Data protection declaration

Preamble

With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process for which purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both in the context of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offer").

The terms used are not gender-specific.

Status: April 4, 2024

Legal text by Dr. Schwenke - please click for further information.

Table of contents

Data controller

Elisabeth Santigli
Hauptplatz 10
8200 Gleisdorf, Austria

E-mail address: zahnspange@santigli.eu

Overview of processing operations

The following overview summarizes the types of data processed and the purposes of their processing and refers to the data subjects.

Types of data processed

  • Inventory data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.

Special categories of data

  • Health data.

Categories of data subjects

  • Clients.
  • Prospective customers.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Patients.
  • People shown.

Purposes of processing

  • Provision of contractual services and fulfillment of contractual obligations.
  • Contact requests and communication.
  • Security measures.
  • Office and organizational procedures.
  • Administration and answering of inquiries.
  • Feedback.
  • Marketing.
  • Provision of our online services and user-friendliness.
  • Information technology infrastructure.

Relevant legal bases

Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the regulations of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases be relevant in individual cases, we will inform you of these in the data protection declaration.

  • Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given their consent to the processing of personal data relating to them for a specific purpose or several specific purposes.
  • Performance of a contract and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Protection of vital interests (Art. 6 para. 1 sentence 1 lit. d) GDPR) – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
  • Processing of special categories of personal data relating to healthcare, occupation and social security (Art. 9 para. 2 lit. h) GDPR) – Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, for medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to a contract with a health professional.
  • Consent to the processing of special categories of personal data (Art. 9 para. 2 lit. a) GDPR) – The data subject has given explicit consent to the processing of the personal data in question for one or more specified purposes.
  • Processing of special categories of personal data to protect vital interests (Art. 9 para. 2 lit. c) GDPR) – Processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent.

National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national regulations on data protection apply in Austria. These include in particular the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains in particular special regulations on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transmission, and automated individual decision-making.

Note on the validity of the GDPR and Swiss FDSA: These data protection notices serve both to provide information in accordance with the Swiss Federal Act on Data Protection (Swiss FDSA) and in accordance with the General Data Protection Regulation (GDPR). For this reason, please note that the terms of the GDPR are used due to the broader spatial application and comprehensibility. In particular, instead of the terms „processing“ of „personal data“, „predominant interest“ and „data worthy of particular protection“ used in the Swiss FDSA, the terms „processing“ of „personal data“ and „legitimate interest“ and „special categories of data“ used in the GDPR are used. However, the legal meaning of the terms will continue to be determined in accordance with the Swiss FDSA within the scope of the Swiss FDSA.

Security measures

In accordance with legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

The measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access relating to it, input, disclosure, ensuring availability and its separation. Furthermore, we have established procedures that guarantee the exercise of data subject rights, the deletion of data and reactions to data threats. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and through data protection-friendly default settings.

Securing online connections using TLS-/SSL encryption technology (HTTPS): We rely on TLS-/SSL encryption technology to protect user data transmitted via our online services from unauthorized access. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt the information transmitted between the website or app and the user's browser (or between two servers), protecting the data from unauthorized access. TLS, as the more advanced and secure version of SSL, ensures that all data transmissions meet the highest security standards. When a website is secured by an SSL-/TLS certificate, this is indicated by the display of HTTPS in the URL. This serves as an indicator to users that their data is being transmitted securely and encrypted.

Transmission of personal data

As part of our processing of personal data, it happens that this data is transferred to other bodies, companies, legally independent organizational units or persons or disclosed to them. The recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

Data processing in third countries: If we process data in a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of the use of third-party services or the disclosure or transfer of data to other persons, bodies or companies, this only takes place in accordance with the legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the level of data protection is otherwise guaranteed, in particular by standard contractual clauses (Art. 46 Para. 2 lit. c) GDPR), express consent or in the case of contractual or legally required transmission (Art. 49 Para. 1 GDPR). In addition, we will inform you of the basis of the third country transfer for the individual providers from the third country, whereby the adequacy decisions take precedence as the basis. Information on third country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en?prefLang=de.

