Privacy policy

Privacy policy

Introduction and Overview

We have drafted this Privacy Policy (version 08.10.2025-113065722) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 (GDPR) and applicable national laws, which personal data (hereinafter “data”) we as the controller — and the processors we commission (e.g. hosting providers) — process now and in the future, and which lawful options you have. The terms used are intended to be gender-neutral.

In short: We provide you with comprehensive information about the data we process about you.

Privacy policies often sound very technical and use legal jargon. In contrast, this Privacy Policy is intended to describe the most important points as simply and transparently as possible. Where it supports transparency, technical terms are explained in a reader‑friendly way, links to further information are provided, and graphics may be used. In clear, simple language, we inform you that, in the course of our business activities, we only process personal data when a corresponding legal basis exists. That is certainly not possible if one provides the briefest, most opaque, and overly legal‑technical explanations — the kind that are all too common on the internet when it comes to data protection. We hope you find the following explanations interesting and informative — and perhaps you’ll discover some information you didn’t know before.

If you still have questions, please contact the responsible office listed below or in the legal notice (Imprint), follow the links provided, and consult third‑party resources for more details. You will also find our contact details in the Imprint.

Scope

This Privacy Policy applies to all personal data processed by us within our company, and to all personal data processed by companies commissioned by us (processors). By personal data we mean information within the meaning of Art. 4(1) GDPR, such as a person’s name, email address, and postal address. The processing of personal data enables us to offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy includes:

  • all online presences (websites, online shops) we operate
  • social media presences and email communications
  • mobile apps for smartphones and other devices

In short: This Privacy Policy applies to all areas in which personal data is processed in our company via the channels mentioned. Should we enter into legal relationships with you outside of these channels, we will inform you separately where appropriate.

Legal Bases

In the following Privacy Policy we provide transparent information about the legal principles and provisions — i.e., the legal bases of the GDPR — that allow us to process personal data. With respect to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this GDPR online on EUR‑Lex, the gateway to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

  • Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the information you entered in a contact form.
  • Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre‑contractual obligations with you. For example, if we conclude a purchase agreement with you, we need personal information in advance.
  • Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For instance, we are legally required to retain invoices for accounting purposes, which typically contain personal data.
  • Legitimate interests (Article 6(1)(f) GDPR): Where we have legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and efficiently. Such processing is therefore a legitimate interest.

Other bases such as the performance of a task carried out in the public interest or in the exercise of official authority, and the protection of vital interests, generally do not apply to us. If such a legal basis should nonetheless be relevant, we will indicate it at the corresponding point.

In addition to the EU Regulation, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Natural Persons in the Processing of Personal Data (Datenschutzgesetz, DSG).
  • In Germany, the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG) applies.

Where other regional or national laws apply, we will inform you in the following sections.

Controller’s Contact Details

If you have questions about data protection or the processing of personal data, please find below the contact details of the controller pursuant to Article 4(7) GDPR:

Cincomedia Software GmbH
Innsbrucker Bundesstraße 136 / 3
5020 Salzburg
Austria

Email: in**@********ia.at
Phone: +43 665 65994390
Imprint: https://cincomedia.at/impressum/

Storage Period

As a general principle, we store personal data only for as long as is strictly necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose no longer applies — for example, for accounting purposes.

If you request the deletion of your data or withdraw your consent to data processing, we will delete the data as quickly as possible, provided there is no legal obligation to retain it.

Where we have further information on the specific duration of the respective data processing, we will inform you below.

Rights under the GDPR

Pursuant to Articles 13 and 14 GDPR, we inform you of the following rights to ensure fair and transparent processing:

