1. Explanation on the duty to inform
In the following, we, next system Vertriebsges.m.b.H., as the “controller” under data protection law, would like to inform you, in accordance with the requirements of the EU General Data Protection Regulation, which of your personal data we process on our website, in our webshop and as part of our newsletter, why we need this data, how we use your data, whom you can contact if you have any questions and what rights you are entitled to.
Personal data is any information that relates to an identified or identifiable natural person and thus allows conclusions to be drawn about your person.
We take the protection of your personal data seriously. Therefore, we process your data exclusively on the basis of the statutory provisions.
2. Controller for data processing
This privacy policy applies to the data processing carried out on the website www.nextsystem.at by the following controller:
next system Vertriebsges.m.b.H.
Strohbogasse 4
A-1210 Vienna
Austria
3. Collection and storage of personal data as well as type and purpose of their use
a) Automatic data storage website and webshop
Nowadays, when you visit websites, certain information is automatically created and stored, including on this website.
The website operated by us and also the webshop operated by us are technically hosted and maintained by a third party (website host) (see point d Web hosting for more information).
When you visit our website and our webshop, our web server automatically stores the IP address of your device, the addresses of the subpages visited, details of your browser (e.g. Chrome, Firefox, Edge, …) and the date and time.
These data are processed for the following purposes:
- Providing a comfortable use of the website
- Ensuring smooth connection establishment
- Evaluation of system security and stability
For this processing, we rely on the legal basis according to Art. 6 (1) lit. f GDPR (legitimate interest). Our legitimate interest is the technical maintenance of the operation of the website, improvement of the services of the website and the prevention of misuse.
We also use cookies and analysis services in the operation of our website. You can find out more about this under points 5. – 8. of this privacy policy and in our cookie policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/).
b) Data processing webshop
Within the framework of our webshop, the following data – if you enter them – will be stored by us for the purpose of contract execution: first name, last name, title, company name, address, email address, telephone number, company registration number, business license, bank data, industry of the buyer.
This data is required for the performance of the contract – i.e. for the execution of your order in the webshop. Without this data, we cannot conclude the contract with you. Furthermore, we process the above data for the fulfillment of legal obligations, for the settlement of possible claims and for the assertion of claims and legal defense. The data processing is therefore based on the legal basis under Article 6 para. 1. lit b. GDPR (contract performance) and Art 6 para. 1. lit c GDPR (legal obligation). No data is transferred to third parties, with the exception of the transfer of credit card data to the processing bank/payment service provider for the purpose of debiting the purchase price, to the transport company/shipping company commissioned by us for the delivery of the goods and to our tax advisor for the fulfillment of our tax obligations.
In the event of a termination of the purchasing process, the data stored by us will be deleted. In the event of a conclusion of contract, all data from the contractual relationship will be stored until the expiry of the retention period under tax law (7 years). Your name, address, details of the purchased goods and the date of purchase will also be stored until the expiry of the product liability period (10 years).
c) Processing of your personal data entered elsewhere, e.g. via the contact form.
Personal data that you otherwise transmit to us on this website, e.g. via the contact form, such as first name, last name, email address, address or other personal information in the context of submitting a form will be kept secure by us together with the time and IP address and will not be disclosed to third parties. The data you provide will be processed for the purpose of processing your request in accordance with Art. 6 para 1 lit. b GDPR and in the event that follow-up questions arise.
In principle, the data will be deleted after six months. If a longer storage period is required for the fulfillment of your request, the data provided will be stored for this period. In the event of a legally required archiving obligation, however, we will delete the data only after this retention period has expired.
We will not pass on this data without your consent and will only use it internally to deal with your request.
d) Web hosting
This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster’s servers. This may include, in particular, IP addresses, contact details, names, website accesses and other data generated via a website.
The hoster is used in accordance with Art. 6 para. 1 lit. f GDPR due to our legitimate economic interest to offer our products on this website and to present our company to the public. To ensure data protection-compliant processing, we have concluded a data processing agreement with our hoster. This contract is required by law because our hoster processes personal data on our behalf.
