This privacy policy informs you about the type, scope, and purpose of processing personal data (hereinafter briefly referred to as “data”) within our online services and associated websites, functions, contents, as well as external online presences, such as our social media profiles (collectively referred to as “online services”). For the terms used, such as “processing” or “controller,” we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Controller

Richard Pettauer / pnc – pettauer.net Consulting
Untere Augartenstrasse 16/13
A-1020 Vienna
ritchie@pettauer.net | +43 664 75007799

Preamble

In this document, you will not find any information about Google Fonts, Google Maps, Google Analytics, other third-party or analytics tools, or embedded social media content.

This is simply because we do not use any of these services. All data retrieved from our site is hosted locally on our own server (hosted by Hetzner, Germany).

Privacy is a much more important concern for us than tracking.

Types of Processed Data

  • Inventory data (e.g., names, addresses).
  • Contact data (e.g., email, telephone numbers).
  • Content data (e.g., text input, photographs, videos).
  • Usage data (e.g., visited websites, interest in content, access times).
  • Meta/communication data (e.g., device information, IP addresses).

Categories of Affected Persons

Visitors and users of the online service (hereinafter, we also refer to the affected persons collectively as “users”).

Purpose of Processing

  • Provision of the online service, its functions, and content.
  • Responding to contact requests and communicating with users.
  • Security measures.
  • Reach measurement/marketing.

Used Terminologies

“Personal data” is all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Processing” is any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and encompasses virtually any handling of data.

“Pseudonymisation” is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

“Profiling” is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

The “controller” is the natural or legal person, authority, institution, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Processor” is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the controller.

Relevant Legal Bases

In accordance with Art. 13 GDPR, we inform you about the legal bases of our data processing. Unless the legal basis is specified in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 Abs. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and the execution of contractual measures as well as the response to inquiries is Art. 6 Abs. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 Abs. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests is Art. 6 Abs. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 Abs. 1 lit. d GDPR serves as the legal basis.

Security Measures

We take appropriate technical and organizational measures in accordance with Art. 32 GDPR, taking into account the state of technology, the implementation costs, and the nature, scope, circumstances, and purposes of the processing as well as the different likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure an adequate level of protection.

These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as related access, input, disclosure, availability, and separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, deletion of data, and response to data endangerment. Additionally, we consider the protection of personal data as early as the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

Collaboration with Processors and Third Parties

If, in the course of our processing, we disclose data to other persons and companies (processors or third parties), transmit data to them, or otherwise grant them access to the data, this is only done on the basis of legal permission (e.g., if a transfer of data to third parties, such as to payment service providers, is required by Art. 6 Abs. 1 lit. b GDPR for contract fulfillment), if you have consented, if a legal obligation provides for this, or on the basis of our legitimate interests (e.g., when using agents, web hosts, etc.).

If we commission third parties to process data on the basis of a so-called “order processing contract,” this is done on the basis of Art. 28 GDPR.

Transfers to Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this is only done to fulfill our (pre)contractual obligations, on the basis of your consent, due to a legal obligation, or based on our legitimate interests. Subject to legal or contractual permissions, we process or have the data processed in a third country only in the presence of the special conditions of Art. 44 ff. GDPR. That is, the processing is carried out, for example, on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to the EU (e.g., for the USA through the “Privacy Shield”) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).

Rights of Data Subjects

You have the right to request confirmation as to whether the relevant data is being processed and to information about this data as well as to further information and a copy of the data in accordance with Art. 15 GDPR.

Accordingly, you have the right under Art. 16 GDPR to demand the completion of the data concerning you or the correction of the incorrect data concerning you.

In accordance with Art. 17 GDPR, you have the right to demand that relevant data be deleted immediately, or alternatively, in accordance with Art. 18 GDPR, to demand a restriction on the processing of the data.

You have the right, in accordance with Art. 20 GDPR, to receive the data relating to you that you have provided to us and to request its transmission to other controllers.

You also have the right according to Art. 77 GDPR to file a complaint with the competent supervisory authority.

Right to Withdraw

You have the right to withdraw consents granted according to Art. 7 Abs. 3 GDPR with effect for the future.

Right to Object

You can object to the future processing of the data concerning you according to Art. 21 GDPR at any time. The objection can be made in particular against processing for direct marketing purposes.

Cookies and Right to Object in Direct Marketing

“Cookies” are small files that are stored on users’ computers. Different information can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offer. Temporary cookies, also called “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offer and closes their browser. Such a cookie can store, e.g., the content of a shopping cart in an online store or a login status. Cookies that remain stored even after the browser is closed are called “permanent” or “persistent.” Thus, e.g., the login status can be saved when users return after several days. Likewise, the interests of users, which are used for reach measurement or marketing purposes, can be stored in such a cookie. “Third-party cookies” are cookies offered by providers other than the controller who operates the online offer (if they are only the controller's own cookies, they are called “first-party cookies”).

We can use temporary and permanent cookies and clarify this in the context of our privacy policy.

If users do not want cookies stored on their computer, they are asked to disable the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online offer.

A general objection to the use of cookies for online marketing purposes can be declared for a large number of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by switching them off in the settings of the browser. Please note that in this case not all functions of this online offer may be usable.

Deletion of Data

The data processed by us are deleted or restricted in their processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated in this privacy policy, the data stored by us are deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory storage obligations. If the data are not deleted because they are required for other and legally permissible purposes, their processing is restricted. That is, the data are blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons.

