1.1 Personal data is data that can identify living persons. In addition to images, names, and contact data, it can also contain numerical or statistical information from which the identity of a person can be derived.
1.2 Sensitive personal data are personal data about racial or ethnic origin, health or sex life and sexual orientation, political opinions, trade union membership, criminal records or religious or philosophical beliefs and, in accordance with the GDPR, genetic data and biometric data. These data must be given particular protection during collection, processing and transmission.
1.3 Data shall be deemed to be anonymized if identification of the person cannot be carried out by anyone or if the personal identity can only be restored with unreasonable effort.
1.4 A data subject is the person who is the subject of personal data. In some countries, legal entities may also be affected.
1.5 A controller determines the purposes for which personal data are processed. The controller is ultimately responsible for the personal data, regardless of whether they are disclosed to a processor or not. This includes responsibility for responding to access requests and complaints from data subjects.
1.6 The European Economic Area (EEA) is an economic region associated with the EU and includes Norway, Iceland, and Liechtenstein.
1.7 A Data Processor is a person who processes personal data on behalf of and for the purposes established by the Data Controller.
1.8 Third parties are all persons except the data subject and the controller.
1.9 Transmission is any transfer of protected data by the responsible body to third parties.
4.1 Fairness and legality
When processing personal data, the individual rights of the data subjects must be protected. Personal data must be collected and processed lawfully and fairly.
4.2 Purpose limitation
Personal data must be collected for specified, explicit and legitimate purposes and must not be further processed in a manner incompatible with those purposes. Personal data can only be processed for the purpose established before the data was collected. Subsequent changes to the purpose are only possible to a limited extent and require justification.
The data subject must be informed about how their data will be handled. In general, personal data must be collected directly from the data subject. When collecting the data, the data subject must know or be informed of the identity of the controller, the purpose of the data processing, and the third parties or categories of third parties to whom the data may be transmitted.
4.4 Data Minimization
Personal data must be adequate, relevant, and limited to those necessary for the purposes for which they are processed. Before processing personal data, it is necessary to check whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is carried out. Insofar as the purpose allows it and the effort is proportionate to the objective pursued, anonymized or statistical data must be used. Personal data may not be collected in advance and stored for possible future purposes, unless required or permitted by national law.
After expiry of the legal or business process-related deadlines, personal data that is no longer required must be deleted. In individual cases, there may be indications that the data are subject to interests worthy of protection or are of historical significance. If so, the data must be kept until the interests worthy of protection have been legally clarified or the company archive has evaluated the data to determine whether it must be kept for historical purposes.
Personal data must be accurate, complete and, if necessary, up-to-date. All reasonable measures must be taken to ensure that incorrect or incomplete data is deleted, corrected, supplemented, or updated.
4.7 Storage limitation
Personal data must be kept in a form that does not require identification of the data subjects for longer than for the purposes for which the personal data are processed. Personal data may be stored for longer periods of time, provided that the data are processed exclusively for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR and provided that appropriate technical and organizational measures are taken.
4.8 Confidentiality and data security
Personal data is subject to data secrecy. It must be treated confidentially and secured by appropriate organizational and technical measures against unauthorized and unlawful access, unlawful processing or dissemination, as well as against accidental loss, damage, alteration or destruction. This applies to paper and electronic recording systems. Systems should be access controlled, personnel should be trained accordingly, and security processes should be developed and understood. Appropriate monitoring and reporting on data security risks, initiatives and developments shall be carried out.
4.9 Data secrecy
Personal data is subject to data secrecy. The data protection regulations require that employees who handle personal data maintain confidentiality (data secrecy). Persons involved in data processing may not collect, process, or use personal data without authorization (confidentiality). They are obliged to maintain this confidentiality even after the end of their activities. The “need to know” principle applies: employees only have access to personal data if this is appropriate to the nature and scope of the task in question. This requires careful division and separation of duties, as well as the implementation of roles and responsibilities.
Employees are prohibited from using personal data for private or commercial purposes, making it accessible to unauthorized persons or making it available in any other way. This obligation also applies after termination of the employment relationship.
The controller is responsible for compliance with these principles and must be able to demonstrate it.
