Thank you for your interest in the information on our website!
With the help of this privacy policy, we would like to inform all persons who use this website about the type, scope and purposes of the processing of personal data. Personal data in this context is all information with which you can be personally identified as a user on our website (theoretically, possibly via detours or by linking various data), including your IP address. Information that is stored in cookies is generally not personal or only personal in exceptional cases; however, this is covered by a special regulation that makes the permissibility of the use of cookies – depending on their purpose – largely dependent on the active consent of the user.
In a general section of this privacy policy, we provide you with information on data protection that generally applies to our processing of data, including the collection of data on our website. In particular, you as the data subject will be informed of the rights to which you are entitled.
We make every effort to provide this information in gender-neutral language. If individual formulations do not yet take this into account, we would like to point out that this information applies to all people of all genders.
The terms used in our privacy policy and our data protection practices are based on the provisions of the EU General Data Protection Regulation (“GDPR”) and other relevant national legislation.
Responsible within the meaning of the GDPR
FIDELIO GmbH
FN 363598d
In Südpark 203
4030 Linz
Austria
E: office@fidelio.at
T: +43 732651885
F: +43 732 65188520#
Data collection on our website
On the one hand, personal data is collected from you if you expressly provide it to us; on the other hand, data, in particular technical data, is collected automatically when you visit our website. Some of this data is collected to ensure that our website functions correctly. Other data can be used for analysis purposes. However, you can use our website without having to provide any personal details.
Technologies on our website
Cookies and local storage
We use cookies on our website to make our Internet presence more user-friendly and functional. Some cookies remain stored on your end device.
Cookies are small data packets that are exchanged between your browser and the/our web server when you visit our website. These do not cause any damage and only serve to recognize website visitors. Cookies can only store information that is supplied by your browser, i.e. information that you have entered into the browser yourself or that is available on the website. Cookies cannot execute code and cannot be used to access your end device.
The next time you visit our website with the same end device, the information stored in cookies may subsequently be sent back either to us (“first-party cookie”) or to a third-party web application to which the cookie belongs (“third-party cookie”). Through the stored and returned information, the respective web application recognizes that you have already accessed and visited the website with the browser of your end device.
Cookies contain the following information:
- Cookie name
- Name of the server from which the cookie originated
- Cookie ID number
- A date on which the cookie is automatically deleted
Depending on their intended use and function, we divide cookies into the following categories:
- Technically necessary cookies to ensure the technical operation and basic functions of our website. This type of cookie is used, for example, to retain your settings while you navigate the website; or they can ensure that important information is retained throughout the session (e.g. login, shopping cart).
- Statistics cookies to understand how visitors interact with our website by collecting and analyzing information anonymously only. This gives us valuable insights to optimize both the website and our products and services.
- Marketing cookies to set targeted advertising activities for users on our website.
- Unclassified cookies are cookies that we are currently trying to classify together with providers of individual cookies.
Depending on the storage period, we also divide cookies into session and permanent cookies. Session cookies store information that is used during your current browser session. These cookies are automatically deleted when the browser is closed. No information remains on your end device. Permanent cookies store information between two visits to the website. Based on this information, you will be recognized as a returning visitor on your next visit and the website will react accordingly. The lifespan of a permanent cookie is determined by the provider of the cookie.
The legal basis for the use of technically necessary cookies is based on our legitimate interest in the technically flawless operation and smooth functionality of our website. Our website cannot function properly without these cookies. The use of statistics and marketing cookies requires your consent. You can revoke your consent to the use of cookies at any time for the future. Consent is voluntary. If it is not granted, there are no disadvantages. Further information about the cookies we actually use (in particular about their purpose and storage duration) can be found in this privacy policy and in the information about the cookies we use in our cookie banner.
You can also set your Internet browser so that the storage of cookies on your device is generally prevented or you are asked each time whether you agree to the setting of cookies. Once cookies have been set, you can delete them at any time. You can find out how all this works in detail in the help function of your browser.
Please note that a general deactivation of cookies may lead to functional restrictions on our website.
We also use so-called local storage functions (also known as “local storage”) on our website. Data is stored locally in your browser’s cache and can be read even after you close the browser – unless you delete the cache or it is the session storage.
Third parties cannot access the data stored in Local Storage. If special plugins or tools use the local storage functions, this is described in the respective plugin or tool.
