Privacy Policy

Preamble

The protection of your data is important to us. With the following privacy policy we would like to inform you which types of your personal data (hereinafter also abbreviated as "data") we process for which purposes and in which scope. The privacy statement applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").

The terms used are not gender-specific.

Last Update: 19. May 2025

Legal text by Dr. Schwenke - please click for further information.

Table of contents

Controller

marketmind GmbH
Porzellangasse 32
1090 Vienna
Austria

Authorized Representatives: Dr. Verena Priemer and Dipl.-Wi.-Ing. Dr. Gereon Friederes

E-mail address: marketmind@marketmind.at

Phone: +43-1-369 46 26-0

Legal Notice: https://www.marketmind.at/Legal.aspx

Contact information of the Data Protection Officer

Mag. Dietmar Huemer, LL.M. (Chicago)
Attorney at Law
datenschutz@marketmind.at

Overview of processing operations

The following table summarizes the types of data processed, the purposes for which they are processed and the concerned data subjects.

Categories of Processed Data

Categories of Data Subjects

Purposes of Processing

Relevant legal bases

Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national regulations apply to data protection in Austria. This includes in particular the Federal Act on the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act - DSG). In particular, the Data Protection Act contains special provisions on the right of access, rectification or cancellation, processing of special categories of personal data, processing for other purposes and transmission and automated decision making in individual cases.

Relevant legal basis according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (referred to as "Swiss DPA"). Unlike the GDPR, for instance, the Swiss DPA does not generally require that a legal basis for processing personal data be stated and that the processing of personal data is conducted in good faith, lawfully and proportionately (Art. 6 para. 1 and 2 of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose recognizable to the data subject and process it only in a manner compatible with this purpose (Art. 6 para. 3 of the Swiss DPA).

Reference to the applicability of the GDPR and the Swiss DPA: These privacy policy serves both to provide information pursuant to the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader spatial application and comprehensibility, the terms used in the GDPR are applied. In particular, instead of the terms used in the Swiss FADP such as "processing" of "personal data", "predominant interest", and "particularly sensitive personal data", the terms used in the GDPR, namely "processing" of "personal data", as well as "legitimate interest" and "special categories of data" are used. However, the legal meaning of these terms will continue to be determined according to the Swiss FADP within its scope of application.

Security Precautions

We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of security appropriate to the risk.

The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input, transmission, securing and separation of the data. In addition, we have established procedures to ensure that data subjects' rights are respected, that data is erased, and that we are prepared to respond to data threats rapidly. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and service providers, in accordance with the principle of privacy by design and privacy by default.

Securing online connections through TLS/SSL encryption technology (HTTPS): To protect the data of users transmitted via our online services from unauthorized access, we employ TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the internet. These technologies encrypt the information that is transferred between the website or app and the user's browser (or between two servers), thereby safeguarding the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions conform to the highest security standards. When a website is secured with an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being securely and encryptedly transmitted.

Transmission of Personal Data

In the course of processing personal data, it may happen that this data is transmitted to or disclosed to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include service providers tasked with IT duties or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and particularly conclude relevant contracts or agreements that serve to protect your data with the recipients of your data.

Data Transfer within the Organization: We may transfer personal data to other departments or units within our organization or grant them access to it. If the data is shared for administrative purposes, it is based on our legitimate business and economic interests or occurs if it is necessary to fulfil our contractual obligations or if the data subjects have given their consent or a legal permission exists.

International data transfers

Data Processing in Third Countries: If we transfer data to a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies (which becomes apparent either from the postal address of the respective provider or when explicitly mentioned in the privacy policy regarding data transfer to third countries), this is always done in accordance with legal requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by the EU Commission's adequacy decision of July 10, 2023. Additionally, we have concluded Standard Contractual Clauses with the respective providers, which comply with the EU Commission's requirements and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF serves as the primary level of protection, while the Standard Contractual Clauses act as an additional security measure. Should any changes occur within the DPF framework, the Standard Contractual Clauses will serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For individual service providers, we will inform you whether they are certified under the DPF and if Standard Contractual Clauses are in place. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, appropriate safeguards apply, particularly Standard Contractual Clauses, explicit consent, or legally required transfers. Information on third-country transfers and applicable adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

