Data protection declaration

Cookies are small data sets that are created during your visit to our website, stored temporarily on your system and kept ready for later retrieval. If the server of our website is called up again by your visit, your browser sends the previously transmitted cookie back to the server and can, for example, evaluate information obtained through this procedure.

Within the scope of the use of cookies, navigation on our website can be facilitated in particular.

In the cookies we use, we distinguish between

• Technically essential cookies
• Technically non-essential cookies
  • Analysis and statistics
  • Third-party content

More detailed information about the cookies we use can be found in the next sections.

Google Maps

If you plan to visit us in person, we would like to offer you the possibility via Google Maps that you can find us quickly and easily and reach us by your means of transport.

Google Maps is an Internet map service provided by Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland - hereinafter referred to as Google - which you can use to view locations of the STIWA Group, among others, online via a terminal device (PC, laptop, cell phone). By using Google my Business, you can also obtain further information about us, and you can also use Google Maps to display your route to us.

If you wish to make use of this offer, personal data will be transferred to Google and generally processed by them as an independent controller within the meaning of Art. 4 No. 7 GDPR. However, we cannot (technically) exclude that in the context of the use of Google Maps search services, which may be used by Google, requires a processing of your IP address from our systems. However, these are usually deleted 14 days after use.

Note: We would like to point out that the use of Google Maps is based exclusively on your consent.

You can find more information about data protection and the terms of use for Google Maps here:

Nähere Informationen zum Thema Datenschutz und den Nutzungsbedingungen zu Google Maps finden Sie hier: Privacy Policy – Privacy & Terms – Google

Vimeo

In order to present the STIWA Group to the outside world, to provide information about our services and products, and to provide you with the best possible content, we at STIWA Holding GmbH have also integrated videos on our website. The videos are stored via URL.

We use the service provider Vimeo.com, Inc. (330 West 34th Street, 5th Floor New York, New York 10001, USA).

If you are interested in viewing a video and have previously given your consent to do so, your browser will establish a direct connection to the Vimeo servers. Subsequently, the content of Vimeo is transmitted directly to your browser. Through this integration, Vimeo receives the information that your browser has called up the corresponding page of our website. It is irrelevant whether you have an account with Vimeo or not. In the course of the visit to Vimeo as the responsible party, there is also the use of cookies that collect personal data. Such collection of data may also occur for visitors to the Vimeo site who are not logged in or registered with Vimeo.

Further information regarding the processing of your personal data by Vimeo can be found on their privacy policy: Vimeo Privacy Policy.

We would like to expressly point out to you

• that in this context a transfer to a third country (United States of America) takes place,
• that we, STIWA Holding GmbH, are not responsible for the processing of your personal data and that we cannot influence this. As a rule, these are your IP address, technical information about your browser type, your operating system, or basic device information or session duration and
• that, if you already have an account with Vimeo, additional personal data may be processed by Vimeo.

The legal basis - as already mentioned above - is your consent pursuant to Art. 6 (1) lit. a GDPR. This consent is also obtained prior to retrieving the video, unless you have already consented during your first visit to our website. If you do not consent, it will not be possible to play the video.

We at STIWA Holding GmbH do not process any personal data from you in this context.

If you are interested in one of our training courses or if there is a need for instruction in connection with the purchase of one of our products, you can register at any time for the training course that is right for you.

The processing of personal data is carried out by STIWA Automation GmbH, STIWA AMS GmbH, STIWA Deutschland GmbH, STIWA US Inc. and STIWA Nantong Automation Machinery Production Co., Ltd, which classify themselves as joint controllers in accordance with Article 26 of the GDPR. The STIWA companies listed here have stipulated on the basis of an agreement which controller within the meaning of the EU Data Protection Regulation fulfills which obligations under data protection law. Upon request of the data subject, the essential content of this agreement can be made available.

In this context, the following personal data are processed:

• Gender
• Last name, first name
• E-mail address
• Title (optional)
• Telephone availability (optional)
• Company (optional)
• Address (optional)
• Information from remarks (optional)
• Information about qualification

The processing of the above personal data is carried out for the following purposes:

• Registration and organization to / of training courses and/or events
• Issuance of a certificate to the training participants.

Legal basis:

The processing of your personal data in connection with registration and organization is based on the legal basis of your consent pursuant to Art. 6 para. 1 lit. a. GDPR, the issuance of a certificate based on the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR (proof / documentation of qualification).

Storage period:

Personal data that we process for the above-mentioned purposes will be stored for the duration of the business relationship after the purpose has ceased to apply - provided that no legal retention periods or any legal claims oppose deletion or you already make use of withdrawal in advance - and subsequently deleted.

Recipient:

• Internally (within the STIWA Group); on an ad hoc basis if this is necessary to achieve the above-mentioned purposes; e.g., the involvement of additional specialist personnel for training.  Please note that in this case, data may also be transferred to our subsidiaries in a third country (United States of America / China) on an ad hoc basis. A third country transfer is only permitted if suitable guarantees are in place to protect your personal data. For this reason, we have recourse to standard contractual clauses of the European Commission: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
• IT service providers, insofar as they have to be used for maintenance and support of our data processing equipment on an ad hoc basis. We have concluded order processing agreements with these service providers, which obligate them to comply with legal requirements.
• Third parties (courts, auditors) insofar as this is required by law or you have given your consent to this.

Your data protection rights:

For more information on your withdrawal pursuant to Art. 7(3) GDPR, but also on the other rights you have, please see section B.

