Data Privacy Statement

5. Purpose of data collection

We collect (personal) data for the following purposes:

• provision of the website, its contents and functions
• personalised display of website content
• maintenance of inventory data and usage data
• acquisition of new customers
• recruitment of employees
• application procedures
• preparation and response to contact requests and communication with users
• other services for customers
• provision of contract performance services, service, and customer care
• marketing, advertising, and market research
• safety precautions

6. Modifications and updates to this data privacy statement

We ask you to regularly catch up on the content of our data privacy statement. We will modify the data privacy statement as soon as changes to our data processing make this necessary. We will inform you as soon as the modifications make your cooperation (e.g., consent) necessary or if any other individual notification is required.  

7. Data transfer to third countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if this takes place in the context of the use of services by third parties or disclosure and/or transfer of data to third parties, this will only take place if we need to fulfil our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or on the basis of our legitimate interests. Subject to legal or contractual permissions, we will process the data, or have them processed, in a third country only in the presence of the special prerequisites of Article 44 et seq. GDPR. I.e., the processing is carried out observing officially recognised specific contractual obligations (so-called “standard contract clauses”). 

8. Cookies

a. We set temporary and permanent cookies. Cookies are files that your browser stores on your terminal device when you visit our website. In part, cookies are used for security purposes or are required for the operation of our website (e.g., for the presentation of the website) or to store the user's decision when confirming the cookie banner. In addition, we or our technology partners use cookies for reach measurement and marketing purposes, about which users will be informed further below in this data privacy statement.

b. A general objection to the use of cookies used for the purposes of online marketing can be declared for a variety of services, particularly in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, you can prevent the storage of cookies by disabling them in your browser settings. Please note that you may not be able to use the entire range of functions of this website in this case.

c. Cookies are pieces of information that our web server or third-party web servers transmit to the users’ web browser and store there for later retrieval. Cookies can be small files or other types of information storage.

d. We use “session cookies”, which are stored only for the duration of the current visit to our online presence (e.g., in order to be able to even allow the use of our website). A session cookie stores a randomly generated unique identification number, a so-called session ID. A cookie also contains information about its origin and storage period. These cookies cannot store any other data. Session cookies will be deleted after you have finished using our website and, e.g., log out or close your browser.

e. This data privacy statement will inform users about the use of cookies in the context of pseudonymous reach measurement.

f. If users do not want cookies to be stored on their computer, we ask them to disable the relevant option in the system settings of their browser. Stored cookies can be deleted in the system settings of the browser. Excluding cookies can lead to functional limitations of this website.

g. You can object to the use of cookies used for reach measurement and advertising purposes at the opt-out page of the Network Advertising Initiative (http://optout.networkadvertising.org/) and additionally the US website (http://www.aboutads.info/choices) or the European website (http://www.youronlinechoices.com/uk/your-ad-choices/).  

10. Cookies/integration of third-party services and content

a. Within our website, we use third-party content or service offerings to integrate their content and services, such as videos (hereinafter uniformly referred to as "content") on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and efficient operation of our website within the meaning of Article 6(1)(f) GDPR). This always assumes that the third parties providing this content will view the IP address of the users, as they could not transmit the content to their browsers without the IP address. The IP address is hence required for the presentation of that content. We strive to use only such content whose respective providers use the IP address only for the delivery of the content. Third-party providers can also use so-called web beacons (invisible graphics, also known as web bugs) for statistical and marketing purposes. The web beacons allow information, e.g., visitor traffic on the pages of this website, to be evaluated. The pseudonymized information may also be stored in cookies on the devices of the users and, among other things, may contain technical information about the browser and operating system used, referring websites, visit time and contain information about the use of our website as well as be associated with such information from other sources.

b. The following provides an overview of third-party providers and their content, along with links to their respective data privacy statements, which include more information on data processing and, in some cases already mentioned here, means of objection (so-called opt-out).

11. Use of HubSpot

We use HubSpot for marketing activities on our website. HubSpot is a US software provider with a branch in Ireland, HubSpot Ireland Limited in 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.

We use this integrated software solution for our own marketing, lead generation, applications, and customer service purposes. This includes, among others, e-mail marketing, which manages the distribution of newsletters as well as automated mailings, social media publishing and reporting, contact management such as user segmentation and CRM, landing pages and contact forms.

