By clicking Accept, you agree to the storage of cookies on your device to improve site navigation, analyze site usage, and support our marketing efforts. For more information, see our privacy policy.
With the following privacy policy we wouldlike to inform you which types of your personal data (hereinafter alsoabbreviated as "data") we process for which purposes and in whichscope. The privacy statement applies to all processing of personal data carriedout by us, both in the context of providing our services and in particular onour websites, in mobile applications and within external online presences, suchas our social media profiles (hereinafter collectively referred to as"online services").
The terms used are not gender-specific.
Last Update: 21. June 2024
Table of contents
Preamble
Controller
Overview of processing operations
Relevant legal bases
Security Precautions
Transmission of Personal Data
International data transfers
General Information on Data Retention and Deletion
Rights of Data Subjects
Business services
Provision of online services and web hosting
Use of Cookies
Special Notes on Applications (Apps)
Contact and Inquiry Management
Communication via Messenger
Surveys and Questionnaires
Web Analysis, Monitoring and Optimization
Profiles in Social Networks (Social Media)
Plugins and embedded functions and content
Processing of data in the context of employment relationships
Changes and Updates
Terminology and Definitions
Controller
First name, surname/company Street, house no. Postcode, City, Country
E-mail address: firstname.name@exampledomain.eu
Overview of processing operations
The following table summarises the types ofdata processed, the purposes for which they are processed and the concerneddata subjects.
Categories of Processed Data
Inventory data.
Employee Data.
Payment Data.
Location data.
Contact data.
Content data.
Contract data.
Usage data.
Meta, communication and process data.
Social data.
Images and/ or video recordings.
Event Data (Facebook).
Log data.
Performance and behavioural data.
Working hours data.
Salary data.
Special Categories of Data
Health Data.
Religious or philosophical beliefs.
Trade union membership.
Categories of Data Subjects
Service recipients and clients.
Employees.
Prospective customers.
Communication partner.
Users.
Business and contractual partners.
Participants.
Purposes of Processing
Provision of contractual services and fulfillment of contractual obligations.
Communication.
Security measures.
Direct marketing.
Web Analytics.
Targeting.
Office and organisational procedures.
Clicktracking.
A/B Tests.
Organisational and Administrative Procedures.
Content Delivery Network (CDN).
Feedback.
Heatmaps.
Polls and Questionnaires.
Marketing.
Profiles with user-related information.
Provision of our online services and usability.
Establishment and execution of employment relationships.
Information technology infrastructure.
Public relations.
Business processes and management procedures.
Relevant legal bases
Relevant legal bases according to theGDPR: In the following, you will find an overviewof the legal basis of the GDPR on which we base the processing of personaldata. Please note that in addition to the provisions of the GDPR, national dataprotection provisions of your or our country of residence or domicile mayapply. If, in addition, more specific legal bases are applicable in individualcases, we will inform you of these in the data protection declaration.
Consent (Article 6 (1) (a) GDPR) - The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Performance of a contract and prior requests (Article 6 (1) (b) GDPR) - Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate Interests (Article 6 (1) (f) GDPR) - the processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.
Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional.
National data protection regulations inAustria: In addition to the data protectionregulations of the GDPR, national regulations apply to data protection in Austria.This includes in particular the Federal Act on the Protection of Individualswith regard to the Processing of Personal Data (Data Protection Act - DSG). Inparticular, the Data Protection Act contains special provisions on the right ofaccess, rectification or cancellation, processing of special categories ofpersonal data, processing for other purposes and transmission and automateddecision making in individual cases.
Reference to the applicability of theGDPR and the Swiss DPA: These privacy policy servesboth to provide information pursuant to the Swiss Federal Act on DataProtection (FADP) and the General Data Protection Regulation (GDPR). For thisreason, we ask you to note that due to the broader spatial application andcomprehensibility, the terms used in the GDPR are applied. In particular,instead of the terms used in the Swiss FADP such as "processing" of"personal data", "predominant interest", and"particularly sensitive personal data", the terms used in the GDPR,namely "processing" of "personal data", as well as"legitimate interest" and "special categories of data" areused. However, the legal meaning of these terms will continue to be determinedaccording to the Swiss FADP within its scope of application.
Security Precautions
We take appropriate technical andorganisational measures in accordance with the legal requirements, taking intoaccount the state of the art, the costs of implementation and the nature,scope, context and purposes of processing as well as the risk of varyinglikelihood and severity for the rights and freedoms of natural persons, inorder to ensure a level of security appropriate to the risk.
The measures include, in particular,safeguarding the confidentiality, integrity and availability of data bycontrolling physical and electronic access to the data as well as access to,input, transmission, securing and separation of the data. In addition, we haveestablished procedures to ensure that data subjects' rights are respected, thatdata is erased, and that we are prepared to respond to data threats rapidly.Furthermore, we take the protection of personal data into account as early asthe development or selection of hardware, software and service providers, inaccordance with the principle of privacy by design and privacy by default.
Securing online connections through TLS/SSLencryption technology (HTTPS): To protect the data of users transmitted via ouronline services from unauthorized access, we employ TLS/SSL encryptiontechnology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) arethe cornerstones of secure data transmission on the internet. Thesetechnologies encrypt the information that is transferred between the website orapp and the user's browser (or between two servers), thereby safeguarding the datafrom unauthorized access. TLS, as the more advanced and secure version of SSL,ensures that all data transmissions conform to the highest security standards.When a website is secured with an SSL/TLS certificate, this is indicated by thedisplay of HTTPS in the URL. This serves as an indicator to users that theirdata is being securely and encryptedly transmitted.
Transmission of Personal Data
In the course of processing personal data,it may happen that this data is transmitted to or disclosed to other entities,companies, legally independent organizational units, or individuals. Recipientsof this data may include service providers tasked with IT duties or providersof services and content that are integrated into a website. In such cases, weobserve the legal requirements and particularly conclude relevant contracts oragreements that serve to protect your data with the recipients of your data.
International data transfers
Data Processing in Third Countries: If weprocess data in a third country (i.e., outside the European Union (EU) or theEuropean Economic Area (EEA)), or if the processing is done within the contextof using third-party services or the disclosure or transfer of data to otherindividuals, entities, or companies, this is only done in accordance with legalrequirements. If the data protection level in the third country has beenrecognized by an adequacy decision (Article 45 GDPR), this serves as the basisfor data transfer. Otherwise, data transfers only occur if the data protectionlevel is otherwise ensured, especially through standard contractual clauses(Article 46 (2)(c) GDPR), explicit consent, or in cases of contractual orlegally required transfers (Article 49 (1) GDPR). Furthermore, we provide youwith the basis of third-country transfers from individual third-countryproviders, with adequacy decisions primarily serving as the foundation."Information regarding third-country transfers and existing adequacydecisions can be obtained from the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.
EU-US Trans-Atlantic Data Privacy Framework:Within the context of the so-called "Data Privacy Framework" (DPF),the EU Commission has also recognized the data protection level for certaincompanies from the USA as secure within the adequacy decision of 10th July2023. The list of certified companies as well as additional information aboutthe DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/s/.We will inform you which of our service providers are certified under the DataPrivacy Framework as part of our data protection notices.
General Information on Data Retention and Deletion
We delete personal data that we process inaccordance with legal regulations as soon as the underlying consents arerevoked or no further legal bases for processing exist. This applies to caseswhere the original purpose of processing is no longer applicable or the data isno longer needed. Exceptions to this rule exist if statutory obligations orspecial interests require a longer retention or archiving of the data.
In particular, data that must be retainedfor commercial or tax law reasons, or whose storage is necessary for legalprosecution or protection of the rights of other natural or legal persons, mustbe archived accordingly.
