Data Protection

Introduction

We have drafted this privacy policy (version 30.01.2024-122709546) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, what personal data (hereinafter referred to as "data") we, as the controller, and our commissioned data processors (e.g., providers) process, will process in the future, and what lawful options you have.

In short: We provide comprehensive information about the data we process about you.

Privacy policies typically sound very technical and use legal terminology. However, this privacy policy aims to describe the most important things to you as simply and transparently as possible. Wherever transparency is beneficial, technical terms are explained in reader-friendly language, links to further information are provided, and graphics are used. We want to inform you in clear and simple language that we only process personal data within the scope of our business activities when there is a legal basis for doing so. This is not possible if we provide concise, unclear, and legally-technical explanations, as is often the standard on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps you will find some information that you did not know before.

If you still have questions, we kindly ask you to contact the responsible party mentioned below or in the imprint, follow the provided links, and view further information on third-party sites. Our contact details are also available in the imprint.

Scope

This privacy policy applies to all personal data processed by us in the company and to all personal data processed by companies contracted by us (data processors). By personal data, we mean information in accordance with Article 4 No. 1 GDPR, such as a person's name, email address, and postal address. The processing of personal data enables us to offer and invoice our services and products, whether online or offline. The scope of this privacy policy includes:

all online presences (websites, online-shops), which we are running
social media presence and email-communication
mobile apps for smartphones and other devices

In short: The privacy policy applies to all areas where personal data is processed within the company through the mentioned channels. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Basis

In the following privacy policy, we provide you with transparent information regarding the legal principles and regulations, namely the legal basis of the General Data Protection Regulation (GDPR), which enables us to process personal data. As for EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679.

We process data only if at least one of the following applies:

Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be storing the data you entered in a contact form.
Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we enter into a purchase agreement with you, we need personal information beforehand.
Legal obligation (Article 6(1)(c) GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting purposes, which typically contain personal data.
Legitimate interests (Article 6(1)(f) GDPR): In case of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we may need to process certain data to operate our website securely and economically efficiently. This processing is therefore a legitimate interest.

Other conditions such as the performance of tasks carried out in the public interest or in the exercise of official authority, as well as the protection of vital interests, typically do not apply to us. If such a legal basis should be relevant, it will be indicated at the corresponding point.

In addition to the EU regulation, national laws also apply:

In Austria, this is the Federal Act concerning the Protection of Personal Data (Data Protection Act), abbreviated as DSG.
In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.
If additional regional or national laws are applicable, we will inform you about them in the following sections.

Contact data of the person responsible for data protection

If you have any questions regarding data protection or the processing of person-related data, below are the contact details of the responsible person or office:

Wolfgang Windsteiger
Schwaigaustrasse 21a
4030 Linz

E-Mail: info@riedenblick.at

Duration of Storage

That we only store personal data for as long as it is absolutely necessary for providing our services and products is a general criterion for us. This means that we delete personal data as soon as the reason for data processing is no longer present. In some cases, we are legally obliged to store certain data even after the original purpose has ceased, for example for accounting purposes.

If you wish to have your data deleted or revoke your consent to data processing, the data will be deleted as soon as possible, provided that there is no obligation to store it.

We will inform you about the specific duration of each data processing further below, if we have more information about it.

Rights according to GDPR

According to Articles 13 and 14 of the General Data Protection Regulation (GDPR), we inform you about the following rights that you are entitled to in order to ensure fair and transparent processing of your data:

