Support us
Support us

Data Protection Declaration

Introduction and Overview 

We have written this Data Protection Declaration (version 07.05.2023-122501705) to explain to you, according to the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (hereinafter referred to as data) we, as the responsible party, and the processors commissioned by us (e.g., providers) process, will process in the future, and what lawful options you have. The terms used are to be understood as gender-neutral.

In short: We comprehensively inform you about the data we process about you.

Data protection declarations typically sound very technical and use legal terminology. However, this data protection declaration aims to describe the most important aspects as simply and transparently as possible. Where it promotes transparency, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics are used. We inform you in clear and simple language that we only process personal data within our business activities if a corresponding legal basis exists. This is certainly not possible with the brief, unclear, and legally technical explanations often found on the internet when it comes to data protection. We hope you find the following explanations interesting and informative and that perhaps there is some information you did not already know. If any questions remain, we kindly ask you to contact the responsible office mentioned below or in the imprint, follow the available links, and view further information on third-party sites. Our contact details can also be found in the imprint.

Scope of Application 

This data protection declaration applies to all personal data processed by our company and all personal data processed by companies commissioned by us (processors). By personal data, we mean information as defined in Art. 4 No. 1 GDPR, such as the name, email address, and postal address of a person. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline. The scope of this data protection declaration includes:

  • All online presences (websites, online shops) that we operate
  • Social media presences and email communication
  • Mobile apps for smartphones and other devices

In short: This data protection declaration applies to all areas where personal data is processed in a structured manner within the company via the aforementioned channels. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Basis 

In the following data protection declaration, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, which allow us to process personal data. Concerning EU law, we refer to the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the access point to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679. We only process your data if at least one of the following conditions applies:

1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of data you entered in a contact form.

2. Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we enter into a purchase agreement with you, we need personal information beforehand.

3. Legal Obligation (Article 6(1)(c) GDPR): We process your data when we are subject to a legal obligation. For instance, we are legally required to retain invoices for accounting purposes, which typically contain personal data.

4. Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not override your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and efficiently, which constitutes a legitimate interest.

Other conditions, such as the performance of tasks carried out in the public interest or the exercise of official authority, and the protection of vital interests, generally do not apply to us. If such a legal basis should become relevant, it will be indicated at the appropriate place. In addition to the EU regulation, national laws also apply:

In Austria, this is the Federal Act concerning the Protection of Personal Data (Data Protection Act), abbreviated as DSG. In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.

If additional regional or national laws apply, we will inform you in the following sections.

Contact Details of the Responsible Party

If you have any questions about data protection or the processing of personal data, you can find the contact details of the responsible person or entity below:

Association
Richtungswechsel
Tamara Höfer
Authorized representative: Viktoria Reigl
E-Mail: info@richtungswechsel.or.at
Imprint: https://www.richtungswechsel.or.at/en/imprint

Storage Duration As a general criterion, we store personal data only as long as is strictly necessary for providing our services and products. This means that we delete personal data once the purpose for data processing no longer exists. In some cases, we are legally obliged to store certain data even after the original purpose no longer applies, for example, for accounting purposes. If you wish to have your data deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it. We inform you about the specific duration of each data processing operation further below, if we have more information on this.

Rights According to the General Data Protection Regulation (GDPR) According to Articles 13 and 14 GDPR, we inform you about the following rights that you have to ensure fair and transparent data processing:

  • Right to Access (Article 15 GDPR): You have the right to know whether we process your data. If so, you have the right to obtain a copy of the data and the following information:

    • The purpose of the processing;
    • The categories of data being processed;
    • The recipients of the data and, if the data is transferred to third countries, how security is ensured;
    • The duration of data storage;
    • The existence of rights to rectification, deletion, restriction of processing, and objection to processing;
    • The right to lodge a complaint with a supervisory authority (links to these authorities can be found below);
    • The source of the data, if not collected from you;
    • Whether profiling is conducted, i.e., whether data is automatically evaluated to create a personal profile of you.

  • Right to Rectification (Article 16 GDPR): You have the right to correct your data if you find any errors.

  • Right to Erasure (“Right to be Forgotten”) (Article 17 GDPR): You have the right to request the deletion of your data.

  • Right to Restriction of Processing (Article 18 GDPR): You have the right to request that we only store your data and not process it further.

  • Right to Data Portability (Article 20 GDPR): You have the right to request your data in a common format.

