Data protection

Data privacy statement

This data privacy statement informs you about the nature, scope and purpose of processing personal data (referred to simply as “data” in the following) within our online offering and the related websites, functions and content as well as external online presences such as our social media profiles (jointly referred to as “online offering” in the following). In regards to the terminology that is used, such as “processing” or “controller”, please refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Controller

APMT Gmbh
Advanced Production Methods and Tools

Tannenweg 6
A-8160 Weiz, Austria
Phone: 0043 3172 30606
Fax: 0043 3172 306064
E-Mail: apmt@apmt.at

General Manager + Owner: Günter Christandl

VAT Registration No: ATU63348728

Legal notice

For data protection inquiries, please contact:

Günter Christandl
E-Mail: apmt@apmt.at, Phone: 0043 3172 30606

Type of data disseminated:

– Basic data (e.g. name, address).
– Contact data (e.g. e-mail, telephone numbers).
– Content data (e.g. text input, photos, videos).
– Usage data (e.g. websites visited, interest in content, access times).
– Metadata/communication data (e.g. device information, IP addresses).

Categories of data subjects

Visitors and users of the online offering (in the following, data subjects are also jointly referred to as “users”).

Purpose of processing

– Delivering the online offering, its functions and contents.
– Responding to contact requests and communicating with users.
– Security measures.
– Coverage measurement/marketing.

Terminology

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Processing” means any operation or set of operations which is performed on personal data or on sets of personal data. The term is far-reaching and encompasses practically all handling of data.

“Pseudonymisation” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Applicable legal basis

We inform you of the legal basis of our processing in accordance with Art. 13 GDPR. Insofar as the legal basis is not identified in the data privacy statement, the following applies: The legal basis for obtaining consent is Art. 6 (1), point a and Art. 7 GDPR, the legal basis for processing to provide our services and for contractual performance as well as responding to enquiries is Art. 6 (1), point b GDPR, the legal basis for processing to meet our legal obligations is Art. 6 (1), point c GDPR and the legal basis for processing to protect our legitimate interests is Art. 6 (1), point f GDPR. In case the vital interests of the data subject or another natural person require the processing of personal data, the legal basis is Art. 6 (1), point d GDPR.

Security measures

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR.

The measures include in particular ensuring the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access rights, input, dissemination, ensuring availability and the separation of data. We have also implemented procedures for protecting the rights of data subjects, the erasure of data, and responding to threats to the data. Furthermore, we take the protection of personal data into account in the development and selection of hardware, software and procedures according to the principle of data protection through the design of technology and through default settings that favour data protection (Art. 25 GDPR).

Cooperation with processors and third parties

Insofar as we disclose data to other persons and companies (processors or third parties) in the course of our processing, transfer data to them or otherwise grant them access to data, this is done solely based on legal permission (e.g. when a transfer of the data to third parties such as payment service providers is required for contractual performance pursuant to Art. 6 (1), point b GDPR), when you have given your consent, based on a legal obligation or to protect our legitimate interests (e.g. when employing agents, web hosting providers etc.).

Insofar as we engage third parties for processing data based on a “processing contract”, this is done pursuant to Art. 28 GDPR.

Transmission to third party countries

Insofar as we process data in a third party country (i.e. outside the European Union (EU) or European Economic Area (EEA)) or this is done within the scope of utilising third-party services or the disclosure or transfer of data to third parties, this takes place solely to meet our (pre-)contractual obligations, based on your consent, due to a legal obligation or to protect our legitimate interests. Subject to legal or contractual permission, we only process or have data processed in a third party country when the special requirements pursuant to Art. 44 ff. GDPR are met. This means that processing is performed, for example, based on specific guarantees such as the officially recognised determination of a data protection level equivalent to the EU (e.g. by the “Privacy Shield” for the USA) or subject to officially recognised special contractual obligations (known as “standard contract clauses”).

Rights of the data subject

You have the right to request confirmation whether relevant data are processed and to obtain information about these data as well as additional information and a copy of the data pursuant to Art. 15 GDPR.

Pursuant to Art. 16 GDPR, you have the right to request the completion of data pertaining to you or the correction of incorrect data pertaining to you.

Pursuant to Art. 17 GDPR, you have the right to request the prompt deletion of relevant data. Alternatively you may request a restriction of processing for the data pursuant to Art. 18 GDPR.

