Data Protection Statement
We are very pleased with your interest in our enterprise. Data protection is very important for the management board of the A/C-Innovations GmbH (hereinafter referred to as ACI). The use of ACI websites is (in principle) possible without the provision of any personal data. However, if the interested person would like to take advantage of specific services of our company via our website, it may turn out that the processing of personal data may be necessary. If the processing of personal data would be necessary and there is no legal basis for such processing, then we generally ask the interest person to give his or her consent.
The processing of personal data (for example, name, address, e-mail address or phone number of the interested person) always takes place in accordance with the General Data Protection Regulation and according to the applicable ACI national regulations on data protection. By means of this Data Protection Statement, our enterprise wants to inform the public about the manner, scape and purpose of personal data collected and processed by us. Moreover, the persons concerned will be informed (by means of this Statement) about their rights.
In order to ensure complete protection of personal data processed with the use of this website, ACI, as the administrator responsible for processing, applied numerous technical and organizational measures. However, data transmission through the Internet can essentially contain security gaps, so that the absolute protection cannot be guaranteed. For this reason, each person concerned has the right to choose and provide his or her personal data to us via an alternative route – for example, by phone.
The ACI’s Data Protection Statement is based on the concepts that have been applied by the European Legislative Authority for directives and ordinances when publishing the General Data Protection Regulation (GDPR). Our Data Protection Statement should be easily readable and understandable both for the public and for our clients. To ensure this, we would like to explain the applied concepts.
In this Data Protection Statement, we use, among others, the following concepts:
a) Personal data
Personal data is any information that refers to an identified or identifiable natural person (hereinafter referred to as “data subject”). The identifiable person is a natural person, who can be directly or indirectly identified, in particular on the basis of an associated identifier, such as surname, identification number, location data, online identifier, as well as on the basis of one or more specific features that define the physical, physiological, genetic, psychological, economic, cultural or social identity of a natural person.
b) Data subject
The data subject is any identified or identifiable natural person, whose data will be processed by the administrator.
Processing means automated or non-automated operations or a set of operations performed on personal data, such as collecting, recording, organizing, arranging, storing, adapting or modifying, reading, searching, using, disclosing by forwarding, distributing or otherwise making available, matching or combining, limiting, deleting or destroying.
d) Limitation of processing
It means the marking of stored personal data in order to limit its future processing.
Profiling means any form of automated processing of personal data, which involves the use of personal data for the evaluation of certain personal aspects of a given natural person, especially to analyze or forecast aspects related to the effects of his or her work, his or her economic situation, health, personal preferences, interests, credibility, behavior, place of residence or movement;
Pseudonymization means the processing of personal data in such a way that it can no longer be assigned to the specific data subject without the use of additional information, provided that such additional information is kept separately and it is covered by technical and organizational measures that prevent to assign it to an identified or identifiable natural person;
g) Administrator or entity responsible for processing
The administrator or entity responsible for processing means a natural or legal person, public body, institution or other entity, which (independently or jointly with others) determines the aims and methods for the processing of personal data. If the aims and methods of such processing are set out in European Union law or in the law of a Member State, the administrator or the criteria for his designation may be determined in accordance with Union or Member State law. Moreover, in the EU law or in the law of a Member State, the administrator may be designated or specific criteria may be laid down for his designation.
The processor means a natural or legal person, public body, individual or other entity that processes personal data at the request of the administrator.
The recipient means a natural or legal person, public body, institution or other entity, to whom personal data is disclosed, regardless of whether he is a third party or not. However, public bodies, which possible receive personal data within the framework of a specific procedure in accordance with Union law of the law of a Member State, are not considered recipients;
j) Third party
The third party is a natural or legal person, public body, institution or entity other than the data subject, the administrator or the processor or persons, who (under the authority of the controller or the processor) may process personal data.
