Am Bergacker 11
84184 Tiefenbach, Germany
What information do we process?
– User-related data (e.g. names, addresses).
– Contact details (e.g. email addresses, telephone numbers).
– Content data (e.g. text input, photographs, videos).
– Usage data (e.g. pages visited, time spent on sites, interest in contents).
– Metadata/browser and communication data (e.g. device information, IP addresses).
Whose data do we process?
Data of visitors and users of our sites (hereinafter collectively referred to as ‘Users’).
Why do we process data?
– To make our sites available, including its functions and contents.
– To respond to contact requests and to communicate with Users.
– For security reasons.
– To measure reach/marketing
‘Personal data’ is any information relating to an identified or identifiable natural person (hereinafter referred to as ‘data subject’); an identifiable natural person is one that can be identified, directly or indirectly, in particular by reference to an identifier, such as name, an identification number, location data, an online identifier (such as a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
‘Processing’ is any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means. The term has a broad meaning and covers practically all use of data.
‘Pseudonymization’ refers to the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such information is kept separately and is subject to technical and organizational safeguards to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ refers to a form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
‘Controller’ is the natural or legal person, public authority, agency or other body, which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable lawful bases
the lawful basis for obtaining consent is Art. 6 (1)(a) and Art. 7 GDPR;
the lawful basis for the processing of data necessary for the performance of a contract or in order to respond to requests is Art. 6 (1)(b) GDPR;
the lawful basis for the processing of data necessary for compliance with legal obligations is Art. 6 (1)(c) GDPR;
the lawful basis for the processing of data necessary to protect our legitimate interests is Art. 6 (1)(f) GDPR.
the lawful basis for the processing of data necessary to protect the vital interests of the data subject or of another natural person is Art. 6 (1) (d) GDPR.
We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
Such measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to such data, as well as their access, input, transmission, availability and separation. We have also set up procedures to ensure the exercise of data subject rights, deletion of data and response to data risks. Furthermore, the protection of personal data is something we take into consideration early on in the development and selection of hardware, software and procedures, all of which are carried out according to the principle of data protection through technology design and data protection-friendly default settings (Art. 25, GDPR).
Collaboration with processors and third parties
In the event that we, in the context of our processing, disclose data to other persons and companies (contracted processors and/or other third parties), transmit data to them or otherwise grant them access to data, we shall do this only on the basis of a legal permission (for example, when the transmission of data to third parties, such as payment service providers, is necessary for the performance of a contract as laid down in Art. 6 (1)(b) GDPR); if you have given your consent; in order to comply with a legal obligation, or to protect our legitimate interests (for example, when collaborating with contractors, agents, web hosts, etc.)
Should we contract third parties to process data, this collaboration shall be based on a so-called processing contract, and in accordance with the provisions of Art. 28 GDPR.
Transfers of data to third countries
Should we process data in a third country (outside the European Union (EU) or the European economic Area (EEA)), or when processing in third countries occurs in the context of our use of third-party services, or in the event of disclosure or transmission of data to third parties, this shall take place only if necessary to perform our (pre)contractual obligations, if you have provided your consent, to comply with a legal obligation, or to protect our legitimate interests.
Subject to legal or contractual permissions, we process data or have data processed in a third country only if the special conditions laid down in Art. 44 ff. GDPR are complied with. This means that data shall be processed only if specific safeguards, which have been officially determined to provide an adequate level of data protection as required by the EU (the ‘Privacy Shield’ in the USA, for example) are in place, or if these safeguards comply with special contractual obligations that have been officially recognized (the EU Commission’s ‘standard contractual clauses’).
Rights of the data subject
As laid down in Art. 15 GDPR, you have the right to request confirmation as to whether data concerning you are being processed, and, to obtain information regarding this data as well as additional information and a copy of the personal data undergoing processing.
As laid down in Art. 16 GDPR you have the right to have incomplete personal data completed or demand that inaccurate personal data that concerns you is rectified.
As laid down in Art. 17 GDPR, you have the right to demand the erasure of personal data that concerns you without undue delay, or, alternatively to demand a restriction of processing of your personal data pursuant to Art. 18 GDPR.
As laid down in Art. 20 GDPR, you have the right to obtain the personal data you made available to us and demand that the data be transmitted to another controller.
As laid down in Art. 77 GDPR, you have the right to lodge a complaint with a competent supervisory authority.
Right to withdraw consent
Art. 7 (3) GDPR gives you the you the right to withdraw your consent at any time with future effect.
