Introduction and overview
We have prepared this privacy notice (last updated 14 Jan. 2022, version 211149835) in accordance with the EU General Data Protection Regulation (Regulation [EU] 2016/679; GDPR) to explain what personal data (sometimes referred to simply as “data”) we process in our role as the Controller, what personal data are processed by any processors (e.g. providers) who we engage, what data we will process in the future, and your legal rights.
Put simply: We provide you with full information on the personal data we process.
Privacy notices usually sound highly technical and use specialist legal terms. But our privacy notice is designed to describe the most important points as clearly and transparently as possible. Where necessary to ensure transparency, we provide user-friendly explanations of technical terms and links to additional information. We want to inform you in clear and simple terms that we only process personal data in the course of our operations in accordance with the applicable law. We can’t do this if we only try to provide the shortest possible information, or the sorts of unclear legal or technical explanations that you often find on the internet. We hope you find the following explanations useful and informative, and maybe you’ll come across some new information as well.
If you still have any questions, feel free to contact us using the details provided below and in our legal notice. Alternatively, please click on the links provided; you will also find useful information on external websites. You can find our contact details in the legal notice.
TLS encryption using HTTPS
TLS, encryption and HTTPS all sound very technical – and they are. We use the Hypertext Transfer Protocol Secure (HTTPS) to transfer data online without the risk of them being intercepted. This means that the transfer of data from your browser to our server is secure, and no-one can “listen in”.
As a result, we have introduced an extra layer of security that meets the requirements for data protection by design (Article 25 of the GDPR). We ensure the protection of confidential data by using Transport Layer Security (TLS), an encryption protocol for secure online data transfer.
The lock icon displayed in the top left corner of your browser, to the left of the internet address, and the use of https (instead of http) at the beginning of our address show that this means of protecting the transfer of data is being used.
If you would like to find out more about encryption, you can find some useful links to additional information by googling ‘Hypertext Transfer Protocol Secure wiki’.
Your rights under the General Data Protection Regulation
Section 2 of the GDPR gives you the following rights that are designed to ensure legitimate and transparent processing of your data:
- Article 15 gives you the right to obtain information about whether we process your personal data. If this is the case, you have the right to receive a copy of the data as well as the following information:
  - The purposes of data processing
  - The categories or types of personal data processed
  - The recipients of your data and, if the data are transferred to third countries, how data protection can be guaranteed
  - How long we store your data
  - Information about the existence of your right to ask us to rectify or erase your personal data, to request the restriction of processing of your personal data, and to object to processing of your personal data
  - Your right to submit a complaint to a supervisory authority (you can find links to the authority below)
  - The source of personal data that were not collected from you
  - Whether we use automated decision-making, including profiling, to build up a personal profile of you
- Under Article 16 of the GDPR, you have what is called “the right to rectification” of your data. Put simply, this means that we have to correct your data if you find any errors.
- Article 17 gives you the right to erasure of your data (which is also called the “right to be forgotten”); this means you can demand that we delete your personal data.
- If you make use of your right to restriction of processing (Article 18 of the GDPR), we are only allowed to store your data, but we cannot use it any longer.
- According to Article 20 of the GDPR, you have the right to data portability – in other words, we will provide you with a copy of your personal data in a commonly used and machine-readable format if you request it.
- Article 21 of the Regulation gives you a right to object. If you exercise this right, the way we process your personal data will be changed.
  - If we process your personal data in the public interest or in the exercise of official authority (Article 6[e]) or on the basis of our legitimate interests (Article 6[f]), you can submit an objection to the processing of your data. If you object, we will assess as quickly as possible whether we are legally permitted to accept your objection.
  - If we use data to carry out direct marketing, you can object to this type of data processing at any time. After you object, we will no longer be allowed to process your personal data for this purpose.
  - If we use your personal data for profiling purposes, you can also object to this form of data processing at any time. This means we will no longer be allowed to process your personal data for profiling.
- According to Article 22 of the GDPR, under some circumstances you have the right not to be subject to a decision based exclusively on automated processing (for example, profiling).
If you believe that processing of your data is in breach of data protection law or that your entitlements under data protection law have been infringed in some other way, you can make a complaint to the regulatory authority. In Austria, this is the Datenschutzbehörde, or Data Protection Authority to give it its English name (www.dsb.gv.at/ – German only).
Put simply: You have rights – please contact the regulatory authority if you have any questions about them.
Security of data processing
We have taken technical and organisational steps in order to protect your data. Where possible, we encrypt or pseudonymise your personal data. In other words, we make it as difficult as possible for third parties to discover personal information about you on the basis of your data.
Article 25 of the General Data Protection Regulation refers to ‘data protection by design and by default’ – all this means is that we always need to consider security and take suitable measures in connection with our software (e.g. forms) and hardware (e.g. physical access to our server). Where necessary, we provide additional information on some specific measures below.