If you do not want plugins or tools to use local storage functions, you can control this in the settings of your respective browser. We would like to point out that this may result in functional restrictions.
Google Analytics
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC (USA)
Purpose: Web analysis, performance measurement, conversion tracking, collection of statistical data
Category: Statistics
Recipients: EU, USA
processed data: IP address, details of the website visit, user data
Affected parties: Users
Technology: JavaScript call, cookies
Legal basis: Consent, Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
Website: https://www.google.com
Further information:
https://policies.google.com/privacy
https://safety.google/intl/de/principles/
https://business.safety.google/adsprocessorterms/
Here you can find out exactly where Google data centers are located: https://www.google.com/about/datacenters/locations/
We use the functions of the web analysis service Google Analytics on our website to analyze user behavior and to optimize our Internet presence. The reports provided by Google are used to analyze the performance of our website and to measure the success of possible campaigns via our website.
Google Analytics uses cookies that enable us to analyze the use of our website.
Information about the use of the website such as browser type/version, operating system used, the previously visited page, host name of the accessing computer (IP address), time of the server request are usually transmitted to a Google server and stored there. We have concluded a contract with Google for this purpose.
Google will use this information on our behalf to evaluate the use of our website, to compile reports on the activities within our website and to provide us with further services associated with the use of our website and the use of the Internet. According to Google, the IP address transmitted by your browser will not be merged with other Google data.
We only use Google Analytics with IP anonymization activated by default. This means that the IP address of a user is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and shortened there. According to Google, the IP address transmitted by a user’s browser as part of Google Analytics is not linked to other Google data.
During the website visit, user behavior is recorded in the form of so-called events. These can represent the following:
- Page views, the click path of a user
- First visit to our website
- Websites visited
- Start of a session
- Interaction with our website
- User behavior (e.g. clicks, scrolls, dwell time, bounce rates)
- File downloads
- Viewed / clicked ads
- Interaction with videos
- internal search queries
is also recorded:
- approximate location (region)
- Date and time of the visit
- IP address (in abbreviated form)
- technical information about the browser or the end devices used (e.g. language setting, screen resolution)
- Internet provider
- Referrer URL (via which website/advertising medium a user came to our website)
This data is essentially processed by Google for its own purposes, such as profiling (without us being able to influence this).
The data on the use of our website will be deleted immediately after the end of the storage period set by us. Google Analytics specifies a standard retention period of 2 months for user and event data, with a maximum retention period of 14 months. This retention period also applies to conversion data. The following options are available for all other event data: 2 months, 14 months, 26 months (Google Analytics 360 only), 38 months (Google Analytics 360 only), 50 months (Google Analytics 360 only). We choose the shortest storage period that corresponds to our intended use. You can ask us at any time about the current storage period we have set.
Data that has reached the end of its retention period is automatically deleted once a month.
Google Tag Manager
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC (USA)
Purpose: Management of tools and plugins
Category: Technically required
Recipients: EU, USA
processed data: IP address
Affected parties: Users
Technology: JavaScript Call
Legal basis: Legitimate interest, Data Privacy Framework, https://www.dataprivacyframework.gov/s/participant-search/participant-detail?id=a2zt000000001L5AAI&status=Active
Website: https://www.google.com
Further information:
https://policies.google.com/privacy
https://safety.google/intl/de/principles/
https://business.safety.google/adsprocessorterms/
Here you can find out exactly where Google data centers are located: https://www.google.com/about/datacenters/locations/
The Google Tag Manager service is used on our website.
The Tag Manager is a service with which we can manage website tags via an interface. This allows us to integrate code snippets such as tracking codes or conversion pixels on websites without interfering with the source code. The Tag Manager only forwards the data, but neither collects nor stores it. The Tag Manager itself is a cookie-less domain and does not process any personal data, as it is used purely to manage other services in our online offering.
When the Google Tag Manager is started, the browser establishes a connection to Google’s servers. These are mainly found in the USA. This gives Google knowledge that our website has been accessed via the IP address of a user.
The Tag Manager ensures the resolution of other tags, which in turn may collect data. However, the Tag Manager does not access this data. If a deactivation has been made at domain or cookie level, this remains in place for all tracking tags that are implemented with the Tag Manager.
