As the operator of the website www.xenox.at and of the XENOX online shop, pursuant to Article 12 et seq. of the General Data Protection Regulation (“GDPR”), at this point we would like to inform you about data processing carried out by us in connection with the website www.xenox.at and with the XENOX online shop, where “we” and “us” refer to
4020 Linz, Austria,
Tel. +43 732 772895 0
Fax: +43 732 781895
registered under FN 358176f with the commercial register at the regional court Linz (“Landesgericht Linz”).
1. We inform you about your rights under the GDPR:
Your right to object (Art 21 GDPR):
- If you object, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on point e or f of Art 6/1 GDPR, we will no longer process the personal data for the relevant purpose, unless there are compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims (Art 21/1 GDPR).
- If, on the other hand, you object to the processing of personal data concerning you for direct marketing purposes, your data will no longer be processed for such marketing in any case, without further requirements having to be met (Art 21/2 GDPR).
Your other rights under the GDPR:
- The right to obtain from us confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access, and the right to be provided with a copy of the data concerning you stored by us (Art 15 GDPR), insofar as the provision of this information would not jeopardise a business or trade secret of ours or of a third party.
- Right to obtain from us without undue delay the rectification of inaccurate personal data concerning you (Art 16 GDPR).
- Right to obtain from us the erasure of personal data concerning you without undue delay (Art 17 GDPR) if one of the following cases applies:
- The personal data are no longer necessary in relation to the purposes for which they were processed.
- You have withdrawn consent on which the processing is based and there is no other legal ground for the processing.
- You successfully object to the processing (Art 21 GDPR, see above).
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation to which we are subject.
- The personal data have been collected in relation to information society services offered to children.
Article 17/3 GDPR contains restrictions on the right to erasure, for example where data is used for the defence of legal claims.
- Right to restriction of processing (Art 18 GDPR), whereby the use of data can be restricted without deleting them. This can be particularly useful in parallel with the assertion of a right to rectification or a right to object.
- Right to data portability (Art 20 GDPR), i.e. to receive data in a structured, commonly used and machine-readable format and to transmit it to another controller for processing; this, however, only insofar as the processing is based on consent or a contract and the processing is carried out by automated means.
- Right to withdraw your consent informally at any time, insofar as we process personal data relating to you based on consent. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (Art 7/3 GDPR).
- Right to lodge a complaint with the Austrian data protection authority or with another data protection supervisory authority in the EU, in particular at the place of residence or place of work.
2. Processing of customer data:
We process the personal data of each customer (orderer) as a data subject, which the customer (orderer) provides in the course of placing an order in the XENOX online shop by entering it in the respective input form, for the following purposes (on the basis of the aforementioned legal basis):
- Processing of the order, conclusion and fulfilment of the sales contract (legal basis is the necessity to take steps at the request of the data subject prior to entering into a contract and for the performance of a contract to which the data subject is party; Art 6/1/b GDPR).
- Accounting and documentation of all sales (legal basis is the necessity for compliance with a legal obligation, namely our obligation to keep records under commercial and tax law; Art 6/1/c GDPR).
- Contacting, sending useful or interesting information and advertising by ordinary mail, i.e. post (legal basis is our legitimate interest in achieving these purposes; Art 6/1/f GDPR).
- If the data subject has given appropriate consent: Sending the email newsletter; contacting, sending useful or interesting information and advertising by email (legal basis is the consent of the data subject; Art 6/1/a GDPR).
- If necessary, checking the legal situation and enforcing or defending legal claims, providing evidence (legal basis is our legitimate interest in achieving these purposes; Art 6/1/f GDPR).
This data will be disclosed, at least in part, to the following categories of recipients, where such disclosure shall be restricted to the extent necessary to achieve the purposes in question and where the data will not leave the territory of the European Union:
- Our employees.
- Our tax advisors.
- Processors used by us, such as IT service providers and software providers.
- Carriers engaged by us.
- If necessary, our legal representation, courts and various authorities.
Data concerning our customers will be stored until the expiry of all relevant limitation and retention periods.
The provision of personal data by the customer is neither legally nor contractually required. However, we can only process an order if the data requested in the course of the ordering process is made available to us.
3. Processing of data concerning website visitors
Data actively provided by the visitor:
From the visitors of the website www.xenox.at ("visitors"), we process all those data that the visitor actively provides by filling in the corresponding fields, in particular when registering for the newsletter. Such data processing serves the purpose of providing the visitor with the service for which he/she has registered (legal basis is the consent of the data subject).
This data is disclosed to our employees and to processors (in particular IT service providers) used by us.
