Data Protection Statement

Content Area

1. Data Protection Overview

General information

The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that is capable of identifying an individual. Detailed information on the subject of data protection can be found in our data protection statement below this text.

Data collection, processing and storage on this website

Who is responsible for data collection on this website?

Data processing on this website is carried out by the website operator. Their contact details can be found in the ‘Information of the data controller’ section of this data protection statement.

How do we collect your data?

Firstly, your information is collected when you provide it to us. For example, this may be information that you enter into a contact form.

Other information is collected automatically or with your consent by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view). This information is collected automatically when you enter this website.

What do we use your data for?

Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyse your user behaviour. If contracts can be concluded or initiated via the website, the data transmitted will also be processed for contract offers, orders or other order inquiries.

What rights do you have with regard to your data?

You have the right to receive information about the origin, recipient and purpose of your stored personal data at any time, free of charge. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right to request the restriction of the processing of your personal data in certain circumstances. Furthermore, you have the right to lodge a complaint with the responsible supervisory authority

You can contact us at any time regarding this and other questions on the subject of data protection.

Analysis tools und tools from third parties

When you visit this website, your surfing behaviour may be statistically evaluated. This is primarily done using analysis programmes.

Detailed information on these analysis programmes can be found in our data protection statement below this text.

2. Hosting

We host the content of our website with the following provider:

External hosting

This website is hosted externally. The personal data collected on this website are stored on the servers of the host(s). This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website.

The external hosting serves the purpose of fulfilling the contract with our potential and existing customers (Art 6 (1) (b) GDPR) and in the interest of a secure, fast and efficient provision of our online services by a professional provider (Art 6 (1) (f) GDPR). If appropriate consent has been obtained, the processing is carried out exclusively based on Art 6 (1) (a) GDPR and § 25 (1) TDDDG, insofar as the consent includes the storage of cookies or access to information in the user's end device (e.g. device fingerprinting) within the meaning of the TDDDG. This consent can be revoked at any time.

Our host(s) will only process your data to the extent necessary to fulfil its performance obligations and follow our instructions with regard to such data.

We use the following host(s):

Shopando GmbH
Business Park 6 / Top 49
8200 Gleisdorf
Austria

Commissioned data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This contract is mandated by data protection laws and guarantees that personal data of our website visitors only be processed in accordance with our instructions and in compliance with the GDPR.

3. General notes and mandatory information

Data protection

We are committed to protecting the privacy of your personal data. Therefore, we treat your personal data confidentially and process your data exclusively in accordance with the legal obligations regarding data protection of personal data as well as this data protection statement.

When you access this website, various personal data is collected. Personal data is any data that is capable of identifying an individual. This data protection statement explains which data we process and how such data is processed as well as the purposes for which we process it.

We would like to point out that data transmission over the internet (e.g. communicating by email) may be subject to security vulnerabilities. Complete protection of data against access by third parties is not possible.

Information of the data controller

The operator responsible for data processing of this website is:

KAPAS Steuerberatung GmbH
Gleisdorfer Straße 23
8160 Weiz
Austria

Phone: +43 (3172) 3780-0
Email: office@kapas.at

The controller is the natural or legal person responsible for determining, solely or jointly with others, the purposes and means of processing personal data (e.g. names, email and more).

Storage period

We store your personal data until the purpose for data processing no longer applies, unless a more specific storage period has been specified in this data protection statement. If you assert an authorised deletion request or revoke your consent to data processing, we will delete your data. However, if we have other legal permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law), the deletion will take place after these reasons no longer apply.

General information on the legal basis for data processing on this website

If you have consented to data processing, we process your personal data on the basis of Art 6 (1) (a) GDPR or Art 9 (2) (a) GDPR, if special categories of data are processed according to Art 9 (1) GDPR. In the case of explicit consent to the transfer of personal data to third countries, the data processing also applies Art 49 (1) (a) GDPR. If you have consented to the storage of cookies or to the access to information in your end device (e.g. via device fingerprinting), the data processing is additionally on the basis of § 25 (1) TDDDG. The consent can be revoked at any time. If your data is required for the fulfilment of a contract or for the implementation of pre-contractual measures, we process your data on the basis of Art 6 (1) (b) GDPR. Furthermore, if your data is required for the fulfilment of a legal obligation, we process your data on the basis of Art 6 (1) (c) GDPR. The data processing also may be carried out on the basis of our legitimate interest according to Art 6 (1) (f) GDPR. Information on the relevant legal basis for each individual case is provided in the following paragraphs of this data protection statement.

Data protection officer

We have appointed a data protection officer.

