SHMP
Schwartz Huber-Medek Partner Rechtsanwälte GmbH
Hohenstaufengasse 7
A-1010 Vienna

Phone: +43 1 513 50 050
Fax: +43 1 513 50 05-50
E-mail: office@shmp.at

1. INTRODUCTION
2. RESPONSIBLE
3. WHAT DATA IS COLLECTED?
3.1 Accessing the website (without registration or login)
3.1.1 Data processing
3.1.2 Legal basis for the processing of data
3.1.3 How long will the data be stored?
3.2 Use of the award platform
3.2.1 Data processing in connection with the ANKÖ
3.2.2 Legal basis for the processing of data
3.2.3 How long will the data be stored?
3.3 Customer contact by e-mail
3.3.1 Data processing
3.3.2 Legal basis for the processing of data
3.3.3 How long will the data be stored?
4. (NO USE OF) COOKIES
4.1 General information
4.2 Web analysis with Matomo
4.3 OpenStreetMap
5. DATA SECURITY
6. DATA PROCESSING IN THE EUROPEAN UNION
7. DATA TRANSMISSION TO THIRD PARTIES
8. PROCESSORS
9. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?
9.1 General information
9.2 Revocation (Art 7 para 3 GDPR)
9.3 Right to information (Art 15 GDPR)
9.4 Right to rectification (Art 16 GDPR)
9.5 Right to erasure (Art 17 GDPR)
9.6 Right to restriction (Art 18 GDPR)
9.7 Right to data portability (Art. 20 GDPR)
9.8 Right to object (Art 21 GDPR)
9.9 Right to lodge a complaint (Art 77 GDPR)
10. MISCELLANEOUS

Thank you for visiting our website. The protection of your personal data is important to us. In the following, we would therefore like to inform you comprehensively and transparently about the processing of your data during your visit to our website.

The person responsible for this website, including contact details, is

Name: SHMP Schwartz Huber-Medek Partner Rechtsanwälte GmbH
Address: A-1010 Vienna, Hohenstaufengasse 7
Telephone: +43 1 513 50 05-0
Fax: +43 1 513 50 05-50
E-mail: office@shmp.at

3.1 Accessing the website (without registration or login)

3.1.1 Data processing

Our website can be used by all users free of charge and without registration or login. If you only access the website for information purposes, we only collect the data - in particular access data and log files (hereinafter referred to as "server log files") - that your internet browser automatically transmits. This data is technically necessary to display the website correctly and to ensure its operation. The following server log files are processed:

 IP address of the requesting computer;
 Date and time of access;
 Name and URL of the retrieved file;
 Website from which the access is made (referrer URL);
 browser used and, if applicable, the operating system of your computer, as well as the name of your access provider.

3.1.2 Legal basis for the processing of data

The aforementioned data is processed to ensure a trouble-free connection to the website and the security of our systems. This processing is carried out on the basis of our legitimate interest in accordance with Art. 6 lit f GDPR.

3.1.3 How long will the data be stored?

The server log files are processed for a period of 30 days. They are then deleted unless longer processing is necessary (e.g. DDOS attacks).

3.2 Use of the award platform

3.2.1 Data processing in connection with the ANKÖ

In accordance with Sections 48, 217 BVergG 2018, we are obliged to handle procurement procedures that fall within the upper threshold range electronically. In addition, we also handle many other award procedures (e.g. in the sub-threshold area) electronically on a voluntary basis. This has the advantage for you that you can upload your documents via a secure platform (two-factor authentication or ID Austria) and your data is therefore protected in the best possible way.

Such electronic tendering procedures are carried out via the Austrian Contractor Register ("ANKÖ"). ANKÖ has created the following link for us for this purpose: https://shmp.vergabeportal.at. You can use this platform to call up information on initiated procurement procedures during the open period. After the deadline, this option is only available to those companies that have participated in the procedure. In the context of currently pending procedures, you also have the option of uploading your application documents or your tender directly via the respective procedure link on the procurement platform - or alternatively directly via the ANKÖ website. Regardless of the access method you choose, your documents will always be uploaded via the ANKÖ website.

The documents uploaded by you are then stored and checked by us on the local server. Personal data is also processed as part of such tendering procedures. This concerns in particular the request for proof of suitability and the transmission or comparison of company-related information. The processing is carried out exclusively for the purpose of carrying out and processing award procedures - in particular to check the suitability and reliability of bidders in accordance with the provisions of public procurement law. You can find more detailed information on this in the data protection information for the respective procedures.

The link https://shmp.vergabeportal.at and the ANKÖ platform https://www.ankoe.at are operated and managed exclusively by ANKÖ - ANKÖ is therefore solely responsible for these within the meaning of the GDPR.

