PRIVACY POLICIES – NEXT SYSTEM

We, Next System Vertriebsges.m.b.H., as the controller under data protection law, take the protection of your personal data very seriously and process your data exclusively in accordance with the applicable legal provisions (in particular the GDPR).

The applicable data protection regulations serve to protect your personal data. Personal data means any information relating to an identified or identifiable natural person (e.g. name, email address, etc.).

In the following privacy policies (1. Website, 2. Customers, Business Partners and other third Parties, 3. Applicants), we would like to inform you comprehensively – in accordance with the provisions of the EU General Data Protection Regulation – about how your personal data is processed by us.

Below you will find the following Privacy Policies:

1. Privacy Policy Website – This Privacy Policy provides detailed information on how your data is processed when you visit or use our website, web shop, or newsletter.

2. Privacy Policy Customers, Business Partners, and other third Parties – this Privacy Policy provides detailed information on how your data is processed in the context of contract initiations, preparation of offers, ongoing business relationships, and the handling and fulfilment of contractual relationships.

3. Privacy Policy Applicants – this Privacy Policy provides detailed information on how your data is processed as part of the application process.

If you have any questions regarding data protection, please feel free to contact us at: datenschutz@nextsystem.at

1. Privacy Policy Website:

1.1. Explanation on the duty to inform

In the following, we, Next System Vertriebsges.m.b.H., as the “controller” under data protection law, would like to inform you, in accordance with the requirements of the EU General Data Protection Regulation, which of your personal data we process on our website, in our webshop and as part of our newsletter, why we need this data, how we use your data, whom you can contact if you have any questions and what rights you are entitled to.

Personal data is any information that relates to an identified or identifiable natural person and thus allows conclusions to be drawn about your person. 

We take the protection of your personal data seriously. Therefore, we process your data exclusively on the basis of the statutory provisions.

1.2. Controller for data processing

This Privacy Policy applies to the data processing carried out on the website www.nextsystem.at by the following controller:

Next System Vertriebsges.m.b.H.
Strohbogasse 4
1210 Vienna
Austria

Questions or inquiries related to data protection can be directed, for example, to datenschutz@nextsystem.at

1.3. Collection and storage of personal data as well as type and purpose of their use

a) Automatic data storage website and webshop

Nowadays, when you visit websites, certain information is automatically created and stored, including on this website.

The website operated by us and also the webshop operated by us are technically hosted and maintained by a third party (website host) (see point d Web hosting for more information). 

When you visit our website and our webshop, our web server automatically stores the following data: IP address, date, time, pages accessed, logs, status code, data volume, referrer, user agent and host name accessed. 

The IP addresses are stored anonymously. The anonymized IP addresses are stored for 60 days. Error logs, which record errors when accessing pages, are deleted after seven days. In addition to the error messages, these contain the accessing IP address and, depending on the error, the website accessed.

These data are processed for the following purposes:

  • Providing a comfortable use of the website
  • Ensuring smooth connection establishment
  • Evaluation of system security and stability

Legal basis: For this processing, we rely on the legal basis according to Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest is the technical maintenance of the operation of the website, improvement of the services of the website and the prevention of misuse. 

We also use cookies and analysis services in the operation of our website. You can find out more about this under points 1.5. – 1.8. of this Privacy Policy and in our cookie policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/).

b) Data processing webshop

Within the framework of our webshop, the following data – if you enter them – will be stored by us for the purpose of contract execution: first name, last name, title, company name, address, email address, telephone number, company registration number, business license, bank data, industry of the buyer.

This data is required for the performance of the contract – i.e. for the execution of your order in the webshop. Without this data, we cannot conclude the contract with you. Furthermore, we process the above data for the fulfillment of legal obligations, for the settlement of possible claims and for the assertion of claims and legal defense. 

Legal basis: The data processing is therefore based on the legal basis under Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. c GDPR (legal obligation). No data is transferred to third parties, with the exception of the transfer of credit card data to the processing bank/payment service provider for the purpose of debiting the purchase price, to the transport company/shipping company commissioned by us for the delivery of the goods and to our tax advisor for the fulfillment of our tax obligations.

