By clicking Accept, you agree to the storage of cookies on your device to improve site navigation, analyze site usage, and support our marketing efforts. For more information, see our privacy policy.
AcceptPreferences

Privacy Policy

Preamble

With the following privacy policy we wouldlike to inform you which types of your personal data (hereinafter alsoabbreviated as "data") we process for which purposes and in whichscope. The privacy statement applies to all processing of personal data carriedout by us, both in the context of providing our services and in particular onour websites, in mobile applications and within external online presences, suchas our social media profiles (hereinafter collectively referred to as"online services").

The terms used are not gender-specific.

Last Update: 21. June 2024

Table of contents

  • Preamble
  • Controller
  • Overview of processing operations
  • Relevant legal bases
  • Security Precautions
  • Transmission of Personal Data
  • International data transfers
  • General Information on Data Retention and Deletion
  • Rights of Data Subjects
  • Business services
  • Provision of online services and web hosting
  • Use of Cookies
  • Special Notes on Applications (Apps)
  • Contact and Inquiry Management
  • Communication via Messenger
  • Surveys and Questionnaires
  • Web Analysis, Monitoring and Optimization
  • Profiles in Social Networks (Social Media)
  • Plugins and embedded functions and content
  • Processing of data in the context of employment relationships
  • Changes and Updates
  • Terminology and Definitions

Controller

First name, surname/company
Street, house no.
Postcode, City, Country

E-mail address: firstname.name@exampledomain.eu

Overview of processing operations

The following table summarises the types ofdata processed, the purposes for which they are processed and the concerneddata subjects.

Categories of Processed Data

  • Inventory data.
  • Employee Data.
  • Payment Data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and process data.
  • Social data.
  • Images and/ or video recordings.
  • Event Data (Facebook).
  • Log data.
  • Performance and behavioural data.
  • Working hours data.
  • Salary data.

Special Categories of Data

  • Health Data.
  • Religious or philosophical beliefs.
  • Trade union membership.

Categories of Data Subjects

  • Service recipients and clients.
  • Employees.
  • Prospective customers.
  • Communication partner.
  • Users.
  • Business and contractual partners.
  • Participants.

Purposes of Processing

  • Provision of contractual services and fulfillment of     contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Web Analytics.
  • Targeting.
  • Office and organisational procedures.
  • Clicktracking.
  • A/B Tests.
  • Organisational and Administrative Procedures.
  • Content Delivery Network (CDN).
  • Feedback.
  • Heatmaps.
  • Polls and Questionnaires.
  • Marketing.
  • Profiles with user-related information.
  • Provision of our online services and usability.
  • Establishment and execution of employment relationships.
  • Information technology infrastructure.
  • Public relations.
  • Business processes and management procedures.

Relevant legal bases

Relevant legal bases according to theGDPR: In the following, you will find an overviewof the legal basis of the GDPR on which we base the processing of personaldata. Please note that in addition to the provisions of the GDPR, national dataprotection provisions of your or our country of residence or domicile mayapply. If, in addition, more specific legal bases are applicable in individualcases, we will inform you of these in the data protection declaration.

  • Consent (Article 6 (1) (a) GDPR) -     The data subject has given consent to the processing of his or her     personal data for one or more specific purposes.
  • Performance of a contract and prior requests (Article 6 (1) (b)     GDPR) - Performance of a contract to which the     data subject is party or in order to take steps at the request of the data     subject prior to entering into a contract.
  • Compliance with a legal obligation (Article 6 (1) (c) GDPR) - Processing is necessary for compliance with a legal     obligation to which the controller is subject.
  • Legitimate Interests (Article 6 (1) (f) GDPR) - the processing is necessary for the protection of the     legitimate interests of the controller or a third party, provided that the     interests, fundamental rights, and freedoms of the data subject, which     require the protection of personal data, do not prevail.
  • Healthcare, occupational and social security processing of     special categories of personal data (Article 9 (2)(h) GDPR) - processing is necessary for the purposes of preventive or     occupational medicine, for the assessment of the working capacity of the     employee, medical diagnosis, the provision of health or social care or     treatment or the management of health or social care systems and services     on the basis of Union or Member State law or pursuant to contract with a     health professional.

National data protection regulations inAustria: In addition to the data protectionregulations of the GDPR, national regulations apply to data protection in Austria.This includes in particular the Federal Act on the Protection of Individualswith regard to the Processing of Personal Data (Data Protection Act - DSG). Inparticular, the Data Protection Act contains special provisions on the right ofaccess, rectification or cancellation, processing of special categories ofpersonal data, processing for other purposes and transmission and automateddecision making in individual cases.

Reference to the applicability of theGDPR and the Swiss DPA: These privacy policy servesboth to provide information pursuant to the Swiss Federal Act on DataProtection (FADP) and the General Data Protection Regulation (GDPR). For thisreason, we ask you to note that due to the broader spatial application andcomprehensibility, the terms used in the GDPR are applied. In particular,instead of the terms used in the Swiss FADP such as "processing" of"personal data", "predominant interest", and"particularly sensitive personal data", the terms used in the GDPR,namely "processing" of "personal data", as well as"legitimate interest" and "special categories of data" areused. However, the legal meaning of these terms will continue to be determinedaccording to the Swiss FADP within its scope of application.

Security Precautions

We take appropriate technical andorganisational measures in accordance with the legal requirements, taking intoaccount the state of the art, the costs of implementation and the nature,scope, context and purposes of processing as well as the risk of varyinglikelihood and severity for the rights and freedoms of natural persons, inorder to ensure a level of security appropriate to the risk.

The measures include, in particular,safeguarding the confidentiality, integrity and availability of data bycontrolling physical and electronic access to the data as well as access to,input, transmission, securing and separation of the data. In addition, we haveestablished procedures to ensure that data subjects' rights are respected, thatdata is erased, and that we are prepared to respond to data threats rapidly.Furthermore, we take the protection of personal data into account as early asthe development or selection of hardware, software and service providers, inaccordance with the principle of privacy by design and privacy by default.

Securing online connections through TLS/SSLencryption technology (HTTPS): To protect the data of users transmitted via ouronline services from unauthorized access, we employ TLS/SSL encryptiontechnology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) arethe cornerstones of secure data transmission on the internet. Thesetechnologies encrypt the information that is transferred between the website orapp and the user's browser (or between two servers), thereby safeguarding the datafrom unauthorized access. TLS, as the more advanced and secure version of SSL,ensures that all data transmissions conform to the highest security standards.When a website is secured with an SSL/TLS certificate, this is indicated by thedisplay of HTTPS in the URL. This serves as an indicator to users that theirdata is being securely and encryptedly transmitted.

Transmission of Personal Data

In the course of processing personal data,it may happen that this data is transmitted to or disclosed to other entities,companies, legally independent organizational units, or individuals. Recipientsof this data may include service providers tasked with IT duties or providersof services and content that are integrated into a website. In such cases, weobserve the legal requirements and particularly conclude relevant contracts oragreements that serve to protect your data with the recipients of your data.

International data transfers

Data Processing in Third Countries: If weprocess data in a third country (i.e., outside the European Union (EU) or theEuropean Economic Area (EEA)), or if the processing is done within the contextof using third-party services or the disclosure or transfer of data to otherindividuals, entities, or companies, this is only done in accordance with legalrequirements. If the data protection level in the third country has beenrecognized by an adequacy decision (Article 45 GDPR), this serves as the basisfor data transfer. Otherwise, data transfers only occur if the data protectionlevel is otherwise ensured, especially through standard contractual clauses(Article 46 (2)(c) GDPR), explicit consent, or in cases of contractual orlegally required transfers (Article 49 (1) GDPR). Furthermore, we provide youwith the basis of third-country transfers from individual third-countryproviders, with adequacy decisions primarily serving as the foundation."Information regarding third-country transfers and existing adequacydecisions can be obtained from the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

EU-US Trans-Atlantic Data Privacy Framework:Within the context of the so-called "Data Privacy Framework" (DPF),the EU Commission has also recognized the data protection level for certaincompanies from the USA as secure within the adequacy decision of 10th July2023. The list of certified companies as well as additional information aboutthe DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/s/.We will inform you which of our service providers are certified under the DataPrivacy Framework as part of our data protection notices.

General Information on Data Retention and Deletion

We delete personal data that we process inaccordance with legal regulations as soon as the underlying consents arerevoked or no further legal bases for processing exist. This applies to caseswhere the original purpose of processing is no longer applicable or the data isno longer needed. Exceptions to this rule exist if statutory obligations orspecial interests require a longer retention or archiving of the data.

In particular, data that must be retainedfor commercial or tax law reasons, or whose storage is necessary for legalprosecution or protection of the rights of other natural or legal persons, mustbe archived accordingly.

Our privacy notices contain additionalinformation on the retention and deletion of data specifically applicable tocertain processing processes.

In cases where multiple retention periodsor deletion deadlines for a date are specified, the longest period alwaysprevails.

If a period does not expressly start on aspecific date and lasts at least one year, it automatically begins at the endof the calendar year in which the event triggering the period occurred. In thecase of ongoing contractual relationships in the context of which data isstored, the event triggering the deadline is the time at which the terminationor other termination of the legal relationship takes effect.

Data that is no longer stored for itsoriginally intended purpose but due to legal requirements or other reasons areprocessed exclusively for the reasons justifying their retention.

Further information on processingmethods, procedures and services used:

  • Data Retention and Deletion: The     following general deadlines apply to retention and archiving according to     Austrian law:

     
  • 10 Years - Retention period for books and records, annual      financial statements, inventories, annual reports, opening balance      sheets, booking receipts and invoices, as well as any necessary work      instructions and other organisational documents (Austrian Federal Tax      Code (BAO §132), Austrian Commercial Code (UGB §§190-212)). 
    •  
  • 6 Years - Remaining business documents: Received business or      trading letters, copies of sent business or trading letters, and other      documents, if they are relevant for taxation. These could be hourly wage      sheets, operational accounting sheets, calculation documents, price tags,      and payroll documents, as long as they aren't already booking receipts      and cash register strips (Austrian Federal Tax Code (BAO §132), Austrian      Commercial Code (UGB §§190-212)). .
    •  
  • 3 Years - Data required to consider potential warranty and      compensation claims or similar contractual claims and rights, as well as      to process related inquiries, based on previous business experiences and      common industry practices, will be stored for the duration of the regular      statutory limitation period of three years (Sections 1478, 1480 of the      Austrian Civil Code).