According to legal requirements in Germany, storage takes place in particular for 10 years according to §§ 147 Abs. 1 AO, 257 Abs. 1 Nr. 1 and 4, Abs. 4 HGB (books, records, management reports, accounting documents, trading books, documents relevant for taxation, etc.) and 6 years according to § 257 Abs. 1 Nr. 2 and 3, Abs. 4 HGB (commercial letters).

According to legal requirements in Austria, storage is carried out in particular for 7 years according to § 132 Abs. 1 BAO (accounting documents, receipts/invoices, accounts, receipts, business papers, statement of income and expenses, etc.), for 22 years in connection with land, and for 10 years for documents related to electronically provided services, telecommunications, radio, and television services provided to non-entrepreneurs in EU Member States and for which the Mini-One-Stop-Shop (MOSS) is used.

Administration, Financial Accounting, Office Organization, Contact Management

We process data in the context of administrative tasks as well as organization of our business, financial accounting, and compliance with legal obligations, such as archiving. In doing so, we process the same data that we process in the course of providing our contractual services. The processing bases are Art. 6 Abs. 1 lit. c. GDPR, Art. 6 Abs. 1 lit. f. GDPR. The processing affects customers, prospective customers, business partners, and website visitors. The purpose and our interest in processing lie in administration, financial accounting, office organization, data archiving, that is, tasks that serve to maintain our business activities, perform our tasks and provide our services. The deletion of the data in terms of contractual services and contractual communication corresponds to the information mentioned in these processing activities.

In doing so, we disclose or transmit data to the financial administration, to consultants such as tax advisors or auditors, and to other fee bodies and payment service providers.

Furthermore, we store information about suppliers, event organizers, and other business partners based on our business interests, e.g., for later contact. We generally store this mostly company-related data permanently.

Business Analyses and Market Research

In order to operate our business economically and to recognize market trends and the wishes of contractual partners and users, we analyze the data available to us about business transactions, contracts, inquiries, etc. We process inventory data, communication data, contract data, payment data, usage data, and metadata on the basis of Art. 6 Abs. 1 lit. f. GDPR, whereby the persons affected include contractual partners, interested parties, customers, visitors, and users of our online offer.

The analyses are carried out for the purpose of business evaluations, marketing, and market research. We can consider the profiles of registered users with information, e.g., on the services they have used. The analyses help us increase user-friendliness, optimize our offering, and improve business efficiency. The analyses serve us alone and are not disclosed externally, unless they are anonymous analyses with summarized values.

If these analyses or profiles are personal, they will be deleted or anonymized upon termination by the users, otherwise after two years from the conclusion of the contract. Otherwise, the overall business analyses and general trend determinations are created anonymously if possible.

Use of Mailchimp for Email Newsletter Dispatch

We use Mailchimp from The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) for sending our newsletters. This allows us to directly contact subscribers. Additionally, we analyze your usage behavior to optimize our offering.

For this purpose, we provide the following personal data to Mailchimp:

  • Email address
  • Name

Our email distributions include a link that allows you to update your personal data.

Mailchimp is the recipient of your personal data and acts as a processor on our behalf, insofar as it concerns the dispatch of our newsletter. The processing of the data specified in this section is neither legally nor contractually prescribed. Without your consent and the transmission of your personal data, we cannot send you a newsletter.

Additionally, Mailchimp collects the following personal data using cookies and other tracking methods: information about your device (IP address, device information, operating system, browser ID, information about the application with which you read your emails, and further information about hardware and internet connection). Moreover, usage data such as the date and time when you opened the email/campaign and browser activities (e.g., which emails/websites were opened) are collected. Mailchimp needs this data to ensure the security and reliability of the systems, compliance with terms of use, and prevention of misuse. This corresponds to Mailchimp’s legitimate interest (according to Art. 6 Abs. 1 lit. f GDPR) and serves the performance of the contract (according to Art. 6 Abs. 1 lit. b GDPR). Further, Mailchimp evaluates performance data such as email delivery statistics and other communication data. This information is used to create usage and performance statistics for the services.

Mailchimp also collects additional information about you from other sources. Over an unspecified period and to an unspecified extent, personal data is collected through social media and other third-party data providers. We have no control over this process.

For more information on options for objecting to and eliminating data processing by Mailchimp, see: https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts

The legal basis for these processing activities is your consent according to Art. 6 Abs. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. A corresponding link can be found in all mailings. Additionally, revocation can be made using the contact options provided. The lawfulness of the processing carried out until the revocation is not affected by the revocation.

Your data will be processed as long as the corresponding consent exists. Apart from this, it will be deleted after the termination of the contract between us and Mailchimp unless legal requirements necessitate further storage.

Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Mailchimp processes personal data of natural persons in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, see: https://mailchimp.com/legal/data-processing-addendum/

Online Presence in Social Media

We maintain online presences within social networks and platforms to communicate with customers, prospects, and users active there and inform them about our services. The terms and conditions and data processing policies of their respective operators apply when accessing the respective networks and platforms.

Unless otherwise stated in our privacy policy, we process users’ data as long as they communicate with us within social networks and platforms, e.g., write posts on our online presences or send us messages.

Event Registration via LinkedIn

We use the registration functions of the platform LinkedIn for promoting online workshops like Lab Masterclass and similar events. Event participants provide us with their contact details. We use these contact details exclusively for communication regarding the respective workshop. Furthermore, LinkedIn’s privacy policies apply.