In the event of a termination of the purchasing process, the data stored by us will be deleted. In the event of a conclusion of contract, all data from the contractual relationship will be stored until the expiry of the retention period under tax law (7 years). Your name, address, details of the purchased goods and the date of purchase will also be stored until the expiry of the product liability period (10 years).  

c) Processing of your personal data entered elsewhere, e.g. via the contact form.

Personal data that you otherwise transmit to us on this website, e.g. via the contact form, such as first name, last name, email address, address or other personal information in the context of submitting a form will be kept secure by us together with the time and IP address and will not be disclosed to third parties. The data you provide will be processed for the purpose of processing your request in accordance with Art. 6 para 1 lit. b GDPR and in the event that follow-up questions arise. 

In principle, the data will be deleted after six months. If a longer storage period is required for the fulfillment of your request, the data provided will be stored for this period. In the event of a legally required archiving obligation, however, we will delete the data only after this retention period has expired. 

We will not pass on this data without your consent and will only use it internally to deal with your request. 

d) Web hosting

This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This may include, in particular, IP addresses, contact details, names, website accesses and other data generated via a website.

Legal basis: The hoster is used in accordance with Art. 6 para. 1 lit. f GDPR due to our legitimate economic interest in offering our products on this website and presenting our company to the public.

To ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster. This contract is required by law because our hoster processes personal data on our behalf.

We use the following hoster:

Mittwald CM Service GmbH & Co KG
Königsberger Straße 4-6
32339 Espelkamp
Germany

www.mittwald.de

The servers of our hoster are all located in Germany.

e) Newsletter

If you register for our newsletter, we will process the data you provide as part of the newsletter registration (first name, last name, e-mail address) to send you our newsletter in order to inform you about the kind of products you have requested. If you have subscribed to our newsletter, you will receive a notification with which you must confirm your subscription. This so-called double opt-in serves to determine that the registration for our newsletter was actually made by you and not by a third party.

We also send our newsletter to existing customers and people who have expressed an interest in our products and have provided us with their contact information for this purpose.

Unsubscribing from our newsletter is possible at any time. You will find the link for this at the very bottom of every newsletter. If you unsubscribe from our newsletter, we will delete all data stored with the newsletter subscription.

We use MailChimp for our newsletter. As part of the newsletter, we transmit your data to the operator of MailChimp, which sends the newsletter to you on our behalf. The operator of MailChimp is The Rocket Science Group LLC, 675 Ponce de Leon, AVE NE, Suite 5000, Atlanta, GA 30308 USA.

MailChimp uses so-called “web beacons”, with the help of which MailChimp can check whether the sent emails have arrived, have been opened and whether links contained in the emails have been clicked. This information is stored on MailChimp’s servers and provides us with statistical evaluations regarding our newsletters. This helps us to optimize the design and content of our newsletters. MailChimp also uses this data to optimize its own services.

If you would like more privacy-related information about MailChimp, you can find it under the following link: https://www.intuit.com/privacy/statement/

Legal basis: The processing of your data within the scope of the newsletter is based on your express consent pursuant to Art. 6 para 1 lit a GDPR. You can revoke your consent at any time. 

Data transfer abroad: The headquarters of the operator of MailChimp (The Rocket Science Group LLC / Intuit Inc.) and the servers used by MailChimp are located in the USA, among other places. Your data may therefore be transferred to the USA. The transfer of personal data to the USA takes place in compliance with the requirements of the GDPR and in particular Art. 44 et seq. of the GDPR.

With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).

To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.

The provider of MailChimp, The Rocket Science Group LLC / Intuit Inc., has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023 and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.

Since The Rocket Science Group LLC is listed in the Data Privacy List, data transfer to the USA is permitted without further safeguards within the meaning of Art 46 GDPR.