The consent means any data subject’s declaration of will, submitted voluntarily, knowingly and unambiguously, in relation to a specific case, in the form of a statement of other explicit confirmation action, by which the person implies that he or she agrees to the processing of his or her personal data;
2. Contact details of the entity responsible for processing
The Administrator, within the meaning of the General Data Protection Regulation, other Data Protection Acts in force in the Member State of the European Union, as well as other data protection regulations, is the enterprise specified in the Editorial Information.
Contact with the responsible employee is possible via the e-mail address: firstname.lastname@example.org.
With the help of a cookie, information and offers on our website can be optimized in the interest of the user. Cookies enable us, as already mentioned before, re-recognition of our website’s users. The aim of this recognition is to facilitate the use of our website by users. A user of a website that takes advantage of cookies does not need to provide his or her access data, because it will be taken over by the website and installed on the computer system. Another example is the cookie of a shopping cart in the Online-Shop. Online-Shop via cookie remembers the articles that the client placed in the virtual shopping cart.
The data subject may prevent the placement of cookies through our website thanks to the adequate setting of the web browser. Moreover, the data subject may oppose the permanent placement of cookies. Additionally, all cookies already posted can always be deleted with the use of a website or other software. This is possible in all current web browsers. If the data subject disables the placement of cookies on the web browser, there may be a case that in these circumstances not all functions of our website will be available in the full extent.
4. Registration of general data and information
Each time during the launch of a website by the data subject or the automated system, the ACI website records a sequence of general data and information. The above data and information are saved in the server login data. The following information can be saved: (1) used types and versions of web browsers, (2) operating system of a system with access, (3) a website, from which a system has access to our website (s-called referrer), (4) subpages, to which we are guided through the system, which has an access to our website, (5) date and time for launch of the website, (6) IP address, (7) Internet service provider of the system with access and (8) other similar data and information that serves to defend against attacks on our information and technology systems.
When using these general data and information, ACI does not draw any conclusions about the data subject. This information is rather needed to: (1) provide the contents of our website properly, (2) optimize contents of our website, as well as advertisement about it, (3) ensure the continuous efficiency of our technology and information systems and the techniques of our website, as well as (3) provide law enforcement agencies with information necessary to prosecute a crime in the event of a cyber-attack. This anonymously collected data and information will be analyzed by ACI on the one hand for statistical purposes, and on the other hand to ensure increased protection and data security in our company, in order to ensure an optimal level of protection for the personal data processed by us. Anonymous server login details will be saved separately from any personal data provided by the data subject.
5. Possibility of contact via the website
The ACI’s website, in connection with statutory regulations, contains information that enables quick electronic contact with our company, as well as direct communication with us. They also include the general address of the so-called electronic mail (e-mail address). If the data subject establishes contact via e-mail or a contact form with the entity responsible for processing, the transferred personal data of the data subject will be automatically saved. Such personal data (voluntarily given to the entity responsible for processing by the data subject) will be recorded in order to develop or make contact with the data subject. Further transfer of this personal data to third parties does not take place.
6. Routine deletion and blocking of personal data
The entity responsible for processing processes and saves the data subject’s personal data only for the period required to achieve the purpose of the data storage or if so provided by the European Legislative Authority for directives and ordinances, as well as by another legislator in the acts or regulations, to which the entity responsible for processing is subject.
If the purpose of data storage is no longer valid or the storage period specified by the European Legislative Authority for directives and ordinances, as well as other relevant legislator, has expired, personal data will be routinely blocked or removed in accordance with statutory provisions.
