Person responsible CEO: Harald Grabner
A RESULT DRIVEN DIGITAL MARKETING AGENCY.
1220 Vienna – Austria
Tel: +43 1 253 00 25 235
Types of data processed:
- User data (e.g. customer master data, names, addresses).
- Contact details (e.g. e-mail addresses, telephone numbers).
- Content data (e.g. text input, photographs, videos).
- Contractual data (e.g. subject matter of the contract, duration, category of customer).
- Payment data (e.g. bank account details, transactions history).
- Usage data (e.g. websites visited, content of interest, time of access).
- Meta- and communication data (e.g. device information, IP addresses).
Categories of persons concerned
- Customers/interested parties/business partners.
- Visitors and users of the online offer.
(hereinafter the persons concerned are collectively referred to as “users”).
Purpose of data processing
- providing the online offer, its features and content;
- providing contractually agreed services and customer care;
- replying to contact requests and communicating with users;
- security measures;
- marketing, advertising and market research.
Last update: July 2018
- Terms used
- “Personal data” refers to any information relating to an identified or identifiable natural person (hereinafter the “concerned person”). A natural person is considered as identifiable, which can be identified directly or indirectly, in particular by means of correlation with an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or one or more special features expressing the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
- “Processing” refers to any process performed with or without the aid of automated procedures or any such process related to personal data. The term is broad and includes virtually any sort of data handling.
- “Pseudonymisation” refers to the processing of personal data so that the latter can no longer be correlated to a specific person without additional information being provided. This applies provided that such additional information is stored separately and is subject to technical and organisational measures to ensure that the personal data are not connected to an identified or identifiable natural person.
- “Profiling” refers to any kind of automated processing of personal data involving the use of such personal data to evaluate given personal aspects relating to a natural person for the purpose of analysis and prediction. In particular, these include aspects relating to work productivity, economic status, health, personal preferences, interests, reliability, behaviour, usual place of residence or change of location of that natural person.
- “Responsible party” refers to the natural or legal person, public authority, institution or other body that decides, alone or in concert with others, on the purposes and means of personal data processing.
- “Processor” refers to a natural or legal person, public authority, institution or other body that processes personal data on behalf of the responsible person.
- Relevant legislative basis
In accordance with Art. 13 GDPR, we inform you about the legislative basis of our data processing. For users within the domain of the General Data Protection Regulation (GDPR), i.e. in the EU and the EEC, the following applies: unless the legislative basis in the data protection declaration is mentioned, the following applies: the legal basis for obtaining consent is Article 6 paragraph 1 lit. a and Art. 7 GDPR, the legal basis for the processing for the purpose of performance of our services and the execution of contractual measures as well as the response to inquiries is Art. 6 paragraph 1 lit. b GDPR, the legal basis for processing in order to fulfil our legal obligations is Art. 6 paragraph 1 lit. c GDPR, and the legal basis for processing in order to safeguard our legitimate interests is Article 6 paragraph 1 lit. f GDPR. Should the processing of personal data be required due to vital interests of the person concerned or another natural person, Art. 6 paragraph 1 lit. d GDPR will be regarded as legal basis.
Furthermore, the provisions of the Austrian Data Protection Act 2018 and the competition regulations for commercial communications in the Austrian Telecommunications Act (in particular in § 107) apply.
- Security measures
- With the purpose of ensuring a suitable level of protection from risks, we will take appropriate technical and organisational measures in accordance with legal requirements, considering the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing as well as the different likelihood and severity of the risks for the rights and freedoms of individuals.
- In particular, measures include ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as their access, input, disclosure, availability and separation. For these reasons, we have set up procedures to ensure the protection of the rights concerned, data deletion and reaction to data vulnerability. Furthermore, we consider the protection of personal data already in the development and/or selection of hardware, software and procedures, according to the principle of data protection through technology design and privacy-friendly default settings.