If you would like to learn more about our products and services and decide to subscribe to our software newsletter, STIWA AMS GmbH processes the following personal data:

• E-mail address
• Name, first name, title (optional)

Note: In connection with our newsletter, in order to be able to check whether the registration is really made by you, we use the double opt-in procedure for online registration. Following your registration for our newsletter, you will receive an e-mail for renewed confirmation.

In the context of the double opt-in procedure, the following data is also processed:

• Place, date and time of registration
• IP address
• E-mail address
• Name, first name, if you have also provided this on a purely voluntary basis.

Your personal data is processed for the following purpose:

• Dispatch of the software newsletter
• Execution of the double opt-in procedure

Legal basis:

The legal basis for the processing of your personal data is your consent in accordance with Art. 6 (1) lit. a GDPR and is generally not required. However, failure to provide your personal data would mean that we would not be able to send you information about products and services. The processing of your personal data in the context of the double opt-in procedure is based on the legal basis of GDPR Art. 5 para. 2. Profiling does not take place.

Retention period:

Your personal data will already be deleted after withdrawal of your voluntarily given consent - provided that there are no legal retention periods or any legal claims.

Note: Please bear in mind that, for technical reasons, it may take a few hours until the unsubscription from the newsletter is executed, so in a few exceptional cases a dispatch will take place during this period.

Recipient:

• IT service provider that we use to send the newsletter. A data processing agreement has been concluded with this service provider, which obligates it to comply with legal requirements.
• Third parties; insofar as we are legally obliged to do so or you have given your express consent.

Your data protection rights:

In connection with your consent, you have the right of revocation in accordance with Article 7 (3) GDPR. For more information on this, but also on the other rights you have, see section B.

In the context of meetings, the STIWA Group also uses virtual means of communication (Microsoft Teams web conference), in which your voice is transmitted via microphone and, if necessary, your image is also transmitted via webcam to all other meeting participants (hereinafter referred to as "online meetings"). For this purpose, we use service providers with whom - if necessary - corresponding data protection agreements have been concluded.

The respective company of the STIWA Group with which you hold a virtual meeting is responsible for processing your personal data.

We would also like to point out that the type or amount of personal data that is processed depends, on the one hand, on the functional scope of the video conferencing system itself and, on the other hand, on you as a user or meeting participant, i.e. which data you provide.

The following personal data may be processed:

• Display name
• E-mail address
• Status (optional)
• Status messages (optional)
• Profile picture (optional)
• Language
• Date and time
• Duration of the meeting
• Meeting ID
• Log files
• Phone number - event related
• Location data - event-related
• Text, audio, video and other multimedia data
• Audio or video recordings
• Shared content (including links, documents)

Note: During a videoconference, data from the microphone, a webcam, or a screen display of your end device (using the screen/content sharing function) is processed for the display of video signals, the playback of audio signals, and multimedia data; e.g., if you are giving a presentation. The meeting participant can switch the microphone and / or the camera on and off independently at his end device at any time; furthermore, the screen / content sharing function must also be actively activated and terminated by the user. In addition, the user may also have recourse to the chat function.

Your personal data is processed for the following purpose:

• Ensuring frictionless communication and conducting telephone conferences, online meetings, video conferences, training courses and webinars ("online meetings").
• Documentation and for logging (audio and/or video recording) of, among other things, questions to be clarified or results during the online meeting or for training purposes, in order to also train persons who could not participate in the online meeting afterwards or for self-study.

Legal basis:

The legal basis for the processing of your personal data is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest here lies, among other things, in ensuring functionality, frictionless communication and the conduct of online meetings with our business partners in further contractual obligations.

The processing of your personal data in the context of recordings is based on the legal basis of your consent pursuant to Art. 6 (1) lit. a GDPR. If a recording is planned, we will inform you of this in a transparent manner and obtain your consent in advance.

Data retention:

Your user data will be stored by us as long as, for example, a business relationship with you exists and subsequently no legal retention periods or any legal claims oppose deletion.

Meeting data and text, audio or video data, if no recording took place but there was processing apart from this, are automatically deleted after 90 days following the end of the online meeting.

If a recording of the online meeting took place for which you have given your consent, we store this data after the end of the online meeting until the purpose no longer applies and delete it afterwards, unless there are legal retention periods or any legal claims or you have revoked your consent in advance.

Automated decision-making pursuant to Art. 22 GDPR is not used.

Recipients:

Internally within the STIWA Group, on an ad hoc basis if this is necessary to achieve one of the purposes listed above and you have given your consent. Please note that in this case, data will also be transferred to our subsidiaries in a third country (United States of America / China). A third country transfer is only permitted if suitable guarantees are in place to protect your personal data. For this reason, we have recourse to standard contractual clauses of the European Commission: Standard contractual clauses for international transfers (europa.eu).

IT service providers who may be required to conduct online meetings or to maintain and support the data processing equipment used here. Corresponding data protection agreements have been concluded with these service providers, obliging them to comply with legal requirements.

Third parties; (e.g. external participants, courts), if we are legally obliged to do so or you have given your express consent.

Note: Within our technical capabilities, we have limited the storage locations to data centers within the EU/EEA. Thus, the processing of your personal data does not take place outside the borders of the EU/EEA. However, we cannot technically completely rule out routing or storage on servers outside the European Union at the processor Microsoft.

Note / information in line with the use of Microsoft Teams ("MS Teams"):

Should you call up the corresponding Microsoft website (https://teams.microsoft.com/) to download the necessary MS Teams software, "Microsoft" is responsible for data processing. The call of this website is only necessary for the download, if a use should/cannot be made directly and without a download via an Internet browser.

"Microsoft Teams" is a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, United States of America.

The use of MS-Teams is generally subject to the usage and data protection provisions of "Microsoft", over which the STIWA Group itself has no influence. If MS-Teams is used, the user must accept the terms of use and data protection of "Microsoft". If this is not done, the use of MS-Teams is not possible.