Hosting
As part of the hosting of our website, all data to be processed in connection with the operation of our website is stored. This is necessary to enable the operation of the website. We therefore process the data accordingly on the basis of our legitimate interest in optimizing our website offering. To provide our online presence, we use the services of web hosting providers to whom we make the above-mentioned data available as part of order processing.
Contact us
When you contact us, your details will be used to process the contact request and its handling as part of the fulfillment of pre-contractual rights and obligations. The processing of your data is necessary for processing and answering your request, otherwise we will not be able to answer your request or only to a limited extent. The data may be stored in a customer and prospect database on the basis of our legitimate interest in direct marketing.
We will delete your request and your contact data if your request has been conclusively answered and there are no legal retention periods to prevent deletion, e.g. in the context of subsequent contract processing. This is usually the case if there has been no contact with you for three years.
Server log files
For technical reasons, in particular to ensure a functional and secure Internet presence, we process technically necessary data about access to our website in so-called server log files, which your browser automatically transmits to us.
The access data that we process includes
- Name of the website accessed
- Browser type used incl. Version
- Operating system used by the visitor
- the page previously visited by the visitor (referrer URL)
- Time of the server request
- Amount of data transferred
- Host name of the accessing computer (IP address used)
This data is not assigned to any natural persons and is only used for statistical evaluations and for the operation and improvement of our website as well as for the security and optimization of our Internet offer. This data is only transmitted to our website host. This data is not combined or merged with other data sources. If there is any suspicion of unlawful use of our website, we reserve the right to check this data retrospectively. The data processing is based on our legitimate interest in the technically error-free presentation and optimization of our website.
The access data is deleted shortly after the purpose has been fulfilled, usually after a few days, unless further storage is required for evidence purposes. Otherwise, the data will be retained until an incident has been finally clarified.
SSL encryption
When you visit our website, we use the widely used SSL (Secure Socket Layer) method in conjunction with the highest level of encryption supported by your browser. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the status bar of your browser. The use of this procedure is based on our legitimate interest in the use of suitable encryption techniques.
We also use suitable technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or unauthorized access by third parties. Our security measures are continuously improved in line with technological developments and kept up to date.
Webshop with customer account
We process the data of our customers and contractual partners, in particular their master data, communication data, payment data and contract data as part of the execution of order processes in our web store. This is done for the purpose of selecting and ordering the selected products and / or services, as well as their payment and delivery or execution.
The purpose of processing is the provision of contractual services as part of the operation of our web store, the billing of deliveries and services, the delivery of products and the provision of services.
The processing is carried out for the fulfillment of the contract on the basis of Art. 6 para. 1 lit. b GDPR and furthermore pursuant to Art. Art 6 para. 1 lit. c GDPR to fulfill statutory retention obligations based on commercial and tax regulations. The mandatory information for the fulfillment of the contract is specially marked as such when entered in our store system or we will inform you of this personally. We only transfer the data to third parties for the provision of our services (e.g. to involved transport or other auxiliary services such as subcontractors or telecommunications services), for the processing of payment transactions (e.g. to banks, payment service providers, tax authorities or consultants) or within the scope of our legal rights and obligations, as well as within the scope of our legitimate interest in the appropriate legal prosecution in accordance with Art. 6 para. 1 lit. f GDPR. Art 6 para. 1 lit. f GDPR vis-à-vis legal advisors, courts and authorities in case of cause. The data will only be processed in third countries if this is absolutely necessary for the fulfillment of the contract (e.g. at the customer’s request for delivery or payment) and insofar as appropriate data protection guarantees are in place. Any other transfer of data to third parties will only take place with your express consent in accordance with Art. 6 para. 1 lit. a GDPR.
Users can create a user account in which they can view their orders, for example. User accounts are not publicly visible. If users have terminated their user account, their data will be deleted with regard to the user account, unless their retention is required for commercial or tax law reasons in accordance with Art. 6 para. 1 lit. a GDPR. 1 lit. c GDPR or on the basis of our legitimate interest in the enforcement of rights pursuant to Art. Art 6 para. 1 lit. f GDPR is necessary. It is the responsibility of users to back up their data before the end of the contract in the event of termination.