EU-US Trans-Atlantic Data Privacy Framework: Within the framework of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as secure for certain companies from the USA within the framework of the adequacy decision of July 10, 2023. You can find the list of certified companies as well as further information on the DPF on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you in the data protection information which of our service providers are certified under the Data Privacy Framework.

Deletion of data

The data processed by us will be deleted in accordance with legal requirements as soon as the consent to processing is revoked or other permissions no longer apply (e.g. if the purpose of processing this data no longer applies or it is no longer necessary for the purpose). If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted to these purposes. This means that the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax reasons or the storage of which is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person. As part of our data protection information, we can provide users with further information on the deletion and storage of data that applies specifically to the respective processing processes.

Rights of data subjects

Rights of data subjects under the GDPR: As data subjects, you have various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:

  • Right to object: You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising, which includes profiling to the extent that it is related to such direct marketing.
  • Right of revocation for consent: You have the right to revoke granted consent at any time.
  • Right to information: You have the right to request confirmation as to whether data relating to you is being processed and to information about this data as well as to further information and a copy of the data in accordance with legal requirements.
  • Right to rectification: In accordance with legal requirements, you have the right to request the completion of data concerning you or the correction of incorrect data concerning you.
  • Right to deletion and restriction of processing: In accordance with legal requirements, you have the right to request that data concerning you be deleted immediately or, alternatively, to request a restriction on the processing of the data in accordance with legal requirements.
  • Right to data portability: You have the right to receive data concerning you that you have provided to us in a structured, commonly used and machine-readable format in accordance with legal requirements or to request its transfer to another controller.
  • Complaint to a supervisory authority: In accordance with legal requirements and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the member state in which you are habitually resident, the supervisory authority of your place of work or the place of the alleged violation, if you are of the opinion that the processing of personal data relating to you violates the GDPR.

Business services

We process data from our contractual and business partners, e.g. customers and interested parties (collectively referred to as “contractual partners”), within the framework of contractual and comparable legal relationships as well as associated measures and with regard to communication with the contractual partners (or pre-contractually), for example to answer inquiries.

We use this data to fulfill our contractual obligations. This includes in particular the obligations to provide the agreed services, any update obligations and remedies in the event of warranty and other service disruptions. In addition, we use the data to protect our rights and for the purpose of the administrative tasks associated with these obligations as well as the company organization. We also process the data on the basis of our legitimate interests both in proper and economic management and in security measures to protect our contractual partners and our business operations from misuse, endangerment of their data, secrets, information and rights (e.g. for the participation of telecommunications, transport and other auxiliary services as well as subcontractors, banks, tax and legal advisors, payment service providers or financial authorities). Within the framework of applicable law, we only pass on the data of contractual partners to third parties to the extent that this is necessary for the aforementioned purposes or to fulfill legal obligations. The contractual partners will be informed about other forms of processing, such as for marketing purposes, in this data protection declaration.

We inform the contractual partners which data is required for the aforementioned purposes before or within the framework of data collection, e.g. in online forms, through special markings (e.g. colors) or symbols (e.g. asterisks or similar), or personally.

We delete the data after the expiry of statutory warranty and comparable obligations, i.e. generally after four years, unless the data is stored in a customer account, e.g. as long as they have to be kept for archiving for legal reasons (e.g. for tax purposes, usually ten years). We delete data that has been disclosed to us by the contractual partner as part of an order in accordance with the requirements and generally after the end of the order.

  • Processed data types: Inventory data (e.g. names, addresses); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g. email, phone numbers). Contract data (e.g. subject matter of the contract, term, customer category).
  • Special categories of personal data: Health data.
  • Data subjects: Prospective customers; Business and contractual partners. Patients.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Contact requests and communication; Office and organizational procedures. Administration and answering of inquiries.
  • Legal bases: Performance of contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR); Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR); Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR); Protection of vital interests (Art. 6 Para. 1 S. 1 lit. d) GDPR); Processing of special categories of personal data relating to health, occupation and social security (Art. 9 Para. 2 lit. h) GDPR); Consent to the processing of special categories of personal data (Art. 9 Para. 2 lit. a) GDPR). Processing of special categories of personal data to protect vital interests (Art. 9 Para. 2 lit. c) GDPR).