Pursuant to Art. 20 GDPR, you have the right to request a copy of the data pertaining to you that you have provided to us and to request their transfer to another controller.

Furthermore, you have the right pursuant to Art. 77 GDPR to submit a complaint to the applicable supervisory authority.

Right of withdrawal

Pursuant to Art. 7 (3) GDPR, you have the right to revoke your consent with future effect.

Right to object

You may object to the future processing of data pertaining to you at any time pursuant to Art. 21 GDPR. In particular, you can object to processing for the purpose of direct marketing.

Cookies and right to object to direct marketing

Cookies are small files stored on a user’s device. Various information can be stored in cookies. A cookie is used primarily to store information about a user (or the device on which the cookie is stored) during or also after a visit to an online offering. A temporary, session or transient cookie is a cookie that is deleted after a user leaves an online offering and closes their browser. Such a cookie can be used for example to store the contents of a shopping cart in an online shop or a login status. Permanent or persistent cookies are cookies that continue to be stored even after the browser is closed. For example, the login status can be stored when a user returns after several days. Such a cookie can also be used to store the user’s interests for coverage measurement or marketing purposes. Third-party cookies are cookies of providers other than the controller who operates the online offering (otherwise one speaks of first-party cookies when referring to the cookies of the controller).

We may use temporary and permanent cookies. The relevant information is provided in our data privacy statement.

If a user does not want cookies to be stored on their device, they can deactivate the corresponding option in their browser’s system settings. Stored cookies can be erased in the browser’s system settings. Excluding cookies can limit the functionality of this online offering.

A general objection to the use of cookies for online marketing purposes can be submitted to numerous services, in particular in case of tracking, via the US page http://www.aboutads.info/choices or the EU page http://www.youronlinechoices.com. Furthermore, storing cookies can be deactivated in the browser settings. Please note that you may not be able to use all functions of this online offering in that case.

Data erasure

The data processed by us are erased or their processing is restricted pursuant to Art. 17 and 18 GDPR. Unless expressly specified within the scope of this data privacy statement, the data stored by us are erased as soon as they are no longer needed for their intended purpose and their erasure does not conflict with any statutory retention obligations. Insofar as the data are not erased because they are needed for other and legally permissible purposes, their processing is restricted. This means the data are blocked and not processed for other purposes. This applies for example for data that have to be retained for commercial or tax law reasons.

According to legal requirements in Germany, a 10-year retention period applies pursuant to Section 147, Paragraph 1 of the Tax Code (AO) and Section 257, Paragraph 1, No. 1 and 4, Paragraph 4 of the German Commercial Code (HGB) (books, records, management reports, accounting records, account books, documents relevant for taxation etc.), and a 6-year retention period pursuant to Section 257, Paragraph 1, No. 2 and 3, Paragraph 4 HGB (business letters).

According to legal requirements in Austria, a 7-year retention period applies pursuant to Section 132, Paragraph 1 of the Federal Fiscal Code (BAO) (accounting records, documents/invoices, accounts, vouchers, business documents, listing of income and expenses etc.), a 22-year retention period in the context of land and a 10-year retention period related to services provided electronically, telecommunication, radio and television services provided to non-entrepreneurs in EU member states and for which the mini one-stop shop (MOSS) exemption is claimed.

Processing for business purposes

We also process
– contract data (e.g. object of the contract, term, customer category), and
– payment data (e.g. bank details, payment history)
of our customers, prospects and business partners for the purpose of contractual performance, service and customer support, marketing, promotion and market research.

Order processing in the online shop and customer account
Online booking with online booking tool

We process the data of our customers in the course of ordering processes in our online shop for the purpose of selecting and ordering the chosen products and services, their payment and delivery or execution.

The processed data include basic data, communication data, contract data and payment data, and the data subjects affected by processing include our customers, prospects and other business partners. Processing is performed for the purpose of contractual performance in the course of operating an online shop, billing, delivery and customer service. We use session cookies in this context to store shopping cart contents and permanent cookies to store the login status.

Processing is performed based on Art. 6 (1), point b (completing ordering processes) and c (legally required archiving) GDPR. Here the information identified as mandatory is required for contract closing and contractual performance. We only disclose the data to third parties in the course of delivery and payment or to legal advisers and public authorities within the scope of legal permission and obligations. The data are only processed in third party countries when this is required for contractual performance (e.g. by customer request on delivery or payment).