With the following information we inform you about the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedure and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.
Content of the newsletter: We send newsletters, e-mails and other electronic notifications with promotional information (hereinafter "newsletter") only with the consent of the recipients or a legal permission. If the contents of the newsletter are specifically described in the course of registration, they are decisive for the consent of the users. In addition, our newsletters contain information about our products and accompanying information (e.g. safety instructions), offers, promotions and our company.
Double opt-in and logging: Registration for our newsletter is carried out in a so-called double opt-in process. This means that after registration you will receive an e-mail in which you are asked to confirm your registration. This confirmation is necessary so that no one can register with email addresses that are not their own. The registrations for the newsletter are logged in order to be able to prove the registration process in accordance with the legal requirements. This includes the storage of the registration and confirmation time as well as the IP address. Likewise, changes to your data stored with the dispatch service provider are logged.
Registration data: To register for the newsletter, it is sufficient to enter your e-mail address. Optionally, we ask you to enter a name for the purpose of a personal address in the newsletter.
The newsletter is sent and its success measured on the basis of the recipients' consent pursuant to Art 6/1 point a, Art 7 GDPR in conjunction with § 107 Para 2 of the Austrian Telecommunication Act (“TKG”) or, if consent is not required, on the basis of our legitimate interests in direct marketing pursuant to Art 6/1 point f GDPR in conjunction with § 107 Para 2 and 3 TKG.
The logging of the registration process is based on our legitimate interests in accordance with Art 6/1 point f GDPR. Our interest is to use a user-friendly and secure newsletter system that serves our business interests as well as the expectations of the users and also allows us to prove consent.
Cancellation/withdrawal - You can cancel the receipt of our newsletter at any time, i.e. withdraw your consent. You will find a link to cancel the newsletter at the end of each newsletter. We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them in order to be able to prove consent previously given. The processing of this data is limited to the purpose of a possible defence against claims. An individual deletion request is possible at any time, provided that the former existence of consent is confirmed at the same time.
Newsletter - Mailchimp
The Rocket Science Group LLC d/b/a MailChimp is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with the European level of data protection (https://www.privacyshield.gov/participant?id=a2zt0000000TO6hAAG&status=Active). The shipping service provider is used on the basis of our legitimate interests pursuant to Art. 6/1 point f GDPR and an order processing contract pursuant to Art. 28/3 GDPR.
The dispatch service provider may use the data of the recipients in pseudonymous form, i.e. without assignment to a user, to optimise or improve its own services, e.g. to technically optimise the dispatch and presentation of the newsletter or for statistical purposes. However, the dispatch service provider does not use the data of our newsletter recipients to write to them itself or to pass the data on to third parties.
Newsletter - performance measurement
The newsletters contain a so-called "web beacon", i.e. a pixel-sized file which is retrieved from our server when the newsletter is opened, or if we use a dispatch service provider, from their server. Within the scope of this retrieval, technical information such as information on the browser and your system, as well as your IP address and the time of the retrieval are initially collected.
This information is used for the technical improvement of the services on the basis of the technical data or the target groups and their reading behaviour on the basis of their retrieval locations (which can be determined with the help of the IP address) or the access times. Statistical surveys also include determining whether newsletters are opened, when they are opened and which links are clicked. For technical reasons, this information can be assigned to the individual newsletter recipients. However, it is neither our intention nor, if used, that of the dispatch service provider to observe individual users. Rather, the evaluations help us to recognise the reading habits of our users and to adapt our content to them or to send different content according to the interests of our users.
Unfortunately, a separate revocation of the performance measurement is not possible; in this case the entire newsletter subscription must be cancelled.
Hosting and e-mail dispatch
The hosting services used by us serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail dispatch, security services and technical maintenance services, which we use for the purpose of operating this online offer.
In doing so, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, meta data and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art 6/1 point f GDPR in conjunction with Art 28 GDPR (contract concluded with the processor).
- Automatically collected personal data (= cookies policy):
In the course of visiting our website, we also collect and process personal data relating to the visitor, which the visitor does not actively provide by entering it in a field provided for this purpose. This is done by setting cookies. A cookie is a small text file that stores internet settings and is downloaded by the visitor's web browser the first time they visit a website. The next time this website is called up with the same terminal device, the cookie is sent back and provides information, either to the website that generated it and sent it itself (first party cookie) or to a party other than the website that generated the cookie independently of the website and then sent it via the website (third party cookie). Through this return of the cookie, the website or this other party recognises that the visitor has already visited this website, or another website sending the same third party cookie, with his browser. The content may then vary on the basis of this information.