  • Right of access (Art. 15 GDPR): You have the right to know whether we process data about you. If so, you have the right to receive a copy of the data and to obtain the following information:
    • the purposes of processing;
    • the categories of data processed;
    • the recipients of the data and, where data are transferred to third countries, how security is ensured;
    • the storage period;
    • the existence of the right to rectification, erasure, restriction of processing, and the right to object to processing;
    • the right to lodge a complaint with a supervisory authority (links provided below);
    • the source of the data if we did not collect it from you;
    • whether profiling is carried out, i.e., whether data are evaluated automatically to create a personal profile about you.
  • Right to rectification (Art. 16 GDPR): You have the right to have inaccurate data corrected.
  • Right to erasure (Art. 17 GDPR): You have the right to request deletion of your data (“right to be forgotten”).
  • Right to restriction of processing (Art. 18 GDPR): You have the right to restrict processing, meaning we may only store the data but not use it further.
  • Right to data portability (Art. 20 GDPR): Upon request, we will provide your data in a commonly used format.
  • Right to object (Art. 21 GDPR): You have the right to object to processing, which, once exercised, will result in a change in processing. If processing is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interests), you may object. We will then promptly assess whether we can legally comply with your objection.
  • If data are used for direct marketing, you may object at any time. We will then no longer use your data for direct marketing.
  • If data are used for profiling, you may object at any time. We will then no longer use your data for profiling.
  • Right not to be subject to automated decision‑making (Art. 22 GDPR): You may have the right not to be subject to a decision based solely on automated processing (e.g., profiling).
  • Right to lodge a complaint (Art. 77 GDPR): You can lodge a complaint with a supervisory authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights — please do not hesitate to contact the responsible office listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, you can lodge a complaint with a supervisory authority. In Austria, this is the Data Protection Authority (DSB), whose website you will find at https://www.dsb.gv.at/. In Germany, each federal state has a data protection officer. For more information, please contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local supervisory authority is competent for our company:

Austria – Data Protection Authority
Head: Dr. Matthias Schmidl
Address: Barichgasse 40–42, 1030 Vienna
Phone: +43 1 52 152‑0
Email: ds*@****gv.at
Website: https://www.dsb.gv.at/

Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. Within our means, this makes it as difficult as possible for third parties to infer personal information from our data.

Article 25 GDPR refers to “data protection by design and by default,” meaning that both in software (e.g., forms) and hardware (e.g., access to the server room) one always considers security and implements appropriate measures. Where necessary, we describe specific measures below.

Communication

Communication – Summary
👥 Data subjects: Anyone who communicates with us by phone, email, or online form
📓 Data processed: e.g., phone number, name, email address, form entries. Details are provided for each communication method used.
🤝 Purpose: Handling communication with customers, business partners, etc.
📅 Storage period: Duration of the business case and statutory retention periods
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)

When you contact us and communicate by phone, email, or online form, personal data may be processed.

The data are processed to handle and manage your inquiry and the related business transaction. The data are stored for as long as necessary for that purpose and as long as required by law.

Data Subjects
All individuals who use the communication channels we provide to contact us are affected by the above processes.

Telephone
If you call us, call data are pseudonymized and stored on the respective device and by the telecommunications provider used. In addition, data such as name and telephone number may be sent subsequently by email and stored for the purpose of responding to the inquiry. The data are deleted once the business case has been completed and where permitted by law.

Email
If you communicate with us by email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and on the email server. The data are deleted once the business case has been completed and where permitted by law.

Online Forms
If you communicate with us using an online form, data are stored on our web server and may be forwarded to one of our email addresses. The data are deleted once the business case has been completed and where permitted by law.

Legal Bases
Data processing is based on the following legal bases:

  • Art. 6(1)(a) GDPR (consent): You give us consent to store your data and use it further for purposes related to the business case;
  • Art. 6(1)(b) GDPR (contract): Processing is necessary for the performance of a contract with you or with a processor (e.g., the telephone provider), or for pre‑contractual measures such as preparing an offer;
  • Art. 6(1)(f) GDPR (legitimate interests): We aim to conduct customer inquiries and business communications professionally. Certain technical facilities (e.g., email programs, exchange servers, mobile network operators) are necessary to conduct communication efficiently.

Data Processing Agreement (DPA)

In this section, we explain what a Data Processing Agreement (DPA) is and why it is needed. Like most companies, we do not work alone; we also use the services of other companies or individuals. By involving various companies or service providers, we may transmit personal data for processing. These partners then act as processors, with whom we conclude a contract — the so‑called Data Processing Agreement (DPA). Most importantly for you: processing of your personal data is carried out exclusively on our instructions and must be governed by a DPA.

