Privacy

Introduction and Overview

We have written this privacy policy (version 26.01.2023-122397927) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (referred to as data) we as controllers – and the processors commissioned by us (e.g. providers) – process, will process in the future, and what legal options you have. The terms used are to be understood as gender-neutral.
In short: We inform you comprehensively about the data we process about you.

Privacy policies usually sound very technical and use legal terminology. This privacy policy, however, is intended to describe the most important things to you as simply and transparently as possible. Where it promotes transparency, technical terms are explained in a reader-friendly way, links to further information are provided, and graphics are used. We thus inform you in clear and simple language that we only process personal data within the scope of our business activities when there is a legal basis for doing so. That is certainly not possible if one gives very brief, unclear, and legally-technical explanations, as is often standard on the internet when it comes to data protection. I hope you find the following explanations interesting and informative—and perhaps there is one or another piece of information you did not yet know.
If any questions remain, we kindly ask you to contact the responsible entity named below or in the legal notice, follow the provided links, and consult further information on third-party sites. Our contact details can of course also be found in the legal notice.

Scope of Application

This privacy policy applies to all personal data processed by us in the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR, such as the name, email address, and postal address of a person. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline. The scope of this privacy policy includes:

• all online presences (websites, online shops) that we operate
• social media presences and email communication
• mobile apps for smartphones and other devices

In short: The privacy policy applies to all areas in which personal data is processed in a structured manner via the aforementioned channels within the company. If we enter into legal relationships with you outside these channels, we will inform you separately if necessary.

Legal Bases

In the following privacy policy, we provide you with transparent information about the legal principles and regulations—that is, the legal bases of the General Data Protection Regulation—that allow us to process personal data.
Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can of course read this EU General Data Protection Regulation online on EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

1. Consent (Article 6 Paragraph 1 lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you enter in a contact form.
2. Contract (Article 6 Paragraph 1 lit. b GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, when we conclude a purchase contract with you, we need personal information in advance.
3. Legal obligation (Article 6 Paragraph 1 lit. c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting purposes. These typically contain personal data.
4. Legitimate interests (Article 6 Paragraph 1 lit. f GDPR): In cases of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and economically. This processing thus constitutes a legitimate interest.

Other conditions, such as processing in the public interest, the exercise of official authority, or the protection of vital interests, generally do not apply to us. If such a legal basis should become relevant, it will be specified at the appropriate point.

In addition to the EU regulation, national laws also apply:

• In Austria, this is the Federal Act concerning the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act), abbreviated as DSG.
• In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.

If additional regional or national laws apply, we will inform you in the following sections.

Contact Details of the Responsible Party

If you have any questions about data protection or the processing of personal data, you will find the contact details of the responsible person or entity below:

Contact Details of the Data Protection Officer
If you have any questions about data protection, you will find the contact details of the responsible person or entity below:

Mag. Markus Sax, MBA
Aurikelweg 10
Wien
1220 Österreich
E-mail: office@conventura.at
Tel: +43 664 827 70 81
Legal Notice: https://conventura.at

Storage Duration

As a general principle, we only store personal data for as long as is absolutely necessary to provide our services and products. This means we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obligated to retain certain data even after the original purpose no longer applies—for example, for accounting purposes.

If you request the deletion of your data or revoke your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it.

We will inform you below about the specific duration of the respective data processing, if we have further information on this.

Rights Under the General Data Protection Regulation

In accordance with Articles 13 and 14 of the GDPR, we inform you about the following rights to ensure fair and transparent data processing:

