The following describes the nature, scope and purposes of data processing as well as its legal basis and the rights of the persons concerned.
This concerns personal data of visitors, users, interested clients and customers (contractual partners) of VARIO-BAU Fertighaus GesmbH, Ackergasse 21, 2700 Wiener Neustadt, Austria (also called "VARIO-HAUS").
When the following refers to the "company", this company is meant to the extent that it is responsible under data protection law.
The "affected person(s)" are the named visitors, users, interested parties and customers.
The Company collects personal information when individuals disclose it, such as:
- in the context of visiting and using the website,
- in the context of an inquiry (also with independent sales representatives of VARIO-HAUS) or in the course of an establishment of contact by our representatives or our independent sales representatives,
- within the scope of an application as an employee or self-employed commercial agent
- for (other) contact (e.g. via contact form, e-mail or live chat function on the website)
The categories of data that can be collected are as follows: Name, age, date of birth, address, e-mail address, telephone number, economic status. Which (further) data are collected in detail can be seen from the respective input forms or from the queries made by the company's employees or independent sales representatives. In the case of applications, all data provided by the applicant can be processed.
(b) Name and contact details of the person responsible
VARIO-BAU Fertighaus GesmbH
Mr. Daniel Gruber
2700 Wiener Neustadt
Phone: +43 2622 89336
A data protection officer has not been appointed in the company.
(c) Processing purposes and legal bases
The personal data of the data subjects are processed for the following purposes:
- Initiation and
- Fulfilment of transactions concerning the planning and construction of prefabricated houses,
- the former also in cooperation with self-employed commercial agents and
- Fulfillment of all associated processes such as invoicing, administration, bookkeeping, etc.
- Sending information and advertising and
- Recruitment of employees or self-employed commercial agents in case of sending application documents
The legal bases for processing are
- the performance of the contract or the execution of pre-contractual measures which take place at the request of the person concerned (advice, preparation of offers, etc.);
The same applies if the contract is concluded with a legal entity whose performance also requires the processing of personal data (contact person).
- the pre-contractual measures on request of the data subject;
- if no health data and no other sensitive data are concerned, the legitimate interest of the company (Art 6 para 1 lit b and f GDPR),
- the interest of a person concerned in a position in the company advertised by the company to work as an employee or self-employed commercial agent, even if the job advertisement is published via recruiters / job platforms,
- the fulfilment of legal documentation and transmission obligations, in particular in the field of taxation and data protection, and
- a consent (as described below).
We have a legitimate interest in the following cases:
- in the event of the initiation of business transactions by the company or its independently active commercial agents,
- for sufficient information of customers about the products and services, events, promotions etc. offered or brokered by the company, i.e. advertising. This also includes the transmission of data to contractors for this purpose, if this is necessary for the implementation of this or other marketing measures, statistical evaluations, etc,
- for internal administration within the Group, insofar as the company belongs to or is associated with such a company,
- for processing by contractors (for example, external accounting),
- for obtaining credit information,
- to prevent fraud or illegal use of the website. Apart from the latter case, the data automatically collected and stored by the provider on the web server (e.g. browser used, operating system, referring site, IP address, time) are not evaluated and are not assigned to a specific person. If comments or form entries are left, the entered data and their IP addresses are stored for the purpose of pursuing illegal content.
In the following cases, the legal basis for processing is the affected person's consent:
- By registering or agreeing to receive a newsletter and other advertising, the person concerned agrees that the data required for this or separately provided by the person concerned will be used for the regular sending of newsletters and other advertising.
- When posting on the company's Facebook page, the person concerned agrees that the postings may be published by the company, e.g. on a social wall or embedded in the company's website.
- The inclusion in a list of participants at events and presentations together with their handing over to the participants and the further processing of the data stated therein is also based on the consent of the persons concerned. This also includes the use of photographic material which is created during the events or presentations at which the person concerned can be seen.
The consent can be revoked (also individually) at any time by sending a message to the contact option described above under lit (b). If the registration is possible online, e.g. by clicking on the relevant checkbox ("box"), the revocation is just as easily possible. A revocation does not render the processing carried out up to that point in time inadmissible (no retroactive effect of the revocation).
If the processing is based on the legitimate interest of the company (see above), the affected person has the right of objection under Article 21 of the GDPR. Please refer to the separate information at the end of this data protection declaration.