HubSpot uses cookies, small text files that are stored locally in the cache of your web browser on your terminal device and allow us to analyse your use of the website. HubSpot analyses the information collected (e.g., IP address, geographical location, browser type, visit duration and pages viewed) on our behalf so that we can generate reports on the visit and the pages visited.

Information collected by HubSpot and the content of our website is stored on servers of HubSpot's service providers. If you have granted your consent to this in accordance with Article 6(1)(1)(a) GDPR, processing on this website is carried out for the purpose of website analysis.

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To guarantee this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US. Learn more about HubSpot’s privacy policy here: https://legal.hubspot.com/de/privacy-policy. 
For more information on the DPA, please refer to: https://legal.hubspot.com/de/dpa 

The data will be deleted as soon as they are no longer required for the achievement of the purpose of their collection. We will check the requirement every two years. Enquiries by customers who have a customer account will be stored permanently. Regarding a deletion, we refer to the information on the customer account. In the case of the legal archiving obligations, the deletion will take place after their expiry (end of commercial law retention obligation (6 years) and tax law retention obligation (10 years)).

You can permanently object to the collection of data by HubSpot and the placement of cookies by preventing the storage of cookies accordingly via your browser settings. You can object to the processing of your personal data at any time with effect for the future.

12. Use of HubSpot Video

We integrate videos on our website using “HubSpot Video”. HubSpot Video allows videos to be uploaded to HubSpot's file tool and then added to pages, marketing e-mails, blog posts, and knowledge base articles. HubSpot is a US software provider with a branch in Ireland, HubSpot Ireland Limited in 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.

If the playback of embedded HubSpot videos starts following your consent, the provider will set “HubSpot Video” cookies. “HubSpot Video” cookies are small text files that are stored locally in the cache of your web browser on your terminal device and allow us to analyse your use of the video content on our website. HubSpot analyses the information collected (e.g., IP address, geographical location, browser type, visit duration and pages viewed) on our behalf so that we can generate reports on the performance of the video playback. The information collected via the “HubSpot Video” cookie is stored on the servers of HubSpot's service providers.

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To guarantee this, we have agreed standard data protection clauses with the provider HubSpot in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US. 

For more information on data protection and data use by HubSpot, please refer to: https://legal.hubspot.com/de/privacy-policy
For more information on the DPA, please refer to: https://legal.hubspot.com/de/dpa

13. Youtube

We embed videos from “YouTube”, a social media platform of Google Ireland Limited, Google Building Gordon House, Barrow St, Dublin 4, Ireland (hereinafter referred to as “Google”) into our website. The legal basis for processing your personal data is the consent you have granted for this purpose pursuant to Article 6(1)(a) GDPR.

If the playback of embedded YouTube videos starts following your consent, the provider “YouTube” will set cookies to collect information about the user behaviour. According to YouTube, these cookies are used, among other things, to collect video statistics, improve user-friendliness and prevent abuse. If you are logged in to your Google account, your data will be directly associated with your account when you click on a video. If you do not wish to have your data associated with your YouTube profile, you must log out before activating the button. Google stores this data as usage profiles and uses it for advertising, market research and/or designing their websites to meet user needs. Such an evaluation is carried out in particular (also for users who are not logged in) for the display of customised advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles. Please contact Google directly in this regard.

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To ensure this, Google uses standard data protection clauses in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US.

Please refer to the following Google websites for further information on data protection and data use by Google: https://policies.google.com/privacy?hl=de&gl=de

14. Google Recaptcha

We use “Google reCAPTCHA” (hereinafter “reCAPTCHA”) on our website. This service is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). 

The purpose of reCAPTCHA is to check whether the data input on our website (e.g., in a contact form) is made by a human or by an automated programme. To this end, reCAPTCHA analyses the behaviour of the website visitor on the basis of different characteristics. This analysis begins automatically as soon as the website visitor accesses the website. For this purpose, reCAPTCHA evaluates various details, e.g.,
IP address, the time spent on the website, 
mouse movements made by the user. 

The data collected during the analysis is transmitted to Google.

