This Privacy Notice is intended to give you an overview of how we use the personal data provided by you. We would also like to inform you about the precautions we take to protect your personal data and about which rights and options you have to view your data and to protect your privacy.
This Privacy Notice contains information about which personal data we collect from you, how we process them and to which third parties we may forward your data. Regarding the terms used, such as “processing” or “Controller“, we refer to the definitions in Art 4 of the General Data Protection Regulation (“GDPR“).
Who is responsible for the data processing, and whom can you contact?
We, Pelzmann Gall Größ Rechtsanwälte GmbH, are the Controller for the processing of your personal data, within the meaning of the GDPR.
Controller responsible for data processing:
Pelzmann Gall Größ Rechtsanwälte GmbH Wagramer Straße 19/33 1220 Wien E-Mail: firstname.lastname@example.org
Authorized representatives: Dr. Mario Gall, Dr. Stephan Größ, Dr. Helen Pelzmann, Dr. Stephan Hofmann
Shareholders: Dr. Mario Gall, Dr. Stephan Größ, Dr. Helen Pelzmann, Dr. Stephan Hofmann
For what purposes and on what legal basis are your personal data processed?
- Based on your consent (Art 6 (1) (a) GDPR)
If you have given us your consent to process your personal data, processing will only take place in accordance with the purposes defined and to the extent agreed in the declaration of consent. Consent given may be withdrawn at any time without giving reasons and with future effect, if you no longer agree to the processing. This applies, for example, to sending newsletters.
- For compliance with contractual obligations (Art 6 (1) (b) GDPR)
Processing of personal data takes place in connection with the provision of legal services, for the performance of our contract with you and for execution of your orders as well as all tasks necessary for the operation and administration of our company Pelzmann Gall Größ Rechtsanwälte GmbH.
- For compliance with legal obligations (Art 6 (1) (c) GDPR)
Processing of personal data may be necessary for compliance with various legal or professional obligations (e.g. the Attorneys Code (“RAO”) or the Guidelines for the Practicing as Attorney).
- To protect the Controller’s legitimate interests (Art 6 (1) (f) GDPR)
Where necessary, data processing may take place beyond the actual performance of the contract as part of a balancing of interests in favour of Pelzmann Gall Größ Rechtsanwälte GmbH or a third party, in order to protect our legitimate interests or those of third parties. We process your data where this is required for the assertion, exercise or defence of legal claims and where there is no reason to believe that you have an overriding legitimate interest in your data not being used.
Who receives your personal data?
The protection and confidentiality of your personal data is important to us. Therefore, we transfer your personal data only to the extent described below or within the scope of an instruction at the time the data are collected. In addition, personal data that we collect concerning you will neither be sold by us nor otherwise disclosed to third parties.
Transfer to third parties
We transfer the personal data to other third parties with your consent or if it is necessary to fulfil the contract with you (e.g. if you appoint us to contact the opposite party in your name).
Transfers to processors
To a limited extent, we also pass on personal information to processors who perform services for us such as data processing services. Processors may only use or disclose these data to the extent absolutely necessary to perform services for us or to comply with legal rules. We contractually oblige these processors to ensure the confidentiality and security of the personal data that they process on our behalf.
We may also transfer personal information concerning you (i) if we are required to do so by law or in the context of legal proceedings, (ii) if we believe that disclosure is necessary to prevent damages or financial loss, (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities or (iv) for the assertion, exercise or defence of legal claims of our legitimate legal interests.
Are data transferred to a third country or an international organisation?
If we process personal data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of the use of third party services or disclosure and/or transfer of personal data to third parties, we shall only transfer personal data to comply with our (pre)contractual obligations, based on your consent, a legal obligation or our legitimate interests.
For how long are personal data stored and processed?
We process your data for the duration of the entire business relationship (from initiation through performance to termination of a contract), and beyond this, pursuant to statutory retention and documentation obligations. These derive, for example, from:
- The Austrian Commercial Code (UGB);
- The Federal Tax Code (BAO); or
- The Solicitors’ Professional Code (RAO).
