Data Privacy & Processing Information

PREAMBLE

This document states HYDROGRID’s Data Privacy & Processing Information, relating to the use of HYDROGRID’s public company website.

TABLE OF CONTENTS

1. Controller
2. Contact details of the Controller
3. Processing activities
4. Purposes of data processing
5. Legal basis for data processing
6. Description of (overriding) legitimate interests for the purposes
7. Change of purpose
8. Evaluating personal aspects of the customer
9. Obligation to provide data
10. Automated decision-making
11. Processed types of data
12. Data sources (to the extent not provided by the customer nor collected by the controller)
13. External recipients of data
14. Internal recipients
15. Transfer to third countries In the course of data processing
16. Presence in social media channels
17. Storage period
18. Rights of the data subject
19. Right to lodge a complaint Art 77 GDPR
20. Supervisory authority

1. Processing activities

• · Provision of information about goods or services of the Controller for customers[1], interested parties and visitors,
• · Contract performance vis-à-vis customers.

2. Controller

HYDROGRID GmbH, FN [Business Register Number] 459688m, Biberstrasse 9/4, 1010 Vienna, Austria hereafter referred to as “Controller”.

3. Contact details of the Controller

datasecurity@hydrogrid.eu

4. Purposes of data processing

4.1. For Performance or Preparation of the Contract

4.1.1. Keeping retrievable information about services of the controller for customers and interested persons.

4.1.2. Provision of communication channels for disseminating contents and servicing the customer relationship.

4.1.3. Fulfilment of the contractual obligations under the service contracts.

4.2. For (Overriding) Legitimate Interest

4.2.1. Dissemination/presentation of (advertising) information for services and events of the Controller by means of direct marketing (“marketing purposes”), to the extent permitted by law.

4.2.2. Maintaining and enhancing customer satisfaction and customer retention through an analysis of user behaviour with the aim of improving the service offer by use of Google Analytics.

4.2.3. Providing customers with a newsletter on the statutory basis of Section 107 (3) of the Austrian Telecommunications Act [TKG] with the option to opt out at any time.

4.2.4. Transmission of electronic identification data of the user to third-party providers to include contents by posts in social networks (e.g. YouTube) and other applications (e.g. Google Maps).

4.3. For Consent

4.3.1. Providing customers with a newsletter on the basis of consent with the option to opt out at any time.

5. Legal basis for data processing

5.1. Performance of the Contract

5.1.1. Online: The use of the online services (HYDROGRID company website) of the Controller is based on a contract as defined in Art. 6 (1) (b) GDPR; a registration relationship is established upon registration.

5.1.2. Conclusion of contracts: In the case of acquisition of services, the Controller’s data processing is based on the contract concluded from time to time and serves the purpose of performance of the contract.

5.2. Additional services: Consent: The Controller will obtain the customer’s express consent to specific services (e.g. newsletters). Such consent may be withdrawn at any time with effect for the future.

5.3. Overriding legitimate interests (see Section 6).

6. Description of (overriding) legitimate interests for the purposes

6.1. Of IT Security: The Controller will store the IP addresses of mere visitors of the website (HYDROGRID company website) for a period of max. three (3) months in order to defend targeted attacks in the form of server overloads (denial of service attacks) or prevent other damage to the systems. The Controller has an overriding legitimate interest in such data processing for the purpose of maintaining the functionality of its online services (Recital 49 GDPR).

6.2. Of Dissemination of Information / Direct Marketing: The Controller will process customer data (except for data of children or special categories of personal data as defined in Art. 9 GDPR (“sensitive data”)) including to use them for direct marketing of (other) offers of the Controller. The Controller has a legitimate interest in processing personal data for direct marketing purposes (last sentence of Recital 47 GDPR). Only customer data will be processed which the Controller possesses under a contractual relationship and for which the storage period has not expired yet. This will not extend the storage period. The primary aim of data processing is to solicit customers. In this regard the Controller relies on its freedom to carry on a business (Art. 6 of the Austrian Basic Law [Staatsgrundgesetz/StGG]) and its freedom to communicate, both of which are protected by conventions (in particular Art. 10 of the European Convention on Human Rights (ECHR), which also protects advertising measures) and constitutional law, and on the rights

• To send advertising by mail;
• To send electronic mail upon consent as defined in Section 107 (3) TKG.