Disclosure of Personal Data Abroad: In accordance with the Swiss Data Protection Act (Swiss DPA), we only disclose personal data abroad when an appropriate level of protection for the affected persons is ensured (Art. 16 Swiss DPA). If the Federal Council has not determined an adequate level of protection (list of states: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which has been recognized as a secure legal framework by Switzerland's adequacy decision of June 7, 2024. Additionally, we have concluded Standard Data Protection Clauses with the respective providers, which have been approved by the Federal Data Protection and Information Commissioner (FDPIC) and establish contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: The DPF serves as the primary level of protection, while the Standard Data Protection Clauses act as an additional security measure. Should any changes occur within the DPF framework, the Standard Data Protection Clauses will serve as a reliable fallback option. This ensures that your data remains adequately protected even in the event of political or legal changes.

For individual service providers, we will inform you whether they are certified under the DPF and if Standard Data Protection Clauses are in place. The list of certified companies and further information about the DPF can be found on the U.S. Department of Commerce's website at https://www.dataprivacyframework.gov/.

For data transfers to other third countries, appropriate safeguards apply, including international agreements, specific guarantees, FDPIC-approved Standard Data Protection Clauses, or internal company data protection regulations previously recognized by the FDPIC or a competent data protection authority of another country.

Under Art. 16 of the Swiss DPA, exceptions can be made for the disclosure of data abroad if certain conditions are met, including the consent of the affected person, contract execution, public interest, protection of life or physical integrity, publicly made data, or data from a legally provided register. Such disclosures always comply with the legal requirements.

We will inform you which of our service providers are certified under the Data Privacy Framework as part of our privacy notices.

General Information on Data Retention and Deletion

We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are revoked or no further legal bases for processing exist. This applies to cases where the original purpose of processing is no longer applicable or the data is no longer needed. Exceptions to this rule exist if statutory obligations or special interests require a longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax law reasons, or whose storage is necessary for legal prosecution or protection of the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on the retention and deletion of data specifically applicable to certain processing processes.

In cases where multiple retention periods or deletion deadlines for a date are specified, the longest period always prevails.

If a period does not expressly start on a specific date and lasts at least one year, it automatically begins at the end of the calendar year in which the event triggering the period occurred. In the case of ongoing contractual relationships in the context of which data is stored, the event triggering the deadline is the time at which the termination or other termination of the legal relationship takes effect.

Data that is no longer stored for its originally intended purpose but due to legal requirements or other reasons are processed exclusively for the reasons justifying their retention.

Further information on processing methods, procedures and services used:

Rights of Data Subjects

Rights of the Data Subjects under the GDPR: As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

Rights of the data subjects under the Swiss DPA:

As the data subject, you have the following rights in accordance with the provisions of the Swiss DPA:

Maintenance of Data Diligence According to the ESOMAR

Verena Priemer, managing director and owner is a member of ESOMAR (European Society for Opinion and Marketing Research). Therefore, marketmind is committed to uphold the fundamentals of this institution. Hence integrity and diligence in handling data as well as the ethics of our profession form the basis for national and international projects. Moreover, they constitute the pillars of our understanding of the way we work and our view of quality, independently of the mentioned body of regulations.

“As an ESOMAR Member, I comply with the ICC/ESOMAR Code on Market and Social Research and ESOMAR World Research Guidelines.” - Verena Priemer, Managing Director and owner of marketmind

Collection of Data

marketmind conducts surveys for the exclusive purpose of market research. We guarantee that marketmind does not conduct any surveys with the explicit or implicit intention of advertising, selling, or eliciting orders. When collecting personal information from respondents, marketmind shall ensure that respondents are aware of the purpose of the collection and of any quality control activity involving re-contact.

Use of Data

marketmind guarantees that personal information collected and held in accordance with the ESOMAR code shall be collected only for specified research purposes and not used in any manner incompatible with these purposes. The data shall only be used in the context of the specific market research project and shall not be used in any subsequent surveys. We assume full responsibility for ensuring that personal information is preserved no longer than is required for the purpose for which the information was collected or further processed.

We abide by the chief principle that respondents´ personal identity is withheld from the client. The responses supplied by all respondents participating in the project are gathered by marketmind, categorized according to personal attributes, among others, and processed into anonymous statistics. This is the reason why we inquire about statistical information about your person. marketmind communicates the information collected during the market research project to the client exclusively in an anonymous form (e.g. in the form of tables, charts, lists, reports).

marketmind will only communicate a respondent´s identifiable personal information to the client under the following conditions:

- the respondent has expressly desired that the information be passed on to the client and/or

- the respondents have given their explicit consent.

Security of Processing

marketmind shall employ adequate security measures in order to prevent unauthorized access, manipulation or disclosure of the personal data. If personal data are transferred to third parties, it shall be established that these third parties employ at least an equivalent level of security measures.

Your Rights as Respondent

We contact respondents exclusively for purposes of market research. As respondent you are entitled to decline participating in the market research project or to withdraw from the market research interview at any time. If you want to opt out of receiving invitations for participating in market research surveys, you can do so at any time by means of the “opt out” function included in the e-mail or you can send an appropriate message to abmeldung@marketmind.at.

If you should have participated as respondent in a study by marketmind, we would like to thank you for your participation and your trust in our work! By supplying information, you make an active contribution to optimizing products and services for you as client and consumer.

List to avoid unwanted contact (“blacklist”)

If you do not wish to be contacted as part of a survey for market and opinion research purposes and inform us of this, e.g. as feedback on an attempted contact, we will take the following steps.

To avoid unwanted contact by phone or email in the course of future surveys, we maintain a list to prevent unwanted contact (hereinafter referred to as the "blacklist"). Telephone numbers or email addresses included in this list are made unrecognizable using a hash function, a computer-assisted process. Telephone numbers or email addresses included in this list will not be contacted for a survey. This list contains the following personal data:

- Telephone number and/or email address (hash), date of blocking, blocking note

You personally provide us with your telephone number and email address when you request to be included in the list. We process your aforementioned personal data based on the following legal basis:

- legitimate interest pursuant to Art. 6 (1) (f) GDPR; as a market and opinion research institute, we have an interest in ensuring that no contact is made with potential survey participants if they do not wish to be contacted.

Use and disclosure, duration of storage of the blacklist

We use the telephone numbers and email addresses in the blacklist exclusively for the purpose of avoiding contact. Your telephone number or email address will not be shared with third parties. Your personal data will be stored until you revoke your consent. You can revoke your consent informally by email or post to the contact address provided above.

Business processes and operations

Personal data of service recipients and clients - including customers, clients, or in specific cases, mandates, patients, or business partners as well as other third parties - are processed within the framework of contractual and comparable legal relationships and pre-contractual measures such as the initiation of business relations. This data processing supports and facilitates business processes in areas such as customer management, sales, payment transactions, accounting, and project management.

The collected data is used to fulfil contractual obligations and make business processes efficient. This includes the execution of business transactions, the management of customer relationships, the optimization of sales strategies, and ensuring internal invoicing and financial processes. Additionally, the data supports the protection of the rights of the controller and promotes administrative tasks as well as the organization of the company.

Personal data may be transferred to third parties if necessary for fulfilling the mentioned purposes or legal obligations. After legal retention periods expire or when the purpose of processing no longer applies, the data will be deleted. This also includes data that must be stored for longer periods due to tax law and legal obligations to provide evidence.

Further information on processing methods, procedures and services used:

Use of Cookies

The term "cookies" refers to functions that store information on users' devices and read it from them. Cookies can also be used for different purposes, such as ensuring the functionality, security, and convenience of online services, as well as analyzing visitor traffic. We use cookies in accordance with legal regulations. If necessary, we obtain users' consent in advance. If consent is not required, we rely on our legitimate interests. This applies when storing and reading information is essential to provide explicitly requested content and functions. This includes, for example, saving settings and ensuring the functionality and security of our online services. Consent can be withdrawn at any time. We clearly inform users about the scope of the consent and which cookies are used.

Information on legal data protection bases: Whether we process personal data using cookies depends on users' consent. If consent is given, it serves as the legal basis. Without consent, we rely on our legitimate interests, as outlined in this section and in the context of the respective services and procedures.

Storage duration: The following types of cookies are distinguished based on their storage duration:

General information on withdrawal and objection (opt-out): Users can withdraw their consent at any time and object to the processing according to legal regulations, including through the privacy settings of their browser.

Further information on processing methods, procedures and services used:

Contact and Inquiry Management

When contacting us (e.g. via mail, contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to respond to the contact requests and any requested measures.

Further information on processing methods, procedures and services used:

Newsletter and Electronic Communications

We send newsletters, emails, and other electronic notifications (hereinafter "newsletters") exclusively with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during registration for the newsletter, these contents are decisive for the users' consent. Interested parties have the opportunity to voluntarily subscribe to the marketmind newsletter by providing their data. By subscribing to the newsletter, you agree that all data provided may be processed for advertising purposes in the course of sending the newsletter. To subscribe to our newsletter, it is normally sufficient to provide your e-mail address. However, to be able to offer you a personalized service, we may ask you to provide your name so that we can address you personally in the newsletter. Registration takes place via a double opt-in process (confirmation of registration via e-mail required).

Deletion and restriction of processing: You can revoke this consent at any time and without giving reasons by clicking on the unsubscribe link in every newsletter. If you wish to change your data, you can use the corresponding change data link in the newsletter. We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to demonstrate previously given consent. The processing of these data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that at the same time the former existence of consent is confirmed. In case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure mailing system.

Contents:

Information about us, our services, promotions and offers.

Further information on processing methods, procedures and services used:

This data is processed exclusively within the European Union and is not passed on to third parties. Data processing agreement: Provided by the service provider;

Service provider: eworx Network & Internet GmbH
Hanriederstraße 25
4150 Rohrbach-Berg
Austria; Website: https://www.eworx.at/marketing-suite/impressum.
Privacy Policy: https://www.eworx.at/marketing-suite/datenschutz.

Web Analysis, Monitoring and Optimization

Web analytics (also referred to as "reach measurement") is used to evaluate the visitor flows of our online services and may include pseudonymous values related to visitor behavior, interests, or demographic information such as age or gender. Through reach analysis, we can, for example, identify when our online services or their functions and content are most frequently used or likely to encourage repeat visits. It also enables us to determine which areas need optimization.

In addition to web analytics, we may also use testing procedures to test and optimize different versions of our online services or their components.

Unless otherwise specified below, profiles (i.e., data combined from a usage process) may be created for these purposes, and information can be stored in and later retrieved from a browser or device. The data collected includes, in particular, visited websites and elements used on them, as well as technical information such as the browser used, the computer system, and information about usage times. If users have given consent to the collection of their location data to us or to the providers of the services we use, the processing of location data is also possible.

Additionally, users' IP addresses are stored. However, we use an IP masking process (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) is stored as part of web analytics, A/B testing, or optimization. Instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, only the information stored in their profiles for the respective procedures.

Legal basis information: If we ask users for their consent to use third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economic, and user-friendly services). In this context, we would also like to point out the information on the use of cookies in this privacy policy.

Further information on processing methods, procedures and services used:

Profiles in Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may entail risks for users, e.g. by making it more difficult to enforce users' rights.

In addition, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created on the basis of user behavior and the associated interests of users. The user profiles can then be used, for example, to place advertisements within and outside the networks which are presumed to correspond to the interests of the users. For these purposes, cookies are usually stored on the user's computer, in which the user's usage behavior and interests are stored. Furthermore, data can be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective networks or will become members later on).

For a detailed description of the respective processing operations and the opt-out options, please refer to the respective data protection declarations and information provided by the providers of the respective networks.

Also, in the case of requests for information and the exercise of rights of data subjects, we point out that these can be most effectively pursued with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need help, please do not hesitate to contact us.

Further information on processing methods, procedures and services used:

Processing of data in the context of employment relationships

In the context of employment relationships, the processing of personal data aims to effectively manage the establishment, execution, and termination of such relationships. This data processing supports various operational and administrative functions necessary for managing employee relations.

The data processing covers various aspects ranging from contract initiation to termination. Included are the organization and management of daily working hours, management of access rights and permissions, as well as handling personnel development measures and staff appraisals. The processing also serves payroll accounting and management of wage and salary payments, which represent critical aspects of contract execution.

