Privacy policy

DATA PROTECTION STATEMENT / OBLIGATION TO INFORM (April 2018)

We are deeply committed to protecting your data, which is why we process your personal data in accordance with the applicable data protection regulations, in particular the EU-GDPR and the Austrian Data Protection Act (DSG).

Please see below for more in-depth information about how we process your data:

  1. Controller
Herbert Handlos Gesellschaft m.b.H.
Schulstraße 20
A-4284 Tragwein
Tel.: +43 7263 88317

As we are not legally obliged to do so, we have not appointed a data protection officer with the data protection authority.

  2. How we process your personal data

2.1 Accounting and logistics

  • Purpose: Data is processed and transmitted in the context of a business relationship with customers and suppliers. This includes text documents (such as correspondence) relating to these matters that have been generated and archived with the aid of automated systems.
  • Legal basis: Processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), for compliance with a legal obligation (Art 6(1)(c) EU-GDPR), for the purposes of the legitimate interests, in particular defence, exercise and assertion of legal claims (Art 6(1)(f) EU-GDPR), the data subject has given explicit consent (Art 9(2)(a) EU-GDPR), or processing is necessary for the purposes of carrying out the obligations under labour law and social law (Art 9(2)(b) EU-GDPR).
  • Retention period: Until termination of the business relationship or until expiry of the guarantee, warranty, limitation or statutory retention periods applicable to the client (in particular the Austrian Federal Tax Code); beyond this until the end of any legal disputes in which the data is required as evidence.
  • Categories of recipients: Legal representatives; courts; banks for the processing of payment transactions; auditors for auditing purposes; competent administrative authorities, in particular tax authorities; collection companies for debt collection; third-party financiers such as leasing or factoring companies and assignees, insofar as the product or service is funded by third-party financing in this way; contractual or business partners who are involved or intended to be involved in the product or service; insurance companies for the conclusion of insurance contracts for the product/service or the occurrence of an insured event; the Austrian Federal Statistical Office for the compilation of statutory (official) statistics; the Group Executive Board of the controller, in the case of suppliers, commercial customers and major customers, customers (recipients of services).

 

2.2 Human resources and job applicant management

  • Purpose: Data is processed and transmitted for wage, salary and remuneration accounting purposes and compliance with recording, information and reporting obligations, insofar as this is required in each case on the basis of laws or standards of collective legal provisions or contractual obligations. This includes text documents (such as correspondence) relating to these matters that have been generated and archived with the aid of automated systems. This processing may be carried out by any client who employs workers under private law, with the exception of staff covered by the special applications of public sector employers; use and retention of personal data of applicants, if such data has been provided by the data subject.
  • Legal basis: The data subject has given consent (Art 6(1)(a) EU-GDPR), processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), for compliance with a legal obligation (Art 6(1)(c) EU-GDPR), for the purposes of the legitimate interests, in particular defence, exercise and assertion of legal claims (Art 6(1)(f) EU-GDPR), the data subject has given explicit consent (Art 9(2)(a) EU-GDPR), processing is necessary for the purposes of carrying out the obligations under labour law and social law (Art 9(2)(b) EU-GDPR), processing is necessary for the establishment, exercise or defence of legal claims (Art 9(2)(f) EU-GDPR), legal duties of care (Art 10 EU-GDPR in conjunction with Section 4(3)(2) DSG), legitimate interest (Art 10 EU-GDPR in conjunction with Section 4(3)(2) DSG)
  • Retention period: Until termination of the relationship with the data subject and beyond that as long as there is a statutory retention period or as long as legal claims arising from the employment relationship can be asserted against the employer (esp. issuing references, etc.). Job applicants’ data will be deleted immediately after the advertised position has been filled, unless they have given their consent for their data to be kept on file; speculative applications will be kept on file. The record retention period is 9 months; after 9 months, the data kept on file will be deleted.
  • Recipients/categories of recipients: Creditors of the data subject and other parties involved in any associated legal proceedings, also in the case of voluntary salary transfers for any claims; social insurance institutions (including company health insurance funds); election committees for works council elections; Labour inspectorate, transport labour inspectorate and agricultural and forestry inspectorate, esp. under section 8 of the Labour Inspection Act; bodies representing the interests of employees (esp. works councils under section 89(4) of the Labour Constitution Act (ArbVG), safety representatives under section 10 of the Health and Safety Act (ASchG), youth representatives under section 125ff of the ArbVG and representatives of disabled workers under section 22a of the Disability Employment Act (BEinstG)); municipal authorities in administrative police matters; district administrative authorities in administrative police matters (trade authorities, responsibilities under ASchG, etc.); apprenticeship office under section 19 of the Federal Vocational Training Act (BAG) and vocational schools; labour exchange service; construction workers’ holiday and severance pay fund; Federal Office for Social Affairs and Disabled Persons, e.g. section 16 of the BEinstG; tax office; insurance institutions within the framework of an existing group or individual insurance; banks involved in the payment to the data subject or to third parties; trade union indicated by the employee, with the consent of the data subject; statutory interest group representatives; works council fund pursuant to section 73 (3) of the ArbVG; company doctors; pension funds; audit office; legal representatives; courts; co-insured persons; employee provision fund (MVK) pursuant to section 11 (2) Z and section 13 of the Company Employee Pension Act (BMVG).