Users may set up an optional user account where they can in particular view their orders. Users are informed of the required mandatory information in the course of registration. The user accounts are not public and cannot be indexed by search engines. When a user cancels their user account, their user account data are erased except when their retention is required for commercial or tax law reasons pursuant to Art. 6 (1), point c GDPR. Information remains in the customer account until it is deleted, and is subsequently archived in case of a legal obligation. Securing the data upon cancellation before the end of the contract term is the responsibility of the user.

We store the IP address and time of the respective user action in the course of registration, subsequent logins and the use of our online services. This storage is based on our legitimate interests and the interest of the user in protection against misuse and other unauthorised use. In principle there is no dissemination of these data to third parties, unless this is required to pursue our claims or in case of a legal obligation pursuant to Art. 6 (1), point c GDPR.

Erasure takes place after the expiration of statutory warranty and similar obligations. The need to retain the data is reviewed every three years. In case of statutory archiving obligations, erasure takes place after the end of the applicable retention period (6 years under commercial law and 10 years under tax law).

Contractual services

We process the data of our contractual partners and prospects as well as other customers, clients and contractual partners (jointly referred to as “contractual partners”) pursuant to Art. 6 (1), point b. GDPR for the purpose of providing our contractual or pre-contractual services. The data processed in this context and the nature, scope and purpose of as well as the need for their processing are determined based on the underlying contractual relationship.

The processed data include the master data of our contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers), contract data (e.g. services used, contract contents, contractual communication, names of contact persons) and payment data (e.g. bank details, payment history).

We generally do not process special categories of personal data except when these are part of commissioned or contractual processing.

We process data require for contract closing and contractual performance, and point out the need for the information insofar as this is not evident for the contractual partners. Disclosure to external persons or companies only takes place when required in the course of contractual performance. In processing the data provided to us within the scope of an order, we act according to the directives of our customers and the applicable legal requirements.

We may store the IP address and time of the respective user action in the course of using our online services. This storage is based on our legitimate interests and the interest of the user in protection against misuse and other unauthorised use. In principle there is no dissemination of these data to third parties, unless this is required to pursue our claims pursuant to Art. 6 (1), point f. GDPR or in case of a legal obligation pursuant to Art. 6 (1), point c. GDPR.

The data are erased when they are no longer needed for the purpose of contractual or statutory fiduciary duty or in the context of possible warranty and comparable obligations; here the need to retain the data is reviewed every three years. Otherwise the statutory retention obligations apply.

Administration, financial accounting, office organisation, contact management

We process data in the course of administrative tasks and the organisation of our business, financial accounting and compliance with legal obligations such as archiving. Here we process the same data as in the course of our contractual performance. The basis of processing is Art. 6 (1), point c. and Art. 6 (1), point f. GDPR. Customers, prospects, business partners and website visitors are affected by this processing. The purpose of and our interests in processing include administration, financial accounting, office organisation and data archiving that serves to maintain our business activities, complete our tasks and provide our services. The erasure of data in regards to contractual performance and communication corresponds to the information provided for these processing activities.

In this context we disclose or transmit data to the financial administration, consultants such as auditors or tax consultants and other billing offices and payment service providers.

We also store information about suppliers, organisers and other business partners based on our legitimate business interests, for example to subsequently contact them. These mainly company-specific data are generally stored by us permanently.

Business management analyses and market research

In order to operate our business economically and identify market trends and preferences of contractual partners and users, we analyse the data available to us for business processes, contracts, enquiries etc. In doing so we process basic data, communication data, contract data, payment data, usage data and metadata based on Art. 6 (1), point f. GDPR; data subjects include contractual partners, prospects, customers, visitors and users of our online offering.

The analyses are conducted for the purpose of business management evaluations, marketing and market research. We are able to take the profiles of registered users with information, for example on the services used, into account in doing so. The analyses are conducted by us to improve usability, optimise our offering and for operating efficiency. These analyses are solely for our own use and are not disclosed externally, except in case of anonymous analyses with summarised values.

Insofar as these analyses or profiles are related to specific persons, they are erased or anonymised when the user cancels, otherwise two years after the end of the respective contract. Otherwise the overall business management and general trend analyses are prepared anonymously as far as possible.

