Privacy Policy

Types of Data Processed

– Inventory data (e.g. names, addresses).
– Contact data (e.g. email addresses, telephone numbers).
– Content data (e.g. text entries, photographs, videos).
– Usage data (e.g. websites visited, interest in content, access times).
– Metadata and communication data (e.g. device information, IP addresses).

Purposes of Processing

– Provision of the online offering, its functions and content.
– Responding to enquiries and communicating with users.
– Security measures.
– Audience measurement and marketing.

Terminology

“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”). A natural person is considered identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Legal Basis for Processing

In accordance with Article 13 GDPR, we inform you of the legal bases for our processing of data. Unless otherwise stated in this Privacy Policy, the following applies:

The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.

The legal basis for processing data in order to perform our services, fulfil contractual obligations and respond to enquiries is Article 6(1)(b) GDPR.

The legal basis for processing data in order to comply with legal obligations is Article 6(1)(c) GDPR.

The legal basis for processing data to safeguard our legitimate interests is Article 6(1)(f) GDPR.

Where processing is necessary in order to protect the vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.

Security Measures

We ask you to review the contents of this Privacy Policy regularly. We will amend this Privacy Policy whenever changes to our data processing activities make this necessary. We will inform you whenever the amendments require your cooperation (e.g. consent) or any other individual notification.

Cooperation with Processors and Third Parties

Where, in the course of our processing activities, we disclose data to other persons or companies (processors or third parties), transfer data to them or otherwise grant them access to the data, this shall only take place where permitted by law (e.g. where the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Article 6(1)(b) GDPR), where you have given your consent, where a legal obligation requires such disclosure, or on the basis of our legitimate interests (e.g. when using agents, web hosting providers, etc.).

Where we commission third parties to process data on the basis of a data processing agreement, this is carried out in accordance with Article 28 GDPR.

Transfers to Third Countries

Where we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or where this occurs in the context of using third-party services or disclosing or transferring data to third parties, this will only take place where it is necessary to fulfil our (pre-)contractual obligations, on the basis of your consent, pursuant to a legal obligation, or on the basis of our legitimate interests.

Subject to statutory or contractual authorisation, we process or arrange for data to be processed in a third country only where the special requirements set out in Articles 44 et seq. GDPR are met. This means that processing takes place, for example, on the basis of specific safeguards, such as an officially recognised determination of a level of data protection equivalent to that of the EU (e.g. for the United States through the Privacy Shield) or compliance with officially recognised contractual obligations (known as “Standard Contractual Clauses”).

Rights of Data Subjects

You have the right to request confirmation as to whether personal data concerning you is being processed and, where that is the case, to obtain access to that data and further information, together with a copy of the data, in accordance with Article 15 GDPR.

In accordance with Article 16 GDPR, you have the right to request the completion of incomplete personal data concerning you or the rectification of inaccurate personal data concerning you.

In accordance with Article 17 GDPR, you have the right to request the immediate erasure of personal data concerning you or, alternatively, to request the restriction of processing of your personal data in accordance with Article 18 GDPR.

You have the right to receive the personal data concerning you that you have provided to us in accordance with Article 20 GDPR and to request its transmission to another controller.

You also have the right to lodge a complaint with the competent supervisory authority pursuant to Article 77 GDPR.

Right to Withdraw Consent

You have the right to withdraw any consent you have given at any time with future effect in accordance with Article 7(3) GDPR.

Right to Object

You may object at any time to the future processing of your personal data in accordance with Article 21 GDPR. In particular, you may object to processing for direct marketing purposes.

Cookies and Right to Object to Direct Marketing

The term “cookies” refers to small files that are stored on users’ devices. Cookies may contain various types of information. Their primary purpose is to store information about a user (or the device on which the cookie is stored) during or after their visit to an online service.

Temporary cookies, also known as “session cookies” or “transient cookies”, are deleted once the user leaves the online service and closes their browser. Such cookies may, for example, store the contents of a shopping basket in an online shop or a login status.

