1. Explanation on the duty to inform
In the following, we, next system Vertriebsges.m.b.H., as the “controller” under data protection law, would like to inform you, in accordance with the requirements of the EU General Data Protection Regulation, which of your personal data we process on our website, in our webshop and as part of our newsletter, why we need this data, how we use your data, whom you can contact if you have any questions and what rights you are entitled to.
Personal data is any information that relates to an identified or identifiable natural person and thus allows conclusions to be drawn about your person.
We take the protection of your personal data seriously. Therefore, we process your data exclusively on the basis of the statutory provisions.
2. Controller for data processing
This privacy policy applies to the data processing carried out on the website www.nextsystem.at by the following controller:
next system Vertriebsges.m.b.H.
Strohbogasse 4
A-1210 Vienna
Austria
3. Collection and storage of personal data as well as type and purpose of their use
a) Automatic data storage website and webshop
Nowadays, when you visit websites, certain information is automatically created and stored, including on this website.
The website operated by us and also the webshop operated by us are technically hosted and maintained by a third party (website host) (see point d Web hosting for more information).
When you visit our website and our webshop, our web server automatically stores the following data: IP address, date, time, pages accessed, logs, status code, data volume, referrer, user agent and host name accessed.
The IP addresses are stored anonymously. The anonymized IP addresses are stored for 60 days. Error logs, which record errors when accessing pages, are deleted after seven days. In addition to the error messages, these contain the accessing IP address and, depending on the error, the website accessed.
These data are processed for the following purposes:
- Providing a comfortable use of the website
- Ensuring smooth connection establishment
- Evaluation of system security and stability
Legal basis: For this processing, we rely on the legal basis according to Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest is the technical maintenance of the operation of the website, improvement of the services of the website and the prevention of misuse.
We also use cookies and analysis services in the operation of our website. You can find out more about this under points 5. – 8. of this privacy policy and in our cookie policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/).
b) Data processing webshop
Within the framework of our webshop, the following data – if you enter them – will be stored by us for the purpose of contract execution: first name, last name, title, company name, address, email address, telephone number, company registration number, business license, bank data, industry of the buyer.
This data is required for the performance of the contract – i.e. for the execution of your order in the webshop. Without this data, we cannot conclude the contract with you. Furthermore, we process the above data for the fulfillment of legal obligations, for the settlement of possible claims and for the assertion of claims and legal defense.
Legal basis: The data processing is therefore based on the legal basis under Art. 6 para. 1 lit. b GDPR (contract performance) and Art. 6 para. 1 lit. c GDPR (legal obligation). No data is transferred to third parties, with the exception of the transfer of credit card data to the processing bank/payment service provider for the purpose of debiting the purchase price, to the transport company/shipping company commissioned by us for the delivery of the goods and to our tax advisor for the fulfillment of our tax obligations.
In the event of a termination of the purchasing process, the data stored by us will be deleted. In the event of a conclusion of contract, all data from the contractual relationship will be stored until the expiry of the retention period under tax law (7 years). Your name, address, details of the purchased goods and the date of purchase will also be stored until the expiry of the product liability period (10 years).
c) Processing of your personal data entered elsewhere, e.g. via the contact form.
Personal data that you otherwise transmit to us on this website, e.g. via the contact form, such as first name, last name, email address, address or other personal information in the context of submitting a form will be kept secure by us together with the time and IP address and will not be disclosed to third parties. The data you provide will be processed for the purpose of processing your request in accordance with Art. 6 para 1 lit. b GDPR and in the event that follow-up questions arise.
In principle, the data will be deleted after six months. If a longer storage period is required for the fulfillment of your request, the data provided will be stored for this period. In the event of a legally required archiving obligation, however, we will delete the data only after this retention period has expired.
We will not pass on this data without your consent and will only use it internally to deal with your request.
d) Web hosting
This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This may include, in particular, IP addresses, contact details, names, website accesses and other data generated via a website.
Legal basis: The hoster is used in accordance with Art. 6 para. 1 lit. f GDPR due to our legitimate economic interest to offer our products on this website and to present our company to the public.
To ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster. This contract is required by law because our hoster processes personal data on our behalf.
