Privacy policy

Thank you for your interest in our company. CITO FormLine GmbH values data protection highly. CITO FormLine GmbH's website(s) may, in principle, be used without any provision of personal data. If a data subject wishes to make use of particular services of our company via our website, it could, however, be necessary to process personal data. If the processing of personal data is required and there are no legal grounds for such processing, we will generally obtain the consent of the data subject.

The processing of personal data, such as the name, address, email address or telephone number of a data subject, shall always be carried out in accordance with the General Data Protection Regulation and in accordance with the country-specific data protection regulations as applicable for CITO FormLine GmbH. Via this privacy statement, our company seeks to inform the public about the nature, scope and purpose of the collected, used and processed personal data. In addition, this privacy statement will inform data subjects of their rights.

CITO FormLine GmbH, as the data controller, has implemented technical and organisational measures in order to protect the personal data processed via this website, such that the protection is as seamless as possible. In principle, however, the transmission of data via the internet can lead to security gaps, so that absolute protection cannot be guaranteed.

1. Definitions

The privacy statement of CITO FormLine GmbH is based on the terminology used by the European body issuing directives and legislation upon adoption of the General Data Protection Regulation (GDPR). Our privacy policy is designed to be easily readable and understandable for the public, as well as for our customers and business partners. In order to ensure this, we would like to explain the terminology used hereinafter.

In this privacy statement, we use the following terms, amongst others:

a) Personal Data

"Personal Data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "Data Subject"). A natural person is considered to be identifiable, directly or indirectly, in particular by means of assignment to an identifier, such as a name, an identification number, location data, Online ID or one or more specific characteristics.

b) Data Subject

The "Data Subject" is any identified or identifiable natural person whose Personal Data is processed by the Data Controller.

c) Processing

"Processing" means any operation or set of operations performed with or without the help of automated procedures, in connection with Personal Data, such as collection, obtention, storage, changing, use, distribution or any other form of provision, deletion or destruction.

d) Restriction of Processing

"Restriction of Processing" is the marking of stored Personal Data with the aim of limiting its Processing in the future.

e) Controller, or Data Controller

The "Controller", or the "Data Controller" is the natural or legal person, public authority, agency or other body which decides – alone or jointly with others – on the purposes and means of Processing the Personal Data.

f) Processors

A "Processor" is a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.

g) Recipient

A "Recipient" is a natural or legal person, public authority, agency or other body to whom the Personal Data is disclosed, regardless of whether it is a third party or not.

h) Third Party

A "Third Party" is a natural or legal person, public authority, agency or other body apart from the Data Subject, the Controller, the Processor and persons who are under the direct responsibility of the Controller or the Processor and are authorised to process the Personal Data.

i) Consent

"Consent" means any informed and unequivocal expression of will, voluntarily submitted for the specific case by the Data Subject, in the form of a declaration or any other unambiguous affirmative action, where the Data Subject makes it understood that he/she agrees to the processing of the Personal Data.

2. Name and address of the Data Controller

The Controller in the sense of the General Data Protection Regulation and of other data protection provisions of legal character is:

CITO FormLine GmbH
Carlbergergasse 38/13
1230 Wien
Austria

Tel.: +43 1 8691091
Email: info@cito-formline.at
Website: www.cito-formline.at

3. Collection of general data and information

Each time a Data Subject or an automated system accesses CITO FormLine GmbH's website, some general data and information is collected. This general data and information is saved in the log files of the server. The following may be collected: (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the website from which an accessing system arrived at our website (the "referrer"), (4) the sub-websites which are accessed via an accessing system on our website, (5) the date and time of accessing the website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system and (8) other related data and information, which serve to aid security in the event of attacks on our information technology systems.

In using this general data and information, CITO FormLine GmbH does not draw conclusions regarding the Data Subject. Rather, this information is needed in order to (1) correctly deliver the content of our website, (2) optimise the content of our website and the advertising for it, (3) ensure the long-term functional capability of our information technology systems and the technology of our website and (4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber-attack. This anonymous data and information collected will be evaluated statistically by CITO FormLine GmbH and also with the aim of increasing the level of data protection and data security in our company and, ultimately, to ensure an optimal level of protection for Personal Data processed by us.

4. Registration on our website

The Data Subject has the option of registering on the Data Controller's website, by giving Personal Data. Which Personal Data is transmitted to the Data Controller is derived from the respective input mask used for the registration process. The Personal Data entered by the Data Subject is collected and stored exclusively for internal use by the Data Controller and for our own purposes. The Data Controller may authorise transfer to one or more Processors – for example, a parcel service – who will likewise use the Personal Data exclusively for internal use, which is attributable to the Data Controller.

By registering on the Data Controller's website, the IP address assigned by the Internet Service Provider (ISP) of the Data Subject is saved, as well as the date and the time of registration. This data is stored against the backdrop of this being the only way of preventing abuse of our services, where this data enables crimes to be investigated if need be. In this respect, the storage of this data is required for the purpose of protecting the Data Controller.

The registration of the Data Subject following the voluntary disclosure of Personal Data is used by the Data Controller to offer the Data Subject content or services which, due to the nature of the matter, can only be offered to registered users. Registered persons have the option of modifying the Personal Data given upon registration at any time, or of having it completely deleted from the Data Controller's database at any time.

The Data Controller shall provide each Data Subject – at any time upon request – information about what Personal Data is stored regarding the Data Subject.