The data protection regulations of Microsoft can be found here: https://privacy.microsoft.com/en-us/privacystatement

The terms of use can be found here: https://www.microsoft.com/en/servicesagreement/

Furthermore, you can find further information on the subject of online services from Microsoft here: https://www.microsoft.com/en-us/trust-center/privacy/.

Microsoft Corporation, as one of our IT service providers, receives personal data from the above-mentioned in the context of Online Meeting, insofar as this is provided for in our order processing agreement with Microsoft. With the help of the concluded order processing, on the basis of EU standard contractual clauses, Microsoft is obliged to comply with the legal requirements of the applicable data protection law. A current version can be found at the following link: Licensing Documents (microsoft.com).

Your Privacy Rights:

In the case of legitimate interest, you have the right to object at any time in accordance with Art. 21, and in connection with your consent, the right of revocation in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

In the context of ever newer technologies that enable us to work even more effectively and efficiently in order to meet the requirements of our customers at best, we also use, among other things, the HoloLens2 from Microsoft in conjunction with MS Teams. This may involve the processing of personal data in the course of assembly or maintenance activities at your site, among other things.

The respective company of the STIWA Group that uses HoloLens2 is always responsible for the processing of your personal data.

In this context, the following additional personal data may be processed in addition to the personal data already listed under Section C - Item 3.3:

• Sensor data, including the respective location via GPS or WLAN.
• Biometric data, if applicable, insofar as your iris is stored in the system and used for activation.

Your personal data is processed for the following purpose:

• Facilitation or improvement of the employee's activities, including in the context of instructions via data glasses during maintenance work, fault analysis without the need for physical presence at the customer's site or training / instruction. 
• Making operational processes more effective.

Legal basis:

The legal basis for the processing of your personal data is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR. The legitimate interest in this case lies, among other things, in ensuring functionality and a cost-efficient implementation of contractual obligations in the context of maintenance or repair work.

The legal basis for the processing of your personal data in the context of audio or video recordings is your freely given consent pursuant to Art. 6 para. 1 lit. a GDPR, if your iris is processed to activate the terminal device, your express consent pursuant to Art. 9 para. 2 lit. a GDPR.

Storage period:

Your user data will be stored by us as long as, for example, a business relationship with you exists and subsequently no legal retention periods or any legal claims oppose deletion.

Meeting data and text, audio or video data, if no recording took place but there was processing apart from this, are automatically deleted after 90 days following the end of the online meeting.

If a recording of the online meeting took place for which you have given your consent, we store this data after the end of the online meeting until the purpose no longer applies and delete it afterwards, unless there are legal retention periods or any legal claims or you have revoked your consent in advance.

Automated decision-making pursuant to Art. 22 GDPR is not used.

Recipients:

• Internally within the STIWA Group, on an ad hoc basis if this is necessary to achieve one of the purposes listed above and you have given your consent. Please note that in this case, data will also be transferred to our subsidiaries in a third country (United States of America / China). A third country transfer is only permitted if suitable guarantees are in place to protect your personal data. For this reason, we have recourse to standard contractual clauses of the European Commission: Standard contractual clauses for international transfers (europa.eu)
• IT service providers who may be required to conduct online meetings or to maintain and support the data processing equipment used here. Corresponding data protection agreements have been concluded with these service providers, obliging them to comply with legal requirements.
• Third parties; (e.g. external participants, courts), if we are legally obliged to do so or you have given your express consent.

Note: Within our technical capabilities, we have limited the storage locations to data centers within the EU/EEA. Thus, the processing of your personal data does not take place outside the borders of the EU/EEA. However, we cannot technically completely rule out routing or storage on servers outside the European Union at the processor Microsoft.

Note / information in line with the use of MS HoloLens2.

The data protection regulations of Microsoft can be found here: https://privacy.microsoft.com/en-us/privacystatement

The terms of use can be found here: https://www.microsoft.com/en/servicesagreement/

Furthermore, you can find more detailed information about HoloLens2 from Microsoft here: HoloLens 2 Privacy | Microsoft Docs

Microsoft Corporation, as one of our IT service providers, receives personal data from the above-mentioned in the context of Online Meeting, insofar as this is provided for in our order processing agreement with Microsoft. With the help of the concluded order processing, on the basis of EU standard contractual clauses, Microsoft is obliged to comply with the legal requirements of the applicable data protection law. A current version can be found at the following link: Licensing Documents (microsoft.com).

Your data subject rights:

In the case of legitimate interest, you have the right to object at any time in accordance with Art. 21, and in connection with your consent, the right of revocation in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

If you would like to be informed about our jazz events and access our concert newsletter, STIWA Holding GmbH processes the following personal data:

• E-mail address
• Name, first name (optional)

Note: In connection with our newsletter, in order to be able to check whether the registration is really made by you, we use the double opt-in procedure for online registration. Following your registration for our newsletter, you will receive an e-mail for renewed confirmation.

In the context of the double opt-in procedure, the following data is also processed:

• Place, date and time of registration
• IP address
• E-mail address
• Name, first name, if you have also provided this on a purely voluntary basis.

Your personal data is processed for the following purpose:

• Sending the concert newsletter to inform you about our events
• Execution of the double opt-in procedure

Legal basis:

The legal basis for the processing of your personal data is your consent pursuant to Art. 6 (1) lit. b GDPR and is generally not required. However, failure to provide your personal data would result in us not being able to send you information about events.

Data retention:

Your personal data will be deleted immediately after the purpose no longer applies - in most cases, this is the case after three years after the last contact - provided that no legal retention periods or any legal claims exist, or you have already withdrawed your consent in advance.