Further information on processing operations, procedures and services:

  • Medical and medical services: We process the data of our patients in order to provide them with our treatment services and to be able to invoice them. The processed data, the type, the scope, the purpose and the necessity of their processing are determined by the underlying contractual and patient relationship and are communicated to the patients in good time.
    In the course of our activities, we process information on the health of our patients as special categories of personal data. This is done either within the framework of healthcare or to protect the vital interests of the patients. In all other situations, we obtain the express consent of the patients to process these special categories of personal data.
    If it is necessary for our performance of the contract, to protect vital interests or by law (e.g. to fulfill social security obligations and reporting obligations), or if the patients have given their consent, we disclose or transmit the data of the patients to third parties or agents, such as authorities, medical facilities, laboratories, billing centers and in the area of IT, office or comparable services, in compliance with professional regulations.
    Your data will be stored for as long as it is necessary for the provision of our services and any follow-up care. The retention period is usually ten years, but may differ in special cases due to special regulations, e.g. the requirements of the Radiation Protection Act; Legal bases: Performance of contract and pre-contractual inquiries (Art. 6 Para. 1 S. 1 lit. b) GDPR), Legal obligation (Art. 6 Para. 1 S. 1 lit. c) GDPR), Protection of vital interests (Art. 6 Para. 1 S. 1 lit. d) GDPR), Legitimate interests (Art. 6 Para. 1 S. 1 lit. f) GDPR), Processing of special categories of personal data relating to health, occupation and social security (Art. 9 Para. 2 lit. h) GDPR), Consent to the processing of special categories of personal data (Art. 9 Para. 2 lit. a) GDPR), Processing of special categories of personal data to protect vital interests (Art. 9 Para. 2 lit. c) GDPR).

Providers and services used in the course of business activities

In the course of our business activities, we use additional services, platforms, interfaces or plug-ins from third-party providers (referred to as “services” for short) in compliance with legal requirements. Their use is based on our interests in the proper, lawful and economic management of our business operations and our internal organization.

  • Processed data types: Inventory data (e.g. names, addresses); Payment data (e.g. bank details, invoices, payment history); Contact details (e.g. email, phone numbers); Content data (e.g. entries in online forms). Contract data (e.g. subject matter of the contract, term, customer category).
  • Data subjects: Customers; prospective clients; users (e.g. website visitors, users of online services). Business and contractual partners.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations. Office and organizational procedures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Provision of the online offer and web hosting

We process user data in order to provide them with our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times); meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, consent status). Content data (e.g. entries in online forms).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Provision of online services on rented storage space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also called “web host”); Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Collection of access data and log files: Access to our online services is logged in the form of so-called “server log files”. The server log files may include the address and name of the web pages and files accessed, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider. The server log files can be used for security purposes, e.g. to avoid overloading the servers (especially in the event of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidential purposes are excluded from deletion until the final clarification of the respective incident.
  • Email dispatch and hosting: The web hosting services we use also include the dispatch, receipt and storage of emails. For these purposes, the addresses of the recipients and senders as well as other information relating to the email dispatch (e.g. the providers involved) and the content of the respective emails are processed. The aforementioned data may also be processed for the purpose of detecting SPAM. Please note that emails are generally not sent in encrypted form on the internet. As a rule, emails are encrypted during transport, but not on the servers from which they are sent and received (unless a so-called end-to-end encryption method is used). We can therefore not assume any responsibility for the transmission path of emails between the sender and the recipient on our server; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • WordPress.com: Hosting and software for the creation, provision and operation of websites, blogs and other online services; Service provider: Aut O’Mattic A8C Irland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://wordpress.com; Data protection declaration: https://automattic.com/de/privacy/; Order processing agreement: https://wordpress.com/support/data-processing-agreements/. Basis of third country transfers: Data Privacy Framework (DPF).

Use of cookies

Cookies are small text files or other storage entries that store information on end devices and read it from them. For example, to save the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed or functions used in an online service. Cookies can also be used in relation to various concerns, such as for the functionality, security and convenience of online services and for the creation of analyses of visitor flows.

Information on consent: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is not required in particular if the storage and reading of the information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e. our online service) that they have expressly requested. The revocable consent is clearly communicated to them and contains the information on the respective cookie usage.

