Privacy policy

Preamble

With the following privacy policy, we would like to inform you which categories of your personal data (hereinafter also referred to simply as “data”) we process, for which purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and in particular on our websites, in mobile applications and within external online presences, such as our social‑media profiles (collectively referred to below as the “online offering”).

The terms used are gender‑neutral.

Status: 20 April 2025

Controller

Agnes Andersen, BA.
Aspangstraße 29/2/7
1030 Vienna

Email address: office@agnesandersen.com

Legal notice: https://www.agnesandersen.com/impressum/

Overview of processing operations

The following overview summarises the types of data processed and the purposes of their processing, and indicates the categories of data subjects.

Types of data processed

  • Master data.
  • Payment data.
  • Location data.
  • Contact data.
  • Content data.
  • Contract data.
  • Usage data.
  • Meta, communication and procedural data.
  • Image and/or video recordings.
  • Audio recordings.
  • Contact information (Facebook).
  • Event data (Facebook).
  • Log data.

Categories of data subjects

  • Service recipients and clients.
  • Employees.
  • Interested parties.
  • Communication partners.
  • Users.
  • Business and contractual partners.
  • Depicted persons.
  • Third parties.
  • Customers.

Purposes of processing

  • Provision of contractual services and fulfilment of contractual obligations.
  • Communication.
  • Security measures.
  • Direct marketing.
  • Reach measurement.
  • Tracking.
  • Office and organisational procedures.
  • Remarketing.
  • Conversion measurement.
  • Click tracking.
  • Audience building.
  • Organisational and administrative procedures.
  • Feedback.
  • Marketing.
  • Profiles with user‑related information.
  • Provision of our online offering and user‑friendliness.
  • Information‑technology infrastructure.
  • Finance and payment management.
  • Public relations.
  • Sales promotion.
  • Business processes and economic procedures.

Relevant legal bases

Relevant legal bases under the GDPR: The following list provides an overview of the GDPR legal bases on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data‑protection regulations may apply in your or our country of residence or establishment. Where more‑specific legal bases apply in individual cases, we will inform you of these in this privacy policy.

  • Consent (Art. 6 (1) (a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
  • Performance of a contract and pre‑contractual enquiries (Art. 6 (1) (b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation (Art. 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate interests (Art. 6 (1) (f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

National data‑protection rules in Austria: In addition to the GDPR, national rules apply in Austria, in particular the Federal Act concerning the Protection of Natural Persons in the Processing of Personal Data (Data Protection Act – DSG). The DSG contains specific provisions on the right of access, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes, transmission and automated individual decision‑making.

Note on applicability of the GDPR and the Swiss Data Protection Act: These privacy notices serve both to provide information under the Swiss Data Protection Act (DSG) and under the GDPR. Therefore, for wider geographic applicability and clarity, the terminology of the GDPR is used. In particular, instead of the terms used in the Swiss DSG (“processing” of “personal data”, “overriding interest” and “particularly sensitive personal data”), the GDPR terms (“processing” of “personal data”, “legitimate interest” and “special categories of data”) are used. The legal meaning of the terms within the scope of the Swiss DSG is still determined by the Swiss DSG.

Security measures

We take technical and organisational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.

These measures include in particular safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as access to, input, disclosure, safeguarding of availability and separation of the data. Furthermore, we have procedures in place that ensure the exercise of data‑subject rights, the deletion of data and responses to threats to the data. In addition, we consider the protection of personal data when developing or selecting hardware, software and procedures in accordance with the principle of data protection by design and by default.

IP address truncation: Where IP addresses are processed by us or by the service providers and technologies used, and processing of the full IP address is not required, the IP address is truncated (“IP masking”). This involves removing or replacing the last two digits or the last part of the IP address after a dot. Truncation is intended to prevent or significantly hinder the identification of a person via their IP address.