Our privacy notices contain additionalinformation on the retention and deletion of data specifically applicable tocertain processing processes.
In cases where multiple retention periodsor deletion deadlines for a date are specified, the longest period alwaysprevails.
If a period does not expressly start on aspecific date and lasts at least one year, it automatically begins at the endof the calendar year in which the event triggering the period occurred. In thecase of ongoing contractual relationships in the context of which data isstored, the event triggering the deadline is the time at which the terminationor other termination of the legal relationship takes effect.
Data that is no longer stored for itsoriginally intended purpose but due to legal requirements or other reasons areprocessed exclusively for the reasons justifying their retention.
Further information on processingmethods, procedures and services used:
Data Retention and Deletion: The following general deadlines apply to retention and archiving according to Austrian law:
10 Years - Retention period for books and records, annual financial statements, inventories, annual reports, opening balance sheets, booking receipts and invoices, as well as any necessary work instructions and other organisational documents (Austrian Federal Tax Code (BAO §132), Austrian Commercial Code (UGB §§190-212)).
6 Years - Remaining business documents: Received business or trading letters, copies of sent business or trading letters, and other documents, if they are relevant for taxation. These could be hourly wage sheets, operational accounting sheets, calculation documents, price tags, and payroll documents, as long as they aren't already booking receipts and cash register strips (Austrian Federal Tax Code (BAO §132), Austrian Commercial Code (UGB §§190-212)). .
3 Years - Data required to consider potential warranty and compensation claims or similar contractual claims and rights, as well as to process related inquiries, based on previous business experiences and common industry practices, will be stored for the duration of the regular statutory limitation period of three years (Sections 1478, 1480 of the Austrian Civil Code).
Rights of Data Subjects
Rights of the Data Subjects under the GDPR:As data subject, you are entitled to various rights under the GDPR, which arisein particular from Articles 15 to 21 of the GDPR:
Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
Right of withdrawal for consents: You have the right to revoke consents at any time.
Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.
Business services
We process data of our contractual and businesspartners, e.g. customers and interested parties (collectively referred to as"contractual partners") within the context of contractual andcomparable legal relationships as well as associated actions and communicationwith the contractual partners or pre-contractually, e.g. to answer inquiries.
We process this data in order to fulfillour contractual obligations. These include, in particular, the obligations toprovide the agreed services, any update obligations and remedies in the eventof warranty and other service disruptions. In addition, we process the data toprotect our rights and for the purpose of administrative tasks associated withthese obligations and company organization. Furthermore, we process the data onthe basis of our legitimate interests in proper and economical businessmanagement as well as security measures to protect our contractual partners andour business operations from misuse, endangerment of their data, secrets,information and rights (e.g. for the involvement of telecommunications,transport and other auxiliary services as well as subcontractors, banks, taxand legal advisors, payment service providers or tax authorities). Within theframework of applicable law, we only disclose the data of contractual partnersto third parties to the extent that this is necessary for the aforementionedpurposes or to fulfill legal obligations. Contractual partners will be informedabout further forms of processing, e.g. for marketing purposes, within thescope of this privacy policy.
Which data are necessary for theaforementioned purposes, we inform the contracting partners before or in thecontext of the data collection, e.g. in online forms by special marking (e.g.colors), and/or symbols (e.g. asterisks or the like), or personally.
We delete the data after expiry ofstatutory warranty and comparable obligations, i.e. in principle after expiryof 4 years, unless the data is stored in a customer account or must be kept forlegal reasons of archiving. The statutory retention period for documentsrelevant under tax law as well as for commercial books, inventories, openingbalance sheets, annual financial statements, the instructions required tounderstand these documents and other organizational documents and accountingrecords is ten years and for received commercial and business letters andreproductions of sent commercial and business letters six years. The periodbegins at the end of the calendar year in which the last entry was made in thebook, the inventory, the opening balance sheet, the annual financial statementsor the management report was prepared, the commercial or business letter wasreceived or sent, or the accounting document was created, furthermore therecord was made or the other documents were created.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers). Contract data (e.g. contract object, duration, customer category).
Special categories of personal data: Health Data.
Data subjects: Service recipients and clients; Prospective customers. Business and contractual partners.
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Communication; Office and organisational procedures; Organisational and Administrative Procedures. Business processes and management procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processingmethods, procedures and services used:
Hospitality, hotel and accommodation services: We process the data of our guests, visitors and interested parties (uniformly referred to as "guests") in order to provide our accommodation and related services of a tourist or gastronomic nature and to invoice the services provided.
As part of our assignment it may be necessary for us to process special categories of data within the meaning of Article 9 (1) GDPR, in particular information on the health of a person or information relating to his/her religious belief. In this case processing is carried out in order to protect the health interests of visitors (e.g. in the case of information on allergies) or otherwise to satisfy their physical or mental needs on request and with their consent.
If necessary for the fulfillment of the contract or required by law, or agreed by guests, or it is based on our legitimate interests, we disclose or transfer the guests' data e.g. to the service providers involved in the fulfillment of our services or from authorities, billing centers and in the area of IT, office or comparable services; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Event Management: We process the data of the participants of the events, events and similar activities offered or organized by us (hereinafter uniformly referred to as "participants" and "events") in order to enable them to participate in the events and to make use of the services or actions associated with their participation.
Insofar as we process health-related data, religious, political or other special categories of data in this context, this is done within the framework of disclosure (e.g. for thematically oriented events or serves health care, security or is done with the consent of the data subjects).
The necessary information is identified as such in the context of the conclusion of the agreement, booking or comparable contract and includes the information required for the provision of services and billing as well as contact information in order to be able to hold any enquiries. Insofar as we gain access to information of end customers, employees or other persons, we process this in accordance with the legal and contractual requirements; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Rental Services: We process the data of our tenants and of interested parties (uniformly referred to as "tenant") in accordance with the underlying rental or comparable contract. Furthermore, we can process the information on the characteristics and circumstances of persons or items belonging to them if this is necessary within the framework of the rental relationship. These can be, for example, information on personal circumstances, mobile or immovable assets and financial situation as well as the use of ancillary services (such as water or energy supply). As part of our assignment it may be necessary for us to process special categories of data within the meaning of Article 9 (1) GDPR, in particular information on the health of a person. The processing is done to protect the health interests of tenants and otherwise only with the consent of tenants . If necessary for the fulfilment of the contract or legally required, or agreed by the tenant or on the basis of our legitimate interests, we disclose or transmit the data of the tenants within the scope of cover requests, conclusions and execution of contracts, data e.g. to financial service providers, credit institutions, suppliers (e.g. electricity) or authorities. Furthermore, we process tenants' data if this is necessary to fulfill legal obligations (e.g. in the case of information obligations in connection with ancillary services and ancillary costs); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Provision of online services and web hosting
We process user data in order to be able toprovide them with our online services. For this purpose, we process the IPaddress of the user, which is necessary to transmit the content and functionsof our online services to the user's browser or terminal device.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Log data (e.g. log files concerning logins or data retrieval or access times.). Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.).
Data subjects: Users (e.g. website visitors, users of online services). Business and contractual partners.
Purposes of processing: Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.).); Security measures; Content Delivery Network (CDN). Office and organisational procedures.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Further information on processingmethods, procedures and services used:
Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a "web hoster"); Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type along with version, the user's operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, known as DDoS attacks), and to ensure server load management and stability; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.
Content-Delivery-Network: We use a so-called "Content Delivery Network" (CDN). A CDN is a service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Webflow: Creation, management and hosting of websites, online forms and other web elements; Service provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://webflow.com; Privacy Policy:https://webflow.com/legal/eu-privacy-policy; Data Processing Agreement:https://webflow.com/legal/dpa. Basis for third-country transfers: Data Privacy Framework (DPF).
