Privacy Notice



1           General information

Thank you for your interest in our website and our company.

Our website includes links to other websites, which are provided purely for the purpose of information. We check external links carefully. However, we are not responsible for the content or security of these external links.

We protect the personal data you provide when visiting our website, and maintain your data privacy in our data processing, in accordance with the legal requirements. For further details on our data handling and protection policies, please read on.

1.1           The Controller for the processing of your personal data is


Business Consultant

Elmargasse 2-4

1190 Vienna

Enquiries concerning data protection should be sent directly to the email address or postal address above.


2         How we use your data

2.1         What kind of personal data do we process and where do they come from?

We process the following of your personal data which we obtain during our business dealings:

If you just visit our website, we will process your personal data only as described below in section 5.

The data may include details of transactions (e.g. payments), data required for the fulfilment of our contractual obligations (e.g. policy data), advertising and sales data, documentation data (e.g. consultation records), registration data, information from your electronic communications with our Group companies, data processing results generated by the CERTAINITY Group, and data required for the fulfilment of our legal and regulatory obligations.

We also process data obtained from other CERTAINITY Group companies, from credit agencies (e.g. KSV1870 Holding AG) and from publicly available sources (e.g. Companies Register, Land Register, the media). We may also obtain data from public authorities (e.g. courts) or government officials.

Under certain circumstances we may also process special categories of your personal data (such as health-related information) as described below in section 3.4.

Depending on the specific context in which we process your data, we will provide you with additional information, as applicable.

We only process the data that are required for the particular processing purpose (please see section 3. below for details).

2.2       Children’s data

We do not enter contracts with minors and are not permitted to do so. When you accept an online contract or online services etc., you confirm that you are not a child, i.e., in Austria, that you are over 14 years old, or that your legal guardian has given consent.

3         Purposes and legal bases for processing of your personal data

3.1         Contractual performance pursuant to Art 6 (1 b) GDPR

We are independent business consultants. Personal data are processed in the course of our business relationships with you or your employer as our customer (client) and/or supplier. These include electronically created, saved and archived documents (e.g. correspondence) concerning offers and acceptances of contracts, or during other stages of contract preparation, or for the administration and fulfilment of our contractual rights and responsibilities, also photographs and other documents uploaded by you. Further information on our data processing is also included in your contract documents.

If the services we provide to you involve more than one CERTAINITY company, for example where consulting is provided in more than one country, your data needs to be processed by each of the relevant CERTAINITY Group companies. The relevant Group companies are listed on our website

3.2       Processing for the fulfilment of legal obligations pursuant to Art 6 (1 c) GDPR

There are also some legal regulations which require that we process your personal data, e.g.:

·         information provided to the judicial authorities and courts in the event of criminal proceedings, or to the financial authorities in the event of finance offences: Code of Criminal Procedures, Financial Criminal Code

·         Prevention of fraud or money laundering

·         Regulations on the reporting of possible grievances


3.3       3.3 Data processing to safeguard legitimate interests in accordance with GDPR Art 6 (1 f)

In order to safeguard the legitimate interests of the Controller and of other companies of the CERTAINITY Group, data may be processed on the basis of balancing your and our interests beyond the specific fulfilment of a contract.

This includes, in particular, the following types of data processing activities respectively the interests we pursue with them:

·         IT services for safeguarding of network and information security

·         marketing (including direct marketing) for offering our services

·         monitoring of the CERTAINITY Group’s range of services for ongoing optimisation

·         business management activities for the purpose of further development of services and products

·         exercising and defending legal claims in judicial and extra-judicial proceedings

·         prevention of fraud or money laundering

·         processing for statistical purposes

·         processing for market research

·         compliance with and implementation of regulations on the reporting of possible grievances

·         communications within the CERTAINITY Group for the above purposes

In addition to the CERTAINITY Group companies with which you have direct contracts, other CERTAINITY Group companies involved in the fulfilment of contracts (e.g. for revenue management), may act as (sub-)processors or (joint) Controllers. CERTAINITY Holding GmbH, as the controlling and holding company of the Group, also provides a variety of other services (in addition to IT services) to the entire CERTAINITY Group.

With respect to the transfer of data to these CERTAINITY companies and other third parties, we emphasize that we are obliged to maintain data privacy and confidentiality of all customer data and information provided to us in the course of our business relationship. All employees of CERTAINITY companies who might possibly have access to your personal data, and all data processing (sub-)contractors are required to confirm in writing that they will maintain confidentiality and will only process personal data as authorized. CERTAINITY Holding GmbH in Austria, as the central IT service provider for all CERTAINITY companies, monitors data security in accordance with Art. 32 GDPR.