Securing online connections via TLS/SSL encryption technology (HTTPS): To protect users’ data transmitted via our online services against unauthorised access, we rely on TLS/SSL encryption technology. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are the cornerstones of secure data transmission on the Internet. These technologies encrypt information transmitted between the website or app and the user’s browser (or between two servers), thereby shielding the data from unauthorised access. TLS, as the advanced and more secure version of SSL, ensures that all data transfers meet the highest security standards. When a website is secured by an SSL/TLS certificate, this is indicated by the display of HTTPS in the URL, signalling to users that their data is transmitted securely and in encrypted form.

Transfer of personal data

In the course of processing personal data, it may occur that such data is transferred to other entities, companies, legally independent organisational units or individuals, or disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content that are embedded in a website. In such cases we comply with the statutory requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.

International data transfers

Data processing in third countries: If we transfer data to a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third‑party services, or if data is disclosed or transferred to other persons, entities or companies (which is recognisable, for example, from the provider’s postal address or if the privacy policy explicitly refers to data transfers to third countries), this is always done in compliance with the statutory requirements.

For data transfers to the USA, we primarily rely on the Data Privacy Framework (DPF), which was recognised as a secure legal framework by an EU‑Commission adequacy decision on 10 July 2023. In addition, we have concluded standard contractual clauses with the respective providers that meet the EU‑Commission requirements and impose contractual obligations to protect your data.

This dual safeguard ensures comprehensive protection of your data: the DPF forms the primary level of protection, while the standard contractual clauses provide additional security. Should changes arise within the framework of the DPF, the standard contractual clauses act as a reliable fallback. In this way, we ensure that your data remains adequately protected even amid political or legal changes.

For each individual service provider, we inform you whether they are certified under the DPF and whether standard contractual clauses are in place. Further information on the DPF and a list of certified companies can be found on the website of the U.S. Department of Commerce: https://www.dataprivacyframework.gov/ (English).

For data transfers to other third countries, equivalent safeguards apply—particularly standard contractual clauses, explicit consents or transfers required by law. Information on third‑country transfers and applicable adequacy decisions can be found in the EU Commission’s resources: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

General information on storage and deletion

We delete personal data that we process in accordance with legal requirements as soon as the underlying consents are revoked or no further legal grounds for processing apply. This applies in cases where the original purpose of processing ceases to exist or the data is no longer needed. Exceptions exist if statutory obligations or special interests require longer retention or archiving of the data.

In particular, data that must be retained for commercial or tax reasons, or whose storage is necessary for the assertion, exercise or defence of legal claims, or to protect the rights of other natural or legal persons, must be archived accordingly.

Our privacy notices contain additional information on retention and deletion that apply specifically to certain processing activities.

If different retention periods or deletion deadlines are specified for the same data, the longest period shall prevail.

If a period does not explicitly begin on a specific date and is at least one year, it automatically starts at the end of the calendar year in which the event that triggered the period occurred. In the case of ongoing contractual relationships in which data is stored, the triggering event is the effective date of termination or other ending of the legal relationship.

Data that is no longer required for the original purpose but is retained due to legal obligations or other reasons will be processed exclusively for the purposes that justify its retention.

Rights of data subjects

Rights of data subjects under the GDPR: As a data subject, you have various rights under the GDPR, in particular under Articles 15 to 21 GDPR:

  • Right to object: You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data carried out on the basis of Article 6 (1) (e) or (f) GDPR; this also applies to profiling based on these provisions. If your personal data is processed for direct‑marketing purposes, you have the right to object at any time to the processing of your personal data for such advertising; this also applies to profiling insofar as it is related to such direct marketing.
  • Right to withdraw consent: You have the right to withdraw any consent you have given at any time.
  • Right of access: You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and, where that is the case, to obtain access to the data and further information in accordance with legal requirements.
  • Right to rectification: You have the right, in accordance with the law, to request the completion of data concerning you or the rectification of inaccurate data concerning you.
  • Right to erasure and restriction of processing: You have the right, in accordance with the law, to request that data concerning you be erased without undue delay, or alternatively, in accordance with the law, to request restriction of processing of the data.
  • Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine‑readable format, or to request its transmission to another controller, in accordance with the law.
  • Right to lodge a complaint with a supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data‑protection supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.