Data Privacy
The protection of your personal data is of particular importance to us. We therefore process your data exclusively based on the legal provisions (GDPR, Austrian Telecommunications Act 2003). In this privacy policy, we inform you about the most important aspects of data processing within the framework of our website.
Privacy Policy
Preamble
With the following privacy policy, we would like to inform you about the types of your personal data (hereinafter also referred to as "data") that we process, for what purposes, and to what extent. This privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online services").
The terms used are not gender specific.
Last updated: July 16, 2024
Controller
Contact us / Name and contact details of the controller
The controller within the meaning of the GDPR is:
sa² projects GmbH
Jagdschlossgasse 27, 1130 Wien
Commercial Court: Vienna Regional Court
You can reach us at our company address, by email at sb@sa2projects.com and via the contact form on our website.
Overview of Processing Activities
The following overview summarizes the types of data processed, the purposes of processing, and the data subjects.
Types of Data Processed
- Inventory data
- Employee data
- Contact data
- Content data
- Usage data
- Metadata, communication data, and procedural data
- Log data
Categories of Data Subjects
- Employees
- Communication partners
- Users
Purposes of Processing
- Communication
- Security measures
- Audience measurement
- Tracking
- Target group formation
- Organizational and administrative procedures
- Feedback
- Marketing
- Profiles with user-related information
- Provision of our online services and user-friendliness
- Establishment and execution of employment relationships
- Information technology infrastructure
- Public relations
- Business processes and operational procedures
Relevant Legal Bases
Relevant legal bases under the GDPR: Below you will find an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. If more specific legal bases apply in individual cases, we will inform you of these in the privacy policy.
Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering a contract.
Legal obligation (Art. 6 para. 1 sentence 1 lit. c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Austria: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Austria. These include the Federal Act on the Protection of Natural Persons regarding the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains special provisions on the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transfers, as well as automated decision-making in individual cases.
Security Measures
In accordance with legal requirements, and taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access to, input of, disclosure of, and ensuring the availability and separation of the data. Furthermore, we have established procedures that guarantee the exercise of data subject rights, the erasure of data, and responses to data breaches. We also consider the protection of personal data during the development and selection of hardware, software, and processes, in accordance with the principles of data protection by design and by default.
Transfer of Personal Data
While processing your personal data, it may be necessary to transfer or disclose it to other entities, companies, legally independent organizational units, or individuals. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content integrated into a website. In such cases, we comply with legal requirements and conclude appropriate contracts or agreements with the recipients of your data to protect your data.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) and the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies, this is done only in accordance with legal requirements. If the level of data protection in the third country has been recognized by means of an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers only take place if the level of data protection is ensured by other means, through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR), explicit consent, or in the case of a contractual or legally required transfer (Art. 49 para. 1 GDPR). We will inform you of the legal basis for the transfer to a third country regarding the individual providers in the third country, whereby the adequacy decisions take precedence. Information on third-country transfers and existing adequacy decisions can be found on the European Commission's website: https://commission.europa.eu/law/law-topic/data-protection/internationa….
EU-US Trans-Atlantic Data Privacy Framework: Under the so-called "Data Privacy Framework" (DPF), the European Commission has also recognized the level of data protection for certain US companies as adequate in its adequacy decision of July 10, 2023. The list of certified companies and further information on the DPF can be found on the US Department of Commerce website at https://www.dataprivacyframework.gov/ (in English). We inform you in our privacy policy which of our service providers are certified under the Data Privacy Framework.
General Information on Data Storage and Deletion
We delete personal data that we process in accordance with legal regulations as soon as the underlying consents are withdrawn or no further legal basis for processing exists. Exceptions to this rule apply if legal obligations or special interests require longer storage or archiving of the data.
Rights of Data Subjects
Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, which arise from Articles 15 to 21 GDPR:
You have the fundamental rights to information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and objection. If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been infringed, please contact us so that we can clarify any questions. You can, of course, also lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.
Provision of Online Services and Web Hosting
We process user data to provide our online services. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.
- Types of data processed: Usage data (e.g., page views and time spent on the site, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved); log data (e.g., log files concerning logins or data retrieval or access times).
- Data subjects: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online services and user-friendliness; information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); security measures.
- Storage and Deletion: Deletion is carried out in accordance with the information in the section "General Information on Data Storage and Deletion".
- Legal Basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
- Collection of Access Data and Log Files: Access to our online services is logged in the form of so-called "server log files". Server log files may contain the address and name of the accessed web pages and files, the date and time of access, the amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files may be used, firstly, for security purposes, e.g., to detect and prevent unauthorized access or to prevent server overload (especially in the case of malicious attacks, so-called DDoS attacks), and secondly to ensure server capacity and stability. Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident has been fully resolved.
Use of Cookies
Cookies are small text files or other storage markers that store information on and read information from end devices.
Information on consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users unless it is not required by law. The revocable consent is clearly communicated to them and includes information on the respective cookie usage.
Information on the legal basis for data protection: The legal basis for processing users' personal data using cookies depends on whether we request their consent. If users accept, the legal basis for processing their data is their explicit consent. Otherwise, the data processed using cookies is processed based on our legitimate interests or, where the use of cookies is necessary to meet our contractual obligations, within the scope of fulfilling those obligations. We explain the purposes for which we use cookies in this privacy policy or within the framework of our consent and processing procedures.