Rights of Data Subjects

Rights of the Data Subjects under the GDPR:As data subject, you are entitled to various rights under the GDPR, which arisein particular from Articles 15 to 21 of the GDPR:

  • Right to Object: You have the right, on grounds arising from     your particular situation, to object at any time to the processing of your     personal data which is based on letter (e) or (f) of Article 6(1) GDPR,     including profiling based on those provisions. Where personal data are     processed for direct marketing purposes, you have the right to object at     any time to the processing of the personal data concerning you for the     purpose of such marketing, which includes profiling to the extent that it     is related to such direct marketing.
  • Right of withdrawal for consents:     You have the right to revoke consents at any time.
  • Right of access: You have the right     to request confirmation as to whether the data in question will be     processed and to be informed of this data and to receive further     information and a copy of the data in accordance with the provisions of     the law.
  • Right to rectification: You have     the right, in accordance with the law, to request the completion of the     data concerning you or the rectification of the incorrect data concerning     you.
  • Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the     right to demand that the relevant data be erased immediately or,     alternatively, to demand that the processing of the data be restricted in     accordance with the statutory provisions.
  • Right to data portability: You have     the right to receive data concerning you which you have provided to us in     a structured, common and machine-readable format in accordance with the     legal requirements, or to request its transmission to another controller.
  • Complaint to the supervisory authority: In accordance with the law and without prejudice to any other     administrative or judicial remedy, you also have the right to lodge a     complaint with a data protection supervisory authority, in particular a     supervisory authority in the Member State where you habitually reside, the     supervisory authority of your place of work or the place of the alleged     infringement, if you consider that the processing of personal data     concerning you infringes the GDPR.

Business services

We process data of our contractual and businesspartners, e.g. customers and interested parties (collectively referred to as"contractual partners") within the context of contractual andcomparable legal relationships as well as associated actions and communicationwith the contractual partners or pre-contractually, e.g. to answer inquiries.

We process this data in order to fulfillour contractual obligations. These include, in particular, the obligations toprovide the agreed services, any update obligations and remedies in the eventof warranty and other service disruptions. In addition, we process the data toprotect our rights and for the purpose of administrative tasks associated withthese obligations and company organization. Furthermore, we process the data onthe basis of our legitimate interests in proper and economical businessmanagement as well as security measures to protect our contractual partners andour business operations from misuse, endangerment of their data, secrets,information and rights (e.g. for the involvement of telecommunications,transport and other auxiliary services as well as subcontractors, banks, taxand legal advisors, payment service providers or tax authorities). Within theframework of applicable law, we only disclose the data of contractual partnersto third parties to the extent that this is necessary for the aforementionedpurposes or to fulfill legal obligations. Contractual partners will be informedabout further forms of processing, e.g. for marketing purposes, within thescope of this privacy policy.

Which data are necessary for theaforementioned purposes, we inform the contracting partners before or in thecontext of the data collection, e.g. in online forms by special marking (e.g.colors), and/or symbols (e.g. asterisks or the like), or personally.

We delete the data after expiry ofstatutory warranty and comparable obligations, i.e. in principle after expiryof 4 years, unless the data is stored in a customer account or must be kept forlegal reasons of archiving. The statutory retention period for documentsrelevant under tax law as well as for commercial books, inventories, openingbalance sheets, annual financial statements, the instructions required tounderstand these documents and other organizational documents and accountingrecords is ten years and for received commercial and business letters andreproductions of sent commercial and business letters six years. The periodbegins at the end of the calendar year in which the last entry was made in thebook, the inventory, the opening balance sheet, the annual financial statementsor the management report was prepared, the commercial or business letter wasreceived or sent, or the accounting document was created, furthermore therecord was made or the other documents were created.

  • Processed data types: Inventory     data (For example, the full name, residential address, contact     information, customer number, etc.); Payment Data (e.g. bank details,     invoices, payment history); Contact data (e.g. postal and email addresses     or phone numbers). Contract data (e.g. contract object, duration, customer     category).
  • Special categories of personal data: Health Data.
  • Data subjects: Service recipients     and clients; Prospective customers. Business and contractual partners.
  • Purposes of processing: Provision     of contractual services and fulfillment of contractual obligations;     Communication; Office and organisational procedures; Organisational and     Administrative Procedures. Business processes and management procedures.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Performance of a     contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a     legal obligation (Article 6 (1) (c) GDPR). Legitimate Interests (Article 6     (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Hospitality, hotel and accommodation services: We process the data of our guests, visitors and interested     parties (uniformly referred to as "guests") in order to provide     our accommodation and related services of a tourist or gastronomic nature     and to invoice the services provided.
       
        As part of our assignment it may be necessary for us to process special     categories of data within the meaning of Article 9 (1) GDPR, in particular     information on the health of a person or information relating to his/her     religious belief. In this case processing is carried out in order to     protect the health interests of visitors (e.g. in the case of information     on allergies) or otherwise to satisfy their physical or mental needs on     request and with their consent.
       
        If necessary for the fulfillment of the contract or required by law, or     agreed by guests, or it is based on our legitimate interests, we disclose     or transfer the guests' data e.g. to the service providers involved in the     fulfillment of our services or from authorities, billing centers and in     the area of IT, office or comparable services; Legal Basis:     Performance of a contract and prior requests (Article 6 (1) (b) GDPR).
  • Event Management: We process the     data of the participants of the events, events and similar activities     offered or organized by us (hereinafter uniformly referred to as     "participants" and "events") in order to enable them     to participate in the events and to make use of the services or actions     associated with their participation.
       
        Insofar as we process health-related data, religious, political or other     special categories of data in this context, this is done within the     framework of disclosure (e.g. for thematically oriented events or serves     health care, security or is done with the consent of the data subjects).
       
        The necessary information is identified as such in the context of the     conclusion of the agreement, booking or comparable contract and includes     the information required for the provision of services and billing as well     as contact information in order to be able to hold any enquiries. Insofar     as we gain access to information of end customers, employees or other     persons, we process this in accordance with the legal and contractual     requirements; Legal Basis: Performance of a contract and prior     requests (Article 6 (1) (b) GDPR).
  • Rental Services: We process the     data of our tenants and of interested parties (uniformly referred to as     "tenant") in accordance with the underlying rental or comparable     contract. Furthermore, we can process the information on the     characteristics and circumstances of persons or items belonging to them if     this is necessary within the framework of the rental relationship. These     can be, for example, information on personal circumstances, mobile or     immovable assets and financial situation as well as the use of ancillary     services (such as water or energy supply).
        As part of our assignment it may be necessary for us to process special     categories of data within the meaning of Article 9 (1) GDPR, in particular     information on the health of a person. The processing is done to protect     the health interests of tenants and otherwise only with the consent of     tenants .
        If necessary for the fulfilment of the contract or legally required, or     agreed by the tenant or on the basis of our legitimate interests, we     disclose or transmit the data of the tenants within the scope of cover     requests, conclusions and execution of contracts, data e.g. to financial     service providers, credit institutions, suppliers (e.g. electricity) or     authorities. Furthermore, we process tenants' data if this is necessary to     fulfill legal obligations (e.g. in the case of information obligations in     connection with ancillary services and ancillary costs); Legal Basis:     Performance of a contract and prior requests (Article 6 (1) (b) GDPR).

Provision of online services and web hosting

We process user data in order to be able toprovide them with our online services. For this purpose, we process the IPaddress of the user, which is necessary to transmit the content and functionsof our online services to the user's browser or terminal device.

  • Processed data types: Usage data     (e.g. page views and duration of visit, click paths, intensity and     frequency of use, types of devices and operating systems used,     interactions with content and features); Meta, communication and process     data (e.g. IP addresses, timestamps, identification numbers, involved     parties); Log data (e.g. log files concerning logins or data retrieval or     access times.). Content data (e.g. textual or pictorial messages and     contributions, as well as information pertaining to them, such as details     of authorship or the time of creation.).
  • Data subjects: Users (e.g. website     visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Provision     of our online services and usability; Information technology     infrastructure (Operation and provision of information systems and     technical devices, such as computers, servers, etc.).); Security measures;     Content Delivery Network (CDN). Office and organisational procedures.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Provision of online offer on rented hosting space: For the provision of our online services, we use storage space,     computing capacity and software that we rent or otherwise obtain from a     corresponding server provider (also referred to as a "web     hoster"); Legal Basis: Legitimate Interests (Article 6 (1) (f)     GDPR).
  • Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called     "server log files". Server log files may include the address and     name of the accessed web pages and files, date and time of access,     transferred data volumes, notification of successful retrieval, browser     type along with version, the user's operating system, referrer URL (the     previously visited page), and typically IP addresses and the requesting     provider. The server log files can be used for security purposes, e.g., to     prevent server overload (especially in the case of abusive attacks, known     as DDoS attacks), and to ensure server load management and stability; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention     period: Log file information is stored for a maximum period of 30 days     and then deleted or anonymized. Data, the further storage of which is     necessary for evidence purposes, are excluded from deletion until the     respective incident has been finally clarified.
  • Content-Delivery-Network: We use a     so-called "Content Delivery Network" (CDN). A CDN is a service     with whose help contents of our online services, in particular large media     files, such as graphics or scripts, can be delivered faster and more     securely with the help of regionally distributed servers connected via the     Internet; Legal Basis: Legitimate Interests (Article 6 (1) (f)     GDPR).
  • Webflow: Creation, management and     hosting of websites, online forms and other web elements; Service     provider: Webflow, Inc., 398 11th St., Floor 2, 94103 San Francisco,     USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:     https://webflow.com; Privacy     Policy: https://webflow.com/legal/eu-privacy-policy;     Data Processing Agreement: https://webflow.com/legal/dpa.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Cloudflare: Content-Delivery-Network     (CDN) - service with whose help contents of our online services, in     particular large media files, such as graphics or scripts, can be     delivered faster and more securely with the help of regionally distributed     servers connected via the Internet; Service provider: Cloudflare,     Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis:     Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.cloudflare.com; Privacy     Policy: https://www.cloudflare.com/privacypolicy/;     Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Amazon CloudFront: Content-Delivery-Network     (CDN) - service with whose help contents of our online services, in     particular large media files, such as graphics or scripts, can be     delivered faster and more securely with the help of regionally distributed     servers connected via the Internet; Service provider: Amazon Web     Services EMEA SARL, 38 avenue John F. Kennedy, 1855, Luxembourg; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://aws.amazon.com/cloudfront/;     Privacy Policy: https://aws.amazon.com/privacy/;     Data Processing Agreement: https://aws.amazon.com/compliance/gdpr-center/.     Basis for third-country transfers: Standard Contractual Clauses     (Provided by the service provider).
  • JSDelivr: Content Delivery Network     (CDN) that helps deliver media and files quickly and efficiently,     especially under heavy load; Service provider: ProspectOne,     Królewska 65A/1, 30-081, Kraków, Poland; Legal Basis: Legitimate     Interests (Article 6 (1) (f) GDPR); Website: https://www.jsdelivr.com. Privacy     Policy: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net.