7. Rights of the data subject
a) The right to obtain confirmation
Each data subject has the right (that has been granted to him or her by the European Legislative Authority for directives and ordinances) to request the entity responsible for processing a confirmation of whether his or her personal data is processed. If the data subject would like to use his or her right to obtain such a confirmation, he or she can (at any time) ask the employee of the entity responsible for processing in this case.
b) The right to information
Each person affected by the processing of personal data has the right (provided by the European Legislative Authority for directives and ordinances) to obtain from the entity responsible for data processing, at every request, free information about his or her stored personal data and to receive a copy of such information. Furthermore, the European Legislative Authority for directives and ordinances granted the data subject the right to receive the following information:
• Purposes of data processing
• Categories of personal data that is processed
• Recipients or categories of recipients, to whom personal data have been or will be made available, in particular with regard to recipients in third countries or international organizations
• If possible, the planned time, for which personal data will be stored, or if this is not possible – criteria for the determination of such a period
• Existence of the right to rectify or delete his or her personal data, as well as the right to reduce the processing by the administrator and the right to object
• Existence of the right to submit a complaint to the supervisory body
• If personal data have not been obtained from the data subject: all available information on the data’s origin
• Existence of automated decision making process, including profiling, pursuant to Article 22 section 1 and 4 of the GDPR and – at least in such cases – clear information on the associated logic, as well as the extent and intended impact of this type of data processing for the data subject.
Additionally, the data subject has the right to be informed whether personal data have been transferred to one of the third countries or to an international organization. In such a case, the data subject also has the right to obtain information about the applicable warranties in relation to the transfer.
If the data subject would like to take advantage of his or her right to information, he or she can (at any time) ask the employee of the entity responsible for the information to do so.
c) The right to rectification
Each person affected by the processing of personal data has the right (guaranteed by the European Legislative Authority for directives and ordinances) to demand the immediate rectification of his or her incorrect personal data. Furthermore, the data subject has the right to request the supplementation of incomplete personal data with regard to the purpose of its processing – also by means of a supplementary declaration.
If the data subject would like to exercise his or her right to rectification, he or she may (at any time) refer to the employee of the entity responsible for processing.
d) The right to delete data (right to be forgotten)
Each person affected by the processing of personal has the right (guaranteed by the European Legislative Authority for directives and ordinances) to demand the deletion of his or her personal data without any delay by the administrator if one of the following causes applies and unless data processing is required:
• Personal data is no longer necessary for the purposes, for which it was collected or otherwise processed.
• The data subject revokes the consent, on which the processing is based in accordance with Article 6 section 1 letter a or Article 9 section 2 letter a of the GDPR and there is no other legal basis for the processing.
• The data subject files objects to the processing in accordance with Article 21 section 1 of the GDPR and there are no priority legitimate grounds for processing or the data subject objects to the processing in accordance with Article 21 section 2 of the GDPR.
• Personal data has been processed unlawfully.
• Deletion of personal data is necessary to fulfill a legally imposed obligation in accordance with European Union law or the law of the Member State, to which the administrator belongs.
• Personal data was collected in connection with the services offered by the IT community in accordance with Article 8 section 1 of the GDPR.
If one of the above-mentioned reasons applies and the data subject wants to request the deletion of data stored in ACI, the data subject may (at any time) ask the employee of the entity responsible for processing to take action. A ACI employee will ensure that the deletion procedure will be carried out without any delay.
If personal data is published by ACI, and our company (as the administrator in accordance with Article 17 section 1 of the GDPR) is obliged to delete personal data, ACI (taking into account available technologies and implementation costs) will take adequate steps (also technical steps) to inform other administrators of personal data, who process published personal data, about the fact that the data subject has requested from these other personal data administrators the removal of all links to this personal data, as well as its copies and replications, unless its processing is necessary. A ACI employee will do what is necessary in individual cases.
e) The right to have the processing restricted
Each person affected by the processing of personal has the right (guaranteed by the European Legislative Authority for directives and ordinances) to request the administrator to restrict the processing if one of the following conditions is met:
• The correctness of personal data will be challenged by the data subject, namely for such a period that the administrator can check the accuracy of personal data.
• Data processing is unlawful and the data subject rejects the deletion of data and request, instead, restriction of the use of personal data.
• The administrator does not need any more personal data for processing, but the data subject needs it to investigate, enforce or defend legal claims.