Who are processors?
We, as a company and website owner, are responsible for all data we process about you. In addition to controllers, there are also so‑called processors. This includes any company or person who processes personal data on our behalf. More precisely, according to the GDPR definition: any natural or legal person, public authority, agency, or other body that processes personal data on our behalf is a processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

For clarity, here is an overview of the three roles under the GDPR:

Data subject (you as a customer or prospect) → Controller (us as the company and client) → Processor (service providers such as web hosts or cloud providers)

Content of a DPA
As noted above, we have concluded DPAs with our partners who act as processors. They stipulate foremost that the processor processes the data exclusively in accordance with the GDPR. The contract must be concluded in writing; however, electronic conclusion is also deemed “in writing” for this purpose. Processing of personal data takes place only on the basis of the contract. The contract must contain the following:

  • Binding to us as the controller
  • Duties and rights of the controller
  • Categories of data subjects
  • Types of personal data
  • Nature and purpose of data processing
  • Subject matter and duration of data processing
  • Place of data processing

The contract also sets out all obligations of the processor. Key obligations include:

  • ensuring data security measures;
  • implementing appropriate technical and organizational measures to protect data subjects’ rights;
  • maintaining a record of processing activities;
  • cooperating with the supervisory authority upon request;
  • conducting a risk analysis for the personal data received;
  • engaging sub‑processors only with the controller’s written authorization.

You can find an example of what a DPA looks like at this WKO sample contract.

Cookies

Cookies – Summary
👥 Data subjects: Website visitors
🤝 Purpose: depends on the respective cookie. More details can be found below or from the software provider that sets the cookie.
📓 Data processed: depends on the cookie used. More details can be found below or from the software provider that sets the cookie.
📅 Storage period: depends on the respective cookie; may vary from hours to years
⚖️ Legal bases: Art. 6(1)(a) GDPR (consent), Art. 6(1)(f) GDPR (legitimate interests)

What are cookies?

Our website uses HTTP cookies to store user‑specific data. Below, we explain what cookies are and why they are used so that you can better understand the following Privacy Policy.

Whenever you browse the internet, you use a browser. Well‑known browsers include Chrome, Safari, Firefox, Internet Explorer, and Microsoft Edge. Most websites store small text files in your browser. These files are called cookies.

It’s undeniable: cookies are truly useful little helpers. Nearly all websites use cookies — specifically, HTTP cookies, since there are other types of cookies for other applications. HTTP cookies are small files stored by our website on your computer. These cookie files are automatically placed in your browser’s cookie folder — essentially your browser’s “memory.” A cookie consists of a name and a value. When defining a cookie, one or more attributes must also be specified.

Cookies store certain user data such as language or personal site settings. When you revisit our site, your browser sends the “user‑related” information back to our site. Thanks to cookies, our website recognizes you and offers the settings you are used to. In some browsers, each cookie has its own file, while in others, such as Firefox, all cookies are stored in a single file.

The following graphic shows a possible interaction between a web browser (e.g., Chrome) and a web server. The web browser requests a website and receives a cookie from the server, which the browser uses again as soon as another page is requested.

HTTP cookie interaction between browser and web server

There are both first‑party and third‑party cookies. First‑party cookies are created directly by our site; third‑party cookies are created by partner websites (e.g., Google Analytics). Each cookie must be evaluated individually because each cookie stores different data. The expiration time of a cookie also varies — from a few minutes to several years. Cookies are not software programs and do not contain viruses, trojans, or other “malware.” Cookies also cannot access information on your PC.

Here is an example of cookie data:

  • Name: _ga
  • Value: GA1.2.1326744211.152113065722-9
  • Purpose: distinguishing website visitors
  • Expiration: after 2 years

Minimum sizes that a browser should support:

  • At least 4096 bytes per cookie
  • At least 50 cookies per domain
  • At least 3000 cookies in total

What types of cookies are there?

The specific cookies we use depend on the services employed and are described in the following sections of the Privacy Policy. At this point, we briefly introduce the various types of HTTP cookies:

  1. Essential cookies
    These cookies are necessary to ensure basic website functions. For example, when a user puts a product in the shopping cart, then continues browsing other pages and later proceeds to checkout, these cookies ensure that the cart is not deleted, even if the user closes the browser window.
  2. Functional cookies
    These cookies collect information about user behavior and whether users receive error messages. They also help measure loading times and website behavior across different browsers.
  3. Preference‑oriented cookies
    These cookies improve user friendliness. For example, they store entered locations, font sizes, or form data.
  4. Advertising cookies
    Also known as targeting cookies, these deliver individually tailored advertising to users. This can be very useful — but also annoying.