Use of Cookies

Cookies are small text files or other typesof storage markers that store information on end devices and read informationfrom them. For example, to save the login status in a user account, thecontents of a shopping cart in an e-shop, the content accessed, or thefunctions used of an online offer. Furthermore, cookies can be used for variousconcerns, such as for the functionality, security, and comfort of online offersas well as the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, weobtain prior consent from users, unless it is not required by law. Permissionis particularly not necessary if the storage and reading of information,including cookies, are absolutely necessary to provide a telemedia service(i.e., our online offer) expressly requested by the users. The revocableconsent is clearly communicated to them and contains information on therespective cookie usage.

Notes on the legal basis for dataprotection: The legal basis on which weprocess users' personal data with the help of cookies depends on whether we askthem for consent. If users accept, the legal basis for processing their data isthe declared consent. Otherwise, the data processed with the help of cookiesare based on our legitimate interests (e.g., in a commercial operation of ouronline offer and its usability improvement) or, if this occurs within thefulfillment of our contractual obligations, when the use of cookies isnecessary to fulfill our contractual obligations. We clarify the purposes forwhich the cookies are used by us in the course of this data protection declarationor within the scope of our consent and processing processes.

Storage Duration: Regarding the storage duration, the following types of cookies aredistinguished:

  • Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has     left an online offer and closed his end device (e.g., browser or mobile     application).
  • Permanent cookies: Permanent     cookies remain stored even after closing the end device. For example, the     login status can be saved and preferred content can be displayed directly     when the user revisits a site. Similarly, user data collected via cookies     can be used for reach measurement. Unless we provide users with explicit     information about the nature and storage duration of cookies (e.g., when     obtaining consent), they should assume that they are permanent and the     storage duration can be up to two years.

General notes on revocation andobjection (Opt-out): Users can revoke theconsents they have given at any time and also declare an objection to theprocessing according to legal requirements, also via the privacy settings oftheir browser.

  • Processed data types: Meta,     communication and process data (e.g. IP addresses, timestamps,     identification numbers, involved parties).
  • Data subjects: Users (e.g. website     visitors, users of online services).
  • Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR). Consent (Article 6 (1) (a) GDPR).

Further information on processingmethods, procedures and services used:

  • Processing Cookie Data on the Basis of Consent: We implement a consent management solution that obtains users'     consent for the use of cookies or for the processes and providers     mentioned within the consent management framework. This procedure is     designed to solicit, log, manage, and revoke consents, particularly     regarding the use of cookies and similar technologies employed to store,     read from, and process information on users' devices. As part of this     procedure, user consents are obtained for the use of cookies and the     associated processing of information, including specific processing and     providers named in the consent management process. Users also have the     option to manage and withdraw their consents. Consent declarations are     stored to avoid repeated queries and to provide proof of consent according     to legal requirements. The storage is carried out server-side and/or in a     cookie (so-called opt-in cookie) or by means of comparable technologies in     order to associate the consent with a specific user or their device.If no     specific details about the providers of consent management services are     provided, the following general notes apply: The duration of consent     storage is up to two years. A pseudonymous user identifier is created,     which is stored along with the time of consent, details on the scope of     consent (e.g., relevant categories of cookies and/or service providers),     as well as information about the browser, system, and device used; Legal     Basis: Consent (Article 6 (1) (a) GDPR).

Special Notes on Applications (Apps)

We process the data of the users of ourapplication to the extent necessary to provide the users with the applicationand its functionalities, to monitor its security and to develop it further.Furthermore, we may contact users in compliance with the statutory provisionsif communication is necessary for the purposes of administration or use of theapplication. In addition, we refer to the data protection information in thisprivacy policy with regard to the processing of user data.

Legal basis:The processing of data necessary for the provision of the functionalities ofthe application serves to fulfil contractual obligations. This also applies ifthe provision of the functions requires user authorisation (e.g. release ofdevice functions). If the processing of data is not necessary for the provisionof the functionalities of the application, but serves the security of theapplication or our business interests (e.g. collection of data for the purposeof optimising the application or security purposes), it is carried out on thebasis of our legitimate interests. If users are expressly requested to givetheir consent to the processing of their data, the data covered by the consentis processed on the basis of the consent.

  • Processed data types: Inventory     data (For example, the full name, residential address, contact     information, customer number, etc.); Usage data (e.g. page views and     duration of visit, click paths, intensity and frequency of use, types of     devices and operating systems used, interactions with content and     features). Meta, communication and process data (e.g. IP addresses,     timestamps, identification numbers, involved parties).
  • Data subjects: Users (e.g. website     visitors, users of online services).
  • Purposes of processing: Provision     of contractual services and fulfillment of contractual obligations;     Security measures. Provision of our online services and usability.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Performance of a     contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests     (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Device authorizations for access to functions and data: The use of certain functions of our application may require     access to the camera and the stored recordings of the users. By default,     these authorizations must be granted by the user and can be revoked at any     time in the settings of the respective devices. The exact procedure for     controlling app permissions may depend on the user's device and software.     Users can contact us if they require further explanation. We would like to     point out that the refusal or revocation of the respective authorizations     can affect the functionality of our application.

Contact and Inquiry Management

When contacting us (e.g. via mail, contactform, e-mail, telephone or via social media) as well as in the context of existinguser and business relationships, the information of the inquiring persons isprocessed to the extent necessary to respond to the contact requests and anyrequested measures.

  • Processed data types: Inventory     data (For example, the full name, residential address, contact     information, customer number, etc.); Contact data (e.g. postal and email     addresses or phone numbers); Content data (e.g. textual or pictorial     messages and contributions, as well as information pertaining to them,     such as details of authorship or the time of creation.); Usage data (e.g.     page views and duration of visit, click paths, intensity and frequency of     use, types of devices and operating systems used, interactions with     content and features). Meta, communication and process data (e.g. IP     addresses, timestamps, identification numbers, involved parties).
  • Data subjects: Communication     partner (Recipients of e-mails, letters, etc.).
  • Purposes of processing:     Communication; Organisational and Administrative Procedures; Feedback     (e.g. collecting feedback via online form). Provision of our online     services and usability.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR). Performance of a contract and prior requests     (Article 6 (1) (b) GDPR).

Further information on processingmethods, procedures and services used:

  • Contact form: Upon contacting us     via our contact form, email, or other means of communication, we process     the personal data transmitted to us for the purpose of responding to and     handling the respective matter. This typically includes details such as     name, contact information, and possibly additional information provided to     us that is necessary for appropriate processing. We use this data     exclusively for the stated purpose of contact and communication; Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Communication via Messenger

We use messenger services for communicationpurposes and therefore ask you to observe the following information regardingthe functionality of the messenger services, encryption, use of the metadata ofthe communication and your objection options.

You can also contact us by alternativemeans, e.g. telephone or e-mail. Please use the contact options provided to youor use the contact options provided within our online services.

In the case of encryption of content (i.e.the content of your message and attachments), we point out that thecommunication content (i.e. the content of the message and attachments) isencrypted end-to-end. This means that the content of the messages is notvisible, not even by the messenger service providers themselves. You shouldalways use a current version of the messenger service with activatedencryption, so that the encryption of the message contents is guaranteed.

However, we would like to point out to ourcommunication partners that although messenger service providers do not see thecontent, they can find out that and when communication partners communicatewith us and process technical information on the communication partner's deviceused and, depending on the settings of their device, also location information(so-called metadata).

Information on Legal basis: If we ask communicationpartners for permission before communicating with them via messenger services,the legal basis of our processing of their data is their consent. Otherwise, ifwe do not request consent and you contact us, for example, voluntarily, we usemessenger services in our dealings with our contractual partners and as part ofthe contract initiation process as a contractual measure and in the case ofother interested parties and communication partners on the basis of ourlegitimate interests in fast and efficient communication and meeting the needsof our communication partners for communication via messenger services. Wewould also like to point out that we do not transmit the contact data providedto us to the messenger service providers for the first time without yourconsent.

Withdrawal, objection and deletion: You can withdraw your consentor object to communication with us via messenger services at any time. In thecase of communication via messenger services, we delete the messages inaccordance with our general data retention policy (i.e. as described aboveafter the end of contractual relationships, archiving requirements, etc.) andotherwise as soon as we can assume that we have answered any informationprovided by the communication partners, if no reference to a previousconversation is to be expected and there are no legal obligations to store themessages to prevent their deletion.

Reservation of reference to other meansof communication: For your security, we kindly askfor your understanding that we may not respond to enquiries via messenger forspecific reasons. This applies in situations where contract details requireheightened confidentiality or a response via messenger does not meet formalrequirements. In such cases, we recommend using more appropriate communicationchannels.

  • Processed data types: Contact data     (e.g. postal and email addresses or phone numbers); Content data (e.g.     textual or pictorial messages and contributions, as well as information     pertaining to them, such as details of authorship or the time of     creation.); Usage data (e.g. page views and duration of visit, click     paths, intensity and frequency of use, types of devices and operating     systems used, interactions with content and features). Meta, communication     and process data (e.g. IP addresses, timestamps, identification numbers,     involved parties).
  • Data subjects: Communication     partner (Recipients of e-mails, letters, etc.).
  • Purposes of processing:     Communication. Direct marketing (e.g. by e-mail or postal).
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Consent (Article 6 (1)     (a) GDPR); Performance of a contract and prior requests (Article 6 (1) (b)     GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Apple iMessage: Send and receive     text messages, voice messages, and video calls. Conduct group     conversations. Share files, photos, videos, and locations. Secure     communication through end-to-end encryption. Synchronise messages across     multiple devices; Service provider: Apple Inc., Infinite Loop,     Cupertino, CA 95014, USA; Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR); Website: https://www.apple.com/.     Privacy Policy: https://www.apple.com/privacy/privacy-policy/.
  • Instagram: Messaging via the social     network Instagram; Service provider: Meta Platforms Ireland     Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis:     Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.instagram.com. Privacy     Policy: https://privacycenter.instagram.com/policy/.
  • Facebook-Messenger: Sending and     receiving text messages, making voice and video calls, creating group     chats, sharing files and media, transmitting location information,     synchronising contacts, encrypting messages; Service provider: Meta     Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy     Policy: https://www.facebook.com/privacy/policy/;     Data Processing Agreement: https://www.facebook.com/legal/terms/dataprocessing.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • WhatsApp: Text messages, voice and     video calls, sending images, videos and documents, group chat     functionality, end-to-end encryption for enhanced security; Service     provider: WhatsApp Ireland Limited, Merrion Road 4, D04 X2K5 Dublin,     Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f)     GDPR); Website: https://www.whatsapp.com/;     Privacy Policy: https://www.whatsapp.com/legal.     Basis for third-country transfers: Data Privacy Framework (DPF).

