The controller in the meaning of the EU General Data Protection Regulation (hereinafter “GDPR”) is:
Company register number 203482p (Vienna Commercial Court)
2. Processing of personal data
The controller processes personal data transferred to it by the data subject when registering to participate for an event organized by the controller or another company in the B&C Group (e.g. the Houskapreis awards ceremony), or in connection with a business relationship with a B&C Group company. Typically, these include personal data such as title, first and last name, private and business address, date of birth, company, company register number, position, assistant, contact information (telephone numbers, e-mail addresses), payment information if required (e.g. bank account number, VAT number), website, partner and information about the B&C events to which the data subject has been invited.
If the data subject takes part in an event (e.g. the Houskapreis awards ceremony), it is possible that photographs may be taken and videos recorded in which the data subject is recognizable, and that these may be processed and published.
3. Data processing
Data are processed for the purposes of contacting the data subject, implementing the business relationship, inviting data subjects to events (e.g. the Houskapreis awards ceremony) and sending information about B&C’s activities (e.g. the B&C yearbook). The legal basis for processing is the performance of a contract or taking steps prior to entering into a contract, the fulfillment of the controller’s legal obligations and, as the case may be, a declaration of consent from the data subject, as well as the controller’s legitimate interests (Art. 6(1)(a-c) and (f) GDPR).
The processing of personal data is – subject to the following paragraph – not prescribed by law, but is necessary for the purposes specified above. If these data are not provided, or not provided in full, the data subject can no longer be contacted, and can no longer be invited to B&C events.
If, however, there is a (continuing) business relationship with the data subject, or if such a relationship is being initiated, it is necessary to process the aforementioned data for performance of the contract or to take steps prior to entering into a contract, and to fulfill the controller’s statutory obligations. If in this case the data are not provided or not provided in full, the controller might not be able to completely fulfill its contractual obligations to the data subject or its statutory obligations, and might not be able to conclude a contract with the data subject.
The data subject’s personal data will be shared with B&C Group companies. In addition, as necessary, the data subject’s personal data will be shared with external service providers (processors) such as IT service providers, event organizers or event agencies, printers, and consultants (e.g. tax consultants, auditors, and lawyers). Personal data may also be shared with courts and other authorities if required.
By providing their declaration of consent (e.g. by clicking on the corresponding checkbox) the data subject gives their consent for their personal data to be processed by the controller as described in section 2 above, for the aforementioned purposes.
If the data subject participates in one of the controller’s events, the data subject also gives their consent that photos may be taken and videos made that record their participation, and that the controller or the event agency engaged by the controller may publish these on the controller’s website, in the B&C yearbook, and on social media platforms (Facebook, LinkedIn, Twitter, YouTube) as well as publishing, possibly, the name of the data subject, their title, company name, place of business, and position at their company/institution, for the purpose of raising the profile of the prizewinners, the controller and the B&C Group. Publication on social media platforms may entail the transfer of data to the USA. The European Commission has adopted an adequacy decision in respect of the USA as a recipient state (the EU-US Privacy Shield Framework); Facebook Inc., LinkedIn Corporation, Twitter Inc. and Google LLC (the parent company of YouTube LLC) each have corresponding certification. These data are also shared with print and online media for publication, via a PR agency.
The data subject may withdraw their consent at any time, for example by sending an e-mail to email@example.com. If consent is withdrawn, the controller will no longer use these data for the stated purposes. With regard to the transfer of data to third parties, upon withdrawal of consent the controller will ensure that third parties also no longer use the data.
4. Storage period
The personal data will be erased when the purpose of processing no longer applies, or after withdrawal of consent by the data subject, unless a legitimate interest of the controller precludes this (e.g. retention of the data for purposes of evidence, such as for enforcement of or defense against legal claims, subject to the applicable limitation periods).
5. Information on the rights of the data subject
Right of access: The data subject has the right to obtain confirmation as to whether or not personal data concerning him or her are being processed.
Right to rectification: If personal data are processed that are incorrect or incomplete, the data subject has the right to have the data corrected or completed.
Right to erasure: The data subject has the right to erasure of the data without delay, on any of the following grounds:
- the personal data are no longer required for the purpose for which they were originally collected or otherwise processed;
- the data subject withdraws his or her consent and there is no other legal basis for processing;
- the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;
- the personal data have been unlawfully processed;
- erasure is necessary in order to fulfill a legal obligation, or
- the personal data were collected from a child in relation to the offer of information society services.
As outlined above, there may be grounds that preclude immediate erasure, for example where the controller is subject to a statutory retention obligation.
Right to restriction of processing: The data subject has the right to obtain restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment or defense of legal claims;
- the data subject has objected to processing, pending the verification whether the legitimate grounds of the controller override those of the data subject.
Right to data portability: The data subject has the right to receive the personal data concerning him or her, which he or she has provided, in a structured, commonly used and machine-readable format, where:
- the processing is based on the data subject’s consent or on a contract, and
- the processing is carried out by automated means.
Right to object: The data subject has the right to object to processing of personal data concerning him or her, if the controller carries out processing for performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller, or for the purposes of an overriding legitimate interest. The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. The data subject has the right to object at any time to processing for direct marketing purposes.
Exercising rights: The data subject can exercise their aforementioned rights at any time and free of charge. The controller can be contacted at the following e-mail address: firstname.lastname@example.org.
Right to lodge a complaint: If the data subject considers that the controller is in infringement of the GDPR, the data subject has the right to lodge a complaint with the competent supervisory authority (in Austria, the Austrian Data Protection Authority).
The controller does not make any use of automated decision-making, including profiling.
8. Web analytics
Our website uses functions of the Google Analytics web analytics service and Google Tag Manager. Cookies are also used to help analyse how visitors use the website. The information generated is transmitted to the provider’s server and stored there. You can block this by configuring your browser settings so that no cookies are saved. We have concluded a data processing agreement with the provider. Your IP address will be recorded, but immediately anonymised. This means that only approximate localisation is possible.