Personal data (hereinafter referred to simply as „data“) is only processed by us to the extent necessary and for the purpose of providing a functional and user-friendly website, including its content and the services offered therein. According to Article 4(1) of Regulation (EU) 2016/679, the General Data Protection Regulation (hereinafter „GDPR“), „processing“ means any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

The following privacy policy informs you in particular about the type, scope, purpose, duration, and legal basis of the processing of personal data, insofar as we, either alone or jointly with others, determine the purposes and means of such processing. Additionally, we inform you below about third-party components we use for optimization purposes and to improve the quality of the user experience, insofar as these third parties process data under their own responsibility.

I. Information about the Data Controller

The data controller responsible for this website under data protection law is:

CAATS Service GmbH
Rathausstraße 21/12
1010 Vienna
Austria
VAT Number: ATU 78116628

Company Registration Number: FN 580032 p
Commercial Court: Commercial Court of Vienna
Registered Office: Vienna
Legal Form: Limited Liability Company (GmbH)

Phone: +43 (0) 720 272 022
Email: office@caats.io

II. Rights of Users and Data Subjects

With regard to the data processing described in more detail below, users and data subjects have the right:

  • to obtain confirmation as to whether data concerning them is being processed, to access the data being processed, to receive further information about the data processing, and to obtain copies of the data (cf. Art. 15 GDPR);
  • to request the rectification or completion of inaccurate or incomplete data (cf. Art. 16 GDPR);
  • to request the immediate deletion of data concerning them (cf. Art. 17 GDPR), or, alternatively, if further processing is required under Art. 17(3) GDPR, to request the restriction of processing in accordance with Art. 18 GDPR;
  • to receive the data concerning them that they have provided and to have this data transmitted to other providers/controllers (cf. Art. 20 GDPR);
  • to lodge a complaint with a supervisory authority if they believe that the data concerning them is being processed by the provider in violation of data protection regulations (cf. Art. 77 GDPR).

Furthermore, the provider is obliged to inform all recipients to whom data has been disclosed by the provider about any rectification or erasure of data or restriction of processing carried out in accordance with Articles 16, 17(1), and 18 GDPR. This obligation does not apply if such notification proves impossible or involves a disproportionate effort. Regardless of this, the user has the right to be informed about these recipients.

In addition, pursuant to Article 21 GDPR, users and data subjects have the right to object to the future processing of their data, provided that the data is processed by the provider on the basis of Article 6(1)(f) GDPR. In particular, an objection to data processing for the purpose of direct marketing is permitted.

III. Information on Data Processing

The data processed during your use of our website will be deleted or blocked as soon as the purpose for storing it no longer applies, provided that there are no statutory retention obligations preventing deletion and unless otherwise specified for particular processing activities below.

Server Data

For technical reasons, in particular to ensure the security and stability of our website, data is transmitted to us or to our web space provider by your internet browser. These so-called server log files include, among other things, the type and version of your internet browser, the operating system used, the website from which you accessed our site (referrer URL), the pages you visit on our website, the date and time of access, and the IP address of the internet connection from which our website is accessed.

This data is stored temporarily and is not merged with other personal data. The storage is carried out on the legal basis of Art. 6(1)(f) GDPR. Our legitimate interest lies in improving the stability, functionality, and security of our website.

The data is deleted at the latest after seven days, unless further retention is required for evidentiary purposes. In such cases, the data will be exempt from deletion until the respective incident is fully resolved.

Cookies

a) Session Cookies

We use so-called cookies on our website. Cookies are small text files or other storage technologies that are placed and stored on your device by the internet browser you use. These cookies process certain information from you to an individual extent, such as your browser or location data or your IP address.

This processing makes our website more user-friendly, effective, and secure, as the processing enables, for example, the display of our website in different languages or the use of a shopping cart function.

The legal basis for this processing is Art. 6(1)(b) GDPR, provided that these cookies are used to collect data for the initiation or performance of a contract.

If the processing does not serve the initiation or performance of a contract, our legitimate interest lies in improving the functionality of our website. The legal basis in that case is Art. 6(1)(f) GDPR.

When you close your browser, these session cookies are deleted.

b) Third-Party Cookies

Our website may also use cookies from partner companies with whom we cooperate for the purposes of advertising, analysis, or functionalities of our website.