Surveys and Questionnaires

We conduct surveys and interviews to gatherinformation for the survey purpose communicated in each case. The surveys andquestionnaires ("surveys") carried out by us are evaluatedanonymously. Personal data is only processed insofar as this is necessary forthe provision and technical execution of the survey (e.g. processing the IPaddress to display the survey in the user's browser or to enable a resumptionof the survey with the aid of a cookie).

  • Processed data types: Inventory     data (For example, the full name, residential address, contact     information, customer number, etc.); Contact data (e.g. postal and email     addresses or phone numbers); Content data (e.g. textual or pictorial     messages and contributions, as well as information pertaining to them,     such as details of authorship or the time of creation.). Usage data (e.g.     page views and duration of visit, click paths, intensity and frequency of     use, types of devices and operating systems used, interactions with     content and features).
  • Data subjects: Participants.
  • Purposes of processing: Feedback     (e.g. collecting feedback via online form); Polls and Questionnaires (e.g.     surveys with input options, multiple choice questions); Targeting (e.g.     profiling based on interests and behaviour, use of cookies);     Clicktracking; A/B Tests; Heatmaps ("Heatmaps" are mouse     movements of the users, which are combined to an overall picture.);     Profiles with user-related information (Creating user profiles). Provision     of our online services and usability.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

Web Analysis, Monitoring and Optimization

Web analysis is used to evaluate thevisitor traffic on our website and may include the behaviour, interests ordemographic information of users, such as age or gender, as pseudonymousvalues. With the help of web analysis we can e.g. recognize, at which time ouronline services or their functions or contents are most frequently used orrequested for repeatedly, as well as which areas require optimization.

In addition to web analysis, we can alsouse test procedures, e.g. to test and optimize different versions of our onlineservices or their components.

Unless otherwise stated below, profiles,i.e. data aggregated for a usage process, can be created for these purposes andinformation can be stored in a browser or in a terminal device and read fromit. The information collected includes, in particular, websites visited andelements used there as well as technical information such as the browser used,the computer system used and information on usage times. If users have agreedto the collection of their location data from us or from the providers of theservices we use, location data may also be processed.

Unless otherwise stated below, profiles,that is data summarized for a usage process or user, may be created for thesepurposes and stored in a browser or terminal device (so-called"cookies") or similar processes may be used for the same purpose. Theinformation collected includes, in particular, websites visited and elementsused there as well as technical information such as the browser used, thecomputer system used and information on usage times. If users have consented tothe collection of their location data or profiles to us or to the providers ofthe services we use, these may also be processed, depending on the provider.

The IP addresses of the users are alsostored. However, we use any existing IP masking procedure (i.e.pseudonymisation by shortening the IP address) to protect the user. In general,within the framework of web analysis, A/B testing and optimisation, no userdata (such as e-mail addresses or names) is stored, but pseudonyms. This meansthat we, as well as the providers of the software used, do not know the actualidentity of the users, but only the information stored in their profiles forthe purposes of the respective processes.

Notes on legal bases: If we ask users fortheir consent to use third-party providers, the legal basis for data processingis consent. Otherwise, user data will be processed on the basis of ourlegitimate interests (i.e. interest in efficient, economical and recipient-friendlyservices). In this context, we would also like to draw your attention to theinformation on the use of cookies in this privacy policy.

  • Processed data types: Usage data     (e.g. page views and duration of visit, click paths, intensity and frequency     of use, types of devices and operating systems used, interactions with     content and features). Meta, communication and process data (e.g. IP     addresses, timestamps, identification numbers, involved parties).
  • Data subjects: Users (e.g. website     visitors, users of online services).
  • Purposes of processing: Web     Analytics (e.g. access statistics, recognition of returning visitors);     Profiles with user-related information (Creating user profiles); Targeting     (e.g. profiling based on interests and behaviour, use of cookies);     Clicktracking; A/B Tests; Heatmaps ("Heatmaps" are mouse     movements of the users, which are combined to an overall picture.).     Provision of our online services and usability.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion". Storage of cookies for     up to 2 years (Unless otherwise stated, cookies and similar storage     methods may be stored on users' devices for a period of two years.).
  • Security measures: IP Masking     (Pseudonymization of the IP address).
  • Legal Basis: Consent (Article 6 (1)     (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Hotjar Observe: Software for the     analysis and optimization of online services based on pseudonymously     performed measurements and analyses of user behavior, which may include in     particular A/B tests (measurement of the popularity and user-friendliness     of different content and functions), measurement of click paths and     interaction with content and functions of the online service (as so-called     heat maps and recordings); Service provider: Hotjar Ltd., 3 Lyons     Range, 20 Bisazza Street, Sliema SLM 1640, Malta; Legal Basis:     Consent (Article 6 (1) (a) GDPR); Website: https://www.hotjar.com; Privacy     Policy:  https://www.hotjar.com/legal/policies/privacy;     Retention period: The cookies that Hotjar uses have a different     "lifetime"; some last up to 365 days, some only last during the     current visit; cookie policy: https://www.hotjar.com/legal/policies/cookie-information.     Opt-Out: https://www.hotjar.com/legal/compliance/opt-out.

Profiles in Social Networks (Social Media)

We maintain online presences within socialnetworks and process user data in this context in order to communicate with theusers active there or to offer information about us.

We would like to point out that user datamay be processed outside the European Union. This may entail risks for users,e.g. by making it more difficult to enforce users' rights.

In addition, user data is usually processedwithin social networks for market research and advertising purposes. Forexample, user profiles can be created on the basis of user behaviour and theassociated interests of users. The user profiles can then be used, for example,to place advertisements within and outside the networks which are presumed tocorrespond to the interests of the users. For these purposes, cookies areusually stored on the user's computer, in which the user's usage behaviour andinterests are stored. Furthermore, data can be stored in the user profilesindependently of the devices used by the users (especially if the users aremembers of the respective networks or will become members later on).

For a detailed description of therespective processing operations and the opt-out options, please refer to therespective data protection declarations and information provided by theproviders of the respective networks.

Also in the case of requests forinformation and the exercise of rights of data subjects, we point out thatthese can be most effectively pursued with the providers. Only the providershave access to the data of the users and can directly take appropriate measuresand provide information. If you still need help, please do not hesitate tocontact us.

  • Processed data types: Contact data     (e.g. postal and email addresses or phone numbers); Content data (e.g.     textual or pictorial messages and contributions, as well as information     pertaining to them, such as details of authorship or the time of creation.).     Usage data (e.g. page views and duration of visit, click paths, intensity     and frequency of use, types of devices and operating systems used,     interactions with content and features).
  • Data subjects: Users (e.g. website     visitors, users of online services).
  • Purposes of processing:     Communication; Feedback (e.g. collecting feedback via online form). Public     relations.
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion".
  • Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Instagram: Social network, allows     the sharing of photos and videos, commenting on and favouriting posts,     messaging, subscribing to profiles and pages; Service provider:     Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland;     Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website:     https://www.instagram.com; Privacy     Policy: https://privacycenter.instagram.com/policy/.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Facebook Pages: Profiles within the     social network Facebook - We are jointly responsible (so called     "joint controller") with Meta Platforms Ireland Limited for the     collection (but not the further processing) of data of visitors to our     Facebook page. This data includes information about the types of content     users view or interact with, or the actions they take (see "Things     that you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/),     and information about the devices used by users (e.g., IP addresses,     operating system, browser type, language settings, cookie information; see     "Device Information" in the Facebook Data Policy: https://www.facebook.com/privacy/policy/).     As explained in the Facebook Data Policy under "How we use this     information?" Facebook also collects and uses information to provide     analytics services, known as "page insights," to site operators     to help them understand how people interact with their pages and with     content associated with them. We have concluded a special agreement with     Facebook ("Information about Page-Insights", https://www.facebook.com/legal/terms/page_controller_addendum),     which regulates in particular the security measures that Facebook must     observe and in which Facebook has agreed to fulfill the rights of the     persons concerned (i.e. users can send information access or deletion     requests directly to Facebook). The rights of users (in particular to     access to information, erasure, objection and complaint to the competent     supervisory authority) are not restricted by the agreements with Facebook.     Further information can be found in the "Information about Page     Insights" (https://www.facebook.com/legal/terms/information_about_page_insights_data).     The joint controllership is limited to the collection and transfer of the     data to Meta Platforms Ireland Limited, a company located in the EU.     Further processing of the data is the sole responsibility of Meta Platforms     Ireland Limited; Service provider: Meta Platforms Ireland Limited,     Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal Basis: Legitimate     Interests (Article 6 (1) (f) GDPR); Website: https://www.facebook.com; Privacy Policy:     https://www.facebook.com/privacy/policy/.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • LinkedIn: Social network - We are     jointly responsible with LinkedIn Ireland Unlimited Company for the     collection (but not the further processing) of data from visitors for the     purposes of creating „Page-Insights" (statistics) for our LinkedIn     profiles. This data includes information about the types of content that     users view or interact with, or the actions they take, as well as     information about the devices used by the users (e.g., IP addresses,     operating system, browser type, language settings, cookie data) and     details from the users' profiles, such as job function, country, industry,     seniority, company size, and employment status. Privacy information     regarding the processing of user data by LinkedIn can be found in     LinkedIn's privacy notices: https://www.linkedin.com/legal/privacy-policy
        We have concluded a special agreement with LinkedIn Irland, the 'Page     Insights Joint Controller Addendum (the ‘Addendum’)' (https://legal.linkedin.com/pages-joint-controller-addendum),     which specifically regulates the security measures that LinkedIn must     observe and wherein LinkedIn has agreed to fulfill the rights of the     affected parties (i.e., users can, for example, direct requests for     information or deletion directly to LinkedIn). The rights of the users (in     particular to access to information, erasure, objection, and complaint to     the competent supervisory authority) are not restricted by the agreements     with LinkedIn. The joint responsibility is limited to the collection of     data by and transmission to Ireland Unlimited Company, a company based in     the EU. The further processing of the data is the sole responsibility of     Ireland Unlimited Company, particularly regarding the transmission of data     to the parent company LinkedIn Corporation in the USA; Service provider:     LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.linkedin.com; Privacy     Policy: https://www.linkedin.com/legal/privacy-policy;     Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:     https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
  • Pinterest: Social network, allows     for the sharing of photos, commenting, favouriting and curating of posts,     messaging, subscribing to profiles; Service provider: Pinterest     Europe Limited, 2nd Floor, Palmerston House, Fenian Street, Dublin 2,     Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f)     GDPR); Website: https://www.pinterest.com.     Privacy Policy: https://policy.pinterest.com/en/privacy-policy.
  • X: Social network; Service     provider: Twitter International Company, One Cumberland Place, Fenian     Street, Dublin 2 D02 AX07, Ireland; Legal Basis: Legitimate     Interests (Article 6 (1) (f) GDPR); Website: https://x.com.     Privacy Policy: https://x.com/privacy.
  • Vimeo: Social network and video     platform; Service provider: Vimeo Inc., Attention: Legal     Department, 555 West 18th Street New York, New York 10011, USA; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://vimeo.com. Privacy Policy: https://vimeo.com/privacy.
  • YouTube: Social network and video     platform; Service provider: Google Ireland Limited, Gordon House,     Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR); Privacy Policy: https://policies.google.com/privacy;     Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:     https://myadcenter.google.com/personalizationoff.