  • Right to Object (Article 21 GDPR): You have the right to object to the processing of your data, which will result in a change in processing. If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then promptly check whether we can legally comply with the objection. If data is used for direct marketing, you can object to this type of data processing at any time. We may no longer use your data for direct marketing purposes. If data is used for profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling purposes.

  • Right not to be subject to automated decision-making (Article 22 GDPR): You have the right, in certain circumstances, not to be subject to a decision based solely on automated processing (e.g., profiling).

  • Right to Lodge a Complaint (Article 77 GDPR): You have the right to lodge a complaint with a supervisory authority at any time if you believe that the processing of personal data violates the GDPR.

 

In short: You have rights – do not hesitate to contact the responsible office listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have been infringed in any other way, you can file a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website can be found at https://www.dsb.gv.at/. In Germany, each federal state has its own data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible:

Austrian Data Protection Authority
Head: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data Processing Security To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible within our means for third parties to infer personal information from our data.

Article 25 of the GDPR refers to “data protection by design and by default,” which means that security measures should always be considered and implemented for both software (e.g., forms) and hardware (e.g., access to the server room). Below, we will discuss specific measures where necessary.

TLS Encryption with HTTPS TLS, encryption, and HTTPS sound very technical and indeed they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet. This means that the entire transmission of all data from your browser to our web server is secure – no one can “listen in.”

This adds an extra layer of security and fulfills data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, we can ensure the protection of confidential data. You can recognize the use of this data transmission security by the small lock symbol in the top left corner of the browser, to the left of the internet address (e.g., examplesite.com) and by the use of the https (instead of http) scheme as part of our internet address. If you want to learn more about encryption, we recommend searching “Hypertext Transfer Protocol Secure wiki” on Google to find good links for further information.

Communication If you have any questions or concerns about data protection or data processing, please do not hesitate to contact us using the contact details provided in the responsible office section.


Security of Data Processing

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible within our means for third parties to infer personal information from our data.

Article 25 of the GDPR refers to “data protection by design and by default,” meaning that security measures should always be considered and implemented for both software (e.g., forms) and hardware (e.g., access to the server room). Below, we will discuss specific measures where necessary.

TLS Encryption with HTTPS

TLS, encryption, and HTTPS sound very technical and indeed they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet. This means that the entire transmission of all data from your browser to our web server is secure – no one can “listen in.”

This adds an extra layer of security and fulfills data protection by design (Article 25(1) GDPR). By using TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, we can ensure the protection of confidential data. You can recognize the use of this data transmission security by the small lock symbol in the top left corner of the browser, to the left of the internet address (e.g., examplesite.com) and by the use of the https (instead of http) scheme as part of our internet address. If you want to learn more about encryption, we recommend searching “Hypertext Transfer Protocol Secure wiki” on Google to find good links for further information.

Communication

If you contact us via telephone, email, or online form, personal data may be processed.

The data will be processed to handle and process your inquiry and the related business transaction. The data will be stored as long as necessary or as required by law.

Affected Individuals

All individuals who contact us through the communication channels provided are affected by the aforementioned processes.

Telephone

When you call us, the call data is pseudonymously stored on the respective end device and by the telecommunications provider used. Additionally, data such as name and phone number may be sent via email and stored to respond to the inquiry. The data will be deleted once the business case is concluded and legal requirements allow.

Email

When you communicate with us via email, data may be stored on the respective end device (computer, laptop, smartphone, etc.) and on the email server. The data will be deleted once the business case is concluded and legal requirements allow.

Online Forms

When you communicate with us via online forms, data is stored on our web server and may be forwarded to an email address of ours. The data will be deleted once the business case is concluded and legal requirements allow.

Legal Basis

The processing of the data is based on the following legal grounds:

  • Article 6(1)(a) GDPR (Consent): You give us your consent to store and use your data for purposes related to the business case;
  • Article 6(1)(b) GDPR (Contract): There is a necessity to fulfill a contract with you or a processor, such as the telephone provider, or we need to process the data for pre-contractual activities, such as preparing an offer;
  • Article 6(1)(f) GDPR (Legitimate Interests): We aim to handle customer inquiries and business communication professionally. This requires certain technical setups, such as email programs, exchange servers, and mobile operators, to efficiently manage the communication.

