Privacy Policy

General remarks

Your data is in safe hands with us, Löffler GmbH! For us protecting your data is both an obligation and a priority, which is why we also comply in particular with the applicable data protection rules of the General Data Protection Regulation (GDPR) and the Data Protection Act (Datenschutzgesetz – DSG) when processing your personal data in the performance of our activities.

In the following you will find more detailed information about the data processing performed by us. Please take the time to read our privacy policy carefully to find out why we collect your data and in what form we will process it

  • if you visit our website or are an interested party (see in particular under “Data processing regarding visitors to our website and interested parties”), with special information on our newsletter, contact form, links to other websites, cookies, online marketing, presence in social networks, plug-ins and embedded functions as well as content,
  • ii) if you use our online shop (B2C) or – as a business customer – our B2B portal / our B2B online shop (see in particular under “Data processing regarding users of our online shop (B2C) or our B2B portal / our B2B online shop”),
  • iii) if you are our (potential) customer or a contact of a customer (see in particular under “Data processing regarding (potential) customers or contacts of a customer”),
  • iv) if you are our supplier or business partner (see in particular under “Data processing regarding suppliers and business partners and their contacts”) or
  • v) if you apply for a job with us (see in particular under “Data processing regarding job candidates”).

For information on what data we collect about you from other sources, please see “Collection of personal data from sources other than the data subject himself/herself (Art. 14 GDPR)”.

Any use of masculine pronouns only on our website and in this privacy policy is to be understood in a gender-neutral manner  and thus equally refers to men, women and the neutral gender.

What are personal data?

Personal data means any information relating to an identified or identifiable natural person. This includes all data that can be related to you personally, e.g. name, address, e-mail addresses, invoice data, IP addresses, user behaviour.

Who is responsible for data protection (controller)?

Löffler GmbH
(FN 113126m, Regional Court (Landesgericht) of Ried im Innkreis)
4910 Ried im Innkreis – Austria
Phone: +43 77 52 / 84 421 – 0
Fax: +43 77 52 / 84 421 – 148
E-mail: office@loeffler.at or dsgvo@loeffler.at

As we are not legally obliged to do so, we have specified no data protection officer to the data protection authority.

Data security

We use appropriate technical and organisational measures and protection measures (TOMs) to prevent unauthorised access, unlawful processing and unauthorised or accidental loss of your data. This includes, for example, the encryption of your communication with us via this website based on the Secure Sockets Layer (SSL) encryption protocol.

You can check the quality of our encryption here: https://www.ssllabs.com/ssltest.

Please be aware that the transmission of data on the Internet may entail security risks and that complete protection against access by unauthorised third parties cannot be guaranteed.

Confidentiality

We shall ensure the confidentiality of personal data from data processing activities that have been entrusted or have become accessible to us solely due to our professional occupation, without prejudice to other statutory obligations of confidentiality, unless a legitimate reason for the transmission of the data that has been entrusted or become accessible to us exists (confidentiality of data, § 6 Data Protection Act (Datenschutzgesetz – DSG)).

Our employees are also obliged to maintain confidentiality pursuant to § 6 DSG.

Data processing regarding visitors to our website and interested parties

We process your personal data either for the purposes of our legitimate interests (Art. 6 para. (1) lit. (f) GDPR), namely to ensure the operation, security and optimisation of our website, or to handle your requests which you send to us by e-mail, via our contact form or by telephone (Art. 6 para. (1) lit (a) and lit (b) GDPR). You give us your consent when sending us your request. You can withdraw your consent at any time (see point “What rights do you have with regard to data processing?”).

To improve the information offered, the following data is processed and analysed on our website when you visit our website:

  • browser type,
  • operating system and its interface,
  • model name of the mobile phone and a generic device identifier,
  • country, date, time and duration of access,
  • IP address of the user’s computer and pages visited, including entry and exit sites,
  • time zone difference from Greenwich Mean Time (GMT),
  • access status / HTTP status code,
  • content of the request and amount of data transferred in each case,
  • website which the request has come from (referrer URL),
  • language and version of the browser software.

We analyse this data for statistical purposes to optimise the services on the website. In addition, this data is stored for a period of three months and then deleted, unless this is contrary to a legal or statutory provision on retention. Longer storage is also possible, as far as this is necessary for the investigation of attacks on this website.

The web server is located in Austria (https://www.loeffler.at). The data will not be used to personally identify the visitor of this website.

In order to fulfil the above-mentioned purposes, it may be necessary in certain cases to disclose your data, in particular to the following recipients. Such disclosure may be effected by transmission, dissemination or otherwise making the data available.

RECIPIENT

 

PLACE OF BUSINESS (COUNTRY)

 

BASIS FOR TRANSMISSION IN THIRD COUNTRY

 

Agentur LOOP New Media GmbH (website support / website maintenance)

 

Austria

 

Within the European Economic Area (“EEA”)

 

INFOTECH EDV-Systeme GmbH (Internet and telephone services)

 

Austria Within the EEA
INFOTECH EDV-Systeme GmbH (in the context of support and remote maintenance of our EDP)

 

Austria Within the EEA
Cooperation partners, insofar as this is necessary for the processing of requests

 

Austria and in individual cases EU-wide

 

Within the EEA

 

Registration and login: Users can create a user account. In the context of registration, the mandatory details are communicated to the users and processed for the purpose of making the user account available on the basis of the fulfilment of contractual obligations. The processed data includes, in particular, the login information (name, password and an e-mail address). The data entered during registration is used for the purposes of using the user account and its purpose.

Users can be informed by e-mail about processes that are relevant for their user account, such as technical changes. If users have cancelled their user account, their data regarding the user account shall be deleted, subject to a legal or statutory provision on retention. Once notice of termination has been given it is up to the users to back up their data before expiry of the contract. We shall be entitled to irretrievably delete all user data stored during the term of the contract.

In the context of the use of our registration and login functions as well as the use of the user account, we shall store the IP address and the time of the respective user action. Data is stored on the basis of our legitimate interests as well as those of the users in protection against abuse and other unauthorised use. As a rule, this data shall not be transferred to third parties, unless this is necessary to pursue our claims or there is a legal or statutory obligation to do so.

Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), meta/communication data (e.g. device information, IP addresses).

Data subjects: users (e.g. website visitors, users of online services).

Processing purposes: contractual services and customer service, security measures, management and answering of requests.

Legal basis: consent (Art. 6 para. (1) sentence 1 lit. (a) GDPR), performance of contract and pre-contractual requests (Art. 6 para. (1) sentence 1 lit. (b) GDPR), legitimate interests (Art. 6 para. (1) sentence 1 lit. (f) GDPR)

Newsletter

You have the possibility to subscribe to our free newsletter. We send our newsletter, e-mails and other electronic communications (hereinafter referred to as “newsletter”) only with the consent of the recipients or where permitted by law. If the contents of the newsletter are specifically described in the context of a subscription to the newsletter, they shall be decisive for the users’ consent. In addition, our newsletters contain the latest news and information about our company, our services, and customised advertising.

In order to subscribe to our newsletters, it is generally sufficient to provide your e-mail address. However, we may ask you to provide a name so that we can address you personally in the newsletter, or for further information if this is necessary for the purposes of the newsletter.

Double opt-in procedure: As a rule, a so-called double opt-in procedure is used for subscriptions to our newsletter. This means that after subscribing you will receive an e-mail asking you to confirm your subscription. This confirmation is necessary so that nobody can register with a fake e-mail address. Newsletter subscriptions are recorded as evidence that the subscription process meets legal requirements. This includes recording the time of subscription and confirmation as well as the IP address. Changes to your data stored by the mailing service provider are recorded in the same manner.

Erasure and restriction of processing: We may store unsubscribed e-mail addresses for up to three years on the basis of our legitimate interests before we erase them in order to be able to provide evidence of a previously given consent. The processing of this data shall be restricted to the purpose of a possible defence against claims. An individual request for erasure is possible at any time, provided that the existence of a previously given consent is confirmed at the same time. In the case of obligations to permanently observe objections, we reserve the right to store the e-mail address in a blacklist for this purpose only.