We use the following hoster:
Mittwald CM Service GmbH & Co KG
Königsberger Straße 4-6
32339 Espelkamp
Germany
www.mittwald.de
e) Newsletter
If you register for our newsletter, we will process the data you provide as part of the newsletter registration (first name, last name, e-mail address) to send you our newsletter to inform you about the kind of products you have requested. If you have subscribed to our newsletter, you will receive a notification with which you must confirm your subscription. This so-called double opt-in serves to determine that the registration for our newsletter was actually made by you and not by a third party.
We also send our newsletter to existing customers and people who have expressed an interest in our products and have provided us with their contact information for this purpose.
We use MailChimp for our newsletter. As part of the newsletter, we transmit your data to the operator of MailChimp, which sends the newsletter to you on our behalf. The operator of MailChimp is The Rocket Science Group LLC, 675 Ponce de Leon, AVE NE, Suite 5000, Atlanta, GA 30308 USA.
Mailchimp uses so-called “web beacons” with the help of which MailChimp can check whether the sent emails have arrived, have been opened and whether links contained in the emails have been clicked. This information is stored on MailChimp’s servers and provides us with statistical evaluations regarding our newsletters. This helps us to optimize the design and content of our newsletters. MailChimp also uses this data to optimize its own services.
Unsubscribing from our newsletter is possible at any time. You will find the link for this at the very bottom of every newsletter. If you unsubscribe from our newsletter, we will delete all data stored with the newsletter subscription.
The processing of your data within the scope of the newsletter is based on your express consent pursuant to Art. 6 para 1 p. 1 lit a GDPR together with your consent to data transfer to the USA pursuant to Art. 49 para 1 lit a GDPR as an unsecure third country.
The headquarters of the operator of MailChimp (The Rocket Science Group LLC) and the servers used by MailChimp are located in the USA, among other places. The Rocket Science Group LLC was an EU-US Privacy Shield certified company in the USA. The ECJ has declared the EU-US Privacy Shield to be insufficient as a basis for data transfer to third countries. The ECJ currently classifies the USA as a country with a level of data protection that does not meet EU standards. US authorities could possibly process your data without you having a legal remedy against this.
However, MailChimp continues to protect data from Europe in accordance with the principles of the Privacy Shield. You can find more information on the data protection measures by MailChimp at: https://mailchimp.com/de/help/mailchimp-european-data-transfers/
As a basis for data processing with recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway) or a data transfer thereto, MailChimp uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, MailChimp undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.
The MailChimp Data Processing Addendum, which references the standard contractual clauses, can be found at https://mailchimp.com/legal/data-processing-addendum/#Annex_C_-_Standard_Contractual_Clauses.
If you would like more privacy-related information about MailChimp, you can find it under the following link: https://www.intuit.com/privacy/statement/
– MailChimp data processing agreement (DPA)
We have concluded an order data processing agreement (DPA) with MailChimp within the meaning of Article 28 of the General Data Protection Regulation (GDPR).
This contract is required by law because MailChimp processes personal data on our behalf. It clarifies that MailChimp may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the order data processing agreement (DPA) at: https://mailchimp.com/en/legal/data-processing-addendum/
4. Disclosure of personal data to third parties
Your personal data will only be transferred to third parties for the purposes listed below.
a) Disclosure of data to third parties
We will only share your personal data with third parties if
- you have given your express consent to this in accordance with Art. 6 para. 1 lit. a GDPR
- this is necessary for the performance of a contract with you according to Art. 6 para. 1 lit. b GDPR
- there is a legal obligation to do so pursuant to Art. 6 para. 1 lit. c GDPR
The data disclosed will be used exclusively for the purposes stated.
b) Transfer of personal data to third countries
In some cases, personal data is transferred to third countries, i.e. a country outside the European Economic Area (EEA). This only occurs under the conditions of Art. 44 et seq. GDPR.
According to the ECJ, the USA is a so-called unsecure third country. This means that the level of data protection in the USA is considered inadequate compared to that in the EU. When personal data is transferred to the USA, there are certain risks because US authorities can gain access to the data. EU citizens have no effective legal protection against such access.