Usually, when you first visit a website, you are asked which of these cookie types you wish to allow. And naturally, that decision is also stored in a cookie.

If you want to learn more about cookies and don’t mind technical documentation, we recommend the IETF’s Request for Comments called “HTTP State Management Mechanism”: https://datatracker.ietf.org/doc/html/rfc6265.

Purpose of processing via cookies

The purpose ultimately depends on the respective cookie. More details can be found below or from the software provider that sets the cookie.

What data are processed?

Cookies are small helpers for many different tasks. It is not possible to generalize which data are stored in cookies, but we inform you within this Privacy Policy about the data processed or stored.

Storage period for cookies

The storage period depends on the respective cookie and is specified below. Some cookies are deleted in less than an hour; others can remain stored on a computer for several years.

You can also influence the storage period yourself. You can delete all cookies manually at any time via your browser (see also “Right to object”). Furthermore, cookies that are based on consent are deleted at the latest after you withdraw your consent, without affecting the lawfulness of storage up to that point.

Right to object – how can I delete cookies?

You decide how and whether you wish to use cookies. Regardless of the service or website from which the cookies originate, you can always delete, deactivate, or partially allow cookies. For example, you can block third‑party cookies while allowing all other cookies.

If you want to find out which cookies have been stored in your browser, or if you want to change or delete cookie settings, you can do so in your browser settings:

  • Chrome: Delete, enable, and manage cookies in Chrome
  • Safari: Manage cookies and website data with Safari
  • Firefox: Delete cookies to remove data that websites have stored on your computer
  • Internet Explorer: Delete and manage cookies
  • Microsoft Edge: Delete and manage cookies

If you generally do not want cookies, you can set your browser to always inform you when a cookie is to be set. This way, you can decide on a case‑by‑case basis whether to allow the cookie. The procedure differs depending on the browser. It’s best to search for instructions on Google with the term “delete cookies Chrome” or “disable cookies Chrome,” if you use the Chrome browser, for example.

Legal basis

Since 2009 there have been the so‑called “cookie directives,” which stipulate that storing cookies requires your consent (Article 6(1)(a) GDPR). However, EU countries have responded very differently to these directives. In Austria, implementation took place in Section 165(3) of the Telecommunications Act (2021). In Germany, the cookie directives were not implemented as national law; instead, they were largely implemented in Section 15(3) of the Telemedia Act (TMG), which since May 2024 has been replaced by the Digital Services Act (DDG).

For strictly necessary cookies, even where consent is not present, legitimate interests (Article 6(1)(f) GDPR) apply — in most cases economic in nature. We want to offer our website visitors a pleasant user experience, and certain cookies are often indispensable for this.

Where non‑essential cookies are used, this happens only with your consent. The legal basis in this respect is Art. 6(1)(a) GDPR.

In the following sections, you will find more detailed information about the use of cookies where the software we employ uses them.

Web Hosting – Introduction

Web Hosting – Summary
👥 Data subjects: Website visitors
🤝 Purpose: Professional hosting of the website and ensuring operations
📓 Data processed: IP address, time of website visit, browser used, and other data. More details can be found below or from the web hosting provider used.
📅 Storage period: Depends on the provider, but generally 2 weeks
⚖️ Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

What is web hosting?

When you visit websites nowadays, certain information — including personal data — is automatically created and stored, and this applies to our website as well. Such data should be processed as sparingly as possible and only for good reason. By “website,” we mean all pages on a domain — everything from the homepage to the very last subpage (such as this one). By “domain,” we mean, for example, example.com.

To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You likely know several by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari.

To display the website, the browser must connect to another computer where the website code is stored: the web server. Operating a web server is complex and demanding, which is why it is usually handled by professional providers. They offer web hosting and thereby ensure reliable and error‑free storage of website data. That’s a lot of technical terminology — but bear with us!