We use the following hoster:
Mittwald CM Service GmbH & Co KG
Königsberger Straße 4-6
32339 Espelkamp
Germany
www.mittwald.de
The servers of our hoster are all located in Germany.
e) Newsletter
If you register for our newsletter, we will process the data you provide as part of the newsletter registration (first name, last name, e-mail address) to send you our newsletter to inform you about the kind of products you have requested. If you have subscribed to our newsletter, you will receive a notification with which you must confirm your subscription. This so-called double opt-in serves to determine that the registration for our newsletter was actually made by you and not by a third party.
We also send our newsletter to existing customers and people who have expressed an interest in our products and have provided us with their contact information for this purpose.
Unsubscribing from our newsletter is possible at any time. You will find the link for this at the very bottom of every newsletter. If you unsubscribe from our newsletter, we will delete all data stored with the newsletter subscription.
We use MailChimp for our newsletter. As part of the newsletter, we transmit your data to the operator of MailChimp, which sends the newsletter to you on our behalf. The operator of MailChimp is The Rocket Science Group LLC, 675 Ponce de Leon, AVE NE, Suite 5000, Atlanta, GA 30308 USA.
Mailchimp uses so-called “web beacons” with the help of which MailChimp can check whether the sent emails have arrived, have been opened and whether links contained in the emails have been clicked. This information is stored on MailChimp’s servers and provides us with statistical evaluations regarding our newsletters. This helps us to optimize the design and content of our newsletters. MailChimp also uses this data to optimize its own services.
If you would like more privacy-related information about MailChimp, you can find it under the following link: https://www.intuit.com/privacy/statement/
Legal basis: The processing of your data within the scope of the newsletter is based on your express consent pursuant to Art. 6 para 1 p. 1 lit a GDPR. You can revoke your consent at any time.
Data transfer abroad: The headquarters of the operator of MailChimp (The Rocket Science Group LLC) and the servers used by MailChimp are located in the USA, among other places. Your data may therefore be transferred to the USA. The transfer of personal data to the USA takes place in compliance with the requirements of the GDPR and in particular Art. 44 et seq. of the GDPR.
With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).
To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.
The provider of MailChimp, The Rocket Science Group LLC, has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023 and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.
Since The Rocket Science Group LLC is listed in the Data Privacy List, data transfer to the USA is permitted without further safeguards within the meaning of Art 46 GDPR.
More information on the data protection agreement between the USA and the EU and the adequacy decision of 10.07.2023 can be found at https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721
The Data Privacy List administered by the US Department of Commerce, which you can use to check whether a US company is certified in accordance with the adequacy decision of 10.07.2023, can be found at https://www.dataprivacyframework.gov/s/participant-search.
– MailChimp data processing agreement (DPA)
We have concluded a data processing agreement (DPA) with MailChimp within the meaning of Article 28 of the General Data Protection Regulation (GDPR).
Such an agreement is required by law because MailChimp processes personal data on our behalf. It clarifies that MailChimp may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the data processing agreement (DPA) at: https://mailchimp.com/en/legal/data-processing-addendum/
4. Disclosure of personal data to third parties
Your personal data will only be transferred to third parties for the purposes listed below.
a) Disclosure of data to third parties
We will only share your personal data with third parties if
- you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR
- this is necessary for the performance of a contract with you according to Art. 6 para. 1 lit. b GDPR
- there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR
The data disclosed will be used exclusively for the purposes stated.
b) Transfer of personal data to third countries
In some cases, when you visit our website, use our webshop or in the context of our newsletter, personal data is transferred to third countries, i.e. a country outside the European Economic Area (EEA). This only occurs under the conditions of Art. 44 et seq. GDPR.
In this privacy policy, we inform you when and how we transfer personal data to third countries and under what conditions such a transfer is permitted.
The EU Commission can determine that certain countries outside the European Economic Area offer an adequate level of protection for personal data by means of a so-called adequacy decision in accordance with Article 45 GDPR. If such an adequacy decision exists, the controller may transfer data to this third country without the need for further safeguards in accordance with Article 46 et seq. of the GDPR.
