Data privacy policy pursuant to Art. 13, 14 GDPR – fulfilment of the information obligations

1 Name and address of the controller

The controller, in accordance with the General Data Protection Regulation and other national data protection laws, as well as other data privacy directives, is:

Saubermacher Dienstleistungs AG
Hans-Roth-Straße 1
8073 Feldkirchen bei Graz
Tel.: +43 59 800
E-mail: office@saubermacher.at
Website: saubermacher.at

2 Contact details of the data privacy officer

The data privacy officer of the controller has the following contact details:

Tel.: +43 59 800
E-mail: datenschutz@saubermacher.at

3 Data processing of people in the corporate/business environment

3.1 Data processing pursuant to Art. 13 GDPR

We process the data of individuals that are provided to us as part of an enquiry by e-mail or to initiate and conclude a contract or business relationship.

3.2 Data processing pursuant to Art. 14 GDPR

In addition, we also process data from persons who are part of a contractual relationship which we have received as part of disclosures from third parties (e.g. managing directors send us data about their employees).

3.3 Data subjects

We process the following data of interested parties: Company, name of contact person and business contact and address details.

We process the following data of customers: Company, title and name of contact persons, business address and contact details, bank details, contract data.

We process the following data of suppliers and business partners: Company, title and name of contact persons, business address and contact details, bank details, contract data.

3.4 Passing on data

We will only pass on personal data to third parties if this is required for the purpose of contact processing and fulfilment, quality assurance or if legal stipulations require us to do so. We have concluded corresponding contracts and confidentiality agreements with data recipients.

3.5 Retention/erasure of data

Elapsing of contractual obligations: In the event that there are contractual provisions that prescribe for how long personal data must be retained, the data controller shall ensure that these retention periods are adhered to. Once these periods have elapsed, the data shall be deleted or anonymised by the data controller.
Revocation of consent: In the event that a data subject revokes consent for the processing of personal data, the data controller shall delete the data, provided that there is no other legal basis for processing.
Elapsing of statutory obligations: In some cases, there may be exceptions that not only permit but obligate a data controller to continue to retain personal data after statutory retention periods elapse or upon revocation of consent. This may be the case if there are legally prescribed retention periods that require retention of personal data for a defined period of time, e.g. retention of tax-related or accounting records. Once these statutory periods have elapsed, the data controller shall ensure that the data are anonymised or deleted.

3.6 Contact via email

When you make contact with us by e-mail, the data you have provided is stored by us on the basis of your consent in order to answer your questions. We erase the data gathered in this context after processing is no longer required, or we restrict the processing if there are legal obligations to preserve records.

3.7 Publication of the names of authors

We are legally obligated to disclose the names of the authors of image data (photographs or videos) whenever image data are published. We delete these personal data automatically as soon as we discontinue use of the image data.

3.8 Legal basis

Legal bases of data processing are

the initiation and fulfilment of a contract in accordance with Art. 6 Par. 1 b GDPR.
legal obligations in accordance with Art. 6 par. 1 c GDPR, (e.g. legally prescribed preserving of records or documentation duties).
the legitimate interest of our company in accordance with Art. 6 Par. 1 f GDPR (e.g. for statistical evaluations or in the event of customer surveys to ensure the quality of our service)
6 Par. 1 a GDPR when obtaining consent (e.g. when processing image data or for advertising purposes).

4 Data processing when establishing contact via our website, subscribing to the newsletter, customer portal, submitting an application

4.1 Establishment of contact

If you have allowed us to contact you via our web form or you have sent us a message, then we store your data that are required to make contact. This includes your name and your e-mail address. We delete the data as soon as storage is no longer required or if you object to the processing.

Legal basis: Art. 6 para. 1 lit. a GDPR

4.2 Newsletter

You have the option of subscribing to our newsletter. To do so, we need your first name, surname and e-mail address. You may unsubscribe from the newsletter at any time. After unsubscribing, we will no longer use your data for the newsletter mailing. If we have no form of business relationship with you and we are not subject to legal obligations to preserve records, your data is erased after unsubscribing from the newsletter.