Plugins and embedded functions and content

Within our online services, we integratefunctional and content elements that are obtained from the servers of theirrespective providers (hereinafter referred to as "third-partyproviders"). These may, for example, be graphics, videos or city maps(hereinafter uniformly referred to as "Content").

The integration always presupposes that thethird-party providers of this content process the IP address of the user, sincethey could not send the content to their browser without the IP address. The IPaddress is therefore required for the presentation of these contents orfunctions. We strive to use only those contents, whose respective offerers usethe IP address only for the distribution of the contents. Third parties mayalso use so-called pixel tags (invisible graphics, also known as "webbeacons") for statistical or marketing purposes. The "pixeltags" can be used to evaluate information such as visitor traffic on thepages of this website. The pseudonymous information may also be stored incookies on the user's device and may include technical information about thebrowser and operating system, referring websites, visit times and otherinformation about the use of our website, as well as may be linked to suchinformation from other sources.

  • Processed data types: Usage data     (e.g. page views and duration of visit, click paths, intensity and     frequency of use, types of devices and operating systems used,     interactions with content and features); Meta, communication and process     data (e.g. IP addresses, timestamps, identification numbers, involved     parties); Inventory data (For example, the full name, residential address,     contact information, customer number, etc.); Contact data (e.g. postal and     email addresses or phone numbers); Content data (e.g. textual or pictorial     messages and contributions, as well as information pertaining to them,     such as details of authorship or the time of creation.); Location data     (Information on the geographical position of a device or person); Event     Data (Facebook) ("Event Data" is data that can be transmitted     from us to Facebook, e.g. via Facebook pixels (via apps or other means)     and relates to persons or their actions; the data includes, for example,     information about visits to websites, interactions with content,     functions, installations of apps, purchases of products, etc.; Event data     is processed for the purpose of creating target groups for content and     advertising information (Custom Audiences). Event Data does not include     the actual content (such as written comments), login information, and     Contact Information (such as names, email addresses, and phone numbers).     Event Data is deleted by Facebook after a maximum of two years, the Custom     Audiences created from them with the deletion of our Facebook account).
  • Data subjects: Users (e.g. website     visitors, users of online services).
  • Purposes of processing: Provision     of our online services and usability; Provision of contractual services     and fulfillment of contractual obligations; Marketing. Profiles with     user-related information (Creating user profiles).
  • Retention and deletion: Deletion in     accordance with the information provided in the section "General     Information on Data Retention and Deletion". Storage of cookies for     up to 2 years (Unless otherwise stated, cookies and similar storage     methods may be stored on users' devices for a period of two years.).
  • Legal Basis: Consent (Article 6 (1)     (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processingmethods, procedures and services used:

  • Integration of third-party software, scripts or frameworks: We incorporate into our online services software which we     retrieve from servers of other providers (e.g. function libraries which we     use for the purpose of displaying or user-friendliness of our online     services). The respective providers collect the user's IP address and can     process it for the purposes of transferring the software to the user's     browser as well as for security purposes and for the evaluation and     optimisation of their services; Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR).
  • Facebook plugins and contents: Facebook     Social Plugins and contents - This can include content such as images,     videos or text and buttons with which users can share content from this     online service within Facebook. The list and appearance of the Facebook     Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/     - We are jointly responsible (so-called "joint-controllership")     with Meta Platforms Ireland Limited for the collection or transmission     (but not further processing) of "Event Data" that Facebook     collects or receives as part of a transmission using the Facebook Social     Plugins that run on our website for the following purposes: a) displaying     content advertising information that matches users' presumed interests; b)     delivering commercial and transactional messages (e.g. b) delivering     commercial and transactional messages (e.g., addressing users via Facebook     Messenger); c) improving ad delivery and personalizing features and     content (e.g., improving recognition of which content or advertising information     is believed to be of interest to users). We have entered into a special     agreement with Facebook ("Controller Addendum", https://www.facebook.com/legal/controller_addendum),     which specifically addresses the security measures that Facebook must take     (https://www.facebook.com/legal/terms/data_security_terms)     and in which Facebook has agreed to comply with the rights of data     subjects (i.e., users can, for example, submit information access or     deletion requests directly to Facebook). Note: If Facebook provides us     with measurements, analyses and reports (which are aggregated, i.e. do not     contain information on individual users and are anonymous to us), then     this processing is not carried out within the scope of joint     responsibility, but on the basis of a DPA ("Data Processing     Terms", https://www.facebook.com/legal/terms/dataprocessing/update),     the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms)     and, with regard to processing in the USA, on the basis of Standard     Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum).     The rights of users (in particular to access to information, erasure,     objection and complaint to the competent supervisory authority) are not     restricted by the agreements with Facebook; Service provider: Meta     Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal     Basis: Consent (Article 6 (1) (a) GDPR); Website: https://www.facebook.com; Privacy     Policy: https://www.facebook.com/privacy/policy/.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Google Fonts (Provision on own server): Provision of font files for the purpose of a user-friendly     presentation of our online services; Service provider: The Google     Fonts are hosted on our server, no data is transmitted to Google; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
  • Google Fonts (from Google Server): Obtaining     fonts (and symbols) for the purpose of a technically secure, maintenance-free     and efficient use of fonts and symbols with regard to timeliness and     loading times, their uniform presentation and consideration of possible     restrictions under licensing law. The provider of the fonts is informed of     the user's IP address so that the fonts can be made available in the     user's browser. In addition, technical data (language settings, screen     resolution, operating system, hardware used) are transmitted which are     necessary for the provision of the fonts depending on the devices used and     the technical environment. This data may be processed on a server of the     provider of the fonts in the USA - When visiting our online services,     users' browsers send their browser HTTP requests to the Google Fonts Web     API. The Google Fonts Web API provides users with Google Fonts' cascading     style sheets (CSS) and then with the fonts specified in the CCS. These     HTTP requests include (1) the IP address used by each user to access the     Internet, (2) the requested URL on the Google server, and (3) the HTTP     headers, including the user agent describing the browser and operating     system versions of the website visitors, as well as the referral URL     (i.e., the web page where the Google font is to be displayed). IP     addresses are not logged or stored on Google servers and they are not     analyzed. The Google Fonts Web API logs details of HTTP requests     (requested URL, user agent, and referring URL). Access to this data is     restricted and strictly controlled. The requested URL identifies the font     families for which the user wants to load fonts. This data is logged so     that Google can determine how often a particular font family is requested.     With the Google Fonts Web API, the user agent must match the font that is     generated for the particular browser type. The user agent is logged primarily     for debugging purposes and is used to generate aggregate usage statistics     that measure the popularity of font families. These aggregate usage     statistics are published on Google Fonts' Analytics page. Finally, the     referral URL is logged so that the data can be used for production     maintenance and to generate an aggregate report on top integrations based     on the number of font requests. Google says it does not use any of the     information collected by Google Fonts to profile end users or serve     targeted ads; Service provider: Google Ireland Limited, Gordon     House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate     Interests (Article 6 (1) (f) GDPR); Website: https://fonts.google.com/; Privacy     Policy: https://policies.google.com/privacy;     Basis for third-country transfers: Data Privacy Framework (DPF). Further     Information: https://developers.google.com/fonts/faq/privacy?hl=en.
  • Google Maps: We integrate the maps     of the service "Google Maps" from the provider Google. The data     processed may include, in particular, IP addresses and location data of     users; Service provider: Google Cloud EMEA Limited, 70 Sir John     Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent (Article 6     (1) (a) GDPR); Website:  https://mapsplatform.google.com/;     Privacy Policy: https://policies.google.com/privacy.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Google Maps APIs and SDKs: Interfaces     to the map and location services provided by Google, which, for example,     allow the addition of address entries, location determinations, distance     calculations or the provision of supplementary information on locations     and other places; Service provider: Google Cloud EMEA Limited, 70     Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal Basis: Consent     (Article 6 (1) (a) GDPR); Website:      https://mapsplatform.google.com/;     Privacy Policy: https://policies.google.com/privacy.     Basis for third-country transfers: Data Privacy Framework (DPF).
  • Instagram plugins and contents: Instagram     plugins and contents - This can include content such as images, videos or     text and buttons with which users can share content from this online     service within Instagram . - We are jointly responsible (so-called     "joint-controllership") with Meta Platforms Ireland Limited for     the collection or transmission (but not further processing) of "Event     Data" that Facebook collects or receives as part of a transmission     using Instagram functions that run on our website for the following     purposes: a) displaying content advertising information that matches     users' presumed interests; b) delivering commercial and transactional     messages (e.g. b) delivering commercial and transactional messages (e.g.,     addressing users via Facebook Messenger); c) improving ad delivery and     personalizing features and content (e.g., improving recognition of which     content or advertising information is believed to be of interest to     users). We have entered into a special agreement with Facebook     ("Controller Addendum", https://www.facebook.com/legal/controller_addendum),     which specifically addresses the security measures that Facebook must take     (https://www.facebook.com/legal/terms/data_security_terms)     and in which Facebook has agreed to comply with the rights of data     subjects (i.e., users can, for example, submit information access or     deletion requests directly to Facebook). Note: If Facebook provides us     with measurements, analyses and reports (which are aggregated, i.e. do not     contain information on individual users and are anonymous to us), then     this processing is not carried out within the scope of joint     responsibility, but on the basis of a DPA ("Data Processing     Terms", https://www.facebook.com/legal/terms/dataprocessing/update),     the "Data Security Conditions" (https://www.facebook.com/legal/terms/data_security_terms)     and, with regard to processing in the USA, on the basis of Standard     Contractual Clauses ("Facebook EU Data Transfer Addendum, https://www.facebook.com/legal/EU_data_transfer_addendum).     The rights of users (in particular to access to information, erasure,     objection and complaint to the competent supervisory authority) are not     restricted by the agreements with Facebook; Service provider: Meta     Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal     Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.instagram.com. Privacy     Policy: https://privacycenter.instagram.com/policy/.
  • Pinterest plugins and contents: Pinterest     plugins and contents- This can include content such as images, videos or     text and buttons with which users can share content from this online service     within Pinterest; Service provider: Pinterest Inc., 635 High     Street, Palo Alto, CA, 94301, USA; Legal Basis: Legitimate     Interests (Article 6 (1) (f) GDPR); Website: https://www.pinterest.com. Privacy     Policy: https://policy.pinterest.com/en/privacy-policy.
  • reCAPTCHA: We integrate the     "reCAPTCHA" function to be able to recognise whether entries     (e.g. in online forms) are made by humans and not by automatically     operating machines (so-called "bots"). The data processed may     include IP addresses, information on operating systems, devices or     browsers used, language settings, location, mouse movements, keystrokes,     time spent on websites, previously visited websites, interactions with     ReCaptcha on other websites, possibly cookies and results of manual     recognition processes (e.g. answering questions asked or selecting objects     in images). The data processing is based on our legitimate interest to     protect our online services from abusive automated crawling and spam; Service     provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin     4, Ireland, , parent company: Google LLC, 1600 Amphitheatre Parkway,     Mountain View, CA 94043, USA; Legal Basis: Legitimate Interests     (Article 6 (1) (f) GDPR); Website: https://www.google.com/recaptcha/;     Privacy Policy: https://policies.google.com/privacy;     Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:     Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en,  Settings for the Display of     Advertisements: https://myadcenter.google.com/personalizationoff.
  • X plugins and contents: Plugins and     buttons of the platform "X" - This may include, for example,     content such as images, videos or texts and buttons with which users can     share content of this online offer within X; Service provider:     Twitter International Company, One Cumberland Place, Fenian Street, Dublin     2 D02 AX07, Ireland; Legal Basis: Legitimate Interests (Article 6     (1) (f) GDPR); Website: https://x.com;     Privacy Policy: https://x.com/privacy,     (Settings: https://x.com/personalization);     Data Processing Agreement: https://privacy.x.com/en/for-our-partners/global-dpa.     Basis for third-country transfers: Standard Contractual Clauses (https://privacy.x.com/en/for-our-partners/global-dpa).
  • YouTube videos: Video contents; Service     provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin     4, Ireland, , parent company: Google LLC, 1600 Amphitheatre Parkway,     Mountain View, CA 94043, USA; Legal Basis: Consent (Article 6 (1)     (a) GDPR); Website: https://www.youtube.com;     Privacy Policy: https://policies.google.com/privacy;     Basis for third-country transfers: Data Privacy Framework (DPF). Opt-Out:     Opt-Out-Plugin: https://tools.google.com/dlpage/gaoptout?hl=en,  Settings for the Display of     Advertisements: https://myadcenter.google.com/personalizationoff.
  • YouTube-Videos: Video content;     ouTube videos are integrated via a special domain (recognizable by the     component "youtube-nocookie") in the so-called " enhanced     data protection mode", whereby no cookies on user activities are     collected in order to personalise the video playback. Nevertheless,     information on the user's interaction with the video (e.g. remembering the     last playback point) may be stored; Service provider: Google     Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, , parent     company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043,     USA; Legal Basis: Consent (Article 6 (1) (a) GDPR); Website:     https://www.youtube.com; Privacy     Policy: https://policies.google.com/privacy.     Basis for third-country transfers: Data Privacy Framework (DPF).