If there is no adequacy decision by the EU Commission for a third country in accordance with Article 45 GDPR (so-called unsafe third countries), we will only transfer your personal data under the conditions of Article 46 or Article 49 GDPR, for example if
- sufficient safeguards are provided by the recipient in accordance with Art. 46 GDPR for the protection of the personal data
- you have expressly consented to the transfer, after we have informed you about the risks, in accordance with Art. 49 para. 1 lit. a GDPR
- the transfer is necessary for the fulfillment of contractual obligations between you and us (Art. 49 para. 1 lit. b GDPR).
Safeguards according to Art. 46 GDPR can be, for example, so-called standard contractual clauses. With these standard contractual clauses, the recipient assures to protect the data in such a way that a protection level of the data comparable to the GDPR is achieved.
– Transfer of data in the USA
With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023 (so-called EU-U.S. Data Privacy Framework), the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data.
Data can be transferred to US companies or other data recipients in the US on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search). If a recipient in the US is not listed in the Data Privacy List, a transfer based on Art. 45 GDPR is not permitted.
To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.
More information about the EU-US Data Privacy Framework can be found at https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
5. Google Tag manager
We use cookies to make your visit to our website more user-friendly, to personalize content and ads, and to analyze visits to our website (see point 6. Cookies for more information). To manage and set them, we use Google Tag Manager, which we explain here below:
a) Google Tag Manager
– Summary
Google Tag Manager is used on our website to organize the management and setting of cookies that require consent. The Google Tag Manager does not store any data itself. The data is collected by the tags of the web analytics tools used. The storage period of the collected data depends on the web analytics tool used. The legal basis for the processing is Art. 6 para. 1 lit. a GDPR (consent) and Art. 6 para. 1 lit. f GDPR (legitimate interests).
– What is Google Tag Manager?
For our website we use the Google Tag Manager of the company Google LLC. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This tag manager is one of many helpful marketing products from Google. Through the Google Tag Manager, we can centrally incorporate and manage code sections from various tracking tools that we use on our website.
In this privacy policy, we want to explain in more detail what Google Tag Manager does, why we use it, and in what form data is processed.
Google Tag Manager is an organizational tool that allows us to embed and manage website tags centrally and through a user interface. Tags are small sections of code that, for example, record (track) your activities on our website. For this purpose, JavaScript code sections are inserted into the source code of our page. The tags often come from Google-internal products such as Google Ads or Google Analytics, but tags from other companies can also be included and managed via the manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, embed buttons, set cookies and also track users across multiple websites.
– Why do we use Google Tag Manager for our website?
As the saying goes: organization is half the battle! And of course this also applies to the maintenance of our website. In order to make our website as good as possible for you and all the people who are interested in our products and services, we need various tracking tools such as Google Analytics. The collected data from these tools show us what you are most interested in, where we can improve our services and which people we should still show our offers to. And for this tracking to work, we need to embed appropriate JavaScript codes into our website. In principle, we could include each code section of each tracking tool separately in our source code. However, this requires quite a lot of time and it is easy to lose track. That is why we use the Google Tag Manager. We can easily incorporate the necessary scripts and manage them from one place. Moreover, Google Tag Manager offers an easy-to-use interface and you do not need any programming skills. This is how we manage to keep order in our tag jungle.
– What data is stored by Google Tag Manager?
The Tag Manager itself is a domain that does not set any cookies or store any data. It acts as a mere “manager” of the implemented tags. The data is collected by the individual tags of the various web analysis tools. The data is virtually passed through to the individual tracking tools in the Google Tag Manager and is not stored.
However, the situation is completely different with the embedded tags of the various web analysis tools, such as Google Analytics. Depending on the analysis tool, various data about your web behavior is usually collected, stored and processed with the help of cookies. For this, please read our privacy texts on the individual analysis and tracking tools that we use on our website.
In the Tag Manager account settings, we have allowed Google to receive anonymized data from us. However, this only concerns the use of our Tag Manager and not your data stored via the code sections. We allow Google and others to receive selected data in anonymized form. We thus consent to the anonymous sharing of our website data. Despite long research, we could not find out exactly which summarized and anonymous data is forwarded. In any case, Google deletes all information that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking involves comparing your own results with those of your competitors. Processes can be optimized on the basis of the information collected.