Recipients:

• IT service provider that we use to send the newsletter. A data processing agreement has been concluded with this service provider, which obligates it to comply with legal requirements.
• Third parties; insofar as we are legally obliged to do so or you have given your express consent.

Your data protection rights:

In connection with your consent, you have the right of withdrawal in accordance with Article 7 (3) GDPR. For more information on this, but also on the other rights you have, see section B.

If we may welcome you as a guest at one of our events or if you rent one of our seminar rooms in Hagenberg, the following personal data will be processed by us, STIWA Holding GmbH:

• Name, first name
• Title
• Reachability by telephone
• E-mail address
• Content / information of your message / inquiry
• Date
• Bank details in the context of payment for tickets
• Photo / video recordings
• IP address / MAC address, duration of connection, log files (guest WLAN)

Your personal data is processed for the following purpose:

• Organization, implementation and processing of requests, ticket sales and events.
• Reporting and publication of photos / video recordings
• Provision of the guest WLAN

Legal basis:

The legal basis for the processing of your personal data as a natural person in the context of the organization, implementation and processing of requests, ticket sales and events are pre-contractual measures or a contract between you and us pursuant to Art. 6 para. 1 lit. b GDPR. As a legal entity, the processing of your personal data in response to an inquiry on your part is based on consent pursuant to Art. 6 para. 1 lit. a GDPR, the organization, implementation and handling of the event itself on the legitimate interest of a contractual obligation pursuant to Art. 6 para. lit. f GDPR.

In the case of the processing of photos / video recordings or if you also want to use our guest WLAN, the processing is based on your consent pursuant to Art. 6 para. 1 lit. a GDPR and is therefore not required in principle. However, a non-provision would result in you not being able to use our guest WLAN, among other things.

If photos / video recordings of historical value are created (e.g. in the course of anniversaries), the long-term archiving is based on our legitimate interest pursuant to Art. 6 (1) (f) in conjunction with Art. 17 (3) (a) GDPR (note; However, the processing of your personal data is restricted in this case).

Data retantion:

In the case of an offer or the conclusion of a contract, we are obliged to store your data for seven years after the expiry of the purpose due to statutory retention periods (including §132 of the Federal Fiscal Code BAO). However, the processing is restricted.

Photos and video recordings that are of historical value to us are archived for a long period of time - in accordance with the right to freedom of expression and information (cf. Art. 17 para. 3 lit. a DSGVO) - but the processing is restricted and the protection of personal data is ensured technically and organisationally.

General photos or video recordings will be deleted immediately after the purpose no longer applies or after you have exercised your right of revocation. However, please bear in mind that print media already ordered and printed, or the photos and names used in them, will not be destroyed. Furthermore, even in the case of publication in social media and on our website, your data can never be completely deleted from a technical point of view.

Personal data that exists in connection with the provision of our guest WLAN on the basis of your consent will be stored for a period of 30 days and then deleted.

Recipients:

• Internally within the STIWA Group; on an ad hoc basis if this is necessary to achieve one of the purposes listed above. Please note that in this case, data could also be transferred to our subsidiaries in a third country (United States of America / China). A third country transfer is only permitted if suitable guarantees are in place to protect your personal data. For this reason, we have recourse to the standard contractual clauses of the European Commission: Standard contractual clauses for international transfers (europa.eu)
• Third parties (including regional and national print media / social networks, external recipients of the employee magazine Profiles); publication of photographs and reporting on events.

Other sources:

On an occasion-related basis, we receive your personal data in connection with attendance at one of our events from an external ticketing service (in this case: CTS Eventing Austria GmbH (ÖTicket)).

Your data protection rights:

In the case of legitimate interest, you have the right of objection at any time in accordance with Art. 21, and in connection with your consent, the right of withdrawal in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

If you, as our customer, supplier or business partner, are interested in our internal employee magazine "Profile" and would like it to be sent to you or if we would like to mention you in one of our articles in our magazine, STIWA Holding GmbH will process the following personal data:

• Name, first name
• Title
• Company name
• Address
• Photographs
• Information about anniversaries, career, birth, birthday, wedding or death (event-related).

Your personal data will be processed for the following purpose:

• Mailing of the employee magazine Profiles
• Creation and publication of the employee magazine (internal / external), among other things, to pass on information regarding products, services, events and to introduce people connected with STIWA
• Long-term archiving in the case of photos / information for the documentation of the company history. In this case, however, a restriction of processing takes place

Legal basis:

The legal basis for the processing of the above-mentioned personal data is your consent pursuant to Art. 6 (1) lit. a GDPR. In principle, it is not necessary to provide your personal data, however, if you do not provide it, we will not be able to send you our employee magazine Profile or pass on information on your part or about you.

If photos / video recordings of historical value are created (e.g. in the course of anniversaries), the long-term archiving is based on our legitimate interest pursuant to Art. 6 (1) f in conjunction with Art. 17 (3) a GDPR (note; However, the processing of your personal data is limited in this case).

Data retention:

The processing of your personal data for the purpose of sending and forwarding information takes place until your consent is revoked. Subsequently, the personal data processed for the purpose defined above will be deleted. Please note, however, that in the case of print media that have already been ordered or printed, revocation is unfortunately no longer possible and printed copies are still used up.

Photos / information of historical value will be archived, but we would like to explicitly inform them that in this case there will be a strict limitation of processing.