The subscription procedure is recorded on the basis of our legitimate interests for the purposes of providing evidence that it has been effected duly and properly. If we commission a service provider to send e-mails, this shall be done on the basis of our legitimate interests in an efficient and secure mailing system.

Notes on legal basis: Newsletters are mailed on the basis of the recipients’ consent or, if no consent is required, on the basis of our legitimate interests in direct marketing, if and to the extent that this is permitted by law, e.g. in the case of advertising for existing customers. If we commission a service provider to send e-mails, this is done on the basis of our legitimate interests. The subscription process is recorded on the basis of our legitimate interests to provide evidence that it has been carried out in accordance with the law.

Contents: information about us, our services, campaigns and offers.

Success monitoring: The newsletters contain a so-called “web beacon”, i.e. a pixel-sized file that is retrieved from our server or, if we use a mailing service provider, from their server, when the newsletter is opened. In the context of this retrieval, technical information such as information on the browser and your system, as well as your IP address and the time of retrieval, is initially collected.

This information is used for the technical improvement of our newsletter by means of the technical data or the target groups and their reading behaviour based on their retrieval locations (which can be determined by means of the IP address) or the access times. This analysis also includes checking whether the newsletters are opened, when they are opened, and what links are clicked. For technical reasons, this information can be attributed to the individual newsletter recipients. However, it is neither our intention nor that of the mailing service provider – where commissioned – to monitor individual users. Rather, our analyses help us identify the reading habits of our users and adapt our contents to them or to mail different contents tailored to the interests of our users.

The analysis of the newsletter and success monitoring are performed subject to the express consent of the users, on the basis of our legitimate interests for the purposes of a user-friendly and secure newsletter system that both serves our business interests and meets the expectations of the users.

Unfortunately, a separate revocation of success monitoring is not possible; in this case the entire newsletter subscription must be cancelled or an objection must be submitted.

Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), meta/communication data (e.g. device information, IP addresses), usage data (e.g. websites visited, interest in content, access times).

Data subjects: communication partners.

Processing purposes: direct marketing (e.g. by e-mail or by post).

Legal basis: consent (Art. 6 para. (1) sentence 1 lit. (a) GDPR), legitimate interests (Art. 6 para. (1) sentence 1 lit. (f) GDPR).

Used services and service providers: Mailchimp: e-mail marketing platform; service provider: “Mailchimp” – Rocket Science Group, LLC, 675 Ponce De Leon Ave NE #5000, Atlanta, GA 30308, USA; website: https://mailchimp.com; privacy statement: https://mailchimp.com/legal/privacy/;

You can withdraw your consent to receiving the newsletter at any time (see point “What rights do you have with regard to data processing?”). You can also cancel your subscription to our newsletter at any time; the details of how to unsubscribe can be found in the confirmation e-mail and in each individual newsletter.

Contact requests

When contacting us (e.g. by contact form, e-mail, telephone or on social media), the data of the persons sending a request will be processed to the extent necessary to answer such requests and any requested measures.

Contact requests in the context of contractual or pre-contractual relations are answered in order to perform our contractual obligations or to answer (pre-)contractual requests and otherwise on the basis of legitimate interests in answering such requests.

Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos).

Data subjects: communication partners.

Processing purposes: contact requests and communication.

Legal basis: performance of contracts and pre-contractual requests (Art 6 para. (1) sentence 1 lit. (b) GDPR legitimate interests (Art.6 para. (1) lit. (f) GDPR).

Links to other websites

This website contains links to other websites the contents of which are beyond our control. We assume no liability for these contents. The respective provider of the linked website has sole responsibility for the contents and accuracy of the information provided there.

Cookies

“Cookies” are small files that are stored on the users’ devices. Cookies can be used to save certain information. This information can include, for example, the language settings on a website, the login status, a shopping cart or the location where a video was viewed.

As a rule, cookies are also used when the interests of a user or his behaviour (e.g. viewing certain contents, using functions etc.) are stored on individual web pages in a user profile. Such profiles serve to show users contents that match their potential interests, for example. This process is also known as “tracking”, i.e., monitoring the potential interests of users. The term “cookies” also includes other technologies that perform the same functions as cookies (e.g., when user information is stored by means of pseudonymous online identifiers, also known as “user IDs”).

If we use cookies or “tracking” technologies, we shall inform you separately in our privacy policy.

Notes on legal basis: The legal basis on which we process your personal data using cookies depends on whether we ask you for your consent. If this is the case and you consent to the use of cookies, the legal basis for processing your data is your declared consent. Otherwise, the data processed with the help of cookies will be processed on the basis of our legitimate interests (e.g. in a commercial operation of our online services and their improvement) or if the use of cookies is necessary to fulfil our contractual obligations.

General information on withdrawal of consent and objection (opting out): Irrespective of whether the processing is based on consent or is permitted by law, you have the possibility at any time to withdraw any consent you have given or to object to the processing of your data using cookie technologies (collectively referred to as “opting out”).

You can object, first of all, by changing your browser settings, e.g. by disabling the use of cookies (however, this may also reduce the functionality of our online services).

You can also object to the use of cookies for online marketing purposes by means of a variety of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ or generally on http://optout.aboutads.info.

Processing of cookie data based on consent: Before we process data or have it processed by means of using cookies, we ask users for their consent. You can withdraw your consent at any time (see point “What rights do you have with regard to data processing?”). Before consent has not been given, cookies shall only be used where necessary for the operation of our online services. Their use is based on our interests and the interests of the users in the expected functionality of our online services.

Cookie settings/ objection options: […button for cookie settings]

Processed data types: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: users (e.g. website visitors, users of online services).

Legal basis: consent (Art. 6 para. (1) sentence 1 lit. (a) GDPR), legitimate interests (Art. 6 para. (1) sentence 1 lit. (f) GDPR).

Online marketing

We process personal data for online marketing purposes, which includes in particular the display of advertising and other content (collectively referred to as “content”) based on the potential interests of users and the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (a so-called “cookie”) or similar procedures are used, by means of which the information about the user relevant for the display of the aforementioned contents is stored. This information may include, for example, content viewed, web pages visited, online networks used, but also communication partners and technical details such as the browser used, the computer system used and information on usage times. If users have consented to the collection of their location data, this data may also be processed.

The IP addresses of users are also stored. However, we use IP masking methods (i.e., pseudonymisation by shortening the IP address) to protect users. In general, the online marketing process does not store any clear user data (such as e-mail addresses or names), but pseudonyms. This means that we, as well as the providers of online marketing services, do not know the actual identity of the users, but only the information stored in their profiles.

The information in the profiles is usually stored in the cookies or by similar methods. These cookies can later generally also be read on other websites that use the same online marketing method, analysed for the purpose of displaying content as well as supplemented with additional data and stored on the server of the online marketing service provider.

Clear data can be attributed to the profiles in exceptional cases. This is the case, for example, if the users are members of a social network whose online marketing methods we use and if the network links the profiles of the users with the aforementioned information. Please note that users can make additional arrangements with the providers, e.g. by giving their consent during registration.

As a rule, we only have access to summarised information about the success of our advertisements. However, by using so-called conversion measurement, we can check which of our online marketing methods have led to a so-called conversion, i.e., for example, to the conclusion of a contract with us. Conversion measurement is used solely to analyse the success of our marketing measures.

Notes on legal basis: If we ask users for their consent to the use of the third party providers, the legal basis for data processing is their consent. You can withdraw your consent at any time (see point “What rights do you have with regard to data processing?”). Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Facebook pixel: The Facebook pixel enables Facebook to determine visitors of our online services as a target group for displaying advertisements (so-called “Facebook ads”). Accordingly, we use the Facebook pixel to display the Facebook ads placed by us only to those Facebook users who have also shown an interest in our online services or who exhibit certain characteristics (e.g. interest in certain topics or products that are identifiable from the websites visited), which we transmit to Facebook (so-called “custom audiences”). With the help of the Facebook pixel, we also want to ensure that our Facebook ads match the potential interests of users and are not annoying. The Facebook pixel also allows us to monitor the effectiveness of Facebook ads for statistical and market research purposes by enabling us to see whether users have been redirected to our website after clicking on a Facebook ad (so-called “conversion measurement”).