Information on data protection legal bases: The data protection legal basis on which we process the personal data of users with the help of cookies depends on whether we ask them for consent. If the users accept, the legal basis for the use of their data is the declared consent. Otherwise, the data processed with the help of cookies is processed on the basis of our legitimate interests (e.g. in the economic operation of our online service and the improvement of its usability) or, if this is done within the scope of the fulfillment of our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We will clarify the purposes for which the cookies are used by us in the course of this data protection declaration or within the scope of our consent and processing procedures.

Storage period: With regard to the storage period, the following types of cookies are distinguished:

  • Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user leaves an online service and closes their device (e.g. browser or mobile application).
  • Permanent cookies: Permanent cookies remain stored even after the device is closed. For example, the login status can be saved and preferred content can be displayed directly when the user visits a website again. Likewise, the user data collected with the help of cookies can be used to measure reach. Unless we provide users with explicit information on the type and storage period of cookies (e.g. as part of obtaining consent), they should assume that these are permanent and that the storage period can be up to two years.

General information on revocation and objection (opt-out): Users can revoke their given consent at any time and also declare an objection to the processing in accordance with the legal requirements, also by means of the privacy settings of their browser.

  • Types of data processed: Usage data (e.g. websites visited, interest in content, access times).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).

Further information on processing operations, procedures and services:

  • Processing of cookie data on the basis of consent: We use a consent management solution in which the user's consent to the use of cookies or to the procedures and providers named in the consent management solution is obtained. This procedure serves to obtain, log, manage and revoke consent, in particular in relation to the use of cookies and comparable technologies that are used to store, read and process information on the user's devices. Within the scope of this procedure, the users' consent for the use of cookies and the associated processing of information, including the specific processing and providers named in the consent management procedure, is obtained. Users also have the option of managing and revoking their consent. The declarations of consent are stored in order to avoid repeated queries and to be able to provide proof of consent in accordance with the statutory requirements. The storage takes place on the server side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to be able to assign the consent to a specific user or their device. Unless there is specific information on the providers of consent management services, the following general information applies: The duration of the storage of the consent is up to two years. A pseudonymous user identifier is created, which is stored together with the time of consent, information on the scope of consent (e.g. categories of cookies and/or service providers concerned) and information about the browser, the system and the device used; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
  • Cookie opt-out: In the footer of our website you will find a link via which you can change your cookie settings and revoke your consent accordingly; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Contact and request management

When contacting us (e.g. by post, contact form, email, telephone or via social media) and within the scope of existing user and business relationships, the data of the requesting persons are processed insofar as this is necessary to answer the contact requests and any requested measures.

  • Types of data processed: Contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, consent status).
  • Data subjects: Communication partners.
  • Purposes of processing: Contact requests and communication; administration and answering of inquiries; feedback (e.g. collecting feedback via online form). Provision of our online services and user-friendliness.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR).

Further information on processing operations, procedures and services:

  • Contact form: When users contact us via our contact form, e-mail or other communication channels, we process the data provided to us in this context to process the communicated request; Legal bases: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Video conferences, online meetings, webinars and screen sharing

We use platforms and applications from other providers (hereinafter referred to as "conference platforms") for the purpose of conducting video and audio conferences, webinars and other types of video and audio meetings (hereinafter collectively referred to as "conference"). When selecting conference platforms and their services, we observe the legal requirements.

Data processed by conference platforms: As part of participation in a conference, the conference platforms process the following personal data of the participants. The scope of processing depends, on the one hand, on which data is required as part of a specific conference (e.g. providing access data or clear names) and which optional information is provided by the participants. In addition to processing for the purpose of conducting the conference, the data of the participants may also be processed by the conference platforms for security purposes or service optimization. The processed data includes personal data (first name, last name), contact information (e-mail address, telephone number), access data (access codes or passwords), profile pictures, information on professional position/function, the IP address of the internet access, information on the participants' end devices, their operating system, the browser and its technical and language settings, information on the content communication processes, i.e. entries in chats as well as audio and video data, as well as the use of other available functions (e.g. surveys). The content of communications is encrypted to the extent technically provided by the conference providers. If the participants are registered as users with the conference platforms, further data can be processed in accordance with the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (e.g. from surveys) as well as video or audio recordings are logged, the participants will be informed transparently in advance and they will be asked for their consent – if required.