Recipients:

• Internally within the STIWA Group; on an ad hoc basis if this is necessary to achieve one of the purposes listed above. Please note that in this case, data will also be transferred to our subsidiaries in a third country (United States of America / China). A third country transfer is only permitted if suitable guarantees for the protection of your personal data are available. For this reason, we have recourse to standard contractual clauses of the European Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_de
• Service providers (in this case: printers) who have been entrusted with the mailing of the employee magazine Profile. An order processing agreement was concluded with this service provider, which obligates it to comply with legal requirements.
• IT service providers, insofar as they have to be used for maintenance and support of our data processing equipment on an ad hoc basis. Corresponding contracts (order processing contracts or, in the case of a third country transfer, standard contractual clauses of the EU Commission) have been concluded with them, obliging them to comply with legal requirements.

Your data protection rights:

In the case of legitimate interest, you have the right to object at any time in accordance with Art. 21, and in connection with your consent, the right of revocation in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

If we have aroused your interest as a future employer and you access our career portal to send us your application documents, your documents will be sent to the relevant STIWA Group company of the branches in the EU/EEA (see also section A). In this case, there is a joint controllership according to Article 26 of the European General Data Protection Regulation. These branches have determined by means of an agreement which controller within the meaning of the GDPR fulfills which obligations under data protection law. The essential content of this agreement can be made available upon request by the data subject.

Note: In the case of an application directly to our subsidiary STICHT Technologie GmbH or STIWA US Inc. this joint responsibility does not exist. In this context, the companies mentioned here are their separate controllers within the meaning of the GDPR.

In connection with their application via our career portal (Open Positions), we process the following personal data:

• First name, secound name
• E-mail address
• Availability by telephone (optional)
• Information that we receive, on the one hand, through your application documents and, on the other hand, in the course of the interview (title, nationality, gender, photo, address, cover letter, curriculum vitae, (service) certificates, information on training, qualifications and professional experience).
• If applicable, also travel data and bank details (for reimbursement of travel expenses)
• Information on the source, how you came to our attention.

If you also provide us with special categories of personal data (such as health data, religious affiliation, degree of disability) on a purely voluntary basis in the letter of application or as part of the subsequent application process, this data will only be processed if you have given us your consent to do so.

The processing of the above-mentioned personal data is carried out for the following purposes:

• Including carrying out the application process
• Evaluation of the application documents to determine whether recruitment is possible for the advertised position
• Communication and invitation to interviews
• Submission of an offer and, if applicable, reimbursement of travel expenses.
• In the event that you have given your consent for your application documents to be kept on file
• Improvement of our applicant marketing by evaluating the source

Legal basis:

The processing of your personal data in connection with applicant management is based on the legal basis of your consent pursuant to Art. 6 para. 1 lit. a. GDPR or, subsequently, on the basis of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR.

With reference to our German companies, the legal basis results from Art. 88 para. 1 GDPR in conjunction with § 26 para. 1 sentence 1 BDSG. Insofar as the data are special categories of personal data that you yourself provide to us (for example, information about a severely disabled status), the processing is based on the legal basis of Art. 9 (2) lit. b GDPR in conjunction with Section 26 (3) Federal Data Protection Act (BDSG).

The legal basis for the evaluation of the source, how they became aware of us and which contributes to the improvement of our application marketing, is our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR.

If - as already mentioned above - you also provide us with special categories of personal data, the processing will be based purely on your consent (Art. 9 Para. 2 lit. a GDPR).

If we are unable to consider you further with regard to a job offer, but you would like us to keep a record of it, the processing of your personal data is also based on a separate consent pursuant to Art. 6 Para. 1 lit. a GDPR, which you give us.

Storage period:

Your personal data will be deleted immediately after the purpose ceases to apply or after withdrawel of any consent given on your part or objection - provided that no legal retention periods, any legal claims or legal proceedings stand in the way of deletion. If no recruitment takes place, this is regularly the case 6 months after a rejection has been issued.

If travel expenses are reimbursed, we are obligated by legal retention periods (e.g. from commercial and tax retention obligations in Austria up to 7 years and in Germany up to 10 years) to store the related personal data on a limited basis.

If you have given your consent for us to store your personal data in our applicant database even after a rejection, the data will be deleted after two years unless you revoke your consent in advance.

If you sign an employment contract with us, we will store your data for the duration of the employment relationship. In this case, you will receive further information about the processing of your data in the employment relationship as soon as you start the employment relationship with us.

Recipients:

• Internally within the STIWA Group within the scope of joint responsibility (EU/EEA), transmission of application documents to requesters of the corresponding vacancies within the EU/EEA.
• IT service providers, insofar as they have to be used for the maintenance and support of our data processing equipment on an ad hoc basis For the maintenance and operation of our applicant tool, we use an external IT service provider within the EU/EEA. A contract processing agreement has been concluded with this service provider, which obligates it to comply with legal requirements.
• Third parties (including courts), to the extent legally permissible and necessary to comply with applicable law or to assert, exercise or defend legal claims

Other sources:

Apart from your application directly via the career portal (open positions) on our STIWA homepage, there is also the possibility in individual cases that your application documents are transmitted to us by career portals (including Karriere.at , DEV.Jobs), furthermore by job agencies (including ePunkt GmbH, WIPA GmbH) or educational institutions.

In the context of a direct approach to candidates on the social media platforms provided for this purpose (e.g. Xing or LinkedIn), personal data of potential applicants are processed. For our part, only publicly accessible profile data (in particular first name/last name) is processed. The processing of personal data primarily serves the purpose of searching for suitable candidates and establishing contact. In this particular case, the data processing is based on Art. 6 para. 1 lit. f GDPR. The collected data remains exclusively within the STIWA companies named above.

Note: This does not apply in the case of an application directly to our subsidiary STICHT Technologie GmbH or STIWA US Inc.

