The protection of personal data is regarded as a matter of paramount importance within our organisation. All processing activities are conducted in strict compliance with the provisions of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the Austrian Data Protection Act (DSG), and other applicable legal frameworks.
This statement provides a consolidated overview of how personal data is collected, processed, and protected across all associated web services and digital platforms operated by our organisation.
1. Principles of Data Processing
All personal data is processed in accordance with the fundamental principles set out in Article 5 GDPR, namely:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
In particular, personal data is limited to what is strictly necessary for the defined processing purposes and is not retained beyond the required duration.
2. Legal Basis for Processing
Processing of personal data is carried out exclusively on one or more of the following legal bases:
- Consent of the data subject (Article 6(1)(a) GDPR)
- Performance of a contract or pre-contractual measures (Article 6(1)(b) GDPR)
- Compliance with legal obligations (Article 6(1)(c) GDPR)
- Legitimate interests pursued by the organisation (Article 6(1)(f) GDPR), provided that such interests are not overridden by the rights and freedoms of the data subject
Each processing activity is clearly assigned to a specific legal basis, ensuring full transparency and auditability.
3. Categories of Data and Purpose of Processing
Personal data may include, but is not limited to:
- Identification and contact data (e.g. name, email address, organisation)
- Technical data (e.g. IP address, browser information, access logs)
- Communication data submitted via forms or other interactions
Data is processed exclusively for defined purposes, including:
- Provision and operation of web services
- Processing of enquiries and communication requests
- Delivery of requested content or services
- Security monitoring and system integrity
- Statistical analysis and service improvement (subject to consent where required)
4. Technical and Organisational Measures
Appropriate technical and organisational measures (TOMs) are implemented in accordance with Article 32 GDPR to ensure a level of security appropriate to the risk. These measures include, inter alia:
- Access control mechanisms and role-based permissions
- Encryption and pseudonymisation where applicable
- Logging and monitoring of system activities
- Regular data backups and recovery procedures
- Network segmentation and secure system configurations
The effectiveness of these measures is regularly reviewed and continuously improved.
5. Data Retention
Personal data is retained only for as long as necessary to fulfil the respective processing purposes or to comply with statutory retention obligations.
Retention periods are defined and documented in accordance with the organisation’s internal Data Protection Handbook, which serves as the authoritative reference for all data lifecycle management processes.
6. Data Transfers and Third-Party Processing
Where personal data is processed by external service providers (processors), such processing is governed by Data Processing Agreements in accordance with Article 28 GDPR.
In cases where data is transferred to third countries outside the European Union, appropriate safeguards are implemented, including:
- Standard Contractual Clauses (SCCs) pursuant to Article 46 GDPR
- Additional technical and organisational measures where required
All transfers are assessed in accordance with applicable legal requirements and documented accordingly.
7. Cookies and Tracking Technologies
The use of cookies and similar technologies is strictly limited to what is necessary and lawful.
Non-essential cookies (e.g. analytics or marketing) are only activated following explicit consent by the user. Users are provided with clear and granular choices regarding cookie categories and may withdraw consent at any time.
8. Rights of Data Subjects
Data subjects are entitled to exercise the following rights under the GDPR:
- Right of access (Article 15 GDPR)
- Right to rectification (Article 16 GDPR)
- Right to erasure (“right to be forgotten”) (Article 17 GDPR)
- Right to restriction of processing (Article 18 GDPR)
- Right to data portability (Article 20 GDPR)
- Right to object (Article 21 GDPR)
- Right to withdraw consent at any time
Requests may be submitted via the contact details provided below.
Furthermore, data subjects have the right to lodge a complaint with the competent supervisory authority, in particular in Austria with the Austrian Data Protection Authority (Datenschutzbehörde).
9. Accountability and Governance
In accordance with the principle of accountability (Article 5(2) GDPR), the organisation ensures that all processing activities are:
- Properly documented
- Subject to internal governance processes
- Regularly reviewed and audited
The organisation’s Data Protection Handbook constitutes the central governance framework and defines all policies, procedures, and controls related to data protection and information security.
10. Continuous Improvement
Data protection and information security are treated as continuous processes. All systems, processes, and controls are subject to ongoing monitoring, risk assessment, and improvement in alignment with evolving regulatory requirements, technological developments, and organisational needs.
11. Contact
For any inquiries regarding data protection or the exercise of data subject rights, please contact: