The data protection officer of ATH&S GmbH is Mr. Peter Riesen.
With these data protection regulations, we inform you (hereinafter also referred to as the «User» or «Data Subject») about our data processing in general, when you visit our website and when you contact us by email or phone. We will also inform you about your rights with regard to the processing of your data. Conceptually, «data processing» always means processing of personal data.
1.1 Categories of personal data
We process the following categories of personal data:
1.2 Recipient or categories of recipients of personal data
If, as part of our data processing, we disclose, transfer data or otherwise provide access to data to other persons and companies, such as web hosts, order processors or third parties, we do so legally (for example, if the transfer of data to third parties in accordance with Article 6, Chapter 1, paragraph b of the DS-GVO (General Data Protection Regulation) is necessary to fulfill contract terms), if the data subjects have expressed their consent to this or it is provided for by a legal obligation.
1.3 Duration of personal data storage
The criterion for the duration of storage of personal data is the corresponding statutory retention period. After this period, we delete the relevant data if they are no longer required to achieve their purpose or to fulfill or prepare a contract.
1.4 Transfer to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so as part of the use of third-party services or disclosure or transfer of information to third parties, then the only reason for doing so is fulfillment of our (preliminary) contractual obligations, based on your consent, on a legal obligation or our legitimate interests. Provided that there are no legal or contractual obstacles, we process or allow data processing in a third country only if there are special conditions in accordance with Article 44 and the following provisions of the DS-GVO (General Data Protection Regulation), i.e. processing is carried out, for example, on the basis of special guarantees, such as an officially recognized conclusion on compliance of the level of confidentiality with EU standards, or compliance with officially recognized special contractual obligations (so-called “standard contractual provisions”).
2.1 Log Files
Every time a data subject accesses our website, general data and information are entered and stored in registration files of our system:
When using these general data and information, we do not draw any conclusions about the data subject. Personal evaluation or evaluation of personal data for marketing purposes or for the formation of a profile is not carried out. The IP address is not saved in connection therewith.
The legal basis for temporary data storage is Article 6, Chapter 1, paragraph f of the DS-GVO (General Data Protection Regulation). Data collection enabling access to the site and the storage of data in registration files are absolutely necessary for smooth operation of our website. Therefore, no objections can be raised on the part of the data subject.
2.2 Malware detection and log data analysis
We collect log data accumulated during operation of our company’s communication equipment and automatically analyze it if it is necessary to detect, trace or eliminate failures or errors in communication devices, to protect against attacks on our information technology systems, or to detect and protect against malware.
The legal basis for temporary data storage is Article 6, Chapter 1, paragraph f of the DS-GVO (General Data Protection Regulation). Data storage and analysis are absolutely necessary to ensure the possibility of using the site and its smooth operation. Therefore, no objections can be raised on the part of the data subject.
The hosting services we use are designed to provide the following services: infrastructure and platform support services, computing capabilities, disk space and database services, security services, as well as maintenance services that we use to operate our website.
At the same time, we or our third-party service provider process credentials, contact data, content data, contract data, usage data, metadata and communication data of users of our website based on our legitimate interests in effective and reliable provision of this Internet service platform in accordance with Article 6, Chapter 1, paragraph f of the DS-GVO (General Data Protection Regulation) in combination with Article 28 of the DS-GVO (conclusion of contracts for data processing by third-party service providers).
3.1 Establishing communication by e-mail
You can contact us at the email address published on our website.
If you use this communication method, the data specified in your message (for example, first name, last name, address), but at least the email address and the information contained in the email, may be stored together with the personal data that you provide for the purposes of contacting and processing your requests. In addition, our system collects the following data:
The legal basis for the processing of personal data within the framework of messages sent to us by email is Article 6, Chapter 1, paragraph b or f of the DS-GVO (General Data Protection Regulation).
3.2 Establishing communication by regular mail/fax
If you send us an email or fax, the data that you transmit (for example, first name, last name, address) and the information specified in the email or fax are stored together with the personal data that you provide for the purposes of contacting and processing your requests.
The legal basis for the processing of personal data within the framework of messages sent to us by email and fax is Article 6, Chapter 1, paragraph b or f of the DS-GVO (General Data Protection Regulation).
As a data subject, you have the following rights in connection with the processing of your personal data:
4.1 Right to receive information
(1) The data subject shall have the right to request confirmation from the responsible person as to whether personal data concerning itself are being processed; if so, it shall have the right to receive a statement of such personal data and the following information:
a) processing purposes;
b) categories of personal data that are being processed;
c) recipients or categories of recipients to whom personal data has been disclosed or is still being disclosed, especially those from third countries or international organizations;
d) if possible, the planned period of storage of personal data or, if this is not possible, the criteria for determining this period;
e) whether there is a right to correct or delete personal data involved, or to restrict the processing of such data by the responsible person or to object to such processing;
f) whether there is a right to appeal to a supervisory authority;
g) all available information about the origin of the data if personal data are not collected from the data subject itself;
h) availability of automated decision-making, among other things regarding data profiling, in accordance with Art. 22, Chapter 1 and Chapter 4 of the DS-GVO (General Data Protection Regulation), and, at least in these cases, reliable information about the logic involved, as well as the extent and expected consequences of such processing for the data subject.
(2) If personal data are transferred to a third country or an international organization, the data subject shall have the right to be informed of the relevant guarantees in accordance with Article 46 of the DS-GVO (General Data Protection Regulation) related to the transfer.
4.2 Right to rectification
The data subject shall have the right to immediately demand that the responsible person rectifies any incorrect personal data related to the data subject. Taking into account the purpose of processing, the data subject shall have the right to request (also by means of a separate application) additional completion of missing personal data.