The reCAPTCHA analyses run entirely in the background. Website visitors are not made aware that an analysis is taking place. Data processing is based on Article 6(1)(f) GDPR.
We have a legitimate interest in protecting our website from abusive automated spying and from unwanted automated mailings (spam).

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To guarantee this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US.

We do not store any personal data from the use of reCAPTCHA. In general, the personal data of the data subject will be erased or blocked as soon as the purpose for storage lapses.

For further information on Google reCAPTCHA and Google's data privacy statement, please refer to the following links: https://www.google.com/intl/de/policies/privacy/ and https://www.google.com/recaptcha/intro/v3beta.html

15. Google Maps

Our website uses Google Maps, an online map service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google Maps uses so-called “cookies”.   

Google will use this information on behalf of the operator of this website to show the exact location of our company and facilitate the journey to us. In order to show the different routes, map sections of our locations are integrated into our website using HTML code. 

When accessing those sub-pages in which the Google Maps map is embedded, information about your use of our website (such as your IP address) is transmitted to Google servers and stored there. This occurs regardless of whether Google provides a user account via which you are logged in or whether a user account exists. If you are logged in to Google, your data will be directly associated with your account. If you do not wish to have your data associated with your Google profile, you must log out before activating the button. Google stores your data (even for users who are not logged in) as usage profiles and evaluates them. 

The IP address sent by your browser in the context of Google Maps is not combined with other Google data. Processing takes place pursuant to Article 6(1)(a) GDPR on the basis of the consent you have granted. 

We have concluded a data processing agreement with the service provider, in which we oblige them to protect our customers' data and not disclose them to third parties.  

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To guarantee this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US.  

Please refer to the following links for Google Maps’ terms of use and information on data protection:  
https://www.google.com/intl/de_US/help/terms_maps.html
https://www.google.de/intl/de/policies/   

The data will be deleted as soon as they are no longer required for the achievement of the purpose of their collection. Data on user and event level associated with cookies, user identifiers (e.g., user ID) and advertising identifiers (e.g., double-click cookies, Android advertising ID, IDFA [Apple identifier for advertisers]) will be deleted 14 months after collection at the latest. 

You can prevent cookies from being stored by adjusting the settings of your browser software accordingly. However, we would like to inform you that in this case, you may not be able to use all functions of this website without restrictions. You may also prevent Google from collecting the data generated by the cookie and from analysing your website use (including your IP address) and processing this data by downloading and installing the browser plug-in available from https://tools.google.com/dlpage/gaoptout?hl=de

16. New Relic

Since personal data is transferred to the US, this requires further protection mechanisms to ensure the level of data protection of the GDPR. To guarantee this, we have agreed standard data protection clauses with the provider in accordance with Article 46(2)(c) GDPR. These oblige the recipient of the data in the US to process the data in accordance with the level of protection in Europe. In cases where this cannot be guaranteed even by means of this contractual extension, we will seek to obtain additional regulations and commitments from the recipient in the US. For further information on data protection, please refer to: https://newrelic.com/termsandconditions/privacy

17. Kununu

Our website uses the kununu live score widget of the social network Kununu, which is operated by XING Kununu Prescreen GmbH, Schottenring 2-6, A - 1010 Vienna, Austria, of the parent company Xing GmbH & Co. KG, Dammtorstraße 30, 20354 Hamburg, Germany. 
When you access our website, which includes this widget, your browser will establish a direct connection with Kununu’s servers. Kununu will send the button's content directly to your browser and, from there, integrate it into the website. This way, we allow our visitors to view our kununu live score on our website to strengthen our image. The legal basis of the use is Article 6(1)(1)(f) GDPR. We would like to point out that we, as providers of the websites, have no knowledge about the content of the transmitted data and their use by Kununu. We have no influence on the extent of the data that Kununu collects with the button. Please obtain the purpose and scope of data collection and the further processing and use of the data by Kununu, as well as your rights and setting options related to this to protect your privacy from Kununu’s data privacy information at http://www.kununu.com/info/agb or the data privacy statement of Xing at https://privacy.xing.com/de/datenschutzerklaerung. 
If you do not want Kununu to associate the visit to our website with your user account, please log out of your Kununu account prior to visiting our website.