More information on the data protection agreement between the USA and the EU and the adequacy decision of 10.07.2023 can be found at https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721

The Data Privacy List administered by the US Department of Commerce, which you can use to check whether a US company is certified in accordance with the adequacy decision of 10.07.2023, can be found at https://www.dataprivacyframework.gov/s/participant-search.

– MailChimp data processing agreement (DPA)

We have concluded a data processing agreement (DPA) with MailChimp within the meaning of Article 28 of the General Data Protection Regulation (GDPR). 

Such an agreement is required by law because MailChimp processes personal data on our behalf. It clarifies that MailChimp may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the order data processing agreement (DPA) at: https://mailchimp.com/en/legal/data-processing-addendum/

1.4. Disclosure of personal data to third parties

Your personal data will only be transferred to third parties for the purposes listed below. 

a) Disclosure of data to third parties

We will only share your personal data with third parties if 

  • you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR
  • this is necessary for the performance of a contract with you according to Art. 6 para. 1 lit. b GDPR
  • there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR

The data disclosed will be used exclusively for the purposes stated.

b) Transfer of personal data to third countries

In some cases, when you visit our website, use our webshop or in the context of our newsletter, personal data is transferred to third countries, i.e. a country outside the European Economic Area (EEA). This only occurs under the conditions of Art. 44 et seq. GDPR.

In this Privacy Policy, we inform you when and how we transfer personal data to third countries and under what conditions such a transfer is permitted.

The EU Commission can determine that certain countries outside the European Economic Area offer an adequate level of protection for personal data by means of a so-called adequacy decision in accordance with Article 45 GDPR. If such an adequacy decision exists, the controller may transfer data to this third country without the need for further safeguards in accordance with Article 46 et seq. of the GDPR.

If there is no adequacy decision by the EU Commission for a third country in accordance with Article 45 GDPR (so-called unsafe third countries), we will only transfer your personal data under the conditions of Article 46 or Article 49 GDPR, for example if

  • sufficient safeguards are provided by the recipient in accordance with Art. 46 GDPR for the protection of the personal data
  • you have expressly consented to the transfer, after we have informed you about the risks, in accordance with Art. 49 para. 1 lit. a GDPR
  • the transfer is necessary for the fulfillment of contractual obligations between you and us (Art. 49 para. 1 lit. b GDPR).

Safeguards according to Art. 46 GDPR can be, for example, so-called standard contractual clauses. With these standard contractual clauses, the recipient undertakes to protect the data in such a way that a level of protection comparable to the GDPR is achieved.

– Transfer of data to the USA

With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023 (so-called EU-U.S. Data Privacy Framework), the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. 

Data can be transferred to US companies or other data recipients in the US on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search). If a recipient in the US is not listed in the Data Privacy List, a transfer based on Art. 45 GDPR is not permitted.

To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.

More information about the EU-US Data Privacy Framework can be found at https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.

1.5. Google Tag Manager

We use cookies to make your visit to our website more user-friendly, to personalize content and ads, and to analyze visits to our website (see point 1.6. Cookies for more information). To manage and set them, we use Google Tag Manager, which we explain here below:

a) Google Tag Manager

– Summary

Google Tag Manager is used on our website to organize the management and setting of cookies that require consent. The Google Tag Manager does not store any data itself. The data is collected by the tags of the web analytics tools used. The storage period of the collected data depends on the web analytics tool used. The legal basis for the processing is Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interests).

– What is Google Tag Manager?

For our website we use the Google Tag Manager of the company Google LLC. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This tag manager is one of many helpful marketing products from Google. Through the Google Tag Manager, we can centrally incorporate and manage code sections from various tracking tools that we use on our website. 

In this Privacy Policy, we want to explain in more detail what Google Tag Manager does, why we use it, and in what form data is processed.

Google Tag Manager is an organizational tool that allows us to embed and manage website tags centrally and through a user interface. Tags are small sections of code that, for example, record (track) your activities on our website. For this purpose, JavaScript code sections are inserted into the source code of our page. The tags often come from Google-internal products such as Google Ads or Google Analytics, but tags from other companies can also be included and managed via the manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, embed buttons, set cookies and also track users across multiple websites.