Cloudflare: Content-Delivery-Network (CDN) - service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.cloudflare.com; Privacy Policy:https://www.cloudflare.com/privacypolicy/; Data Processing Agreement:https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers: Data Privacy Framework (DPF).
Amazon CloudFront: Content-Delivery-Network (CDN) - service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Amazon Web Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://aws.amazon.com/cloudfront/; Privacy Policy:https://aws.amazon.com/privacy/; Data Processing Agreement:https://aws.amazon.com/compliance/gdpr-center/. Basis for third-country transfers: Standard Contractual Clauses (Provided by the service provider).
JSDelivr: Content Delivery Network (CDN) that helps deliver media and files quickly and efficiently, especially under heavy load; Service provider: ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.jsdelivr.com. Privacy Policy:https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.
Use of Cookies
Cookies are small text files or other typesof storage markers that store information on end devices and read informationfrom them. For example, to save the login status in a user account, thecontents of a shopping cart in an e-shop, the content accessed, or thefunctions used of an online offer. Furthermore, cookies can be used for variousconcerns, such as for the functionality, security, and comfort of online offersas well as the creation of analyses of visitor flows.
Notes on Consent: We use cookies in accordance with legal regulations. Therefore, weobtain prior consent from users, unless it is not required by law. Permissionis particularly not necessary if the storage and reading of information,including cookies, are absolutely necessary to provide a telemedia service(i.e., our online offer) expressly requested by the users. The revocableconsent is clearly communicated to them and contains information on therespective cookie usage.
Notes on the legal basis for dataprotection: The legal basis on which weprocess users' personal data with the help of cookies depends on whether we askthem for consent. If users accept, the legal basis for processing their data isthe declared consent. Otherwise, the data processed with the help of cookiesare based on our legitimate interests (e.g., in a commercial operation of ouronline offer and its usability improvement) or, if this occurs within thefulfillment of our contractual obligations, when the use of cookies isnecessary to fulfill our contractual obligations. We clarify the purposes forwhich the cookies are used by us in the course of this data protection declarationor within the scope of our consent and processing processes.
Storage Duration: Regarding the storage duration, the following types of cookies aredistinguished:
Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device (e.g., browser or mobile application).
Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved and preferred content can be displayed directly when the user revisits a site. Similarly, user data collected via cookies can be used for reach measurement. Unless we provide users with explicit information about the nature and storage duration of cookies (e.g., when obtaining consent), they should assume that they are permanent and the storage duration can be up to two years.
General notes on revocation andobjection (Opt-out): Users can revoke theconsents they have given at any time and also declare an objection to theprocessing according to legal requirements, also via the privacy settings oftheir browser.
Processed data types: Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Users (e.g. website visitors, users of online services).
Further information on processingmethods, procedures and services used:
Processing Cookie Data on the Basis of Consent: We implement a consent management solution that obtains users' consent for the use of cookies or for the processes and providers mentioned within the consent management framework. This procedure is designed to solicit, log, manage, and revoke consents, particularly regarding the use of cookies and similar technologies employed to store, read from, and process information on users' devices. As part of this procedure, user consents are obtained for the use of cookies and the associated processing of information, including specific processing and providers named in the consent management process. Users also have the option to manage and withdraw their consents. Consent declarations are stored to avoid repeated queries and to provide proof of consent according to legal requirements. The storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to associate the consent with a specific user or their device.If no specific details about the providers of consent management services are provided, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored along with the time of consent, details on the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and device used; Legal Basis: Consent (Article 6 (1) (a) GDPR).
Special Notes on Applications (Apps)
We process the data of the users of ourapplication to the extent necessary to provide the users with the applicationand its functionalities, to monitor its security and to develop it further.Furthermore, we may contact users in compliance with the statutory provisionsif communication is necessary for the purposes of administration or use of theapplication. In addition, we refer to the data protection information in thisprivacy policy with regard to the processing of user data.
Legal basis:The processing of data necessary for the provision of the functionalities ofthe application serves to fulfil contractual obligations. This also applies ifthe provision of the functions requires user authorisation (e.g. release ofdevice functions). If the processing of data is not necessary for the provisionof the functionalities of the application, but serves the security of theapplication or our business interests (e.g. collection of data for the purposeof optimising the application or security purposes), it is carried out on thebasis of our legitimate interests. If users are expressly requested to givetheir consent to the processing of their data, the data covered by the consentis processed on the basis of the consent.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Security measures. Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processingmethods, procedures and services used:
Device authorizations for access to functions and data: The use of certain functions of our application may require access to the camera and the stored recordings of the users. By default, these authorizations must be granted by the user and can be revoked at any time in the settings of the respective devices. The exact procedure for controlling app permissions may depend on the user's device and software. Users can contact us if they require further explanation. We would like to point out that the refusal or revocation of the respective authorizations can affect the functionality of our application.
Contact and Inquiry Management
When contacting us (e.g. via mail, contactform, e-mail, telephone or via social media) as well as in the context of existinguser and business relationships, the information of the inquiring persons isprocessed to the extent necessary to respond to the contact requests and anyrequested measures.
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
Purposes of processing: Communication; Organisational and Administrative Procedures; Feedback (e.g. collecting feedback via online form). Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
Further information on processingmethods, procedures and services used:
Contact form: Upon contacting us via our contact form, email, or other means of communication, we process the personal data transmitted to us for the purpose of responding to and handling the respective matter. This typically includes details such as name, contact information, and possibly additional information provided to us that is necessary for appropriate processing. We use this data exclusively for the stated purpose of contact and communication; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Communication via Messenger
We use messenger services for communicationpurposes and therefore ask you to observe the following information regardingthe functionality of the messenger services, encryption, use of the metadata ofthe communication and your objection options.
You can also contact us by alternativemeans, e.g. telephone or e-mail. Please use the contact options provided to youor use the contact options provided within our online services.
In the case of encryption of content (i.e.the content of your message and attachments), we point out that thecommunication content (i.e. the content of the message and attachments) isencrypted end-to-end. This means that the content of the messages is notvisible, not even by the messenger service providers themselves. You shouldalways use a current version of the messenger service with activatedencryption, so that the encryption of the message contents is guaranteed.
However, we would like to point out to ourcommunication partners that although messenger service providers do not see thecontent, they can find out that and when communication partners communicatewith us and process technical information on the communication partner's deviceused and, depending on the settings of their device, also location information(so-called metadata).
Information on Legal basis: If we ask communicationpartners for permission before communicating with them via messenger services,the legal basis of our processing of their data is their consent. Otherwise, ifwe do not request consent and you contact us, for example, voluntarily, we usemessenger services in our dealings with our contractual partners and as part ofthe contract initiation process as a contractual measure and in the case ofother interested parties and communication partners on the basis of ourlegitimate interests in fast and efficient communication and meeting the needsof our communication partners for communication via messenger services. Wewould also like to point out that we do not transmit the contact data providedto us to the messenger service providers for the first time without yourconsent.
Withdrawal, objection and deletion: You can withdraw your consentor object to communication with us via messenger services at any time. In thecase of communication via messenger services, we delete the messages inaccordance with our general data retention policy (i.e. as described aboveafter the end of contractual relationships, archiving requirements, etc.) andotherwise as soon as we can assume that we have answered any informationprovided by the communication partners, if no reference to a previousconversation is to be expected and there are no legal obligations to store themessages to prevent their deletion.
Reservation of reference to other meansof communication: For your security, we kindly askfor your understanding that we may not respond to enquiries via messenger forspecific reasons. This applies in situations where contract details requireheightened confidentiality or a response via messenger does not meet formalrequirements. In such cases, we recommend using more appropriate communicationchannels.
Processed data types: Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Communication partner (Recipients of e-mails, letters, etc.).