Your data subject rights:

In the case of legitimate interest, you have the right of objection at any time in accordance with Art. 21 GDPR, and in the case of consent, the right of revocation in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

If we have aroused your interest in an apprenticeship / dual study program with us at STIWA Holding GmbH or an apprenticeship with STIWA Deutschland GmbH or STICHT Technologie GmbH (DE) and you would like to apply to us, we will process the following personal data from you or your parents’ authorized:

• First name, last name
• Title
• E-mail address
• Reachability by telephone
• Address
• Information we receive from your application documents and during the interview (title, nationality, gender, photo, address, cover letter, curriculum vitae, references, information on training, qualifications and work experience).
• Photographs for public relations purposes
• Social security number to apply for subsidies
• Information on motor and mental abilities within the framework of the entrance test       

The processing of the above personal data is carried out for the following purposes:

• Organization and implementation of career orientation
• Carrying out the application procedure (evaluation of application documents to determine whether recruitment is possible for the advertised position, communication and invitation to the admission interview, submission of an offer)
• Conducting and handling the admission test and the practice day
• Instruction in work safety at the workplace
• Publication of photos for reporting and publication within the framework of the career orientation day and the practice day
• Application for subsidies and the associated apprenticeship notification (contact details; applicant data) to the relevant authority, which must be carried out before the apprenticeship contract is signed (Öster-reichische Gesellschaften.

Legal basis:

With the exception of the purpose regarding instruction in occupational safety and for applying for subsidies, the processing of your personal data or its custody authorized is based on the legal basis of consent pursuant to Art. 6 (1) lit. a GDPR. In principle, it is not necessary to provide your personal data, but in this case we cannot evaluate your application documents and subsequently consider them in the application process.

Personal data and its processing in connection with occupational safety are based on a legal requirement (including the ASchG in Austria) in accordance with Art. 6 (1) c GDPR, in connection with the application for funding on a legitimate interest in accordance with Art. 6 (1) f GDPR and are therefore necessary.

Storage period:

Personal data that we collect as part of the career orientation day and the practical day will be deleted immediately if you are no longer interested in applying to us or the processing has been withdrawed.

If a contract of employment is concluded between you and us, the personal data transmitted will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. In this case, you will receive further information about the processing of your data in the employment relationship as soon as you start this relationship with us.

If no employment contract is concluded with you, your application documents will be deleted six months after notification of the rejection decision, provided that no other legitimate interests of our company prevent deletion. A legitimate interest is, for example, the obligation to provide evidence in proceedings under the Equal Treatment Act (GlBG), among other things.

Photographs that we have taken of you or your guardians during the practice day and published as part of our public relations work are stored for a limited period of four years so that they can be used, for example, for a review of your apprenticeship training. Please bear in mind that - if a report is published in our internal employee magazine or in local print media - print media that have already been ordered and printed, or the photos and names used in them, cannot be destroyed; furthermore, even in the case of publication in social media and on our homepage, your data can never be completely deleted from a technical point of view.

Personal data that exist in connection with the application for subsidies and the associated apprenticeship end notification, are stored for 7 years in Austria (Federal Fiscal Code §132 BAO) after the purpose ceases to exist.

Recipients:

• IT service providers, insofar as these would have to be accessed on an ad hoc basis in the context of the maintenance and support of our data processing equipment. We have concluded a dataprocessing agreement with them to protect your personal data in accordance with Art. 28 GDPR.
• Service providers, among others, for the evaluation of the test results of the admission test. A contract processing agreement in accordance with Art. 28 GDPR has been concluded with them for the protection of your personal data.
• Third parties (authorities, public institutions, (vocational) schools, media); among other things, for the issuance of the apprenticeship contract / training contract, the processing of the final examination, application for funding and the associated apprenticeship notification, for summoning you to the vocational school or media for reporting and publication of photos.

Your data protection rights:

In the case of legitimate interest, you have the right of objection at any time in accordance with Art. 21 GDPR, and in the case of consent, the right of withdrawal in accordance with Art. 7 (3) GDPR. For more information on this, but also on the other rights you have, please see section B.

If we have aroused your interest in an internship or in writing your scientific paper with us, your application documents will be forwarded to the relevant STIWA Group company of the branches in Austria. In this case, there is a joint controllership according to Article 26 of the European Data Protection Regulation. These branches have stipulated by means of an agreement which responsible party within the meaning of the GDPR fulfills which obligations under data protection law. The essential content of this agreement can be made available upon request by the data subject.

In connection with your application, we process the following personal data from you or your authorized guardians

• First name, last name
• E-mail address
• Availability by telephone
• Address
• Information that we receive through your application documents and during the interview (cover letter, curriculum vitae, (service) certificates, information on training, qualifications and professional experience).

The processing of the above personal data is carried out for the following purposes:

• Including carrying out the application process
  • Evaluation of application documents
  • Communication and invitation to interviews
  • Submission of the contract and, if necessary, reimbursement of travel expenses.
• In the case of an existing consent to keep records

Legal basis:

The processing of your personal data is based on the legal basis of your consent pursuant to Art. 6 para. 1 lit. a. GDPR or subsequently on the basis of pre-contractual measures pursuant to Art. 6 para. 1 lit. b GDPR. If we cannot consider you further, but it is desired on your part that we keep them on record, the processing of your personal data is also based on a separate consent pursuant to Art. 6 para. 1 lit. a GDPR, which you give us.

Storage period:

Your personal data will be deleted immediately after the purpose has ceased to apply or after revocation of any consent you have given - provided that no statutory retention periods, any legal claims or legal proceedings stand in the way of deletion. This is regularly the case 6 months after a cancellation has been issued.