• The data subject has objected to the processing of personal data in accordance with Article 21 section 1 of the GDPR and it is not yet clear whether the legitimate reasons of the administrator outweigh the legitimate reasons of the data subject. If one of the above-mentioned conditions occurs and the data subject requires the limitation of the personal data processing stored by ACI, it may at any time ask the employee of the entity responsible for processing in the matter. A ACI employee will order a limitation of data processing.
f) The right to transfer data
Each person affected by the processing of personal data has the right (guaranteed by the European Legislative Authority for directives and ordinances) to receive personal data concerning this person that has been given to the administrator, in a structured, commonly used and readable computer format. Additionally, he or she has the right to transfer this data to another administrator without obstacles on the part of the administrator, to whom the data was put at the disposal, if the processing is based on consent in accordance with Article 6 section 1 letter a of the GDPR or Article 9 section 2 letter a of the GDPR or on the agreement in accordance with Article 6 section 1 letter b of the GDPR, and the processing takes place by means of an automated procedure, provided that processing is not necessary for the realization or an obligation that is in the public interest or in connection with the exercise of public authority entrusted to the administrator.
Furthermore, the data subject, using the right to data transfer in accordance with Article 20 section 1 of the GDPR, has the right to give the consent to transfer personal data by one administrator to another administrator, as long as it is technically possible and it does not limit the rights and freedoms of other people.
In order to exercise the right to data transfer, the data subject may contact with the responsible ACI employee at any time.
g) The right to object
Each person affected by the processing of personal data has the right (guaranteed by the European Legislative Authority for directives and ordinances) to object (at an time) to the processing of personal data relating to him or her in accordance with Article 6 section 1 letter e or f of the GDPR, for reasons arising from a special situation. This also applies to profiling based on these provisions.
In the event of an objection, ACI will not process personal data, unless we will be able to demonstrate sufficient reasons, which are more important than interests, rights and freedoms of the data subject, or that the processing serves to investigate, enforce or defend legal claims.
If personal data is processed by ACI for the purpose of direct advertisement, the data subject has the right to object (at any time) to the processing of personal data for the purpose of such advertising. This also applies to profiling, as long as it is connected with such direct advertisement. If the data subject has objected to ACI for the processing of data for direct advertising purposes, ACI will no longer process personal data for these purposes.
Moreover, the data subject has the right (for reasons that arise from particular situation) to object to the processing of personal data that is processed by ACI for the purpose of scientific or historical researches or for statistical purposes pursuant to Article 89 section 1 of the GDPR, unless such processing is necessary to perform a task in the public interest.
In order to exercise the right to object, the data subject may contact any ACI employee or other employee. The data subject has the right, in the context of using IT society services (regardless of Directive 2002/58/EC), to exercise his or her right to object with the use of automated procedures and on the basis of technical specifications.
h) Automated decisions in individual cases, including profiling
Each person affected by the processing of personal data has the right (guaranteed by the European Legislative Authority for directives and ordinances) to be subject to a decision solely based on automatic processing, including profiling, which has legal effect on him or her, or in a similar manner significantly affects this person, provided that this decision (1) is not necessary for the conclusion or performance of the agreement between the data subject and the administrator, (2) is permitted by Union or Member State legislation of the administrator and these regulations provide adequate measures to protect the rights and freedoms of the data subject, or (3) it was issued with the express consent of the data subject.
If the decision is necessary (1) for the conclusion or performance of the agreement between the data subject and the administrator, or (2) it occurred with the express consent of the data subject, ACI will take appropriate measures to protect the rights, freedoms and legitimate interest of the data subject with the right (at least) to cause an intervention by the administrator to clarify the position and challenge the decision.
If the data subject would like to exercise his or her rights regarding automatic decisions, he or she may (at any time) ask the employee of the entity responsible for processing in this matter.
i) The right to withdraw consent in the field of data protection
Each person affected by the processing of personal data has the right (guaranteed by the European Legislative Authority for directives and ordinances) to revoke the consent to the processing of personal data at any time.