- Cooperation with other processors, responsible parties and third parties
- In the course of our processing, we may disclose data to other persons and companies (other processors, responsible parties or third parties), transmit data to them or otherwise grant them access to them. This shall take place exclusively on the basis of legal permission (e.g. if a transmission of the data to third parties, as to payment service providers, is required in order to fulfil the contract). Consent to a legal obligation shall be granted by users on the basis of our legitimate interests (e.g. in case of use of agents, hosting providers, etc.).
- If we disclose, transmit or otherwise grant access to data to other companies in our group, this is done in particular for administrative purposes as a legitimate interest and based on a legal basis.
- Transfers to third countries
- Provided that we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA) or the Swiss Confederation) or, due to the use of third party services, we disclose or transfer data to another person or company, this shall be done only if needed in order to fulfil our (pre-) contractual obligations, on the basis of your consent, because of a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of statutory conditions. This means that the processing occurs e.g. on the basis of specific guarantees, such as the officially recognised level of data protection of the EU (e.g. for the USA through the “privacy shield”) or in compliance with officially recognised special contractual obligations.
- Rights of the persons concerned
- In accordance with legal specifications, you have the right to request a confirmation as to whether personal data concerning you are being processed as well as the right to information about these data and to further information and a copy of it.
- In accordance with the legal specifications, you have the right to demand the completion or the correction of incorrect data concerning you.In accordance with the legal specifications, you have the right to demand that the data in question be deleted immediately, or – alternatively – in accordance with the legal specifications, to demand to restrict the processing of the data.
- In accordance with the legal specifications, you have the right to request the data concerning you, which you have provided to us, and to request their transmission to other responsible parties.
- In accordance with the legal specifications, you have the right to file a complaint with the competent supervisory authority.
- Right of withdrawal
You have the right to withdraw your consent to process your data with effect for the future.
- Right of objection
In accordance with the legal specifications, you can object to future processing of your data at any time. The objection may in particular be made against processing for direct marketing purposes.
- Cookies and right of objection for direct marketing
- If users do not want cookies to be saved on their computer, they can avoid this by disabling the relevant option in the settings of their browser. Already existing cookies can be deleted in the settings of the browser. If you do not accept cookies, you may not be able to access all the functions of the online offer.
- Data deletion
- Insofar as the data are not deleted because required for other legitimate purposes, their processing will be restricted. This means that the data are blocked and not processed for other purposes. This applies, for example, for data that must be stored for commercial or tax reasons.
- Agency services
- We process the data of our contractual partners and prospective customers (uniformly referred to as “contractual partners”) in the context of our contractual services. Such services include: conceptual and strategic consulting, campaign planning, software and design development/consulting or maintenance, implementation of campaigns and processes/handling, server administration, data analysis/consulting services and training services.
- The data processed, the nature, scope and purpose as well as the necessity to process them are determined by the underlying contractual relationship.
- The processed data include the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contract data (e.g. services requested, contract content, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).
- In principle, we do not process special categories of personal data, unless they are part of processing requested or contractually agreed.
- We process data required in order to establish and perform the contractual services and point to the necessity of their indication, provided that this is not evident for the contractual partners. Disclosure to external persons or companies will only occur if required by a contract. When processing the data provided to us within the framework of an order, we act in accordance with the instructions of the customer as well as the legal requirements.
- As part of the use of our online services, we can save the IP address and the time of action of each user. The storage is based on our legitimate interests, as well as the interests of the user in the protection against misuse and other unauthorised use. A transfer of these data to third parties does not occur, unless it is necessary to exercise our rights or there is a legal obligation to do so.
- The data will be deleted if they are no longer required for the fulfilment of contractual or statutory duties of care as well as for the handling of any warranty and comparable obligations, whereby the necessity of keeping the data is reviewed every three years; otherwise the statutory storage obligations apply.
