Privacy policy 

TEADIT International Produktions GmbH and its subsidiaries (“TEADIT EU”) are committed to  protecting the rights and freedoms of individuals when processing their personal data.  Ensuring data protection is the basis for trusting business relationships and the reputation of  our company as an attractive employer. This Privacy Policy applies in full to TEADIT EU and is  based on recognized, fundamental principles of data protection, especially in Europe. If you  have any questions or doubts about the application of this policy or the law, please contact  TEU management. 


1.1 Personal data is data that can identify living persons. In addition to images, names, and  contact data, it can also contain numerical or statistical information from which the identity  of a person can be derived. 

1.2 Sensitive personal data are personal data about racial or ethnic origin, health, data on  health or sex life and sexual orientation, political opinions, trade union membership, criminal  records or religious or philosophical beliefs and, in accordance with the GDPR, genetic data  and biometric data. These data must be taken into account in a particularly protected manner  during collection, processing and transmission. 

1.3 Data shall be deemed to be anonymized if the person cannot be identified by anyone or if the personal identity can only be restored with unreasonable effort.

1.4 A data subject is the person who is the subject of personal data. In some countries, legal  entities may also be affected. 

1.5 A controller determines the purposes for which personal data are processed. The  controller is ultimately responsible for the personal data, regardless of whether they are  disclosed to a processor or not. This includes responsibility for responding to access requests  and complaints from data subjects. 

1.6 The European Economic Area (EEA) is an economic region associated with the EU and includes Norway, Iceland, and Liechtenstein.

1.7 A Data Processor is a person who processes personal data on behalf of and for the purposes established by the Data Controller.

1.8 Third parties are all persons except the data subject and the controller.

1.9 Transmission is any transfer of protected data by the responsible body to third parties.


This document describes the TEADIT EU Privacy Policy. It provides an overview of the  requirements for data protection and provides guidance. 


This privacy policy applies to TEADIT EU and its employees. The privacy policy covers the entire  processing of personal data. In countries where the data of legal entities are protected to the  same extent as personal data, this Privacy Policy also applies to data of legal entities.  Anonymized data is not subject to this privacy policy. 

3.1 This Privacy Policy incorporates the internationally recognized data protection principles  without replacing existing national laws. It complements the national data protection laws.  The relevant national law shall prevail if it conflicts with this Privacy Policy or imposes stricter  requirements than this Privacy Policy. The content of this data protection declaration must  also be observed in the absence of corresponding national legislation. 

3.2 Any breach of this Privacy Policy may result in TEADIT EU, as the Data Controller (and in  some cases individuals), violating the Data Protection Regulations and thus being legally liable  for the consequences of such a breach. It is the responsibility of all employees who handle  personal data in TEADIT EU companies to ensure that it is kept safe. Personal data should not  be disclosed in any form, either accidentally or otherwise, to unauthorized third parties. Any  breach or non-compliance with this Privacy Policy, including but not limited to any intentional  disclosure of personal data to unauthorized third parties, may result in disciplinary or other  appropriate action. 


4.1 Fairness and legality 

When processing personal data, the individual rights of the data subjects must be protected.  Personal data must be collected and processed lawfully and fairly. 

4.2 Purpose limitation 

Personal data must be collected for specified, explicit and legitimate purposes and must not  be further processed in a manner incompatible with those purposes. Personal data can only  be processed for the purpose established before the data was collected. Subsequent changes  to the purpose are only possible to a limited extent and require justification. 

4.3 Transparency 

The data subject must be informed about how their data will be handled. In general, personal data must be collected directly from the data subject. When collecting the data, the data subject must know or be informed of the identity of the controller, the purpose of the data processing and third parties or categories of third parties to whom the data may be transmitted.

4.4 Data Minimization 

Personal data must be adequate, relevant, and limited to those necessary for the purposes for  which they are processed. Before processing personal data, it is necessary to check whether  and to what extent the processing of personal data is necessary to achieve the purpose for  which it is carried out. Insofar as the purpose allows it and the effort is proportionate to the  objective pursued, anonymized or statistical data must be used. Personal data may not be  collected in advance and stored for possible future purposes, unless required or permitted by  national law. 