– Why do we use Google Tag Manager for our website?

As the saying goes: organization is half the battle! And of course this also applies to the maintenance of our website. In order to make our website as good as possible for you and all the people who are interested in our products and services, we need various tracking tools such as Google Analytics. The collected data from these tools show us what you are most interested in, where we can improve our services and which people we should still show our offers to. And for this tracking to work, we need to embed appropriate JavaScript codes into our website. In principle, we could include each code section of each tracking tool separately in our source code. However, this requires quite a lot of time and it is easy to lose track. That is why we use the Google Tag Manager. We can easily incorporate the necessary scripts and manage them from one place. Moreover, Google Tag Manager offers an easy-to-use interface and you do not need any programming skills. This is how we manage to keep order in our tag jungle.

– What data is stored by Google Tag Manager?

The Tag Manager itself is a domain that does not set any cookies or store any data. It acts as a mere “manager” of the implemented tags. The data is collected by the individual tags of the various web analysis tools. The data is virtually passed through to the individual tracking tools in the Google Tag Manager and is not stored.

However, the situation is completely different with the embedded tags of the various web analysis tools, such as Google Analytics. Depending on the analysis tool, various data about your web behavior is usually collected, stored and processed with the help of cookies. For this, please read our privacy texts on the individual analysis and tracking tools that we use on our website.

In the Tag Manager account settings, we have allowed Google to receive anonymized data from us. However, this concerns only the usage of our Tag Manager and not your data stored via the code sections. We allow Google and others to receive selected data in anonymized form. We thus consent to the anonymous sharing of our website data. Despite long research, we could not find out exactly which summarized and anonymous data is forwarded. In any case, Google deletes all information that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking involves comparing your own results with those of your competitors. Processes can be optimized on the basis of the information collected.

– How long and where is the data stored?

When Google stores data, this data is stored on Google’s own servers. The servers are distributed all over the world. Most of them are located in America. At https://www.google.com/about/datacenters/locations/?hl=en you can read exactly where the Google servers are located. How long the individual tracking tools store data from you can be found in our individual privacy texts for the individual tools.

– How can I delete my data or prevent data storage?

The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. In our privacy texts for the individual tracking tools, you will find detailed information on how to delete or manage your data.

Please note that when using this tool, data from you may also be stored and processed outside the EU. Third countries for which there is no adequacy decision by the EU Commission within the meaning of Art. 45 GDPR are not considered secure under current European data protection law. Data may therefore not simply be transferred to insecure third countries and stored and processed there unless there are suitable safeguards (such as EU standard contractual clauses) between us and the non-European service provider.

– Legal basis

The use of Google Tag Manager requires your consent, which we have obtained with our Cookie Consent Banner. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data as it may occur during the collection by web analytics tools.

In addition to consent, there is a legitimate interest on our part to analyze the behavior of website visitors and thus to improve our offer technically and economically. With the help of Google Tag Manager, we can improve our economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). Nevertheless, we only use the Google Tag Manager if you have given your consent.

Google also processes data from you in the USA, among other places. 

With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).

To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.

The provider of Google Tag Manager, Google LLC, has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023 and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.

Furthermore, Google uses so-called standard contractual clauses. Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in third countries for which there is no adequacy decision within the meaning of Art 45 GDPR. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: 

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/en/adsprocessorterms/.

If you want to learn more about Google Tag Manager, we recommend the FAQs at https://support.google.com/tagmanager/?hl=en#topic=3441530.

– Data processing agreement (DPA) Google Tag Manager

We have concluded a data processing agreement (DPA) with Google within the meaning of Article 28 of the General Data Protection Regulation (GDPR).

Such an agreement is required by law because Google processes personal data on our behalf. It clarifies that Google may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the data processing agreement (DPA) at https://business.safety.google/adsprocessorterms/.