In addition, the storage period must take into account the statutory limitations periods, which, according to the Austrian Civil Code (ABGB), for example, may range up to 30 years in certain cases (the general limitations period is 30 years).
What rights and options do you have?
a) Right of access (Art 15 GDPR)
You have the right to request confirmation from us as to whether we are processing personal data concerning you.
Where personal data concerning you are being processed, you have the right, as the data subject, to receive information from us at any time regarding the personal data stored about you and to receive a copy of the personal data concerning you which is undergoing processing. In this regard, as the data subject, you shall have the right to obtain the following information:
- The purposes of the processing;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organisations;
- Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- The existence of a right to rectification or erasure of the personal data concerning you, or to restriction of processing by the Controller, or to object to such processing;The existence of the right to lodge a complaint with a supervisory authority;
- Any available information about the origin of the data where the personal data were not collected directly from you; and
- Where present, the existence of automated decision-making, including profiling, pursuant to Art 22 (1) and (4) GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Where personal data concerning you are transferred to a third country or to an international organisation, you shall also have the right to be informed of the appropriate safeguards relating to the transfer.
b) Right to rectification (Art 16 GDPR)
You shall have the right to request the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you shall also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
c) Right to erasure (Art 17 GDPR)
You shall have the right to request from us the erasure of personal data concerning you without undue delay where one of the following grounds applies and if no further processing is required:
- The personal data are no longer needed for the purposes for which they were collected;
- You withdraw your consent on which the processing was based and where there is no other legal ground or overriding legitimate interest for the processing;
- The personal data have been unlawfully processed;
- Erasure of the personal data is required for compliance with a legal obligation under Union or Member State law to which the Controller is subject; or
- The personal data have been collected in relation to the offer of information society services pursuant to Art 8 (1) GDPR.
d) Right to restriction of processing (Art 18 GDPR)
You shall have the right to request from us the restriction of processing where one of the following conditions applies:
- You contest the accuracy of the personal data (the restriction shall be put in place for a period which enables the Controller to verify the accuracy of the personal data);
- The processing of your personal data was unlawful and you oppose the erasure of your personal data and request instead the restriction of their use;
- The Controller no longer requires your personal data for the purposes of the processing, but you require them for the assertion, exercise or defence of legal claims; or
- You have objected to processing of your personal data and it has not yet been determined whether the legitimate grounds of the Controller override your own.
e) Right to data portability (Art 20 GDPR)
You shall have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You shall also have the right to request that we transfer these data directly to another controller, designated by you, where this is technically feasible and does not adversely affect the rights and freedoms of others. The right to data portability may only be exercised where the basis of the processing is either your consent or a (pre)contractual necessity, and where the processing is carried out by automated means. The right to data portability does not apply to data processings which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.
f) Right to object (Art 7 (3) GDPR)
You shall have the right at any time to withdraw your consent to the processing of your personal data. If you have objected to processing, we shall no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or unless the processing is for the assertion, exercise or defence of legal claims.
We also use your personal data for direct marketing purposes. You shall have the right to object at any time to processing for such marketing. This also applies to profiling where it is related to such direct marketing. After your objection has been raised, we shall no longer process your personal data for direct marketing purposes.
You shall have the right to object, on grounds relating to your particular situation, to processing by us of personal data concerning you for scientific or historical research purposes or statistical purposes pursuant to Art 89 (1) GDPR, unless such processing is necessary for the performance of a task carried out in the public interest.
Should you wish to exercise one or more of the above-mentioned rights, you can contact us at any time (email@example.com).
With which supervisory authority may you lodge a complaint?
Pursuant to Art 77 GDPR, you shall have the right to lodge a complaint with the competent supervisory authority. In Austria, this is the Data Protection Authority (Datenschutzbehörde).
Do you have to provide your personal information?
In order to be able to enter into a business relationship with you, we require various personal data. In some cases we are also legally obliged to collect them.