Data privacy statement for the application process

We process applicant data only for the purpose and within the scope of an application process according to the applicable legal requirements. The processing of applicant data is performed to meet our (pre-)contractual obligations within the scope of the application process pursuant to Art. 6 (1), point b. GDPR, Art. 6 (1), point f. GDPR insofar as data processing becomes necessary for us, for example in the course of legal proceedings (Section 26 BDSG applies additionally in Germany).

The application process requires applicants to provide us with the applicant data. Required applicant data are identified insofar as we offer an online form. Otherwise they are derived from the job posting. They generally include information about the person, mailing and contact addresses and the application documents such as the cover letter, CV and certificates. Applicants may voluntarily provide us with additional information as well.

By submitting their application to us, applicants agree to the processing of their data for the purpose of the application process according to the nature and scope described in this data privacy statement.

Insofar as special categories of personal data pursuant to Art. 9 (1) GDPR are voluntarily provided within the scope of the application process, they are generally processed pursuant to Art. 9 (2), point b GDPR (e.g. health data such as disability or ethnicity). Insofar as special categories of personal data pursuant to Art. 9 (1) GDPR are requested from applicants in the course of the application process, they are generally processed pursuant to Art. 9 (2), point a GDPR (e.g. health data when these are required for the occupation).

Applicants may submit their application using an online form on our website when this is provided. The data are transmitted to us encrypted according to the state of the art.
Applicants may also submit their applications to us by e-mail. In this case however, please note that e-mail is generally not sent in encrypted form and the applicant is responsible for encryption. Therefore we assume no responsibility for the transmission of the application between the sender and receipt on our server, and recommend using an online form or submission by mail. In addition to applying using the online form or e-mail, applicants may submit their application to us by regular mail.

The data provided by applicants may be further processed by us for the purpose of the employment relationship in case of a successful application. Otherwise the applicant data are erased insofar the application for a job posting is not successful. The applicant data are also erased when an application is retracted. Applicants have the right to do so at any time.

Subject to legitimate revocation of the applicants, erasure takes place at the end of six months so that we are able to answer possible follow-up questions about the application and meet our obligation to produce supporting documents under equal treatment laws. Invoices for the possible reimbursement of travel expenses are archived in accordance with tax law requirements.

Making contact

When making contact with us (e.g. using a contact form, e-mail, telephone or via social media), the user’s information is processed for the purpose of handling and processing the contact request pursuant to Art. 6 (1), point b) GDPR. User information may be stored in a customer relationship management (CRM) system or comparable enquiry organisation system.

We erase the enquiries insofar as they are no longer needed. A review of necessity is performed every two years and statutory archiving obligations apply in addition.

Collection of access data and logfiles

We and/or our hosting provider collect data based on our legitimate interests pursuant to Art. 6 (1), point f. GDPR for each access to the server where this service is hosted (known as server logfiles). The access data include the name of the accessed website, file, date and time of access, transmitted data volume, report on successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address and requesting provider.

Logfile information is stored for a maximum of 7 days for security reasons (e.g. to resolve cases of misuse or fraud) and then erased. Data that must be retained as evidence until the incident in question is finally resolved are exempt from erasure.

Google Analytics

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use Google Analytics, a web analysis service of Google LLC (“Google”). Google uses cookies. The information generated by the cookies regarding the use of the online offering by the user is generally transmitted to a Google server in the USA where it is stored.

Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

Google uses this information on our behalf in order to evaluate the use of our online offering by the users, compile reports about the activities within this online offering and provide us with additional services related to the use of this online offering and the Internet. In doing so, pseudonymised usage profiles for the users may be prepared from the processed data.

We only use Google Analytics with activated IP anonymisation. This means that the IP address of users within member states of the European Union or other states in the European Economic Area is shortened by Google. Only in exceptional cases is the full IP address transferred to a Google server in the USA and shortened there.

The IP address transferred by the user’s browser is not combined with other data by Google. Users can prevent the storage of cookies by configuring the settings of their browser software accordingly. Furthermore, users can prevent the capture of data generated by the cookie and related to their use of the online offering by Google as well as the processing of these data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.

Alternatively to the browser add-on or in browsers on mobile devices, please click the following link to prevent future data collection by Google Analytics within this website: analytics opt-out. This stores an opt-out cookie on your device. If you delete your cookies then you have to click the link again.