- Administration, accounting, office organisation, management of contacts
- We process data in the context of administrative tasks as well as for the organisation of our business, accounting and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process for the execution of our contractual services. The processing affects customers, potential customers, business partners and website visitors. The purpose and our legitimate interest in processing lies in administration, accounting, office organisation, data archiving, i.e. tasks that serve to maintain our business, perform our duties and provide our services. The deletion of the data in view of contractual performance and contractual communication corresponds to the information provided in these processing activities.
- We disclose or transmit data to the financial administration, consultants, such as tax consultants or auditors, and other tax authorities and payment service providers.
- Furthermore, based on our economic interests, we store information about suppliers, event organisers and other business partners, e.g. for later contact. We generally store this majority of company-related data permanently.
- Economic analyses and market research
- In order to operate our business economically, to recognise market trends as well as wishes of the contractors and users, we analyse the data available to us for business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, metadata based on our legitimate interests, whereby the persons concerned include contractual partners, potential customers, customers, visitors and users of our online offer as well as our trade fairs and events.
- In this context, we can take into consideration the profiles of registered users and the related specifications, e.g. the services they may be interested in. The analyses serve the purpose of improving the user-friendliness, the optimisation of our offer, our events and the business economics. The analyses are for us alone and will not be disclosed externally, unless they are anonymous analyses reporting aggregated values.
- If these analyses or profiles are personal, they will be deleted or anonymised when the user terminates the contract, otherwise after three years from the conclusion of the contract. Incidentally, the overall business analyses and general determinations of trends are created anonymously if possible.
- Establishment of contact
- When contacting us (e.g. via contact form, e-mail, telephone or social media) the information of the user is processed for the purpose of fulfilling the demands of the contact request and its development in the context of contractual/pre-contractual relationships in the case of customers or, in the case of non-customers, based on our legitimate interests, for the purpose of responding to inquiries. The information of the users can be stored in a Customer Relationship Management System (“CRM system”) or similar software.
- The following data are provided by the user when the contact form is filled in: first name, last name, e-mail address and the specific request.
- We delete the requests as long as they are no longer required and the legal archiving requirements do not require storage. We review the requests needed every two years.
- We process the applicant data only for the purpose and in the context of the application process and in accordance with the legal requirements. The processing of the applicant data occurs in order to fulfil our (pre-) contractual obligations in the context of the application process within the meaning of Art. 6 paragraph 1 lit. b. GDPR and Art. 6 paragraph 1 lit. f. GDPR if the data processing is required, e.g. in legal procedures.
- The application process requires applicants to provide us with the applicant data. The applicant data required are marked in the online form, provided that we offer one, otherwise, these result from the job descriptions and usually include personal details, postal and contact addresses and the relevant application documents, such as cover letter, CV and certificates. In addition, applicants can voluntarily provide us with additional information.
- Insofar as, within the framework of the application procedure, special categories of personal data within the meaning of Art. 9 paragraph 1 GDPR are voluntarily provided, these are additionally processed in accordance with Art. 9 paragraph 2 lit. b GDPR (e.g. health information such as disability or ethnic origin). Insofar as, in the context of the application procedure, special categories of personal data within the meaning of Art. 9 paragraph 1 GDPR are requested from applicants, these are additionally processed in accordance with Art. 9 paragraph 2 lit. a GDPR (e.g. health data, if these are a requirement for the profession).
- If provided, applicants can submit their applications to us via an online form on our website. The data will be encrypted and transmitted to us in accordance with the state of the art.
Furthermore, applicants can send us their applications via e-mail. However, please note that e-mails are generally not sent in encrypted form and that encryption shall be executed by the applicant. We can therefore take no responsibility for the transmission process of the application occurring between the moment of sending and the reception on our server; therefore, we recommend rather to use an online form or the postal delivery. Instead of applying via the online form and e-mail, applicants still have the opportunity to send us the application by post.
- In the event of a successful application, the data provided by the applicants may be further processed by us for employment purposes. Otherwise, if the application for a position is not successful, the applicants’ data will be deleted. Applicants’ data will also be deleted if an application is withdrawn. Applicants are entitled to withdraw their application at any time.