 

2.3 Customer and supplier support/administration and marketing

  • Purpose: Use of own or purchased data of customers and prospective customers for the initiation of a business relationship pertaining to the company’s own range of products or services. This includes text documents (such as correspondence) relating to these matters that have been generated and archived with the aid of automated systems.
  • Legal basis: The data subject has given consent (Art 6(1)(a) EU-GDPR), processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), for the purposes of the legitimate interests, in particular defence, exercise and assertion of legal claims (Art 6(1)(f) EU-GDPR)
  • Retention period: The data may be retained until the end of the third year after the last contact with the client, unless longer contractual or legal retention periods exist.
  • Recipients/categories of recipients: none

 

2.4 Video surveillance

  • Purpose: To protect the controller’s property and employees and to protect their responsibilities (the fulfilment of traffic safety obligations, contractual liability vis-à-vis customers, etc.) as well as for the purpose of preventing, containing and clarifying conduct relevant under criminal law. Results are to be evaluated exclusively in the event of a specific incident defined by the purpose.
  • Legal basis: For compliance with a legal obligation (Art 6(1)(c) EU-GDPR), or for the purposes of legitimate interests (Art 6(1)(f) EU-GDPR), section 12(2) DSG, for the defence, exercise and assertion of legal claims (Art 9(2)(f) EU-GDPR), the purposes of legitimate interests - transmission of records of criminal offences to the competent law enforcement authorities for the purpose of prosecution (Art 10 in conjunction with Section 4(3)(2) of the DSG)
  • Retention period: Personal data must be deleted within no more than 72 hours after recording, unless a longer retention period has been expressly stipulated by law, by an official legal act, in a works agreement or with the consent of the staff representatives. In the event of a specific incident, until the incident has been dealt with or until it has been passed on to the competent authority.
  • Recipients/categories of recipients: Courts and public authorities

 

2.5 User ID management

  • Purpose: To control access to the system and to manage user IDs for the client’s data applications, to manage the allocation of hardware and software to the system users. This includes text documents (such as correspondence) relating to these matters that have been generated and archived with the aid of automated systems.
  • Legal basis: Processing is necessary for compliance with a legal obligation, in particular compliance with access controls (e.g. password guidelines) or access authorisations (Art 6(1)(c) EU-GDPR), for the purposes of the legitimate interests, in particular defence, exercise and assertion of legal claims (Art 6(1)(f) EU-GDPR)
  • Retention period: Data is deleted when the data subject’s system rights have expired and any legal proceedings in which the data is needed as evidence have been concluded. Data will be deleted in any case, however, if legal retention periods no longer apply.
  • Recipients/categories of recipients: none

 