1.6. Cookies

Cookies are small text files that are temporarily stored on your terminal device (smartphone, PC, etc.) with the help of the browser. The use of cookies serves to make the visit to our website more user-friendly, to personalize content and ads and to analyze access to our website. 

For further information on cookies and in particular on the cookies used on our website, please refer to our Cookie Policy (available at https://www.nextsystem.at/cookie-policy-eu/?lang=en) and to points 1.7 – 1.8 of this Privacy Policy.

Some cookies remain stored on your terminal device until you delete them. They allow us to recognize your browser on your next visit.

We only set cookies that are not technically necessary if you have expressly consented to their setting in our Cookie Consent Banner (Art. 6 para. 1 lit. a GDPR). This banner will be displayed when you visit our website (for the first time). If you generally do not allow the setting of cookies, it may be that some functions and pages do not work as expected.

You have the option to manage your consent settings in our Cookie Policy (available under https://www.nextsystem.at/cookie-policy-eu/?lang=en) in point 7. Consent.

Furthermore, if you do not wish cookies to be set, you can configure your browser so that it informs you about the setting of cookies and you allow this only in individual cases. You can delete cookies that are already on your computer or disable cookies at any time. The procedure for doing this varies by browser. It is best to search for the instructions in Google with the search term “delete cookies chrome” or “disable cookies chrome” in the case of a Chrome browser, or replace the word “chrome” with the name of your browser, e.g. edge, firefox, safari.

1.7. Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google LLC (“Google”). For the member states of the European Union, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics uses so-called cookies (see point 1.6. of this Privacy Policy), i.e. text files that are stored on your computer to enable an analysis of the use of the website. For example, information on the operating system, the browser, your IP address, the website you previously visited (referrer URL) and the date and time of your visit to our website are collected. The information generated by the cookies is transferred to a Google server and stored there.

Further information on the cookies set by Google Analytics can be found in our cookie policy (available at https://www.nextsystem.at/cookie-policy-eu/?lang=en/)

We use the information generated by Google Analytics to evaluate the use of the website in order to compile reports about the activities on our website. We use this information solely for the purposes of our own market research and to optimize the design of the website. The IP address is anonymized so that it is not possible to connect it to a user. The user data collected via cookies is automatically deleted after 14 months.

The information may be transferred to third parties if this is required by law or if third parties process this data on our behalf. The processed data may be transferred to servers in the USA and insecure third countries and processed there. 

For more information on data processing by Google, please see the Google Privacy Policy & Terms of Use: https://policies.google.com/privacy?hl=en.

Legal basis: We only use Google Analytics on our website if you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent in the Cookie Settings at any time.

With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).

To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.

The provider of Google Analytics, Google LLC, has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023, and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.

Furthermore, Google uses so-called standard contractual clauses. Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in third countries for which there is no adequacy decision within the meaning of Art 45 GDPR. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: 

https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.

– Data Processing Agreement (DPA) Google Analytics

We have concluded a data processing agreement with Google incorporating the EU standard contractual clauses for the use of Google Analytics. Such an agreement is required by law because Google processes personal data on our behalf. Through this contract, Google assures that the data is processed in accordance with the GDPR and that the protection of the rights of the data subject is guaranteed.

The link to the data processing agreement (DPA) can be found here: https://business.safety.google/adsprocessorterms/.

1.8. Complianz

We use the cookie consent technology of Complianz (hereinafter “Complianz”) on our website.

The provider of Complianz is:

Complianz B.V.
Kalmarweg 14-5
9723JG Groningen
Netherlands

Complianz helps us to obtain your consent to the use of cookies and similar technologies. Furthermore, Complianz serves to manage, store and document your consent to cookies. This information is stored by Complianz in your browser using cookies.

Storage: The data collected in this way will be deleted when the purpose of the data processing ceases to exist. The cookies set by means of Complianz have an expiration date of 365 days. The data stored by Complianz will not be disclosed to third parties. 