Processed data types: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), location data (data indicating the location of an end user’s device).

Data subjects: users (e.g. website visitors, users of online services), interested parties.

Processing purposes: tracking (e.g. profiling based on interests and behaviour, use of cookies), remarketing, analysis of visitor actions, interest-based and behaviour-related marketing, profiling (creation of user profiles), conversion measurement (measurement of the effectiveness of marketing measures), reach measurement (e.g. access statistics, recognition of returning visitors), targeting (identification of target groups relevant for marketing purposes or other output of content), cross-device tracking (cross-device processing of user data for marketing purposes).

Security measures: IP masking (pseudonymisation of IP address).

Legal basis: consent (Art. 6 para. (1) sentence 1 lit. (a) GDPR), legitimate interests (Art. 6 para. (1) sentence 1 lit. (f) GDPR).

Objection (opt-out) option: We refer to the privacy policies of the respective providers and the objection (“opt-out”) options specified for the providers. If no explicit opt-out option has been specified, it is possible to disable cookies in your browser settings. However, this may reduce the functionality of our online services. We therefore recommend the following additional opt-out options, which are offered collectively for the respective regions: a) Europe: https://www.youronlinechoices.eu. b) Canada: https://www.youradchoices.ca/choices. c) USA: https://www.aboutads.info/choices. d) multiple territories: http://optout.aboutads.info.

Used services and service providers:

Google Analytics: Online marketing and web analytics; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://marketingplatform.google.com/intl/de/about/analytics/; privacy policy: https://policies.google.com/privacy; objection (opt-out) option: opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, ad settings: https://adssettings.google.com/authenticated.

Facebook pixel: Facebook pixel; service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; objection (opt-out) option: https://www.facebook.com/settings?tab=ads.

Presence in social networks

We have an online presence in social networks in order to communicate with the users of such networks or to offer information about us there.

Furthermore, in social networks user data is usually processed for market research and advertising purposes. For example, user profiles can be created on the basis of user behaviour and the resulting interests of the users. The user profiles can in turn be used, for example, to place advertisements inside and outside the networks that are likely to correspond to the users’ interests. For these purposes, cookies are usually saved on the users’ computers to store usage behaviour and interests of the users. Moreover, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).

For more details on the respective types of processing and objection (opt-out) options, we refer to the privacy statements and information provided by the operators of the respective networks.

Also in respect of requests for information and the assertion of data subject rights, we would like to point out that these can most effectively be asserted with the providers. Only the providers have access to the respective data of users and can directly take appropriate measures and provide information. However, if you still require assistance please feel free to contact us.

Processed data types: inventory data (e.g. names, addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: users (e.g. website visitors, users of online services).

Processing purposes: contact requests and communication, tracking (e.g. profiling based on interests and behaviour, use of cookies), remarketing, reach measurement (e.g. access statistics, recognition of returning visitors).

Legal basis: legitimate interests (Art. 6 para. (1) lit. (f) GDPR).

Used services and service providers:

Instagram: social network; service provider: Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA; website: https://www.instagram.com; privacy policy: http://instagram.com/about/legal/privacy.

Facebook: social network; service provider: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; objection (opt-out) option: ad settings: https://www.facebook.com/settings?tab=ads; additional data protection information: agreement on joint processing of personal data on Facebook pages: https://www.facebook.com/legal/terms/page_controller_addendum, data protection information for Facebook pages: https://www.facebook.com/legal/terms/information_about_page_insights_data.

Plug-ins and embedded functions and content

We embed function and content elements in our online services that are obtained from the servers of their respective providers (hereinafter referred to as “third party providers”). For example, this may include graphics, videos or social media buttons and posts (hereinafter referred to uniformly as “content”).

Embedding these elements always requires that the third party providers of this content process the users’ IP address, as without the IP address they would not be able to send the content to their browsers. The IP address is therefore required to display these contents or functions. We make every effort to use only such content of which the respective providers use the IP address only to deliver the content. Third parties may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” enable the analysis of information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user’s device and may contain, among other things, technical information on the browser and the operating system, on referring websites, on the time of visit and other information on the use of our online services, and may be combined with such information from other sources.

Notes on legal basis: If we ask users for their consent to the use of the third party providers, the legal basis for data processing is their consent. You can withdraw your consent at any time (see point “What rights do you have with regard to data processing?”). Otherwise, user data is processed on the basis of our legitimate interests (i.e. interest in efficient, effective and recipient-friendly services). In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Processed data types: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses), contact data (e.g. e-mail, telephone numbers), content data (e.g. text entries, photographs, videos), inventory data (e.g. names, addresses).

Data subjects: users (e.g. website visitors, users of online services), communication partners.

Processing purposes: making our online services available, user-friendliness, contractual services and customer service, contact requests and communication, direct marketing (e.g. by e-mail or post), tracking (e.g. profiling based on interests or behaviour, use of cookies), interest-based and behavioural marketing, profiling (creation of user profiles), feedback (e.g. collection of feedback via online form), security measures, administration and answering of requests.

Legal basis: legitimate interests (Art. 6 para. (1) sentence 1 lit. (f) GDPR), consent (Art. 6 para. (1) sentence 1 lit. (a) GDPR), performance of contract and pre-contractual requests (Art. 6 para. (1) sentence 1 lit. (b) GDPR).

Used services and service providers:

Facebook social plug-ins: Facebook social plug-ins – They can include content such as images, videos or texts and buttons with which users can share content from these online services within Facebook. Here you will find the list and images of Facebook social plug-ins: https://developers.facebook.com/docs/plugins/; service provider: https://www.facebook.com, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, parent company: Facebook, 1 Hacker Way, Menlo Park, CA 94025, USA; website: https://www.facebook.com; privacy policy: https://www.facebook.com/about/privacy; objection (opt-out) option: ad settings: https://www.facebook.com/settings?tab=ads.

Web fonts from Fast.Fonts.Net or Fonts.com: We embed the fonts of the provider Monotype GmbH, Spichernstraße 2, 10777 Berlin, Germany (fonts.com or fast.fonts.net); in this context the user’s data is used solely for the purpose of displaying the fonts in the user’s browser. When you call up a page, your browser loads the required web fonts into your browser cache to display texts and fonts correctly. For this purpose, the browser you use must connect to the servers of fonts.com. In this way, fonts.com is notified that our website was accessed via your IP address. If your browser does not support web fonts, a default font is used by your computer. Fonts are embedded on the basis of our legitimate interests in a technically secure, maintenance-free and efficient use of fonts, their uniform display and taking account of possible restrictions under licensing law for font embedding. Service provider: Monotype GmbH, parent company: Monotype Imaging Holdings Inc, 600 Unicorn Park Drive, Woburn, MA 01801, USA; website: https://www.monotype.com/; privacy policy: https://www.monotype.com/legal/privacy-policy. For more information on these web fonts see https://www.fonts.com/info/legal and the privacy policy of Fonts.com: https://www.fonts.com/info/legal/privacy / and the privacy policy of Monotype GmbH: https://www.monotype.com/legal/privacy-policy/.

FontAwesome: In order to display fonts and visual elements on our website, we use the external fonts of FontAwesome. FontAwesome is a service of Fonticons Inc, 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA, hereinafter referred to as “FontAwesome” only. When our website is called up, a connection is established to the FontAwesome server in the USA to enable and update the display of fonts and visual elements. The legal basis is Art. 6 para. (1) lit. (f) GDPR. Our legitimate interest lies in the optimisation and efficient operation of our Internet presence. Due to the connection established with the FontAwesome server whenever you access our website FontAwesome can determine the website from which your request was sent and the IP address to which the font is to be sent. FontAwesome offers further information, in particular on how to prevent the use of data, on https://fontawesome.com/privacy.

ReCaptcha: We embed the \”ReCaptcha\” function to detect bots, e.g. when data is entered in online forms. The users’ behaviour data (e.g. mouse movements or queries) are analysed in order to be able to distinguish people from bots. Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.google.com/recaptcha/; privacy policy: https://policies.google.com/privacy;  objection (opt-out) option: opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, ad settings: https://adssettings.google.com/authenticated.