Dr. Gudrun Weinberger, MBA, MSc
Gleisdorfer Straße 23
8160 Weiz
Austria

Phone: +43 (3172) 3780-466
Email: Gudrun.Weinberger@kapas.at

Recipients of personal data

We cooperate with various external parties as part of our business activities. In some cases, this requires the transfer of personal data to these external parties. We disclose personal data to external parties only if it is required for the fulfilment of a contract, if we are required by law (e.g. disclosure of data to tax authorities), if we have a legitimate interest in the disclosure on the basis of Art 6 (1) (f) GDPR, or if another legal basis permits the disclosure of this data. We disclose our clients’ personal data with processors only on the basis of a valid data processing contract. In the case of joint processing, a joint processing agreement is concluded.

Withdrawal of your consent to data processing

Many data processing operations are only possible with your explicit consent. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the withdrawal.

Right to object to the data processing in special cases and in case of direct marketing (Art 21 GDPR)

IF THE DATA PROCESSING IS BASED ON ART 6 (1) (E) OR (F) GDPR, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA BASED ON REASONS ARISING FROM YOUR PARTICULAR SITUATION. THIS ALSO APPLIES TO ANY PROFILING BASED ON THOSE PROVISIONS. TO DETERMINE THE LEGAL BASIS, ON WHICH ANY PROCESSING OF DATA IS BASED, PLEASE CONSULT THIS DATA PROTECTION DECLARATION. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR AFFECTED PERSONAL DATA UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS OF THE DATA SUBJECT OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 (1) GDPR).

IF YOUR PERSONAL DATA ARE PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF YOUR PERSONAL DATA FOR SUCH MARKETING. THIS ALSO APPLIES TO ANY PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING. IF YOU OBJECT, YOUR PERSONAL DATA WILL SUBSEQUENTLY NO LONGER BE USED FOR DIRECT MARKETING PURPOSES (OBJECTION PURSUANT TO ART 21 (2) GDPR).

Right to lodge a complaint with the respective supervisory authority

In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged infringement. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.

Right to data portability

You have the right to receive your personal data that we process automatically on the basis of your consent or in fulfilment of a contract in a structured, commonly used and machine-readable format. You additionally have the right to have the personal data transmitted directly to another controller, where technically feasible.

Right of access, rectification and erasure

In accordance with applicable legal framework, you have the right to free access to your personal data and information regarding their source and recipients as well as purposes of the processing at any time. Additionally, you may have right to request rectification or erasure of such personal data at any time. You can contact us at any time regarding this and other questions on the subject of data protection.

Right to restriction of processing

You have the right to obtain the restriction of the processing of your personal data. To do this, you can contact us at any time. The right to restriction of processing applies in the following cases:

If you contest the accuracy of your personal data, we usually need some time to verify the correctness of the data. For this period, you have the right to request the restriction of the processing of your personal data.
If the processing of your personal data is or was unlawful, you can request the restriction of their use instead the erasure of the personal data.
If we no longer need your personal data for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims, you can request the restriction of their use instead the erasure of the personal data.
If you have objected to processing pursuant to Article 21 (1) GDPR, the verification whose legitimate grounds overrides the others are pending. For this period, in which it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.

If you have restricted the processing of your personal data, this personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

SSL and/or TLS encryption

This website uses SSL or TLS encryption for security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from ‘http://’ to ‘https://’ and by the lock symbol in your browser line.

If SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

Objection to email marketing

We hereby object to the use of contact data published as part of our obligation to provide a legal notice for the purpose of sending unsolicited advertising and information material. The operators of this website expressly reserve the right to take legal action in the event of the unsolicited sending of advertising information, such as spam emails.

4. Data collection on this website

Cookies

Our webpages use so-called ‘cookies’. Cookies are small data packets and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted after closing the browser (end of the “session”). Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.

Cookies may originate from us (first-party cookies) or from third parties (third-party cookies). Third-party cookies enable the integration of services from third parties within websites (e.g. cookies for processing of payment services).

Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies can be used to evaluate user behaviour or for advertising purposes.

Cookies that are required to facilitate the electronic communication process, to provide requested functions (e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience), also called necessary cookies, are stored on the basis of Art 6 (1) (f) GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of necessary cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies and comparable recognition technologies has been requested, the processing is carried out exclusively on the basis of this consent (Art (6) (1) (a) GDPR and § 25 (1) TDDDG). The consent can be revoked at any time.

You can set your browser to be informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies after closing the browser. If cookies are deactivated, the functionality of this website may be restricted.

The information which cookies and services are used on this website is provided in this data protection statement.

Server log files

The provider of our web pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. Server log files are:

Browser type and version
Operating system in use
Referrer URL
Host name of the accessing computer
Time of the server inquiry
IP address

This data is not merged with other data sources.