Further information about the use of data by Google, settings and rights to object is available in the Google data privacy statement (https://policies.google.com/technologies/ads) and the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

The personal data of users are erased or anonymised after 14 months.

Google Universal Analytics

We use Google Analytics in the “Universal Analytics” version. “Universal Analytics” is a Google Analytics process that prepares the user analysis on the basis of a pseudonymised user ID and thereby creates a pseudonymised user profile with information from the use of various devices (known as cross-device tracking).

Formation of target groups with Google Analytics

We use Google Analytics in order to display the advertisements placed within advertising services of Google and its partners only to those users who have shown an interest in our online offering, or who exhibit certain characteristics (e.g. interest in certain topics or products determined based on the websites that are visited), which we transmit to Google (known as Remarketing Audiences or Google Analytics Audiences). With the help of Remarketing Audiences, we also want to ensure that our advertisements correspond to the potential interests of users.

Google AdWords and conversion measurement

Based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

Google is certified under the Privacy Shield agreement and thereby guarantees compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).

We use the Google AdWords online marketing method to place advertisements in the Google advertising network (e.g. in search results, in videos, on websites etc.) so they are displayed for users who have a presumed interest in the advertisements. This allows us to display advertisements for and within our online offering more selectively in order to only present advertisements to users that potentially correspond to their interests. For example, when advertisements for products in which a user has expressed interest in other online offerings are displayed to that user, this is called remarketing. When our and other websites that are part of the Google advertising network are accessed, a Google code is executed directly by Google and what are known as (re)marketing tags (invisible graphics or code, also known as web beacons) are integrated into the website. These are used to store an individual cookie or small file on the user’s device (comparable technologies may also be used instead of cookies). This file stores the websites the user visits, the content the user is interested in and the offers on which the user clicks, as well as technical information about the browser and operating system, referrer URLs, time of the visit and further information about the use of the online offering.

We also receive an individual conversion cookie. Google uses information obtained with the help of this cookie to prepare conversion statistics for us. However, we only obtain the anonymous total number of users who have clicked our advertisement and were forwarded to a page with a conversion tracking tag. We do not receive any information that could be used to identify the users personally.

User data is pseudonymised for processing within the Google advertising network. This means that Google does not store and process, for example, the name or e-mail address of the user, but processes the relevant data on a cookie basis within pseudonymised user profiles. From the perspective of Google, the advertisements are not managed and displayed for a concrete, identified person but for a cookie owner, regardless of who this cookie owner is. This does not apply when the user has expressly permitted Google to process the data without such pseudonymisation. The information collected about users is transmitted to Google and stored on Google servers in the USA.

Further information about the use of data by Google, settings and rights to object is available in the Google data privacy statement (https://policies.google.com/technologies/ads) and the settings for the display of advertisements by Google (https://adssettings.google.com/authenticated).

Integration of third-party services and content

Within our online offering and based on our legitimate interests (i.e. interest in the analysis, optimisation and economical operation of our online offering pursuant to Art. 6 (1), point f. GDPR), we use content and services offered by third-party providers, integrating their content and services such as videos or fonts (jointly referred to as “content” in the following).

This always requires these third-party providers to obtain the user’s IP address, since they are unable to send content to the user’s browser without the IP address. The IP address is therefore required to display this content. We strive to only integrate content for which the respective providers use the IP address solely for delivering the content. Third-party providers may also use what are called pixel tags (invisible graphics also known as web beacons) for statistical or marketing purposes. Pixel tags allow information such as visitor traffic on pages of this website to be evaluated. The pseudonymised information can also be stored in cookies on the user’s device that, among other things, may contain technical information about the browser and operating system, referrer URLs, time of the visit and further details about the use of our online offering, and can be linked to such information from other sources.

YouTube

We integrate videos from the “YouTube” platform of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Fonts

We integrate the fonts (“Google Fonts”) of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google ReCaptcha

We integrate the function to identify bots, e.g. for input in online forms (“ReCaptcha”), of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Google Maps

We integrate the maps of the “Google Maps” service of the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data can include, in particular, the IP address and location data of the user, but these data are only collected with consent (generally obtained as part of your mobile device settings). These data may be processed in the USA. Data privacy statement: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.

Prepared with Datenschutz-Generator.de by the lawyer Dr Thomas Schwenke
and adapted by the agency crosseye Marketing

Change cookie settings