“Permanent” or “persistent” cookies remain stored even after the browser has been closed. For example, the login status may be retained if users revisit the website after several days. Likewise, such cookies may store users’ interests for audience measurement or marketing purposes.

“Third-party cookies” are cookies provided by parties other than the controller operating the online service. If only the controller’s own cookies are used, these are referred to as “first-party cookies”.

If users do not wish cookies to be stored on their device, they are asked to disable the relevant option in their browser settings. Stored cookies can be deleted via the browser settings. Please note that disabling cookies may result in certain functions of this online offering no longer being available.

A general objection to the use of cookies employed for online marketing purposes can be declared for a range of services, particularly in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. In addition, the storage of cookies can be prevented by disabling them in your browser settings. Please note that if you do so, not all functions of this online offering may be available.

Erasure of Data

The data processed by us will be erased or its processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise in this Privacy Policy, the data stored by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent its deletion. Where data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for any other purpose. This applies, for example, to data that must be retained for commercial or tax law reasons.

In accordance with German statutory requirements, retention periods are, in particular, 10 years pursuant to Sections 147(1) AO and 257(1) Nos. 1 and 4, (4) HGB (books, records, management reports, accounting documents, commercial books and records, documents relevant for taxation, etc.) and 6 years pursuant to Section 257(1) Nos. 2 and 3, (4) HGB (commercial correspondence).

In accordance with Austrian statutory requirements, retention periods are, in particular, 7 years pursuant to Section 132(1) BAO (accounting records, receipts/invoices, accounts, vouchers, business documents, statements of income and expenditure, etc.), 22 years in connection with real estate, and 10 years for records relating to electronically supplied services, telecommunications, broadcasting and television services provided to non-taxable persons in EU Member States for which the Mini One Stop Shop (MOSS) scheme is used.

Hosting

The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space, database services, security services and technical maintenance services required for the operation of this online offering.

In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data and metadata/communication data of customers, prospective customers and visitors to this online offering on the basis of our legitimate interests in the efficient and secure provision of this online offering pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).

Collection of Access Data and Log Files

We, or our hosting provider, collect data about every access to the server on which this service is hosted on the basis of our legitimate interests within the meaning of Article 6(1)(f) GDPR (so-called server log files). The access data includes the name of the website accessed, the file, the date and time of access, the volume of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.

For security reasons (e.g. to investigate misuse or fraud), log file information is stored for a maximum of seven days and then deleted. Data whose further retention is required for evidential purposes is exempt from deletion until the respective incident has been conclusively resolved.

Administration, Accounting, Office Organisation and Contact Management

We process data in the context of administrative tasks, the organisation of our business operations, financial accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in connection with the provision of our contractual services. The legal bases for processing are Article 6(1)(c) GDPR and Article 6(1)(f) GDPR. The processing affects customers, prospective customers, business partners and website visitors. The purpose of, and our legitimate interest in, the processing lies in administration, financial accounting, office organisation, archiving of data and tasks that serve to maintain our business operations, fulfil our responsibilities and provide our services. The deletion of data relating to contractual services and contractual communication corresponds to the information provided for those processing activities.

In this context, we disclose or transfer data to tax authorities, advisers such as tax consultants or auditors, as well as other fee collection bodies and payment service providers.

Furthermore, on the basis of our legitimate business interests, we store information relating to suppliers, event organisers and other business partners, for example for the purpose of future contact. This predominantly business-related data is generally stored on a permanent basis.

Contact

When you contact us (e.g. via contact form, email, telephone or social media), the information provided by the user is processed for the purpose of handling the enquiry and its processing in accordance with Article 6(1)(b) GDPR. User information may be stored in a Customer Relationship Management (CRM) system or a comparable enquiry management system.

We delete enquiries once they are no longer required. We review the necessity of retaining such enquiries every two years. Statutory retention obligations also apply.