When using such data the Controller shall meet the requirements of communication law, in particular Section 107 TKG.

7. Change of purpose

7.1. Dissemination of information / direct marketing: The Controller advises that it will process personal data of the customer also for disseminating information and for direct marketing. In this way, the Controller wants to advise its own goods and services. For that purpose, the data will be made available to no third party under its responsibility. There is no incompatibility with the purpose of the original collection of data. The customer may object to the use of his personal data for the purpose of direct marketing at any time and without having to state reasons.

8. Evaluating personal aspects of the customer

There will be no evaluation of personal aspects of the customer.

9. Obligation to provide data

The customer is under no obligation to provide data.

10. Automated decision-making

The customer is subject to no automated decision-making which would become legally effective vis-à-vis him or her.

11. Processed types of data

11.1. Personal Data Provided by the Customer

• Name, company name, academic degree
• Phone and fax number
• Postal address
• Email address
• Content of the customer’s messages

11.2. Additionally collected by the Controller

• IP address of requesting device) together with date, time, communication protocol
• Requested file (name and URL),
• Amount of data transferred to requesting device
• Status message of request (success, failure)
• Identification data of browser, together with operation system used
• Website from which request was sent (if the access was made via a link).
• Information on account use (e.g. date created, number of logins, date of the last request)
• Information on software use (e.g. use of provided options)

12. Data sources (to the extent not provided by the customer nor collected by the controller)

12.1. MailChimp

• The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
• Types of data: IP location, preferred email client, registration source, campaign details (receipt, open, click)

13. External recipients of data

13.1. Inclusion of content of third-party providers on the website: Transmission of electronic identification data, in particular IP addresses:

• Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, https://facebook.com/about/basics
• LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy
• Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA, https://twitter.com/en/privacy
• YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA https://support.google.com/youtube/answer/7671399?hl=en
• Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA, https://vimeo.com/privacy

13.2. Processors

• Server Host Provider: Internex GmbH, Lagerstraße 15, 3950 Gmünd, Austria
• Cloudservices internal: Internex GmbH, Lagerstraße 15, 3950 Gmünd, Austria
• Hosted Microsoft Exchange Server: Domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany
• Website: Domainfactory GmbH, Oskar-Messter-Str. 33, 85737 Ismaning, Germany
• Google Analytics, Maps (including “anonymize IP”): Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Email campaign mailing “Mailchimp”: The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA
• CRM: Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia

The Controller expressly reserves the right to use more processors. They will then be stated in the updated data protection information after the start of their use. Processing of such data by processors shall be made in the Controller’s responsibility.

14. Internal recipients

• System administrator
• Departments (IT, Sales, Operations)
• Management

15. Transfer to third countriesIn the course of data processing
The following data will be transmitted to countries outside the EU:

Country		Application	Type of Data
USA	Google (Standard Contractual Clauses)		Google Analytics: anonymised IP address, website title, browser-specific information, information about website use Google Maps: IP address, website title, browser-specific information, information about website use Google reCAPTCHA: IP address, website title, browser-specific information, information about website use
USA	MailChimp (Standard Contractual Clauses)		Email address, name

16. Presence in social media channels

16.1. The Controller informs that for the purposes of advertising and communication with customers in social media channels, it keeps independent online presences available. In connection with such online presence customer data may be processed outside the European Union, which increases the risk of a data protection breach. To the extent that they are resident in the USA the providers of social media channels have submitted to Standard Contractual Clauses.

Such online presence is kept available in the technical environment of the relevant social media operator. The social media operators will then use the customer’s visit to the online presence for their own purposes, in particular for sending out (interest based) advertising. The social media operators use the visit to store cookies on the customer’s terminal device, to retrieve existing cookies/identifiers, to draw conclusions from the user behaviour regarding the customer’s interests and thus to enhance the user profile which has been established for the customer or the identifier. The aim is to send out interest based advertising to the customer, which may also be done on websites of third-party providers visited at a later point in time.