4.11 Data protection by design and by default
The controller shall take appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the respective purpose of the processing are processed. This obligation applies to the amount of personal data collected, the scope of their processing, the duration of their storage and their accessibility. These measures shall ensure, in particular, that personal data are not made accessible to an indefinite number of natural persons without the intervention of the data subject.
5.1 Data processing consent
The data may be processed with the consent of the data subject. Before giving consent, the data subject must be informed. The declaration of consent must be obtained in writing or electronically for documentation purposes. In certain circumstances, such as telephone conversations, consent may be given orally. The granting of consent must be documented.
Consent must be a freely given, specific, informed and unambiguous indication of the wishes of the individual. There must be a clear form of consent. Consent cannot be derived from silence, marked boxes or inactivity. Consent must also be separate from other conditions. There must be simple ways to withdraw consent.
5.2 Data processing – legal conditions
The processing of personal data is also permitted if national legislation requires or permits it. The type and scope of data processing must be necessary for the legally permissible data processing and comply with the relevant legal provisions.
5.3 Automatic individual decisions
The automated processing of personal data used to assess certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or that could significantly affect the data subject. The data subject must be informed about the facts and results of automated individual decisions and about the possibility of responding to them. A review and plausibility check must be carried out by an employee.
5.4 User data
If websites or apps can access personal data in an area restricted to registered users, the identification and authentication of the data subject must provide sufficient protection during access.
5.5 Data processing for a contractual relationship
Personal data of the respective interested parties, customers and partners can be processed for the establishment, execution, and termination of a contract. This also includes advising the contractual partner if this is in connection with the purpose of the contract. Prior to a contract – during the contract initiation phase – personal data may be processed in order to prepare offers or orders or to fulfil other requests from the interested party relating to the conclusion of the contract. Interested parties can be contacted during the contract preparation process using the information they provide. The restrictions demanded by interested parties must be complied with. For further advertising measures, the following requirements must be observed.
5.6 Data processing for advertising purposes
If the data subject contacts a TEADIT EU company to request information (e.g. a request for information material about a product), data processing is permitted to meet this request. Customer loyalty or advertising measures are subject to further legal requirements. Personal data may be processed for advertising purposes or for market and opinion research if this is compatible with the purpose for which the data was originally collected. The data subject must be informed about the use of his data for advertising purposes. If data is only collected for advertising purposes, disclosure by the data subject is voluntary, and the data subject is informed that the provision of data for this purpose is voluntary. When communicating with the data subject, consent to the processing of the data for advertising purposes must be obtained from him. When giving consent, the data subject should be able to choose between the available contact options such as post, e-mail and telephone. If the data subject objects to the use of his data for advertising purposes, the data can no longer be used for these purposes and must be blocked for them. Further country-specific restrictions on the use of the data for advertising purposes must be observed.
6.1 The transmission of personal data is only permitted with the consent of the data subject or if this is required or permitted by law.
6.2 The information published on the Internet is to be regarded as an export of data outside the European Union/European Economic Area. No web-based or cloud services should be used for the storage or transmission of sensitive personal data unless agreed with the Financial Director.
6.3 If personal data is transferred from a group company based in the European Union/European Economic Area to a sister company outside the EU or to a third party based outside the European Union/European Economic Area (third country), the Data Protection Coordinator should be contacted to comply with all requirements and instructions of the supervisory authority regarding the processing of the transferred data. The same applies to the transfer of data by sister companies from other countries. If they are part of an international certification system for binding corporate rules on data protection, they must ensure cooperation with the responsible auditors and agencies. Participation in such certification schemes must be agreed with the Data Protection Coordinator.
7.1 Commissioned data processing means that a provider is commissioned to process personal data without being given responsibility for the associated business process. In these cases, an agreement on commissioned data processing must be concluded between the external provider and the TEADIT EU company.
7.2 When placing an order, the following requirements must be observed; the ordering departments must ensure that all legal requirements are met.
7.3 The Provider shall be selected on the basis of its ability to ensure the necessary technical and organizational protective measures.
7.4 Personal data may only be processed on the documented instructions of the controller. The Processor shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to a corresponding statutory duty of confidentiality.
7.5 Commissioned processing is governed by a contract which specifies the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects, as well as the obligations and rights of the controller. The information on the further processing of the data must be documented.