Legal basis: Art. 6 para. 1 lit. a GDPR

4.3 Customer portal

As an SME, industry customer or corporation, on our website you have the option to sign in to our customer self-service portal using your login details in order to make use of additional functions (https://kundenportal.saubermacher.at/). To sign in, you need to provide your username and the password you have chosen.

To set up a new account, we require the following details: first name, surname, email address, phone number, RONA customer number and, if applicable, the respective destinations.

To notify you of any important changes to the scope of our portfolio or in the event of technical modifications, we shall use the email address provided during the registration process.

The data are stored by us for as long as you have an account with us, and are deleted unless they are subject to any statutory retention obligations.

Legal basis: Art. 6 par. 1 line b GDPR

4.4 Applicants

4.4.1 General

In the event that you send us your application documents, we process your personal data contained in those documents as well as your CV and your certificates for the purpose of personnel selection and recruitment. If your application is rejected, we will delete your documents 7 months after informing you of the rejection.

Legal basis: Art. 6 par. 1 line b GDPR

If we wish to keep your data on file so that we may contact you at a later point in time, we will contact you with our own request for consent. If you expressly grant your consent, we will store your application documents. If there is no further opportunity for recruitment with us within a period of a year, we will delete all of your application data one year after you have granted your consent.

Legal basis: Art. 6 para. 1 lit. a GDPR

4.4.2 Applicant portal

For persons interested in working for our company, there is the possibility to apply directly through a form provided on our website. To do so, please create your own user account with your email address and a password. In addition, we also require your form of address, first name and surname, email address, date of birth and place of residence; of course, you may also provide your phone number if you wish. You have the opportunity to upload your application documents (e.g. CV) later on in the course of the application. If your application is rejected, we will delete your documents at the latest 7 months after informing you of the rejection.

Legal basis: Art. 6 par. 1 line b GDPR

Legal basis: Art. 6 para. 1 lit. a GDPR

5 Data processing when visiting our website

5.1 Informational use of the website

In case of a purely informational use of the website, we collect only the personal data that your browser transmits to our server. If you would like to view our website, we at most collect the data that is technically necessary for us to display our website to you and to ensure stability and security:

IP address
Date and time of the enquiry
Time Zone Difference to Coordinated Universal Time (UTC)
Content of the requirement (concrete page)
Access Status / HTTP status code
Website from which the enquiry is made
Browser
Operating system and its interface
Language and version of the browser software.

This data is not merged with personal data sources. We reserve the right to check this data retrospectively if concrete indications of illegitimate use come to our knowledge and to pass on the data – if there has been a hacker attack – to law enforcement authorities. There is no passing on to third parties beyond this.

Legal basis: Art. 6 par. 1 line f GDPR

5.2 Cookies

During the use of our website, cookies will be stored on your computer. Cookies are small text files that are deposited on your hard drive by your browser and through which certain information flows to the party placing the cookie (in this case us or the service provider). Cookies cannot carry out programmes or transmit viruses to your computer.

Through the cookie, you can be identified when revisiting the website, without data that you previously entered needing to be entered again.

The information contained in the cookies is used for example to establish whether you are logged in, or what data you have already entered, or to recognise you as a user when a connection is established between our web server and your browser.

We distinguish between technical cookies, which are used solely to ensure operation of a website, and other cookies, which are saved to your device by us or by third parties for the purpose of statistical analysis, tracking or advertising/marketing.

Legal basis: Art. 6 para. 1 line f GDPR (for technical cookies), Art. 6 para. 1 line a GDPR (for all other cookies)

5.2.1 Cookie declaration

5.3 Data processing in the USA

We cannot rule out the possibility of your data being transmitted to the USA when your visit our website. If this is the case, we will draw attention to this in a separate location in this privacy policy.

The GDPR sets out ‘suitable guarantees’ for data transmission to a third country or to an international organisation pursuant to Art. 46 GDPR.

The European Commission has adopted an adequacy decision for the EU-US Data Privacy Framework. The decision establishes that the USA must guarantee an adequate level of protection – comparable to that of the EU – for personal data that are transferred from the EU to US enterprises within the new framework. On the basis of the new adequacy decision, personal data can be transmitted securely from the EU to certified US enterprises participating in the EU-US Data Privacy Framework without the need to introduce additional data protection guarantees.

