General Data Protection Regulation ("GDPR”)
This Privacy Notice is intended to give you an overview of how we use the personal data provided by you. We would also like to inform you about the precautions we take to protect your data and about which rights and options you have to view your data and to protect your privacy.
This Privacy Notice contains information about which personal data we collect from you, how we process them and to which third parties we may forward your data.
Regarding the terms used, such as “processing” or “Controller”, we refer to the definitions in Art 4. of the General Data Protection Regulation (“GDPR”).
Whom can you contact?
E-mail address: email@example.com
For what purposes and on what legal basis are your personal data processed?
- Based on your consent (Art. 6 (1) (a) GDPR)
If you have given us your consent to process your personal data, processing will only take place following the purposes defined and to the extent agreed in the declaration of consent. Consent given may be withdrawn at any time without giving reasons and with likely effect if you no longer agreed to the processing.
- For compliance with contractual obligations (Art. 6 (1) (b) GDPR)
Processing of personal data takes place in connection with account management, for the performance of our contract with you and execution of your orders as well as all tasks necessary for the operation and administration of our company.
- For compliance with legal obligations (Art. 6 (1) (c) GDPR)
Processing of personal data may be necessary for compliance with various legal obligations concerning contract management, accounting and invoicing.
- To protect the Controller’s legitimate interests (Art. 6 (1) (f) GDPR)
Where necessary, data processing may take place beyond the actual performance of the contract as part of a balancing of interests in favour of Circleze or a third party, to protect our legitimate interests or those of third parties.
Such processing of customer (employee) data takes place in the following cases:
Measures for business management and continuing development of products and services;
Measures for protecting customers and their employees as well as company property;
In the context of legal proceedings; and
Who receives your personal data?
The protection and confidentiality of your personal data are essential to us. Therefore, we transfer your personal data only to the extent described below or within the scope of instruction at the time the data are collected. Also, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed.
- Transfer to networking companies and other parties We transfer the personal data we collect to the companies of the Circleze and individual service providers (e.g. external data protection officer). We transfer personal data for account management and other operations requested by you as well as to conduct internal administrative activities efficiently in a shared way and to improve our products and services.
- Transfer to other third parties If we, Circleze, acting as a service provider for third parties, we provide them with personal data we have collected on their behalf.
- Transfers to processors To a limited extent, we also pass on personal information to processors who perform services for us such as a performance of contracts, account management, accounting, invoicing and sending out newsletters. Processors may only use or disclose these data to the extent necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of the personal data that they process on our behalf.
- Other transfers We may also transfer personal information concerning you (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.
Are data transferred to a third country or an international organisation?
If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third-party services or disclosure and/or transfer of personal data to third parties, we shall only transfer personal data to comply with our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests. Subject to legal or contractual authorisations, we process or have personal data processed in a third country only where the particular conditions of Art. 44 et seq GDPR are met. This means, for example, that processing and the transfer is carried out on the basis of special safeguards, such as the officially recognised setting of level of data protection corresponding to the EU (e.g. for the USA by the “Privacy Shield”) or compliance with officially recognised special contractual obligations (known as “standard contractual clauses”).
For how long are personal data stored and processed?
We process your data for the duration of the entire business relationship (from initiation through performance to termination of a contract), and beyond this, according to statutory retention and documentation obligations. These derive, for example, from:
- the Austrian Commercial Code (UGB); and
- the Federal Tax Code (BAO).
Also, the storage period must take into account the statutory limitations periods, which, according to the Austrian Civil Code (ABGB), for example, may range up to 3 years in some instances (the general limitations period is 30 years).
Unless expressly stated in this Privacy Notice, personal data processed by us shall be erased as soon as they are no longer required for their intended purpose and the erasure does not conflict with any statutory retention obligations.
What rights and options do you have?
1. Right of access
You have the right to request confirmation from us as to whether we are processing personal data concerning you.
Where personal data concerning you are being processed, you have the right, as the data subject, to receive information from us at any time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. In this regard, as the data subject, you shall have the right to obtain the following information:
- The purposes of the processing;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of a right to rectification or erasure of the personal data concerning you, or to the restriction of processing by the Controller, or to object to such processing;
- The existence of the right to complain of supervisory authority;
- Any available information about the origin of the data where the personal data were not collected directly from you; and
- Where present, the existence of automated decision-making, including profiling, according to Art. 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data concerning you are transferred to a third country or an international organisation, you shall also have the right to be informed of the appropriate safeguards relating to the transfer.