2.6 Physical access control with personal data

  • Purpose: To enable the owner or authorised user to control access to buildings and demarcated areas with the aid of systems that automatically detect and store personal data. This includes text documents (such as correspondence) relating to these matters that have been generated and archived with the aid of automated systems.
  • Legal basis: The data subject has given consent (Art 6(1)(a) EU-GDPR), processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), for compliance with a legal obligation to implement technical and organisational measures for the protection of personal data (Art 6(1)(c) EU-GDPR), for the purposes of the legitimate interests, in particular defence, exercise and assertion of legal claims (Art 6(1)(f) EU-GDPR), the data subject has given explicit consent (Art 9(2)(a) EU-GDPR), or processing is necessary for the purposes of carrying out the obligations under labour law and social law (Art 9(2)(b) EU-GDPR)
  • Retention period: Until access authorisation is terminated and beyond that for as long as a statutory retention period exists or as long as special legal claims arising from the employment relationship can be asserted against the employer. If no special retention periods exist, the data must be deleted six months after access authorisation ends.
  • Recipients/categories of recipients: Courts and public authorities

 

2.7 Cookies/web analytics services

We use the web analytics service Google Analytics on our website. This web analytics service uses cookies, which are small text files that are stored on your end device (computer, smartphone, etc.) with the aid of the browser you are using. This allows us to analyse how people use our website. The data generated in this way is transmitted to the provider’s server and stored there.

We do not use cookies until you have given your consent. We may, however, use cookies without your consent if their sole purpose is to facilitate the transmission of a message across a communications network or if they are strictly necessary to enable us to provide the service you have specifically requested.

You can also change your browser settings at any time to prevent cookies from being stored.

  • Purpose: To improve our range of services, website and direct marketing.
  • Legal basis: The data subject has given consent (Art 6(1)(a) EU-GDPR), processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), for the purposes of the legitimate interests, in particular to improve the company’s services for the benefit of users (Art 6(1)(f) EU-GDPR), section 96(3) Telecommunications Act (TKG)
  • We collect the following data: your IP address
  • Retention period: 26 months
  • Recipient: Google Inc.; an order processing agreement has been concluded

 

We wish to inform you that according to Art 21 EU-GDPR, you have the right to object to the processing of your personal data at any time on grounds relating to your particular situation. This only applies if the data processing is necessary to protect our legitimate interests or those of a third party (Art 6(1)(f) EU-GDPR).

Please refer to Section 3 for information on how to exercise your right of objection.

 

2.8 Electronic newsletter

You have the option of subscribing to our newsletter via our website (this option/newsletter is not available yet!). To do so, you must state that you consent to receiving the newsletter (opt-in).

  • Purpose: To send a newsletter
  • Legal basis: The data subject has given consent (Art 6(1)(a) EU-GDPR), processing is necessary for the performance of a contract and in order to take steps prior to entering into a contract (Art 6(1)(b) EU-GDPR), section 107 TKG
  • We collect the following data: your email address, your name
  • Retention period: Until you withdraw your consent to receive the newsletter
  • Recipients/categories of recipients: Analysis service / service provider company

We wish to inform you that you have the right to withdraw your consent at any time without stating the reasons. The withdrawal of consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.

Please refer to Section 3 for information on how to exercise your right to withdraw your consent.

 

  3. Data subject rights/right to withdraw consent/right to lodge a complaint

3.1 You have the right of access (Art 15 EU-GDPR), right to rectification (Art 16 EU-GDPR), right to erasure (Art 17 EU-GDPR), right to restriction of processing (Art 18 EU-GDPR), right to data portability (Art 20 EU-GDPR) and the right to object (Art 21 EU-GDPR).

If you have given us your consent to process your personal data, you can withdraw this consent at any time. The withdrawal of consent shall however not affect the lawfulness of processing based on your consent before its withdrawal.

 

To exercise the rights listed above, you must inform us in person, by telephone or in writing:

Herbert Handlos Gesellschaft m.b.H.
Attn: IT Administrator
Schulstrasse 20
A-4284 Tragwein
Tel.: +43 7263 88317

Please note that we cannot provide you with information unless you can identify yourself.

 

3.2 If you believe that your data is being processed in breach of applicable data protection law or that we are violating your data protection rights, you have the right to lodge a complaint with the supervisory authority.

Please address your complaint to:

Österreichische Datenschutzbehörde
Wickenburggasse 8
A-1080 Vienna