When your browser connects from your device (desktop, laptop, tablet, or smartphone) and during the transfer of data to and from the web server, personal data may be processed. On the one hand, your device stores data; on the other hand, the web server must also store data for a period to ensure proper operation.

A picture is worth a thousand words — hence the graphic illustrating the interaction among browser, the internet, and the hosting provider.

Browser and web server

Why do we process personal data?

The purposes of processing are:

  • Professional hosting of the website and ensuring operations;
  • Maintaining operational and IT security;
  • Anonymous analysis of access behavior to improve our offering and, if necessary, for law enforcement or assertion of claims.

What data are processed?

Even while you are visiting our website right now, our web server — the computer on which this website is stored — usually automatically stores data such as:

  • the complete internet address (URL) of the page accessed;
  • browser and browser version (e.g., Chrome 87);
  • the operating system used (e.g., Windows 10);
  • the address (URL) of the previously visited page (referrer URL);
  • the host name and IP address of the device from which access occurs (e.g., COMPUTERNAME and 194.23.43.121);
  • date and time,

in files known as web server log files.

How long are data stored?

As a rule, the data mentioned above are stored for two weeks and then automatically deleted. We do not share this data, but we cannot rule out that authorities may access it in cases of unlawful behavior.

In short: Your visit is logged by our provider (the company that runs our website on special computers/servers), but we do not pass on your data without consent!

Legal basis

The lawfulness of processing personal data in the context of web hosting arises from Art. 6(1)(f) GDPR (legitimate interests), because using professional hosting with a provider is necessary to present the company securely and user‑friendly on the internet and to pursue attacks and claims where applicable.

As a rule, we have a processing contract with the hosting provider pursuant to Art. 28 et seq. GDPR, which ensures compliance with data protection and guarantees data security.

1&1 IONOS Web Hosting – Privacy Policy

1&1 IONOS Web Hosting – Summary
👥 Data subjects: Website visitors
🤝 Purpose: Hosting the website and providing internet accessibility
📓 Data processed: IP address, and especially technical data
📅 Storage period: Visitor data are deleted after 8 weeks
⚖️ Legal basis: Art. 6(1)(f) GDPR (legitimate interests)

What is 1&1 IONOS Web Hosting?

To host our website, we use the web hosting services of IONOS by 1&1. In Germany, 1&1 IONOS SE is located at Elgendorfer Str. 57, 56410 Montabaur. In Austria, 1&1 IONOS SE can be found at Gumpendorfer Straße 142/PF 266, 1060 Vienna.

IONOS provides the following services around web hosting: domain, website & shop, hosting & WordPress, marketing, email & office, IONOS Cloud, and servers. With over 22 million domains, nearly 9 million customer contracts, and 100,000 servers, IONOS is one of the largest German players in web hosting.

As mentioned in our introductory words on web hosting: hosting also results in your data or your device’s data being stored on IONOS servers. First and foremost, your IP address — which is a personal data point — is stored. In addition, technical data such as the URL of our website, the name of your internet browser, or the operating system you use are also stored.

Why do we use 1&1 IONOS Web Hosting?

IONOS was founded in Germany in 1988 and thus has more than 30 years of experience. That does not mean, however, that the company has not continued to evolve technologically. This combination of experience and innovative spirit provides, in our view, a solid foundation for our website. Ultimately, we want our website to function smoothly 24/7 while ensuring a high level of security. Since IONOS does not limit monthly data traffic and provides plenty of storage space, our website remains powerful even with many visitors. We are very satisfied with the site’s speed, and the price‑performance ratio currently meets our needs.

Which data are processed by 1&1 IONOS Web Hosting?

1&1 IONOS Web Hosting may also process your personal data. When you visit our website, the following data from you and/or your computer are stored by IONOS:

  • the previously visited website (referrer);
  • the requested website (in this case, our website);
  • browser type and version;
  • your operating system and device type;
  • time of page access;
  • your IP address in anonymized form.

The data collected are used to increase website security, detect possible errors, and perform anonymous statistical analyses. According to IONOS, the anonymized IP address is used only to determine the place of access.

How long and where are data stored?

Data are stored on IONOS’s own servers. In principle, IONOS stores the data for as long as necessary to fulfill its obligations. Visitor data are stored for 8 weeks. Data may be stored longer, for example, to retain evidence for possible legal disputes. Visitor data are not shared with third parties and are not transferred to a country outside the EU.