This data is collected on the basis of Art 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website. The server log files must be recorded for this purpose.

Contact form

If you contact us via the contact form, your details from the contact form, including your contact details, will be stored by us for the purpose of processing your inquiry and in the event of follow-up questions. We will not pass on this data without your consent.

This data is processed on the basis of Art 6 (1) (b) GDPR if your inquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the inquiries addressed to us (Art (6) (1) (f) GDPR) or on your explicit consent (Art (6) (1) (a) GDPR). This consent can be revoked at any time.

We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions, in particular retention periods, remain unaffected.

Requests by email, telephone or fax

If you contact us via email, telephone or fax, your request including all personal data (name, request) will be stored and processed by us for the purpose of processing your inquiry. We will not pass on this data without your consent.

We will retain the data you provide in the contact request until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions, in particular retention periods, remain unaffected.

5. Analysis tools and advertising

Matomo

This website uses the open-source web analysis service Matomo.

With the help of Matomo, we can collect and analyse data about your utilization of our web pages by website visitors. This informs us about access time and region, among other data. We also record various log files (e.g. IP address, referrer, browser and used operating system) and can track whether our website visitors perform certain actions (e.g. clicks, purchases and more).

This analysis tool is used on the basis of Art 6 (1) (f) GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise its website and advertising. If consent has been requested, the processing is carried out exclusively on the basis of Art (6) (1) (a) GDPR and § 25 (1) TDDDG. This only applies if the consent includes the storage of cookies or the access to information in your end device (e.g. via device fingerprinting) within the meaning of the TDDDG. The consent can be revoked at any time.

IP anonymization

We use IP anonymization for the analysis with Matomo. Your IP address is shortened before the analysis so that it can no longer be clearly assigned to you.

Hosting

We host Matomo exclusively on our own servers so that all analysis data remains with us and is not passed on.

Meta Pixel (formerly Facebook Pixel)

This website uses the tracking pixel from Meta to measure conversions. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Meta, the data collected is also transferred to the USA and other third countries.

This allows the behaviour of site visitors to be tracked after they have been redirected to the provider's website by clicking on a Meta ad. Therefore, the effectiveness of the meta adverts can be evaluated for statistical and market research purposes and future advertising measures can be optimised.

The data collected is anonymous to us as the operator of this website and we cannot draw any conclusions about the identity of the users. However, the data is stored and processed by Meta so that a connection to the respective user profile on Facebook or Instagram is possible and Meta can use the data for its own advertising purposes in accordance with the Meta Privacy Policy (https://www.facebook.com/privacy/policy/ (external link)). The process enables Meta to place adverts on Facebook, Instagram pages and other advertising channels. This use of the data cannot be influenced by us as the website operator.

The use of this service is based on your consent according to Art (6) (1) (a) GDPR and § 25 (1) TDDDG. The consent can be revoked at any time.

We use the advanced matching function within the meta pixel.

Advanced matching allows us to transmit various types of data (e.g. place of residence, state, postcode, hashed email addresses, name, gender, date of birth or phone number) of our customers and prospects that we collect via our website to Meta. This allows us to tailor our advertising campaigns on Facebook and Instagram even more precisely to people who are interested in our services. In addition, the extended comparison improves the allocation of website conversions and expands custom audiences.

Insofar as personal data is collected on our website and transferred to Meta by using the tools described here, we and Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland are jointly responsible for this data processing (Art 26 GDPR). The joint responsibility is limited exclusively to the collection of the data and its transfer to Meta. The processing carried out by Meta after the transfer is not part of the joint responsibility. Our joint obligations have been set out in a joint processing agreement. The text of the agreement can be found at: https://www.facebook.com/legal/controller_addendum (external link). According to this agreement, we are responsible for providing the data protection information when using the Meta tool and for the secure implementation of the tool on our website in accordance with data protection laws. Meta is responsible for the data security of the Meta products. You can assert data subject rights (e.g. requests for information) regarding the data processed by Facebook or Instagram directly with Meta. If you assert your data subject rights with us, we are obliged to forward them to Meta.

The data transfer to the US is based on the standard contractual clauses of the European Commission. For further details see: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381.

You can find further information on the protection of your privacy in Meta's data privacy policy: https://www.facebook.com/about/privacy/.

You can also deactivate the remarketing function ‘Custom Audiences’ in the settings for adverts at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen. You must be logged into Facebook to adjust your settings.

If you do not have a Facebook or Instagram account, you can deactivate usage-based advertising from Meta on the website of the European Interactive Digital Advertising Alliance: https://youronlinechoices.eu/ (external link).