According to Article 15 of the GDPR, you have the right to request information about whether we process data about you. If this is the case, you have the right to receive a copy of the data and to be informed about the following:
- The purpose of the processing.
- The categories or types of data processed.
- Who receives these data, and if the data are transferred to third countries, how the security can be guaranteed.
- The duration of the data storage.
- The existence of the right to rectification, erasure, or restriction of processing, as well as the right to object to the processing.
- The right to lodge a complaint with a supervisory authority (links to these authorities can be found below).
- The origin of the data if they were not collected from you.
- Whether profiling is carried out, i.e., whether data are automatically evaluated to create a personal profile of you.
According to Article 16 of the GDPR, you have the right to rectification of your data, meaning that we must correct any errors you find.
According to Article 17 of the GDPR, you have the right to erasure ("right to be forgotten"), meaning that you may request the deletion of your data.
According to Article 18 of the GDPR, you have the right to restriction of processing, meaning that we may only store the data but not further use them.
According to Article 20 of the GDPR, you have the right to data portability, meaning that we must provide you with your data in a common format upon request.
According to Article 21 of the GDPR, you have the right to object to processing, which, if successful, will result in a change in processing.
- If the processing of your data is based on Article 6(1)(e) (public interest, exercise of public authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then check as soon as possible whether we can comply with this objection.
- If data are used for direct marketing purposes, you can object to this type of data processing at any time. We may no longer use your data for direct marketing purposes thereafter.
- If data are used for profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling purposes thereafter.
According to Article 22 of the GDPR, you may have the right not to be subject to a decision based solely on automated processing (e.g., profiling).
According to Article 77 of the GDPR, you have the right to lodge a complaint. That means you can complain to the supervisory authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights - do not hesitate to contact the responsible authority listed above!

If you believe that the processing of your data violates data protection law or if your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. For Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI).

Glossary

We always strive to draft our privacy policy as clearly and comprehensibly as possible. However, this is not always easy, especially when dealing with technical and legal topics. Often, it is useful to use legal terms (such as personal data) or specific technical expressions (such as cookies, IP address). However, we do not want to use these without explanation. Below you will find an alphabetical list of important terms that we have used in our privacy policy, on which we may not have sufficiently elaborated so far. If these terms were taken from the GDPR and they represent definitions, we will also provide the GDPR texts here and, if necessary, add our own explanations.

Data Processor

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Data Processor" means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller;

Explanation: As a company and website owner, we are responsible for all data we process from you. In addition to controllers, there may also be so-called processors. This includes any company or person who processes personal data on our behalf. Processors may include service providers such as tax consultants, hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Consent" of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: Typically, such consent on websites is obtained through a cookie consent tool. You are probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner whether you consent to data processing. Often, you can also make individual settings and thus decide for yourself which data processing you allow and which you do not. If you do not consent, no personal data may be processed. In principle, consent can also be given in writing, i.e., not through a tool.

Personal Data

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Personal data" means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;

Explanation: Personal data refers to any information that can identify a natural person. This typically includes data such as:

Name
Address
E-Mail adresse
Postal address
Phone
Date of birth
Identification numbers such as social security number, tax identification number, ID card number, or student ID number
Banking information such as account number, credit information, account balances, etc.

According to the European Court of Justice (ECJ), your IP address is also considered personal data. IT experts can determine at least the approximate location of your device based on your IP address and subsequently identify you as the subscriber. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called "special categories" of personal data, which are particularly protected. These include:

Racial and ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data such as data extracted from blood or saliva samples
Biometric data (information about psychological, physical, or behavioral characteristics that can identify a person)
Health data
Data concerning sexual orientation or sexual life

Profiling

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Profiling" refers to any form of automated processing of personal data that involves using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.

Explanation: Profiling involves gathering various pieces of information about a person to learn more about them. In the web context, profiling is often used for advertising purposes or for credit checks. Web or advertising analysis programs, for example, collect data about your behavior and interests on a website. This information is then used to create a specific user profile, which enables targeted advertising to be displayed to a specific audience.

Controller

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

Explanation: In our case, we are responsible for processing your personal data and thus are the "Controller". If we transfer collected data to other service providers for processing, they are considered "Processors". For this, a "Data Processing Agreement (DPA)" must be signed.

Processing

Definition according to Article 4 GDPR

For the purposes of this regulation, the term:

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note: When we refer to processing in our privacy policy, we mean any type of data processing. This includes, as mentioned in the original GDPR explanation above, not only the collection but also the storage and processing of data.

Source: German original generated by the Datenschutz Generator from AdSimple