Google Maps: We embed maps of the “Google Maps” service provided by Google. The processed data may include, in particular, IP addresses and location data of the users, which, however, cannot be collected without their consent (usually as part of the settings of their mobile devices). Service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://maps.google.de; privacy policy: https://policies.google.com/privacy; objection (opt-out) option: opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, ad settings: https://adssettings.google.com/authenticated.

YouTube: videos; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; website: https://www.youtube.com; privacy policy: https://policies.google.com/privacy; objection (opt-out) option: opt-out plugin: http://tools.google.com/dlpage/gaoptout?hl=de, ad settings: https://adssettings.google.com/authenticated.

Google Tag Manager: Our website uses the Google Tag Manager service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). The Tag Manager is a service that facilitates the management of website tags through an interface. This allows us to integrate code snippets such as tracking codes or conversion pixels on websites without interfering with the source code. The Tag Manager only forwards the data, but does not collect or store it. The Tag Manager itself is a cookie-free domain and does not process any personal data, as it only serves to manage other services in our online offering. The Tag Manager provides for the resolution of other tags, which in turn may collect data. However, the Tag Manager does not access this data. If cookies were disabled at domain or cookie level, this remains the case for all tracking tags implemented with Google Tag Manager. For further information on data protection please see the following Google websites:

Privacy policy: https://policies.google.com/privacy?hl=de&gl=de

FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html

Google Tag Manager use policy: https://www.google.com/intl/de/tagmanager/use-policy.html

Rollbar error tracking

This website uses the analytics service of Rollbar, Inc. (Rollbar, 51 Federal Street, San Francisco, CA 94107, USA). In the event of an error only, IP addresses, the user agent and the page accessed are transmitted to Rollbar. Further data protection information from Rollbar is available at https://docs.rollbar.com/docs/privacy-policy. The legal basis for the processing of your personal data is Art. 6 para. (1) lit. (f) GDPR. The purpose of processing is the technical monitoring of our website and tracking of error messages in order to optimise technical stability. This is our legitimate interest in the processing of your personal data in accordance with Art. 6 para. (1) lit. (f) GDPR. Your personal data will be erased as soon as it is no longer needed for our aforementioned purposes. This is the case after 180 days.

Hotjar

We use Hotjar to better understand our users’ needs and to optimize the service and experience on our website. Hotjar is a technology service that helps us better understand our users’ experiences (e.g., how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices. This includes a device’s IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

EyeFitU Sizefinder

In order to get a size recommendation, we need you to provide personal data, such as your height, weight, age, gender, sizing preferences, and user updated body measurements, (the “Data”) enabling the service to provide you with sizing recommendations. Age has an impact on how your weight is distributed and is needed for recommendation of the right size.

The Data you provide in this service will only be used for the size recommendation and in anonymized form for academic and statistical purposes.

The data is stored in Local storage in your browser, so we can give you a size recommendation the next time you access our online store from the same browser. The data is stored until you delete the local storage.

Löffler GmbH is responsible for processing the Data according to the current rules on the protection of personal data. All our processing of personal data as set out above, follows our general Privacy Policy.

The legal basis to provide you with this service is our legitimate interest in offering you sizing recommendations. It is voluntary to use this service.

Data processing regarding users of our online shop (B2C) or our B2B portal / our B2B online shop

Online shop (B2C)

We operate an online shop (B2C), where customers who are consumers can avail themselves of our offers.

What data we process about you in the context of our online shop (B2C):

During your visit to our online shop and the processing of your orders, we collect the categories of personal data listed in Annex 1 .

You are not obliged to provide us with the personal data that we request from you. However, you will not be able to use all the functions of this online shop, nor will you be able to order goods from our online shop if you do not provide your personal data. Should the provision of your data be legally binding in some cases, we will point this out to you separately.

In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Purposes of data processing:

We process the categories of your personal data listed in Annex 1 in order

  1. to make our online shop available to you and to offer you goods;
  2. to process your order;
  3. to further improve and develop our online shop;
  4. to be able to produce usage statistics; and
  5. to recognise, prevent and investigate attacks on our online shop.

Legal basis for processing:

We process the categories of your personal data listed in Annex 1 on the basis of performance of a contract concluded with you or the implementation of pre-contractual measures, insofar as this is necessary for this purpose (Art. 6 para. (1) lit (b) GDPR), or of our overriding legitimate interest pursuant to Art. 6 para. (1) lit (f) GDPR, which consists in achieving the purposes mentioned in lit. (c) and (d) above, or the necessity to fulfil legal obligations to which we are subject (Art. 6 para. (1) lit (c) GDPR).

Transmission of your personal data:

To the extent necessary for the above purposes, we will transmit your personal data to the following categories of recipients:

  • IT service providers used by us;
  • distribution partners, logistics companies or delivery service providers used by us;
  • payment service providers; and
  • companies that are affiliated with our group.

Duration of storage:

As a rule, we will store your data for a term of three months. A longer storage term will only apply (i) as far as this is necessary to investigate observed attacks on our website or (ii) as long as a legal or statutory provision on retention applies or (iii) as long as any legal claims for the establishment or defence of which the personal data is required are not yet time-barred.

If you register on our website, we shall store your data for as long as your account exists.

B2B portal / B2B online shop

We operate a B2B portal / a B2B online shop, through which corporate customers can avail themselves of our offers.

What data we process about you in the context of our B2B portal / B2B online shop:

During your registration, we will create a user name and set up password-protected direct access to a user account for you. In doing so, we process the following categories of personal data that you have disclosed during registration:

  • Customer number,
  • Company name,
  • Address,
  • E-mail address,
  • First name, surname, telephone number or e-mail address of the contact,
  • User name,

You are not obliged to provide us with the personal data that we request from you. However, you will not be able to use all the functions of the B2B portal / B2B online shop, nor will you be able to order goods from our B2B online shop if you do not provide your personal data. Should the provision of your data be legally binding in some cases, we will point this out to you separately.

In this context, we would also like to draw your attention to the information on the use of cookies in this privacy policy.

Purposes of data processing:

We process the following categories of personal data that you have disclosed during registration in order

  1. to make our B2B portal / B2B online shop available to you and to offer you goods;
  2. to process your order;
  3. to further improve and develop our B2B portal and our B2B online shop;
  4. to be able to produce usage statistics; and
  5. to be able to recognise, prevent and investigate attacks on our B2B portal / B2B online shop.

Legal basis for processing:

We process the categories of your personal data disclosed by you during registration on the basis of performance of a contract concluded with you or the implementation of pre-contractual measures, insofar as this is necessary for this purpose (Art. 6 para. (1) lit (b) GDPR), or of our overriding legitimate interest pursuant to Art. 6 para. (1) lit (f) GDPR, which consists in achieving the purposes mentioned in lit. (c) and (d) above, or the necessity to fulfil legal obligations to which we are subject (Art. 6 para. (1) lit (c) GDPR).

Transmission of your personal data:

To the extent necessary for the above purposes, we will transmit your personal data to the following categories of recipients:

  • IT service providers used by us;
  • distribution partners, logistics companies or delivery service providers used by us;
  • payment service providers; and
  • companies that are affiliated with our group.

Duration of storage:

If you register on our website, we shall store your data for as long as your user account exists. A longer storage term will only apply (i) as far as this is necessary to investigate observed attacks on our website or (ii) as long as a legal or statutory provision on retention applies or (iii) as long as any legal claims for the establishment or defence of which the personal data is required are not yet time-barred.

Payment service providers

Within the scope of contractual and other legal relationships, on the basis of legal obligations or otherwise based on our legitimate interests, we offer data subjects efficient and secure payment options and use other payment service providers in addition to banks and credit institutions (collectively “payment service providers”).