Data protection measures of the participants: Please note the data protection information of the conference platforms for details on the processing of your data by the conference platforms and select the security and data protection settings that are optimal for you within the settings of the conference platforms. Furthermore, please ensure data and personal protection in the background of your recording for the duration of a video conference (e.g. by informing roommates, closing doors and using the function to make the background unrecognizable, if technically possible). Links to the conference rooms and access data must not be passed on to unauthorized third parties.

Information on legal bases: If, in addition to the conference platforms, we also process the data of users and ask users for their consent to the use of the conference platforms or certain functions (e.g. agreement to a recording of conferences), the legal basis for the processing is this consent. Furthermore, our processing may be necessary to fulfill our contractual obligations (e.g. in participant lists, in the case of processing discussion results, etc.). In addition, the data of users is processed on the basis of our legitimate interests in efficient and secure communication with our communication partners.

  • Processed data types: Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status).
  • Data subjects: Communication partners; users (e.g. website visitors, users of online services). People depicted.
  • Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; contact requests and communication. Office and organizational procedures.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

Presences in social networks (social media)

We maintain online presences within social networks and process user data in this context in order to communicate with the users active there or to offer information about us.

We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, user profiles can be created based on user behavior and the resulting interests of users. The latter may in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. Cookies are therefore generally stored on the user's computer, in which the user's usage behavior and interests are stored. In addition, data can also be stored in the user profiles independently of the devices used by the users (especially if they are members of the respective platforms and are logged in there).

For a detailed description of the respective forms of processing and the options for objection (opt-out), please refer to the data protection declarations and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can take appropriate measures and provide information directly. If you still need help, you can contact us.

  • Types of data processed: Contact data (e.g. email, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times). Meta, communication and procedural data (e.g. IP addresses, time stamps, identification numbers, consent status).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Contact requests and communication; feedback (e.g. collecting feedback via online form). Marketing.
  • Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Instagram: Social network; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com; Privacy Policy: https://instagram.com/about/legal/privacy. Basis for third country transfers: Data Privacy Framework (DPF).
  • Facebook pages: Profiles within the social network Facebook; Service provider: Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland; Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.facebook.com; Privacy Policy: https://www.facebook.com/about/privacy; Basis for third country transfers: Data Privacy Framework (DPF); Further information: We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data from visitors to our Facebook page (so-called "fan page"). This data includes information about the types of content users view or interact with, or the actions they take (see under "Things you and others do and provide" in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data; see under "Device information" in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under "How do we use this information?", Facebook also collects and uses information to provide analytics services, known as "Page Insights", for page operators to help them understand how people interact with their pages and the content associated with them. We have concluded a special agreement with Facebook ("Information on Page Insights", https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill the rights of data subjects (i.e. users can, for example, send information or deletion requests directly to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the "Information on Page Insights"(https://www.facebook.com/legal/terms/information_about_page_insights_data). The joint responsibility is limited to the collection by and transfer of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, which relates in particular to the transfer of data to the parent company Meta Platforms, Inc. in the USA.
  • LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.linkedin.com; Data protection declaration: https://www.linkedin.com/legal/privacy-policy; Basis for third country transfers: Data Privacy Framework (DPF); Objection option (opt-out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Further information: We are jointly responsible with LinkedIn Ireland Unlimited Company for the collection (but not the further processing) of data from visitors who are responsible for the creation of the “Page Insights” (statistics) of our LinkedIn profiles.
    This data includes information on the types of content that users view or interact with, or the actions they take, as well as information about the devices used by users (e.g. IP addresses, operating system, browser type, language settings, cookie data) and information from the user's profile, such as job function, country, industry, hierarchy level, company size and employment status. Data protection information on the processing of user data by LinkedIn can be found in LinkedIn's data protection information: https://www.linkedin.com/legal/privacy-policy
    We have concluded a special agreement with LinkedIn Ireland (“Page Insights Joint Controller Addendum (the ‚Addendum‘)”, https://legal.linkedin.com/pages-joint-controller-addendum), which regulates in particular which security measures LinkedIn must observe and in which LinkedIn has agreed to fulfill the rights of data subjects (i.e. users can send information or deletion requests directly to LinkedIn, for example). The rights of users (in particular to information, deletion, objection and complaint to the responsible supervisory authority) are not restricted by the agreements with LinkedIn. The joint responsibility is limited to the collection of data by and the transfer to Ireland Unlimited Company, a company based in the EU. The further processing of the data is the sole responsibility of Ireland Unlimited Company, which in particular concerns the transfer of the data to the parent company LinkedIn Corporation in the USA.