Additionally, the data processing considers legitimate interests of the responsible employer, such as ensuring workplace safety or capturing performance data for evaluating and optimizing operational processes. Moreover, the data processing includes disclosing employee data in external communication and publication processes where necessary for operational or legal purposes.

The processing of this data always takes place with due regard for the applicable legal frameworks, aiming always to create and maintain a fair and efficient working environment. This also includes considering the privacy of affected employees, anonymizing or deleting data after fulfilling the processing purpose or according to legal retention periods.

Further information on processing methods, procedures and services used:

Employee data are deleted under Austrian law when they are no longer necessary for the purpose for which they were collected, unless they must be retained or archived due to legal obligations or the employer's interests. The following retention and archiving obligations are observed:

  1. Data regarding payroll tax and levy obligations under § 132 Abs 1 Federal Tax Code (BAO) - 7 years. The period begins at the end of the calendar year relevant to the data.
  2. Limitation of the obligation to pay social security contributions under § 68 Social Security Code (ASVG) - 3 or 5 years. The period generally begins on the day the contributions are due, or from the day of reporting if no report was filed.
  3. Retention periods in social insurance - 7 years under the Commercial Code (UGB).
  4. Entitlement to holiday under § 4 Abs 5 Holiday Act (UrlG) - 2 years from the end of the holiday year in which the holiday entitlement arose. The period starts 2 years after the end of the holiday year.
  5. Claims for holiday compensation under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins from the date the final claims are due, i.e., the last working day.
  6. Records and reports on workplace accidents under § 16 Worker Protection Act (ASchG) - at least 5 years. The period begins from the day of the workplace accident.
  7. Records on the provision of temporary workers under § 13 Abs 3 Act on Temporary Agency Work (AÜG) - 5 years. The period begins on the day the last wage claim of the temporary worker is due.
  8. Register of minors under § 26 Abs 2 Youth Employment Act (KJBG) - 2 years. The period begins two years after the last entry in the new register.
  9. Claims for compensation due to discriminatory termination of employment under §§ 15 Abs 1a and 29 Abs 1a Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 3 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the date of receipt of the termination.
  10. Claims of the employer or employee from a premature termination of the employment relationship under § 34 Employees Act (AngG) or § 1162d General Civil Code (ABGB) - 6 months. The period begins from the date the claims are due, typically from the day the termination notice is received.
  11. Entitlement to an employment reference under § 1478 General Civil Code (ABGB) - 30 years. The period begins at the termination of the employment relationship.
  12. Claims for compensation due to discriminatory rejection of an application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the rejection is received, or 7 months from the receipt of the application.
  13. Claims for reimbursement of interview expenses under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins on the day the expenses were incurred.
  14. Liability for severance claims and company pensions after a business transfer under § 6 Abs 2 Company Pension Act (AVRAG) - 5 years. The period begins at the time of the business transfer.
  15. Claims for compensation due to discriminatory rejection of a promotion under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the promotion rejection is received.
  16. Claims for compensation due to discriminatory treatment in remuneration, voluntary social benefits, training and further education measures or other working conditions under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 5 Employment of Disabled Persons Act (BEinstG) - 3 years. The period begins at the point the right could first have been exercised and the objective possibility to sue was given.
  17. Claims for compensation due to discriminatory harassment under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 4 Employment of Disabled Persons Act (BEinstG) - 1 year. The period begins from the time the discrimination was recognized.
  18. Claims for compensation due to discriminatory rejection of an application under §§ 15 Abs 1 and 29 Abs 1 Equal Treatment Act (GlBG) and § 7k Abs 1 in conjunction with Abs 2 Z 1 Employment of Disabled Persons Act (BEinstG) - 6 months. The period begins from the day the rejection is received, or 7 months from the receipt of the application.
  19. Claims for compensation due to sexual harassment under § 15 Abs 1 Equal Treatment Act (GlBG) - 3 years. The period begins from the time the discrimination was recognized.
  20. Claims for reimbursement of interview expenses under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins on the day the expenses were incurred.
  21. Claims of the employee for wages or reimbursement of expenses as well as of the employer for advances made on these under § 1486 Z 5 General Civil Code (ABGB) - 3 years. The period begins upon the due date of the respective claims.
  22. Limitation of prosecution for underpayment under § 31 Abs 1 Administrative Penal Act (VStG) in conjunction with § 29 Abs 4 Wage and Social Dumping Prevention Act (LSD-BG) - 3 years. The period begins upon the due date of the wages.
  23. Damage claims of the employer against the employee from employee liability for slight negligence under § 6 Employee Liability Act (DHG) - 6 months. The period begins from the day they can be asserted.
  24. Damage claims of the employer against the employee from employee liability for gross negligence or intentional misconduct and other damage claims of the employer under § 1489 General Civil Code (ABGB) - 3 years or 30 years. The period begins with the shorter term from knowledge of damage and perpetrator, and with the longer term from the occurrence of damage.