4.5 Deletion 

After expiry of the legal or business process-related deadlines, personal data that is no longer  required must be deleted. In individual cases, there may be an indication of interests worthy  of protection or historical significance of this data. If so, the data must be kept until the  interests worthy of protection have been legally clarified or the company archive has  evaluated the data to determine whether it must be kept for historical purposes. 

4.6 Accuracy 

Personal data must be accurate, complete and, if necessary, up-to-date. All reasonable  measures must be taken to ensure that incorrect or incomplete data is deleted, corrected,  supplemented, or updated. 

4.7 Limitation of Recording 

Personal data must be kept in a form that permits identification of the data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods of time, provided that the data are processed exclusively for archiving purposes in the public interest or for scientific and historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR and provided that appropriate technical and organizational measures are taken.

4.8 Confidentiality and data security 

Personal data is subject to data secrecy. They must be treated confidentially and secured by appropriate organizational and technical measures against unauthorized and unlawful access, unlawful processing, or dissemination as well as against accidental loss, damage, alteration or destruction. This applies to paper and electronic recording systems. Systems should be access controlled, personnel should be trained accordingly, and security processes should be developed and understood. Appropriate monitoring and reporting on data security risks, initiatives and developments shall be carried out.

4.9 Privacy Secret 

Personal data is subject to data secrecy. The data protection regulations require that  employees who handle personal data maintain confidentiality (data secrecy). Persons  involved in data processing may not collect, process, or use personal data without  authorization (confidentiality). They are obliged to maintain this confidentiality even after the  end of their activities. The “need to know” principle applies. Employees only have access to  personal data if this is appropriate to the nature and scope of the task in question. This  requires careful division and separation, as well as the implementation of roles and  responsibilities. 

Employees are prohibited from using personal data for private or commercial purposes,  making it accessible to unauthorized persons or making it available in any other way. This  obligation also applies after termination of the employment relationship. 

4.10 Responsibility 

The controller is responsible for compliance with these principles and can demonstrate them.

4.11 Data protection by design and by default

The controller shall take appropriate technical and organizational measures to ensure that, by default, only the personal data necessary for the respective purpose of the processing are processed. This obligation applies to the amount of personal data collected, the scope of their processing, the duration of their storage and their accessibility. These measures shall ensure, in particular, that personal data are not made accessible to an indefinite number of natural persons without the intervention of the individual.


5.1 Data processing consent 

The data may be processed with the consent of the data subject. Before giving consent, the data subject must be informed. The declaration of consent must be obtained in writing or electronically for documentation purposes. In certain circumstances, such as telephone conversations, consent may be given orally. The granting of consent must be documented.

Consent must be a freely given, specific, informed and unambiguous indication of the wishes  of the individual. There must be a clear form of consent. Consent cannot be derived from  silence, marked boxes or inactivity. Consent must also be separate from other conditions.  There must be simple ways to withdraw consent. 

5.2 Data processing – legal conditions 

The processing of personal data is also permitted if national legislation requires or permits it.  The type and scope of data processing must be necessary for the legally permissible data  processing and comply with the relevant legal provisions. 

5.3 Automatic individual decisions 

The automated processing of personal data used to assess certain aspects (e.g. creditworthiness) cannot be the sole basis for decisions that have negative legal consequences or that could significantly affect the data subject. The data subject must be informed about the facts and results of automated individual decisions and the possibility of reaction. A check and plausibility check must be carried out by an employee.

5.4 User data 

If personal data is collected, processed, and used on websites or apps, the data subjects must  be informed in a data protection declaration and, if necessary, information about cookies. The  privacy policy and all cookie information must be integrated in such a way that they are easily  identifiable, directly accessible, and consistently available to the data subjects. 

If usage profiles (tracking) are created to evaluate the use of websites and apps, the data subjects must always be informed accordingly in the data protection declaration. Personal tracking may only take place if this is permitted under national law or with the consent of the data subject. If the tracking uses a pseudonym, the data subject should have the opportunity to unsubscribe in the privacy policy.

If websites or apps can access personal data in an area restricted to registered users, the  identification and authentication of the data subject must provide sufficient protection during  access.