The data processed by the payment service providers include inventory data, such as name and address, bank data, such as account or credit card numbers, passwords, TANs and checksums, as well as contract, sum and recipient-related information. The information is necessary to perform the transactions. However, the entered data is only processed by the payment service providers and stored by them. This means that we do not receive any account or credit card-related information, but only information with confirmation or negative information of payment. Under certain circumstances, the payment service providers may transmit the data to credit agencies. The purpose of this transmission is to verify identity and creditworthiness. In this regard, we refer to the general terms and conditions and the privacy policies of the payment service providers.

Payment transactions are subject to the terms and conditions and the privacy policies of the respective payment service providers, which are available on the respective websites or transaction applications. We also refer to these for the purpose of further information and the assertion of rights of withdrawal, access and other data subject rights.

Processed data types: inventory data (e.g. names, addresses), payment data (e.g. bank details, invoices, payment history), contract data (e.g. subject matter, term, customer category), usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).

Data subjects: customers, interested parties.

Processing purposes: contractual services and customer service.

Legal basis: performance of contracts and pre-contractual requests (Art 6 para. (1) sentence 1 lit. (b) GDPR, legitimate interests (Art.6 para. (1) sentence 1 lit. (f) GDPR).

Used services and service providers:

Klarna / Sofortüberweisung (instant transfer): payment services; service provider: Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden; website: https://www.klarna.com/de; privacy policy: https://www.klarna.com/de/datenschutz.

PayPal: payment services and solutions (e.g. PayPal, PayPal Plus, Braintree); service provider: PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg; website: https://www.paypal.com/de; privacy policy: https://www.paypal.com/de/webapps/mpp/ua/privacy-full.

Adyen: payment services; service provider: Adyen, Simon Carmiggeltstraat 5-60, 1011 DJ Amsterdam, The Netherlands; website: https://www.adyen.com/de_DE/; privacy policy: https://www.adyen.com/policies-and-disclaimer/privacy-policy.

Data processing regarding (potential) customers or contacts of a customer

We process your personal data either to implement pre-contractual measures or to fulfil our contractual obligations (Art. 6 para. (1) lit. (b) GDPR) within the framework of the contractual relationship, based on your express consent (Art. 6 para. (1) lit (a) GDPR), if you give us your consent to be named as a reference, also to comply with our legal obligations (Art. 6 para. (1) lit (c) GDPR) and on the basis of our overriding legitimate interest (Art. 6 para. (1) lit. (f) GDPR), which consists in achieving the purposes mentioned in (c) to (g) below.

If the data is sensitive, we process it to carry out our obligations in the field of social or employment law (Art. 9 para. (2) lit. (b) GDPR).

The processing of your data serves above all to carry out and execute our deliveries and services. You can withdraw your consent to being named as a reference at any time (see point “What rights do you have with regard to data processing?”).

We will process the categories of your personal data listed in Annex 2 in particular for the following purposes:

  1. Handling our delivery and service processes;
  2. Managing our customer relations, comprising contact management and communication, including analysis of customer needs and how our products and services are used;
  3. Managing in-house visits;
  4. Analysing and forecasting customer demand;
  5. Providing information about our services and events;
  6. Conducting surveys and
  7. Performing direct marketing and advertising measures via electronic and non-electronic channels.

We collect your personal data either

  • directly from you, as part of our communication or business relationship, or
  • from public sources (e.g. social media, public Internet sources, public attendance lists from conferences or public books) or
  • via our employees, who are in contact with you or manage your visit to our company.

You are not obliged to provide us with the personal data that we request from you. However, joint business or marketing processes may be delayed or become impossible and you may not be able to participate in our events if you do not provide your personal data. Should the provision of your data be legally binding in some cases, we will point this out to you separately.

We will use your contact details to send you information by post or e-mail about our range of services and invitations to events organised by our company (Art. 6 para. (1) lit. (f) GDPR). You have the right to object to this processing of your data for the purpose of direct marketing at any time without specifying reasons by sending a letter to us or an e-mail to office@loeffler.at or dsgvo@loeffler.at. We will process your data for this purpose for as long as you do not object, but only up to three years after termination of the contract. The processing of your personal data for the purpose of direct marketing is not necessary for the execution of our contractual relationship.

For other forms of direct marketing, we will only process your data if you have given your express consent to the processing of your data (Art. 6 para. (1) lit. (a) GDPR). You can withdraw your consent at any time (see point “What rights do you have with regard to data processing?”).

The security of data is ensured with regard to confidentiality and integrity as well as resilience / availability in accordance with the achieved state of technological knowledge and taking account of the respective type of data.

Notwithstanding our efforts to maintain an appropriately high level of due diligence at all times, it cannot be ruled out that information that you disclose to us via the Internet may be viewed and used by other persons.

Please note that we therefore accept no liability whatsoever for the disclosure of information due to errors not caused by us in data transmission and/or unauthorised access by third parties (e.g. hack attack on homepage, e-mail account or telephone).

 In order to fulfil the purposes to be achieved, it may be necessary in certain cases to disclose your data, in particular to the following recipients. Such disclosure may be effected by transmission, dissemination or otherwise making the data available.

RECIPIENT

 

PLACE OF BUSINESS (COUNTRY)

 

BASIS FOR TRANSMISSION IN THIRD COUNTRY

 

Agentur LOOP New Media GmbH (website support / website maintenance)

 

Austria

 

Within the European Economic Area (“EEA”)

 

INFOTECH EDV-Systeme GmbH (Internet and telephone services)

 

Austria Within the EEA
INFOTECH EDV-Systeme GmbH (in the context of support and remote maintenance of our EDP)

 

Austria Within the EEA
Legal representatives

 

Austria Within the EEA
Banks for handling payment transactions

 

Austria

 

Within the EEA

 

Public accountants

 

Austria

 

Within the EEA
Courts and administrative authorities

 

Austria and in individual cases EU-wide

 

Within the EEA
Competent administrative authorities, in particular tax authorities

 

Austria

 

Within the EEA
Collection agencies for collecting debts (abroad, therefore, only if the debt must be collected abroad)

 

Austria and in individual cases EU-wide Within the EEA
External financers, such as leasing or factoring companies and transferees, if the delivery or service is financed externally

 

Austria

 

Within the EEA
Insurance companies due to the conclusion of an insurance contract for the delivery / service or the occurrence of an insured event

 

Austria Within the EEA
Contract and business partners who are involved in or are to be involved in the delivery or service

 

Worldwide depending on place of business of the company

 

Required for performance of the contract (Art. 49 para. (1) lit. (b) or (c) GDPR)

 

 

Data processing regarding suppliers and business partners and their contacts

We process your personal data either to implement pre-contractual measures or to fulfil our contractual obligations (Art. 6 para. (1) lit. (b) GDPR), to comply with our legal obligations (Art. 6 para. (1) lit (c) GDPR) or on the basis of our overriding legitimate interest (Art. 6 para. (1) lit. (f) GDPR), which consists in achieving the purposes mentioned in lit. (a) to (e) below.

The processing of your data serves above all to initiate, maintain and execute our contracts for goods and services.

We will process your personal data listed in Annex 3 in particular for the following purposes:

  1. for handling our procurement;
  2. for providing working materials and infrastructure to ensure efficient internal workflows;
  3. for communicating with our suppliers and business partners;
  4. for making it possible for us to use the products and services of our suppliers and business partners; and
  5. for administering our contracts with our suppliers and business partners.

Your personal data

  • is provided to us either directly by you (in particular by e-mail or other means of communication) or
  • we collect your personal data ourselves as part of managing our business relations.

You are not obliged to provide us with the personal data that we request from you. However, joint business processes may be delayed or in some cases may be impossible if you do not provide your personal data. Should the provision of your data be legally binding in some cases, we will point this out to you separately.

In order to fulfil these purposes to be achieved, it may be necessary in certain cases to disclose your data, in particular to the following recipients. Such disclosure may be effected by transmission, dissemination or otherwise making the data available. If you do not provide us with your data, we cannot enter into a business relationship with you.