The provision of personal data to the company is necessary for the conclusion and fulfilment of the contract. Non-provision would mean that the company could not take action and could therefore not conclude a contract.
The provision of personal data is required for sending a newsletter and other advertising, otherwise the newsletter could not be sent. A lack of consent has no effect on the company's activities or on the subsequent conclusion of the contract, so this is expressly not a prerequisite.
Posting on the Company's Facebook page requires the provision of personal information; otherwise the posting may not be published. Non-provision has no effect on the company's activities or on the subsequent conclusion of the contract, so this is expressly not a prerequisite.
To participate in events and presentations, personal data must be provided and handed over to the participants and the data provided therein must be processed further as well as the photographic material created during these events and presentations for advertising purposes. Non-provision would mean that participation would not be possible. Non-provision has no effect on the company's activities or on the subsequent conclusion of the contract, so this is expressly not a prerequisite.
(e) Recipient of the data
Disclosure of the data subject's personal data to recipients other than the company (i.e. to other natural or legal persons, authorities, institutions or other bodies) is generally not made (see, however, the information in lit. (j) to (r)). This does not apply to
- Possibly appointed independent sales representatives (to contact the interested party, his advice by the representative, etc.);
- any third parties named by the person concerned (e.g. architects or professionals or also in connection with the preparation of official channels vis-à-vis the authorities);
- public authorities which may receive personal data under Union law or Austrian law within the framework of a specific investigation mandate; the processing of such data by the said authorities must be carried out in accordance with the applicable data protection rules;
- Processors who process the personal data on behalf of the company (e.g. printers for sending newsletters; for processing payments, the credit institution responsible for processing the payment).
(f) Updating/origin of data
The updating of interested party and customer data or personal data is primarily based on direct feedback or change notices from interested parties and customers or persons to the company.
The data usually originate from the interested parties or customers or persons themselves or from any self-employed commercial agents of the company. Exceptionally, publicly accessible information (e.g. professional and industry directories) is (also) used. The categories of data that can be collected, depending on availability, are as follows: Name, age, date of birth, address, e-mail address, telephone number, economic status or payment history. Information from creditor protection associations and credit agencies may also be available for the latter.
(g) Duration of data storage
The personal data will be stored for the following period:
- until they are no longer necessary for the purposes for which they were collected or otherwise processed;
- in the case of processing on the basis of a declaration of consent, until the data subject withdraws his/her consent and until no other legal basis for further processing exists (Art 17 para 1 lit b GDPR);
- in any case, however, as long as the storage is necessary to fulfil a legal obligation (e.g. statutory retention obligations) or to assert, exercise or defend legal claims of the company.
(h) Rights of the affected person
Under Article 15 of the GDPR, the affected person has the right to request confirmation from the data controller - upon proof of his identity - as to whether the controller processes personal data concerning him. If this is the case, the person concerned also has the right to
- information about this personal data and
- the information referred to in Art 15 para 1 GDPR, such as the categories of personal data and other information.
The affected person has the right to request the data controller to correct any inaccurate personal data concerning him/her without delay (right to correction in accordance with Article 16 of the GDPR).
Under the conditions of Art 17 GDPR, the data subject has a right to the deletion ("right to be forgotten") of personal data concerning him/her, for example if
- the data are no longer necessary for the purposes for which they were collected or otherwise processed, or
- the data were processed unlawfully; or
- in the case of processing on the basis of a declaration of consent, if the data subject withdraws his/her consent.
If the company has made public the personal data that must be deleted, the following obligation exists according to Art 21 Para. 2 GDPR:
Taking into account the available technology and the resulting costs, appropriate measures shall be taken to inform other persons responsible of the deletion to be carried out. This applies to those responsible for processing the personal data. They must be informed that the person concerned has requested the deletion of all links to this personal data, copies and replications of this personal data.
However, there is no right to deletion if the exceptions mentioned in Art 17 para 3 GDPR are applicable, for example if the processing is necessary to fulfil a legal obligation under EU law or Austrian law (e.g. statutory retention obligations) or to assert, exercise or defend legal claims.
Under Article 18 of the GDPR, the affected person has the right to have processing restricted, e.g.
- if the affected person disputes the accuracy of the data processed,
- the processing is unlawful, or
- there is a dispute between the company and the affected person as to whether there is a right to deletion. In this case, the company will only store the data in question, but will not process it in any other way.