We use Google Analytics: In the process, the IP address of the visitor is anonymised.
- Google Analytics is a web analytics service provided by Google, Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, United States). Google processes the website usage data on our behalf (as a processor) and is contractually committed to measures to ensure the confidentiality of the processed data.
- However, the IP anonymisation active on this website leads to the anonymisation of the IP address and thus to the anonymisation of all data collected: For user IP addresses of type IPv4, the last octet and for IPv6 addresses, the last 80 bits in the memory are set to zero (i.e. "anonymised") shortly after it has been sent to the Analytics data collection network for collection, while it is still within the working memory and before it is stored on the hard disk (more on anonymisation at https://support.google.com/analytics/answer/2763052?hl=de).
- The anonymised IP address transmitted by the browser used within the scope of Google Analytics is not merged with other Google data.
- The purpose of this data processing by Google is to analyse the use of our website and, based on this, to optimise our website and the associated advertising measures. We have a legitimate interest in achieving this purpose (Art 6/1/f GDPR).
- On our behalf, Google will use the information obtained for the purpose of evaluating - on an anonymous basis - the use of the website by visitors, compiling reports on website activity and providing other services relating to website activity and internet usage.
- Google stores this data on our behalf for 14 months, after which it is deleted. Only in aggregated form does it remain indefinitely (e.g. for the total number of website visits indicated).
- If you do not want user data and IP address to be stored and processed in anonymised form, you must not allow the cookies to be stored and thus also the collection of data by Google (setting in the web browser used: Do not allow third-party cookies.) Admittedly, not all functions of the website may then be fully usable.
- You can find even more details about Google Analytics here.
Google Tag Manager
Google Tag Manager is a solution with which we can manage so-called website tags via an interface (and thus, for example, integrate Google Analytics and other Google marketing services into our online offer). The tag manager itself (which implements the tags) does not process any personal data of the users. With regard to the processing of users' personal data, please refer to the following information on Google services. Usage guidelines: https://www.google.com/intl/de/tagmanager/use-policy.html.
Here you can: Deactivate Google Analytics
The users' personal data is deleted or anonymised after 14 months.
Google Universal Analytics
We use Google Analytics in the form of Universal Analytics. "Universal Analytics" refers to a Google Analytics procedure in which user analysis is carried out on the basis of a pseudonymous user ID and thus a pseudonymous profile of the user is created with information from the use of different devices (so-called "cross-device tracking").
Target group formation with Google Analytics
We use Google Analytics to display the ads placed within advertising services of Google and its partners only to those users who have also shown an interest in our online offer or who have certain characteristics (e.g. interests in certain topics or products determined on the basis of the websites visited), which we transmit to Google (so-called "Remarketing Audiences" or "Google Analytics Audiences"). With the help of the Remarketing Audiences, we also want to ensure that our ads correspond to the potential interest of the users.
Google AdWords and conversion measurement
We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 Para. 1 lit. f. GDPR).
Google is certified under the Privacy Shield agreement and thereby offers a guarantee of compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). (Disable Google Analytics)
We use the online marketing tool Google "AdWords" to place ads in the Google advertising network (e.g., in search results, in videos, on web pages, etc.) so that they are displayed to users who have a presumed interest in the ads. This allows us to better target ads for and within our online offering to present users only with ads that potentially match their interests. If, for example, a user is shown ads for products he or she has been interested in on other online offers, this is referred to as "remarketing". For these purposes, when our website and other websites on which the Google advertising network is active are called up, a code is executed directly by Google and so-called (re)marketing tags (invisible graphics or code, also known as "web beacons") are integrated into the website. With their help, an individual cookie, i.e. a small file, is stored on the user's device (comparable technologies can also be used instead of cookies). This file records which web pages the user has visited, which content the user is interested in and which offers the user has clicked on, as well as technical information on the browser and operating system, referring web pages, time of visit and other information on the use of the online offer.
Furthermore, we receive an individual "conversion cookie". The information obtained with the help of the cookie is used by Google to create conversion statistics for us. However, we only learn the anonymous total number of users who clicked on our ad and were redirected to a page tagged with a conversion tracking tag. We do not, however, receive any information that can be used to personally identify users.
User data is processed pseudonymously within the Google advertising network. This means that Google does not store and process the name or email address of the user, for example, but processes the relevant data on a cookie basis within pseudonymous user profiles. This means that from Google's perspective, the ads are not managed and displayed for a specifically identified person, but for the cookie holder, regardless of who this cookie holder is. This does not apply if a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about users is transmitted to Google and stored on Google's servers in the USA.