RECIPIENT

 

PLACE OF BUSINESS (COUNTRY)

 

BASIS FOR TRANSMISSION IN THIRD COUNTRY

 

Agentur LOOP New Media GmbH (website support / website maintenance)

 

Austria

 

Within the European Economic Area (“EEA”)

 

INFOTECH EDV-Systeme GmbH (Internet and telephone services)

 

Austria Within the EEA
INFOTECH EDV-Systeme GmbH (in the context of support and remote maintenance of our EDP)

 

Austria Within the EEA
Legal representatives

 

Austria Within the EEA
Banks for handling payment transactions

 

Austria

 

Within the EEA

 

Public accountants

 

Austria

 

Within the EEA
Courts and administrative authorities

 

Austria and in individual cases EU-wide

 

Within the EEA
Competent administrative authorities, in particular tax authorities

 

Austria

 

Within the EEA
Collection agencies for collecting debts (abroad, therefore, only if the debt must be collected abroad)

 

Austria and in individual cases EU-wide Within the EEA
External financers, such as leasing or factoring companies and transferees, if the delivery or service is financed externally

 

Austria

 

Within the EEA
Insurance companies due to the conclusion of an insurance contract for the delivery / service or the occurrence of an insured event

 

Austria Within the EEA
Contract and business partners who are involved in or are to be involved in the delivery or service

 

Worldwide depending on place of business of the company

 

Required for performance of the contract (Art. 49 para. (1) lit. (b) or (c) GDPR)

 

Statistics Austria for the production of legally required (official) statistics

 

Austria Within the EEA
Customers

 

Worldwide depending on place of business of the company Required for performance of the contract (Art. 49 para. (1) lit. (b) or (c) GDPR)

 

Data processing regarding job candidates

We process your personal data either to implement pre-contractual measures (conclusion of an employment contract, Art. 6 para. (1) lit. (b) GDPR), based on your express consent (Art. 6 para. (1) lit. (a) GDPR), if we wish to keep you on file as an applicant or to comply with our legal obligations (registration as an employee with the social security authorities, Art. 6 para. (1) lit. (c) GDPR). You can withdraw your consent to being kept on file as a job candidate at any time (see point “What rights do you have with regard to data processing?”).

The processing of your data serves to handle the job application procedure and for registering you with the social security authorities if we should employ you. If you do not provide us with your data, we cannot handle your job application.

We will process the categories of your personal data listed in Annex 4 in particular for the following purposes:

  • To actively approach potential employees through various channels as well as through commissioned personnel consultants (recruitment);
  • to carry out human resources planning and management, including ensuring adequate staffing;
  • for investment decisions;
  • to plan and manage the skills of potential employees;
  • to process applications received through different channels (e.g. via e-mail, Xing or LinkedIn);
  • to implement the job application process;
  • to establish, exercise or defend legal claims;
  • to be able to avail ourselves of received applications at a later date for potential employment.

We receive this data

  • from public sources,
  • from personnel consultants,
  • in the course of the application process in which you provide us with the data yourself (e.g. by sending us your CV by e-mail) or
  • through notes made during the interview.

You are not obliged to provide us with the personal data that we request from you. However, it will not be possible to complete the application process if you do not provide your personal data. Should the provision of your data be legally binding in some cases, we will point this out to you separately.

In order to fulfil these purposes to be achieved, it may be necessary in certain cases to disclose your data, in particular to the following recipients. Such disclosure may be effected by transmission, dissemination or otherwise making the data available.

RECIPIENT

 

PLACE OF BUSINESS (COUNTRY)

 

BASIS FOR TRANSMISSION IN THIRD COUNTRY

 

Agentur LOOP New Media GmbH (website support / website maintenance)

 

Austria

 

Within the European Economic Area (“EEA”)

 

INFOTECH EDV-Systeme GmbH (Internet and telephone services)

 

Austria Within the EEA
INFOTECH EDV-Systeme GmbH (in the context of support and remote maintenance of our EDP)

 

Austria Within the EEA
External personnel accounting, bookkeeping, tax consultancy if required in the job application procedure and for registration with the social security authorities

 

Austria

 

Within the EEA

 

 

Collection of personal data from sources other than the data subject himself/herself (Art. 14 GDPR)

Even if the processing of your data falls under “Data processing regarding visitors to our website and interested parties” in respect of newsletters, contact forms, “Data processing regarding users of our online shop”, “Data processing regarding (potential) customers or contacts of a customer”, “Data processing regarding suppliers and business partners and their contacts” or “Data processing regarding job candidates” and we therefore, as a rule, collect the data from you personally, i.e. it is usually you yourself who makes this data available to us, it may in individual cases happen that we also obtain data from other sources. These other sources are publicly accessible information only that we obtain from the Internet or, in individual cases, from credit agencies. The data that we obtain about you from third party sources and store in our systems is limited to contact details (e-mail address and telephone number, postal address), your position in the company, your professional history, and your association with or responsibility for a particular company (usually your employer or any company affiliated or otherwise related to it), if you have not disclosed this information to us in the course of the communication. If you are a job candidate, we can also process information from publicly available sources about your professional, school and university career as well as about works you have written. However, we usually ask you directly whether you can provide us with this information if it could not be found in your application documents. This processing is based on our legitimate interest in a complete set of data concerning you, which is necessary for professional communication and for handling of the business relationship as well as the application process, depending on our relationship with you (Art. 6 para. (1) lit. (f) GDPR).

Data transfer within the group of companies

We may transfer personal data to other companies within our group of companies or grant them access to such data. If this transfer is for administrative purposes, the transfer of data is based on our legitimate entrepreneurial and business interests or is effected if necessary for the fulfilment of our contractual obligations or if the data subjects have given their consent or it is permitted by law.

Data transfer to third country / automated decision-making

As a rule, data is not transferred to a third country (i.e. outside the European Union (EU), the European Economic Area (EEA)) or an international organisation. Some of the recipients of your personal data mentioned in “Data processing regarding visitors to our website and interested parties” and specifically regarding newsletters, contact forms, links to other websites, cookies, online marketing, presence in social networks, plugins and embedded functions and content, “Data processing regarding users of our online shop”, “Data processing regarding (potential) customers or contacts of a customer”, “Data processing regarding suppliers and business partners and their contacts” or “Data processing regarding job candidates” are located outside your country or process your personal data there. The level of data protection in other countries may not correspond to that in Austria. If we process data in a third country or if processing takes place in the context of using the services of third parties or the disclosure or transfer of data to other persons, bodies or companies, this is only done in compliance with legal requirements. Subject to express consent or transfer required by contract or by law, we process or allow the data to be processed only in third countries with a recognised level of data protection or on the basis of special safeguards, such as contractual obligations through the so-called standard contractual clauses of the EU Commission, the existence of certifications or binding internal data protection regulations (Art 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de). The standard contractual clauses are available on request (see the contact data under “Who is responsible for data protection?”).

There is no automated decision-making in individual cases including profiling pursuant to Art 22 GDPR.

How long will your data be stored?

Your personal data will only be stored by us for as long as necessary to achieve the above-mentioned purposes.

We store your personal data in any case for as long as (i) a legal or statutory provision on retention applies or (ii) any legal claims are not yet time-barred, for the establishment or defence of which the personal data is required.

For tax law reasons, we store contracts and other documents as well as the related correspondence from our contractual relationship for a period of 10 years as a rule.

Data of job candidates who are not hired will be deleted 7 months after completion of the application procedure, unless we ask them to agree to being kept on record. Up to 3 years after a job interview, we shall store the data relevant for the assessment of a claim for compensation of any interview costs according to section 1486 Z 5 of the Austrian General Civil Code (ABGB). For hired job candidates, our internal privacy policy for employees shall apply, which can be requested during the application process.

Marketing data is retained for up to 3 years after the last contact.

What rights do you have with regard to data processing?