– How long and where is the data stored?
When Google stores data, this data is stored on Google’s own servers. The servers are distributed all over the world. Most of them are located in America. At https://www.google.com/about/datacenters/locations/?hl=en you can read exactly where the Google servers are located. How long the individual tracking tools store data from you can be found in our individual privacy texts for the individual tools.
– How can I delete my data or prevent data storage?
The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. In our privacy texts for the individual tracking tools, you will find detailed information on how to delete or manage your data.
Please note that when using this tool, data from you may also be stored and processed outside the EU. Third countries for which there is no adequacy decision by the EU Commission within the meaning of Art 45 GDPR are not considered secure under current European data protection law. Data may therefore not simply be transferred to unsecure third countries and stored and processed there unless there are suitable safeguards (such as EU standard contractual clauses) between us and the non-European service provider.
– Legal basis
The use of Google Tag Manager requires your consent, which we have obtained with our Cookie Consent Banner. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data as it may occur during the collection by web analytics tools.
In addition to consent, there is a legitimate interest on our part to analyze the behavior of website visitors and thus to improve our offer technically and economically. With the help of Google Tag Manager, we can improve our economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate interests). Nevertheless, we only use the Google Tag Manager if you have given your consent.
Google also processes data from you in the USA, among other places.
With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).
To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.
The provider of the Google Tag Manager, Google LLC, has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023 and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.
Furthermore, Google uses so-called standard contractual clauses. Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in third countries for which there is no adequacy decision within the meaning of Art 45 GDPR. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.
The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/en/adsprocessorterms/.
If you want to learn more about Google Tag Manager, we recommend the FAQs at https://support.google.com/tagmanager/?hl=en#topic=3441530.
– Data processing agreement (DPA) Google Tag Manager
We have concluded a data processing agreement (DPA) with Google within the meaning of Article 28 of the General Data Protection Regulation (GDPR).
Such an agreement is required by law because Google processes personal data on our behalf. It clarifies that Google may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the data processing agreement (DPA) at https://business.safety.google/adsprocessorterms/.
6. Cookies
Cookies are small text files that are temporarily stored on your terminal device (smartphone, PC, etc.) with the help of the browser. The use of cookies serves to make the visit to our website more user-friendly, to personalize content and ads and to analyze access to our website.
For further information on cookies and in particular on the cookies used on our website, please refer to our Cookie Policy (available at https://www.nextsystem.at/cookie-policy-eu/?lang=en) and to points 7 – 8 of this Privacy Policy.
Some cookies remain stored on your terminal device until you delete them. They allow us to recognize your browser on your next visit.
You have the option to manage your consent settings in our Cookie Policy (available under https://www.nextsystem.at/cookie-policy-eu/?lang=en) in point 7. Consent.
Furthermore, if you do not wish cookies to be set, you can configure your browser so that it informs you about the setting of cookies and you allow this only in individual cases. You can delete cookies that are already on your computer or disable cookies at any time. The procedure for doing this varies by browser; it is best to search for the instructions in Google with the search term “delete cookies chrome” or “disable cookies chrome” in the case of a Chrome browser, or replace the word “chrome” with the name of your browser, e.g. edge, firefox, safari.
We only set cookies that are not technically necessary if you have expressly consented to their setting in our Cookie Consent Banner. This banner will be displayed when you visit our website (for the first time). If you generally do not allow the setting of cookies, it may be that some functions and pages do not work as expected.
7. Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google LLC (“Google”). For the member states of the European Union, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics uses so-called cookies (see point 6. of this data privacy policy), i.e. text files that are stored on your computer to enable an analysis of the use of the website. For example, information on the operating system, the browser, your IP address, the website you previously visited (referrer URL) and the date and time of your visit to our website are collected. The information generated by the cookies is transferred to a Google server and stored there.
Further information on the cookies set by Google Analytics can be found in our cookie policy (available at https://www.nextsystem.at/cookie-policy-eu/?lang=en/)
We use the information generated by Google Analytics to evaluate the use of the website in order to compile reports about the activities on our website. We use this information solely for the purposes of our own market research and to optimize the design of the website. The IP address is anonymized so that it is not possible to connect it to a user. The user data collected via cookies is automatically deleted after 14 months.