However, we are responsible for the data entered by us via the ANKÖ websites within the meaning of the GDPR (unless the data is manipulated by third parties). This concerns the following data:

a. Client, address, postcode, town/city, e-mail address and telephone number;
b. Awarding body and its contact persons as well as address, postcode, town/city, e-mail address and telephone number;
c. Responsible award control authority as well as address, postcode, city, e-mail address and telephone number;
d. Award procedure;
e. Conclusion of the award procedure;
f. Title (type of contract);
g. Nature of the notice (place of fulfilment);
h. Contractors who have been awarded the contract, as well as their address, postcode, town/city, e-mail address and telephone number.

3.2.2 Legal basis for the processing of data

Insofar as we are obliged to process award procedures electronically, the legal basis for the processing of the publicly accessible data entered by us via the ANKÖ websites is Article 6(1)(c) GDPR (legal obligation).

If we process award procedures electronically via ANKÖ without a legal obligation, the legal basis for the processing of the data is Art 6 para 1 lit b GDPR (contract initiation and fulfilment).

3.2.3 How long will the data be stored?

The data entered by us via the ANKÖ websites and made publicly accessible are managed by ANKÖ. Further information on data processing by ANKÖ - in particular the duration of processing - can be found on the website https://www.ankoe.at/en/datenschutz/.

3.3. CUSTOMER CONTACT BY E-MAIL

3.3.1 Data processing

If you contact us by e-mail, the processing of your e-mail address and any other personal data transmitted is necessary for technical reasons in order to be able to process and answer your enquiry.

If you are already a client or party in an award procedure when you contact us, your enquiry will be assigned to the corresponding file and stored there.

If you wish to send us documents electronically, we request that you only use the Dropbox link provided by us. This ensures that your data is transmitted securely and in compliance with data protection regulations.

3.3.2 Legal basis for the processing of data

The legal basis for the processing of your email address and any other personal data transmitted is our legitimate interest pursuant to Art. 6 (1) (f) GDPR. If the processing is necessary for the fulfilment of a contractual or pre-contractual relationship, Art. 6 para. 1 lit. b GDPR is the corresponding basis.

3.3.3 How long will the data be stored?

In the event of an initiating or existing client relationship or if you are a party to a procurement procedure, your emails and any personal data contained therein will be stored for the period of time required for the proper fulfilment of the mandate or the handling of the procurement procedure. In addition, the data will be stored in accordance with the relevant professional law (e.g. Section 12 RAO), public procurement law (e.g. Section 49 BVergG 2018), company law (e.g. Section 212 UGB) or tax law (e.g. Section 132 BAO) regulations. It may be necessary to process personal data - even beyond the legally prescribed period - in order to be able to assert or defend against any legal claims.

If there is no client relationship, your emails and the personal data contained therein will only be stored for as long as is necessary to process your enquiry. The data will then be deleted unless another legal basis requires longer storage.

Erroneous e-mails (i.e. obviously misdirected e-mails) are deleted immediately after appropriate checking.

4.1 General information

Cookies are small data records in which certain information is stored (e.g. your IP address). When you visit a website, these files are stored via your internet browser on the device you are using (e.g. smartphone or laptop). If you continue to use a website, these cookies can be retrieved and, if necessary, supplemented with additional information. Depending on the type of cookie, the data collected is either only processed for the duration of your session and then deleted or remains stored for a defined period of time.

To protect your data, we do not use cookies. However, we use the following programmes to evaluate and improve the use of our website.

4.2 Web analysis with Matomo

We use the open source web analysis software Matomo for the statistical evaluation and optimisation of our website.

Matomo is operated locally on our server so that no data is transmitted to third parties.

The website is used without the use of cookies. Instead, user behaviour is evaluated exclusively on the basis of anonymised information. In particular, no personal data is processed: The IP address is automatically anonymised by removing part of the IP address (for example, the IP address 192.0.2.123 becomes the anonymised form 192.0.2.0). Other methods of recognition (such as fingerprinting) are not used either. This means that it is not possible to identify individual persons.

Although no personal data is processed, we would still like to inform you about which data is collected as part of the web analysis in order to maximise transparency:

a. IP address (anonymised);
b. Date and time of the page view;
c. Visited page URLs (these are the pages that are accessed within a website);
d. Page title (this is the title of the website that is displayed in the browser tab);
e. Reference source (referrer URL, e.g. from which page the visitor came);
f. Screen resolution;
g. Device type (e.g. desktop, tablet, mobile device);
h. Browser type and version;
i. Operating system and version;
j. Language of the browser;
k. Location data (roughly estimated on the basis of the IP address: e.g. country, region, city);
l. Session data (duration of the visit, number of pages per visit, interactions such as clicks, downloads, map interactions in the context of using OpenStreetMap, error events, scroll depth).

The information obtained is used exclusively to analyse aggregated access figures in order to improve the technology and content of our website. It is not passed on to third parties or linked to other data.

As no personal data is processed, data processing is permitted without consent in accordance with data protection regulations.

4.3 OpenStreetMap

On our website, we use the OpenStreetMap (OSM) service, provided by the OpenStreetMap Foundation, St John's Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom, to display interactive maps.

