Registration

We, Toouls KG (also referred to as "toouls", "TOL" or "we" in this privacy policy), are committed to the principles of personal data protection and data minimization. As a rule, the use of our website and our scientific and business activities involve the processing of personal data. In order to make these data processing operations comprehensible, we would like to inform you in our data protection declaration how we process personal data and what rights you have in this connection. Should you have any further questions, please find our contact details below.

The person responsible within the meaning of the Basic Data Protection Regulation (GDPR) is the:

Toouls KG
Bennogasse 13/5
AT-1080 Vienna
Company registration number: FN 355885k, HG Wien
e-mail: office@toouls.at
Phone: +43 1 524 3 524

We process personal data in compliance with the relevant data protection regulations, in particular the Basic Data Protection Regulation (GDPR, VO [EU] 2016/679) and the Austrian Data Protection Act (DSG). Any processing by us will therefore only take place on the basis of a legal basis (in particular in accordance with Art. 6 Para. 1 lit a - f GDPR), which will be stated below for the individual data processing operations. All of our employees entrusted with the processing are obliged to maintain the confidentiality of your data (data secrecy). TOL does not carry out any automated decision making.

In principle, we collect personal data from the data subject. In individual cases, we collect and store personal data (in particular name, contact information) on the basis of correspondence with our customers and business partners or from publicly accessible sources (e.g. telephone directory, websites, company register) on the basis of Art 6 para. 1 lit f GDPR (and thus not directly from the data subject) if this is necessary for our service provision or for contacting and administering the data, in which our legitimate interest also lies.

Every time you access our website (https://toouls.at), your computer (terminal device) or browser automatically transmits certain information to enable you to visit or operate the website:

• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (page/content to be retrieved)
• Access Status/HTTP(S) Status Code
• Browser and browser version
• Operating system and its interface

These data are stored in the log files of our system. This data is not stored together with other personal data of the user. Legal basis and purpose of data processing

The legal basis for the processing of data and their temporary storage in log files is Art 6 Paragraph 1 lit f GDPR. Temporary storage of the listed data by the system is necessary to enable delivery of the website to the user's computer. The storage in log files is done to ensure the functionality of the website. In addition, the data serves us to optimise the website and to ensure the security of our information technology systems, in particular to guarantee the integrity, confidentiality and availability of the data processed via our website. These purposes also include our legitimate interest in data processing in accordance with Art 6 Paragraph 1 lit f GDPR. This data is not stored together with other personal data of the user.

Duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. This is the case when collecting data for the purpose of providing the website when the respective session is ended. When the data is stored in log files, this is the case after seven days at the latest, unless further processing is necessary to clarify a (suspected) attack.

Personal data, which is collected during the operation of the website, is only used by us in the event of a (suspected) data security incident or a criminal act (e.g. an attack) for the purposes of clarification, prosecution and the assertion of legal claims against third parties (in particular expert persons and security experts).
Personal data, which is collected during the operation of the website, will only be transmitted by us to third parties (in particular to expert persons and security authorities) in the event of a (suspected) data security incident or a criminal act (e.g. an attack) for the purposes of clarification, prosecution and the assertion of legal claims.

Third-party websites: Our website contains in part (e.g. in our event notes) hyperlinks to and from third-party websites. If you follow a hyperlink to one of these websites, please note that we cannot assume any responsibility or guarantee for third-party content or data protection conditions.

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user calls up a website, a cookie can be stored on the user's system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. In the "session cookies" we use, only the above-mentioned data about your use of the website is temporarily stored. These store a so-called "session ID", which can be used to assign various requests from your browser to a common session. The session cookies used are technically necessary and are deleted when you close your browser. These cookies are not used for "tracking" or to establish a personal reference.

Legal basis and purpose for data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these it is necessary that the browser is recognized even after a page change.

For this purpose, we also have a legitimate interest in processing personal data in accordance with Art 6 Paragraph 1 lit f GDPR.

Duration of storage, objection and removal possibility

Cookies are stored on the user's computer and transmitted by the user to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it is possible that not all functions of the website can be used to their full extent.

We use the short message service "Twitter" under the handle @HenryAveMedi and make use of the platform of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103 USA. Responsible for data processing (for persons living outside the USA) is: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. Please note that you use this short message service and its functions (e.g. Retweet, Like) on your own responsibility and that we have no influence on the data processing by Twitter. For more information on processing by Twitter, please refer to the Twitter privacy policy: https://twitter.com/de/privacy. Twitter Inc. is committed to the principles of the EU-US Privacy Shield. You can find more information about this here: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
The data you publish on Twitter, in particular your handle (user name) and the content accessible under your account, are processed by us to the extent that we retweet or reply to these ("tweets") or write tweets from us that refer to your account.

We process personal data for the purposes of providing our services, customer support and information, including internal documentation and administration. The legal basis for the processing of the data is the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 Paragraph 1 lit b GDPR); the fulfilment of legal obligations (Art 6 Paragraph 1 lit c GDPR) as well as our legitimate interests (Art 6 Paragraph 1 lit f GDPR), in particular the interests of asserting or defending our own legal claims as well as internal administration within the company.

In order to conclude a contract, the provision of certain personal data is required by law or by contract, which the person concerned is obliged to provide; otherwise, no contract (and thus no service) can be concluded.

When contacting us (e.g. via contact form or e-mail), the information provided by the inquirer (name, contact data, other details) will be processed for documentation, processing and answering the enquiry. We offer a contact form on our website. We have marked the mandatory data required to answer an inquiry as mandatory fields. The provision of further data is voluntary.