Legal basis: We use Complianz to be able to obtain the consent required under the GDPR and other applicable legal provisions. The legal basis for the data processing is thus processing that is necessary for compliance with a legal obligation pursuant to Article 6 (1) lit c GDPR.

For more information, please see our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/) and at https://complianz.io/legal/privacy-statement/.

1.9. Automated individual decision making (including Profiling)

We do not use any decision-making based on automated processing – including profiling – on our website within the meaning of Article 22 GDPR.

1.10. Your rights

The General Data Protection Regulation grants you extensive rights with regard to your data. You can assert these rights, for example, in writing by sending an e-mail to datenschutz@nextsystem.at. However, you are not obliged to assert your rights by means of this e-mail address. 

You have a right of access (Art 15 GDPR), i.e. a right to know whether we process your personal data and, if so, which data and how. You have a right to rectification (Art 16 GDPR) or completion of your inaccurate or incomplete personal data. Under certain circumstances, you have a right to erasure (Art 17 GDPR), a right to restriction of processing (Art 18 GDPR), a right to data portability (Art 20 GDPR) and a right to object (Art 21 GDPR).

If you have given us consent, you have the right to revoke it at any time. A revocation does not affect the lawfulness of the processing based on the consent until the revocation. 

In addition, you have a right to lodge a complaint (Art 77 GDPR) with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or another supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.

1.11. Our contact details

If you have any further questions, please feel free to contact us:

Next System Vertriebsges.m.b.H.
FN 209521 w, Commercial Court Vienna
Strohbogasse 4
1210 Vienna
Austria

Tel: +43 1 33166
datenschutz@nextsystem.at

2. Privacy Policy Customers, Business Partners, and other third Parties

2.1. Explanation on the duty to inform

In the following, we, next system Vertriebsges.m.b.H., as the “controller” under data protection law, would like to inform you, in accordance with the requirements of the EU General Data Protection Regulation, which personal data of customers, business partners and other third parties we process in the context of contract initiation, preparation of offers, ongoing business relationships, and the execution and fulfilment of contractual relationships. This Privacy Policy also explains for what purposes we require this data, how we use your data, whom you can contact if you have any questions, and what rights you possess.

Personal data is any information that relates to an identified or identifiable natural person and thus allows conclusions to be drawn about you as an individual.

2.2. Controller for data processing

Next System Vertriebsges.m.b.H.
Strohbogasse 4
1210 Vienna
Austria

Questions or inquiries related to data protection can be directed, for example, to datenschutz@nextsystem.at.

2.3. Categories of Personal Data

In the context of the processing activities described in section 2.4, we process in particular the following types and categories of personal data:

  • Name
  • Salutations
  • Gender
  • Address
  • Email address
  • Telephone number
  • Account number / banking details
  • VAT identification number

The specific data we process depends on the nature of your inquiry and the type and content of the cooperation or contractual relationship.

2.4. Purpose and Legal Basis of the Data Processing

The processing of personal data (see section 2.3) is carried out for the following purposes:

  • Responding to inquiries
  • Preparing offers
  • Processing orders
  • Customer support
  • Handling complaints
  • Managing contracts with customers and business partners
  • Making deliveries / tracking and monitoring deliveries
  • Fulfilling contractual obligations
  • Issuing and sending invoices / dunning procedures

Legal basis for these processing activities: Performance of a contract or taking steps prior to entering into a contract at the request of the data subject (Article 6(1)(b) GDPR)

  • Accounting and ongoing bookkeeping
  • Responding to official inquiries and complying with other legal obligations

Legal basis for these processing activities: Compliance with legal obligations (Article 6(1)(c) GDPR)

  • Credit checks / application for default insurance
  • Internal controlling
  • Establishment, exercise or defense of legal claims

Legal basis for these processing activities: Legitimate interests pursued by the controller (Article 6(1)(f) GDPR)

    • With regard to the processing of data in connection with credit checks and the application for default insurance, the legitimate interest of the controller lies in the ability to assess the risk of payment defaults and, if necessary, mitigate such risks.
    • With regard to the processing of data in connection with internal controlling, the legitimate interest of the controller lies in the ability to assess its own economic activities, to plan for the future, and to make informed business decisions.
    • With regard to the processing of data in connection with the assertion, exercise or defense of legal claims, the legitimate interest of the controller lies in enforcing its own claims or defending itself against unfounded claims.