2. Right to rectification
You shall have the right to request the correction of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
3. Right to erasure
You shall have the right to request from Circleze the deletion of personal data concerning you without undue delay where one of the following grounds applies and if no further processing is required:
The personal data are no longer needed for the purposes for which they were collected;
You withdraw your consent on which the processing was based and where there is no other legal ground or overriding legitimate interest for the processing;
The personal data have been unlawfully processed;
Erasure of the personal data is required for compliance with a legal obligation under Union or Member State law to which the Controller is subject; or
The personal data have been collected concerning the offer of information society services according to Art. 8 (1) GDPR.
4. Right to the restriction of processing
You shall have the right to request from us the limitation of processing where one of the following conditions applies:
You contest the accuracy of the personal data (the restriction shall be put in place for a period which enables the Controller to verify the accuracy of the personal data);
The processing of your personal data was unlawful, and you oppose the erasure of your personal data and request instead of the restriction of their use;
The Controller no longer requires your personal data for the processing, but you expect them for the assertion, exercise or defence of legal claims; or
You have objected to the processing of your personal data, and it has not yet been determined whether the legitimate grounds of the Controller override your own.
5. Right to data portability
You shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means.
The right to data portability does not apply to process which is necessary for the performance of a task carried out in the public interest or the exercise of official authority vested in the Controller.
6. Right to object
You shall have the right at any time to withdraw your consent to the processing of your personal data.
If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims.
You shall have the right to object, on grounds relating to your particular situation, to processing by Circleze of personal data concerning you for scientific or historical research purposes or statistical purposes according to Art. 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Should you wish to exercise one or more of the rights mentioned above, you can contact us (see above for contact details
With which supervisory authority may you complain?
According to Art. 77 GDPR, you shall have the right to complain about the competent supervisory authority. In Austria, this is the Data Protection Authority (Datenschutzbehörde).
Are personal data processed for purposes other than those for which the personal data were collected?
As a general principle, we only process data for the purposes for which they were collected.
In exceptional cases, however, we may process personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about the purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to lodge a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.
What types of personal data are processed?
We process, among other things, the following types of personal data:
- Inventory data (e.g. name, title, company, addresses, date of birth);
- Contact data (e.g. e-mail, telephone numbers);
- Content data (e.g. text input, photos, videos);
- Usage data (e.g. websites visited, interest in contents, times of access);
- Meta/communication data (e.g. device information, IP addresses); and
- Advertising and sales data.
We stress that we process personal data only to the extent necessary. In individual cases, therefore, less than the above data may suffice.
We send newsletters, e-mails and other electronic notifications for advertising purposes and to announce news (hereinafter “newsletter”) only with your consent, which is recorded during registration for the newsletter, or where there is a legal basis to do so (e.g. Art. 107 (2) and (3) of the Telecommunications Act (TKG)).
You may unsubscribe from our newsletter, i.e. withdraw your consent, at any time. You will find a link to unsubscribe at the end of each newsletter. Please note that we will continue to process your personal data until you withdraw your consent so that we can prove consent previously given to receive newsletters. The processing of these data is limited to the purpose of a possible defence against claims. You shall have the right to request the erasure of your personal data.
If you communicate us (e.g. by contact form, e-mail, telephone or via social media), your details will be processed to handle and process the contact request. Your personal data may be stored in a customer relationship management system (“CRM system”) or a similar organisational tool.
We will erase the contact requests, and your personal data provided to us in them, if their storage is no longer necessary.
Online presence in social media
We maintain an internet presence on social media and platforms to communicate with active customers, prospective customers and users and inform them about our services. When you access the respective networks and platforms, the general terms and conditions and data privacy policies of the individual platform operators apply.
Unless otherwise stated in our Privacy Notice, we process the personal data of users who communicate with us within social networks and platforms, e.g. post articles on our websites or send us messages.
How is my data protected?
We take the protection of your personal data very seriously and implement appropriate technical and organisational measures to protect you against unauthorised or illegal processing of your personal data, and against accidental loss, destruction or damage.
How will I find out about changes to this Privacy Notice?
We, Circleze, are committed to upholding the principles of privacy and data protection. For this reason, we regularly review our Privacy Notice. This is to ensure that it is correct and displayed on our website, contains appropriate information about your rights and our processing activities and is implemented following applicable law and thus complies with data protection requirements. We update this Privacy Notice when required, to take current circumstances into account. If we make significant changes to this Privacy Notice, we will notify you on our website and provide you with the updated version of the Privacy Notice.