The map content is loaded directly from the servers of the OpenStreetMap Foundation. Your IP address is transmitted to OSM as it is technically required to deliver the map data to your browser. Depending on your browser and security settings, further technical information such as the date and time of access, the browser type used or the operating system may be transmitted to OSM. The map function is used without the use of cookies by OSM.

We integrate OpenStreetMap in a data-saving manner in order to provide you with user-friendly geographical information - without using third-party tracking.

Your IP address is processed on the basis of our legitimate interest in an appealing and functional presentation of our online offering in accordance with Art. 6 (1) (f) GDPR.

Further information on data processing by the OpenStreetMap Foundation can be found in the OSM Foundation's privacy policy (available at: https://www.openstreetmap.at/datenschutz/).

We use appropriate technical and organisational measures to protect your data in the best possible way. This is to prevent unauthorised persons from gaining access to our systems and thus also to your data.

Despite the greatest possible care, unforeseeable or unavoidable data breaches may occur in individual cases - for example due to faulty data transmissions or unauthorised access by third parties. In this context, we would like to point out that we cannot accept any liability for data protection breaches and any resulting damage if these were caused by third parties and are beyond our control (e.g. due to a hacked phone or account).

The web server is located in a data centre in Austria. We have concluded an order processing contract with the provider in question in accordance with Art. 28 GDPR.

Your data will not be transferred to third parties unless there is a legal basis for doing so. In such a case, however, personal data will only be transmitted to the extent covered by the respective basis in accordance with Art. 6 (1) GDPR.

We are obliged to transfer your personal data to the following recipients: Tax consultants and auditors, banks and insurance companies, courts and authorities.

In some cases, recipients may be located outside the European Union or the European Economic Area. This in turn may mean that no data protection comparable to European standards is guaranteed in the countries concerned. Your data will only be transferred to those third countries that have an adequate level of data protection according to the European Commission.

The following processors process your personal data exclusively on our behalf and in accordance with the conditions specified by us (e.g. purpose, processing duration):

a. We use an IT service provider to ensure technical functionality and IT security.

b. The technical support and maintenance of our website is provided by a specialised web agency.

c. The web server is operated by an external hosting service provider.

We have concluded a corresponding order processing contract with all service providers in accordance with Art. 28 GDPR.

If some of our processors are located outside the European Union or the European Economic Area, we ensure that they undertake to comply with European standards.

9.1 General information

To exercise the following rights - with the exception of the right to lodge a complaint (see section 10.9.) - please contact us informally:

Name: SHMP Schwartz Huber-Medek Partner Rechtsanwälte GmbH
Address: A-1010 Vienna, Hohenstaufengasse 7
Telephone: +43 1 513 50 05-0
Fax: +43 1 513 50 05-50
E-mail: office@shmp.at

9.2 Revocation (Art 7 para 3 GDPR)

You can revoke your consent, on the basis of which we process your personal data, at any time without giving reasons. As a result, we will no longer be allowed to continue processing your data on this basis in the future. However, the revocation only applies to the future - the legality of the data previously processed on the basis of the consent does not change.

9.3 Right to information (Art 15 GDPR)

You have the right to know which of your personal data we process. Such right of access includes in particular the following: (i) processing purposes, (ii) categories of personal data, (iii) recipients or categories of recipients to whom your personal data is disclosed, (iv) planned storage period and (v) origin of the data.

9.4 Right to rectification (Art 16 GDPR)

In accordance with Art. 16 GDPR, you have the right to have your personal data rectified or completed without undue delay.

9.5 Right to erasure (Art 17 GDPR)

You have the right to the immediate erasure of any data processed unlawfully (e.g. where the legal basis no longer applies) for any reason whatsoever. However, this does not apply in particular if the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defence of legal claims.

9.6 Right to restriction (Art 18 GDPR)

In accordance with Art. 18 GDPR, you have the right to restrict the processing of your personal data. This applies in particular if the accuracy of the processed data is disputed - for a period of time that enables us to verify the accuracy of your personal data. Furthermore, you can also request the restriction of the data if you refuse the complete erasure of the unlawfully processed data. The same applies to data that is no longer required by us, but which you as the data subject require for the establishment, exercise or defence of legal claims. This also applies if you have objected to the processing of your data (in accordance with Art. 21 GDPR), unless our legitimate grounds for further data processing outweigh the grounds stated by you.

9.7 Right to data portability (Art. 20 GDPR)

You may also request to receive the data you have provided to us in a structured, commonly used and machine-readable format or to transmit it to another controller.

9.8 Right to object (Art 21 GDPR)

If the data processing is based on our legitimate interest, you can object to such processing. If you exercise your right to object, we may ask you to state your reasons for doing so immediately.

9.9 Right to lodge a complaint (Art 77 GDPR)

If you believe that the processing of personal data concerning you is in breach of the GDPR, you may - without prejudice to any other administrative or judicial remedy - lodge a complaint with a supervisory authority (at your habitual residence, place of work or place of the alleged infringement).

This data protection notice will be updated or adapted as necessary (e.g. due to legal or technical changes). The adapted version will then also be available on the homepage.