In this privacy policy, we inform you when and how we transfer personal data to the USA or other unsecure third countries. We only transfer your personal data under the conditions of Art. 49 DSGVO, for example if
- sufficient guarantees are provided by the recipient in accordance with Art. 46 GDPR for the protection of the personal data
- you have expressly consented to the transfer, after we have informed you about the risks, in accordance with Art. 49 para. 1 lit. a GDPR
- the transfer is necessary for the fulfillment of contractual obligations between you and us (Art. 49. Abs 1. lit b GDPR).
Guarantees according to Art. 46 GDPR can be, for example, so-called standard contractual clauses. With these standard contractual clauses, the recipient assures to protect the data in such a way that a protection level of the data comparable to the GDPR is achieved.
5. Google Tag manager
We use cookies to make your visit to our website more user-friendly, to personalize content and ads, and to analyze visits to our website (see point 6. Cookies for more information). To manage and set them, we use Google Tag Manager, which we explain here below:
a) Google Tag Manager
– Summary
Google Tag Manager is used on our website to organize the management and setting of cookies that require consent. The Google Tag Manager does not store any data itself. The data is collected by the tags of the web analytics tools used. The storage period of the collected data depends on the web analytics tool used. The legal basis for the processing is Article 6 para. 1 lit. a. GDPR (consent) and Art 6 para 1. lit. f GDPR (legitimate interests).
– What is Google Tag Manager?
For our website we use the Google Tag Manager of the company Google Inc. For the European area the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services. This tag manager is one of many helpful marketing products from Google. Through the Google Tag Manager, we can centrally incorporate and manage code sections from various tracking tools that we use on our website.
In this privacy policy, we want to explain in more detail what Google Tag Manager does, why we use it, and in what form data is processed.
Google Tag Manager is an organizational tool that allows us to embed and manage website tags centrally and through a user interface. Tags are small sections of code that, for example, record (track) your activities on our website. For this purpose, JavaScript code sections are inserted into the source code of our page. The tags often come from Google-internal products such as Google Ads or Google Analytics, but tags from other companies can also be included and managed via the manager. Such tags perform different tasks. They can collect browser data, feed marketing tools with data, embed buttons, set cookies and also track users across multiple websites.
– Why do we use Google Tag Manager for our website?
As the saying goes: organization is half the battle! And of course this also applies to the maintenance of our website. In order to make our website as good as possible for you and all the people who are interested in our products and services, we need various tracking tools such as Google Analytics. The collected data from these tools show us what you are most interested in, where we can improve our services and which people we should still show our offers to. And for this tracking to work, we need to embed appropriate JavaScript codes into our website. In principle, we could include each code section of each tracking tool separately in our source code. However, this requires quite a lot of time and it is easy to lose track. That is why we use the Google Tag Manager. We can easily incorporate the necessary scripts and manage them from one place. Moreover, Google Tag Manager offers an easy-to-use interface and you do not need any programming skills. This is how we manage to keep order in our tag jungle.
– What data is stored by Google Tag Manager?
The Tag Manager itself is a domain that does not set any cookies or store any data. It acts as a mere “manager” of the implemented tags. The data is collected by the individual tags of the various web analysis tools. The data is virtually passed through to the individual tracking tools in the Google Tag Manager and is not stored.
However, the situation is completely different with the embedded tags of the various web analysis tools, such as Google Analytics. Depending on the analysis tool, various data about your web behavior is usually collected, stored and processed with the help of cookies. For this, please read our privacy texts on the individual analysis and tracking tools that we use on our website.
In the Tag Manager account settings, we have allowed Google to receive anonymized data from us. However, this is only the use and usage of our Tag Manager and not your data stored via the code sections. We allow Google and others to receive selected data in anonymized form. We thus consent to the anonymous sharing of our website data. Which summarized and anonymous data is forwarded exactly, we could not find out – despite long research. In any case, Google deletes all information that could identify our website. Google combines the data with hundreds of other anonymous website data and creates user trends as part of benchmarking measures. Benchmarking involves comparing your own results with those of your competitors. Processes can be optimized on the basis of the information collected.
– How long and where is the data stored?