For the purposes mentioned above, we primarily process the personal data that you yourself provide to us, for example when making an inquiry or when concluding a contract, such as your name, address, or banking details. Providing this data is, of course, voluntary. In some cases, however, providing this data may be necessary in order to enter into or perform a contract. Failure to provide such data may result in us being unable to conclude the relevant contract with you. We further process personal data as part of the performance of the contract. In certain cases, personal data may also be obtained from third parties (for example, insolvency registers, creditworthiness information from creditor protection associations, etc.).

2.5. Disclosure of Personal Data of Customers, Business Partners and other third Parties

For the purposes mentioned above, your personal data may in specific cases be disclosed to the following categories of recipients:

  • Processors (e.g. SAP support, IT service providers)
  • Public authorities within the scope of their statutory responsibilities
  • Banks and payment service providers
  • Lawyers, tax advisors and auditors engaged by the controller
  • Insurance companies
  • Suppliers and delivery service providers

Your personal data will only be disclosed to third parties on the basis of the GDPR, in particular for the performance of a contract (Article 6(1)(b) GDPR), based on your prior consent (Article 6(1)(a) GDPR), to comply with a legal obligation (Article 6(1)(c) GDPR), or where the processing is necessary for the purposes of the legitimate interests pursued by the controller (Article 6(1)(f) GDPR). The data disclosed will be used exclusively for the purposes outlined in section 2.4.

2.6. Retention Period

Generally, your personal data is retained only for as long as is necessary to achieve the purposes outlined in section 2.4, or for as long as statutory retention obligations exist or limitation periods for potential legal claims have not yet expired. The following applies to the deletion of the specific data categories described below:

  • Data of prospective customers is deleted from the ERP system after one year if the inquiry is not pursued further or if there is no longer a relevant interest on the part of the prospective customer.
  • Data of companies that have gone bankrupt is anonymised in the ERP system within one week.
  • Project documents are retained for the entire duration of the project and are destroyed after the end of the project, taking into account the applicable warranty periods. Documents related to order processing are destroyed after seven years.
  • Accounting records (tax-related and business-relevant documents) are destroyed after the expiry of the statutory retention periods.

2.7. Your rights

The General Data Protection Regulation grants you extensive rights with regard to your data. You can assert these rights, for example, in writing by sending an e-mail to datenschutz@nextsystem.at. However, you are not obliged to assert your rights by means of this e-mail address. 

You have a right of access (Art 15 GDPR), i.e. a right to know whether we process your personal data and, if so, which data and how. You have a right to rectification (Art 16 GDPR) or completion of your inaccurate or incomplete personal data. Under certain circumstances, you have a right to erasure (Art 17 GDPR), a right to restriction of processing (Art 18 GDPR), a right to data portability (Art 20 GDPR) and a right to object (Art 21 GDPR).

If you have given us consent, you have the right to withdraw it at any time. A withdrawal of consent does not affect the lawfulness of the processing based on the consent until the withdrawal.

In addition, you have a right to lodge a complaint (Art 77 GDPR) with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or another supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.

2.8. Our contact details

If you have any further questions, please feel free to contact us:

Next System Vertriebsges.m.b.H.
FN 209521 w, Commercial Court Vienna
Strohbogasse 4
1210 Vienna
Austria

Tel: +43 1 33166
datenschutz@nextsystem.at

3. Privacy Policy Applicants

3.1. Explanation on the duty to inform

In the following, we, next system Vertriebsges.m.b.H., as the “controller” under data protection law, would like to inform you, in accordance with the requirements of the EU General Data Protection Regulation, which of your personal data we process in the event of a job application. This Privacy Policy also explains for what purposes we require this data, how we use your data, whom you can contact if you have any questions, and what rights you have.