If the person concerned requests the deletion or restriction or raises an objection (cf. at the end of this data protection declaration), he will be informed immediately of the measures taken or of the reasons which, from the company's point of view, stand in the way of implementation.
Under Article 20 of the GDPR, the data subject has the right to receive the personal data concerning him/her that he/she has provided to the company in a structured, current and machine-readable format. However, this only applies if processing is carried out using automated methods.
Furthermore, the data subject has the right to transfer this data to another person responsible. The data controller to whom the personal data has been provided must not impede this (right to data transferability). Where technically feasible, the data subject has the right to have the data transferred directly from one person responsible to another.
(i) Right of appeal to the Supervisory Authority
The affected person has the right of appeal to the data protection authority if he or she considers that the processing of personal data concerning him or her violates the GDPR or § 1 or Article 2 1st main part of the Data Protection Act (DPR) in the version of the Data Protection Adaptation Act 2018.
Cookies are small files that allow this website to store specific user-related information on the visitor's computer while the website is being visited. Cookies help to determine the frequency of use and the number of users of the Internet pages and to make offers convenient and efficient.
The company uses session cookies, which are only stored temporarily for the duration of use of the website, and permanent cookies to record information about visitors who repeatedly access the website. The purpose of the use of these cookies is to provide optimal user guidance, to recognize visitors and to present as attractive a website and interesting content as possible in the event of repeated use. The content of a permanent cookie is limited to an identification number. Name, IP address etc. are not stored. An individual profile of the usage behavior does not take place.
The company's offers can also be used without cookies.
With an appropriate browser setting, the storage of cookies can be deactivated or restricted to certain websites. The browser can also be set to notify the user as soon as a cookie is sent. Cookies can be deleted from the hard disk of the PC at any time. Please note that the site can then only be used to a limited extent.
(k) Use of Google Analytics
This website uses Google Analytics, a web analysis service of Google Inc. ("Google"). Google Analytics uses so-called "cookies" (see point (j)).
In this respect, the company relies on an overriding legitimate interest in producing cost-efficient and simple website access statistics (Art 6 para 1 lit f GDPR).
The information generated by the cookie about the use of this website is usually transferred to a Google server in the USA and stored there. However, if IP anonymisation is activated on this website, the IP address will first be shortened by Google within Member States of the European Union or in other states party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there.
On behalf of the operator of this website, Google will use this information to evaluate the use of the website, to compile reports on the website activities and to provide the website operator with further services associated with the use of the website and the Internet. However, the IP address transmitted by the browser within the framework of Google Analytics is not merged with other Google data.
The possibility described under point (j) exists to prevent the storage of cookies by a corresponding setting of the browser software; however, we point out that in this case not all functions of this website may be fully usable.
In addition, the collection of data generated by the cookie and related to the use of the website (including the IP address) to Google and the processing of this data by Google can be prevented by downloading and installing the browser plug-in under the following link (http://tools.google.com/dlpage/gaoptout?hl=en).
On this website Google Analytics has been extended by the code "gat._anonymizeIp();" to ensure an anonymous collection of IP addresses (so-called IP masking).
(l) Google Maps
The microsites use the Google Maps API service. This service is a service of Google, Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This will transfer at least the following data to Google, Inc.: IP address, time of visit of the website, screen resolution of the visitor, URL of the website (referer), the identification of the browser (user agent) and search terms. The data transfer is independent of whether a Google user account exists, via which the user is logged in, or whether no user account exists. If the user is logged in, this data is assigned directly to the account.
If this assignment to the profile is not desired, the user must log out before activating the button. Google, Inc. stores this data as usage profiles and uses it for the purposes of advertising, market research and/or demand-oriented design of its website. The user has the right to object to the creation of these user profiles and must contact Google Inc. to exercise this right.
Further information on the purpose and scope of data collection and processing by Google, Inc. is available at www.google.at/intl/de/policies/privacy/. By using the Google Maps service, the user agrees to data processing by Google, Inc. The data concerned are not processed by the person responsible.
(m) Google Remarketing
This website uses Google Remarketing, a service of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, to present interest-based advertisements to visitors to our website. Cookies (text files) are stored on your computer by your browser. These enable us to recognize you as a website visitor when you visit websites that belong to Google's advertising network. These pages may contain advertisements relating to content that you have previously viewed on other websites you have visited. Google does not collect any personal data during this process.