When Google stores data, this data is stored on Google’s own servers. The servers are distributed all over the world. Most of them are located in America. At https://www.google.com/about/datacenters/locations/?hl=en you can read exactly where the Google servers are located. How long the individual tracking tools store data from you can be found in our individual privacy texts for the individual tools.
– How can I delete my data or prevent data storage?
The Google Tag Manager itself does not set cookies, but manages tags from various tracking websites. In our privacy texts for the individual tracking tools, you will find detailed information on how to delete or manage your data.
Please note that when using this tool, data from you may also be stored and processed outside the EU. Most third countries (including the USA) are not considered secure under current European data protection law. Data to unsecure third countries may therefore not simply be transferred, stored and processed there unless there are suitable safeguards (such as EU standard contractual clauses) between us and the non-European service provider.
– Legal basis
The use of Google Tag Manager requires your consent, which we have obtained with our cookie popup. According to Art. 6 para. 1 lit. a GDPR (consent), this consent constitutes the legal basis for the processing of personal data as it may occur during the collection by web analytics tools.
In addition to consent, there is a legitimate interest on our part to analyze the behavior of website visitors and thus to improve our offer technically and economically. With the help of Google Tag Manager, we can improve our economic efficiency. The legal basis for this is Art. 6 para. 1 lit. f GDPR (legitimate Interests). Nevertheless, we only use the Google Tag Manager if you have given your consent.
Google also processes data from you in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. This may be associated with various risks for the legality and security of data processing.
Google uses so-called standard contractual clauses (= Art. 46 para. 2 and 3 GDPR) as the basis for data processing for recipients located in third countries (outside the European Union, Iceland, Liechtenstein, Norway, i.e. in particular in the USA) or a data transfer thereto. Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through these clauses, Google undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here, among other places: https://eurlex.europa.eu/eli/dec_impl/2021/914/oj?locale=en.
The Google Ads Data Processing Terms, which refer to the standard contractual clauses, can be found at https://business.safety.google/intl/en/adsprocessorterms/.
If you want to learn more about Google Tag Manager, we recommend the FAQs at https://support.google.com/tagmanager/?hl=en#topic=3441530.
– Data processing agreement (DPA) Google Tag Manager
We have concluded a data processing agreement (DPA) with Google within the meaning of Article 28 of the General Data Protection Regulation (GDPR).
This contract is required by law because Google processes personal data on our behalf. It clarifies that Google may only process data they receive from us according to our instructions and must comply with the GDPR. You can find the link to the data processing agreement (DPA) at https://business.safety.google/adsprocessorterms/.
6. Cookies
Cookies are small text files that are temporarily stored on your terminal device (smartphone, PC, etc.) with the help of the browser. The use of cookies serves to make the visit to our website more user-friendly, to personalize content and ads and to analyze access to our website.
For further information on cookies and in particular on the cookies used on our website, please refer to our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/#cmplz-cookies-overview) and to points 7 – 8 of this Privacy Policy.
Some cookies remain stored on your terminal device until you delete them. They allow us to recognize your browser on your next visit.
You have the option to manage your consent settings in our Cookie Policy (available under https://www.nextsystem.at/cookie-richtlinie-eu/#cmplz-cookies-overview) in point 7. Consent.
Furthermore, if you do not wish cookies to be set, you can configurate your browser so that it informs you about the setting of cookies and that you only allow this only in individual cases. You can delete cookies that are already on your computer or disable cookies at any time. The procedure for doing this varies by browser, it is best to search the instructions in Google with the search term “delete cookies chrome” or “disable cookies chrome” in the case of a Chrome browser or replace the word “chrome” with the name of your browser, e.g. edge, firefox, safari.
We only set technically unnecessary cookies if you have expressly consented to their setting in our Cookie Consent Banner. This banner will be displayed when you visit our website (for the first time). If you generally do not allow the setting of cookies, it may be that some functions and pages do not work as expected.
7. Google Analytics
Our website uses Google Analytics, a web analytics service provided by Google LLC. (“Google”). For the member states of the European Union, the company Google Ireland Limited (Gordon House, Barrows Street Dublin 4, Ireland) is responsible for all Google services. Google Analytics uses so-called cookies (see point 6.), i.e. text files that are stored on your computer to enable an analysis of the use of the website. For example, information on the operating system, the browser, your IP address, the website you previously visited (referrer URL) and the date and time of your visit to our website are collected. The information generated by the cookies is transferred to a Google server and stored there.