Processing personal data of the customer is based on the overriding legitimate interests of the Controller in advertising measures and communication with the customer, which is protected by conventions and constitutional law through the freedom to carry on a business (Art. 6 of the Austrian Basic Law [Staatsgrundgesetz/StGG]) and the freedom to communicate (in particular Art. 10 ECHR, which also protects advertising measures). If the customers are users of social media channels, data processing may also be covered by the customer’s consent.

The Controller advises that it has no access whatsoever to the customer’s data. Thus, the Controller recommends customers contact the social media channel directly if they want to assert their rights to access, rectification, erasure, restriction, objection or data portability. Users of social media channels may also make changes in their privacy settings themselves. If necessary, the Controller will provide assistance to the customer.

16.2. Additional information is available to the customer at:

16.2.1. Facebook

• Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
• Privacy statement: https://www.facebook.com/about/privacy/
• Opt-Out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com

16.2.2. Twitter

• Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA
• Privacy statement: https://twitter.com/en/privacy
• Opt-out: https://twitter.com/personalization

16.2.3. Google/YouTube

• Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
• Privacy statement: https://policies.google.com/privacy
• Opt-out: https://adssettings.google.com/authenticated

16.2.4. LinkedIn

• LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland
• Privacy policy: https://www.linkedin.com/legal/privacy-policy?trk=uno-reg-guest-home-privacy-policy

17. Storage period

17.1. Legal basis of the statutory obligation (in particular invoice data): to the extent that there is a legal obligation to retain data, in particular as defined in Section 132 (1) of the Austrian Fiscal Code [BAO], (accounting) relevant data will be processed in any case up to the end of the statutory retention period (currently generally seven (7) years from the end of the business year in which the data was created).

18. Rights of the data subject

Basis	Contents
Art 15 GDPR “Access”	The customer shall have the right to obtain confirmation as to whether or not and to what extent his/her personal data is being processed.
Art 16 GDPR “Rectification”	The customer shall have the right to obtain without undue delay the rectification of inaccurate personal data or to have it completed.
Art 17 GDPR “Erasure”	The customer shall have the right to obtain the erasure of personal data without undue delay as long as the reasons stated in Art 17(1) GDPR are fulfilled.
Art 18 GDPR “Restriction”	The customer shall have the right to obtain restriction of processing of personal data as long as the reasons stated in Art 18(1) GDPR are fulfilled.
Art 21 GDPR “Objection”	The customer shall have the right to object to the processing of his/her personal data on the basis of overriding legitimate interest.
Art 20 GDPR “Data portability”	The customer shall have the right to receive the advised personal data concerning him in a structured, commonly used and machine-readable format.
Art 15 GDPR “Access”	The customer shall have the right to obtain confirmation as to whether or not and to what extent his/her personal data is being processed.
Art 16 GDPR “Rectification”	The customer shall have the right to obtain without undue delay the rectification of inaccurate personal data or to have it completed.
Art 17 GDPR “Erasure”	The customer shall have the right to obtain the erasure of personal data without undue delay as long as the reasons stated in Art 17(1) GDPR are fulfilled.

19. Right to lodge a complaint

19.1. Art 77 GDPR Section 24 of the Austrian Data Protection Act [Datenschutzgesetz/DSG]: Each customer shall have the right to lodge a complaint with the supervisory authority if he/she is of the opinion that the processing of personal data relating to him infringes this Regulation.

20. Supervisory authority

Österreichische Datenschutzbehörde [Austrian Data Protection Authority]

Barichgasse 40-42, 1030 Vienna, Austria
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at

 

[1] If only the masculine form is used for describing natural persons in this data protection information, it shall refer to both women and men equally. If a term is used for a specific natural person, the respective gender-specific form must be used. The term customer refers to both consumers and entrepreneurs.