Purposes of processing: Communication. Direct marketing (e.g. by e-mail or postal).
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Legal Basis: Consent (Article 6 (1) (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
Further information on processingmethods, procedures and services used:
Apple iMessage: Send and receive text messages, voice messages, and video calls. Conduct group conversations. Share files, photos, videos, and locations. Secure communication through end-to-end encryption. Synchronise messages across multiple devices; Service provider: Apple Inc., Infinite Loop, Cupertino, CA 95014, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.apple.com/. Privacy Policy:https://www.apple.com/privacy/privacy-policy/.
Instagram: Messaging via the social network Instagram; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.instagram.com. Privacy Policy:https://privacycenter.instagram.com/policy/.
Facebook-Messenger: Sending and receiving text messages, making voice and video calls, creating group chats, sharing files and media, transmitting location information, synchronising contacts, encrypting messages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/privacy/policy/; Data Processing Agreement:https://www.facebook.com/legal/terms/dataprocessing. Basis for third-country transfers: Data Privacy Framework (DPF).
WhatsApp: Text messages, voice and video calls, sending images, videos and documents, group chat functionality, end-to-end encryption for enhanced security; Service provider: WhatsApp Ireland Limited, Merrion Road 4, D04 X2K5 Dublin, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.whatsapp.com/; Privacy Policy:https://www.whatsapp.com/legal. Basis for third-country transfers: Data Privacy Framework (DPF).
Surveys and Questionnaires
We conduct surveys and interviews to gatherinformation for the survey purpose communicated in each case. The surveys andquestionnaires ("surveys") carried out by us are evaluatedanonymously. Personal data is only processed insofar as this is necessary forthe provision and technical execution of the survey (e.g. processing the IPaddress to display the survey in the user's browser or to enable a resumptionof the survey with the aid of a cookie).
Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.). Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
Data subjects: Participants.
Purposes of processing: Feedback (e.g. collecting feedback via online form); Polls and Questionnaires (e.g. surveys with input options, multiple choice questions); Targeting (e.g. profiling based on interests and behaviour, use of cookies); Clicktracking; A/B Tests; Heatmaps ("Heatmaps" are mouse movements of the users, which are combined to an overall picture.); Profiles with user-related information (Creating user profiles). Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Web analysis is used to evaluate thevisitor traffic on our website and may include the behaviour, interests ordemographic information of users, such as age or gender, as pseudonymousvalues. With the help of web analysis we can e.g. recognize, at which time ouronline services or their functions or contents are most frequently used orrequested for repeatedly, as well as which areas require optimization.
In addition to web analysis, we can alsouse test procedures, e.g. to test and optimize different versions of our onlineservices or their components.
Unless otherwise stated below, profiles,i.e. data aggregated for a usage process, can be created for these purposes andinformation can be stored in a browser or in a terminal device and read fromit. The information collected includes, in particular, websites visited andelements used there as well as technical information such as the browser used,the computer system used and information on usage times. If users have agreedto the collection of their location data from us or from the providers of theservices we use, location data may also be processed.
Unless otherwise stated below, profiles,that is data summarized for a usage process or user, may be created for thesepurposes and stored in a browser or terminal device (so-called"cookies") or similar processes may be used for the same purpose. Theinformation collected includes, in particular, websites visited and elementsused there as well as technical information such as the browser used, thecomputer system used and information on usage times. If users have consented tothe collection of their location data or profiles to us or to the providers ofthe services we use, these may also be processed, depending on the provider.
The IP addresses of the users are alsostored. However, we use any existing IP masking procedure (i.e.pseudonymisation by shortening the IP address) to protect the user. In general,within the framework of web analysis, A/B testing and optimisation, no userdata (such as e-mail addresses or names) is stored, but pseudonyms. This meansthat we, as well as the providers of the software used, do not know the actualidentity of the users, but only the information stored in their profiles forthe purposes of the respective processes.
Notes on legal bases: If we ask users fortheir consent to use third-party providers, the legal basis for data processingis consent. Otherwise, user data will be processed on the basis of ourlegitimate interests (i.e. interest in efficient, economical and recipient-friendlyservices). In this context, we would also like to draw your attention to theinformation on the use of cookies in this privacy policy.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Web Analytics (e.g. access statistics, recognition of returning visitors); Profiles with user-related information (Creating user profiles); Targeting (e.g. profiling based on interests and behaviour, use of cookies); Clicktracking; A/B Tests; Heatmaps ("Heatmaps" are mouse movements of the users, which are combined to an overall picture.). Provision of our online services and usability.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
Security measures: IP Masking (Pseudonymization of the IP address).
Further information on processingmethods, procedures and services used:
Hotjar Observe: Software for the analysis and optimization of online services based on pseudonymously performed measurements and analyses of user behavior, which may include in particular A/B tests (measurement of the popularity and user-friendliness of different content and functions), measurement of click paths and interaction with content and functions of the online service (as so-called heat maps and recordings); Service provider: Hotjar Ltd., 3 Lyons Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:https://www.hotjar.com; Privacy Policy:https://www.hotjar.com/legal/policies/privacy; Retention period: The cookies that Hotjar uses have a different "lifetime"; some last up to 365 days, some only last during the current visit; cookie policy: https://www.hotjar.com/legal/policies/cookie-information. Opt-Out:https://www.hotjar.com/legal/compliance/opt-out.
Profiles in Social Networks (Social Media)
We maintain online presences within socialnetworks and process user data in this context in order to communicate with theusers active there or to offer information about us.
We would like to point out that user datamay be processed outside the European Union. This may entail risks for users,e.g. by making it more difficult to enforce users' rights.
In addition, user data is usually processedwithin social networks for market research and advertising purposes. Forexample, user profiles can be created on the basis of user behaviour and theassociated interests of users. The user profiles can then be used, for example,to place advertisements within and outside the networks which are presumed tocorrespond to the interests of the users. For these purposes, cookies areusually stored on the user's computer, in which the user's usage behaviour andinterests are stored. Furthermore, data can be stored in the user profilesindependently of the devices used by the users (especially if the users aremembers of the respective networks or will become members later on).
For a detailed description of therespective processing operations and the opt-out options, please refer to therespective data protection declarations and information provided by theproviders of the respective networks.
Also in the case of requests forinformation and the exercise of rights of data subjects, we point out thatthese can be most effectively pursued with the providers. Only the providershave access to the data of the users and can directly take appropriate measuresand provide information. If you still need help, please do not hesitate tocontact us.
Processed data types: Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.). Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Communication; Feedback (e.g. collecting feedback via online form). Public relations.
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion".