If travel expenses are reimbursed, we are obligated by legal retention periods (e.g. from commercial and tax retention obligations in Austria of up to 7 years) to store the associated personal data for a restricted period.

If you have given your consent for us to store your personal data in our applicant database even after a rejection, the data will be deleted after two years unless you revoke your consent in advance.

If you sign a contract with us, we will store your data for the duration of your internship / writing your scientific paper. In this case, you will receive further information about the processing of your data as soon as you start with us.

Recipients:

• Internally within the group (within the STIWA Group (AT) within the scope of joint controllership), transmission of application documents to requesters of the corresponding vacancy.
• IT service providers, insofar as these would have to be accessed on an ad hoc basis within the framework of the maintenance and support of our data processing equipment. We have concluded a data processing agreement with them to protect your personal data in accordance with Art. 28 GDPR.
• Third parties (third parties if this is necessary to comply with applicable law or to assert, exercise or defend legal claims (including courts, authorities, legal advisors).

Your data protection rights:

In the event of consent, you have the right of withdrawal in accordance with Art. 7 (3) GDPR. More information on this, but also on the other rights you have, can be found in section B. 

If you are interested in our STIWA Educational Content and would like to have access to our demonstration package, STIWA AMS GmbH processes the following personal data:

• Username
• IP address

Your personal data will be processed for the following purpose:

• Provision of our Educational Content

Legal basis:

The legal basis for the processing of your personal data is a contract ((user) license agreement) that you as a natural person conclude with us at STIWA AMS GmbH (Art. 6 para. 1 lit b DSGVO). The processing is necessary in this context.

Profiling does not take place.

Storage period:

Your personal data will be stored for one month after the purpose ceases to apply - provided there are no statutory retention periods or any legal claims - and then deleted immediately. 

Recipients:

• IT service provider to whom we have recourse on an ad hoc basis as part of maintenance or support. 
• Third parties; insofar as we are legally obliged to do so or you have given your express consent.

Your data protection rights:

You can find more information on this, as well as on the other rights you have, in section B. 

If you have filled out our networking form at one of our trade fair stands or during a visit on site because you are interested in becoming a future employee in one of our STIWA companies (EU/EEA) and would also like to be informed about current STIWA topics and news, we will process the following personal data from you:

• First name, secound name
• Title (optional)
• E-mail address
• Telephone contact details (optional)
• Information about your education (study / school) (optional)
• Information about your interest in STIWA and your preferred location (optional)
• Any other information you would like to share with us about yourself (optional)  

In this case, there is joint controllership in accordance with Article 26 of the European General Data Protection Regulation. These branches have concluded an agreement to determine which controller within the meaning of the GDPR fulfills which data protection obligations. The essential content of this agreement can be made available at the request of the person concerned.

The processing of the above-mentioned personal data is carried out for the following purposes:

• To contact you following our conversation in order to be able to offer you information tailored to you (e.g. a vacancy, an apprenticeship, an internship or dual studies).
• To inform you about current STIWA topics and news (STIWA Insider)

Legal basis:

The processing of your personal data in connection with the above-mentioned purposes is based in both cases on the legal basis of your consent pursuant to Art. 6 para. 1 lit. a. GDPR.

Storage period:

Personal data that we process from you for the above-mentioned purpose will be stored for 2 years after the purpose no longer applies - provided that no statutory retention periods or any legal claims oppose deletion or you already make use of revocation in advance - and subsequently deleted.

Longer storage than 2 years will only take place if you have separately consented to this.

Recipients:

• Within the group (within the STIWA Group EU/EEA); on an ad hoc basis, if this is necessary to achieve the above-mentioned purpose.
• IT service providers, insofar as they need to be used for the maintenance and support of our data pro-cessing equipment. Order processing contracts have been concluded with them, which oblige them to com-ply with legal requirements.
• Third parties (e.g. courts, authorities) insofar as we are legally obliged to do so or you have given us your consent to do so.

Your data protection rights:

In the event of consent, you have the right of withdrawal in accordance with Art. 7 (3) GDPR. More information on this, but also on the other rights you have, can be found in section B.

If you visit us personally at one of our locations, we would like to draw your attention to the fact that our premises and server rooms are under video surveillance. The processing is carried out within the framework of joint controllership in accordance with Article 26 of the European General Data Protection Regulation. The respective STIWA companies have stipulated by means of an agreement which responsible party within the meaning of the GDPR fulfills which obligations under data protection law. Upon request of the data subject, the essential content of this agreement can be made available.

In addition to the data protection declaration, you will also be made aware of this at the relevant access points to our sites by means of corresponding information signs.

We process the following personal data in connection with the video surveillance of our business premises:

• Video recording
• Date and time
• Location of the recording
• Identity of the persons concerned (if recognizable)
• Vehicle license plate number (if recognizable)

The processing of the above personal data is carried out for the following purposes:

• Encrypted video surveillance for the purpose of self-protection / domiciliary rights (protection of the organization's property as well as the employees)
• Prevention, containment and clarification of criminally relevant behavior, insofar as this affects the area of responsibility of the person responsible, with exclusive evaluation in the occasion defined by the purpose
• Assertion of claims

Legal basis:

The processing of your personal data is based on the legal basis of legitimate interest Art. 6 para. 1 lit. f GDPR or §12 para. 2f DSG and is necessary for the above purposes.

No automatic decision-making or profiling is carried out.

Storage period:

Your personal data is only stored for a period of 72 hours. Subsequently, these will be deleted automatically, unless data is required as evidence in the context of an event or in the context of the assertion of staigen legal claims.