4.3 Right to erasure / right to be forgotten
(1) The data subject shall have the right to demand that the responsible person immediately delete personal data related to the data subject, and the responsible person shall be obliged to immediately delete personal data provided that the following reasons exist:
a) personal data are no longer required for the purposes for which they were collected or otherwise processed.
b) the data subject withdraws the consent on the basis of which the processing was carried out in accordance with Article 6, Chapter 1, paragraph a) or Article 9, Chapter 2, paragraph a) of the DS-GVO (General Data Protection Regulation), and there are no other legal grounds for such processing.
c) the data subject objects to data processing in accordance with Article 21, Chapter 1 of the DS-GVO (General Data Protection Regulation), and there are no more substantial legal grounds for processing, or the data subject objects to processing in accordance with Article 21, Chapter 2 of the DS-GVO.
d) personal data have been processed illegally.
e) the deletion of personal data is necessary to fulfill legal obligations in accordance with the legislation of the Union or EU Member States in which the data protection officer is located.
f) personal data were collected within the framework of services offered by the information society, in accordance with Article 8, Chapter 1 of the DS-GVO (General Data Protection Regulation).
(2) If the responsible person has published personal data and is obliged to delete them in accordance with Chapter 1, it shall be obliged to take appropriate measures, taking into account available technologies and implementation cost, including technical measures, to inform the data processing persons responsible for processing personal data about the data subject’s requirement to delete all personal data and all references to these personal data or copies thereof, or reproduction of such personal data.
(3) Chapters 1 and 2 are not applicable if data processing is required
a) to exercise the right to freedom of speech and information;
b) to fulfill a legal obligation requiring the processing of data in accordance with the legislation of the Union or EU Member States to which the responsible person is subordinate, or to perform a task in the public interest, or if the processing takes place within the exercise of authority vested in the responsible person;
c) based on public interest in the field of public health in accordance with Article 9, Chapter 2 of paragraph h) and paragraph i), as well as Article 9, Chapter 3 of the DS-GVO (General Data Protection Regulation);
d) for the purposes of archiving, scientific or historical research or for statistical purposes in accordance with Article 89, Chapter 1, since it is assumed that the right referred to in Chapter 1 makes it impossible or seriously affects the achievement of purposes of this processing, or
e) to comply with, execute or defend legal requirements.
4.4 Right to restrict data processing
(1) The data subject shall have the right to demand that the responsible person restricts processing if one of the following conditions is met:
a) the accuracy of the personal data is disputed by the data subject, for a period of time that allows the responsible person to verify the accuracy of the personal data;
b) the processing is illegal, and the data subject refuses deletion of the personal data and requests restriction of their use instead;
c) the responsible person no longer needs personal data for processing purposes, but the data subject needs them to assert, exercise or protect their legal rights, or
d) the data subject objected to the processing in accordance with Article 21, Chapter 1 of the DS-GVO (General Data Protection Regulation), for a period until it is established whether legitimate grounds for the objections of the responsible person have priority over legitimate grounds of the data subject.
(2) If the processing of personal data is restricted in accordance with Chapter 1, then these personal data, regardless of their accumulation, may be processed only with the consent of the data subject or for compliance, exercising or protection of legal claims, or for protection of rights of another natural person or legal entity, or for reasons related to important public interests of the Union or an EU Member State.
4.5 Right to data portability
(1) The data subject shall have the right to receive personal data related thereto, which it has provided to the responsible person, in a structured, generally accepted and machine-readable format, and shall also have the right to transfer such data to another responsible person without involving the person to whom these data were submitted, provided that
a) processing is based on consent in accordance with Article 6, Chapter 1, paragraph a) or Article 9, Chapter 2, paragraph a) of the DS-GVO or is based on a contract in accordance with Article 6, Chapter 1, paragraph b) of the DS-GVO, and
b) the processing is carried out with the use of automated processes.
(2) When exercising its right to data portability in accordance with Chapter 1, the data subject shall have the right to request the transfer of personal data directly from one responsible person to another responsible person, to the technically feasible extent.
The right under Chapter 1 must not infringe on the rights and freedoms of others.
This right does not apply to processing necessary for the performance of tasks for the purposes of public interest, or if the processing takes place within the framework of the exercise of authority entrusted to the responsible person.
4.6 Right to object to processing
The data subject shall have the right at any time to object to the processing of personal data relating thereto, occurring in accordance with Article 6, Chapter 1, paragraph e) or f) of the DS-GVO (General Data Protection Regulation), for reasons arising from its specific situation; this shall also be applicable to data profiling based on these provisions. In such a case, the responsible person stops processing personal data, with the exception of cases when it can present substantial legal grounds for processing which prevail over the interests, rights and freedoms of the data subject, or when the processing serves to comply with, fulfill or protect legitimate requirements.
In connection with the use of information society services and regardless of Directive 2002/58/EC, the data subject may exercise its right to object by automated means using technical specifications.
4.7 Right to withdraw consent to data processing
The data subject shall have the right to withdraw its consent to the processing of personal data carried out in accordance with the legislative provision on data protection at any time. Withdrawal of consent shall not affect the validity of processing performed on the basis of consent prior to its withdrawal.
4.8 Right to appeal to a supervisory authority
Any data subject shall have the right to appeal to a supervisory authority without prejudice to any other administrative and legal or judicial remedies, in particular in an EU Member State at its place of residence, place of work or place of alleged violation, if the data subject believes that the processing of personal data involving itself violates this Provision.