3.4       Data processing for which you have given consent pursuant to Art 6 (1 a) or Art 9 (2 a) GDPR

Data provided by you may be processed in accordance with your consent, e.g. contact details for the distribution of newsletters and other information about products and other services provided by your CERTAINITY partner, or photos provided by customers for the purpose of references or reporting on CERTAINITY events on the website.

Where your permission is required for a specific category of data processing, we will not proceed until we have your express consent for that specific purpose.

For the settlement of claims it is sometimes necessary to process sensitive data (e.g. details of injuries), as defined in Art. 9 GDPR, or data about (suspected) offences (e.g. in the case of traffic accidents), as defined in Art. 10 GDPR. As a general rule, we process such data for the purpose of establishing, exercising or defending legal claims, so that Art. 9 (2f) GDPR usually constitutes the legal basis for such processing. Where the processing of such data is not already justified on the basis of statutory provisions such as Art.

Your consent may be withdrawn at any time. The withdrawal of consent does not affect the legality of earlier processing.

3.5       Are you obliged to provide us with your personal data? What happens if you do not wish to do so?

Our business dealings require customers to provide many personal details. For example, we cannot provide you with our service without your name and address. We need to be able to process your personal data wherever this is necessary for contractual or legal reasons within the context of our business relationship. If you do not wish your data to be used in this way, there may be certain products or services that we cannot provide. Where your specific consent is required for us to be able to process your data, there is no obligation for you to grant this consent or provide this type of data.

3.6       Is there any automated decision-making, including profiling, as defined in GDPR Art. 22(1) and Art. 4?

No, there is no automated decision-making. For our services we check credit status by means of enquiries to credit protection associations. The evaluation of this kind of information is never automated.

4        Transmission and retention of personal data

4.1        Is your personal data shared, and if so, with whom?

The security of your personal data is important to us. For that reason, your data are only shared where there is a contractual or legal requirement to do so, or where this is necessary for the protection of our legitimate interests (e.g. within the company), or with your consent. Your personal data may be shared with:

·         other CERTAINITY companies within the CERTAINITY Group and third parties, their employees and agents, to the extent that this is necessary for the fulfilment of contractual, legal or regulatory obligations, and for the protection of legitimate interests, or their back office services or service lines, for the fulfilment of our associated responsibilities or otherwise for the provision of our services

·         Microsoft Ireland Operations Limited in its capacity as a data processor (including its sub-processors) through the use of cloud services provided within the EU

·         Providers of IT infrastructure, IT security and/or network services

·         public bodies and institutions, where we are legally required to do so (e.g. the trade licensing authority as regulatory authority, financial authorities)

·         third parties acting on our instruction, e.g. lawyers; third parties are contractually obliged to keep your data confidential and only to process them as necessary for the provision of service

4.2       Are my personal data transmitted to third countries?

It is sometimes necessary to transmit data to a third country without adequate data protection regulations, e.g. in the event of cross-border solutions, to the relevant partner CERTAINITY companies in third countries.

In the event that data have to be transmitted to a third country without adequate data protection, or to an international organization, such transfer will occur on the basis of EU standard contract clauses, or other guarantees of adequate data protection as defined in GDPR Chapter V.

CERTAINITY companies in third countries are contractually obliged within the CERTAINITY Group to uphold the standards of data protection and security as defined in the GDPR. This is also monitored, e.g. in Austria by CERTAINITY Holding GmbH, the central IT service provider of the CERTAINITY Group. CERTAINITY Holding GmbH, as central IT service provider (computing centre), also processes data on behalf of CERTAINITY companies in third countries.

In many cases, CERTAINITY companies may also be joint controllers with other companies, including in third countries (e.g. for cross-border solutions). In such cases, contracts for joint controllers are signed which set out detailed requirements in accordance with Art. 26 GDPR. Where CERTAINITY companies process your data as joint controllers, your rights as a data subject and other claims pursuant to the GDPR (see item 6 below, “Your rights”) can be exercised against each relevant controller, if no specific point of contact has been communicated to you

(Art. 26 (2) GDPR).

We do not generally use data processors outside the CERTAINITY Group which are located in third countries. Where the data processors we have engaged use the services of sub-processors located outside the EU, we ensure that these sub-processors are obliged to comply with the data protection and security standards of the GDPR so that they provide appropriate safeguards for the protection of your personal data.

4.3       How long is your personal data retained?

We will process or store your personal data for the duration of the business relationship between us. Also otherwise, we will only retain your data for so long as necessary for the fulfilment of the processing purposes described above.