- Subject to a legitimate withdrawal of the candidate, the deletion occurs after the expiration of a period of six months, so that we can answer any follow-up questions to the application and meet our obligations under the Equal Treatment Act (Gleichbehandlungsgesetz). Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.
- Applicant pool
- During the application process, we offer the opportunity to applicants to be part of our “applicant pool” for a period of two years. For this purpose, applicants need to give their consent in accordance with Art. 6 paragraph 1 lit. a and Art. 7 GDPR.
- Application documents in the applicant pool will only be processed within the scope of future job openings and the search of employees. In addition, these documents will be deleted at expiration of the two years deadline at the latest. Applicants will be instructed that the consent for inclusion in the applicant pool is on a voluntary basis and does not affect the current application process. In addition, applicants can declare the withdrawal as objection to their consent at any time in accordance with Art. 21 GDPR.
- With the following indications, we inform you on the content of our newsletter as well as the registration, distribution and evaluation processes related to it and your rights of cancellation. By subscribing to our newsletter, you give your consent to receive the newsletter and the related process described.
- We send newsletters, e-mails and other electronic messages with marketing content (hereinafter “newsletter”) only with the consent or other legal permission of the recipient. Awareness of the content of newsletters is essential for the user in order to provide his/her consent, provided that the content is concretely outlined during the subscription process. Incidentally, our newsletters contain information about our services and our company.
- The registration to our newsletter is based on a double opt-in procedure. I.e. immediately after registration, you will receive an e-mail requesting you to confirm your registration separately. This confirmation is necessary so that nobody can register with external e-mail addresses. The registration for the newsletter will be recorded in order to be able to prove the registration process according to the legal requirements. This implies that, in the course of the registration process, the login, registration and confirmation times as well as the IP address of the user are saved. Likewise, changes to your data stored with the delivery service provider will be recorded.
- In order to subscribe to the newsletter, it is enough to enter your e-mail address. Optionally, you may enter your name. This allows us to personally address the newsletter to you.
- The transmission of our newsletter and the related performance measurement occur on the basis of a consent from the recipient or, if consent is not required, on the basis of our legitimate interests in direct marketing.
- Record of the registration process is based on our legitimate interests. It is in our interest to use a user-friendly and secure newsletter system, which serves both our business interests and the expectations of the user and also allows us to keep record of the consent granted.
- Users can cancel the subscription to our newsletter at any time, i.e. withdraw your consent. At the bottom of every newsletter, you can find a link to cancel the subscription. On the basis of our legitimate interests, in order to be able to show evidence of prior consent, we can keep stored the cancelled e-mail addresses up to three years before deleting them. The processing of this data is limited to the purpose of a potential defence against claims. An individual request for cancellation is possible at any time, provided that at the same time the former existence of a consent is confirmed.
- Newsletter delivery service provider
- The newsletter is distributed by means of the delivery service “MailChimp”, a mailing list platform of the American provider Rocket Science Group, LLC, 675 Ponce De Leon Ave NE # 5000, Atlanta, GA 30308, USA.The data protection regulations of the delivery service provider can be viewed online on: https://mailchimp.com/legal/privacy/. The Rocket Science Group LLC t/a MailChimp is certified under the Privacy Shield Agreement, which guarantees that the European data protection standards are respected (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The delivery service provider is appointed based on our legitimate interests in accordance with Art. 6 paragraph 1 lit. f GDPR, as well as on the basis of a contract processing agreement in accordance with Art. 28 paragraph 3 GDPR.
- The delivery service provider may use the data of the recipients in pseudonymous form – i.e. without connecting it to a specific user – to optimise or improve its own services, e.g. for the technical optimisation of delivery and the presentation of newsletters or for statistical purposes. However, the delivery service provider does not use the data of our newsletter recipients to contact them for its own scopes or to pass on this data to third parties.