Recipients:

• Service provider (security/doorman service), in the course of real-time monitoring of our business premises. An order processing contract has been concluded with this service provider, which obligates it to comply with legal requirements.
• Third parties (law enforcement agencies, legal and public prosecutor's office, courts or insurance companies) on an occasion-related basis for the assertion of any legal claims or settlement of damages.

Your data protection rights:

In the case of legitimate interest, you have the right of objection at any time in accordance with Art. 21 GDPR. For more information on this, please refer to section B.

To fulfill the legal requirements resulting from the Austrian Whistleblower Protection Act (HSchG), the Austrian companies of the STIWA Group and TISP Aufschließungs- und Betreibergesellschaft mbH use the whistleblower system HINTBOX.

Processing of personal data

In principle, it is possible to use our HINTBOX whistleblower system - as far as legally permissible - without providing personal data. A provision of personal data (name, first name, residence, telephone number, e-mail address, voice recording) is based explicitly on your voluntary consent.

We also do not process special categories of personal data. However, should you provide us with special categories of personal data (e.g. racial and/or ethnic origin, religious and/or ideological beliefs, trade union membership or sexual orientation), this will be done exclusively on the basis of your express consent.

The transmitted notification may also include personal data of third parties. In this case, the persons concerned will be informed and given the opportunity to comment on the matter. If this is the case, your identity will be treated confidentially and the person concerned - insofar as this is legally permissible - will not receive any information about your identity.

Should you provide us with personal data on a purely voluntary basis, the processing will be carried out for the following purposes:

• Investigation of the report submitted via the HINTBOX whistleblower system.
• Investigation of suspected violations of regulations and laws
• Initiation of any necessary legal steps and for documentation purposes

If we have any questions about your report, we will communicate exclusively via the HINTBOX whistleblower system to ensure confidentiality and protect your identity.

We do not intend to use your personal data for purposes other than those mentioned above. Should this change, we will obtain your prior consent.

Legal basis:

If you provide us with personal data in the context of using our whistleblower system HINTBOX, the processing is based on your voluntary consent pursuant to Art. 6 (1) lit a GDPR, in the case of special categories of personal data based on your explicit consent pursuant to Art. 9 (2) lit a GDPR. There is no need for this, as the use of the whistleblower system Hintbox is possible in a purely anonymized manner.

Should it be necessary or legally required in the course of the investigation / examination of the facts or the initiation of legal action that we have to process your personal data, the processing is based on legal obligations (HSchG, criminal, competition and labor law obligations) pursuant to Art. 6 (1) lit. c GDPR or the legitimate interest of the company or third parties pursuant to Art. 6 (1) lit. f GDPR, in order to prevent and detect violations within the company, to verify the lawfulness of internal processes and to maintain the integrity of the company. This also applies to personal data of third parties that are necessary or required by law to clarify the facts.

Technical implementation and security of your data

Our whistleblower system HINTBOX offers the possibility of anonymous communication via an encrypted connection. If you use the HINTBOX, your IP address and your current location will not be stored at any time. After sending a message, you will receive access data to the HINTBOX inbox so that you can continue to communicate with us in a secure manner.

We maintain appropriate technical measures to ensure data protection and confidentiality. The data you provide is stored in a secure database. All data stored in the database is encrypted by lawcode GmbH using state-of-the-art technology. An data processing agreement has been concluded with this company, which obliges it to comply with legal requirements.

Storage period:

If personal data is processed, the data is irrevocably deleted after the purpose no longer applies, unless legal retention periods or any legal claims conflict with this. In Austria, this is usually the case after 5 years following the conclusion of the internal investigation, external investigations by law enforcement authorities or a possible legal dispute.

Recipients:

• Internally within the Group (within the STIWA Group & TISP Aufschließungs- und Betreibergesellschaft mbH); on an ad hoc basis if this is necessary to achieve one of the purposes listed above. This would be the case, for example, if the investigation of your report is carried out in the country concerned. All persons authorized to inspect the data are bound to secrecy. Stored data can also only be viewed by authorized persons within the company who are free of conflicts of interest. Please note that in this case, data may also be transferred to our subsidiaries in a third country (United States of America / China) on an ad hoc basis. A third country transfer is only permitted if suitable guarantees are in place to protect your personal data. For this reason, we make use of standard contractual clauses of the European Commission: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en
• IT service provider in the context of providing our whistleblower system Hintbox (service-as-a-solution) and in the context of maintenance and support. A data processing agreement has been concluded with this in accordance with Art. 28 DSGVO.
• Third parties (including courts, authorities, the legal profession) insofar as we are legally obliged to do so or you have given your express consent.

Your data protection rights

In connection with your consent, you have the right of revocation pursuant to Art. 7(3) GDPR, and in the case of a legitimate interest, the right of objection. For more information on this, but also on the other rights you have, please see section B.

Note: Please keep in mind that according to Section 8 (9) HSchG (Austria), for the duration of an administrative or judicial proceeding or an investigation under the StPO, to protect the whistleblower or to prevent attempts to prevent, undermine, or obstruct tips or follow-up actions based on tips, recourse to the following rights is not possible:

• Right to information (§ 43 DSG, Articles 13 and 14 DSGVO),
• Right of access (§ 1 para 3 (1) and Section 44 DSG, Art. 15 DSGVO),
• Right to rectification (§ 1 para 3 (2) and Section 45 DSG, Art. 16 DSGVO),
• Right to erasure (§ 1 para. 3 (2) and § 45 DSG, Art. 17 DSGVO),
• Right to restriction of processing (§ 45 DSG, Art. 18 DSGVO),
• Right to object (Art. 21 DSGVO) as well as
• Right to notification of a personal data breach (Section 56 DSG and Art. 34 DSGVO).