Plug-ins and embedded functions and content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These can be, for example, graphics, videos or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the IP address of the users, as they could not send the content to their browser without the IP address. The IP address is therefore required for the presentation of this content or functions. We endeavor to only use content whose respective providers only use the IP address to deliver the content. Third-party providers can also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and contain, among other things, technical information about the browser and operating system, referring websites, the time of the visit and other information on the use of our online offer, but can also be linked to such information from other sources.

Information on legal bases: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, economic and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this data protection declaration.

  • Processed data types: Usage data (e.g. websites visited, interest in content, access times); Meta, communication and procedural data (e.g. IP addresses, time data, identification numbers, consent status); Inventory data (e.g. names, addresses); contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms). Location data (information on the geographical position of a device or a person).
  • Data subjects: Users (e.g. website visitors, users of online services).
  • Purposes of processing: Provision of our online services and user-friendliness. Provision of contractual services and fulfillment of contractual obligations.
  • Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).

Further information on processing operations, procedures and services:

  • Google Fonts (provision on our own server): Provision of font files for the purpose of a user-friendly presentation of our online offer; Service provider: The Google Fonts are hosted on our server, no data is transmitted to Google; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
  • Google Maps: We integrate the maps of the “Google Maps” service provided by Google. The processed data may include, in particular, IP addresses and location data of users; Service provider: Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://mapsplatform.google.com/; Data protection declaration: https://policies.google.com/privacy. Basis for third country transfers: Data Privacy Framework (DPF).
  • reCAPTCHA: We integrate the „reCAPTCHA“ function to be able to recognize whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called “bots“). The data processed may include IP addresses, information on operating systems, devices or browsers used, language settings, location, mouse movements, keystrokes, time spent on websites, previously visited websites, interactions with ReCaptcha on other websites, possibly cookies and results of manual recognition processes (e.g. answering questions or selecting objects in images). Data processing is based on our legitimate interest in protecting our online offer from abusive automated crawling and spam; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.google.com/recaptcha/; Data protection declaration: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Objection option (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.
  • YouTube videos: Video content; Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal bases: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR); Website: https://www.youtube.com; Data protection declaration: https://policies.google.com/privacy; Basis for third country transfers: Data Privacy Framework (DPF). Objection option (opt-out): Opt-out plugin: https://tools.google.com/dlpage/gaoptout?hl=de, settings for the display of advertisements: https://myadcenter.google.com/personalizationoff.

Amendment and update of the privacy policy

We kindly request that you regularly review the content of our privacy policy. We adapt the privacy policy as soon as changes to the data processing carried out by us make this necessary. We will inform you as soon as the changes require your cooperation (e.g. consent) or other individual notification.

If we provide addresses and contact information of companies and organizations in this privacy policy, please note that the addresses may change over time and please check the information before contacting us.

Definitions

This section provides you with an overview of the terms used in this privacy policy. Insofar as the terms are defined by law, their legal definitions apply. The following explanations, on the other hand, are primarily intended to aid understanding.

  • Personal data: "Personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Location data: Location data is generated when a mobile device (or another device with the technical requirements for location determination) connects to a radio cell, a WLAN or similar technical means and functions of location determination. Location data is used to indicate the geographically determinable position on earth at which the respective device is located. Location data can be used, for example, to display map functions or other location-dependent information.
  • Controller: The "controller" is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • Processing: "Processing" means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is broad and covers practically every handling of data, be it collection, analysis, storage, transmission or deletion.
zahnspange@santigli.eu +43311236800