The basis for this is our legitimate interest in the proper documentation, processing and answering of the enquiry (Art 6 para. 1 lit f GDPR); in the event of contact being made in an upright customer relationship or the initiation of a business relationship, we rely on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para. 1 lit b GDPR).
If you contact us in order to fulfil your obligations under labour or civil law as an employee (employee) for your employer or other client, we also have a legitimate interest in the proper documentation, processing and answering of the enquiry (Art 6 Paragraph 1 lit f GDPR), which also includes your data as an external contact person; in the case of contacting us in an upright client relationship or the initiation of a business relationship, we rely on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 Paragraph 1 lit b GDPR).

We process the data of applicants on the basis of Art 6 Paragraph 1 lit b GDPR (pre-contractual measures) and Art 6 Paragraph 1 lit f GDPR for the purpose of carrying out the application procedure and contacting the applicant.

If you apply for an open position and there is no recruitment, we will store the personal data for six months from the end of the application procedure (deadline for asserting claims under Sections 15 (1) and 29 GlBG) on the basis of Art 6 (1) lit f GDPR. If the applicant agrees to this in each individual case, we will keep the specific application documents in evidence for a further period of up to two years.

If it is a speculative application, we process the application documents for a maximum of two years on the basis of Art 6 Paragraph 1 lit f GDPR in order to be able to contact the applicant in the event of suitable positions, whereby an informal objection to the processing can be lodged at any time.

In any case, proof of qualification is required for the conclusion of a contract. In individual cases, depending on the requirements for filling a vacancy, it may also be necessary to submit further data (e.g. extract from the criminal register). If the required data is not submitted, such an application cannot be considered. If we contact the applicant with references provided by the applicant, data and information on a previous employment relationship may be collected by appropriate third parties. In the event that an employment relationship is established, the application documents will continue to be used for personnel administration purposes.

We will only transfer your personal data to the extent necessary and only in the following cases:

• with your consent;
• for the processing of contractual relationships or for the implementation of pre-contractual measures;
• insofar as we are legally obliged to do so;
• to companies that support us in providing our services; these service providers act as contract processors, who may only process the data in accordance with our instructions (within the framework of a contract processing agreement);
• insofar as this is necessary to protect our legitimate interests (e.g. to assert, exercise or defend legal claims) or those of a third party and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.

In the cases mentioned above, the following third parties may come into consideration: contractual and business partners who are involved in the delivery or service (e.g. logistics companies), banks (for handling payment transactions), legal representatives, courts, auditors / tax consultants, administrative authorities, self-governing bodies (social insurance carriers), insurance companies.

In principle, TOL has no intention to transfer personal data to recipients in third countries or international organisations. Such a transfer is possible if a data subject or, in the specific case, a party involved is located in a third country (e.g., in the case of a customer headquartered outside the EU). If we transfer data to a country without adequate data protection legislation, we ensure an adequate level of protection by using suitable guarantees in the form of appropriate contracts (standard contractual clauses) or binding internal data protection regulations (Binding Corporate Rules) or rely on the exceptional circumstances otherwise provided for in the GDPR (consent, the execution of a contract, the establishment, exercise or enforcement of legal claims, overriding public interests, the published personal data or because it is necessary to protect the integrity of the data subjects). For a copy of the mentioned contractual guarantee, please contact us using the contact details provided.

In this context, we would also like to point out that any data voluntarily published by users of our services themselves (e.g. online comments on the website) is public and potentially accessible worldwide.

Unless otherwise specified in the respective processing, we store personal data for as long as it is necessary to ensure the fulfilment of the aforementioned purposes or as long as we are legally obliged to do so.

This means for business letters, contracts, bookings etc. according to § 212 para. 1 UGB and § 132 para. 1 BAO: Until the end of the business relationship or until the expiry of the limitation and statutory retention periods applicable to us (in particular at least 7 years to prove compliance with tax, duty and company law retention obligations); furthermore until the end of any legal disputes in which the data is required as evidence. In the case of services where claims for damages or other titles are asserted, for the required period (between 3 and 30 years).
For inquiries (contacting): Personal data that you voluntarily provide us with will be stored by us for the purpose of providing the associated processing and keeping records (up to 3 years after completion or termination), except for a longer storage period is also required for the purpose of fulfilling a legal obligation or for the assertion or defense of legal claims.

Provided that the respective legal requirements are met, you can assert the following rights of data subjects:

• Right to information: You can request confirmation as to whether personal data concerning you is being processed and request information about this data and the information in accordance with Art 15 GDPR.
• Right of rectification if we process incorrect or incomplete data about you (Art 16 GDPR).
• Right to have personal data concerning you deleted if the conditions of Art 17 GDPR are met.
• Right to limit the processing of your data (Art 18 GDPR).
• The right to transfer the data you have provided to us, provided that the processing is based on consent (Art 6 Paragraph 1 letter a) or on a contract (Art 6 Paragraph 1 letter b) to which you are party and that the processing is carried out using automated procedures (Art 20 GDPR).
• In the case of processing operations carried out on the basis of legitimate interests (pursuant to Art. 6 para. 1 lit f GDPR), you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for doing so arising from your particular situation. In the case of processing for the purpose of direct marketing, this right is unrestricted.
• You can revoke your consent to the processing of personal data at any time, please contact us (see our contact details). Revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.
• Right of complaint: You have the right to complain to a supervisory authority responsible for you (in Austria: Data Protection Authority, www.dsb.gv.at) if you believe that the processing of personal data relating to you has violated the GDPR or your rights as a data subject have been infringed. In cases in which you were not completely satisfied with our work, we request that you first contact us so that we can be given an opportunity to rectify any errors.