Right to object
Art. 21 GDPR gives you the right to object to the future processing of any personal data that concerns you at any time. In particular, you may object to the processing of your personal data for direct marketing purposes.
Cookies and the right to opt out from online advertising and tracking
Cookies are small files that are stored on a User’s computer. Cookies can hold a variety of data. Cookies are primarily used as a way of storing information about a User (or, information on the device on which the cookies are stored) during or even after a User visits a website. Session cookies (also called transient cookies) are temporary cookies that are deleted once the User leaves the website and closes his or her browser. This kind of cookie is used, for example, to store the contents of a shopping cart in an online shop or a User’s login status. A permanent or persistent cookie is one that is stored on a User’s hard drive even after the browser has been closed. This kind of cookie, for example, stores a User’s login status allowing him or her to access the site several days later without having to log in again. Such a cookie can also store a User’s interests, which are used for marketing purposes and to track performance. A third-party cookie is a cookie that is set by a website with a domain name other than the one the User is visiting (cookies set by the website the User is visiting are referred to as first-party cookies).
If a User does not want their browser to accept cookies and use them in the ways described above it is possible for them to change their browser privacy settings. It is also possible to delete existing cookies from the browser. However, blocking all cookies will affect the User’s web experience and may result in some parts of this site not functioning properly.
Erasure of data
The legal retention period in Germany makes it necessary to store certain data (bookkeeping records, minutes, financial reports, accounting vouchers, account books, tax-relevant documents, etc.) for 10 years (pursuant to section 147 (1) German Fiscal Code and section 257 (1) nos. 1 and 4 and (4) German Commercial Code); the retention period for commercial correspondence is 6 years (pursuant to section 257 (1) nos. 2 and 3, and (4) German Commercial Code).
In Austria the legal retention period is 7 years for documents such as accounting documents, receipts, invoices, accounts, accounting vouchers, business documents, profit and loss statements; 22 years for documentation related to real estate; and 10 years for documents related to electronically supplied services, telecommunication services, as well as radio and television broadcasting services provided to consumers (non-taxable persons) within the EU for which the Mini-One-Stop-Shop (MOSS-Scheme) is used (according to section 132 (1) BAO/Federal Fiscal System).
We process the data of our contractual partners and interested parties as well as the data of other contracting entities, customers, clients and contracting parties (collectively referred to as ‘contractual partners’) pursuant to Art. 6 (1)(b) GDPR, to comply with our pre-contractual and contractual obligations. The data processed, the nature, the extent and purpose, as well as the necessity of processing are determined by the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g. names and addresses), contact information (e.g. email addresses and telephone numbers) as well as contractual data (e.g. services received, contract details, contract-related communication, names of contacts) and payment information (e.g. bank details, payment history).
In general, we do not process special categories of personal data, unless processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
We process data as required to perform and fulfil contractual obligations and we point out the need for the required data to be communicated to us should this not be evident to our contractual partners. We only disclose data to third parties or companies to the extent necessary within the context of a contract. When processing data communicated to us within the scope of an order, we act in accordance with the instructions of the client as well as the legal requirements.
When a User visits our sites, we may store their IP address and the time and date of their visit. This data is stored on the basis of our legitimate interests, as well as for the User’s protection against misuse and any other unauthorized use. This data shall not be made available to third parties unless such an action is necessary to pursue our claims as laid down in Art. 6 (1)(f) GDPR, or to comply with a legal obligation to which we are subject pursuant to Art. 6 (1)(c) GDPR.
The data will be deleted as soon as it is no longer required for the performance and fulfilment of contractual and legal duties of care or for the processing of potential guarantee obligations or comparable obligations, whereby the need to store the data will be reviewed every three years; in addition, legal retention requirements shall also apply.
Social media presence
We maintain an online presence on social media and platforms to be able to interact and communicate with active customers, interested parties and Users, and inform them of our services.
When accessing these networks and platforms, the terms and conditions and the data processing guidelines of the respective operators apply.
GOOGLE WEB FONTS
For uniform representation of fonts, this page uses web fonts provided by Google. When you open a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly.
In the event of breaches of data protection law, the data subject has the right to appeal to the competent supervisory authority. The competent supervisory authority for data protection issues is the federal state commissioner for data protection of the federal state in which our company is headquartered. The following link provides a list of federal state commissioners for data protection as well as their contact details:
Data Controller as defined by the Data Protection Act:
Am Bergacker 11