- Newsletter performance measurement
- Newsletters contain a “web-beacon”, i.e. a pixel-size file. This is retrieved when the newsletter is opened by our server or from that of the delivery service provider, provided that we use one. During this process, technical information, such as information about the browser and your system, as well as your IP address and time of access will be collected.
- This information is used to improve the technical performance of services based on the technical data or the target audience and their reading behaviour, based on the access times and locations (which can be determined with the help of the IP address). Statistical surveys also include determining whether the newsletter has been opened, when it has been opened and which links have been clicked. For technical reasons, this information can be connected to individual newsletter subscribers/recipients, but it is neither our endeavour nor that of the delivery service provider to monitor individual users. Rather, the evaluations are used to identify the reading habits of our users and to adapt our content to them or to send and personalise different content according to their interests.
- Unfortunately, it is not possible to withdraw consent only for performance measurement. The only way to do so is to cancel the entire subscription to the newsletter.
- Hosting and e-mail delivery
- The website domain is provided and managed by BRSA GmbH and Host Europe GmbH (hereinafter “hosting provider”). All online offers on our website as well as information arising from its use are stored and saved by our service providers BRSA GmbH, Auerspergstraße 4/9, 1010 Vienna, ATU71368236 and Host Europe GmbH, Hansestrasse 111, 51149 Cologne.
- The hosting services we use to operate this online offer are the following: infrastructure and platform services, processing capacity, storage space and database services, e-mail distribution, security services as well as maintenance services.
- In doing so, we – or our hosting provider – process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests and of an efficient and secure provision of our online offer.
- Collection of access data and log files
- On the basis of our legitimate interests, we – or our hosting provider – collect data on every access to the server on which this service is located (so-called server log files). The access data include name of the webpage accessed, files accessed, date and time of access, amount of data transferred, message of successful retrieval, browser type and version, operating system of the user, referrer URL (the previously visited page), IP address and the requesting provider.
- Logfile information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of 7 days and then deleted or anonymised. Data needed as evidence shall be exempted from the cancellation until final clarification of the incident.
- Google Tag Manager
Google Tag Manager is a solution with which we can manage the so-called website tags via an interface (and integrate, for example, Google Analytics as well as other Google marketing tools in our online offer). The Tag Manager itself (which implements tags) does not process any personal data of the user. With regard to the processing of personal data of the user, please refer to the following specifications on Google services. Acceptable use policy: https://www.google.com/intl/de/tagmanager/use-policy.html.
- Google Analytics
- Google is certified under the Privacy Shield Agreement, which guarantees that the European data protection law will be observed (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
- Google will use the information gathered on our behalf to evaluate the use made of our online offer, to compile reports on the activities on our website and to provide us with further services related to the use of this online offer and Internet more in general. In doing so, the processed data may serve to create pseudonymous usage profiles of the user.
- We only use Google Analytics with activated IP anonymisation. This means that, within states member of the European Union or in other states belonging to the European Economic Area, Google will shorten the IP address of the user. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there.
- The IP address transmitted by the user’s browser will not be merged with other data provided by Google. Users can prevent the storage of cookies by changing their browser settings accordingly. Users may also prevent Google from collecting the data generated by the cookie and related to their use of the online offer as well as the processing of this data by Google by visiting the following link, downloading and installing the browser plugin: http://tools.google.com/dlpage/gaoptout?hl=de.
- Personal data of the user will be deleted or anonymised after 14 months.
- Identification of target audience segments with Google Analytics
We use Google Analytics to identify – through advertisements placed within Google’s advertising services and its affiliates – only those users who have shown an interest in our online offer or who have given features (e.g. interests in specific topics or products, which are determined by the websites they visited) and then send this information to Google (known as “remarketing” or “Google Analytics Audiences”). By using Google remarketing service, we also wish to ensure that our advertisements match the potential interests of users.