5. Contact via the website

As a result of statutory provisions, CITO FormLine GmbH's website contains information which enables rapid electronic contact with our company, as well as a direct communication with us, which likewise includes a general address for electronic mail (email address). Insofar as a Data Subject contacts the Data Controller via email or via a contact form, the Personal Data communicated by the Data Subject will be automatically stored. Personal Data communicated by the Data Subject to the Data Controller in this manner will be stored for the purposes of processing or for contacting the Data Subject. This Personal Data will not be transferred to Third Parties.

6. Routine deletion and blocking of Personal Data

The Data Controller shall process and store the Personal Data of the Data Subject only for the period of time that is required to achieve the aim of the storage, or if envisaged by the European body issuing directives and regulations, or by another legislator of laws or regulations, to which the Data Controller is subject.

7. Rights of the Data Subject

a) Right to confirmation

Each Data Subject has the right – granted by the European body issuing directives and regulations – to demand from the Data Controller confirmation of whether Personal Data is being processed.

b) Right to information

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to receive information from the Controller (at any time and free of charge) about the Personal Data stored regarding his/her person and a copy of this information.

c) Right to correction

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand the correction of incorrect Personal Data relating to him/her.

d) Right to deletion

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand that the Controller delete the relevant Personal Data, insofar as one of the following reasons is applicable and to the extent that Processing is not required:

  • The Personal Data was collected (or otherwise processed) for purposes which are no longer required.
  • The Data Subject revokes his/her consent to Processing according to Article 6(1a) GDPR or Article 9(2a) GDPR, and there is a lack of any legal grounds for the Processing.
  • The Data Subject, in accordance with Article 21(1) GDPR, objects to the Processing, and there are no prevailing legitimate reasons for the Processing, or the Data Subject, in accordance with Article 21(2) GDPR, objects to the Processing.
  • The Personal Data has been processed unlawfully.
  • The Personal Data is to be deleted in order to fulfil a legal obligation, in accordance with EU law or the law of the Member States to which the Controller is subject.

e) Right to the Restriction of Processing

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to demand a Restriction of Processing by the Controller, if any of the following conditions exist:

  • The accuracy of the Personal Data is disputed by the Data Subject; this dispute must be for a period of time which allows the Controller to verify the accuracy of the Personal Data.
  • The Processing is unlawful, the Data Subject rejects the deletion of Personal Data and requires instead the restriction of the use of the Personal Data.
  • The Controller no longer requires the Personal Data for Processing purposes, whilst the Data Subject, however, requires it for the assertion, exercise or defence of legal claims.
  • The Data Subject has objected to the Processing in accordance with Article 21(1) of GDPR and it is still not clear whether the legitimate reasons of the Controller prevail over those of the Data Subject.

f) Right to data portability

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to receive the Personal Data concerning him/her, as provided by the Data Subject to a Controller, in a structured, common and machine-readable format. In addition, that Data Subject has the right to communicate this data to any other controller without interference from the Controller to whom the Personal Data were provided, insofar as the Processing is performed based on Consent pursuant to Article 6(1a) GDPR or Article 9(2a) GDPR or on a contract in accordance with Article 6(1b) GDPR, and the Processing is carried out using automated procedures, unless the Processing is necessary for the performance of a task in the public interest or in the exercise of public authority, where such authority has been transferred to the Controller.

g) Right to revocation of Consent under data protection legislation

Each Data Subject whose Personal Data is processed has the right – granted by the European body issuing directives and regulations – to revoke Consent to the Processing of Personal Data relating to him/her at any time.

8. Legal grounds for the Processing

Article 6(1a) GDPR serves as legal grounds for our company for Processing operations, whereby we obtain consent for a specific Processing purpose. If the Processing of Personal Data is required for the performance of a contract to which the data subject is party, for example, in the case of processing operations required for the delivery of goods or the provision of any other service or performance, then the Processing is based on Article 6(1b) GDPR. The same applies for such Processing operations which are required for the implementation of pre-contractual measures, such as in the case of requests for our products or services. If our company is subject to a legal obligation by which any processing of Personal Data is required, for example in order to fulfil tax obligations, then the Processing is based on Article 6(1c) GDPR. Finally, Processing may be based on Article 6(1f) GDPR. Processing operations have their legal grounds in the latter where none of the aforementioned legal grounds apply, if Processing is required in order to maintain a legitimate interest of our company or a Third Party, provided that the interests, fundamental rights and freedoms of the Data Subject do not prevail. Such Processing operations are permitted in particular when the European legislators have mentioned them especially. The legislator has taken the view that a legitimate interest could be assumed, if the Data Subject is a customer of the Controller (Recital 47 Sentence 2 of the GDPR).

9. Legitimate interests in respect of Processing pursued by the Controller or a Third Party

Where the Processing of Personal Data is based on Article 6(1f) GDPR, then our legitimate interest is in the implementation of our business activities in favour of the welfare of all our employees and our shareholders.

10. Duration for which Personal Data is stored

The criterion for the duration of the storage of Personal Data is the respective statutory retention period. After expiry of the period, the relevant data is routinely deleted if no longer required for the fulfilment of the contract or for contract negotiations.

11. Statutory or contractual provisions regarding the provision of Personal Data; necessity for conclusion of contract; requirement of the Data Subject to provide the personal data; possible consequences of non-provision

We hereby clarify that the provision of Personal Data is in part required by law (for example, tax regulations) or may also arise from contractual arrangements (e.g. information regarding the contract partner). Sometimes it may be necessary – for the purposes of contract conclusion – that a Data Subject provides us with Personal Data which must then be processed by us. The Data Subject is, for example, obliged to provide us with Personal Data, if our business enters into a contract with him/her. The non-provision of Personal Data would result in the contract not being concluded with the Data Subject.