Privacy Policy

Introduction and Overview

We have written this Privacy Policy (version 01.02.2024-112713154) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (shortened to "data") we as data controllers – and the processors we commission (e.g., providers) – process, will process in the future, and what lawful options you have. The terms used are to be understood as gender-neutral. In short: We inform you comprehensively about the data we process about you.

Privacy policies typically sound very technical and use legal terminology. However, this privacy policy aims to describe the most important aspects as simply and transparently as possible. To promote transparency, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics are used. We inform you in clear and simple language that we only process personal data within the scope of our business activities if there is a corresponding legal basis for doing so. This is certainly not possible if one gives brief, unclear, and legally-technical explanations, as is often standard on the internet when it comes to data protection.

I hope you find the following explanations interesting and informative, and perhaps there is some information you were not previously aware of. If there are still questions, we ask you to contact the responsible office mentioned below or in the imprint, follow the available links, and view further information on third-party sites. Our contact details can also be found in the imprint.

Scope of Application

This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies commissioned by us (processors). By personal data, we mean information within the meaning of Art. 4 No. 1 GDPR, such as the name, email address, and postal address of a person. The processing of personal data ensures that we can offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy includes:
- all online presences (websites, online shops) that we operate
- social media presences and email communication
- mobile apps for smartphones and other devices
‍
In short: The Privacy Policy applies to all areas where personal data is processed in the company through the aforementioned channels in a structured manner. Should we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Bases

In the following Privacy Policy, we provide you with transparent information about the legal principles and regulations, i.e., the legal bases of the General Data Protection Regulation, that allow us to process personal data.

Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the access to EU law, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We only process your data if at least one of the following conditions applies:

Consent (Article 6 paragraph 1 lit. a GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you entered in a contact form.

Contract (Article 6 paragraph 1 lit. b GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For example, if we enter into a purchase contract with you, we need personal information in advance.

Legal obligation (Article 6 paragraph 1 lit. c GDPR): If we are subject to a legal obligation, we process your data. For example, we are legally obliged to retain invoices for accounting purposes. These usually contain personal data.

Legitimate interests (Article 6 paragraph 1 lit. f GDPR): In the case of legitimate interests that do not restrict your fundamental rights, we reserve the right to process personal data. For example, we need to process certain data to operate our website securely and economically efficiently. This processing is thus a legitimate interest.

Other conditions such as the performance of tasks carried out in the public interest or in the exercise of official authority, and the protection of vital interests, generally do not apply to us. If such a legal basis should become relevant, it will be indicated at the appropriate point.

In addition to the EU regulation, national laws also apply:

In Austria, this is the Federal Act concerning the Protection of Personal Data (Data Protection Act), abbreviated as DSG.

In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.

If further regional or national laws apply, we will inform you in the following sections.

Contact Details of the Controller

If you have any questions about data protection or the processing of personal data, you will find the contact details of the responsible person or entity below:

cmvisuals GmbH
Obere Augartenstraße 74/7, 1020 Vienna
hello@d-d.studio
+43 699 11210313
Email: hello@draussen.studio
Phone: +43 699 11210313
Imprint: https://www.draussen.studio/imprint

Storage Duration

A general criterion for us is that we only store personal data for as long as it is absolutely necessary to provide our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obligated to retain certain data even after the original purpose has ceased, for example, for accounting purposes.

If you wish for your data to be deleted or withdraw your consent to data processing, the data will be deleted as quickly as possible, provided there is no obligation to retain it.

We will inform you about the specific duration of the respective data processing further below, if we have more information on it.

Rights According to the General Data Protection Regulation

According to Article 15 of the GDPR, you have the right to know whether we process data about you. If this is the case, you have the right to receive a copy of the data and to be informed of the following:

the purpose for which we carry out the processing;
the categories, i.e., the types of data that are processed;
who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
how long the data will be stored;
the existence of the right to rectification, erasure, or restriction of processing and the right to object to the processing;
that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
the source of the data if we did not collect it from you;
whether profiling is carried out, i.e., whether data is automatically evaluated to create a personal profile of you.