Further information on processingmethods, procedures and services used:
Instagram: Social network, allows the sharing of photos and videos, commenting on and favouriting posts, messaging, subscribing to profiles and pages; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.instagram.com; Privacy Policy:https://privacycenter.instagram.com/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
Facebook Pages: Profiles within the social network Facebook - We are jointly responsible (so called "joint controller") with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page. This data includes information about the types of content users view or interact with, or the actions they take (see "Things that you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/), and information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie information; see "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/). As explained in the Facebook Data Policy under "How we use this information?" Facebook also collects and uses information to provide analytics services, known as "page insights," to site operators to help them understand how people interact with their pages and with content associated with them. We have concluded a special agreement with Facebook ("Information about Page-Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular the security measures that Facebook must observe and in which Facebook has agreed to fulfill the rights of the persons concerned (i.e. users can send information access or deletion requests directly to Facebook). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information about Page Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint controllership is limited to the collection and transfer of the data to Meta Platforms Ireland Limited, a company located in the EU. Further processing of the data is the sole responsibility of Meta Platforms Ireland Limited; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
LinkedIn: Social network - We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors for the purposes of creating „Page-Insights" (statistics) for our LinkedIn profiles. This data includes information about the types of content that users view or interact with, or the actions they take, as well as information about the devices used by the users (e.g., IP addresses, operating system, browser type, language settings, cookie data) and details from the users' profiles, such as job function, country, industry, seniority, company size, and employment status. Privacy information regarding the processing of user data by LinkedIn can be found in LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy We have concluded a special agreement with LinkedIn Irland, the 'Page Insights Joint Controller Addendum (the ‘Addendum’)' (https://legal.linkedin.com/pages-joint-controller-addendum), which specifically regulates the security measures that LinkedIn must observe and wherein LinkedIn has agreed to fulfill the rights of the affected parties (i.e., users can, for example, direct requests for information or deletion directly to LinkedIn). The rights of the users (in particular to access to information, erasure, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection of data by and transmission to Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of Ireland Unlimited Company, particularly regarding the transmission of data to the parent company LinkedIn Corporation in the USA; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.linkedin.com; Privacy Policy:https://www.linkedin.com/legal/privacy-policy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Pinterest: Social network, allows for the sharing of photos, commenting, favouriting and curating of posts, messaging, subscribing to profiles; Service provider: Pinterest Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.pinterest.com. Privacy Policy:https://policy.pinterest.com/en/privacy-policy.
X: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://x.com. Privacy Policy:https://x.com/privacy.
Vimeo: Social network and video platform; Service provider: Vimeo Inc., Attention: Legal Department, 555 West 18th Street New York, New York 10011, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://vimeo.com. Privacy Policy:https://vimeo.com/privacy.
YouTube: Social network and video platform; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Privacy Policy:https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:https://myadcenter.google.com/personalizationoff.
Plugins and embedded functions and content
Within our online services, we integratefunctional and content elements that are obtained from the servers of theirrespective providers (hereinafter referred to as "third-partyproviders"). These may, for example, be graphics, videos or city maps(hereinafter uniformly referred to as "Content").
The integration always presupposes that thethird-party providers of this content process the IP address of the user, sincethey could not send the content to their browser without the IP address. The IPaddress is therefore required for the presentation of these contents orfunctions. We strive to use only those contents, whose respective offerers usethe IP address only for the distribution of the contents. Third parties mayalso use so-called pixel tags (invisible graphics, also known as "webbeacons") for statistical or marketing purposes. The "pixeltags" can be used to evaluate information such as visitor traffic on thepages of this website. The pseudonymous information may also be stored incookies on the user's device and may include technical information about thebrowser and operating system, referring websites, visit times and otherinformation about the use of our website, as well as may be linked to suchinformation from other sources.
Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Location data (Information on the geographical position of a device or person); Event Data (Facebook) ("Event Data" is data that can be transmitted from us to Facebook, e.g. via Facebook pixels (via apps or other means) and relates to persons or their actions; the data includes, for example, information about visits to websites, interactions with content, functions, installations of apps, purchases of products, etc.; Event data is processed for the purpose of creating target groups for content and advertising information (Custom Audiences). Event Data does not include the actual content (such as written comments), login information, and Contact Information (such as names, email addresses, and phone numbers). Event Data is deleted by Facebook after a maximum of two years, the Custom Audiences created from them with the deletion of our Facebook account).
Data subjects: Users (e.g. website visitors, users of online services).
Purposes of processing: Provision of our online services and usability; Provision of contractual services and fulfillment of contractual obligations; Marketing. Profiles with user-related information (Creating user profiles).
Retention and deletion: Deletion in accordance with the information provided in the section "General Information on Data Retention and Deletion". Storage of cookies for up to 2 years (Unless otherwise stated, cookies and similar storage methods may be stored on users' devices for a period of two years.).
Further information on processingmethods, procedures and services used:
Integration of third-party software, scripts or frameworks: We incorporate into our online services software which we retrieve from servers of other providers (e.g. function libraries which we use for the purpose of displaying or user-friendliness of our online services). The respective providers collect the user's IP address and can process it for the purposes of transferring the software to the user's browser as well as for security purposes and for the evaluation and optimisation of their services; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Facebook plugins and contents: Facebook Social Plugins and contents - This can include content such as images, videos or text and buttons with which users can share content from this online service within Facebook. The list and appearance of the Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/ - We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not further processing) of "Event Data" that Facebook collects or receives as part of a transmission using the Facebook Social Plugins that run on our website for the following purposes: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing/update), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:https://www.facebook.com; Privacy Policy:https://www.facebook.com/privacy/policy/. Basis for third-country transfers: Data Privacy Framework (DPF).
Google Fonts (Provision on own server): Provision of font files for the purpose of a user-friendly presentation of our online services; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Google Fonts (from Google Server): Obtaining fonts (and symbols) for the purpose of a technically secure, maintenance-free and efficient use of fonts and symbols with regard to timeliness and loading times, their uniform presentation and consideration of possible restrictions under licensing law. The provider of the fonts is informed of the user's IP address so that the fonts can be made available in the user's browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted which are necessary for the provision of the fonts depending on the devices used and the technical environment. This data may be processed on a server of the provider of the fonts in the USA - When visiting our online services, users' browsers send their browser HTTP requests to the Google Fonts Web API. The Google Fonts Web API provides users with Google Fonts' cascading style sheets (CSS) and then with the fonts specified in the CCS. These HTTP requests include (1) the IP address used by each user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent describing the browser and operating system versions of the website visitors, as well as the referral URL (i.e., the web page where the Google font is to be displayed). IP addresses are not logged or stored on Google servers and they are not analyzed. The Google Fonts Web API logs details of HTTP requests (requested URL, user agent, and referring URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. With the Google Fonts Web API, the user agent must match the font that is generated for the particular browser type. The user agent is logged primarily for debugging purposes and is used to generate aggregate usage statistics that measure the popularity of font families. These aggregate usage statistics are published on Google Fonts' Analytics page. Finally, the referral URL is logged so that the data can be used for production maintenance and to generate an aggregate report on top integrations based on the number of font requests. Google says it does not use any of the information collected by Google Fonts to profile end users or serve targeted ads; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://fonts.google.com/; Privacy Policy:https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Further Information:https://developers.google.com/fonts/faq/privacy?hl=en.
Google Maps: We integrate the maps of the service "Google Maps" from the provider Google. The data processed may include, in particular, IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:https://mapsplatform.google.com/; Privacy Policy:https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Google Maps APIs and SDKs: Interfaces to the map and location services provided by Google, which, for example, allow the addition of address entries, location determinations, distance calculations or the provision of supplementary information on locations and other places; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:https://mapsplatform.google.com/; Privacy Policy:https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Instagram plugins and contents: Instagram plugins and contents - This can include content such as images, videos or text and buttons with which users can share content from this online service within Instagram . - We are jointly responsible (so-called "joint-controllership") with Meta Platforms Ireland Limited for the collection or transmission (but not further processing) of "Event Data" that Facebook collects or receives as part of a transmission using Instagram functions that run on our website for the following purposes: a) displaying content advertising information that matches users' presumed interests; b) delivering commercial and transactional messages (e.g. b) delivering commercial and transactional messages (e.g., addressing users via Facebook Messenger); c) improving ad delivery and personalizing features and content (e.g., improving recognition of which content or advertising information is believed to be of interest to users). We have entered into a special agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum), which specifically addresses the security measures that Facebook must take (https://www.facebook.com/legal/terms/data_security_terms) and in which Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, submit information access or deletion requests directly to Facebook). Note: If Facebook provides us with measurements, analyses and reports (which are aggregated, i.e. do not contain information on individual users and are anonymous to us), then this processing is not carried out within the scope of joint responsibility, but on the basis of a DPA ("Data Processing Terms", https://www.facebook.com/legal/terms/dataprocessing/update), the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms) and, with regard to processing in the USA, on the basis of Standard Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum). The rights of users (in particular to access to information, erasure, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.instagram.com. Privacy Policy:https://privacycenter.instagram.com/policy/.