We use the information generated by Google Analytics to evaluate the use of the website in order to compile reports about the activities on our website. We use this information solely for the purposes of our own market research and to optimize the design of the website. The IP address is anonymized so that it is not possible to assign it to a user. The user data collected via cookies is automatically deleted after 14 months.
The information may be transferred to third parties if this is required by law or if third parties process this data on our behalf. The processed data may be transferred to servers in the USA and other insecure third countries and processed there.
According to the ECJ, the USA is a so-called unsecure third country. This means that the level of data protection in the USA is considered inadequate compared to that in the EU. When personal data is transferred to the USA, there are certain risks because US authorities can gain access to the data. EU citizens have no effective legal protection against such access.
We have concluded a data processing agreement with Google incorporating the EU standard contractual clauses for the use of Google Analytics. This contract is required by law because Google processes personal data on our behalf. Through this contract, Google assures that the data is processed in accordance with the GDPR and that the protection of the rights of the data subject is guaranteed.
We only use Google Analytics on our website if you have given your express consent to this in accordance with Art. 6 para. 1 para. 1 lit. a GDPR for the setting of technically unnecessary cookies together with your consent to data transfer to the USA in accordance with Art. 49 para. 1 lit. a GDPR as an unsecure third country.
For more information about the cookies set by Google Analytics, please see our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/).
For more information on data processing by Google, please see the Google Privacy Policy & Terms of Use: https://policies.google.com/privacy?hl=en.
You may refuse the use of cookies by selecting the appropriate settings on your browser. In this case, you may no longer be able to use the full functionality of this website.
Furthermore, you can revoke your consent to the setting of cookies at any time in point 7. of our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/).
You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) to Google and the processing of this data by Google by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
8. Complianz
We use Complianz (hereinafter “Complianz”) cookie consent technology on our website.
Complianz provider is:
Complianz B.V.
Kalmarweg 14-5
9723JG Groningen
Netherlands
Complianz helps us to obtain your consent to the use of cookies and similar technologies. Furthermore, Complianz serves to manage, store and document your consent to cookies. This information is stored by Complianz in your browser using cookies.
The data collected in this way will be deleted when the purpose of the data processing ceases to exist. The cookies set by means of Complianz have an expiration date of 365 days. The data stored by Complianz will not be disclosed to third parties.
We use Complianz to be able to obtain the consent required under the GDPR and other applicable legal provisions. The legal basis for the data processing is thus the necessary data processing for the compliance with a legal obligation pursuant to Article 6 (1) lit c GDPR.
For more information, please see our Cookie Policy (available at https://www.nextsystem.at/cookie-richtlinie-eu/) and at https://complianz.io/legal/privacy-statement/.
9. Your rights
The General Data Protection Regulation grants you extensive rights with regard to your data. You can assert these rights, for example, in writing by sending an e-mail to datenschutz@nextsystem.at. However, you are not obliged to assert your rights by means of this e-mail address.
You have a right of access (Art 15 GDPR) about whether and if so, which and how we process your personal data. You have a right to rectification (Art 16 GDPR) or completion of your inaccurate or incomplete personal data. Under certain circumstances, you have a right to erasure (Art 17 GDPR), a right to restriction of processing (Art 18 GDPR), a right to data portability (Art 20 GDPR) and a right to object (Art 21 GDPR).
If you have given us consent, you have the right to revoke it at any time. A revocation does not affect the lawfulness of the processing based on the consent until the revocation.
In addition, you have a right to lodge a complaint (Art 77 GDPR) with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or another supervisory authority if you believe that the processing of personal data concerning you violates the GDPR.
10. Our contact details
If you have any further questions, please feel free to contact us:
next system Vertriebsges.m.b.H.
FN 209521 w, Commercial Court Vienna
Strohbogasse 4
1210 Vienna
Austria
Tel: +43 1 33166
datenschutz@nextsystem.at