Information obligation GDPR
1. Data Controller
Name: The Circuit GmbH
Contact Information: Oberdorf 5b, 6261 Strass im Zillertal
http://www.the-circuit.eu
2. Purpose and Legal Basis of Data Processing
In accordance with the principle of data minimization, only the data necessary for fulfilling the purpose is collected.
The collection, processing, and storage are carried out for the following purposes:
2.1. Pre-Contractual Measures, Contract Fulfillment, and Accounting
For the purpose of conducting pre-contractual measures and/or fulfilling the concluded contract
or the resulting mutual obligations. Furthermore, for accounting and bookkeeping purposes
or for the planning and management of our company.
Providing your personal data is necessary for this purpose.
Failure to provide such data would result in the inability to enter into a contract with you.
If you are not a potential contracting party, but have a contractual, personal, or economic relationship with one,
such as a representative of a legal entity, an authorized person, contact person, etc.,
you are not obligated to provide your personal data to us. However, not providing such data may prevent the
conclusion of a contract with the potential contracting party or significantly hinder contract fulfillment.
Legal Basis:
Art. 6 para. 1 lit. a GDPR (when consent is given): The processing is based on the consent provided by the data subjects.
Art. 6 para. 1 lit. b GDPR: Processing is necessary for the fulfillment of the contract and/or the execution of pre-contractual measures.
Art. 6 para. 1 lit. c GDPR: Processing is necessary for compliance with our legal obligations arising from national and Union law provisions, in particular tax law and/or the Commercial Code.
Art. 6 para. 1 lit. f GDPR: There is a legitimate interest in processing personal data of individuals who have a contractual, personal, or economic relationship with the potential contracting party / contracting party, such as a representative of a legal entity, an authorized person, contact person, etc., in order to fulfill contractual obligations towards the contracting party or to have a point of contact. Furthermore, we have a legitimate interest in processing the data for the planning and management of our company.
2.2. Human Resources Management
For job applications/job advertisements for the purpose of human resources management/planning. Processing your personal data is necessary for this purpose. Failure to provide such data would make it impossible to enter into a contract with you or to consider you as a potential applicant.
Legal Basis:
Art. 6 para. 1 lit. a GDPR (when consent is given): The processing is based on the consent provided by the data subjects.
Art. 6 para. 1 lit. b GDPR: Processing is necessary for pre-contractual measures (e.g., job interviews) or the conclusion of a contract.
Art. 6 para. 1 lit. f GDPR: There is a legitimate interest in processing personal data for the planning and management of the company.
2.3. Business Partner Database
For the purpose of creating a database of potential business partners/business partners and individuals who have a contractual, personal, or economic relationship with them (e.g., representatives of a legal entity, authorized persons, contact persons, etc.).
Legal Basis:
Art. 6 para. 1 lit. f GDPR: We have a legitimate interest in processing personal data to establish a business partner database that enables us to quickly and cost-efficiently process and handle subsequent legal transactions with the respective business partner. The database also serves to keep potential business partners and business partners in records to provide them with follow-up offers or opportunities for work.
Art. 6 para. 1 lit. a GDPR (when consent is given): The processing is based on the consent provided by you.
2.4. Marketing, Information and Advertising
For the purpose of information/advertising, especially direct advertising, for our company and our services and products (e.g., web presence).
Legal Basis:
Art. 6 para. 1 lit. a GDPR (when consent is given): The processing is based on the consent provided by you.
Art. 6 para. 1 lit. f GDPR: We have a legitimate interest in processing data to offer and advertise our company, goods, or services for the purpose of sales/promotion, image maintenance, or customer retention/care. The use of necessary cookies may be required to provide our website.
2.5. Legal Pursuit or Defense
For the purpose of legal pursuit or defense.
Legal Basis:
Art. 6 para. 1 lit. f GDPR: There is a legitimate interest in processing personal data of individuals to pursue our legal claims or defend against claims directed at us.
3. Categories of Recipients
Your data may or will be shared with the following categories of recipients: Our employees, cooperating contractual and business partners / subcontractors / processors, tax advisors, certified public accountants, auditors, payroll accountants, banks, insurers, lawyers and notaries, collection agencies, courts and authorities including tax authorities, external financiers (e.g., leasing or in case of a security assignment), IT service providers and IT support (hardware and software).
4. Storage Duration / Criteria for Determining Duration
Your personal data will only be stored by us for as long as necessary. If the contract has not yet been fulfilled or the business has not been concluded, your personal data will be stored.
In connection with a contract/business, we are currently obligated by law to retain your personal data for 7 years. Put simply, the period begins from the end of the calendar year in which the entries in the books or records were made, and for receipts, business papers, and other documents, from the end of the calendar year to which they refer; if the business year deviates from the calendar year, the deadlines run from the end of the calendar year in which the business year ends. If customs regulations are relevant to the business, personal data must be retained for 5 years, unless the respective destination country prescribes longer retention periods.
GPS data is stored on the respective local device for 7 days and automatically read every 7 days. The personal data collected as a result is subsequently stored for varying durations, and reference is made to the other sections of this point for more details.
Application documents/data of applicants will be stored by us during their evaluation or the application process. Application documents/data of applicants who are hired become part of personnel records and are stored until the termination of the employment relationship. Application documents/data of applicants whose application is rejected will be stored for seven months from the rejection of the application. With the applicant's consent, longer storage (evidence retention) for a possible future employment can be carried out.