We store the IP address and the time of the respective user action as part of the registration process and when re-registering and using our online services. The storage takes place on the basis of our legitimate interests in accordance with. Art 6 para. 1 lit. f GDPR, as well as in the legitimate interest of the users themselves to protect against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary for the pursuit of our claims or there is a legal obligation to do so in accordance with. Art. 6 para. 1 lit. c GDPR.
The data will be deleted after the expiry of statutory warranty and compensation obligations or other contractual or statutory obligations. Our customers and contractual partners will be informed separately in this privacy policy about further processing of data in the context of marketing activities.
General information on data protection
The following provisions apply not only to the collection of data on our website, but also to the processing of personal data in general.
Personal data
Personal data is information that can be assigned to you individually. Examples of this include your address, your name and your postal address, e-mail address or telephone number. Information such as the number of users who visit a website is not personal data because it does not allow any assignment to an individual person.
Legal basis for the processing of personal data
Unless more specific information is provided in this privacy policy (e.g. for the technologies used), we may process your personal data on the basis of the following legal bases:
- Consent pursuant to Art. 6 para. 1 lit. a GDPR – the data subject has given their consent to the processing of their personal data for one or more specific purposes.
- Contract fulfillment and pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR – The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps prior to entering into a contract.
- Legal obligation pursuant to Art. 6 para. 1 lit. c GDPR – Processing is necessary for compliance with a legal obligation.
- Protection of vital interests pursuant to Art. 6 para. 1 lit. d GDPR – Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR – Processing is necessary for the purposes of the legitimate interests pursued by the controller(s) or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Please note that in addition to the provisions of the GDPR, the national data protection regulations in your or our home country may apply.
Transmission of personal data
Your personal data will not be transferred to third parties for purposes other than those listed in this privacy policy.
We only pass on your personal data to third parties if:
- Your according to Art. 6 para. 1 lit. a GDPR have given their express consent,
- disclosure in accordance with Art. 6 para. 1 lit. f GDPR is necessary for the protection of legitimate interests as well as for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in the non-disclosure of your data,
- for transfer to Art. 6 para. 1 lit. c GDPR a legal obligation exists, as far as this is legally permissible and / or
- it according to Art. 6 para. 1 lit. b GDPR is necessary for the processing of contractual relationships with you.
Cooperation with processors
We carefully select our service providers who process personal data on our behalf. If we commission third parties with the processing of personal data on the basis of an order processing contract, this is done in accordance with Art. 28 GDPR.
Transfer to third countries
If we process data in a third country or if this occurs in the context of the use of third-party services or disclosure or transfer of data to other persons or companies, this will only take place on the basis of the legal bases described above for the transfer of data.
Subject to express consent or contractual necessity, we process or have the data processed in accordance with Art. 44-49 GDPR only in third countries with a level of data protection recognized as adequate or on the basis of special guarantees, such as a contractual obligation through so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection regulations.
Data transfer to the USA
We would like to expressly point out that as of July 10, 2023, the EU Commission pursuant to Art 45 para. 1 GDPR has issued an adequacy decision on the EU-US data protection framework (Data Privacy Framework). Accordingly, organizations or companies (as data importers) in the USA that are registered in a public list as part of the self-certification of the Data Privacy Framework offer an appropriate level of protection for data transfers. You can find out whether the specific provider of a service is already certified here: https://www.dataprivacyframework.gov/s/participant-search
The Data Privacy Framework constitutes a valid legal basis for the transfer of personal data to the USA. This creates binding safeguards to meet all the requirements of the CJEU; for example, it provides that access by US intelligence services to EU data is limited to what is necessary and proportionate and that a data protection review court is created to which individuals in the EU also have access.
If we transfer data to the USA at all or if we use a service provider based in the USA, we explicitly refer to this in this privacy policy (see in particular the description of the technologies on our website).
It should be noted that apart from significant improvements, the Data Privacy Framework is only partially applicable and only applies to data transfers to those data importers in the US that appear on the public list of certified organizations / companies.
What can the transfer of personal data to the USA mean for you as a user and what risks exist in this context?
Risks for you as a user:in as far as data importers in the USA are concerned, which are not covered by the Data Privacy Framework, are in any case the powers of the US intelligence services and the legal situation in the USA, which, according to the ECJ, currently no longer ensure an adequate level of data protection. These include the following points:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) provides no restrictions on the surveillance activities of the intelligence agencies and no guarantees for non-US citizens.