In the event of data processing by US data recipients that have not been certified under the EU-US Data Privacy Framework or the Privacy Shield, for you as the data subject, at present the following risks in particular cannot be excluded:

Your personal data may be passed on to other third parties by the respective service provider (e.g. American authorities) beyond the actual purpose of order fulfilment.
You may not be able to exert your right to access to information from the respective service provider.
There may be a higher likelihood that incorrect data processing can occur, as the technical and organisational measures for protecting personal data do not correspond quantitatively and qualitatively to the full extent to the GDPR requirements.

With your consent to the processing of (advertising and marketing) cookies, you are explicitly agreeing to data transmission to the USA. You can remove cookies stored on your PC yourself at any time by deleting the temporary internet data.

Legal basis: Art. 6 para. 1 lit. a GDPR

6 Social media presence

We maintain the social media sites LinkedIn, Xing, YouTube, Facebook, Instagram and Flickr. When you visit our social media presence, personal data, including the IP address of the respective provider, are processed and cookies are used to collect data. To find out exactly what information is transferred, please refer to the data privacy policy of the respective service provider. There you will also find information on possibilities for getting in contact as well as various settings.

We set store by comprehensive customer satisfaction, and use these services primarily in order to be able to get in contact i.e. communicate with you. Furthermore, we also view them as an additional option alongside our other existing information offers.

For services with a link to the USA, as a general rule the data collected are sent to a server in the USA and stored there. We have no influence over or possibility to monitor the nature and extent of the data processed by these services, the nature of processing and use or the passing on of these data to third parties. For options to limit the processing of these data within the respective settings of these services, please refer to the precise descriptions in the data privacy policies of the respective providers.

Furthermore, we would like to point out that your use of the respective services and their functions are your own responsibility. This applies in particular to the use of the interactive functions (for example sharing, commenting or reviewing).

The providers of the social media services have provided us with corresponding agreements – in the majority of cases, these are agreements regarding the joint responsibility of data processing. The use of social media is based on our legitimate business interest.

Legal basis: Art. 6 par. 1 line f GDPR

7 Data processing for Facebook services

7.1 Facebook plug-ins

We maintain a Facebook page, and for this we have social plug-ins (“plug-ins”) from Meta Platforms Ireland Ltd., 4 Grand Canal Square Grand Canal Harbour, Dublin 2, Ireland on our website. These plug-ins can be recognised by one of the Facebook logos (a dark grey or black “f” on a light grey circle or a white “f” on blue tile, or the term “Like” or the “Thumbs up” symbol) or are designated with the suffix “Facebook Social Plug-in”. The list and appearance of the Facebook social plug-ins can be viewed here: https://developers.facebook.com/docs/plugins/.

We have concluded a contract with Meta Ireland; Meta Ireland may, however, transfer personal data to Meta USA. Meta Platforms, Inc. has been certified for the transmission of personal data to the USA in accordance with the adequacy decision. The European Commission concludes that for personal data that are transferred from the EU to a company in the USA that is certified under the EU-US Data Privacy Framework, an adequate level of protection exists, which is why data transmission is permitted pursuant to Art. 45 GDPR.

The browser establishes a direct connection with the servers of Facebook when a user accesses the website of the offer that contains a social plug-in. The content of the plug-in is transferred directly from Facebook to your browser, which then embeds it into the page. We therefore have no influence on the scope of the data that Facebook collects with the help of this plug-in and thus inform users according to the best of our knowledge:

The data collected in this way are anonymous for us, i.e. we do not see the personal data of individual users. However, these data are stored and processed by Facebook, which we inform you about according to our state of knowledge. Facebook can connect these data with your Facebook account and use them for its own advertising purposes in accordance with Facebook’s policy on data usage https://www.facebook.com/about/privacy/. You can allow Facebook and its partners to display ads on and off Facebook. A cookie may also be stored on your computer for these purposes.