Pinterest plugins and contents: Pinterest plugins and contents- This can include content such as images, videos or text and buttons with which users can share content from this online service within Pinterest; Service provider: Pinterest Inc., 635 High Street, Palo Alto, CA, 94301, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.pinterest.com. Privacy Policy:https://policy.pinterest.com/en/privacy-policy.
reCAPTCHA: We integrate the "reCAPTCHA" function to be able to recognise whether entries (e.g. in online forms) are made by humans and not by automatically operating machines (so-called "bots"). The data processed may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions asked or selecting objects in images). The data processing is based on our legitimate interest to protect our online services from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, , parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://www.google.com/recaptcha/; Privacy Policy:https://policies.google.com/privacy; Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out: Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en, Settings for the Display of Advertisements: https://myadcenter.google.com/personalizationoff.
X plugins and contents: Plugins and buttons of the platform "X" - This may include, for example, content such as images, videos or texts and buttons with which users can share content of this online offer within X; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:https://x.com; Privacy Policy:https://x.com/privacy, (Settings: https://x.com/personalization); Data Processing Agreement:https://privacy.x.com/en/for-our-partners/global-dpa. Basis for third-country transfers: Standard Contractual Clauses (https://privacy.x.com/en/for-our-partners/global-dpa).
YouTube-Videos: Video content; ouTube videos are integrated via a special domain (recognizable by the component "youtube-nocookie") in the so-called " enhanced data protection mode", whereby no cookies on user activities are collected in order to personalise the video playback. Nevertheless, information on the user's interaction with the video (e.g. remembering the last playback point) may be stored; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, , parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:https://www.youtube.com; Privacy Policy:https://policies.google.com/privacy. Basis for third-country transfers: Data Privacy Framework (DPF).
Processing of data in the context of employmentrelationships
In the context of employment relationships,the processing of personal data aims to effectively manage the establishment,execution, and termination of such relationships. This data processing supportsvarious operational and administrative functions necessary for managingemployee relations.
The data processing covers various aspectsranging from contract initiation to termination. Included are the organizationand management of daily working hours, management of access rights andpermissions, as well as handling personnel development measures and staffappraisals. The processing also serves payroll accounting and management ofwage and salary payments, which represent critical aspects of contractexecution.
Additionally, the data processing considerslegitimate interests of the responsible employer, such as ensuring workplacesafety or capturing performance data for evaluating and optimizing operationalprocesses. Moreover, the data processing includes disclosing employee data inexternal communication and publication processes where necessary foroperational or legal purposes.
The processing of this data always takesplace with due regard for the applicable legal frameworks, aiming always tocreate and maintain a fair and efficient working environment. This alsoincludes considering the privacy of affected employees, anonymizing or deletingdata after fulfilling the processing purpose or according to legal retentionperiods.
Processed data types: Employee Data (Information about employees and other individuals in an employment relationship); Payment Data (e.g. bank details, invoices, payment history); Contract data (e.g. contract object, duration, customer category); Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.); Social data (Data subject to a special social confidentiality obligation and processed, for example, by social insurance institutions, social welfare institutions or pension authorities.); Log data (e.g. log files concerning logins or data retrieval or access times.); Performance and behavioural data (For example, performance and behavioural data aspects such as performance evaluations, feedback from supervisors, training attendance, compliance with company policies, self-assessments, and behavioural assessments.); Working hours data (e.g. start of work time, end of work time, actual working hours, target working hours, break times, overtime, vacation days, special leave days, sick days, absences, home office days, business trips); Salary data (e.g. basic salary, bonus payments, premiums, tax class information, surcharges for night work/overtime, tax deductions, social security contributions, net payout amount); Images and/ or video recordings (e.g. photographs or video recordings of a person); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
Special categories of personal data: Health Data; Religious or philosophical beliefs. Trade union membership.
Data subjects: Employees (e.g. employees, job applicants, temporary workers, and other personnel.).
Purposes of processing: Establishment and execution of employment relationships (Processing of employee data in the context of the establishment and execution of employment relationships); Business processes and management procedures; Provision of contractual services and fulfillment of contractual obligations; Public relations; Security measures. Office and organisational procedures.
Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6 (1) (f) GDPR); Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR). Consent (Article 6 (1) (a) GDPR).
Further information on processingmethods, procedures and services used:
Time Recording: Processes for recording employees' working hours include both manual and automated methods, such as the use of punch clocks, time tracking software, or mobile apps. Activities involved include entering clock-in and clock-out times, break times, overtime, and absences. To verify and validate the recorded working hours, they are compared with deployment or shift schedules, checked for absences, and approved for overtime by supervisors. Reports and analyses are generated based on the recorded working hours to provide work time records, overtime reports, and absence statistics for management and the human resources department; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Authorization Management: Procedures required for the definition, management, and control of access rights and user roles within a system or an organisation (e.g., creation of authorisation profiles, role- and access-based control, review and approval of access requests, regular review of access rights, tracking and auditing of user activities, creation of security policies and procedures); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Special categories of personal data: Special categories of personal data are processed in the context of employment relationships or to fulfil legal obligations. The processed special categories of personal data include information concerning the health, trade union membership, or religious affiliation of employees. This data may be transferred to health insurance companies or processed for assessing the employees' work capacity, for corporate health management, or for declarations to the tax authorities; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Sources of Processed Data: Personal data received during the application process and/or employment relationship will be processed. Furthermore, where required by law, personal data will be collected from other sources. These may include financial authorities for tax-related information, the respective health insurance company for information on work incapacity, third parties such as employment agencies, or publicly accessible sources like professional social networks in the context of application procedures; Legal Basis: Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Purposes of Data Processing: The personal data of employees are primarily processed for the establishment, execution, and termination of the employment relationship. Furthermore, the processing of this data is necessary to fulfil legal obligations in the field of tax and social security law. In addition to these primary purposes, the data of employees are also used to meet regulatory and supervisory requirements, to optimise processes of electronic data processing, and to compile company-internal or cross-company data, possibly including statistical data. Moreover, the data of employees may be processed for the assertion of legal claims and defense in legal disputes; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Transmission of Employee Data to Third Countries: The transfer of employee data to third countries, meaning countries outside the European Union (EU) and the European Economic Area (EEA), occurs only if it is necessary for the fulfilment of the employment relationship, legally required, or if employees have given their consent. Employees will be informed about the details separately, as far as legally required; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
Transmission of Employee Data: The data of employees is processed internally only by those departments that require it to fulfil operational, contractual, and legal obligations. The transfer of data to external recipients only occurs if it is legally required, or if the affected employees have given their consent. Possible scenarios for this can include requests for information from authorities or in the case of asset formation benefits. Furthermore, the controller may transfer personal data to further recipients as far as this is necessary for fulfilling his contractual and legal obligations as an employer. These recipients can include: a) banks b) health insurance companies, pension insurance institutions, providers of old-age provisions and other social insurance carriers c) authorities, courts (e.g., tax authorities, labour courts, further supervisory authorities within the framework of fulfilling reporting and information obligations) d) tax and legal advisors e) third-party debtors in the case of wage and salary garnishments f) other entities to which legally obligatory declarations must be made. In addition, data can be transferred to third parties if this is necessary for communication with business partners, suppliers or other service providers. Examples include details in the sender area of emails or letterheads as well as creating profiles on external platforms; Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Business Travel and Travel Expense Settlement: Procedures required for planning, executing, and accounting for business trips (e.g., booking of travel, organizing accommodations and transportation, managing travel expense advances, submitting and reviewing travel expense reports, controlling and recording incurred costs, compliance with travel policies, handling of the travel expense management); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR).