- Google AdWords and conversion measurement
- We use the online marketing system Google “AdWords” to place advertisements in Google’s advertising network (e.g. in the search results, in videos, on websites, etc.). In this way, advertisements are shown to users who are presumably interested in the adverts. This allows us to target the advertisements for and within our online offer to a suitable audience and present to users only advertisements that potentially match their interests. It is a form of “remarketing”, for example, if advertisements for products the user showed interest in by visiting different online offers appear to him/her. For these purposes, by retrieving our website – or other websites on which the Google advertising network is active – a Google code will be run immediately through Google and the so-called (re-) marketing tags (invisible graphics or codes, also known as “web beacon”) integrated into the website. With the help of these, an individual cookie, i.e. a small data, will be saved (instead of cookies, other comparable technologies can be used). Within such data the following information is noted: websites accessed by the user, type of content in which he/she showed interest or offers the user clicked, further information on the browser and operating system, referrer websites, times of access as well as other information related to the use of the online offer.
- Furthermore, we receive an individual “conversion-cookie”. The information retrieved by means of the cookies is then used by Google to create conversion statistics for us. However, we receive information only on the anonymous overall number of users who clicked on our advert and were forwarded to a page provided with a conversion tracking tag. We do not receive any information that personally identifies users.
- User data are processed within the framework of Google’s advertising network with a pseudonym. This means that Google does not store and process, for example, the name and e-mail address of the user, but rather processes the relevant data obtained through the cookie in connection to a pseudonymous user profile. I.e. from the perspective of Google, the advertisements are not managed and displayed for a concretely identifiable person, but rather for the cookie owner, regardless of who the cookie owner is. This does not apply whenever a user has expressly given his/her consent to Google to process these data without this pseudonymisation. The information collected about the user is then transmitted to Google and stored on Google’s servers in the USA.
- Online presences and advertising measures in social media
- We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and inform them on our services.
- Please note that users’ data may be processed beyond the territories of the European Union and Switzerland. This might pose risks for users because in this way, for example, the enforcement of the rights of the user may be impeded. With regard to US providers certified under the Privacy Shield, they undertake to follow data protection standards of the EU and EEC.
- Furthermore, as a rule, users’ data are processed for market research and advertising purposes. It follows that, for example, usage profiles can be constructed from data on use behaviours and the related interests of users. Usage profiles can in turn be used to place advertisements that presumably match the interests of the user within and beyond the platforms. For these purposes, cookies are usually saved on the computer of the user and information on usage behaviour and interests of the users are stored. Furthermore, in usage profiles it is also possible to store data regardless of the appliance used by the user (in particular when the user is a member of the relevant platform and he/she is logged in).
- The processing of personal data of the user occurs on the basis of our legitimate interest in an effective information of users and communication with them. Should users be asked to give theirs consent to data processing from the relevant provider (i.e. their agreement by, for example, ticking a box or clicking on a confirmation button), processing is based on legal consent.
- For a detailed description of the relevant type of processing and opt-out options, please refer to the links of providers below.
- In the event of information requests and enforcement of user rights, please note that these can be claimed most effectively from the providers. Only providers have access to user data and can intervene directly with the appropriate measure and provide information. Should you require further help, feel free to contact us.
- Inclusion of services and content of third parties
- We include in our online offer content and services provided by third parties in order to integrate their content and services such as e.g. videos or fonts (hereinafter referred to as “content”).
- This always presupposes that the third-party providing this content can detect the IP address of the user, given that they would not be able to send the content to the user’s browser without the IP address. The IP address is therefore required in order to display this content. We endeavour to use only content whose respective providers use the IP address solely for the delivery of the content. Third parties may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. The web beacons can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may include, but is not limited to, technical information about the browser and operating system, referrer websites, access time, and other information regarding the use of our online offer. In addition, they can also be linked to information from other sources.
- We use services and content from the following third parties:
- User-ID and Consent history
Date Version Consent