5.5 Data processing for a contractual relationship 

Personal data of the respective interested parties, customers and partners can be processed for the establishment, execution, and termination of a contract. This also includes advising the contractual partner if this is in connection with the purpose of the contract. Prior to a contract – during the contract initiation phase – personal data may be processed in order to prepare offers or orders or to fulfil other requests from the interested party relating to the conclusion of the contract. Interested parties can be contacted during the contract preparation process using the information they provide. The restrictions demanded by interested parties must be complied with. For further advertising measures, the following requirements must be observed.

5.6 Data processing for advertising purposes 

If the data subject contacts a TEADIT EU company to request information (e.g. request for information material about a product), data processing is permitted to meet this requirement. Customer loyalty or advertising measures are subject to further legal requirements. Personal data may be processed for advertising purposes or for market and opinion research, if this is compatible with the purpose for which the data was originally collected. The data subject must be informed about the use of his data for advertising purposes. If data is only collected for advertising purposes, disclosure by the data subject is voluntary. The data subject is informed that the provision of data for this purpose is voluntary. When communicating with the data subject, consent to the processing of the data for advertising purposes must be obtained from him. When giving consent, the data subject should be able to choose between the available contact options such as post, e-mail and telephone. If the data subject refuses the use of his data for advertising purposes, it can no longer be used for these purposes and must be blocked for these purposes. Further country-specific restrictions on the use of the data for advertising purposes must be observed.


6.1 The transmission of personal data is only permitted with the consent of the data subject  or if this is required or permitted by law. 

6.2 The information published on the Internet is to be regarded as an export of data outside  the European Union/European Economic Area. No web-based or cloud services should be  used for the storage or transmission of sensitive personal data unless agreed with the Financial  Director. 

6.3 If personal data is transferred from a group company based in the European Union/European Economic Area to a sister company outside the EU or to a third party based outside the European Union/European Economic Area (third country), the Data Protection Coordinator should be contacted to comply with all requirements and instructions of the supervisory authority regarding the processing of the transferred data. The same applies to the transfer of data by sister companies from other countries. If they are part of an international certification system for binding corporate rules on data protection, they must ensure cooperation with the responsible auditors and agencies. Participation in such certification schemes must be agreed with the Data Protection Coordinator.


7.1 Data processing on behalf of a provider means that a provider is commissioned to process personal data without being given responsibility for the associated business process. In these cases, an agreement on data processing on behalf must be concluded between the external provider and the TEADIT EU company.

7.2 When placing an order, the following requirements must be observed; the ordering  departments must ensure that all legal requirements are met. 

7.3 The Provider shall be selected on the basis of its ability to ensure the necessary technical  and organizational protective measures. 

7.4 Personal data may only be processed on the documented instructions of the controller.  The Processor shall ensure that the persons authorized to process the personal data have  committed themselves to confidentiality or are subject to a corresponding statutory duty of  confidentiality. 

7.5 Processing on behalf of the controller is governed by a contract which specifies the subject matter, duration of processing, nature and purpose of the processing, type of personal data and categories of data subjects, as well as the obligations and rights of the controller. The information on the further processing of the data must be documented.

7.6 Before the start of data processing, the customer must be sure that the provider is fulfilling  his obligations. A provider can demonstrate compliance with the requirements for data  security, in particular by means of appropriate certification. Depending on the risk of data processing, the checks must be repeated regularly during the term of the contract. 

7.7 At the choice of the controller, the processor deletes or returns all personal data to the controller and deletes existing copies, unless a law requires the storage of the personal data.

7.8 The Processor shall provide the Controller with all the information necessary to  demonstrate compliance with legal obligations and to enable and contribute to the  performance of audits, including inspections, by the Controller or another auditor appointed  by it. 

7.9 Where a processor engages another processor to carry out certain processing activities on  behalf of the controller, the same data protection obligations apply as in the contract or in  other legal acts between the controller and the processor.

7.10 In the case of cross-border order data processing, the respective national requirements  for the disclosure of personal data abroad must be met. In such cases, please contact the Data  Protection Coordinator. 