Data Processing Agreement (DPA)

In this section, we explain what a Data Processing Agreement (DPA) is and why it is necessary. Since the term “Data Processing Agreement” is quite a mouthful, we will often refer to it simply as DPA in the text. Like most companies, we do not work alone but also use services from other companies or individuals. By involving various companies or service providers, it may be necessary to pass on personal data for processing. These partners then act as processors, with whom we enter into a contract known as a Data Processing Agreement (DPA). The most important thing for you to know is that the processing of your personal data is carried out exclusively according to our instructions and must be regulated by the DPA.

Who are Processors?

As a company and website owner, we are responsible for all data we process from you. In addition to the controllers, there can also be processors. This includes any company or individual that processes personal data on our behalf. Specifically, according to the GDPR definition, any natural or legal person, public authority, agency, or other body that processes personal data on our behalf is considered a processor. Processors can include service providers such as hosting or cloud providers, payment or newsletter providers, or large companies like Google or Microsoft. For better understanding of the terminology, here is an overview of the three roles in the GDPR:

Data Subject (You as the customer or interested party) → Controller (us as the company and client) → Processor (service providers such as web hosts or cloud providers)

Content of a Data Processing Agreement

As mentioned above, we have concluded a DPA with our partners who act as processors. The primary point established is that the processor processes the data exclusively according to the GDPR. The contract must be in writing; however, an electronic contract is also considered “written” in this context. Only on the basis of the contract is the processing of personal data carried out. The contract must include the following:

  • Binding to us as the controller
  • Duties and rights of the controller
  • Categories of data subjects
  • Nature of personal data
  • Type and purpose of data processing
  • Subject and duration of data processing
  • Location of data processing

Furthermore, the contract includes all obligations of the processor. The most important obligations are:

  • To ensure data security measures
  • To implement possible technical and organizational measures to protect the rights of the data subject
  • To maintain a record of data processing activities
  • To cooperate with the supervisory authority upon request
  • To conduct a risk analysis regarding the received personal data
  • To engage sub-processors only with written consent from the controller

You can find an example of such a DPA at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. This site presents a sample contract.

Web Hosting Introduction

What is Web Hosting?

When you visit websites today, certain information—including personal data—is automatically generated and stored, including on this website. This data should be processed as sparingly as possible and only for justified reasons. By “website,” we mean the entirety of all web pages on a domain, from the homepage to the very last subpage (like the one you’re on now). By “domain,” we mean something like example.com or sampleexample.com.

To view a website on a computer, tablet, or smartphone, you use a program called a web browser. You might be familiar with some web browsers by name: Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari. We’ll refer to these simply as browsers or web browsers.

To display the website, the browser needs to connect to another computer where the website’s code is stored: the web server. Operating a web server is a complex and demanding task, which is why it is usually handled by professional providers. These providers offer web hosting services, ensuring reliable and error-free storage of website data. It’s a lot of technical jargon, but hang on, it gets better!

During the connection between your browser on your computer (desktop, laptop, tablet, or smartphone) and while transferring data to and from the web server, personal data processing can occur. On one hand, your computer stores data, and on the other hand, the web server must also store data temporarily to ensure proper operation.

A picture is worth a thousand words, so the following graphic illustrates the interaction between the browser, the internet, and the hosting provider.

What Data is Processed?

Even while you’re visiting our website, our web server (the computer where this website is hosted) typically automatically stores data such as:

  • The complete Internet address (URL) of the visited web page
  • The browser and browser version (e.g., Chrome 87)
  • The operating system used (e.g., Windows 10)
  • The address (URL) of the previously visited page (Referrer URL) (e.g., https://www.exampleorigin.com/whereIdcamefrom/)
  • The hostname and IP address of the device from which access is made (e.g., COMPUTERNAME and 194.23.43.121)
  • Date and time

This data is stored in files known as web server log files.

How Long is Data Stored?

Typically, the aforementioned data is stored for two weeks and then automatically deleted. We do not share this data; however, we cannot rule out that such data may be accessed by authorities in case of illegal activities.

In short: Your visit is logged by our provider (the company that operates our website on specialized computers (servers)), but we do not share your data without consent!

Legal Basis

The legality of processing personal data in the context of web hosting is based on Art. 6 (1) (f) GDPR (legitimate interests), as the use of professional hosting by a provider is necessary to securely and user-friendly present the company online and to potentially track attacks and claims arising from this.