- Presidential Policy Directive 28 (PPD-28) does not provide affected persons with effective legal remedies against measures taken by the US authorities and does not provide for any limits to ensure proportionate measures.
- the ombudsman’s office provided for in the Privacy Shield does not have sufficient independence from the executive; it cannot issue binding orders to the intelligence services.
Legally compliant transfer of data to the USA on the basis of the standard contractual clauses for data importers not covered by the Data Privacy Framework?
In June 2021, the European Commission adopted new Standard Contractual Clauses (SCCs) in Decision 2021/914/EU. These create a new legal basis for data transfers where the level of data protection is not the same as in the EU.
Legally compliant transfer of data to the USA on the basis of consent?
If data is transferred to a service provider based in the USA that is not covered by the Data Privacy Framework and this data transfer is based on explicit consent, we will provide explicit information about this in this privacy policy, in particular in the description of the technologies used on our website.
What measures do we take to ensure that data transfers to the USA are legally compliant?
Where US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and cannot be accessed by US authorities.
Storage period in general
If no explicit storage period is specified when data is collected (e.g. as part of a declaration of consent), we are obliged to store the data in accordance with Art. 5 para. 1 lit. e GDPR obliges us to delete personal data as soon as the purpose of its processing no longer exists. In this context, we would like to point out that statutory retention obligations to which we are subject constitute a legitimate purpose for the further processing of the personal data collected.
In principle, we store and retain data in personal form until the end of a business relationship or until the expiry of applicable guarantee, warranty or limitation periods, and beyond that until the end of any legal disputes in which the data is required as evidence, or in any case until the end of the third year after the last contact with a business partner.
Storage duration in particular
The description of individual technologies on our website contains specific information on the storage period of data. Our cookie table informs you about the storage duration of individual cookies. In addition, you always have the option of asking us directly about the specific storage period of data. To do so, please use the contact details provided in this privacy policy.
Rights of data subjects
Affected persons have the right:
- (i) in accordance with Art. 15 GDPR, to request information about your personal data processed by us. In particular, you can request information about the processing purposes, the category of personal data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
- (ii) in accordance with Art. 16 GDPR, to immediately request the correction of incorrect or incomplete personal data stored by us;
- (iii) in accordance with Art. 17 GDPR, to request the deletion of your personal data stored by us under certain circumstances, unless the processing is necessary to exercise the right to freedom of expression and information, to fulfill a legal obligation, for reasons of public interest or to assert, exercise or defend legal claims;
- (iv) in accordance with Art. 18 GDPR, to demand the (temporary) restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it, we no longer need the data but you need it to assert, exercise or defend legal claims or you have lodged an objection to the processing in accordance with Art. 21 GDPR;
- (v) in accordance with Art. 20 GDPR, to receive from us your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transmitted directly to another controller; however, this only covers your personal data that we process with the aid of automated procedures on the basis of your consent or on the basis of a contract;
- (vi) pursuant to Art. 21 GDPR, insofar as your personal data is processed on the basis of our legitimate interest, to object to the processing of your personal data, provided that there are reasons for this arising from your particular situation or the objection is directed against direct advertising. In the latter case, you have a general right to object, which will be implemented by us without specifying a particular situation;
- (vii) pursuant to Art. 7 para. 3 GDPR to revoke your consent once given to us at any time. As a result, we may no longer continue the data processing that was based on this consent in the future. Among other things, you have the option of revoking your consent to the use of cookies on our website with effect for the future by accessing our cookie settings;
- (viii) in accordance with Art. 77 GDPR, to complain to a supervisory authority about the unlawful processing of your data by us. As a rule, you can contact the supervisory authority of your usual place of residence or workplace or our company headquarters.
The competent supervisory authority for FIDELIO GmbH is:
Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna, Austria
Tel.: +43 1 52 152-0, dsb@dsb.gv.at
Assertion of data subject rights
You yourself decide on the use of your personal data. Should you therefore wish to exercise any of your above-mentioned rights against us, you are welcome to contact us by e-mail at office@fidelio.at or by post or telephone.
Please help us to clarify your request by answering questions from our responsible employees regarding the specific processing of your personal data. If there is reasonable doubt about your identity, we may request a copy of your ID.
If you have any questions about data protection, please contact us at office@fidelio.at or using the other contact details provided in this privacy policy.
Linz, July 2, 2024