8.1 The data subject may request information about which personal data is stored about him  or her, how and for what purpose it was collected. If there are further rights to inspect the  employer’s documents on the employment relationship (e.g. personnel file), these remain  unaffected. 

8.2 If personal data is passed on to third parties, information about the identity of the recipient  or the recipient groups must be provided. 

8.3 If personal data are incorrect or incomplete, the data subject may request their correction  or supplementation. The data subject may object to the processing of his data for the purposes  of advertising or market and opinion research. The data must then be blocked for this type of  use. 

8.4 The data subject may request the deletion of his data if the processing of this data has no  legal basis or the legal basis has ceased to exist. The same applies if the purpose of the data  processing has expired or has ceased to exist for other reasons. Existing retention periods and  conflicting interests worthy of protection must be observed. 

8.5 In principle, the data subject has a right to object to the processing of his data, which must  be taken into account if the protection of his interests takes precedence over the interest of  the Data Controller due to a particular personal situation. This does not apply if a legal  regulation requires the processing of the data. 

8.6 The rights of the data subject to objection, data portability, restriction of processing and  deletion (“right to be forgotten”) must be respected. 

8.7 Please inform the Data Protection Coordinator of any such request from the data subject.

9. Privacy Incidents

9.1 Any unauthorized access to or disclosure of personal data or other breaches of data  security should be reported to the Data Protection Coordinator as soon as possible. The  supervisor or department responsible for the function is obliged to inform the data protection coordinator immediately of any data protection incidents. 

9.2 In the event of inadmissible disclosure of personal data to third parties, unauthorized access by third parties to personal data or loss of personal data, the necessary company  reports (information security incident management) must be made without delay so that any  reporting obligations under national law can be fulfilled.


10.1 The organs of the individual companies are responsible for data processing in their area of responsibility. You must therefore ensure that the legal and data protection requirements (e.g. national reporting obligations) are met. The managers are responsible for ensuring that organizational, personnel and technical measures are taken to ensure data processing in accordance with data protection regulations.

10.2 Compliance with these requirements is the responsibility of the respective employees.  Where official bodies carry out data protection controls, the data protection coordinator shall  be informed without delay. 

10.3 The data protection coordinator is the contact person for data protection. He can carry out checks and must familiarize employees with the content of the privacy policy.  The responsible management is obliged to support the data protection coordinator in his  efforts. The bodies responsible for business operations and projects must inform the data  protection coordinator in good time of the new processing of personal data. The management  is responsible for data processing plans that may pose special risks to the individual rights of  the data subjects. The data protection coordinator must be informed before the start of  processing. This applies especially to particularly sensitive personal data. Managers must  ensure that their employees are adequately trained in data protection. 

10.4 Every employee informs the data protection coordinator immediately of any data  protection risks. Any data subject may at any time contact the Data Protection Coordinator to  raise concerns, ask questions, request information or lodge complaints regarding data  protection or data security. Concerns and complaints will be treated confidentially on request. 

10.5 Improper processing of personal data or other violations of data protection laws can be  prosecuted in many countries and lead to claims for damages. Violations for which individual  employees are responsible can also lead to labor law sanctions. 

  1. And what does that mean in concrete terms? 

The processing of personal data by TEADIT EU takes place exclusively by the company itself or  by commissioned processors. These are all located in Austria or Germany and are fully subject  to the GDPR. If the processing is carried out by third parties, there are corresponding data  protection agreements / agreements for order processing. The data processing systems used  are protected against misuse and data loss in accordance with the current state of the art. 

TEADIT EU maintains a process register in accordance with the GDPR.

TEADIT EU processes personal data primarily in the realm of personnel administration. To a  lesser extent, personal data is also used in sales and purchasing. This is done due to or on the basis of laws, for the fulfilment of contractual agreements and on the basis of the  preponderance of legitimate interest of the company. 

Data protection supervisor 

TEADIT EU does not fall under any of the three criteria listed under Article 37(1) of the GDPR.  Thus, there is no obligation to appoint a data protection officer. TEADIT EU does not do this  on a voluntary basis either. However, the Financial Director of TEADIT EU coordinates the  relevant activities as Data Protection Coordinator. 

Kirchbichl, March 25th, 2022