The company is certified under the ‘EU-U.S. Data Privacy Framework’ (DPF). The DPF is an agreement between the European Union and the United States to ensure that European data protection standards are met when data is processed in the USA. Any company certified under the DPF agrees to comply with these data protection standards. Further information on this can be obtained from the provider at the following link: https://www.dataprivacyframework.gov/participant/4452 (external link).

Meta Conversion API

We have integrated the Meta Conversion API on this website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to Meta, the data collected is also transferred to the USA and other third countries.

The Meta Conversion API allows us to record the website visitor's interactions with our website and share this information with Meta to improve advertising performance on Facebook and Instagram.

Specifically, the time of the website visit, the website visited, the IP address and the user agent, and other applicable information (such as products purchased, shopping basket value and currency) are recorded. You can find a complete overview of the data that may be collected here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters (external link).

The use of this service is based on your consent according to Art (6) (1) (a) GDPR and § 25 (1) TDDDG. The consent can be revoked at any time.

The data transfer to the US is based on the standard contractual clauses of the European Commission. For further details see: https://www.facebook.com/legal/EU_data_transfer_addendum (external link) and https://de-de.facebook.com/help/566994660333381 (external link).

You can find further information on the protection of your privacy in Meta's privacy policy: https://de-de.facebook.com/about/privacy/ (external link).

You can also deactivate the remarketing function ‘Custom Audiences’ in the settings for adverts at https://www.facebook.com/ads/preferences/?entry_product=ad_settings_screen (external link). You must be logged into Facebook to adjust your settings.

Processor

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract prescribed by data protection law, which guarantees that it processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.

Meta Custom Audiences

We use Meta Custom Audiences. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland.

When you visit or use our websites and apps, take advantage of our free or paid services, submit information to us, or interact with our company's Facebook or Instagram content, we collect your personal data. If you give us your consent to use Meta Custom Audiences, we will transfer this data to Meta, which Meta can use to show you relevant advertising. Your information may also be used to define target groups (lookalike audiences).

Meta processes this data as our processor. Further details can be found in the Meta terms of service: https://www.facebook.com/legal/terms/customaudience (external link).

The use of this service is based on your consent according to Art (6) (1) (a) GDPR and § 25 (1) TDDDG. The consent can be revoked at any time.

The data transfer to the US is based on the standard contractual clauses of the European Commission. For further details see: https://www.facebook.com/legal/terms/customaudience (external link) and https://www.facebook.com/legal/terms/dataprocessing (external link).

6. Newsletter

Newsletter data

If you would like to receive the newsletter offered on the website, we require your email address as well as information that allows us to verify that you are the owner of the provided email address and consent to receiving the newsletter. Further data is not collected except on a voluntary basis. For the processing of the newsletter, we use newsletter service providers, which are described below.

Brevo

This website uses Brevo for the dispatch of newsletters. The provider of this service is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany.

Brevo is a service that can be used to organise and analyse the dispatch of newsletters and more. The data you provide to subscribe to the newsletter is stored on the servers of Sendinblue GmbH in Germany.

Data analysis by Brevo

Brevo allows us to analyse our newsletter campaigns. For example, we can see whether a newsletter was opened and which links were clicked. This helps us to identify which links receive the most engagement.

We can also track whether specific predefined actions were taken after opening a newsletter (conversion rate). For instance, we can determine whether a purchase was made following an opening of a newsletter.

Brevo also enables us to segment our newsletter recipients into different categories, such as age, gender, or place of residence. This helps us tailor our content more effectively to different target groups.

If you do not wish to be analysed by Brevo, you can unsubscribe from the newsletter at any time. A corresponding unsubscribe link is included in every newsletter email.

For more detailed information on Brevo’s features visit the following link: https://www.brevo.com/de/newsletter-software/ (external link).

Legal basis

The data processing is based on your consent according to Art 6 (1) (a) GDPR. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the withdrawal.

Storage time

The data you provide for the purpose of receiving our newsletter will be stored by us and/or the newsletter service provider until you unsubscribe. Once you unsubscribe from our newsletter, your data will be removed from the newsletter distribution list. Data stored by us for other purposes remains unaffected by this.

After you have unsubscribed from the newsletter distribution list, your email address may be stored in a blacklist by us and/or the newsletter service provider, if this is necessary to prevent future mailings. The data in the blacklist will be used solely for this purpose and will not be combined with other data. This serves both your interest and ours in complying with legal requirements for newsletter distribution (legitimate interest according to Art 6 (1) (f) GDPR). There is no time limit for storage in the blacklist. You may object to this storage if your interests outweigh our legitimate interest.

You can find more details in Brevo’s privacy policy:https://www.brevo.com/de/datenschutz-uebersicht/ (external link) and https://www.brevo.com/de/legal/privacypolicy/ (external link).