Information obligations

Compliance with the information requirements under Article 13 GDPR

The name and contact data of the controller are:

Name: Austrian Standards International – Standardization and Innovation as well as Austrian Standards Plus GmbH

Postal address: Heinestraße 38, 1020 Vienna, Austria

Telephone number: +43 1 213 00-0

E-mail address: [email protected]

Website: www.austrian-standards.at

 

Information on the rights of data subjects is available here.

 

We process personal data as follows:

In the context of business relations, the following data provided by you are processed: master data, including contact details (e.g. address, telephone, e-mail, fax, VAT number), bank account data, access data (e.g. user ID, passwords). Additionally, the following data resulting from business relations are processed: communication data, accounting and controlling data, order and contract data, funding and payment conditions, credit rating information, objects of product or service provision, data on delivery terms, organizational data (e.g. deadlines), object and reference, documentation of business transactions, product/service data, inquiries, standard development and committee management, membership management and arbitration procedures.

 

General data processing in the context of business relations

Data are processed to perform contracts or on the basis of legal provisions in the context of business relations (and to manage such relations). Your data are processed for the formal handling of business transactions to be carried out for us, to analyse and evaluate whether customers are satisfied and to assess the quality of the services used as well as for handling the sale of products and services.

Whenever data are passed on, only the data that are relevant in each individual case are transmitted on the basis of legal provisions or in order to comply with a contract. Data are passed on to the following categories of recipients:

  • Banks
  • Legal representatives
  • Chartered accountants, auditors
  • Courts of law
  • Competent public authorities
  • Debt collection companies
  • External finance providers
  • Contract and business partners
  • Insurance companies
  • Statistics Austria
  • Public inspection services
  • Internal and external interest groups
  • Provident funds, severance pay funds, social security institutions, pension funds
  • Transport companies
  • Suppliers
  • Partner organizations (e.g. standard developers and sales partners)
  • Standardization organizations in the EU (CEN, CENELEC, ETSI)
  • Standardization organizations world-wide (ISO, IEC, CEN, CENELEC and ETSI members outside the EU)
  • Participants in standardization
  • Supervisory authority (Federal Ministry for Digital and Economic Affairs)
  • Advisory Board on Standardization
  • Conciliation Board
  • Functions supporting the officials

 

The following service providers receive your data in order to enable us to formally handle business transactions to be performed by us and to process the sale of products and services:

  • Exchange Online, an e-mail service provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Corporation is certified under the EU-US Privacy Shield that ensures compliance with the data protection standard applying in the EU.
  • Dynamics 365 are enterprise resource planning (ERP) and customer relationship management (CRM) applications provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Corporation is certified under the EU-US Privacy Shield that ensures compliance with the data protection standard applying in the EU.
  • Surveymonkey is a balloting, voting and surveying tool provided by SurveyMonkey Inc., One Curiosity Way, San Mateo, CA 94403, USA. SurveyMonkey is certified under the EU-US Privacy Shield that ensures compliance with the data protection standard applying in the EU.
  • eCert is a cloud and on-premises solution for enterprise resource planning (ERP) for audits, assessments, certification, accreditation and standards management provided by Intact GmbH, Parkring 6, 8403 Lebring, Austria.
  • Austrian Standards Operations GmbH, Heinestraße 38, 1020 Vienna, Austria.

 

These companies act as processors for us and may only use your data for performing concrete tasks and are contractually obliged by us to comply with data protection legislation.

We store your data as long as the (business) relationship exists and three years thereafter.

 

Data processing for direct marketing

Data are processed on the basis of your consent and our legitimate interest in developing business with regard to the services and products we offer. Processing extends to text documents electronically created and archived (e.g. correspondence) in that context. The legitimate interest results from the controller's interest in informing customers about news from our organization, offers and events and in sending messages to its customers in order to market its own portfolio of products and services.

We store your data as long as the (business) relationship exists and three years thereafter.

 

Data processing for organizing events

If you take part in our events, the data you provide are processed on the basis of your consent, and in order to perform a contract or to comply with a legal obligation, in order to handle registrations, to organize and implement the event in question, to answer questions you address to us in the context of your registration and to formally handle the transactions to be performed by us within the framework of a business relationship.

The transmission of data that are relevant in each specific case is based on your consent and serves for the performance of a contract.

We store your data as long as the (business) relationship exists and three years thereafter unless retention obligations under tax or corporate law provide for a storage period of 7 years.

The following service providers receive your data to enable us to organize and implement an event:

  • Austrian Standards Operations GmbH, Heinestraße 38, 1020 Vienna, Austria

This company acts as a processor for us and may only use your data for performing concrete tasks and is contractually obliged by us to comply with data protection legislation.

Please note that we may take photographs and make video recordings during the event in order to document the event and report on it in media (e.g. journals, magazines, publications or on websites and social media platforms).

 

Data processing for organizing education and training

In the context of education and training events, we process the personal data of participants in order to formally handle the transactions to be performed by us, to determine and evaluate the satisfaction of participants and to assess the quality of services used as well as to organize and implement the education and training events.

Your data are processed in order to perform a contract or on the basis of legal provisions within the framework of a business relationship (or to handle it).