Processing of data in the context of employmentrelationships

In the context of employment relationships,the processing of personal data aims to effectively manage the establishment,execution, and termination of such relationships. This data processing supportsvarious operational and administrative functions necessary for managingemployee relations.

The data processing covers various aspectsranging from contract initiation to termination. Included are the organizationand management of daily working hours, management of access rights andpermissions, as well as handling personnel development measures and staffappraisals. The processing also serves payroll accounting and management ofwage and salary payments, which represent critical aspects of contractexecution.

Additionally, the data processing considerslegitimate interests of the responsible employer, such as ensuring workplacesafety or capturing performance data for evaluating and optimizing operationalprocesses. Moreover, the data processing includes disclosing employee data inexternal communication and publication processes where necessary foroperational or legal purposes.

The processing of this data always takesplace with due regard for the applicable legal frameworks, aiming always tocreate and maintain a fair and efficient working environment. This alsoincludes considering the privacy of affected employees, anonymizing or deletingdata after fulfilling the processing purpose or according to legal retentionperiods.

  • Processed data types: Employee Data     (Information about employees and other individuals in an employment     relationship); Payment Data (e.g. bank details, invoices, payment     history); Contract data (e.g. contract object, duration, customer     category); Inventory data (For example, the full name, residential     address, contact information, customer number, etc.); Contact data (e.g.     postal and email addresses or phone numbers); Content data (e.g. textual     or pictorial messages and contributions, as well as information pertaining     to them, such as details of authorship or the time of creation.); Social     data (Data subject to a special social confidentiality obligation and     processed, for example, by social insurance institutions, social welfare     institutions or pension authorities.); Log data (e.g. log files concerning     logins or data retrieval or access times.); Performance and behavioural     data (For example, performance and behavioural data aspects such as     performance evaluations, feedback from supervisors, training attendance,     compliance with company policies, self-assessments, and behavioural     assessments.); Working hours data (e.g. start of work time, end of work     time, actual working hours, target working hours, break times, overtime,     vacation days, special leave days, sick days, absences, home office days,     business trips); Salary data (e.g. basic salary, bonus payments, premiums,     tax class information, surcharges for night work/overtime, tax deductions,     social security contributions, net payout amount); Images and/ or video     recordings (e.g. photographs or video recordings of a person); Usage data     (e.g. page views and duration of visit, click paths, intensity and     frequency of use, types of devices and operating systems used,     interactions with content and features). Meta, communication and process     data (e.g. IP addresses, timestamps, identification numbers, involved     parties).
  • Special categories of personal data: Health Data; Religious or philosophical beliefs. Trade union     membership.
  • Data subjects: Employees (e.g.     employees, job applicants, temporary workers, and other personnel.).
  • Purposes of processing: Establishment     and execution of employment relationships (Processing of employee data in     the context of the establishment and execution of employment     relationships); Business processes and management procedures; Provision of     contractual services and fulfillment of contractual obligations; Public     relations; Security measures. Office and organisational procedures.
  • Legal Basis: Performance of a     contract and prior requests (Article 6 (1) (b) GDPR); Compliance with a     legal obligation (Article 6 (1) (c) GDPR); Legitimate Interests (Article 6     (1) (f) GDPR); Healthcare, occupational and social security processing of     special categories of personal data (Article 9 (2)(h) GDPR). Consent     (Article 6 (1) (a) GDPR).

Further information on processingmethods, procedures and services used:

