processing for the purposes of direct marketing.
Cookies and Right to Object in the Case of Direct Marketing
“Cookies” refer to small files that are stored on computers of users. A variety of information can be stored within the cookies. A cookie primarily serves to store the information about a user (or the device on which the cookie is stored) during or after the visit of the user within an online service. Temporary cookies – “session cookies” or “transient cookies” – refer to cookies that are deleted after a user leaves an online service and closes the browser. The contents of a basket in an online shop, for example, or a login status may be stored in such a cookie. “Permanent” or “persistent” cookies refer to those that remain stored even after the browser is closed. The login status, for example, can therefore be stored in case users visit again after several days. The interests of users can also be stored in such a cookie and are used for measuring coverage or marketing purposes. “Third-party cookies” refer to cookies that are offered by providers other than the controller operating the online service (otherwise, if only the cookies of the latter are concerned, these are referred to as “first-party cookies”).
We may use temporary and permanent cookies and we inform you about these as part of our data privacy notice.
If users do not wish to have cookies stored on their computer, they are asked to deactivate the relevant option in the system settings of their browser. Stored cookies can be deleted in the browser system settings. The exclusion of cookies may cause functional impairments in this online service.
Erasure of Data
The data processed by us are erased or their processing is restricted in accordance with art. 17 and 18 GDPR. Unless explicitly specified as part of this data privacy notice, data stored by us are erased as soon as they are no longer required for their intended purpose and there are no statutory retention obligations to prevent erasure. If the data are not erased, because they are required other and legally permissible purposes, their processing is restricted, i.e. the data are stored and not processed for other purposes. This applies e.g. for data that have to be retained for reasons of commercial or fiscal law.
Under statutory requirements in Austria, retention is specifically required for at least 7 years in accordance with § 132 par. 1 of the Austrian federal fiscal code (accounting documents, receipts/invoices, accounts, receipts, business papers, list of income and expenditure etc.), for 22 years in connection with properties and for at least 10 years in the case of documents in connection with services that are provided electronically, telecommunications, radio and television services provided to non-businesses in EU member states and for which the Mini One Stop Shop (MOSS) is used.
The hosting services that we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services that we use for the purpose of operating this online service.
In this, we – or rather our hosting provider – process inventory data, contact data, content data, contract data, usage data, meta and communications data from customers, prospective customers and visitors to this online service, on the basis of our legitimate interest in efficient and secure provision of this online service in accordance with art. 6 par. 1 letter f GDPR in conjunction with art. 28 GDPR (“data processing contract” conclusion).
Collection of Access Data and Log Files
On the basis of our legitimate interest in line with art. 6 par. 1 letter f GDPR, we – or rather our hosting provider – process data about every access to the server on which this service is located (so-called server log files). The access data include the name of the website retrieved, file, date and time of retrieval, data volume transmitted, notification of successful retrieval, browser type together with version, operating system of the user, referrer URL (the page visited previously), IP address and requesting provider.
For security reasons (e.g. to resolve abusive or fraudulent actions), log file information is stored for a maximum duration of 7 days and then erased. Data of which further retention is required for the purposes of evidence are excluded from erasure until final resolution of the respective incident.
If we are contacted (e.g. via contact form, e-mail, telephone or social media), the details of the user are processed in accordance with art. 6 par. 1 letter b) GDPR, in order to handle and deal with the contact enquiry. User details may be stored in a customer relationship management (CRM) system or similar enquiry organiser.
We erase enquiries when they are no longer required. We verify the requirement every two years; furthermore, the statutory archiving obligations apply.