Unfortunately, if you refuse to provide us with your personal data necessary for the conclusion and performance of the contract, we will be unable to enter into a contractual relationship with you. We may have to terminate existing contractual relationships if necessary.
You are not obliged to give your consent to the processing of personal data concerning you which is not relevant to the performance of the contract respectively not required by law and/or for regulatory purposes.
To what extent is automated decision-making carried out?
As a general principle, we do not use fully automated decision-making for the establishment and implementation of the business relationship. Should we use such processes in individual cases, we will inform you separately about this, to the extent that this is required by law.
Are personal data processed for purposes other than those for which the personal data were collected?
As a general principle, we only process data for the purposes for which they were collected. In exceptional cases, however, we may process personal data which we have collected for one specific purpose for another purpose. In this case, we will inform you before the intended processing about the purpose, the period for which your personal data will be stored, the exercise of data subject rights, the option to withdraw consent, the existence of the right to lodge a complaint with the data protection authority, whether provision of the data was necessary on legal or contractual grounds and what the consequences would be if it were not provided, and whether automated decision-making or profiling is carried out.
What types of personal data are processed?
We process, inter alia, the following types of personal data:
- Inventory data (e.g. name, addresses);
- Contact data (e.g. e-mail, telephone numbers);
- Content data (e.g. text input, photos, videos);
- Order data (e.g. BIC, IBAN); and
- Documentation data (e.g. file notes).
We stress that we process personal data only to the extent necessary. In individual cases, therefore, less than the above data may suffice.
Is there a cooperation with contract processors and / or third parties?
If, in the course of our processing, we disclose personal data to other persons and companies (contract processors or third parties), transmit them to them or otherwise grant them access to the data, this will be based on a legal basis.
When will your personal data be deleted?
According to legal requirements, storage takes place, for example:
- 5 years according to § 12 (2) and (3) RAO (storage of files and documents); or
- 7 years according to § 132 (1) BAO (accounting documents, receipts / invoices, accounts, business papers, statement of income and expenditure, etc).
The hosting services we use are for the purpose of providing the following services: Provision of the web space and technical maintenance services we use for the purpose of operating this online services.
We or our hosting provider abaton EDV-Dienstleistungs GmbH, Hans-Resel-Gasse 17, 8020 Graz do not process any personal data.
We send newsletters, e-mails and other electronic notifications for advertising purposes and to announce news (hereinafter “newsletter”) only with your consent, which is recorded during registration for the newsletter, or where there is a legal basis to do so (e.g. Art 107 (2) and (3) of the Telecommunications Act (TKG)).
You may unsubscribe from our newsletter, i.e. withdraw your consent, at any time. You can unsubscribe by responding to our newsletter by an email saying “unsubscribe” or you send an e-mail to firstname.lastname@example.org. Please note that we will continue to process your personal data until you withdraw your consent, so that we can prove consent previously given to receive newsletters. The processing of these data is limited to the purpose of a possible defence against claims. You shall have the right to request the erasure of your personal data.
If you contact us (e.g. by e-mail or telephone), your details will be processed for the purpose of handling and processing the contact request.
We will erase the contact requests, and your personal data provided to us in them, if their storage is no longer necessary.
Personal data of children
We do not knowingly collect personal data concerning children under the age of 14. If we become aware that we have inadvertently collected personal data concerning children under the age of 14, we will take steps to erase that information as soon as possible, unless required by law to store it.
How will I find out about changes to this Privacy Notice?
We are committed to upholding the principles of privacy and data protection. For this reason, we regularly review our Privacy Notice. This is to ensure that it is correct and clearly displayed on our website, contains appropriate information about your rights and our processing activities and is implemented in accordance with applicable law and thus complies with data protection requirements. We update this Privacy Notice when required, in order to take current circumstances into account. In the event that we make significant changes to this Privacy Notice, we will notify you on our website and provide you with the updated version of the Privacy Notice.
Data protection on our website