According to Article 16 of the GDPR, you have the right to rectification of data, which means that we must correct data if you find errors.
According to Article 17 of the GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you can request the deletion of your data.
According to Article 18 of the GDPR, you have the right to restrict processing, which means that we may only store the data but not use it further.
According to Article 20 of the GDPR, you have the right to data portability, which means that we must provide you with your data in a common format upon request.
According to Article 21 of the GDPR, you have the right to object, which, once enforced, brings about a change in the processing.

If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you can object to the processing. We will then check as quickly as possible whether we can legally comply with this objection.
If data is used for direct marketing, you can object to this type of data processing at any time. We will then no longer be allowed to use your data for direct marketing.
If data is used for profiling, you can object to this type of data processing at any time. We will then no longer be allowed to use your data for profiling.

According to Article 22 of the GDPR, you may have the right not to be subject to a decision based solely on automated processing (e.g., profiling).
According to Article 77 of the GDPR, you have the right to lodge a complaint. This means you can contact the data protection authority at any time if you believe that the processing of your personal data violates the GDPR.

In short: You have rights – do not hesitate to contact the responsible office listed above with us!

If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority. For Austria, this is the Data Protection Authority, whose website you can find at https://www.dsb.gv.at/. In Germany, each federal state has a data protection officer. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

According to Articles 13 and 14 of the GDPR, we inform you of the following rights to ensure fair and transparent data processing:

Explanation of Used Terms

We always strive to write our privacy policy as clearly and understandably as possible. However, this is not always easy, especially with technical and legal topics. It often makes sense to use legal terms (such as personal data) or specific technical expressions (such as cookies, IP address). However, we do not want to use them without explanation. Below you will find an alphabetical list of important terms we have used, which we may not have sufficiently addressed in the existing privacy policy. If these terms are taken from the GDPR and are definitions, we will also provide the GDPR texts here and possibly add our own explanations.

Processor

Definition according to Article 4 of the GDPR

In the context of this regulation, the term:

"Processor" refers to a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

Explanation: As a company and website owner, we are responsible for all data we process from you. In addition to controllers, there may also be so-called processors. This includes any company or person that processes personal data on our behalf. Processors may therefore include service providers such as tax advisors, hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

Consent

Definition according to Article 4 of the GDPR:

In the context of this regulation, the term:

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;

Explanation: Typically, such consent on websites is obtained through a cookie consent tool. You're probably familiar with this. Whenever you visit a website for the first time, you are usually asked via a banner whether you consent to the data processing. You can usually also make individual settings and thus decide for yourself which data processing you allow and which you do not. If you do not consent, no personal data may be processed from you. In principle, consent can also be given in writing, i.e., not through a tool.

Personal data

Definition according to Article 4 of the GDPR:

In the context of this regulation, the term:

"personal data" means any information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Explanation: Personal data refers to any information that can identify you as an individual. These typically include data such as:

Name
Address
Email address
Postal address
Phone number
Date of birth
Identification numbers such as social security number, tax identification number, ID card number, or student ID number
Banking information such as account number, credit information, account balances, and more.

According to the European Court of Justice (ECJ), your IP address is also considered personal data. IT experts can use your IP address to determine at least the approximate location of your device and subsequently identify you as the subscriber. Therefore, storing an IP address also requires a legal basis under the GDPR. There are also so-called "special categories" of personal data that are particularly protected. These include:

Racial and ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data, such as data obtained from blood or saliva samples
Biometric data (information about psychological, physical, or behavioral characteristics that can identify a person)
Health data
Data concerning sexual orientation or sex life

Controller

Definition according to Article 4 of the GDPR:

In the context of this regulation, the term:

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

Explanation: In our case, we are responsible for processing your personal data and therefore the "Controller". If we transfer collected data to other service providers for processing, they are "Processors". For this, a "Data Processing Agreement (DPA)" must be signed.

Processing

Definition according to Article 4 of the GDPR:

In the context of this regulation, the term:

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

Note: When we refer to processing in our privacy policy, we mean any kind of data processing. This includes, as mentioned in the original GDPR explanation above, not only the collection but also the storage and processing of data.

All texts are protected by copyright.

Source: Created with the Privacy Policy Generator Austria by AdSimple