You have the following rights towards us in relation to the personal data concerning you:

  • Right of access (Art. 15 GDPR): You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed. Where that is the case, you have a right of access to this personal data and to information pursuant to Art. 15 GDPR.
  • Right to rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of personal data concerning you or, if necessary, to have incomplete personal data completed.
  • Right to erasure (“right to be forgotten”; Art 17 GDPR): You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the grounds specified in Art. 17 GDPR applies (e.g. data processing is no longer necessary to achieve the purpose).
  • Right to restriction of processing (Art. 18 GDPR): You have the right to obtain from us restriction of processing where one of the grounds listed in Art. 18 GDPR applies (e.g. in the case of an objection to processing pending the verification whether our legitimate grounds override your legitimate grounds).
  • Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller without hindrance from us. However, you are only entitled to this right if the processing is based on consent (Art. 6 para. (1) lit (a) or Art. 9 para. (2) lit. (a) GDPR) or on a contract (Art. 6 para. (1) lit. (b) GDPR) and the processing is carried out by automated means.

Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you. However, you are only entitled to this right if the processing is necessary for the performance of a task carried out in the public interest or is carried out in the exercise of official authority vested in us (Art. 6 para. (1) lit. (e) GDPR) or is necessary to protect our legitimate interests or those of a third party (Art. 6 para. (1) lit. (f) GDPR).

When exercising your right to object, we ask you to please state your reasons why we should not process your personal data as we have done. We will examine the situation and either discontinue or adjust our data processing or point out to you our compelling legitimate grounds and continue the data processing. We will also continue the data processing if it serves for the establishment, exercise or defence of legal claims.

You may object to data processing for the purposes of direct marketing and data analysis (profiling related to direct marketing) at any time and free of charge. In this case we will then no longer process the data.

Right of withdrawal

If you have given us your consent to process your personal data, you can also withdraw this consent at any time. Your withdrawal will not affect the lawfulness of processing before its withdrawal; i.e. the withdrawal is valid for the future.

How can you exercise your rights towards us?

In order to exercise the aforementioned rights, you must notify us in person, by telephone or in writing:

Löffler GmbH
(FN 113126m, Regional Court (Landesgericht) of Ried im Innkreis)
4910 Ried im Innkreis – Austria
Phone: +43 77 52 / 84 421 – 0
Fax: +43 77 52 / 84 421 – 148
E-mail: dsgvo@loeffler.at

Please note that we can only provide you with information if you can identify yourself.

If, despite our obligation to process your data lawfully, an unexpected violation of your right to the lawful processing of your data should occur, please contact us by post or e-mail (see above for contact details) so that we can learn about your concerns and deal with them. However, you also have the right to lodge a complaint with the Austrian Data Protection Authority or another data protection supervisory authority in the EU, in particular at your habitual place of residence or place of work. Should you have any further questions regarding the processing of your data, please do not hesitate to contact us directly (contact details see above).

Minors

Our website and our services are not intended for the use of minors and we do not wish to collect data from minors. If a parent or other representative of a minor believes that his or her child may have provided us with personal data, please write to us using the contact details provided above and we will delete such personal data subject to applicable law and this privacy policy.

Our contact details

Löffler GmbH
(FN 113126m, Regional Court (Landesgericht) of Ried im Innkreis)
4910 Ried im Innkreis – Austria
Phone: +43 77 52 / 84 421 – 0
Fax: +43 77 52 / 84 421 – 148
E-mail: office@loeffler.at or dsgvo@loeffler.at

Annex 1: Personal data of private persons (B2C)

  • Names
  • Titles
  • Contact details (address, e-mail address, telephone number)
  • Preferred language
  • Delivery address
  • Terms and conditions of delivery or service (including details of the place of delivery or service, packaging, etc.)
  • Payment method
  • Bank details
  • Credit card number and credit card company
  • Date and time of visit of our online shop
  • IP address, name and version of your web browser
  • Website (URL) that you visited before accessing our online shop
  • Information that you provide to us by filling out a contact form, registering in this online shop or ordering products

Annex 2: Personal data of (potential) customers:

  • Names
  • Titles
  • Company name
  • Contact details (address, e-mail address, telephone number)
  • Communication with you

Personal data of customers:

  • Concluded delivery and service contracts and related data, in particular
    • Spending and revenues
    • Block indicators (e.g. contact block, invoice block, delivery block, posting block, payment block)
    • Affiliation with a specific purchasing association or group
    • Object of the delivery or service
    • Bonus, commission data, etc.
    • Contact for handling the delivery or service
    • Terms and conditions of delivery and service (including information on the place of delivery or service, packaging, etc.)
    • Data on customs clearance (e.g. country of origin, customs tariff number) and export controls
    • Data concerning the insurance of the delivery or service and its financing
    • Financing and payment conditions
    • Credit management data (e.g. credit limit, bill of exchange limit)
    • Data on payment or performance behaviour of the data subject
    • Reminder/claim data
    • Account and document data
    • Performance-specific expenses and earnings
  • Company register/commercial register data
  • Creditworthiness data
  • Turnover tax identification number or Intrastat identification number
  • Payment data (especially bank account and credit card data)
  • Customer category

Personal data of employees with (potential) customers:

  • Names
  • Titles
  • Gender
  • The company you work for and your function there
  • Date and place of birth
  • Contact details (address, e-mail address, telephone number)
  • Communication content (of e-mails and telephone calls etc)
  • Additional data for addressing the customer, supplier or third party
  • Business transactions processed by the data subject
  • Representation powers
  • Date and time of visits
  • Signature
  • Receipt of and response to marketing and sales initiatives
  • Professional and personal interests

Annex 3: Personal data of suppliers and business partners

  • Names
  • Titles
  • Gender
  • Date of birth
  • Contact details (address, e-mail address, telephone number)
  • Company register/commercial register data
  • Block indicators (e.g. contact block, invoice block, delivery block, posting block, payment block)
  • Identification numbers for the purposes of official statistics such as UID number and Intrastat identification number
  • Affiliation with a specific purchasing association or group
  • Object of the delivery or service
  • Bonus, commission data, etc.
  • Contact for handling the delivery or service
  • Third parties involved in the provision of services, including information on the nature of their involvement
  • Terms and conditions of delivery and service (including information on the place of delivery or service, packaging, etc.)
  • Data on customs clearance (e.g. country of origin, customs tariff number) and export controls
  • Data concerning the insurance of the delivery or service and its financing
  • Data on tax liability and tax calculation
  • Financing and payment conditions
  • Bank details, credit card details
  • Credit management data (e.g. credit limit, bill of exchange limit)
  • Data on payment or performance behaviour of the data subject
  • Reminder/claim data
  • Account and document data
  • Performance-specific expenses and earnings

Personal data of contacts at suppliers and business partners

  • Names
  • Titles
  • Gender
  • Associated customer, supplier or third party
  • Additional data for addressing the customer, supplier or third party
  • Function of the data subject with the recipient or provider of services
  • Scope of the power of representation
  • Business transactions processed by the data subject

Annex 4: Personal data of job candidates

  • Name
  • Form of address (Mr/Ms/divers) including academic title
  • Name affix
  • Photo (if provided)
  • Gender
  • Address
  • Date and place of birth
  • Driving licence (yes/no)
  • E-mail address
  • Telephone number
  • Marital status and children
  • Nationality
  • Position for which you would like to apply
  • Earliest entry date
  • Term of notice
  • Salary expectations
  • Curriculum vitae
  • Military service/civilian service
  • Education (school, university, courses)
  • Previous professional experience
  • Personal skills and expertise
  • Signature
  • Certificates and testimonials
  • Notes from the job interview
  • Communication data (including e-mail correspondence)
  • Other data provided by you in the context of the application process

Privacy information Facebook

Name and address of the controllers:

For the purposes of the European Union’s General Data Protection Regulation (“GDPR”) and other data protection rules and regulations, the joint controllers bearing responsibility for the operation of this Facebook page are:

Facebook Ireland Ltd. (hereinafter “Facebook”)
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

and

LÖFFLER GmbH
(Registered with the Regional Court of Ried im Innkreis under registration no. FN 113126m)
Südtirolerstraße 41
4910 Ried im Innkreis
Austria
Tel. +43 77 52 / 84 421 – 0
Fax. +43 77 52 / 84 421 – 148
Email: office@loeffler.at or dsgvo@loeffler.at

Information about our Facebook page:

We operate this Facebook page for the purpose of calling your attention to our services/products and to establish contact with you as a visitor to and user of this Facebook page and our website. Further information about us, our activities, company, etc., can be found on our website: https://www.loeffler.at/en/.