Please refer to the following information for details, particularly regarding the purposes and legal bases of the use of such third-party cookies.

c) Disabling Cookies

You can prevent or restrict the installation of cookies by adjusting the settings of your internet browser. You can also delete previously stored cookies at any time. However, the steps and measures required depend on your specific internet browser. If you have any questions, please use the help function or documentation of your browser or contact its provider.

Flash cookies cannot be blocked via browser settings. Instead, you must change the settings of your Flash player. The required steps depend on your Flash player. If you need help, consult the help section or documentation for your Flash player or contact the manufacturer.

Please note that if you disable or restrict the use of cookies, some functions of our website may not be fully usable.

C) Right to Erasure (Right to be Forgotten)

Every data subject affected by the processing of personal data has the right granted by the European legislator to obtain from the controller the erasure of personal data concerning them without undue delay, provided that one of the following reasons applies and insofar as the processing is not necessary:

  • The personal data were collected or otherwise processed for purposes for which they are no longer necessary.
  • The data subject withdraws the consent on which the processing is based according to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal ground for the processing.
  • The data subject objects to the processing pursuant to Art. 21(1) GDPR, and there are no overriding legitimate grounds for the processing, or the data subject objects pursuant to Art. 21(2) GDPR.
  • The personal data have been unlawfully processed.
  • The erasure of the personal data is required to comply with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data were collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

If one of the above reasons applies and a data subject wishes to request the deletion of personal data stored by the controller, they may contact an employee of the controller at any time. The employee will ensure that the request for deletion is complied with without undue delay.

If the controller has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller shall take reasonable steps, including technical measures, taking into account available technology and the cost of implementation, to inform other controllers processing the published personal data that the data subject has requested the erasure of all links to or copies or replications of those personal data, insofar as processing is not required. The employee will arrange the necessary measures in individual cases.

e) Right to Restriction of Processing

Every data subject has the right to obtain from the controller restriction of processing where one of the following applies:

  • The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data.
  • The processing is unlawful and the data subject opposes the erasure of the data and requests the restriction of their use instead.
  • The controller no longer needs the personal data for the purposes of processing, but the data subject requires them for the establishment, exercise, or defense of legal claims.
  • The data subject has objected to processing pursuant to Art. 21(1) GDPR pending verification whether the legitimate grounds of the controller override those of the data subject.

If one of the above conditions is met, the data subject may request restriction by contacting any employee of the controller. The employee will initiate the restriction without delay.

f) Right to Data Portability

Every data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format. They also have the right to transmit those data to another controller without hindrance from the controller to whom the data have been provided, where:

  • The processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR, and
  • The processing is carried out by automated means, provided it is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority.

Furthermore, the data subject has the right to have the personal data transmitted directly from one controller to another, where technically feasible and provided that this does not adversely affect the rights and freedoms of others.

To assert this right, the data subject may contact any employee of the controller at any time.

g) Right to Object

Every data subject has the right to object at any time, on grounds relating to their particular situation, to processing of personal data concerning them which is based on Art. 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to such processing. This includes profiling to the extent it is related to direct marketing. If the data subject objects, the personal data shall no longer be processed for such purposes.

Additionally, the data subject has the right to object, on grounds relating to their particular situation, to processing of personal data for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise this right, the data subject may contact any employee of the controller. Furthermore, the data subject may exercise their objection using automated means using technical specifications, notwithstanding Directive 2002/58/EC.

h) Automated Individual Decision-Making, Including Profiling

Every data subject has the right not to be subject to a decision based solely on automated processing — including profiling — which produces legal effects concerning them or similarly significantly affects them, unless the decision:

  1. Is necessary for entering into, or performance of, a contract between the data subject and a controller,
  2. Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
  3. Is based on the data subject’s explicit consent.

Where decisions are necessary for contract performance or based on consent, the controller shall implement suitable measures to safeguard the data subject’s rights, at least the right to obtain human intervention, express their point of view, and contest the decision.

To assert this right, the data subject may contact any employee of the controller.

i) Right to Withdraw Consent

Every data subject has the right to withdraw their consent to the processing of personal data at any time.

To exercise this right, the data subject may contact any employee of the controller at any time..