Legal basis: Art. 6 para. 1 lit. a GDPR

7.2 Facebook Pixel

Our website uses Facebook Pixels (“Pixels”) provided by the social networking service Facebook (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grant Canal Harbour, Dublin 2, Ireland) for the purpose of analysis, optimisation and economic operation of our online presence.

Facebook can use the Pixels to determine website visitors as a target group for the display of advertisements (“Facebook Ads”). Accordingly, we use the Pixels to display the Facebook Ads that we have configured only to those Facebook users who have shown an interest in our online presence or who have certain characteristics (such as an interest in certain topics or products, determined according to websites visited) that we transmit to Facebook (‘Custom Audiences’). The objective is to ensure that our Facebook Ads are consistent with user interest and do not become irritating. With the aid of Pixels, we can monitor the effectiveness of Facebook Ads for statistical purposes and market research, by seeing whether users were forwarded to our website after clicking on a Facebook Ad (‘Conversion’).

Your actions are then stored in one or multiple cookies. These cookies enable Facebook to compare your user data (such as IP address, user ID) with the data from your Facebook account. The collected data remain anonymous and cannot be viewed by us, and can only be used within the context of placing Facebook Ads. If you would like to prevent a link to your Facebook account, you can log out before taking any action.

For further information, please see Facebook’s privacy policy at https://de-de.facebook.com/policy.php.
For specific information on Facebook Pixels, please see https://de-de.facebook.com/business/help/651294705016616.

Legal basis: Art. 6 para. 1 lit. a GDPR

8 Data processing when using Matomo

For statistical analysis of user behaviour and for optimisation and marketing purposes, we have integrated the web analysis service Matomo (www.matomo.org), previously Piwik, provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, (“Matomo”) into our website. The EU Commission has certified an adequate level of data protection for New Zealand, on the basis of which data transmission is permitted in accordance with Art. 45 GDPR.

The following data is processed: Browser type, browser version, operating system, country of origin, date and time of the server request, number of visits, length of stay on the website and the external links you have clicked. The IP address is anonymised before it is saved. Pseudonymised usage profiles can be created and evaluated using this data. The collected data is processed on our servers and is not passed on to third parties.

The information generated in the pseudonymous user profile is never used to personally identify website visitors and is never combined with personal data concerning the holder of the pseudonym.

For further information, please see the privacy policy of Matomo at https://matomo.org/gdpr/.

Legal basis: Art. 6 para. 1 lit. a GDPR

9 Data processing when using YouTube

We operate a YouTube channel and have integrated YouTube videos into our website, which are stored on https://www.youtube.com/. The operating company of YouTube is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Ireland Limited., Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube videos in privacy-enhanced mode. With this setting, YouTube does not store cookies when you call up our website. A connection to YouTube servers is only established when you start the playback of the embedded videos. YouTube uses cookies for data collection and statistical data analysis. In the process, YouTube is notified which pages you are visiting. If you are logged in to YouTube, your data are directly associated with your account. YouTube uses your data for advertising and market research purposes.

We have entered into an agreement with Google Ireland. It can happen even so that data from Europe is transmitted to the USA, which we as a company cannot influence. Google has been certified for the transmission of personal data to the USA in accordance with the adequacy decision. The European Commission concludes that for personal data that are transferred from the EU to a company in the USA that is certified under the EU-US Data Privacy Framework, an adequate level of protection exists, which is why data transmission is permitted pursuant to Art. 45 GDPR.

By providing your consent to data processing by YouTube, you agree to YouTube reloading additional cookies and services, in particular from Google.

Further information about data privacy at “YouTube” is available in the data privacy statement of the provider under: https://www.google.de/intl/de/policies/privacy/

Legal basis: Art. 6 para. 1 lit. a GDPR

10 Data usage for Google services

We have concluded a contract with Google Ireland Limited (“Google”), a company registered and operated according to Irish law (register number: 368047) with its head office at Gordon House, Barrow Street, Dublin 4, Ireland. It can happen even so that data from Europe is transmitted to the USA, which we as a company cannot influence.