18. Online presences in social networks

a. We have online presences in social networks and platforms to communicate with the customers, prospects, and users active there and to be able to inform them there about our services. When you access the respective networks and platforms, the terms and conditions and data processing guidelines of their respective operators apply.

b. Unless otherwise specified in our data privacy statement, we will process the data of users if they communicate with us within social networks and platforms, e.g., make posts on our online presences or send us messages.

19. Legal basis of data collection, processing and storage

a. If we obtain consent for a specific processing purpose, Article 6(1)(a) GDPR will serve as the legal basis for our group’s processing operations.

b. If processing personal data is required for the performance of a contract to which the data subject is the contractual party, processing shall be based on Article 6(1)(b) GDPR. This is the case, for instance, when processing data that is necessary for the provision of another service or counterperformance. The same applies if data processing is necessary in the context of pre-contractual measures, for example, in the context of application procedures (cf. Section 24). This also applies to enquiries regarding our products or services.

c. If our group of companies is subject to legal obligations that make the processing of personal data necessary, the processing shall be based on Article 6(c) GDPR. This is the case, for instance, when meeting tax obligations.

d. By way of exception, the protection of vital interests of the data subject or another natural person may make the processing of personal data necessary, for instance, if a visitor to our group of companies were to be injured and, in this context, for instance, name, age, health insurance details or other vital information would have to be passed on to third parties such as the emergency doctor. In this case, Article 6(1)(d) GDPR serves as the legal basis.

e. If none of the above regulations is relevant, the processing of data can also be based on Article 6(1)(f) GDPR. This is the case if processing is necessary to protect a legitimate interest of our group of companies or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. We are therefore entitled to processing operations on this basis because they have been specifically mentioned in the GDPR. A legitimate interest exists, for instance, if there is a relevant and appropriate relationship between the data subject and the controller, for example, if the data subject is a customer or employee of the controller (Recital 47, Sentence 2, GDPR).

f. The transfer to state institutions and authorities entitled to receive information only takes place within the framework of the legal obligations to provide information or if we are obliged to provide information by a court decision.

g. In any case, your data will be deleted after the contract has been processed and after the expiry of the terms resulting from tax and commercial law provisions (see Section 23).

20. Duration of data storage

The storage duration of personal data is based on the respective statutory retention periods. After the expiry of this period, the corresponding data is deleted routinely if it is no longer required for the fulfilment or initiation of the contract (cf. Section 11).

21. Rights of the data subject

If your personal data is processed, you are a “data subject” in the sense of the GDPR. You are therefore entitled to the following rights. For the assertion of these rights, please contact our data protection officer or another employee of the Tintschl Group at any time: Right of confirmation and access

a. Right of confirmation and information
You have the right to request confirmation from the controller as to whether they are processing personal data concerning you. Furthermore, as a data subject, you have the right to obtain information free of charge about the personal data stored about you and the following information:
• the purposes of processing
• the categories of personal data that are being processed
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations
• if possible, the planned duration for which the personal data will be stored or, if this is impossible, the criteria for determining this duration
• the existence of a right to rectification or erasure of personal data concerning you or the right to restriction of processing by the controller or a right to object to this processing
• the existence of a right of appeal to a supervisory authority
• if the personal data are not collected from the data subject: all available information on the origin of the data
• the existence of automated decision-making, including profiling according to Article (22)(1) and (4) GDPR and – at least in these cases – meaningful information about the logic involved as well as the scope and desired effects of such processing for the data subject. 
You, as a data subject, have the right to request information as to whether or not personal data was transmitted to a third country or an international organisation. If this is the case, you also have the right to obtain information on the appropriate safeguards in connection with the transfer.

b. Right to rectification
You have the right to request the immediate rectification of inaccurate personal data without delay. You also have the right to request incomplete personal data be completed, including by means of a supplementary declaration, taking into account the purposes of the processing.

c. Right to erasure (“right to be forgotten”)  
You have the right to request that the controller erases personal data concerning you without delay if one of the following reasons applies and insofar as no processing is necessary:
• Personal data was collected or otherwise processed for such purposes for which it is no longer necessary.
• You have revoked your consent on which the processing according to Article (6)(1)(a) GDPR or Article (9)(2) GDPR was based, and there is no other legal basis for processing.
• As a data subject, you have objected to processing according to Article(21)(1) GDPR and there are no other legitimate reasons for processing, or you object to processing according to Article(21)(2) GDPR.
• Personal data have been processed unlawfully.
• The erasure of personal data is required for compliance with a legal obligation according to European Union law or the law of the Federal Republic of Germany to which the controller is subject.
• Personal data have been collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.