👥 Data subjects: the people who visit our website
🤝 Purpose: evaluating visitor information in order to optimise our website
📓 Processed data: access statistics, data including locations from where our website is accessed, device information, duration and time of access, surfing and click behaviour, and IP addresses. You can find further details below.
📅 Duration of storage: depends on the properties used
⚖️ Legal basis: Article 6(1)(a) (consent) and Article 6(1)(f) GDPR (legitimate interest)
What is Google Analytics?
Our website uses Google Analytics, an analysis and tracking tool from the US company Google Inc. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services provided in Europe. Google Analytics collects data about the way you navigate our website. For example, if you click on a link, this information is saved in the form of a cookie and sent to Google Analytics. We use the reports we receive from Google Analytics to adapt our website and services more closely to your requirements. You can find more information about the tool below, in particular the data we store and how you can prevent your data being collected.
Google Analytics is a tracking tool that analyses data traffic on our website. A tracking code has been built into the code for our website to ensure that Google Analytics works properly. This code records various actions you carry out when you visit our website. As soon as you leave our website, these data are transmitted to Google Analytics’ servers and stored there.
Google processes the data and we receive reports on your activity during your visit. These reports include:
- Target group reports: these help us to find out more about users and build up a clearer picture of who is interested in our services.
- Advertising reports: these reports enable us to analyse and improve our online advertising more easily.
- Acquisition reports: acquisition reports provide useful information about how we can attract more people to use our services.
- Behaviour reports: this is a way for us to see how you interact with our website. We can see how you navigate through our website and what links you click on.
- Conversion reports: conversion is the process of encouraging users to carry out desired actions in response to a marketing message, for example when you become a buyer or newsletter subscriber instead of an ordinary website visitor. These reports show us how you respond to our marketing measures, which helps us to increase our conversion rate.
- Real-time reports: these reports show us what is happening on our website at a given time. For instance, we can see how many people are reading this policy right now.
Why do we use Google Analytics on our website?
The aim of our website is to provide you with the best possible service. Statistics and data from Google Analytics enable us to do this.
The analysed data give us a clear picture of the strengths and weaknesses of our website. This means we can optimise the site so that people interested in our services can find us more easily on Google. The data also helps us to gain a better understanding of site users’ needs. As a result, we know precisely what we have to improve on our website so that we can offer you the best possible service. The data also enable us to customise our advertising and marketing measures, and make them more cost-effective. At the end of the day, it only makes sense to present our services if people are interested in using them.
What data are stored by Google Analytics?
Google Analytics uses a tracking code to generate a random, unique ID, which is connected with your browser cookie. In this way, Google Analytics can identify you as a new user. The next time that you visit our website, you will be recognised as a returning visitor. All of the data collected are stored together with this user ID, which makes it possible to analyse pseudonymised user profiles in the first place.
In order to analyse our website with the help of Google Analytics, a property ID has to be inserted in the tracking code. The data are then stored in the corresponding property. The Google Analytics 4 property is the default for every newly created property. Alternatively, the Universal Analytics property can still be created. Data are stored for different periods depending on which property is used.
The way that you interact with our website is measured using identifiers such as cookies and app instance IDs. All of the different actions you carry out when you visit our website are referred to as interactions. If you use other Google systems (such as your Google account), data generated using Google Analytics can be linked with third-party cookies. Google does not transmit any Google Analytics data, unless we give our approval in our role as the website operator. But some exceptions are possible, especially if required by law.
Google Analytics uses the following cookies:
Purpose: analytics.js uses the _ga cookie as standard in order to store your user ID. It is basically used to distinguish between website visitors.
Expires: after two years
Purpose: This cookie is also used to distinguish between website visitors.
Expires: after 24 hours
Purpose: Used to reduce the request rate. If Google Analytics is provided via Google Tag Manager, the name of this cookie is _dc_gtm_<property-id>.
Expires: after one minute
Value: not specified
Purpose: This cookie includes a token that can be used to request a user ID from the AMP Client ID service. Other potential values indicate a logout, a query or an error.
Expires: after 30 seconds and up to one year
Purpose: This cookie records your behaviour on the website and measures the site’s performance. The cookie is updated every time information is sent to Google Analytics.
Expires: after two years
Purpose: Like _gat_gtag_UA_<property-id>, this cookie is used to restrict the request rate.
Expires: after 10 minutes
Purpose: This cookie is used to identify new sessions, and it is updated whenever new data or information are sent to Google Analytics.
Expires: after 30 minutes
Purpose: This cookie is used to identify new sessions for returning visitors. This is a session cookie, so it is only stored until you close your browser.
Expires: after you close your browser
Purpose: This cookie identifies the source of visitor traffic on our website. This means that the cookie saves details of the online location from which you accessed our website. This could be an advertisement or another website.
Expires: after six months
Value: not specified
Purpose: The purpose of this cookie is to store user-defined user data. It is updated whenever information is sent to Google Analytics.
Expires: after two years
Note: This list is not comprehensive because Google constantly changes the cookies it uses.