We use Facebook Pixel:
- Facebook Pixel is provided by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland ("Facebook").
- We are jointly responsible with Facebook for the processing of personal data associated with the use of Facebook Pixel.
- The use of Facebook Pixel causes Facebook to set a cookie, provided that the visitor has consented to this by setting their web browser accordingly (by allowing third-party cookies).
- Furthermore, personal data relating to the visitor is only collected and processed if the visitor is logged into Facebook and has accessed our website via a Facebook advertisement. This results in a link to the visitor's Facebook profile. In addition, data is processed about the visitor's behaviour on our website and about the hardware and software used. We do not perform the so-called "automatic advanced matching".
- The purpose of this data processing is the analysis and optimisation of our online offer and the appropriate promotion of the same, namely by placing targeted and individualised Facebook ads (details at https://www.facebook.com/business/learn/facebook-ads-pixel). The legal basis for data processing is our legitimate interest in achieving this purpose.
- Tracking procedures enable Facebook to track the visitor affected by the data processing across numerous websites and to use them for advertising products on Facebook. We ourselves as the website operator, on the other hand, cannot view this collected user data.
- In addition, visitors can change the settings for Facebook ads in their Facebook profile.
- Facebook Pixel is integrated on our website using the Google Tag Manager. Google Tag Manager is a solution that allows us to manage website tags (Facebook Pixel) via an interface. The Tag Manager tool itself (which implements the tags) is a cookie-less domain. The tool takes care of triggering other tags, which in turn collect data (as described above). Google Tag Manager does not access this data.
Consentmanager (Consent Management Tool):
- We use the consent management platform "Consentmanager" provided by consentmanager AB, Haltegelvägen 1b, 72348 Västeras, Sweden. This service allows us to obtain and manage the consent of website users for data processing. Consentmanager collects data generated by end users who use our website. When an end user provides consent, Consentmanager automatically logs the following data:
- Browser information
- Date and time of access
- Device information
- The URL of the page visited
- Banner language
- Consent ID
- The end user's consent status, which serves as proof of consent. The consent status is also stored in the end user's browser so that the website can automatically read and follow the end user's consent in all subsequent page requests and future end user sessions for up to 12 months. Consent data (consent and withdrawal of consent) is stored for three years. The retention period corresponds to the regular limitation period according to § 195 BGB. The data will then be deleted immediately.
The functionality of the website is not guaranteed without the described processing. There is no possibility for the user to object as long as there is a legal obligation to obtain the user's consent to certain data processing operations (Art. 7 para. 1 and Art. 6 para. 1 p. 1 lit. c GDPR).
Consentmanager is a recipient of your personal data and acts as a processor for us. The data processing takes place exclusively in the European Union. Detailed information on the use of Consentmanager can be found at: https://www.consentmanager.de/datenschutz/.
Online presence in social media
We maintain online presences within social networks and platforms in order to be able to communicate with the customers, interested parties and users active there and to inform them about our services there.
We would like to point out that user data may be processed outside the European Union. This may result in risks for the users, because it could, for example, make it more difficult to enforce the rights of the users. With regard to US providers certified under the Privacy Shield, we point out that they thereby undertake to comply with the data protection standards of the EU.
Furthermore, user data is usually processed for market research and advertising purposes. For example, usage profiles can be created from the usage behaviour and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the platforms that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users' computers, in which the usage behaviour and the interests of the users are stored. Furthermore, data may also be stored in the usage profiles irrespective of the devices used by the users (especially if the users are members of the respective platforms and are logged in to them).
The processing of the users' personal data is based on our legitimate interests in effectively informing users and communicating with users pursuant to Art. 6 para. 1 point f GDPR. If the users are asked by the respective providers for consent to the data processing (i.e. declare their consent e.g. by ticking a checkbox or confirming a button), the legal basis of the processing is Art. 6 para. 1 point a, Art. 7 GDPR.
For a detailed description of the respective processing and the opt-out options, please refer to the information provided by the providers linked below.
In the case of requests for information and the assertion of user rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users' data and can take appropriate measures and provide information directly. If you still need help, you can contact us.
Integration of third-party services and content
Within our online offer, we use content or service providers on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 Para. 1 point f. GDPR) to integrate content or services offered by third-party providers, such as videos or fonts (hereinafter uniformly referred to as "content").
This always requires that the third-party providers of this content are aware of the IP address of the user, as without the IP address they would not be able to send the content to their browser. The IP address is therefore necessary for the display of this content. We endeavour to only use content whose respective providers only use the IP address to deliver the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. The "pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, time of visit and other information about the use of our online offer, as well as being linked to such information from other sources.