Google has been certified for the transmission of personal data to the USA in accordance with the adequacy decision. The European Commission concludes that for personal data that are transferred from the EU to a company in the USA that is certified under the EU-US Data Privacy Framework, an adequate level of protection exists, which is why data transmission is permitted pursuant to Art. 45 GDPR.

10.1 Google Analytics

This website uses the function “Activation of IP anonymisation” (i.e. that Google Analytics has been extended by the code “gat._anonymizeIp();”, in order to ensure an anonymised collection of IP addresses, so-called IP masking) This means that your IP address will be stored by Google in shortened form within Member States of the European Union or in other states that are contracting parties to the Agreement on the European Economic Area. The full IP address will only be transferred to a Google server in the USA and shortened there in exceptional cases.

According to Google, Google will use the gained information to evaluate your use of the website, to compile reports about website activity and to provide further services to us relating to website usage and Internet usage. The IP address transmitted from your browser as part of Google Analytics is not merged with other Google data. Google may, however, transmit this information to third parties, insofar as this is legally mandatory or third parties are processing this data on behalf of Google. You can disable cookies using the relevant settings in your browser. We would like to point out, however, that in this case you may not be able to use all the functions of the websites to the full extent. Furthermore, you can prevent the collection of the data generated by the cookie relating to your website use (incl. your anonymised IP address), as well as the processing of this data by Google, by downloading and installing the browser plugin available under the following link (https://tools.google.com/dlpage/gaoptout?hl=de).

You can find further information about usage conditions and data privacy under https://www.google.com/analytics/terms/de.html and https://support.google.com/analytics/answer/6004245?hl=de.

10.2 Google Tag Manager

To identify your user behaviour, we use the so-called Google Tag Manager. The Google Tag Manager is a solution with which the marketer can manage website tags through an interface. The tool itself processes the following personal data: IP address of the user. The tool triggers other tags, which may in certain circumstances collect data. Google Tag Manager does not access this data. Google Tag Manager can install cookies, in any event in the administrator’s preview and debug modes, as well as outside of these modes. If there has been a deactivation at a domain or cookie level, this remains in place for all tracking tags that were implemented with the Google Tag Manager.

Further information is available here: https://www.google.com/intl/de/tagmanager/faq.html.

Legal basis: Art. 6 para. 1 lit. a GDPR

10.3 Google AdWords Conversion (Google Ads)

Our website also uses Google Conversion Tracking, Google Ads thereby places a cookie on your device if you accessed our website through a Google advert. These cookies lose their validity after 30 days and do not serve the purpose of personal identification. If the user visits certain pages of the website of an Ads customer and the cookie has not yet expired, Google and the customer can identify that the user has clicked on the advert and was forwarded to this page. Every Ads customer receives a different cookie. Cookies can therefore not be traced through the websites of Ads customers. The information gathered with the help of the conversion cookie serves the purpose of compiling conversion statistics for Ads customers who have chosen conversion tracking. The Ads customers can find out the total number of users who have clicked on their advert and were transferred to a page with a conversion tracking tag. However, they do not receive any information with which users could be personally identified. If you do not wish to participate in the tracking procedure, you also have the option to reject the placement of the cookie necessary for this procedure by changing your browser settings to deactivate the automatic placement of cookies in general. You can also deactivate cookies for conversion tracking by configuring your browser to block cookies from the domain “www.googleadservices.com”. You can find Google’s data privacy policy here.

If you use the SSL search, the encrypted search function of Google, the search words are usually not sent as part of the URL in the reference URL. There are, however, some exceptions, for example if you use certain less common browsers. You can find further information about SSL search here. Search enquiries or information in the reference URL may also in certain circumstances be viewed by Google Analytics or an Application Programming Interface (API). In addition, advertisers may receive information about the exact search words through which a click on an advertisement was prompted. https://policies.google.com/faq?hl=de

10.4 Google Maps

On this website we use the services of Google Maps. This allows us to show you interactive maps, after you provide your consent, directly on the website and enables convenient use of the map function. By visiting the website, Google receives the information that you have accessed the corresponding subpage of our website. In addition, the data already stated under the point “Informational use of the website” is transmitted. This is done regardless of whether Google provides a user account that you are logged in to, or if there is no user account. When you’re logged in to Google, your data will be assigned directly to your account. If you do not wish to be associated with your profile on Google, you must log out before activating the button. Google stores your data as a user profile and uses it for the purposes of advertising, market research and/or designing its website according to requirements. Such an evaluation takes place in particular (even for users who are not logged in) to carry out targeted advertising and to inform other users of the social network about your activities on our website. You have a right of objection to the formation of these user profiles, and you must contact Google to exercise this right.