 .

Job Application Process

The application process requires applicants to provide us with the data necessary for their assessment and selection. The information required can be found in the job description or, in the case of online forms, in the information contained therein.

In principle, the required information includes personal information such as name, address, a contact option and proof of the qualifications required for a particular employment. Upon request, we will be happy to provide you with additional information.

Where available, applicants are welcome to submit their applications via our online form, which is securely encrypted to the latest standards. Alternatively, applications can also be sent to us by email. However, we kindly remind you that emails are not inherently encrypted over the Internet. While emails are usually encrypted in transit, they are not encrypted on the servers from which they are sent and received. Therefore, we cannot assume responsibility for the security of the application during its transmission from the sender to our server.

For the purposes of searching for applicants, submitting applications and selecting applicants, we may use applicant management or recruitment software and platforms and services from third-party providers in compliance with legal requirements.

Applicants are welcome to contact us about how to submit their application or send us their application by post.

Processing of special categories of data: To the extent that special categories of personal data (Article 9(1) GDPR, e.g., health data, such as disability status or ethnic origin) are requested from applicants or communicated by them during the application process, their processing is carried out so that the controller or the data subject can exercise rights arising from employment law and the law of social security and social protection, in the case of protection of vital interests of the applicants or other persons, or for purposes of preventive or occupational medicine, for the assessment of the employee's work ability, for medical diagnosis, for the provision or treatment in the health or social sector, or for the management of systems and services in the health or social sector.

Ereasure of data: In the event of a successful application, the data provided by the applicants may be further processed by us for the purposes of the employment relationship. Otherwise, if the application for a job offer is not successful, the applicant's data will be deleted. Applicants' data will also be deleted if an application is withdrawn, to which applicants are entitled at any time. Subject to a justified revocation by the applicant, the deletion will take place at the latest after the expiry of a period of six months, so that we can answer any follow-up questions regarding the application and comply with our duty of proof under the regulations on equal treatment of applicants. Invoices for any reimbursement of travel expenses are archived in accordance with tax regulations.

Admission to a talent pool - Admission to a talent pool, if offered, is based on consent. Applicants are informed that their consent to be included in the talent pool is voluntary, has no influence on the current application process and that they can revoke their consent at any time for the future.

Duration of data retention in the applicant pool in months: 12

Privacy Information for Whistleblowers

In this section, you will find information on how we handle data from individuals who provide tips (whistleblowers), as well as from affected and involved parties within the framework of our whistleblower procedure. Our aim is to offer a straightforward and secure means of reporting potential misconduct by us, our employees, or service providers, especially for actions that violate laws or ethical guidelines. Furthermore, we ensure appropriate processing and handling of the reports.

Legal Bases (Austria): To the extent that we process data to fulfil our legal obligations in accordance with the Austrian Whistleblower Protection Act (HSchG), the legal basis for processing is Article 6(1)(c) GDPR and, in the case of special categories of personal data, Article 9(2)(g) GDPR, in conjunction with § 8 HSchG. This relates to the obligation to establish and operate an internal whistleblower reporting office, the fulfilment of its legal duties, and, in the case of using data collected in the reporting process, the initiation of further investigations or employment-related steps against individuals found to have committed a violation.

To the extent that we process data (especially in cases of identified misconduct) for the purpose of or in preparation for legal defence, this is done on the basis of our legitimate interests in lawful and ethical conduct in accordance with Article 6(1)(f) GDPR.