How can I delete my data or prevent storage?

You have the right at any time to obtain information, rectification, erasure, and restriction of processing of your personal data. You may also withdraw your consent to data processing at any time.

If you want to generally deactivate, delete, or manage cookies, you will find links to the respective instructions for the most common browsers in the “Cookies” section.

Legal basis

We have a legitimate interest in using IONOS to provide our online service. Professional hosting by a provider is required to present our company securely and user‑friendly on the internet and to be able to pursue possible cyberattacks. The corresponding legal basis is Art. 6(1)(f) GDPR (legitimate interests).

You can find much more information about data protection at IONOS in their privacy policy at https://www.ionos.com/terms-gtc/privacy-policy. If you have further questions on data protection, you can also contact the IONOS data protection team by email at da*********@***os.de.

Data Processing Agreement (DPA) with IONOS

Pursuant to Article 28 GDPR, we have concluded a Data Processing Agreement (DPA) with IONOS. For what a DPA is and what it should contain, see our general section “Data Processing Agreement (DPA)” above.

This contract is required by law because IONOS processes personal data on our behalf. It stipulates that IONOS may process data received from us only on our instructions and must comply with the GDPR. You can find the link to IONOS’s DPA information at this IONOS page.

Explanation of Terms Used

We strive to draft our Privacy Policy as clearly and understandably as possible. However, this is not always easy, especially with technical and legal topics. It often makes sense to use legal terms (e.g., personal data) or certain technical expressions (e.g., cookies, IP address). We do not want to use these terms without explanation. Below you will find an alphabetical list of important terms used that we may not have explained sufficiently above. Where these terms are taken from the GDPR and constitute definitions, we include the GDPR text and, if appropriate, add our own explanations.

Processor

Definition under Article 4 GDPR: “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Explanation: We, as a company and website owner, are responsible for all data we process about you. In addition to controllers, there are also processors. This includes any company or person who processes personal data on our behalf. Processors can include, in addition to service providers such as tax advisors, hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition under Article 4 GDPR: “Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Explanation: On websites, such consent usually occurs via a cookie consent tool. You likely know this: the first time you visit a website, a banner typically asks whether you consent to data processing. Usually you can also make individual settings and thus decide which data processing you allow and which you do not. If you do not consent, no personal data about you may be processed. Of course, consent can also be given in writing — i.e., not via a tool.

Personal data

Definition under Article 4 GDPR: “Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Explanation: Personal data are all data that can identify you as a person. These are typically data such as:

  • name
  • address
  • email address
  • postal address
  • telephone number
  • date of birth
  • identifiers such as social security number, tax ID, ID card number, or matriculation number
  • bank data such as account number, credit information, account balances, etc.

According to the Court of Justice of the European Union (CJEU), your IP address is also considered personal data. Based on your IP address, IT specialists can determine at least the approximate location of your device and, subsequently, you as the subscriber. Therefore, storing an IP address also requires a legal basis within the meaning of the GDPR. There are also “special categories” of personal data that are particularly worthy of protection, including:

  • racial and ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data (e.g., data from blood or saliva samples)
  • biometric data (information on physical, physiological, or behavioral characteristics that can identify a person)
  • health data
  • data on sexual orientation or sex life

Profiling

Definition under Article 4 GDPR: “Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Explanation: In profiling, various pieces of information about a person are compiled to learn more about that person. In the web context, profiling is often used for advertising or credit checks. Web or advertising analytics programs collect data about your behavior and interests on a website. This results in a specific user profile that can be used to deliver advertising targeted to a particular audience.

Controller

Definition under Article 4 GDPR: “Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Explanation: In our case, we are responsible for processing your personal data and are thus the “controller.” If we pass collected data to other service providers for processing, they are “processors.” A “Data Processing Agreement (DPA)” must be signed for this.

Processing

Definition under Article 4 GDPR: “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Note: When we speak of processing in this Privacy Policy, we mean any type of data processing. As mentioned in the original GDPR definition above, this includes not only collection but also storage and further processing of data.

All texts are protected by copyright.

Source: Privacy Policy created with the Privacy Policy Generator for Austria by AdSimple