Payroll and wage accounting: Procedures required for calculating, disbursing, and documenting wages, salaries, and other remuneration for employees (e.g., recording of working hours, calculation of deductions and surcharges, remittance of taxes and social security contributions, preparation of payroll statements, management of wage accounts, reporting to the tax authorities and social security institutions); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR).
Deletion of Employee Data: Employment data will be deleted under German law when it is no longer required for the purpose for which it was collected, unless there is a legal obligation to retain or archive it, or it needs to be kept for the interests of the employer. The following retention and archiving obligations are observed:Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR).
General personnel records - General personnel records (such as employment contracts, references, supplementary agreements) are retained for up to three years after the termination of the employment relationship (§ 195 German Civil Code (BGB)). Tax-relevant documents - Tax-relevant documents in the personnel file are kept for six years (§ 147 Tax Code (AO), § 257 Commercial Code (HGB)). Information on wages and working hours - Information on wages and working hours for (accident) insured with wage proof are kept for five years (§ 165 I 1, IV 2 Social Code Book VII (SGB VII)).
Payrolls including lists for special payments - Payrolls including lists for special payments, if a booking receipt is available, are kept for ten years (§ 147 Tax Code (AO), § 257 Commercial Code (HGB)).
Wage lists for interim, final, and special payments - Wage lists for interim, final, and special payments are kept for six years (§ 147 Tax Code (AO), § 257 Commercial Code (HGB)).
Documents on employee insurance - Documents on employee insurance, if booking receipts are available, are kept for ten years (§ 147 Tax Code (AO), § 257 Commercial Code (HGB)).
Contribution statements to social security institutions - Contribution statements to social security institutions are kept for ten years (§ 165 Social Code Book VII (SGB VII)). Wage accounts - Wage accounts are kept for six years (§ 41 I 9 Income Tax Act (EStG)).
Applicant data - Kept for a maximum of six months from the receipt of rejection.
Working time records (for more than 8 hours on workdays) - Kept for two years (§ 16 II Working Time Act (ArbZG)).
Application documents (following online job advertisement) - Kept for three to a maximum of six months from the receipt of rejection (§ 26 Federal Data Protection Act (BDSG) n.F., § 15 IV General Act on Equal Treatment (AGG)).
Certificates of incapacity for work (AU) - Kept for up to five years (§ 6 I Act on the Compensation of Expenses (AAG)).
Documents on company pension schemes - Kept for 30 years (§ 18a Act to Improve Occupational Pensions (BetrAVG)).
Sickness data of employees - Kept for twelve months from the start of the illness, if the absence in a year does not exceed six weeks.
Documents on maternity protection - Kept for two years (§ 27 para. 5 Maternity Protection Act (MuSchG)).
Deletion of Employee Data: Employee data are deleted under Austrian law when they are no longer necessary for the purpose for which they were collected, unless they must be retained or archived due to legal obligations or the employer's interests. The following retention and archiving obligations are observed: .
Data regarding payroll tax and levy obligations under § 132 Abs 1 Federal Tax Code (BAO) - 7 years. The period begins at the end of the calendar year relevant to the data.
Limitation of the obligation to pay social security contributions under § 68 Social Security Code (ASVG) - 3 or 5 years. The period generally begins on the day the contributions are due, or from the day of reporting if no report was filed.
Retention periods in social insurance - 7 years under the Commercial Code (UGB).
Entitlement to holiday under § 4 Abs 5 Holiday Act (UrlG) - 2 years from the end of the holiday year in which the holiday entitlement arose. The period starts 2 years after the end of the holiday year.
Claims for holiday compensation under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins from the date the final claims are due, i.e., the last working day.
Records and reports on workplace accidents under § 16 Worker Protection Act (ASchG) - at least 5 years. The period begins from the day of the workplace accident.
Records on the provision of temporary workers under § 13 Abs 3 Act on Temporary Agency Work (AÜG) - 5 years. The period begins on the day the last wage claim of the temporary worker is due.
Register of minors under § 26 Abs 2 Youth Employment Act (KJBG) - 2 years. The period begins two years after the last entry in the new register.
Claims for compensation due to discriminatory termination of employment under §§ 15 Abs 1a and 29 Abs 1a Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 3 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the date of receipt of the termination.
Claims of the employer or employee from a premature termination of the employment relationship under § 34 Employees Act (AngG) or § 1162d General Civil Code (ABGB) - 6 months. The period begins from the date the claims are due, typically from the day the termination notice is received.
Entitlement to an employment reference under § 1478 General Civil Code (ABGB) - 30 years. The period begins at the termination of the employment relationship.
Claims for compensation due to discriminatory rejection of an application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the rejection is received, or 7 months from the receipt of the application.
Claims for reimbursement of interview expenses under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins on the day the expenses were incurred.
Liability for severance claims and company pensions after a business transfer under § 6 Abs 2 Company Pension Act (AVRAG) - 5 years. The period begins at the time of the business transfer.
Claims for compensation due to discriminatory rejection of a promotion under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the promotion rejection is received.
Claims for compensation due to discriminatory treatment in remuneration, voluntary social benefits, training and further education measures or other working conditions under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 5 Employment of Disabled Persons Act (BEinstG) - 3 years. The period begins at the point the right could first have been exercised and the objective possibility to sue was given.
Claims for compensation due to discriminatory harassment under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 4 Employment of Disabled Persons Act (BEinstG) - 1 year. The period begins from the time the discrimination was recognized.
Claims for compensation due to discriminatory rejection of an application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the rejection is received, or 7 months from the receipt of the application.
Claims for compensation due to sexual harassment under § 15 Abs 1 Equal Treatment Act (GlBG) - 3 years. The period begins from the time the discrimination was recognized.
Claims for reimbursement of interview expenses under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins on the day the expenses were incurred.
Claims of the employee for wages or reimbursement of expenses as well as of the employer for advances made on these under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins upon the due date of the respective claims.
Limitation of prosecution for underpayment under § 31 Abs 1 Administrative Penal Act (VStG) in conjunction with § 29 Abs 4 Wage and Social Dumping Prevention Act (LSD-BG) - 3 years. The period begins upon the due date of the wages.
Damage claims of the employer against the employee from employee liability for slight negligence under § 6 Employee Liability Act (DHG) - 6 months. The period begins from the day they can be asserted.
Damage claims of the employer against the employee from employee liability for gross negligence or intentional misconduct and other damage claims of the employer under § 1489 General Civil Code (ABGB) - 3 years or 30 years. The period begins with the shorter term from knowledge of damage and perpetrator, and with the longer term from the occurrence of damage.
Personnel file management: Procedures required for the organisation, updating, and management of employee data and records (e.g., recording of basic personnel data, retention of employment contracts, certificates and attestations, updating data upon changes, compilation of documents for employee discussions, archiving of personnel files, compliance with data protection regulations); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR).
Personnel development, performance evaluation, and staff appraisals: Procedures required in the area of employee promotion and development, as well as in assessing their performance and during employee discussions (e.g., needs analysis for further training, planning and implementation of training measures, creation of performance evaluations, conducting goal-setting and feedback discussions, career planning and talent management, succession planning); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational and social security processing of special categories of personal data (Article 9 (2)(h) GDPR).