To the extent that consent has been given for processing personal data for specific purposes, processing is based on this consent according to Article 6(1)(a) of the GDPR and in case of special categories of personal data Article 9(2)(a) of the GDPR. An example would be disclosing a whistleblower's identity or creating a verbatim report during a personal meeting. Given consent can be revoked at any time with effect for the future.

Processed types of data:

In the course of receiving and processing reports, as well as in the subsequent whistleblower procedure, we may collect various data. These particularly include information provided by a whistleblower, such as:

For the purposes of fact-finding and further proceedings, we also process the following personal data:

Special categories of personal data:

It may occur that we collect special categories of personal data in the course of our activities, especially when they are provided by a whistleblower. These include:

These data are only processed if they are relevant to the handling of the respective report and have been explicitly provided by the whistleblower.

Use of our online forms: Please note that you have the option to submit tips anonymously. To ensure the security of your data when using our online forms, we recommend accessing them in the so-called 'Incognito Mode' of your browser. Here's how you can open an Incognito window: a) On a Windows PC: Open your browser and press Ctrl+Shift+N; b) On a Mac: Open your browser and press Command+Shift+N; c) On mobile devices: Switch to private mode via the tab menu.

When accessing our website in normal mode, your browser automatically sends certain information to our server, such as browser type and version, date and time of your access. This also includes the IP address of your device. These data are temporarily stored in a log file and automatically deleted after no more than 30 days.

The processing of the IP address serves technical and administrative purposes for establishing a connection to our website. It ensures the security, stability, and functionality of the whistleblower form and is an essential part of our measures to ensure the confidential submission of reports.

The processing of logged data is based on Article 6 (1)(f) GDPR. Our legitimate interest lies in the need for security and the necessity to ensure the technical conditions for a smooth and uninterrupted submission of reports.

Disclosure of names: You have the option to submit reports anonymously. However, unless prohibited by national legislation, we recommend that you provide your name and contact details. This enables us to follow up on the report more effectively and, if necessary, to contact you directly.

Should you choose to provide your name and contact information, your identity will be treated with strict confidentiality. Exceptions to this confidentiality exist only if we are legally obliged to disclose your identity. This may be necessary in order to protect or defend our rights or the rights of our employees, customers, suppliers, or business partners. Another exception is if it is determined that the allegations were made with malicious intent.

Disclosure of data to third parties: Data related to the report provided will only be disclosed to third parties under certain circumstances. This occurs either a) if you have given us your explicit consent according to Art. 6 (1)(a) of the GDPR, or b) if there is a legal obligation to disclose the data pursuant to Art. 6 (1)(c) of the GDPR. Possible third parties include public authorities, government, regulatory or tax agencies, if disclosure is necessary for compliance with a legal or regulatory obligation. Furthermore, within the scope of legal provisions, we may engage lawyers and other professional advisers who are authorized to investigate suspected misconduct and take necessary actions following an investigation, such as initiating disciplinary or legal proceedings. Additionally, carefully selected and supervised service providers whom we employ may also receive data for these purposes (such as operators of a web-based reporting tool). However, these providers are contractually bound to comply with the prevailing data protection regulations under a so-called data processing agreement.

Data retention and deletion: Personal data will be processed only for as long as necessary to fulfil the purposes of processing described above. If the data are no longer needed for these purposes, they will be deleted. However, in certain situations, the data may be retained for longer periods to meet legal requirements, provided this is necessary and proportionate. In such cases, the data will be deleted as soon as they are no longer required for these purposes.

Technical and organizational measures: We have implemented the necessary contractual, technical, and organizational measures to ensure the security of all data processed by us. This data is processed exclusively for the purposes set out. The incoming hints are handled by authorized individuals who gain access to the respective reports and carry out the subsequent examination of the facts. Our employees are specifically trained, educated, and bound to strict confidentiality in the proper execution of these examinations of facts.

Changes and Updates

We kindly ask you to inform yourself regularly about the contents of our data protection declaration. We will adjust the privacy policy as changes in our data processing practices make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, we ask you to note that addresses may change over time and to verify the information before contacting us.

 Supervisory authority competent for us:

Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna

Terminology and Definitions

In this section, you will find an overview of the terminology used in this privacy policy. Where the terminology is legally defined, their legal definitions apply. The following explanations, however, are primarily intended to aid understanding.

 

1