  • Time Recording: Processes for     recording employees' working hours include both manual and automated     methods, such as the use of punch clocks, time tracking software, or     mobile apps. Activities involved include entering clock-in and clock-out     times, break times, overtime, and absences. To verify and validate the     recorded working hours, they are compared with deployment or shift     schedules, checked for absences, and approved for overtime by supervisors.     Reports and analyses are generated based on the recorded working hours to     provide work time records, overtime reports, and absence statistics for     management and the human resources department; Legal Basis:     Performance of a contract and prior requests (Article 6 (1) (b) GDPR),     Legitimate Interests (Article 6 (1) (f) GDPR).
  • Authorization Management: Procedures     required for the definition, management, and control of access rights and     user roles within a system or an organisation (e.g., creation of     authorisation profiles, role- and access-based control, review and     approval of access requests, regular review of access rights, tracking and     auditing of user activities, creation of security policies and     procedures); Legal Basis: Performance of a contract and prior     requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation     (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
  • Special categories of personal data: Special categories of personal data are processed in the     context of employment relationships or to fulfil legal obligations. The     processed special categories of personal data include information     concerning the health, trade union membership, or religious affiliation of     employees. This data may be transferred to health insurance companies or     processed for assessing the employees' work capacity, for corporate health     management, or for declarations to the tax authorities; Legal Basis:     Performance of a contract and prior requests (Article 6 (1) (b) GDPR),     Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate     Interests (Article 6 (1) (f) GDPR).
  • Sources of Processed Data: Personal     data received during the application process and/or employment     relationship will be processed. Furthermore, where required by law,     personal data will be collected from other sources. These may include     financial authorities for tax-related information, the respective health     insurance company for information on work incapacity, third parties such     as employment agencies, or publicly accessible sources like professional     social networks in the context of application procedures; Legal Basis:     Compliance with a legal obligation (Article 6 (1) (c) GDPR), Legitimate     Interests (Article 6 (1) (f) GDPR).
  • Purposes of Data Processing: The     personal data of employees are primarily processed for the establishment,     execution, and termination of the employment relationship. Furthermore,     the processing of this data is necessary to fulfil legal obligations in     the field of tax and social security law. In addition to these primary     purposes, the data of employees are also used to meet regulatory and     supervisory requirements, to optimise processes of electronic data     processing, and to compile company-internal or cross-company data,     possibly including statistical data. Moreover, the data of employees may     be processed for the assertion of legal claims and defense in legal     disputes; Legal Basis: Performance of a contract and prior requests     (Article 6 (1) (b) GDPR), Compliance with a legal obligation (Article 6     (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
  • Transmission of Employee Data to Third Countries: The transfer of employee data to third countries, meaning     countries outside the European Union (EU) and the European Economic Area     (EEA), occurs only if it is necessary for the fulfilment of the employment     relationship, legally required, or if employees have given their consent.     Employees will be informed about the details separately, as far as legally     required; Legal Basis: Legitimate Interests (Article 6 (1) (f)     GDPR).
  • Transmission of Employee Data: The     data of employees is processed internally only by those departments that     require it to fulfil operational, contractual, and legal obligations. The     transfer of data to external recipients only occurs if it is legally     required, or if the affected employees have given their consent. Possible     scenarios for this can include requests for information from authorities     or in the case of asset formation benefits. Furthermore, the controller     may transfer personal data to further recipients as far as this is     necessary for fulfilling his contractual and legal obligations as an     employer. These recipients can include: a) banks b) health insurance     companies, pension insurance institutions, providers of old-age provisions     and other social insurance carriers c) authorities, courts (e.g., tax     authorities, labour courts, further supervisory authorities within the     framework of fulfilling reporting and information obligations) d) tax and     legal advisors e) third-party debtors in the case of wage and salary     garnishments f) other entities to which legally obligatory declarations     must be made.
        In addition, data can be transferred to third parties if this is necessary     for communication with business partners, suppliers or other service     providers. Examples include details in the sender area of emails or     letterheads as well as creating profiles on external platforms; Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).
  • Business Travel and Travel Expense Settlement: Procedures required for planning, executing, and accounting for     business trips (e.g., booking of travel, organizing accommodations and     transportation, managing travel expense advances, submitting and reviewing     travel expense reports, controlling and recording incurred costs,     compliance with travel policies, handling of the travel expense     management); Legal Basis: Performance of a contract and prior     requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation     (Article 6 (1) (c) GDPR), Legitimate Interests (Article 6 (1) (f) GDPR),     Healthcare, occupational and social security processing of special     categories of personal data (Article 9 (2)(h) GDPR).
  • Payroll and wage accounting: Procedures     required for calculating, disbursing, and documenting wages, salaries, and     other remuneration for employees (e.g., recording of working hours,     calculation of deductions and surcharges, remittance of taxes and social     security contributions, preparation of payroll statements, management of     wage accounts, reporting to the tax authorities and social security     institutions); Legal Basis: Performance of a contract and prior     requests (Article 6 (1) (b) GDPR), Compliance with a legal obligation     (Article 6 (1) (c) GDPR).
  • Deletion of Employee Data: Employment     data will be deleted under German law when it is no longer required for     the purpose for which it was collected, unless there is a legal obligation     to retain or archive it, or it needs to be kept for the interests of the     employer. The following retention and archiving obligations are observed:Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR),     Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational     and social security processing of special categories of personal data     (Article 9 (2)(h) GDPR).

     
  • General personnel records - General personnel records (such as      employment contracts, references, supplementary agreements) are retained      for up to three years after the termination of the employment      relationship (§ 195 German Civil Code (BGB)).
         Tax-relevant documents - Tax-relevant documents in the personnel file are      kept for six years (§ 147 Tax Code (AO), § 257 Commercial Code (HGB)).
         Information on wages and working hours - Information on wages and working      hours for (accident) insured with wage proof are kept for five years (§      165 I 1, IV 2 Social Code Book VII (SGB VII)).
    •  
  • Payrolls including lists for special payments - Payrolls      including lists for special payments, if a booking receipt is available,      are kept for ten years (§ 147 Tax Code (AO), § 257 Commercial Code      (HGB)).
    •  
  • Wage lists for interim, final, and special payments - Wage      lists for interim, final, and special payments are kept for six years (§      147 Tax Code (AO), § 257 Commercial Code (HGB)).
    •  
  • Documents on employee insurance - Documents on employee      insurance, if booking receipts are available, are kept for ten years (§      147 Tax Code (AO), § 257 Commercial Code (HGB)).
    •  
  • Contribution statements to social security institutions -      Contribution statements to social security institutions are kept for ten      years (§ 165 Social Code Book VII (SGB VII)).
         Wage accounts - Wage accounts are kept for six years (§ 41 I 9 Income Tax      Act (EStG)).
    •  
  • Applicant data - Kept for a maximum of six months from the      receipt of rejection.
    •  
  • Working time records (for more than 8 hours on workdays) -      Kept for two years (§ 16 II Working Time Act (ArbZG)).
    •  
  • Application documents (following online job advertisement) -      Kept for three to a maximum of six months from the receipt of rejection      (§ 26 Federal Data Protection Act (BDSG) n.F., § 15 IV General Act on      Equal Treatment (AGG)).
    •  
  • Certificates of incapacity for work (AU) - Kept for up to five      years (§ 6 I Act on the Compensation of Expenses (AAG)).
    •  
  • Documents on company pension schemes - Kept for 30 years (§      18a Act to Improve Occupational Pensions (BetrAVG)).
    •  
  • Sickness data of employees - Kept for twelve months from the      start of the illness, if the absence in a year does not exceed six weeks.
    •  
  • Documents on maternity protection - Kept for two years (§ 27      para. 5 Maternity Protection Act (MuSchG)).

  • Deletion of Employee Data: Employee     data are deleted under Austrian law when they are no longer necessary for     the purpose for which they were collected, unless they must be retained or     archived due to legal obligations or the employer's interests. The     following retention and archiving obligations are observed: .

     
  • Data regarding payroll tax and levy obligations under § 132      Abs 1 Federal Tax Code (BAO) - 7 years. The period begins at the end of      the calendar year relevant to the data.
    •  
  • Limitation of the obligation to pay social security      contributions under § 68 Social Security Code (ASVG) - 3 or 5 years. The      period generally begins on the day the contributions are due, or from the      day of reporting if no report was filed.
    •  
  • Retention periods in social insurance - 7 years under the      Commercial Code (UGB).
    •  
  • Entitlement to holiday under § 4 Abs 5 Holiday Act (UrlG) - 2      years from the end of the holiday year in which the holiday entitlement      arose. The period starts 2 years after the end of the holiday year.
    •  
  • Claims for holiday compensation under § 1486 Z 5 General Civil      Code (ABGB) - 3 years. The period begins from the date the final claims      are due, i.e., the last working day.
    •  
  • Records and reports on workplace accidents under § 16 Worker      Protection Act (ASchG) - at least 5 years. The period begins from the day      of the workplace accident.
    •  
  • Records on the provision of temporary workers under § 13 Abs 3      Act on Temporary Agency Work (AÜG) - 5 years. The period begins on the      day the last wage claim of the temporary worker is due.
    •  
  • Register of minors under § 26 Abs 2 Youth Employment Act      (KJBG) - 2 years. The period begins two years after the last entry in the      new register.
    •  
  • Claims for compensation due to discriminatory termination of      employment under §§ 15 Abs 1a and 29 Abs 1a Equal Treatment Act (GlBG)      and § 7k Abs 1 in conjunction with Abs 2 Z 3 Employment of Disabled      Persons Act (BEinstG) - 6 months. The period begins from the date of      receipt of the termination.
    •  
  • Claims of the employer or employee from a premature      termination of the employment relationship under § 34 Employees Act      (AngG) or § 1162d General Civil Code (ABGB) - 6 months. The period begins      from the date the claims are due, typically from the day the termination      notice is received.
    •  
  • Entitlement to an employment reference under § 1478 General      Civil Code (ABGB) - 30 years. The period begins at the termination of the      employment relationship.
    •  
  • Claims for compensation due to discriminatory rejection of an      application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and      § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons      Act (BEinstG) - 6 months. The period begins from the day the rejection is      received, or 7 months from the receipt of the application.
    •  
  • Claims for reimbursement of interview expenses under § 1486 Z      5 General Civil Code (ABGB) - 3 years. The period begins on the day the      expenses were incurred.
    •  
  • Liability for severance claims and company pensions after a      business transfer under § 6 Abs 2 Company Pension Act (AVRAG) - 5 years.      The period begins at the time of the business transfer.
    •  
  • Claims for compensation due to discriminatory rejection of a      promotion under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and §      7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act      (BEinstG) - 6 months. The period begins from the day the promotion      rejection is received.
    •  
  • Claims for compensation due to discriminatory treatment in      remuneration, voluntary social benefits, training and further education      measures or other working conditions under §§ 15 Abs 1 and 29 Abs 1 Equal      Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 5      Employment of Disabled Persons Act (BEinstG) - 3 years. The period begins      at the point the right could first have been exercised and the objective      possibility to sue was given.
    •  
  • Claims for compensation due to discriminatory harassment under      §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in      conjunction with Abs 2 Z 4 Employment of Disabled Persons Act (BEinstG) -      1 year. The period begins from the time the discrimination was      recognized.
    •  
  • Claims for compensation due to discriminatory rejection of an      application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and      § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons      Act (BEinstG) - 6 months. The period begins from the day the rejection is      received, or 7 months from the receipt of the application.
    •  
  • Claims for compensation due to sexual harassment under § 15      Abs 1 Equal Treatment Act (GlBG) - 3 years. The period begins from the      time the discrimination was recognized.
    •  
  • Claims for reimbursement of interview expenses under § 1486 Z      5 General Civil Code (ABGB) - 3 years. The period begins on the day the      expenses were incurred.
    •  
  • Claims of the employee for wages or reimbursement of expenses      as well as of the employer for advances made on these under § 1486 Z 5      General Civil Code (ABGB) - 3 years. The period begins upon the due date      of the respective claims.
    •  
  • Limitation of prosecution for underpayment under § 31 Abs 1      Administrative Penal Act (VStG) in conjunction with § 29 Abs 4 Wage and      Social Dumping Prevention Act (LSD-BG) - 3 years. The period begins upon      the due date of the wages.
    •  
  • Damage claims of the employer against the employee from      employee liability for slight negligence under § 6 Employee Liability Act      (DHG) - 6 months. The period begins from the day they can be asserted.
    •  
  • Damage claims of the employer against the employee from      employee liability for gross negligence or intentional misconduct and      other damage claims of the employer under § 1489 General Civil Code      (ABGB) - 3 years or 30 years. The period begins with the shorter term      from knowledge of damage and perpetrator, and with the longer term from      the occurrence of damage.

  • Personnel file management: Procedures     required for the organisation, updating, and management of employee data     and records (e.g., recording of basic personnel data, retention of     employment contracts, certificates and attestations, updating data upon     changes, compilation of documents for employee discussions, archiving of     personnel files, compliance with data protection regulations); Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR),     Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational     and social security processing of special categories of personal data     (Article 9 (2)(h) GDPR).
  • Personnel development, performance evaluation, and staff     appraisals: Procedures required in the area of     employee promotion and development, as well as in assessing their     performance and during employee discussions (e.g., needs analysis for     further training, planning and implementation of training measures,     creation of performance evaluations, conducting goal-setting and feedback     discussions, career planning and talent management, succession planning); Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR),     Legitimate Interests (Article 6 (1) (f) GDPR), Healthcare, occupational     and social security processing of special categories of personal data     (Article 9 (2)(h) GDPR).
  • Obligation to Provide Data: The     person in charge informs the employees that the provision of their data is     required. This is generally the case when the data are necessary for the     establishment and execution of the employment relationship, or when their     collection is mandated by law. The provision of data may also be required     when employees assert claims or are entitled to claims. The implementation     of these measures or fulfilment of services depends on the provision of     such data (for example, providing data for the receipt of wages); Legal     Basis: Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Compliance with a legal obligation (Article 6 (1) (c) GDPR),     Legitimate Interests (Article 6 (1) (f) GDPR).
  • Publication and Disclosure of Employee Data: The data of employees will only be published or disclosed to     third parties if it is necessary for the performance of work tasks     according to the employment contract. This applies, for example, when     employees are named as contact persons in correspondences, on the website,     or in public registers following an agreement or specified job     description, or if their field of work includes representative functions.     Similarly, this may occur if representation or communication with the public     takes place as part of performing these tasks, such as image recordings     during public relations activities. Otherwise, employee data is published     only with their consent or based on the legitimate interests of the     employer, for example, in the case of stage or group photographs taken     during a public event; Legal Basis: Consent (Article 6 (1) (a)     GDPR), Performance of a contract and prior requests (Article 6 (1) (b)     GDPR), Legitimate Interests (Article 6 (1) (f) GDPR).

Changes and Updates

We kindly ask you to inform yourselfregularly about the contents of our data protection declaration. We will adjustthe privacy policy as changes in our data processing practices make thisnecessary. We will inform you as soon as the changes require your cooperation(e.g. consent) or other individual notification.

If we provide addresses and contactinformation of companies and organizations in this privacy policy, we ask youto note that addresses may change over time and to verify the informationbefore contacting us.

Terminology and Definitions

In this section, you will find an overviewof the terminology used in this privacy policy. Where the terminology islegally defined, their legal definitions apply. The following explanations,however, are primarily intended to aid understanding.

  • A/B Tests: A/B tests are designed     to improve the usability and performance of online services. For example,     users are presented with different versions of a website or its elements,     such as input forms, on which the placement of the contents or labels of     the navigation elements can differ. The behaviour of users, e.g. prolonged     visits to the site or more frequent interaction with the elements, can     then be used to determine which of these sites or elements are more     responsive to users' needs.
  • Clicktracking: Clicktracking allows     users to keep track of their movements within an entire website. Since the     results of these tests are more accurate if the interaction of the users     can be followed over a certain period of time (e.g. if a user likes to     return), cookies are usually stored on the computers of the users for     these test purposes.
  • Contact data: Contact details are     essential information that enables communication with individuals or     organizations. They include, among others, phone numbers, postal     addresses, and email addresses, as well as means of communication like     social media handles and instant messaging identifiers.
  • Content Delivery Network (CDN): A     "Content Delivery Network" (CDN) is a service with whose help     contents of our online services, in particular large media files, such as     graphics or scripts, can be delivered faster and more securely with the     help of regionally distributed servers connected via the Internet.
  • Content data: Content data comprise     information generated in the process of creating, editing, and publishing     content of all types. This category of data may include texts, images,     videos, audio files, and other multimedia content published across various     platforms and media. Content data are not limited to the content itself     but also include metadata providing information about the content, such as     tags, descriptions, authorship details, and publication dates.
  • Contract data: Contract data are     specific details pertaining to the formalisation of an agreement between     two or more parties. They document the terms under which services or     products are provided, exchanged, or sold. This category of data is     essential for managing and fulfilling contractual obligations and includes     both the identification of the contracting parties and the specific terms     and conditions of the agreement. Contract data may encompass the start and     end dates of the contract, the nature of the agreed-upon services or     products, pricing arrangements, payment terms, termination rights,     extension options, and special conditions or clauses. They serve as the     legal foundation for the relationship between the parties and are crucial     for clarifying rights and duties, enforcing claims, and resolving     disputes.
  • Controller: "Controller"     means the natural or legal person, public authority, agency or other body     which, alone or jointly with others, determines the purposes and means of     the processing of personal data.
  • Employees: As employees,     individuals are those who are engaged in an employment relationship,     whether as staff, employees, or in similar positions. Employment refers to     a legal relationship between an employer and an employee, established     through an employment contract or agreement. It entails the obligation of     the employer to pay the employee remuneration while the employee performs     their work. The employment relationship encompasses various stages,     including establishment, where the employment contract is concluded, execution,     where the employee carries out their work activities, and termination,     when the employment relationship ends, whether through termination, mutual     agreement, or otherwise. Employee data encompasses all information     pertaining to these individuals within the context of their employment.     This includes aspects such as personal identification details,     identification numbers, salary and banking information, working hours,     holiday entitlements, health data, and performance assessments.
  • Heatmaps: "Heatmaps" are     mouse movements of the users, which are combined to an overall picture,     with the help of which it can be recognized, for example, which web page     elements are preferred and which web page elements users prefer less.
  • Inventory data: Inventory data encompass     essential information required for the identification and management of     contractual partners, user accounts, profiles, and similar assignments.     These data may include, among others, personal and demographic details     such as names, contact information (addresses, phone numbers, email     addresses), birth dates, and specific identifiers (user IDs). Inventory     data form the foundation for any formal interaction between individuals     and services, facilities, or systems, by enabling unique assignment and     communication.
  • Location data: Location data is     created when a mobile device (or another device with the technical     requirements for a location determination) connects to a radio cell, a     WLAN or similar technical means and functions of location determination.     Location data serve to indicate the geographically determinable position     of the earth at which the respective device is located. Location data can     be used, for example, to display map functions or other information     dependent on a location.
  • Log data: Protocol data, or log     data, refer to information regarding events or activities that have been     logged within a system or network. These data typically include details     such as timestamps, IP addresses, user actions, error messages, and other     specifics about the usage or operation of a system. Protocol data is often     used for analyzing system issues, monitoring security, or generating     performance reports.
  • Meta, communication and process data: Meta-, communication, and procedural data are categories that     contain information about how data is processed, transmitted, and managed.     Meta-data, also known as data about data, include information that     describes the context, origin, and structure of other data. They can     include details about file size, creation date, the author of a document,     and modification histories. Communication data capture the exchange of     information between users across various channels, such as email traffic,     call logs, messages in social networks, and chat histories, including the     involved parties, timestamps, and transmission paths. Procedural data     describe the processes and operations within systems or organisations,     including workflow documentations, logs of transactions and activities,     and audit logs used for tracking and verifying procedures.
  • Payment Data: Payment data comprise     all information necessary for processing payment transactions between     buyers and sellers. This data is crucial for e-commerce, online banking,     and any other form of financial transaction. It includes details such as     credit card numbers, bank account information, payment amounts,     transaction dates, verification numbers, and billing information. Payment     data may also contain information on payment status, chargebacks,     authorizations, and fees.
  • Performance and behavioural data:     Performance and behavioral data refer to information related to how     individuals perform tasks or behave within a certain context, such as in     an educational, work, or social setting. This data may include metrics     such as productivity, efficiency, quality of work, attendance, and     adherence to policies or procedures. Behavioral data could encompass     interactions with colleagues, communication styles, decision-making     processes, and responses to various situations. These types of data are     often used for performance evaluations, training and development purposes,     and decision-making within organizations.
  • Personal Data: "personal     data" means any information relating to an identified or identifiable     natural person ("data subject"); an identifiable natural person     is one who can be identified, directly or indirectly, in particular by     reference to an identifier such as a name, an identification number,     location data, an online identifier or to one or more factors specific to     the physical, physiological, genetic, mental, economic, cultural or social     identity of that natural person.
  • Processing: The term     "processing" covers a wide range and practically every handling     of data, be it collection, evaluation, storage, transmission or erasure.
  • Profiles with user-related information: The processing of "profiles with user-related     information", or "profiles" for short, includes any kind of     automated processing of personal data that consists of using these     personal data to analyse, evaluate or predict certain personal aspects relating     to a natural person (depending on the type of profiling, this may include     different information concerning demographics, behaviour and interests,     such as interaction with websites and their content, etc.) (e.g. interests     in certain content or products, click behaviour on a website or location).     Cookies and web beacons are often used for profiling purposes.
  • Targeting: "Tracking" is     the term used when the behaviour of users can be traced across several     websites. As a rule, behavior and interest information with regard to the     websites used is stored in cookies or on the servers of the tracking     technology providers (so-called profiling). This information can then be     used, for example, to display advertisements to users presumably     corresponding to their interests.
  • Usage data: Usage data refer to     information that captures how users interact with digital products,     services, or platforms. These data encompass a wide range of information     that demonstrates how users utilise applications, which features they prefer,     how long they spend on specific pages, and through what paths they     navigate an application. Usage data can also include the frequency of use,     timestamps of activities, IP addresses, device information, and location     data. They are particularly valuable for analysing user behaviour,     optimising user experiences, personalising content, and improving products     or services. Furthermore, usage data play a crucial role in identifying     trends, preferences, and potential problem areas within digital offerings
  • Web Analytics: Web Analytics serves     the evaluation of visitor traffic of online services and can determine     their behavior or interests in certain information, such as content of     websites. With the help of web analytics, website owners, for example, can     recognize at what time visitors visit their website and what content they     are interested in. This enables them, for example, to better adapt the     content of their websites to the needs of their visitors. For the purposes     of web analytics , pseudonymous cookies and web beacons are often used to     recognize returning visitors and thus obtain more precise analyses of the     use of an online service.