7.6 Before the start of data processing, the customer must be sure that the provider is fulfilling his obligations. A provider can demonstrate compliance with the requirements for data security, in particular by means of appropriate certification. Depending on the risk of data processing, the checks must be repeated regularly during the term of the contract.
7.7 At the choice of the controller, the processor deletes or returns all personal data to the controller and deletes existing copies, unless a law requires the storage of the personal data.
7.8 The Processor shall provide the Controller with all the information necessary to demonstrate compliance with legal obligations and to enable and contribute to the performance of audits, including inspections, by the Controller or another auditor appointed by it.
7.9 Where a processor engages another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations apply as in the contract or in other legal acts between the controller and the processor.
7.10 In the case of cross-border order data processing, the respective national requirements for the disclosure of personal data abroad must be met. In such cases, please contact the Data Protection Coordinator.
8.1 The data subject may request information about which personal data is stored about him or her, how and for what purpose it was collected. If there are further rights to inspect the employer’s documents on the employment relationship (e.g. personnel file), these remain unaffected.
8.2 If personal data is passed on to third parties, information about the identity of the recipient or the recipient groups must be provided.
8.3 If personal data are incorrect or incomplete, the data subject may request their correction or supplementation. The data subject may object to the processing of his data for the purposes of advertising or market and opinion research. The data must then be blocked for this type of use.
8.4 The data subject may request the deletion of his data if the processing of this data has no legal basis or the legal basis has ceased to exist. The same applies if the purpose of the data processing has expired or has ceased to exist for other reasons. Existing retention periods and conflicting interests worthy of protection must be observed.
8.5 In principle, the data subject has a right to object to the processing of his data, which must be taken into account if the protection of his interests takes precedence over the interest of the Data Controller due to a particular personal situation. This does not apply if a legal regulation requires the processing of the data.
8.6 The rights of the data subject to objection, data portability, restriction of processing and deletion (“right to be forgotten”) must be respected.
8.7 Please inform the Data Protection Coordinator of any such request from the data subject.
9. Privacy Incidents
9.1 Any unauthorized access to or disclosure of personal data or other breaches of data security should be reported to the Data Protection Coordinator as soon as possible. The supervisor or department responsible for the function is obliged to inform the data protection coordinator immediately of any data protection incidents.
9.2 In the event of inadmissible disclosure of personal data to third parties, unauthorized access by third parties to personal data or loss of personal data, the necessary company reports (information security incident management) must be made without delay so that any reporting obligations under national law can be fulfilled.
10.1 The organs of the individual companies are responsible for data processing in their area of responsibility. They must therefore ensure that the legal and data protection requirements (e.g. national reporting obligations) are met. The managers are responsible for ensuring that organizational, personnel and technical measures are taken to ensure data processing in accordance with data protection regulations.
10.2 Compliance with these requirements is the responsibility of the respective employees. Where official bodies carry out data protection controls, the data protection coordinator shall be informed without delay.
10.4 Every employee informs the data protection coordinator immediately of any data protection risks. Any data subject may at any time contact the Data Protection Coordinator to raise concerns, ask questions, request information or lodge complaints regarding data protection or data security. Concerns and complaints will be treated confidentially on request.
10.5 Improper processing of personal data or other violations of data protection laws can be prosecuted in many countries and lead to claims for damages. Violations for which individual employees are responsible can also lead to labor law sanctions.
The processing of personal data by TEADIT EU takes place exclusively by the company itself or by commissioned processors. These are all located in Austria or Germany and are fully subject to the GDPR. If the processing is carried out by third parties, there are corresponding data protection agreements / agreements on commissioned processing. The data processing systems used are protected against misuse and data loss in accordance with the current state of the art.
TEADIT EU maintains a register of processing activities in accordance with the GDPR.
TEADIT EU processes personal data primarily in the realm of personnel administration. To a lesser extent, personal data is also used in sales and purchasing. This is done due to or on the basis of laws, for the fulfilment of contractual agreements and on the basis of the preponderance of legitimate interest of the company.
TEADIT EU does not fall under any of the three criteria listed under Article 37(1) of the GDPR. Thus, there is no obligation to appoint a data protection officer. TEADIT EU does not do this on a voluntary basis either. However, the Financial Director of TEADIT EU coordinates the relevant activities as Data Protection Coordinator.
Kirchbichl, March 25th, 2022
Phone: +43 5332 74000