The information may be transferred to third parties if this is required by law or if third parties process this data on our behalf. The processed data may be transferred to servers in the USA and insecure third countries and processed there.
For more information on data processing by Google, please see the Google Privacy Policy & Terms of Use: https://policies.google.com/privacy?hl=en.
Legal basis: We only use Google Analytics on our website if you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent in the Cookie Settings at any time.
With the adequacy decision within the meaning of Art. 45 GDPR of 10.07.2023, the EU Commission has determined that the United States guarantees an adequate level of protection – comparable to that of the European Union – for personal data. Data can be transferred to US companies on the basis of this adequacy decision without the need to introduce additional data protection safeguards if the US company to which the data is transferred is listed in the so-called Data Privacy List (available at: https://www.dataprivacyframework.gov/s/participant-search).
To be included in the Data Privacy List, the company must undertake to comply with detailed data protection obligations. The US Department of Commerce processes the certification applications and monitors whether the participating companies fulfill the certification requirements.
The provider of Google Analytics, Google LLC, has undertaken to comply with extensive data protection obligations in accordance with the EU Commission’s adequacy decision of 10.07.2023, and has accordingly been certified and included in the Data Privacy List administered by the US Department of Commerce.
Furthermore, Google uses so-called standard contractual clauses. Standard Contractual Clauses (SCCs) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to and stored in third countries. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in third countries for which there is no adequacy decision within the meaning of Art 45 GDPR. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.
– Data Processing Agreement (DPA) Google Analytics
We have concluded a data processing agreement with Google incorporating the EU standard contractual clauses for the use of Google Analytics. Such an agreement is required by law because Google processes personal data on our behalf. Through this contract, Google assures that the data is processed in accordance with the GDPR and that the protection of the rights of the data subject is guaranteed.
The link to the data processing agreement (DPA) can be found here https://business.safety.google/adsprocessorterms/.
8. Complianz
We use the cookie consent technology of Complianz (hereinafter “Complianz”) on our website.
Complianz provider is:
Complianz B.V.
Kalmarweg 14-5
9723JG Groningen
Netherlands
Complianz helps us to obtain your consent to the use of cookies and similar technologies. Furthermore, Complianz serves to manage, store and document your consent to cookies. This information is stored by Complianz in your browser using cookies.
Storage: The data collected in this way will be deleted when the purpose of the data processing ceases to exist. The cookies set by means of Complianz have an expiration date of 365 days. The data stored by Complianz will not be disclosed to third parties.
Legal basis: We use Complianz to be able to obtain the consent required under the GDPR and other applicable legal provisions. The legal basis for the data processing is thus the necessary data processing for the compliance with a legal obligation pursuant to Article 6 (1) lit c GDPR.
For more information, please see our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/) and at https://complianz.io/legal/privacy-statement/.
9. Automated individual decision making (including Profiling)
We do not use any decision-making based on automated processing – including profiling – on our website within the meaning of Article 22 GDPR.
10. Your rights
The General Data Protection Regulation grants you extensive rights with regard to your data. You can assert these rights, for example, in writing by sending an e-mail to datenschutz@nextsystem.at. However, you are not obliged to assert your rights by means of this e-mail address.
You have a right of access (Art 15 GDPR) to information about whether, and if so which of, your personal data we process and how we process it. You have a right to rectification (Art 16 GDPR) or completion of your inaccurate or incomplete personal data. Under certain circumstances, you have a right to erasure (Art 17 GDPR), a right to restriction of processing (Art 18 GDPR), a right to data portability (Art 20 GDPR) and a right to object (Art 21 GDPR).
If you have given us consent, you have the right to revoke it at any time. A revocation does not affect the lawfulness of the processing based on the consent until the revocation.
In addition, you have a right to lodge a complaint (Art 77 GDPR) with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or another supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.
11. Our contact details
If you have any further questions, please feel free to contact us:
next system Vertriebsges.m.b.H.
FN 209521 w, Commercial Court Vienna
Strohbogasse 4
1210 Vienna
Austria
Phone: +43 1 33166
datenschutz@nextsystem.at