Whenever data are passed on, only the data that are relevant in each individual case are transmitted on the basis of legal provisions or in order to comply with a contract. Data are passed on to the following categories of recipients:

  • partners
  • suppliers

We store your data as long as the (business) relationship exists and three years thereafter unless retention obligations under tax or corporate law provide for a storage period of 7 years.
 

Data processing for competitions and prize draws

If you take part in one of our competitions or prize draws, we process your data to implement the competition, to answer questions you address to us in the context of the competition or prize draw and to formally handle the transactions to be performed by us within the framework of the business relationship.

Your data are processed on the basis of your consent for the implementation of the competitions or prize draws.

We process your data only as long as this is necessary for the implementation of the competition or prize draw and three years thereafter or until you withdraw your consent to processing.

 

Data processing for participation in a committee

Participation in a committee is voluntary and based on the Austrian Normengesetz 2016 (Federal Act on Standardization 2016), the EU Standardisation Regulation No. 1025/2012 and the Internal Regulations of Austrian Standards International.

In the context of participation in a committee, we process personal data of participants for the purpose of standardization work in committees based on a legal obligation. This also involves cooperation with European and international bodies/committees, so it may be necessary to transfer your personal data to the following categories of recipients in third countries; by doing so, your personal data will be made public:

  • Standardization organizations in the EU: CEN, CENELEC, ETSI
  • Standardization organizations world-wide: ISO, IEC

Your personal data will be stored for an unlimited period of time.

 

Membership administration

The processing of data is carried out for the purpose of keeping membership lists, registering membership fees and communicating with members of the association for the duration of your membership or 7 years beyond.

The transmission of the relevant data in the individual case takes place for the fulfilment of a contractual relationship. The data may be transferred to the following recipients:

  • Chartered accountants
  • Auditors
  • Supervisory authorities

Your name will also be published on the website for the duration of your membership.

 

Data processing for administrative activities

We operate a customer relationship management (CRM) system and process your data to document and improve our relationship with you (documentation of communications between our staff and you). The legal basis is our legitimate interest in optimizing customer-specific communication with our customers.

The transmission of data that are relevant in each specific case is based on legal provisions and serves for the performance of a contract. Additionally, the data are passed on to the following categories of recipients:

  • Legal representatives
  • Chartered accountants, auditors and tax consultants

 

We store your data as long as the (business) relations exist and three years thereafter.

The following service provider receives your data in order to allow us to document and improve the business relationship:

  • Dynamics 365 are enterprise resource planning and customer relationship management applications provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Corporation is certified under the EU-US Privacy Shield that ensures compliance with the data protection standard applying in the EU.

This company acts as a processor for us and may only use your data for performing concrete tasks and is contractually obliged by us to comply with data protection legislation.

We store your data as long as the (business) relationship exists and three years thereafter unless retention obligations under tax or corporate law provide for a storage period of 7 years. 

 

Data processing for job application management

When you apply for a job with us we process your data in order to assess your suitability, qualification and professional performance with regard to the vacancy for which you apply. If you consent to being kept on file, we process your data also after the vacancy in question is filled for contacting you later on.

Your data are processed for implementing pre-contractual activities and based on our legitimate interest in managing an efficient job application process. Within the framework of keeping you on file for future vacancies, your data are processed on the basis of your consent.

The transmission of data that are relevant in each specific case is based on legal provisions and serves for the performance of a contract. Additionally, the data are passed on to the following categories of recipients:

  • Recruitment agencies
  • Personnel leasing companies

We process your data only as long as required for the implementation of the job application process and for defending legal claims. If you are not employed by us and do not consent to being kept on file, your data are deleted six months after the vacancy in question is filled.

The data are exclusively processed for the sole purpose of managing the job application process. Applicant data are stored by Austrian Standards and processed for completing the job application process. They are deleted six months after the related vacancy is filled unless the applicant consented to having his/her data kept on file thereafter. The data are not transferred to third parties.

The personal data are processed on the basis of the provisions of Article 6 (1) (b) (pre-contractual measures), Article 6 (1) (a) (consent), Article 6 (1) (f) (legitimate interest) of GDPR.


Data processing in the context of video telephony and video conferences

If you make a video call with us or participate in one of our video conferences, we process your data for the technical provision and organization of the video call. The video call or video conference can be conducted purely virtually or in hybrid form, which means with partly virtual and partly physically present persons. Generally, no recordings of the video call or video conference are made; otherwise you will be informed about it separately.

The processing of the data is based on the performance of pre-contractual measures or the fulfillment of a contractual obligation, or on our legitimate interest to enable the video call or video conference technically and to ensure IT and network security.

We store your data as long as necessary for the technical provision and organization of video calls or video conferences or as required by law (for example, in accordance with labor and corporate law storage obligations). In the latter case, we generally store your data for 7 years.

 

Data processing for Lesesaal users

If you use our Lesesaal, we process your data in order to ensure registration and the organization of access to our Lesesaal. Additionally, we process your data to answer questions you address to us in the context of using our Lesesaal.

Your data are processed on the basis of our legitimate interest in monitoring and organizing access to our Lesesaal.