We have put together an overview of the most important data collected using Google Analytics:
Heat maps: Google creates what are called heat maps, which show precisely which sections of the site you click on. This gives us information about where you navigate to on our site.
Duration of visit: This is the term that Google uses to describe the time you stay on our website without leaving. If no activity is recorded for 20 minutes, your visit is ended automatically.
Bounce rate: When you only visit one page on our website and then leave the site, this is called a bounce.
Account set-up: If you set up an account or place an order on our website, Google Analytics records the data you provide.
IP address: The IP address is shortened so that it cannot be associated directly with a particular user.
Location: The IP address can be used to identify the country and approximate location from which you accessed our website. This process is called IP geolocation.
Technical information: The technical information collected includes your browser type, internet provider and screen resolution.
Traffic source: We (and Google Analytics) are also interested in finding out about the website or advertisement from which you accessed our site.
Information such as contact details, any ratings, media that you play (for example, a video that you watch through our site), content that you share on social media or sites that you add to your favourites is also collected. This list is by no means exhaustive and is only intended to give you general information on the data that Google Analytics stores.
How long do we store your data and where do we store it?
Google has servers all over the world. Most of them are in the United States, so your data are usually stored on servers there. To find out exactly where Google’s data centres are located, visit https://www.google.com/about/datacenters/inside/locations/?hl=en.
Your data are saved on several different physical data storage media. The advantage of this is that your data can be retrieved more quickly and are better protected against manipulation. Every Google data centre has emergency procedures that help to protect your data if there is a problem. For example, if Google’s hardware or its servers suffer an outage due to a natural disaster, the risk of Google’s services being interrupted is low.
The retention period for your data – in other words, how long it is kept – depends on the properties that are used. With the latest Google Analytics 4 properties, your user data are stored for 14 months as standard. We have the option of storing other kinds of event data for either two months or 14 months.
For Universal Analytics properties in Google Analytics, the standard retention period for your user data is 26 months. At the end of the retention period, your data are deleted. However, we can also select the length of time that we store user data ourselves. There are five options:
- Deletion after 14 months
- Deletion after 26 months
- Deletion after 38 months
- Deletion after 50 months
- No automatic deletion
There is also the option of deleting your data if you do not return to our website for a period of time chosen by us. In this case, the retention period will be reset every time you return to our website during the defined period.
When this period has expired, data will be deleted once a month. The retention period applies to your personal data that are linked to cookies, user recognition and advertising IDs (e.g. cookies in the DoubleClick domain). Report results are based on aggregated data and stored separately from user data. Aggregating data involves merging individual sets of data to form a larger package.
How can I delete my data or prevent my data from being stored?
If you would like to disable cookies (independently of Google Analytics), or delete or manage cookies, you can do this in different ways depending on the browser you use:
Chrome: delete, enable and manage cookies in Chrome
Safari: manage cookies and website data in Safari
Firefox: delete cookies to remove data that websites have stored on your computer
Internet Explorer: delete and manage cookies
Microsoft Edge: delete and manage cookies
Remember that if you use this tool, your personal data could be stored and processed outside the EU. By the standards of current European data protection law, most third countries – including the US – do not provide the same level of data protection. Data must not be transmitted to third countries with low data protection standards, and stored and processed there, unless we have obtained appropriate guarantees from the non-European service provider concerned (for example, by using EU standard contractual clauses).
The use of Google Analytics requires your consent. This consent in accordance with Article 6(1)(a) GDPR forms the legal basis for processing of your personal data, which can take place if the data are collected using web analytics tools.
In addition to obtaining your consent, we also have a legitimate interest in analysing the behaviour of visitors to our website, so that we can improve our site from a technical and a business point of view. Google Analytics enables us to spot errors on our website, identify cyberattacks and improve efficiency. The legal basis for this is Article 6(1)(f) GDPR (legitimate interests).
Please note that in the opinion of the European Court of Justice, the level of protection for data transferred to the USA is still not appropriate. Data processing is mainly carried out by Google. This means that in some cases your data will not be processed and stored in anonymised form. In addition, US government and state authorities could have access to some data in certain cases. It is also possible that these data will be linked to data from other Google services where you have a user account.
We hope you find this overview of the most important information on data processing by Google Analytics useful. If you would like to find out more about this tracking service, we recommend that you visit https://marketingplatform.google.com/about/analytics/terms/gb/ and https://support.google.com/analytics/answer/6004245?hl=en.
What data are processed?
Duration of data processing
In general, we only process your data for as long as is necessary in order to provide our services. The different types of data stored in cookies are saved for different periods of time. Some cookies are deleted as soon as you leave our website, while others can be stored in your browser for several years. The exact duration of data processing depends on the tool that is used, but you can normally expect data to be stored for several years. The privacy notices of the various providers usually give you precise information about the length of time for which your data are processed.
Right to object
Produced using the privacy notice generator at firmenwebseiten.at.