For more information on the purpose and scope of the data collection and its processing by the plug-in provider, please refer to the provider’s privacy policy. There you will also find further information about your rights and settings options with regard to the protection of your privacy: http://www.google.de/intl/de/policies/privacy.

Legal basis: Art. 6 para. 1 lit. a GDPR

11 Incorporation of Flickr image host

Components (web albums) of the web service Flickr are linked on this webpage. Flickr is a service of SmugMug, Inc and has been part of the company based at 67 E. Evelyn Ave, Suite 200 Mountain View, California, USA since 2018.

With every single access to or click on the Flickr components, cookies are placed by Flickr. Cookies are small text files that are stored on your computer and allow an analysis of your use of the Flickr services. We are not privy to knowledge of what user information and user behaviour exactly is collected and transmitted to the web servers of Flickr and associated companies in America for further processing.

Use of this service means that personal data are transferred to the USA or that a transfer of personal data to the USA cannot be ruled out! – Please see 5.3 of this declaration for further information.

With your consent to the processing of (advertising and marketing) cookies, you are explicitly agreeing to data transmission to the USA.

If you as a user do not agree to this processing of your data, there is the option of deactivating the Flickr service and thereby preventing the transmission of data to the Flickr server and associated companies. To do this, you must deactivate JavaScript in your browser. We would like to point out, however, that in this case you will not be able to use Flickr, or only to a limited extent.

12 Use of the chat service ONLIM

On our website, we use chat functions from the company Onlim (Onlim GmbH, Weintraubengasse 22, 1020, Vienna, Austria) who act as our data processor. When you use our chat functions, your data entries are transmitted to the Onlim servers. This data includes the information you input such as the data and time of the chat.

We process these data to improve our customer service and other services.

Your data are deleted or made completely anonymous at the latest after 30 days. You also have the option of adjusting the storage period of your data directly on the chat service. Your personal data is then erased within 24 hours.

You can find the data privacy policy of Onlim at https://onlim.com/de/datenschutzerklaerung/.

Legal basis: Art. 6 para. 1 lit. a GDPR

ONLIM uses the cloud web hosting solution from the US provider Amazon Web Services, Inc. (AWS), 410 Terry Avenue North, Seattle WA 98109. Since AWS acts as the cloud provider, data are stored and processed on the AWS servers. When using the ONLIM chat service, therefore, your IP addresses and access times may be recorded by AWS in order to guarantee the security and operation of the website.

Amazon has been certified for the transmission of personal data to the USA in accordance with the adequacy decision. The European Commission concludes that for personal data that are transferred from the EU to a company in the USA that is certified under the EU-US Data Privacy Framework, an adequate level of protection exists, which is why data transmission is permitted pursuant to Art. 45 GDPR.

For further information, please read the data privacy policy of Amazon Cloud Services: https://aws.amazon.com/de/compliance/data-privacy/.

Legal basis: Art. 6 par. 1 line f GDPR

13 Your rights

You have the following rights with respect to the personal data concerning you:

Right to access, rectification and erasure
Right to restriction of the processing
Right to objection to the processing
Right to data portability
Right to lodge a complaint with the Austrian data protection authority
Barichgasse 40 – 42, 1030 Vienna, telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

If you believe that we are contravening Austrian or European data protection law during the processing of data and have therefore infringed your rights, please contact us to clarify any questions.

To do so, please direct your enquiries and concerns by email to datenschutz@saubermacher.at or use the given contact details.

14 Changes to this data privacy policy

We reserve the right to make adjustments to our data privacy policy from time to time. We publish all changes to the privacy policy on this page. Please note the current version of our privacy policy.