You can also disable the installation of cookies by Google Remarketing by making the appropriate settings at http://www.google.com/settings/ads
Individual pages of our website contain embedded (or linked) videos that are stored on the YouTube platform. By viewing the video, personal information is transferred to YouTube Inc, 1000 Cherry Avenue, San Bruno, CA 94066, USA, which is a subsidiary of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This will transfer at least the following data to YouTube Inc.: IP address, time of access, screen resolution of the visitor, URL of the website (referer), the identification of the browser (user agent). The data transfer is independent of whether a user account exists at YouTube Inc. via which the user is logged in or whether no user account exists. If the user is logged in, this data is assigned directly to the account.
If this assignment to the profile is not desired, the user must log out before calling the video. YouTube Inc. stores these data as user profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. The user has the right to object to the creation of these user profiles and must contact YouTube Inc. to exercise this right.
Further information on the purpose and scope of data collection and processing by YouTube Inc. is available at www.youtube.com/static?template=privacy_guidelines. By using the YouTube service, the user agrees to the data processing by YouTube Inc. The data concerned are not processed by the person responsible.
(o) OLARK Live Chat Tool
By using the Live Chat tool offered on the Website for immediate, written communication with a consultant of the Company, data will be transmitted to Habla, Inc, 76 South Park Street, San Francisco, CA 94107, USA, which provides the Chat Service. At least the following data are transmitted to Habla, Inc.: IP address, time and duration of the visit to the website, pages accessed, frequency of visits to the website, screen resolution of the visitor, URL of the website (referer), the identification of the browser (user agent) and search terms.
(p) Recommendation using AddThis
(q) MailChimp Newsletter Tool
When you request a company newsletter, data will be transmitted to The Rocket Science Group, LLC, 675 Ponce de Leon Avenue NE, Suite 5000, Atlanta, GA 30308, USA, which operates the newsletter tool MailChimp, which the company uses to send newsletters. This will at least transfer the following data to The Rocket Science Group, LLC: IP address, time of ordering and confirmation of the newsletter, name and address if specified, newsletter (articles) accessed or clicked on, preferred e-mail program.
Further information on data protection at MailChimp can be found at: http://mailchimp.com/legal/privacy/. You can unsubscribe from the newsletter at any time by clicking on the unsubscribe link at the end of each newsletter or by sending an e-mail to the person responsible named in letter b).
MailChimp is certified under the US-EU data protection agreement "Privacy Shield" and thus commits itself to comply with EU data protection regulations. Furthermore, a data processing agreement was concluded with MailChimp.
Personal data is transferred to Typekit.com, a web service of Adobe Systems Inc., 345 Park Avenue, San Jose, CA 95110-2704, USA, to display the font family Effra on our website. Adobe is certified under the US-EU Privacy Shield and is committed to comply with EU privacy laws. For more information about Adobe's data processing, please visit https://www.adobe.com/de/privacy.html.
(s) Automatic location
To automatically show you construction consultants in your area, we determine your approximate geographical location based on your IP address. Your IP address will be transmitted to MaxMind, Inc, 14 Spring Street, 3rd Floor, Waltham, MA 02451, USA. MaxMind is certified under the US-EU data protection agreement "Privacy Shield" and thus undertakes to comply with EU data protection regulations.
(t) Data security
All interested party, customer and personal data processed by the company is protected, secured and logged in accordance with generally accepted technological security standards in order to prevent misuse, loss and falsification in the best possible way. The sending and receipt of e-mail messages between the company and the person concerned is not encrypted. The transmission of data via the website is SSL-encrypted.
Separate information pursuant to Art. 21 para. 4 GDPR:
Since the processing is based on the legitimate interest of the company, the data subject has the right of objection under Article 21(1) of the GDPR. However, this only applies if there are reasons for this which arise from the data subject's special situation. It would not be sufficient if the person concerned simply does not wish his or her data to be stored or processed in any other way. Rather, the person concerned must explain personal reasons why - unlike for other customers and users - the (further) processing of personal data is unreasonable for him or her. If this is explained, further processing of personal data is only permissible in two cases:
- the company provides compelling grounds for processing which outweigh the interests, rights and freedoms of the data subject, or
- the processing serves to assert, exercise or defend legal claims.
The data subject also has the right to object to the processing of personal data concerning him/her for direct marketing purposes in accordance with Article 21(2) of the GDPR. The person concerned can also object only to the processing of individual categories of data concerning him, e.g. the use of his e-mail address for advertising purposes.
Version: June 12, 2018