After the end of our relationship with you, the data retention period depends on our statutory record keeping obligations and the duration of statutes of limitations on claims which may be raised between us. For instance, according to record keeping obligations under corporate and tax law, we are obliged to keep our business records for a minimum of seven (7) years. Examples of very common record keeping obligations under Austrian law can be found here (available in German only):

If we are not already obliged to retain your data as a result of our statutory record keeping obligations, we may still retain your data while the statute of limitations on claims which may possibly be raised between us have not yet expired.

4.4      What security measures are in place for the processing of personal data?

Data protection and data security are very important to us. Our data processing is protected by technical and organizational measures. This includes in particular the protection of your personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed. The centralized provision of IT services for all CERTAINITY companies by CERTAINITY Holding GmbH, as the computing center for Austria, supports this protection in all CERTAINITY companies.

Protective measures include for example the use of modern security software and encryption methods, controls on physical access, authorization concepts, pseudonymization and other precautions to protect against and prevent external and internal attacks.


5         Online media

5.1         Cookies

Cookies are used on our website.

5.2       Social networks

We work in cooperation with various social networks. If you use these social networks, your browser will automatically be linked to the relevant network. This transmits your IP address and other information such as cookies, if you have already visited the platform concerned.

As far as possible we avoid this kind of data transfer until you do actually interact with one of these platforms. By clicking the relevant symbol (e.g. the Facebook logo) you indicate that you are ready to communicate with the selected platform, and accept that information about you, such as your IP address, is transmitted to that social network.

Our website offers the option to interact with various different social networks via plug-ins.

We have no influence over the extent and content of the data transmitted to the operator of the social network when you click on its plug-in. If you would like to find out more about the type, extent and purpose of the data collected by the operators of these social networks, we recommend that you read the data protection policies of each social network.

5.3       Newsletter

On our website you can subscribe to our newsletter. You can also unsubscribe, by activating the “unsubscribe” link at the end of each newsletter or contact us directly by replying to the newsletter.

This aspect of data processing is regulated by the legal provisions in sections 96 (3) and 107 of the Austrian Telecommunications Act (Telekommunikationsgesetz, TKG) and Art. 6(1)(a) GDPR (Consent).

5.4       Contact form

The information you provide in our contact form, including personal data, is transmitted to our systems, and processed by third party applications, and saved by us so that we can respond to your enquiry.

By using our contact form, you confirm that you are not a child, i.e. in Austria, that you are over 14 years old, or that your legal guardian has given consent.

This aspect of data processing is regulated by the legal provisions in sections 96 (3) and 107 of the Austrian Telecommunications Act (Telekommunikationsgesetz, TKG) and Art. 6(1)(a) GDPR (Consent).


6        Your rights

You have the right of access, rectification, or erasure or to restrict the processing of your saved data, the right to object to processing and the right to data portability, at any time, subject to the conditions of the data protection laws. Please direct any enquiries on these matters to the Controller for the processing of your personal data, as defined in item 1.1.

To ensure that your data do not fall into the wrong hands, and that no-one can erase your data against your wishes, it is essential that we check your identity every time you contact us.

Any complaints may be submitted to the regulatory authority:

Austrian Data Protection Authority (Österreichische Datenschutzbehörde)

You have the following specific rights:

6.1         Right of access

According to Art 15 GDPR, Controllers must provide any data subject with access to personal data concerning themselves which is being processed.

6.2       Rectification and erasure

According to Art 16 and Art. 17 GDPR, you as a data subject have the right to demand the rectification and erasure of personal data concerning yourself.

6.3       Restriction of processing

According to Art 18 GDPR, you have the right to restrict the processing of personal data concerning yourself.

6.4      Data portability

According to Art 20 GDPR you have the right to data portability. This is the right, under the conditions specified, to obtain personal data you have provided, in a structured, commonly used and machine readable format, and to require that these data be transmitted to a third party.

6.5       Right to object

According to Art 21 (1) GDPR every data subject has the right, for reasons arising from their particular situation to object to the processing of personal data concerning themselves which are processed, amongst other things, for pursuing the legitimate interests of the Controller or a third party. This also applies to data processed for profiling based on this provision. You can object at any time to the processing of your personal data for the purpose of direct marketing (e.g. for a spotlight or newsletter), to be effective for the future.


7        Automated decision-making

We do not use automated decision-making as defined in Art 22 GDPR for decisions on the establishment and operation of our business relationships.


8        Modification of this policy declaration

This policy declaration replaces all earlier versions. We reserve the right to modify this policy as necessary if circumstances change. The current version of this data protection policy is available at any time on our website at