If one of the above reasons applies and you want personal data stored by the Tintschl Group to be deleted, you can contact our data protection officer or another employee of the Tintschl Group of Companies at any time. We will comply with your request for erasure without delay. 
If we have published the personal data and are obliged to erase these data, we shall, taking into account the available technology and implementation costs, take the appropriate measures, also of a technical nature, to inform the controllers that you have requested the erasure of all links to these personal data or of copies or replications of these personal data.

d. Right to restriction of processing
You have the right to request the controller to restrict processing if one of the following conditions applies:
• The accuracy of the personal data is contested by the data subject for a period allowing the controller to verify the accuracy of the personal data.
• The processing is unlawful, the data subject objects to the erasure of the personal data and instead requests the restriction of the use of the personal data.
• The controller no longer needs the personal data for the purpose of processing, however, the data subject needs them for the enforcement, exercise, or defence of legal claims.
• The data subject has objected to processing in accordance with Article 21(1) GDPR, and it has not yet been decided whether the legitimate reasons of the controller outweigh those of the data subject.
If one of the aforementioned conditions applies and you, as a data subject, want to request the restriction of processing of personal data stored with the Tintschl Group, you can contact our data protection officer or another employee of the Tintschl Group at any time. We will arrange the restriction of the processing.

e. Right to data portability
You have the right to obtain the personal data concerning you which you have provided to the Tintschl Group in a structured, common and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the Tintschl Group, provided that the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR and the processing is carried out with the assistance of automated procedures unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 
As a data subject, when exercising your right to data portability pursuant to Article 20(1) GDPR, you also have the right to obtain that the personal data be transferred directly from the Tintschl Group to another controller, insofar as this is technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.

f. Right to object  
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Article 6(1)(e) or (f) GDPR. This also applies to profiling based on these provisions. In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override the interests, rights, and freedoms of the data subject or for the enforcement, exercise, or defence of legal claims. 
If the Tintschl Group processes personal data for the purpose of direct marketing, data subjects have the right to object at any time to the processing of personal data processed for such marketing. This also applies to profiling in connection with such direct marketing. In the event of the data subject objecting to the processing for direct marketing purposes, we will no longer process the personal data for these purposes. 
As a data subject, you also have the right, on grounds relating to your particular situation, to object to the processing of personal data which is carried out by the Tintschl Group for scientific or historical research purposes or for statistical purposes pursuant to Article 89(1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest. 
To exercise the right to object, please directly contact our data protection officer or another employee. The data subject also has the option, in relation to the offer of information society services, notwithstanding Directive 2002/58/EC, to exercise their right to object by means of automated processes in which technical specifications are used.

g. Automated individual decision-making, including profiling
You have the right not to be subjected to a decision solely based on automated processing – including profiling – which takes legal effect against you or significantly impacts you in a similar way. Unless the decision is
• not required for the conclusion or performance of a contract between the data subject and the controller, or,
• due to statutory provisions of the European Union or the member states to which the controller is subject, is admissible, and these statutory provisions contain appropriate measures in order to safeguard the rights and freedoms as well as legitimate interests of the data subject or
• is made with the express consent of the data subject. If the decision
• is required for the conclusion or performance of a contract between the data subject and the controller, or
• is carried out with the express consent of the data subject,
the Tintschl Group shall take appropriate measures in order to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which includes at least the right to obtaining the intervention of a person on the part of the controller, the right to presentation of one's own position and the right to challenge the decision.

h. Right to revoke consent under data protection law
You have the right to revoke your consent to the processing of personal data at any time.

22. Legitimate interests in the processing pursued by the controller or a third party

Where the processing of personal data is based on Article 6(1)(f) GDPR, our legitimate interest is to conduct our business for the benefit of our workforce, shareholders and owners. 

23. Existence of automated decision-making

Since we make our own decisions and also consider ourselves responsible in this regard, we do not use automated decision-making or profiling.

Status: 16.12.2022