Privacy Policy

Introduction and Overview

We have created this privacy policy (version 06.07.2023-112539527) to explain to you, in accordance with the provisions of the General Data Protection Regulation (GDPR) (EU) 2016/679 and applicable national laws, which personal data (referred to as “data”) we process as the data controller, which data is processed by data processors (e.g., service providers) contracted by us, and which legal options are available to you. The terms used in this policy are gender-neutral.

In brief: We provide comprehensive information about the data we process about you.

Privacy policies are often written in technical and legal jargon. However, we have designed this privacy policy to describe the most important aspects in a simple and transparent manner. Wherever possible, we explain technical terms in a reader-friendly manner, provide links to additional information, and use graphics to enhance understanding. We aim to inform you clearly and plainly that we only process personal data as part of our business activities when there is a legal basis for doing so. This would not be achievable with brief, unclear, and legally technical explanations often found on the internet regarding privacy. We hope you find the following explanations interesting and informative and that you may come across some information you were not previously aware of.

If you still have questions, we kindly ask you to reach out to the responsible entity listed below or follow the provided links for further information on third-party websites. Our contact details can also be found in the imprint.

Scope

This privacy policy applies to all personal data processed by us in our company and by data processors (contracted companies) on our behalf. By personal data, we mean information as defined in Art. 4 No. 1 GDPR, such as a person’s name, email address, and postal address. The processing of personal data enables us to offer and bill our services and products, whether online or offline. The scope of this privacy policy includes:

– All online presences (websites, online shops) operated by us
– Social media presences and email communications
– Mobile apps for smartphones and other devices

In short: The privacy policy applies to all areas in which personal data is processed within the company through the mentioned channels. If we enter into legal relationships with you outside of these channels, we will inform you separately, if necessary.

Legal Basis

In this privacy policy, we provide transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that allow us to process personal data.

Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can find this EU General Data Protection Regulation online at EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

1. Consent (Article 6(1)(a) GDPR): You have given us consent to process data for a specific purpose. For example, this could be storing your provided data in a contact form.
2. Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we conclude a purchase contract with you, we need certain personal information beforehand.
3. Legal Obligation (Article 6(1)(c) GDPR): We process your data when we are legally obliged to do so. For example, we are required by law to retain invoices for accounting purposes, which usually contain personal data.
4. Legitimate Interests (Article 6(1)(f) GDPR): In case of legitimate interests that do not infringe on your fundamental rights, we reserve the right to process personal data. For example, we may need to process certain data to operate our website securely and efficiently. This processing constitutes a legitimate interest.

Other conditions such as processing data in the public interest, exercising official authority, and protecting vital interests typically do not apply to us. If such a legal basis were to be applicable in a specific situation, it would be stated accordingly.

In addition to the EU regulation, national laws also apply:

– In Austria, this is the Federal Act concerning the Protection of Personal Data (Datenschutzgesetz), abbreviated as DSG.
– In Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz), abbreviated as BDSG, applies.

If additional regional or national laws are applicable, we will inform you about them in the following sections.

Contact Details of the Data Controller

If you have any questions about data protection or the processing of personal data, you can find the contact details of the responsible person or entity below:
Studio Sophie Pochtler
Sophie Pochtler
Reithlegasse 6, 1190 Vienna, Austria
Authorized representative: Sophie Pochtler
Email: sophie1337@atelier1337.com
Phone: +43 4711 12345
Imprint: https://www.musterfirma.at/impressum/

Data Retention

As a general criterion, we store personal data only for as long as it is strictly necessary to provide our services and products. This means that we delete personal data as soon as the purpose for data processing no longer exists. In some cases, we may be legally obligated to continue storing certain data even after the original purpose has ceased, such as for accounting purposes.

If you wish to have your data deleted or withdraw your consent to data processing, we will delete the data as quickly as possible, provided there is no legal obligation to retain it.

The specific duration of each data processing is provided further below, where applicable information is available.

Rights according to the General Data Protection Regulation

According to Articles 13 and 14 of the GDPR, we inform you about the following rights that are granted to you to ensure fair and transparent data processing:

1. Right to Information (Article 15 GDPR): You have the right to know if we process data about you. If that is the case, you have the right to obtain a copy of the data and the following information:
– The purpose of the processing
– The categories of data being processed
– Recipients of the data and, if the data is transferred to third countries, how the security of such data is guaranteed
– How long the data will be stored
– The right to rectify, erase, or restrict the processing and the right to object to the processing
– The right to lodge a complaint with a supervisory authority (links to these authorities are provided below)
– The origin of the data if we did not collect it from you
– Whether profiling is being conducted, meaning whether data is automatically evaluated to create a personal profile of you.

2. Right to Rectification (Article 16 GDPR): You have the right to have incorrect data corrected.

3. Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR): You have the right to request the deletion of your data.

4. Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we only store your data without further processing.

5. Right to Data Portability (Article 20 GDPR): You have the right to have your data provided to you in a commonly used, machine-readable format upon request.

6. Right to Object (Article 21 GDPR): If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you have the right to object to the processing. We will examine whether we can legally comply with this objection as quickly as possible.

– If data is used for direct marketing purposes, you can object to this type of data processing at any time. After this, we may not use your data for direct marketing anymore.
– If data is used for profiling purposes, you can object to this type of data processing at any time. After this, we may not use your data for profiling anymore.

7. Right to Not Be Subject to Automated Decision-making (Article 22 GDPR): Under certain circumstances, you have the right not to be subject to a decision based solely on automated processing (e.g., profiling).

8. Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority. This means that you can contact the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights – feel free to contact the responsible entity listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. In Austria, this is the Datenschutzbehörde (data protection authority), whose website can be found at https://www.dsb.gv.at/. In Germany, each federal state has a data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible:

Austrian Data Protection Authority

Head: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Wherever possible, we encrypt or pseudonymize personal data to make it as difficult as possible for third parties to infer personal information from our data.

Art. 25 GDPR refers to “data protection by design and by default,” meaning that both software (e.g., forms) and hardware (e.g., server room access) should always prioritize security and implement appropriate measures. Below, we will go into specific measures if necessary.

TLS Encryption with HTTPS

TLS, encryption, and HTTPS may sound very technical, and indeed, they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet.
This means that the entire transmission of data from your browser to our web server is secured, and no one can “eavesdrop.”

By doing this, we have introduced an additional layer of security and comply with data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, we ensure the protection of confidential data.
You can recognize the use of this secure data transmission by the small padlock symbol at the top left of your browser, to the left of the internet address (e.g., beispielseite.de), and the use of the “https” scheme in our internet address instead of “http.”
If you want to learn more about encryption, we recommend searching “Hypertext Transfer Protocol Secure wiki” on Google to find good links to further information.

Communication

Summary of Communication
👥 Data Subjects: Anyone who communicates with us via phone, email, or online form
📓 Processed Data: e.g., phone number, name, email address, entered form data. More details can be found for each type of contact used
🤝 Purpose: Processing communication with customers, business partners, etc.
📅 Storage Duration: Duration of the business case and legal requirements
⚖️ Legal Bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(b) GDPR (Contract), Art. 6(1)(f) GDPR (Legitimate Interests)

When you contact us and communicate via phone, email, or online form, personal data may be processed.

The data is processed to handle and process your inquiry and the associated business transaction. The data is stored for as long as necessary and as long as required by law.

Data Subjects

All those who seek contact with us through the communication channels provided by us are affected by the mentioned processes.

Phone

When you call us, call data is pseudonymously stored on the respective device and at the telecommunications provider used. Additionally, data such as name and phone number may be sent via email and stored for responding to the inquiry. The data is deleted as soon as the business case is completed and legal requirements allow for deletion.

Email

When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and stored on the email server. The data is deleted as soon as the business case is completed and legal requirements allow for deletion.

Online Forms

When you communicate with us via online forms, data is stored on our web server and may be forwarded to one of our email addresses. The data is deleted as soon as the business case is completed and legal requirements allow for deletion.

Legal Bases

The processing of the data is based on the following legal bases:

– Art. 6(1)(a) GDPR (Consent): You give us consent to store and use your data for purposes related to the business case.
– Art. 6(1)(b) GDPR (Contract): There is a necessity for fulfilling a contract with you or a data processor, such as the telephone provider, or we need to process the data for pre-contractual activities, such as preparing an offer.
– Art. 6(1)(f) GDPR (Legitimate Interests): We aim to conduct customer inquiries and business communication in a professional manner. For this purpose, certain technical facilities, such as email programs, exchange servers, and mobile network providers, are necessary to operate communication efficiently.

Cookies

Summary of Cookies
👥 Data Subjects: Website visitors
🤝 Purpose: Depends on the respective cookie. More details can be found below or from the software manufacturer that sets the cookie.
📓 Processed Data: Depends on the respective cookie. More details can be found below or from the software manufacturer that sets the cookie.
📅 Storage Duration: Depends on the respective cookie, ranging from hours to years
⚖️ Legal Bases: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(f) GDPR (Legitimate Interests)

What are Cookies?

Our website uses HTTP cookies to store user-specific data.
In the following, we will explain what cookies are and why they are used to help you better understand the following privacy policy.

Whenever you browse the internet, you use a browser. Common browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

One thing is undeniable: cookies are really useful helpers. Almost all websites use cookies. More specifically, these are HTTP cookies, as there are also other cookies for different areas of application. HTTP cookies are small files that our website stores on your computer. These cookie files are automatically placed in the cookie folder, which is like the “brain” of your browser. A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data of yours, such as language or personal page settings. When you revisit our site, your browser sends the “user-related” information back to our site. Thanks to cookies, our website knows who you are and offers you the settings you are used to. In some browsers, each cookie has its own file, while in others, such as Firefox, all cookies are stored in a single file.

The following graphic shows a possible interaction between a web browser like Chrome and the web server. In this process, the web browser requests a website and receives a cookie back from the server, which the browser uses again when requesting another page.

There are both first-party cookies and third-party cookies. First-party cookies are created directly by our site, while third-party cookies are created by partner websites (e.g., Google Analytics). Each cookie needs to be assessed individually, as they store different types of data. Also, the expiration time of a cookie varies from a few minutes to a few years. Cookies are not software programs and do not contain viruses, trojans, or other “malware.” Cookies cannot access information on your PC.

Here’s an example of how cookie data may look:

Name: _ga
Value: GA1.2.1326744211.152112539527-9
Purpose: Distinguishing website visitors
Expiration Date: after 2 years

These are the minimum sizes a browser should support:

– At least 4096 bytes per cookie
– At least 50 cookies per domain
– At least 3000 cookies in total

What types of cookies are there?

The specific cookies we use depend on the services used, which will be clarified in the following sections of the privacy policy. Here, we briefly explain the different types of HTTP cookies.

There are 4 types of cookies:

Essential Cookies
These cookies are necessary to ensure basic functionality of the website. For example, they are required when a user adds a product to the shopping cart, then continues browsing other pages, and later proceeds to checkout. These cookies keep the shopping cart intact even if the user closes their browser window.

Functional Cookies
These cookies collect information about user behavior and whether the user receives any error messages. Additionally, they measure the loading time and behavior of the website in different browsers.

Preference Cookies
These cookies enhance user-friendliness. For example, entered locations, font sizes, or form data may be stored.

Advertising Cookies
Also known as targeting cookies, these cookies are used to deliver individually tailored advertising to the user. This can be very convenient, but it may also be bothersome.

Usually, when you visit a website for the first time, you will be asked which types of cookies you want to allow. Your decision will also be stored in a cookie.

If you want to know more about cookies and don’t mind technical documentation, we recommend checking out https://datatracker.ietf.org/doc/html/rfc6265, the Request for Comments by the Internet Engineering Task Force (IETF) called “HTTP State Management Mechanism.”
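As an added example that is not part of this privacy policy, the following Python script parses Set-Cookie response headers as defined in RFC 6265 and records, for each cookie, what the policy says every cookie must be assessed for: its name and value, whether it is first- or third-party, how long it is stored, and whether it stays within the browser minimums quoted above. The site name, hosts and headers are constructed sample data; only the _ga value is taken from the example above.

```python
# Added example (not part of the original privacy policy): a small RFC 6265 Set-Cookie
# parser that records what this policy says each cookie must be assessed for: name, value,
# first- or third-party origin, storage duration, and the browser minimums quoted above.
# Hosts and headers below are constructed sample data.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MIN_COOKIE_BYTES = 4096       # minimum size a browser must support per cookie
MIN_COOKIES_PER_DOMAIN = 50   # minimum number of cookies per domain
NOW = datetime(2023, 7, 6, tzinfo=timezone.utc)  # fixed "now" so lifetimes are reproducible


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute name -> value
    source_host: str = ""                      # host whose response set the cookie

    def lifetime(self):
        """Seconds until expiry, or None for a session cookie (deleted when the
        browser closes). Max-Age wins over Expires, as RFC 6265 section 5.3 requires."""
        if "max-age" in self.attrs:
            return int(self.attrs["max-age"])
        if "expires" in self.attrs:
            return int((parsedate_to_datetime(self.attrs["expires"]) - NOW).total_seconds())
        return None

    def is_third_party(self, site_host: str) -> bool:
        """True when the cookie was set by a host other than the visited site or its subdomains."""
        return not (self.source_host == site_host or self.source_host.endswith("." + site_host))

    def size(self) -> int:
        return len(f"{self.name}={self.value}".encode())


def parse_set_cookie(header: str, source_host: str) -> Cookie:
    """Split 'name=value; Attr; Attr=val' into a Cookie; attribute names are case-insensitive."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs, source_host)


def describe(cookie: Cookie, site_host: str) -> dict:
    """One inventory row in the shape the policy lists cookies: name, value, origin, expiry."""
    secs = cookie.lifetime()
    return {
        "name": cookie.name,
        "value": cookie.value,
        "party": "third" if cookie.is_third_party(site_host) else "first",
        "expires": "end of session" if secs is None else f"after {secs // 86400} days",
        # Protective attributes a site should set on its own cookies; their absence is worth flagging.
        "secure": "secure" in cookie.attrs,
        "httponly": "httponly" in cookie.attrs,
        "samesite": cookie.attrs.get("samesite", "(not set)"),
    }


def check_limits(cookies) -> list:
    """Cookies or hosts above the browser minimums may be silently dropped by the browser."""
    problems, per_host = [], {}
    for c in cookies:
        per_host[c.source_host] = per_host.get(c.source_host, 0) + 1
        if c.size() > MIN_COOKIE_BYTES:
            problems.append(f"{c.name}: {c.size()} bytes exceeds {MIN_COOKIE_BYTES}")
    for host, n in per_host.items():
        if n > MIN_COOKIES_PER_DOMAIN:
            problems.append(f"{host}: {n} cookies exceeds {MIN_COOKIES_PER_DOMAIN} per domain")
    return problems


# Constructed sample: the visited site sets two cookies itself; an embedded analytics host
# sets the _ga cookie shown in the policy (value copied from the example above).
SITE_HOST = "www.example.at"
SAMPLE_HEADERS = [
    ("www.example.at", "session_id=7f3a9c; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("www.example.at", "lang=de; Max-Age=2592000; Path=/; Secure"),
    ("www.google-analytics.com",
     "_ga=GA1.2.1326744211.152112539527-9; Expires=Sat, 05 Jul 2025 00:00:00 GMT; Path=/"),
]


def inventory(headers=SAMPLE_HEADERS, site_host=SITE_HOST) -> list:
    return [describe(parse_set_cookie(h, host), site_host) for host, h in headers]
```

Calling inventory() yields one row per cookie; passing the parsed cookies to check_limits() reports any that exceed the per-cookie size or per-domain count.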

Purpose of Processing through Cookies

The purpose ultimately depends on each specific cookie. More details can be found below or with the manufacturer of the software that sets the cookie.

What Data is Processed?

Cookies serve as assistants for various tasks. Unfortunately, it’s not possible to generalize which data is stored in cookies, but we will inform you about the processed or stored data within the scope of the following privacy policy.

Storage Duration of Cookies

The storage duration depends on the specific cookie and will be specified further below. Some cookies are deleted after less than an hour, while others can be stored on a computer for several years.

You also have control over the storage duration. You can manually delete all cookies via your browser at any time (also see “Right to Object” below). Furthermore, cookies based on consent will be deleted at the latest after you withdraw your consent, while the legality of storage until that point remains unaffected.

Right to Object – How Can I Delete Cookies?

Whether and how you want to use cookies is entirely up to you. Regardless of the service or website the cookies come from, you always have the option to delete, disable, or partially allow cookies. For example, you can block third-party cookies but allow all other cookies.

If you want to find out which cookies are stored in your browser, change or delete cookie settings, you can find this in your browser settings:

Chrome: Delete, enable, and manage cookies in Chrome

Safari: Manage cookies and website data with Safari

Firefox: Delete cookies to remove data that websites have stored on your computer

Internet Explorer: Delete and manage cookies

Microsoft Edge: Delete and manage cookies

If you generally don’t want any cookies, you can set up your browser to always inform you when a cookie is about to be set. This way, you can decide for each individual cookie whether to allow it or not. The procedure varies depending on the browser. It’s best to search for the instructions in Google using the search term “delete cookies Chrome” or “disable cookies Chrome” in the case of a Chrome browser.

Legal Basis

Since 2009, there have been the so-called “Cookie Directives.” These state that storing cookies requires consent (Article 6(1)(a) GDPR) from you. Within the EU countries, however, there are still very different responses to these directives. In Austria, the implementation of this directive was included in § 96(3) of the Telecommunications Act (TKG). In Germany, the cookie directives were not implemented as national law. Instead, the implementation of these directives largely occurred in § 15(3) of the Telemedia Act (TMG).

For strictly necessary cookies, even if no consent is given, there are legitimate interests (Article 6(1)(f) GDPR) that are mostly of an economic nature. We want to provide visitors to the website with a pleasant user experience, and certain cookies are often absolutely necessary for that.

If non-essential cookies are used, this is only done with your consent. The legal basis in this case is Article 6(1)(a) GDPR.

In the following sections, you will be informed in more detail about the use of cookies, if the software used employs cookies.

Explanation of Used Terms

We always strive to make our privacy policy as clear and understandable as possible. Especially with technical and legal topics, this is not always easy, but we want to avoid using legal terms (such as personal data) or certain technical expressions (such as cookies, IP address) without explanation. Below you will find an alphabetical list of important terms used, which we may not have sufficiently explained earlier in this privacy policy. Where these terms are taken from the GDPR and are definitions of terms, we also provide the GDPR texts here and, if necessary, add our own explanations.

Processor

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller;

Explanation: As a company and website owner, we are responsible for all data we process from you. In addition to the responsible parties, there may also be so-called processors. This includes any company or individual that processes personal data on our behalf. Consequently, data processors can include service providers such as tax advisors, as well as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: In most cases, on websites, such consent is obtained through a cookie consent tool. You may be familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner whether you consent to the processing of data. Usually, you can also make individual settings and thus decide for yourself which data processing you allow and which you do not. If you do not consent, no personal data about you may be processed. In principle, consent can also be given in writing, not just through a tool.

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Personal data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

Explanation: Personal data is any data that can identify you as a person. These are usually data such as:

– Name
– Address
– Email address
– Postal address
– Phone number
– Date of birth
– Identification numbers such as social security number, tax identification number, ID number, or student ID number
– Bank data such as account number, credit information, account balance, etc.

According to the European Court of Justice (ECJ), even your IP address is considered personal data. IT experts can identify the approximate location of your device based on your IP address and, consequently, determine you as the account holder. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called “special categories” of personal data, which are particularly protected. These include:

– Racial and ethnic origin
– Political opinions
– Religious or philosophical beliefs
– Trade union membership
– Genetic data, such as data obtained from blood or saliva samples
– Biometric data (information on physical, physiological, or behavioral characteristics that can identify a person)
– Health data
– Data on sexual orientation or sex life

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements;

Explanation: Profiling involves gathering various information about a person to learn more about them. On the web, profiling is often used for advertising purposes or credit checks, for example. Web or advertising analysis programs collect data about your behavior and interests on a website. This results in a specific user profile that can be used to target advertising to a specific audience.

Controller

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Explanation: In our case, we are responsible for the processing of your personal data and thus the “Controller.” If we pass on collected data for processing to other service providers, they are “processors.” A “Data Processing Agreement (DPA)” must be signed for this purpose.

Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term:

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, or combination, restriction, erasure, or destruction;

Note: When we refer to processing in our privacy policy, we mean any kind of data processing. This includes, as mentioned in the original GDPR explanation above, not only collection but also storage and processing of data.

Closing Words

Congratulations! If you are reading these lines, you have truly “fought your way through” our entire privacy policy or at least scrolled to this point. As you can see from the extent of our privacy policy, we take the protection of your personal data anything but lightly.
It is important to us to inform you about the processing of personal data to the best of our knowledge and belief. However, we don’t just want to tell you which data is processed but also explain the reasons for using various software programs in more detail. Privacy policies often sound very technical and legal. However, since most of you are not web developers or lawyers, we wanted to take a different approach in terms of language and explain the matter in simple and clear terms. Of course, this is not always possible due to the topic. Therefore, the most important terms will be explained in more detail at the end of the privacy policy.
If you have any questions about data protection on our website, please do not hesitate to contact us or the responsible party. We wish you a pleasant time and hope to welcome you back to our website soon.

All texts are protected by copyright.