We typically have a contract with the hosting provider for data processing according to Art. 28 GDPR, ensuring compliance with data protection and guaranteeing data security.

Easyname Privacy Policy

To host our website, we use the web hosting services of Easyname. Easyname is based in Canettistraße 5/10, A-1100 Vienna, Austria. For more information about Easyname, please visit: Easyname. Privacy notices can be found here: Easyname Privacy Policy.

Explanation of Terms Used

We strive to make our privacy policy as clear and understandable as possible. Particularly with technical and legal topics, this isn’t always easy. It often makes sense to use legal terms (e.g., personal data) or specific technical expressions (e.g., cookies, IP address). We do not want to use these terms without explanation. Below is an alphabetical list of important terms used in the privacy policy that we may not have sufficiently explained earlier. If these terms are derived from the GDPR and are definitions, we will include the GDPR texts and, if necessary, provide additional explanations.

Data Processor

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Data Processor” refers to a natural or legal person, authority, agency, or other body that processes personal data on behalf of the data controller.

Explanation: As a company and website owner, we are responsible for all data we process from you. In addition to the data controllers, there may also be so-called data processors. This includes any company or individual that processes personal data on our behalf. Data processors can therefore include service providers such as tax advisors, hosting or cloud providers, payment or newsletter providers, or large companies like Google or Microsoft.

Consent

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Consent” of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they, by a statement or a clear affirmative action, signify their agreement to the processing of personal data relating to them.

Explanation: Consent on websites usually occurs through a cookie consent tool. You are likely familiar with this: when you first visit a website, you are often asked via a banner if you agree to data processing or consent. You can usually also make individual settings to decide which data processing you allow and which you do not. If you do not consent, no personal data may be processed. Consent can also be given in writing, not just through a tool.

Personal Data

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Personal Data” means any information relating to an identified or identifiable natural person (the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

Explanation: Personal data includes all information that can identify you as a person. These are typically data such as:

  • Name
  • Address
  • Email address
  • Postal address
  • Phone number
  • Date of birth
  • Identification numbers such as social security number, tax identification number, ID card number, or student ID number
  • Bank details such as account number, credit information, account balances, etc.

According to the European Court of Justice (ECJ), your IP address also counts as personal data. IT experts can determine the approximate location of your device and subsequently identify you as the account holder based on your IP address. Thus, storing an IP address also requires a legal basis under the GDPR. There are also “special categories” of personal data that are particularly sensitive and include:

  • Racial and ethnic origin
  • Political opinions
  • Religious or philosophical beliefs
  • Trade union membership
  • Genetic data such as data from blood or saliva samples
  • Biometric data (information on physical, physiological, or behavioral characteristics that can identify a person)
  • Health data
  • Data on sexual orientation or sexual life

Profiling

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning that person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Explanation: Profiling involves gathering various pieces of information about a person to learn more about them. In the web context, profiling is often used for advertising purposes or credit assessments. Web or advertising analysis programs collect data about your behavior and interests on a website, creating a specific user profile that helps target ads to a specific audience.

Data Controller

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Data Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.

Explanation: In our case, we are responsible for processing your personal data and are thus the “Data Controller.” When we transfer collected data for processing to other service providers, these are “Data Processors.” An “Order Processing Agreement (AVV)” must be signed for this.

Processing

Definition according to Article 4 GDPR

In the context of this regulation, the term:

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

Note: When we refer to processing in our privacy policy, we mean any type of data processing. This includes not only collecting but also storing and processing data.

Final Words

Congratulations! If you are reading this, you have either thoroughly read our entire privacy policy or scrolled down to this point. As you can see from the extent of our privacy policy, we take the protection of your personal data very seriously. It is important to us to inform you to the best of our knowledge and belief about the processing of personal data. We aim not only to inform you about which data is processed but also to explain the reasons for using various software programs. Privacy policies often sound very technical and legal. Since most of you are not web developers or lawyers, we wanted to take a different approach and explain the matter in simple and clear language. This is not always possible due to the topic. Therefore, the most important terms are explained at the end of the privacy policy.

If you have any questions about data protection on our website, please do not hesitate to contact us or the responsible party. We wish you a pleasant time and hope to welcome you back to our website soon.

All texts are protected by copyright.

Source: Created with the AdSimpl Privacy Policy Generator