General information on revocation and objection (opt-out): Users can revoke their consent at any time and object to the processing of their data in accordance with legal requirements, including via their browser's privacy settings.
- Types of data processed: Metadata, communication data, and procedural data (e.g., IP addresses, timestamps, identification numbers, individuals involved).
- Data subjects: Users (e.g., website visitors, users of online services).
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR). Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR).
Contact and Inquiry Management
When you contact us (e.g., by mail, contact form, email, telephone, or via social media), as well as within the context of existing user and business relationships, the information provided by the inquiring individuals is processed to the extent necessary to respond to the contact requests and any requested actions.
Further information on processing procedures, processes, and services:
- Contact Form: When you contact us via our contact form, email, or other communication channels, we process the personal data you provide to respond to and process your request. We use this data exclusively for the stated purpose of contacting and communicating with you.
Legal Basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Web Analytics, Monitoring, and Optimization
Web analytics (also known as "reach measurement") is used to evaluate visitor traffic to our online services and may include pseudonymous data on visitor behavior, interests, or demographic information such as age or gender.
Unless otherwise stated below, profiles—that is, data aggregated from a user session—may be created for these purposes, and information may be stored and then retrieved from a browser or device. The data collected includes websites visited and elements used there, as well as technical information such as the browser used, the operating system, and usage times. If users have consented to the collection of their location data by us or by the providers of the services we use, the processing of location data is also possible.
In addition, users' IP addresses are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored during web analytics, A/B testing, and optimization; instead, pseudonyms are used. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective processes.
Legal basis: If we ask users for their consent to the use of third-party providers, the legal basis for data processing is that consent. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Further information on processing procedures, methods, and services:
Google Analytics: Our website uses functions of Google Analytics, a web analytics service provided by Google LLC (“Google”), Amphitheatre Parkway, Mountain View, CA 94043, USA. The data collected is also processed outside the EU. Cookies are used for this purpose, enabling an analysis of website usage by its users. The information generated is transmitted to and stored on the provider's server.
You can prevent this by configuring your browser to not store cookies.
However, if IP anonymization is activated via your browser, your IP address will be shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted. This allows only a rough localization. The relationship with the web analytics provider is based on the EU Standard Contractual Clauses within the framework of the Privacy Shield Agreement. Further information: Google Privacy Policy & Terms of Service.
Data processing is carried out based on the legal provisions of Section 96 Paragraph 3 of the German Telecommunications Act (TKG) and Article 6 Paragraph 1 Letter a (consent) and/or Letter f (legitimate interest) of the GDPR. Our legitimate interest within the meaning of the GDPR is the improvement of our services and our website. Because the privacy of our users is important to us, user data is pseudonymized and IP addresses are anonymized.
Online Marketing
We process personal data for online marketing purposes, which may include the marketing of advertising space or the display of advertising and other content (collectively referred to as "content") based on users' potential interests, as well as measuring its effectiveness.
For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar methods are used to store user information relevant to displaying the content. This may include, for example, viewed content, visited websites, used online networks, as well as communication partners and technical information such as the browser used, the computer system used, and information about usage times and functions used. If users have consented to the collection of their location data, this may also be processed.
In addition, users' IP addresses are stored. However, we use available IP masking methods (i.e., pseudonymization by shortening the IP address) to protect users. Generally, no clear user data (such as email addresses or names) is stored as part of the online marketing process; instead, pseudonyms are used. This means that neither we nor the providers of the online marketing methods know the actual user identity, but only the information stored in their profiles.
The information in the profiles is usually stored in cookies or using similar methods. These cookies can later be read on other websites that use the same online marketing method and analyzed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing method provider.
We generally only receive access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion tracking, we can check which of our online marketing methods have led to a conversion, i.e., for example, to a contract being concluded with us. Conversion tracking is used solely for the purpose of analyzing the success of our marketing measures.
Information on revocation and objection:
We refer you to the privacy policies of the respective providers and the objection options (so-called "opt-out") provided by the providers. If no explicit opt-out option is provided, you can disable cookies in your browser settings. However, this may limit the functionality of our online services.
Plugins and Embedded Functions and Content
We integrate functional and content elements into our online services that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as "content").
The integration always requires that the third-party providers of this content process the users' IP addresses, as they could not send the content to their browsers without the IP address. The IP address is therefore necessary for displaying this content or these functions. We strive to use only content from providers who use the IP address solely for delivering the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. These pixel tags allow for the analysis of information such as visitor traffic on the pages of this website. The pseudonymized information can also be stored in cookies on users' devices and may include, among other things, technical information about the browser and operating system, referring websites, the time of visit, and other details about the use of our online services. This information may also be combined with information from other sources.
Legal basis: If we request users' consent to the use of third-party providers, the legal basis for data processing is this permission. Otherwise, user data is processed based on our legitimate interests (i.e., our interest in efficient, economical, and user-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.
Of course, we are always happy to answer any questions you may have about data protection on our website.