Personal data collected and processed solely based on consent or legitimate interest will be stored until the consent is revoked or objection is raised. However, if such data remain inactive/unutilized for more than three years, they will be deleted based on the principle of storage limitation. An exception to this rule is personal data stored for the business partner database, which will be deleted after five years of inactivity.
If data is required for asserting legal claims, legal defense, or evidence purposes, it will be stored until the conclusion of the legal dispute or the expiration of the statute of limitations. Regarding cookies, please refer to the section below.
5. Data Subject Rights
In connection with your personal data, you have the following rights:
Right to information about the personal data concerning you.
Right to rectification of inaccurate personal data.
Right to erasure of personal data under certain conditions.
Right to restriction of processing under certain conditions.
Right to data portability.
Right to object to processing based on legitimate interests.
Right to withdraw consent at any time with future effect.
6. Right to Lodge a Complaint with a Supervisory Authority
If you believe that the processing of your data violates data protection laws, your data subject rights are not respected, or other data protection claims have been violated by us, you have the right to lodge a complaint with a supervisory authority. In Austria, this is the Data Protection Authority.
7. Further Processing for Another Purpose
If personal data is processed for a purpose other than the ones mentioned above, you will be informed before such processing takes place.
8. Transfer to Third Countries or International Organizations
In our company, the messaging service "WhatsApp" and Microsoft core products (e.g. Microsoft 365, OneDrive, SharePoint, Outlook, etc.) are used.
While using WhatsApp, messages are encrypted end-to-end; however, WhatsApp Ireland Limited may still receive certain personal data (e.g., contact details, name) of the data subjects. The use of the messaging service "WhatsApp" is provided for European users by WhatsApp Ireland Limited, located at 4 Grand Canal Square, Dublin 2, Ireland. Consequently, no personal data is transferred from us to a data processor/controller located in a non-EU third country.
Nevertheless, WhatsApp Ireland Limited, as part of the Facebook corporate group, utilizes the global infrastructure and data centers of Facebook Inc., located at 1 Hacker Way, CA 94025 Menlo Park, USA, and WhatsApp LLC, located at 1601 Willow Road, CA 94025 Menlo Park, USA. Therefore, it cannot be ruled out that data may be transmitted to these companies.
Microsoft
Microsoft Corporation, located at One Microsoft Way, Redmond, WA 98052-6399, USA, offers a range of products, including core products (e.g., Outlook, Word, etc.) from Microsoft 365, which are used in our company. When using online services (e.g., Outlook Exchange, OneDrive, SharePoint, etc.), Microsoft reserves the right to transfer personal data to third countries outside the European Union, especially to the USA, for storage and processing. Thus, data transmission to third-country locations cannot be excluded. For the European Economic Area and Switzerland, Microsoft Corporation has appointed Microsoft Ireland Operations, Ltd., located at One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, as its data protection representative.
The data transmission from WhatsApp Ireland Limited to WhatsApp LLC and Facebook Inc. is necessary for providing the service in accordance with Article 49 of the GDPR. Furthermore, the Facebook corporate group employs standard contractual clauses approved by the European Commission as the basis for data transfer to third countries, or, in the case of certain third countries (e.g., Switzerland) to which data transfer may occur, there is an adequacy decision of the European Commission.
Microsoft Corporation also bases its data transfer to third countries on European Commission-approved standard contractual clauses. Microsoft is certified under the EU-U.S. and the Swiss-U.S. Privacy Shield frameworks, and the associated commitments. However, Microsoft does not rely on the EU-U.S. Privacy Shield Framework as a legal basis for the transfer of personal data, following the judgment of the CJEU in Case C-311/18. In its Microsoft Products and Services Data Protection Addendum, Microsoft commits that all transfers of personal data to a third country or international organization are subject to appropriate safeguards in accordance with Article 46 of the GDPR. These safeguards are seen as adequate guarantees to ensure that the level of protection guaranteed by the GDPR is not undermined.
For more information on WhatsApp's data policy, please visit: https://www.whatsapp.com/legal/?eea=1#privacy-policy
For more information on the data privacy of Microsoft Corporation, please visit:
https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/default.aspx
https://www.microsoft.com/en-us/trustcenter/privacy/gdpr/FAQ
9. Additional Information on Data Collection not from the Data Subject
9.1. Categories of Collected Personal Data
Not all of these data categories are collected/processed/stored for every data subject. Data categories: Names, company, other business designations, contact details, especially address, email address, telephone number, etc., bank and transfer data, VAT ID number, public register data (e.g., commercial register, association register), creditworthiness data (e.g., solvency, payment default, litigation and enforcement data, insolvency proceedings, etc.), contract texts and business correspondence, performance records and case notes, billing, payment and booking data, role (e.g., managing director, contact person, etc.), project execution data, customs documents, vehicle data, driver card and GPS location data of used trucks, image recordings (e.g., photos, videos), application documents, scope of power of representation, cookies (website), insurance data, especially insurance, policy and claim numbers, decisions of courts, authorities, arbitration courts, etc., settlements, other judicial or extrajudicial dispute resolution, and processed circumstances.
9.2. Source of Personal Data
Publicly accessible registers (e.g., land register, commercial register, association register) and information sources (e.g., internet, telephone directory), transmission by credit protection associations, business partners, clients or local authorities.