Information on data processing according to Art. 13 and 14 General Data Protection Regulation (GDPR)
We care about the protection of your personal data and your privacy. For this reason, we will inform you in the following about our handling of your personal data, in particular for what purposes we process your personal data, to whom we transfer it and about the data protection claims and rights to which you are entitled. When we subsequently talk about data, we mean your personal data. This includes all information that directly or indirectly identifies you as a person.
Please read the following information carefully.
1. Who is responsible for data processing?
The responsible controller is:
Mr Christof Grabner
Bonygasse 60/3, 1120 Wien
Tel: +43 680 1405 808
2. Which categories of data are being processed?
We process the following personal data for the purposes described under item 4.:
- Personal master data (name, job title, employer organisation, contact details)
- Contract data (if you enter into a contract with us)
- Data contained in your job application
- Evaluation of user behavior (i.e. opening and click rates of emails)
3. From which sources do we receive data?
- directly from the data subject or
- via industry research from publicly accessible sources
4. For what purposes and on what legal basis is your data being processed?
- We process your personal data in accordance with the data protection regulations (GDPR and the Data Protection Act (Datenschutzgesetz – DSG) in their respectively applicable version).
4.1. For the performance of a contract and in order to take steps prior to entering into a contract (Art. 6 para. 1 lit b GDPR):
- Entering into, administration, performance of a business relationship with you: We will process your personal data in connection with offering and performing our services to you.
- Online job application: You can apply for an open position or proactively for a job through our website. We will process the personal data provided by you to process your application.
4.2. For compliance with a legal obligation (Art. 6 para. 1 lit c GDPR):
- Compliance with statutory retention and documentation obligations: We will process your personal data as necessary to comply with statutory retention and documentation obligations applicable to us.
4.3. For the purpose of legitimate interests (Art. 6 para. 1 lit f GDPR):
- Promoting our business: We will process your personal data in order to contact you and inform you about new developments regarding our company and our services we offer.
- If the processing is based on legitimate interests, you have the right of object pursuant to Art. 21 para. 1 GDPR. Please refer to the separate information at the end of this data protection declaration (What rights do you have?).
5. Who receives your data?
Within GRA:FIN M&A Advisry e.U. only those employees receive your data, who need it for processing for the corresponding purposes.
In addition, your data will be transferred to the following :
- companies who process personal information on GRA:FIN M&A Advisory e.U.’s behalf (for example companies providing us with IT-support)
- professional advisors, for example accountants, lawyers or other consultants
- courts and administrative authorities
Some of the recipients mentioned above are outside of Austria or process your personal data there. However, we only transfer your data to countries that have an adequate level of data protection pursuant to a decision of the EU Commission. If this is not the case, we will take measures to ensure that all recipients have an adequate level of data protection (e.g. conclusion of standard data protection clauses).
Updating of your personal data takes place primarily on the basis of your direct feedback or modification notice to us.
7. How long will your data be stored?
We process your personal data, as long as necessary, for the purposes described above as well as pursuant to statutory retention and documentation obligations stipulated in particular by the Austrian Commercial Code (Unternehmensgesetzbuch – UGB) and the Federal Tax Code (Bundesabgabenordnung – BAO) or to assert, exercise or defend legal claims for the duration of the statutory statutes of limitation, which, for example pursuant to the General Civil Code (Allgemeines Bürgerliches Gesetzbuch – ABGB) may be generally 30 years, however, in some cases only 3 years.
Generally, your data will therefore be deleted after the termination of our business relationship, revocation of your consent or your objection, if storage is not required for the fulfilment of a legal obligation or for the assertion, exercise or defence of legal claims.
There is the possibility that anonymization of the data is carried out instead of a deletion. In this case, any personal reference is irretrievably removed, which is why the data protection obligations to deletion no longer apply. In this case, personal reference cannot be restored.
8. What rights do you have?
In connection with your personal data and our processing of your personal data you have the following rights:
- Right of access to your personal data pursuant to Art. 15 GDPR;
- Right to rectification pursuant to Art. 16 GDPR;
- Right to erasure (‘right to be forgotten’) pursuant to Art. 17 GDPR;
- Right to restriction of processing pursuant to Art. 18 GDPR;
- Right to data portability pursuant to Art. 20 GDPR;
- Right to object pursuant to Art. 21 GDPR.
Moreover, you have the right to lodge a complaint with the data protection authority in case of a suspected violation regarding your personal data.
Telephone: +43 1 52 152-0
9. Is there an obligation to provide data?
As part of the business relationship, you only need to provide the personal data that is required to establish and conduct the business relationship or that we are required to collect by law. You are also required to notify us of any changes in your data. Without this data, we will usually have to refuse the conclusion of the contract or the performance of the contract or an existing contract can no longer be performed and consequently has to be terminated.
10. Is my data used for automated individual decision-making including profiling?
We do not use automated individual decision-making pursuant to Art. 22 GDPR.