This Privacy Policy is addressed to individuals (hereinafter referred to as “applicants”) who apply to us either in response to a job advertisement or by submitting an unsolicited application, and whose data we process in the course of the application process.

Personal data is any information that relates to an identified or identifiable natural person and thus allows conclusions to be drawn about your person.

3.2. Controller for data processing

Next System Vertriebsges.m.b.H.
Strohbogasse 4
1210 Vienna
Austria

Questions or inquiries related to data protection can be directed, for example, to datenschutz@nextsystem.at.

3.3. Purpose and legal basis of the data processing / Categories of personal data

The processing of your personal data in connection with a job application is carried out for the following purposes:

  • Recording, administering and evaluating applications for potential employment within the controller’s company
  • Selecting suitable candidates for the establishment of an employment relationship
  • Legal documentation purposes

The legal basis for these processing activities is, on the one hand, the taking of steps prior to entering into a contract (Article 6(1)(b) GDPR). On the other hand, we also process your personal data on the basis of our legitimate interests in conducting a recruitment process to identify suitable employees, as well as for evidentiary purposes in order to document compliance with our legal obligations (e.g. under the Equal Treatment Act [GlbG] and the Act on the Employment of Persons with Disabilities [BEinstG]), and in connection with the establishment, exercise or defence of legal claims.

In the course of the processing activities described, the following personal data and categories of data may be processed, among others:

  • Name
  • Academic title
  • Salutations
  • Date of birth
  • Gender
  • Nationality
  • Address
  • Telephone number
  • Email address
  • Marital status
  • Application documents (certificates, CV, cover letter)
  • Data relating to professional experience and education

The specific personal data we process depends in particular on the information you voluntarily provide to us as part of your application (e.g. cover letter, CV).

Please note that health data, information on racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or sexual orientation constitute special categories of personal data and are subject to enhanced protection. We therefore kindly ask you not to transmit such data to us.

You are under no statutory or contractual obligation to provide us with your personal data. However, if you choose not to provide any personal data, we will not be able to consider your application. The data you submit will be used exclusively for the purposes described above.

3.4. Disclosure of personal data of Applicants

The information you provide to us in the course of your application will be treated confidentially and will only be shared within the controller’s company with those persons who are involved in the specific recruitment process.

3.5. Retention period

Application documents of candidates who are rejected during the pre-selection phase without being invited to an interview will be shredded or deleted six months after rejection. Personal data of such applicants, which is recorded for the purpose of evaluating all incoming applications, will be anonymised after six months.

Personal data of applicants who are invited to an interview but are not hired will be destroyed or anonymised after three years. Documents of applicants with whom we enter into an employment relationship will be stored in their personnel file.

3.6. Your rights

The General Data Protection Regulation grants you extensive rights with regard to your data. You can assert these rights, for example, in writing by sending an e-mail to datenschutz@nextsystem.at. However, you are not obliged to assert your rights by means of this e-mail address. 

You have a right of access (Art 15 GDPR), i.e. a right to know whether we process your personal data and, if so, which data and how. You have a right to rectification (Art 16 GDPR) or completion of your inaccurate or incomplete personal data. Under certain circumstances, you have a right to erasure (Art 17 GDPR), a right to restriction of processing (Art 18 GDPR), a right to data portability (Art 20 GDPR) and a right to object (Art 21 GDPR).

If you have given us consent, you have the right to withdraw it at any time. A withdrawal does not affect the lawfulness of the processing based on the consent until the revocation. 

In addition, you have a right to lodge a complaint (Art 77 GDPR) with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or another supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.

3.7. Our contact details

If you have any further questions, please feel free to contact us:

Next System Vertriebsges.m.b.H.
FN 209521 w, Commercial Court Vienna
Strohbogasse 4
1210 Vienna
Austria

Tel: +43 1 33166
datenschutz@nextsystem.at