Obligation to Provide Data: The person in charge informs the employees that the provision of their data is required. This is generally the case when the data are necessary for the establishment and execution of the employment relationship, or when their collection is mandated by law. The provision of data may also be required when employees assert claims or are entitled to claims. The implementation of these measures or fulfilment of services depends on the provision of such data (for example, providing data for the receipt of wages); Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Publication and Disclosure of Employee Data: The data of employees will only be published or disclosed to third parties if it is necessary for the performance of work tasks according to the employment contract. This applies, for example, when employees are named as contact persons in correspondences, on the website, or in public registers following an agreement or specified job description, or if their field of work includes representative functions. Similarly, this may occur if representation or communication with the public takes place as part of performing these tasks, such as image recordings during public relations activities. Otherwise, employee data is published only with their consent or based on the legitimate interests of the employer, for example, in the case of stage or group photographs taken during a public event; Legal Basis: Consent (Article 6 (1) (a) GDPR), Performance of a contract and prior requests (Article 6 (1) (b) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
Changes and Updates
We kindly ask you to inform yourselfregularly about the contents of our data protection declaration. We will adjustthe privacy policy as changes in our data processing practices make thisnecessary. We will inform you as soon as the changes require your cooperation(e.g. consent) or other individual notification.
If we provide addresses and contactinformation of companies and organizations in this privacy policy, we ask youto note that addresses may change over time and to verify the informationbefore contacting us.
Terminology and Definitions
In this section, you will find an overviewof the terminology used in this privacy policy. Where the terminology islegally defined, their legal definitions apply. The following explanations,however, are primarily intended to aid understanding.
A/B Tests: A/B tests are designed to improve the usability and performance of online services. For example, users are presented with different versions of a website or its elements, such as input forms, on which the placement of the contents or labels of the navigation elements can differ. The behaviour of users, e.g. prolonged visits to the site or more frequent interaction with the elements, can then be used to determine which of these sites or elements are more responsive to users' needs.
Clicktracking: Clicktracking allows users to keep track of their movements within an entire website. Since the results of these tests are more accurate if the interaction of the users can be followed over a certain period of time (e.g. if a user likes to return), cookies are usually stored on the computers of the users for these test purposes.
Contact data: Contact details are essential information that enables communication with individuals or organizations. They include, among others, phone numbers, postal addresses, and email addresses, as well as means of communication like social media handles and instant messaging identifiers.
Content Delivery Network (CDN): A "Content Delivery Network" (CDN) is a service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet.
Content data: Content data comprise information generated in the process of creating, editing, and publishing content of all types. This category of data may include texts, images, videos, audio files, and other multimedia content published across various platforms and media. Content data are not limited to the content itself but also include metadata providing information about the content, such as tags, descriptions, authorship details, and publication dates.
Contract data: Contract data are specific details pertaining to the formalisation of an agreement between two or more parties. They document the terms under which services or products are provided, exchanged, or sold. This category of data is essential for managing and fulfilling contractual obligations and includes both the identification of the contracting parties and the specific terms and conditions of the agreement. Contract data may encompass the start and end dates of the contract, the nature of the agreed-upon services or products, pricing arrangements, payment terms, termination rights, extension options, and special conditions or clauses. They serve as the legal foundation for the relationship between the parties and are crucial for clarifying rights and duties, enforcing claims, and resolving disputes.
Controller: "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Employees: As employees, individuals are those who are engaged in an employment relationship, whether as staff, employees, or in similar positions. Employment refers to a legal relationship between an employer and an employee, established through an employment contract or agreement. It entails the obligation of the employer to pay the employee remuneration while the employee performs their work. The employment relationship encompasses various stages, including establishment, where the employment contract is concluded, execution, where the employee carries out their work activities, and termination, when the employment relationship ends, whether through termination, mutual agreement, or otherwise. Employee data encompasses all information pertaining to these individuals within the context of their employment. This includes aspects such as personal identification details, identification numbers, salary and banking information, working hours, holiday entitlements, health data, and performance assessments.
Heatmaps: "Heatmaps" are mouse movements of the users, which are combined to an overall picture, with the help of which it can be recognized, for example, which web page elements are preferred and which web page elements users prefer less.
Inventory data: Inventory data encompass essential information required for the identification and management of contractual partners, user accounts, profiles, and similar assignments. These data may include, among others, personal and demographic details such as names, contact information (addresses, phone numbers, email addresses), birth dates, and specific identifiers (user IDs). Inventory data form the foundation for any formal interaction between individuals and services, facilities, or systems, by enabling unique assignment and communication.
Location data: Location data is created when a mobile device (or another device with the technical requirements for a location determination) connects to a radio cell, a WLAN or similar technical means and functions of location determination. Location data serve to indicate the geographically determinable position of the earth at which the respective device is located. Location data can be used, for example, to display map functions or other information dependent on a location.
Log data: Protocol data, or log data, refer to information regarding events or activities that have been logged within a system or network. These data typically include details such as timestamps, IP addresses, user actions, error messages, and other specifics about the usage or operation of a system. Protocol data is often used for analyzing system issues, monitoring security, or generating performance reports.
Meta, communication and process data: Meta-, communication, and procedural data are categories that contain information about how data is processed, transmitted, and managed. Meta-data, also known as data about data, include information that describes the context, origin, and structure of other data. They can include details about file size, creation date, the author of a document, and modification histories. Communication data capture the exchange of information between users across various channels, such as email traffic, call logs, messages in social networks, and chat histories, including the involved parties, timestamps, and transmission paths. Procedural data describe the processes and operations within systems or organisations, including workflow documentations, logs of transactions and activities, and audit logs used for tracking and verifying procedures.
Payment Data: Payment data comprise all information necessary for processing payment transactions between buyers and sellers. This data is crucial for e-commerce, online banking, and any other form of financial transaction. It includes details such as credit card numbers, bank account information, payment amounts, transaction dates, verification numbers, and billing information. Payment data may also contain information on payment status, chargebacks, authorizations, and fees.
Performance and behavioural data: Performance and behavioral data refer to information related to how individuals perform tasks or behave within a certain context, such as in an educational, work, or social setting. This data may include metrics such as productivity, efficiency, quality of work, attendance, and adherence to policies or procedures. Behavioral data could encompass interactions with colleagues, communication styles, decision-making processes, and responses to various situations. These types of data are often used for performance evaluations, training and development purposes, and decision-making within organizations.
Personal Data: "personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing: The term "processing" covers a wide range and practically every handling of data, be it collection, evaluation, storage, transmission or erasure.
Profiles with user-related information: The processing of "profiles with user-related information", or "profiles" for short, includes any kind of automated processing of personal data that consists of using these personal data to analyse, evaluate or predict certain personal aspects relating to a natural person (depending on the type of profiling, this may include different information concerning demographics, behaviour and interests, such as interaction with websites and their content, etc.) (e.g. interests in certain content or products, click behaviour on a website or location). Cookies and web beacons are often used for profiling purposes.
Targeting: "Tracking" is the term used when the behaviour of users can be traced across several websites. As a rule, behavior and interest information with regard to the websites used is stored in cookies or on the servers of the tracking technology providers (so-called profiling). This information can then be used, for example, to display advertisements to users presumably corresponding to their interests.
Usage data: Usage data refer to information that captures how users interact with digital products, services, or platforms. These data encompass a wide range of information that demonstrates how users utilise applications, which features they prefer, how long they spend on specific pages, and through what paths they navigate an application. Usage data can also include the frequency of use, timestamps of activities, IP addresses, device information, and location data. They are particularly valuable for analysing user behaviour, optimising user experiences, personalising content, and improving products or services. Furthermore, usage data play a crucial role in identifying trends, preferences, and potential problem areas within digital offerings
Web Analytics: Web Analytics serves the evaluation of visitor traffic of online services and can determine their behavior or interests in certain information, such as content of websites. With the help of web analytics, website owners, for example, can recognize at what time visitors visit their website and what content they are interested in. This enables them, for example, to better adapt the content of their websites to the needs of their visitors. For the purposes of web analytics , pseudonymous cookies and web beacons are often used to recognize returning visitors and thus obtain more precise analyses of the use of an online service.