We wish to emphasise that your use of this Facebook page and its functions is your own responsibility. This applies in particular to any use that is made of the interactive functions (e.g. commenting, sharing, and rating).

When you visit our Facebook page, personal data are collected and processed by the above-mentioned joint controllers. Together with Facebook, we are responsible for the collection (but not the further processing) of the data of visitors to our Facebook page. To this end, we have concluded a joint responsibility agreement with Facebook. You can find more information about this agreement at:
https://www.facebook.com/legal/terms/page_controller_addendum.

As the operator of the Facebook page, we have no interest in the collection and further processing of your individual personal data for analysis or marketing purposes. Further information on our handling of personal data can be found in our data policy, which is available on our website at the following address https://www.loeffler.at/en/privacy-policy/.

Pursuant to Article 6(1)(f) GDPR, the operation of this Facebook page – including the processing of any personal data concerning users of this page – is lawful based on our legitimate interest in providing information and support to our users and visitors and interacting with them in a timely manner.

If you are registered with Facebook, you give your consent to the processing of your personal data by Facebook in accordance with the relevant terms of use and Facebook’s data protection and cookie provisions, as provided for under Article 6(1)(a) GDPR. If you are not registered on Facebook, you give your consent to the processing and statistical analysis of your personal data by Facebook and to the transmission of such anonymised statistics to us, in accordance with Article 6(1)(a) GDPR, by accessing a subpage of our Facebook page. No personal data are collected by cookies unless you call up and access a subpage of our Facebook page.

Processing of personal data by Facebook:

I am/we are aware that Facebook processes user data for the following purposes:

  • Advertising (analysis, personalised advertising)
  • Creation of user profiles
  • Market research

Facebook uses cookies to store and further process this information, i.e. small text files that are stored on the various end devices of users. If the user has a Facebook profile and is logged in, the storage and analysis of data is also carried out across all devices.

In its data policy, Facebook describes in general terms what information Facebook receives and how it is used. There you will also find information about how to contact Facebook and the settings for advertisements. Its data policy is available at:
https://www.facebook.com/about/privacy.
Facebook’s full data use policy can be found here:
https://www.facebook.com/full_data_use_policy.

We do not know and Facebook does not conclusively and clearly state in what way it makes use of the data it collects from visitors to Facebook pages for its own purposes, to what extent activities on a Facebook page are assigned to individual users, how long Facebook stores this data and whether data from a visit to a Facebook page is passed on and made available to third parties.

When you access a Facebook page, the IP address assigned to your end device is transmitted to Facebook. According to information from Facebook, this IP address is anonymised. Facebook also stores information about the end devices of its users (e.g. as part of the “login notification” function); Facebook is thus able to assign IP addresses to individual users, as the case may be.

If you are currently logged in to Facebook as a user, a cookie containing your Facebook ID is stored on your end device. This lets Facebook know that you have visited this page and enables it to understand how you have used it. This also applies to all other Facebook pages. Facebook buttons integrated into websites enable Facebook to record your visits to these website pages and assign them to your Facebook profile. This data can be used to offer content tailored to you or targeted advertising.

If you wish to prevent this from happening, you should log out of Facebook or deactivate the “stay logged in” function, delete the cookies stored on your device, close your browser and then restart it. By doing this, Facebook information that could be used to identify you directly is deleted. This will allow you to access and use our Facebook page without revealing your Facebook identification. When you access interactive features of the site (Like, Comment, Share, Messages, etc.), a Facebook login screen will appear. Should you decide to log back in, Facebook will once again be able to identify you as a specific user.

Information on how to manage or delete information about you can be found on the following Facebook support pages:
https://www.facebook.com/about/privacy.

Opt-outs can be set here:
https://www.facebook.com/settings?tab=ads and here
http://www.youronlinechoices.com.

As the operator of the page we cannot exclude the possibility of the transmission and further processing of users’ personal data to and in third countries, such as the United States for example, as well as the potential risks this may pose to users. The United States does not provide a level of data protection that is equivalent to the protection afforded under EU law. In particular, US security and intelligence services may access your data without informing you and without you being able to take legal action against it. For this reason, the Court of Justice of the European Union issued a ruling in which it invalidated the previous adequacy decision (“EU-US Privacy Shield”).

Statistical data:

We can access different categories of statistical data via the so-called “Insights” Facebook page. These statistics are generated and made available by Facebook. As the operator of the site, we have no influence on the generation and presentation of such statistics. We cannot turn off this function or prevent the generation and processing of the data. For a chosen period and in each case for the categories ‘fans’, ‘subscribers’, ‘people reached’ and ‘people interacting’, Facebook will make the following data relating to our Facebook page available to us:

  • Total number of page views;
  • “Like” information;
  • Page activities;
  • Contribution interactions;
  • Range;
  • Video views;
  • Contribution range;
  • Comments;
  • Shared content;
  • Replies;
  • Proportion of men and women;
  • Origin with regard to country and city;
  • Language;
  • Calls and clicks in the shop;
  • Clicks on route planners;
  • Clicks on telephone numbers;
    This also provides data on the Facebook groups linked to our Facebook page.

Data that identifies you personally (e.g. name or e-mail address) are not transmitted to us within the context of joint processing. More information on Page Insights Data can be found at:
https://www.facebook.com/legal/terms/information_about_page_insights_data.

These data are available to us for a period of two years following their collection.

As Facebook is under constant development, the availability and preparation of the data is subject to change, so we would ask that you refer to the above-mentioned Facebook privacy policy for further details.

We use this available data in an aggregated form to make our contributions and activities on our Facebook page more attractive to users. For example, we use data on age and gender distributions to adapt the approach we take and we use data on users’ preferred visiting times to plan and optimise the time of our posts. Information about the type of end devices used by visitors to the page helps us to customise the visual and creative design of our contributions. According to the Facebook Terms of Use, which each user agrees to be bound by when creating a Facebook profile, we can identify subscribers and fans of the page and view their profiles and other shared information by them.

User rights:

Facebook is primarily responsible for providing you with information on joint processing and for enabling you to exercise the rights to which you are entitled under the GDPR.

You can learn more about these rights in your Facebook settings:
https://www.facebook.com/settings?tab=your_facebook_information.

More information on the right of access and the right to data portability can be found at:
https://www.facebook.com/help/contact/2032834846972583.

More information on the right to object can be found at:
https://www.facebook.com/help/contact/367438723733209.

You can find more information about Facebook’s cookie and privacy policy at:
https://www.facebook.com/about/privacy, https://www.facebook.com/policies/cookies/.

As only Facebook has full access to user data, we recommend you contact Facebook directly if you wish to exercise your rights as a data subject or withdraw your consent. The best way to do this is to use the forms to which links are provided in Facebook’s privacy policy on Page Insights Data (https://www.facebook.com/legal/terms/information_about_page_insights_data) or write to Facebook at the following address: Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. In the event that you no longer wish your data to be processed in future as described here, please remove the link to our page from your user profile by using the “I no longer like this page” function.

Furthermore, you have the right

  • referred to in Article 15 GDPR, to obtain information at any time about which data concerning you are being processed;
  • pursuant to Articles 16 and 17 GDPR, to have incomplete data completed and to have inaccurate data rectified or deleted;
  • subject to certain conditions, to demand the erasure of your data as provided for in Article 17 GDPR (however, no right to erasure exists to the extent that the processing is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims);
  • subject to certain conditions, to demand the restriction of the processing of your data pursuant to Article 18 GDPR and to object to the processing of your data as provided for in Article 21 GDPR;
  • pursuant to Article 20 GDPR, to receive the data concerning you, which you have provided, in a structured, commonly used and machine-readable format and to transmit those data to another controller or – where technically feasible – to have it transmitted by Facebook;
  • to revoke your consent at any time if your data are processed on the basis of your consent, whereby the revocation does not affect the lawfulness of the data processing carried out up until the time of revocation; and
  • to lodge a complaint with the Austrian Data Protection Agency or with another data protection supervisory authority within the European Union, in particular at your place of residence or work.