Data are not transferred to third parties pursuing their own objectives.

We store the data as long as you use Lesesaal and three years thereafter.

 

Data processing within the framework of video surveillance

We process your data for the purposes of video surveillance as a preventive measure and for ensuring the traceability of illegal actions and facilitating investigations after such incidents (preventive protection of persons and property).

Image data will be screened exclusively in case of an incident defined by that purpose. Your data are processed on the basis of our legitimate interest in the protection of property, protection against hazards and crime, and the protection of customers, members, employees, etc.

If image data are not needed in a concrete case for achieving the underlying purposes of protection and evidence preservation, we delete image data within 72 hours at the latest.

If data need to be transferred in case of an incident defined by that purpose on the basis of legal provisions or our legitimate interests, they are passed on to the following categories of recipients:

  • Legal representatives
  • Courts of law
  • Competent administrative authorities

The following service providers receive your data in order to ensure the operation, maintenance and administration of video surveillance:

  • Austrian Standards Operations GmbH, Heinestraße 38, 1020 Vienna, Austria

This company acts as a processor for us and may only use your data for performing concrete tasks and is contractually obliged by us to comply with data protection legislation.

 

Data processing in the context of the internal reporting channel (internal whistleblower system, whistleblower channel)

We operate an internal reporting channel for the purpose of preventing and combating violations of the law, enabling the submission of information about such violations and verifying the validity of such information. As part of the operation of our internal reporting channel, we process the personal data of the following data subjects:

  • reporting persons (unless the report is made anonymously),
  • persons concerned,
  • facilitators,
  • third persons who are connected with the reporting persons and who could suffer retaliation,
  • persons affected by or involved in follow-up measures.

The personal data are processed on a legal basis. In accordance with the retention obligations under the Austrian Whistleblower Protection Act, we store the data for 5 years from the last time it was processed or transmitted or until the conclusion of administrative or judicial proceedings that have already been initiated or investigation proceedings under the Austrian Code of Criminal Procedure.

The following service providers receive the data in order to enable us to receive reports:

  • Whistleblower Software ApS, Kannikegade 4, 1, DK-8000 Aarhus C, Denmark.

This company acts as a processor for us and may only use the data for performing concrete tasks and is contractually obliged by us to comply with data protection legislation.

Please note: For persons concerned, the following rights of the data subject do not apply as long and insofar as it is necessary to protect the reporting persons and other data subjects, to achieve the purposes of the Austrian Whistleblower Protection Act, and at least for the duration of administrative or judicial proceedings or investigation proceedings under the Austrian Code of Criminal Procedure:

  • right to information,
  • right of access,
  • right to rectification,
  • right to erasure,
  • right to restriction of processing,
  • right to object and
  • right to communication of a personal data breach.

 

Joint controllers under Article 26 GDPR

Austrian Standards International and Austrian Standards Plus GmbH, both headquartered at Heinestraße 38, 1020 Vienna, Austria, act as joint controllers for all the data applications described above. Within the framework of this joint controllership, all the obligations are fulfilled by Austrian Standards International, Heinestraße 38, 1020 Vienna, Austria.

Austrian Standards International, Austrian Standards Plus GmbH and Austrian Standards Operations GmbH, all headquartered at Heinestraße 38, 1020 Vienna, Austria, act as joint controllers for the following data applications:

  • Data processing for job application management
  • Data processing for administrative activities

Within the framework of this joint controllership, all the obligations are fulfilled by Austrian Standards International, Heinestraße 38, 1020 Vienna, Austria.

Austrian Standards International and Austrian Standards Plus GmbH, both headquartered at Heinestraße 38, 1020 Vienna, Austria, act as joint controllers for the following data application:

  • Data processing for organizing events

Within the framework of this joint controllership, all the obligations are fulfilled by Austrian Standards International, Heinestraße 38, 1020 Vienna, Austria.

 

Further information

Data subjects have the right to obtain access to data under Article 15 GDPR, the right to rectification of inaccurate data under Article 16 GDPR, the right to erasure of data under Article 17 GDPR, the right to a restriction of processing under Article 18 GDPR, the right to object to unreasonable data processing under Article 21 GDPR and the right to data portability under Article 20 GDPR.

If data are processed on the basis of a declaration of consent, the data subject may withdraw this consent anytime without prejudice to the lawfulness of previous processing based on the consent given up to the time of its withdrawal.

Data subjects have the right to file complaints with the supervisory authority. In Austria, the competent body is the Data Protection Authority. Its address is:

 

Austrian Data Protection Authority

Barichgasse 40-42

1030 Vienna

Austria

Telephone: +43 1 52 152-0

E-mail: [email protected]

 

In the context of obtaining data, we inform the person concerned whether the provision of personal data is a statutory or contractual requirement or a requirement necessary to enter into a contract. At the same time, we indicate whether the person concerned is obliged to provide the personal data and point out the possible consequences of a failure to provide them.

There is no automated decision-making, including profiling. If personal data should be processed for a purpose other than that for which the personal data were collected, we inform the person concerned about that other purpose.

If you want to exercise your data protection rights, please click here.