If the data subject would like to exercise this right to revoke his or her consent, he or she can (at any turn) ask the employee of the entity responsible for processing in this matter.
8. Data protection when applying for a job in the recruitment process
The entity responsible for processing collects and processes personal data of candidates in order to perform the recruitment process. Processing can also be done electronically. This is particularly visible when the applicant submits the relevant application documents in an electronic form, for, example, via e-mail or via the Internet form on the website, to the party responsible for data processing. If the entity responsible for the processing concludes an employment agreement with the candidate, this transferred data will be recorded in order to implement the employment relationship, taking into account statutory provisions. If no employment agreement is concluded between the party responsible for data processing and the candidate, the application documents will be automatically deleted after two months from the date of notification of the negative decision, if the removal does not prevent other legitimate interests of the entity responsible for processing. Another legitimate interest in this sense is, for example, the obligation to provide evidence in proceedings in accordance with the Equal Treatment Act (AGG).
9. Legal basis for processing
Article 6 I letter a of the GDPR serves our company as a legal basis in the processing of data, in which we request consent for specific purpose of processing. If the processing of personal data is necessary to complete an agreement, to which the data subject is a party, as in the case, foe example, in data processing processes that are necessary for the delivery of goods or the performance of another benefit or mutual consideration, the processing of data is based on Article 6 I letter b of the GDPR. This also applies to such data processing processes that are necessary to perform pre-contractual activities, for example in the case of inquiries about our products or services. If our company is subject to a legal obligation that requires the processing of personal data, such as tax obligation, then the processing of data is based on Article 6 I letter c of the GDPR. In rare cases, the processing of personal data may be necessary to protect the vital interests of the data subject or another natural person. This could happen, for example, when a quest in our facility would be injured and as a result, it would be necessary to give the doctor, hospital or other third party his or her name, age and data regarding sickness funds or other vital information. In this case, the data processing would be based on Article 6 I letter d of the GDPR. Ultimately, the data processing could be based on Article 6 I letter f of the GDPR. This legal basis serves to the data processing processes that are not included in any of the legal grounds listed above, if the processing is necessary to protect the legitimate interests of our enterprise or a third party, if the interests, fundamental rights and fundamental freedoms of the person concerned are not prevailing. Such data processing processes are especially usable, because they have been specifically mentioned by the European Union Legislator. I this respect, he represents the view that a legitimate interest would have to be assumed if the data subject is the client of the administrator (Recital 47 sentence 2 of the GDPR).
10. Legitimate interest in the data processing, which is carried out by the administrator or a third party
If the processing of personal data is based on Article 6 I letter f of the GDPR, our legitimate interest is to conduct our business activities aimed at the well-being of all our associates and shareholders.
11. The period, for which personal data is stored
The criterion determining the period for storage of personal data is the statutory period of storage. After the end of this period, the relevant data will be routinely deleted, unless it is necessary to complete or initiate the agreement.
12. Statutory and contractual provisions regarding the sharing of personal data; The need to conclude an agreement; The obligation to disclose data by the data subject; Possible consequences of not sharing
We would like to inform you that disclose of personal data is partly required by law (e.g. tax regulations) or it may also result from contractual provisions (e.g. information about a contractor). Sometimes it may be necessary to conclude an agreement that the data subject should provide us with persona data, which must consequently be processed by us. The data subject is obliged to provide his or her personal data to us, for example, when our company concludes an agreement with him or her. Failure to disclose personal data could result in the fact that the agreement with the interested party could not be concluded. Before disclosing personal data by the person concerned, he or she must contact one of our employees. Our employee will inform the person concerned, in relation to each individual case, whether disclosure of personal data is imposed by law or agreement, or whether it is necessary to conclude an agreement, is there an obligation to disclose personal data and what consequences could be connected with the failure to disclose this data.