• According to Article 15 GDPR, you have the right to obtain confirmation as to whether or not we are processing personal data about you. If we are, you have the right to receive a copy of the data and to be informed about the following:
  • the purpose of the processing;
  • the categories, i.e., types of data being processed;
  • who receives this data and, if the data is transferred to third countries, how the security of the data is ensured;
  • how long the data is stored;
  • the existence of the rights to rectification, erasure, restriction of processing, and objection to processing;
  • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
  • the origin of the data, if it was not collected from you;
  • whether profiling is carried out, meaning whether data is automatically analyzed to form a personal profile about you.
• According to Article 16 GDPR, you have the right to rectification of your data, which means we must correct any errors you find.
• According to Article 17 GDPR, you have the right to erasure ("right to be forgotten"), which specifically means you may request the deletion of your data.
• According to Article 18 GDPR, you have the right to restrict processing, which means we may only store your data but not use it further.
• According to Article 20 GDPR, you have the right to data portability, meaning that we must provide your data in a commonly used format upon request.
• According to Article 21 GDPR, you have the right to object, which, when exercised, changes the way we process your data.
  • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interests), you may object to the processing. We will then assess as quickly as possible whether we can legally comply with this objection.
  • If data is used for direct marketing, you may object to this type of data processing at any time. We must then no longer use your data for direct marketing.
  • If data is used for profiling, you may object to this type of data processing at any time. We must then no longer use your data for profiling.
• According to Article 22 GDPR, you have the right, under certain circumstances, not to be subject to a decision based solely on automated processing (e.g., profiling).
• According to Article 77 GDPR, you have the right to lodge a complaint. This means you can contact the data protection authority at any time if you believe that the processing of your personal data violates the GDPR.

In short: You have rights—don’t hesitate to contact the responsible entity listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have been infringed in any way, you can lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Explanation of Terms Used

We always strive to make our privacy policy as clear and understandable as possible. However, especially with technical and legal topics, this isn’t always easy. It often makes sense to use legal terms (such as personal data) or specific technical expressions (such as cookies, IP address). We do not want to use these without explanation. Below, you will find an alphabetical list of important terms used that may not have been sufficiently explained in the privacy policy so far. If these terms are defined in the GDPR, we will also cite the original text from the regulation and add our own explanations if necessary.

Processor

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Explanation: As a company and website operator, we are responsible for all the data we process about you. In addition to the controller, there can also be so-called processors. This includes any company or person who processes personal data on our behalf. Processors may include, for example, service providers like tax advisors, but also hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them;

Explanation: On websites, this kind of consent is typically obtained via a cookie consent tool. You are probably familiar with this: when you visit a website for the first time, a banner usually asks if you consent to data processing. You can usually set preferences to decide what processing you allow or not. If you do not consent, no personal data may be processed. Of course, consent may also be given in writing, outside of a tool.

Personal Data

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Personal data" means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Explanation: Personal data is any data that can identify you as a person. Typically, these include:

• Name
• Address
• Email address
• Mailing address
• Phone number
• Date of birth
• Identifiers such as social security number, tax ID, national ID number, or student ID
• Bank information such as account numbers, credit information, account balances, etc.

According to the European Court of Justice (ECJ), your IP address is also considered personal data. IT experts can use it to determine at least the approximate location of your device and, consequently, identify you as the connection owner. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called "special categories" of personal data that require extra protection. These include:

• Racial and ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data (e.g. from blood or saliva samples)
• Biometric data (information related to physical, physiological, or behavioral characteristics that can identify a person).
  Health data
• Data concerning sexual orientation or sex life

Profiling

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;

Explanation: Profiling involves collecting various types of information about a person to learn more about them. On the web, profiling is often used for advertising or credit scoring. Web and advertising analytics tools collect data about your behavior and interests on a website, which helps create a specific user profile. This profile allows advertising to be targeted to specific audiences.

 

Controller

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Explanation: In our case, we are responsible for processing your personal data and are therefore the "controller." If we pass on collected data to other service providers for processing, they are considered "processors." A data processing agreement (DPA) must be signed for this.

 

Processing

Definition according to Article 4 of the GDPR

For the purposes of this Regulation, the term means:

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note: When we refer to processing in our privacy policy, we mean any form of data handling. As stated in the original GDPR definition above, this includes not just collecting but also storing and processing data.

All texts are protected by copyright.

Source: Created with the privacy policy generator by AdSimple