Last updated: November 30th, 2020
1. Data processing during use of the website
1.1 Visiting our website
You can visit our website without having to disclose information about yourself. You can visit our website for purely informational purposes, to find out about our products, services and activities, without it becoming possible for us to link such data to you personally. Data processed automatically does not enable us to identify you personally. Nevertheless, IP addresses are considered personal data under the GDPR.
Server log files (access data)
For technical reasons (particularly to ensure a functioning and secure website), we process the technically necessary data about accesses to our website in so-called server log files which your browser automatically sends to us.
The access data we process includes:
• The name of the website you are accessing
• The browser type (including version) you use
• The operating system you use
• The site you visited before accessing our site (referrer URL)
• The time of your server request
• The amount of data transferred
• The host name of the computer (IP address) you are using to access the site
This data cannot be traced back to any natural person and is used solely to perform statistical analyses and to operate and improve our website while also optimising our site and keeping it secure. This data is sent exclusively to our website operator. The data is neither connected nor aggregated with other data sources. In case of suspicion of unlawful use of our website, we reserve the right to examine the data retroactively. This data processing takes place on the legal grounds of our legitimate interest in maintaining a technically fault-free and optimal website, as described under Art. 6 paragraph 1 lit. f of the GDPR.
The access data is deleted within a short period of time after serving its purpose (usually within a few days) unless further storage is required for evidence purposes. In such cases, the data is stored until the incident is definitively resolved.
In the process of hosting our website, we store all data related to the operation of our website. This is necessary for enabling operation of our website. Therefore, we process this data on the legal grounds of our legitimate interest in optimising our website as described under Art. 6 paragraph 1 lit. f of the GDPR. To provide access to our website, we use the services of web hosting providers, to whom we supply the aforementioned data within the context of contractual processing in accordance with Art. 28 of the GDPR.
1.2. Non-binding requests/solicitations while visiting the website
Whenever you contact us, your information is used to process and handle your contact request in the course of fulfilling pre-contractual rights and obligations in accordance with Art. 6 paragraph 1 lit. b of the GDPR. To handle and answer your request it is necessary for us to process your data; otherwise we are unable to answer your request or only able to partially answer it. Your information can be stored in a database of customers and leads on the grounds of our legitimate interest in direct marketing as described in Art. 6 paragraph 1 lit. f of the GDPR.
We delete your request and contact information when your request has been definitively answered and there is no legally required time limit for storing this data prior to deletion (e.g. pursuant to a subsequent contractual relationship). This is usually the case when there is no further contact with you for three years in a row.
Cookies are small packages of data that are exchanged between your browser and our web server whenever you visit our website. They do not cause any damage and are used solely to recognise website visitors. The next time you access our website using the same device, the information stored in the cookies can then either be sent back to us (“first-party cookie”) or to a web application of the third party to whom the cookie belongs (“third-party cookie”). The information that is stored and sent back allows each web application to recognise that you have already accessed and visited the website using the browser on your device. We use this information to optimally design and display our website in accordance with your preferences. Any further processing of personal data only occurs with your explicit consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR or, on the basis of our legitimate interests as described in Art. 6 paragraph 1 lit. f of the GDPR, when strictly necessary for technical reasons to enable you to use the service you are accessing.
Cookies contain the following information:
• Cookie name
• Name of the server from which the cookie originates
• Cookie ID number
• An expiry date, after which the cookie will be automatically deleted
We classify cookies in the following categories depending on their purpose and function:
• Technically necessary cookies which are required for ensuring technical operations and the basic functionality of our website (e.g. to be able to access secured areas of the website). These are so-called session or connection cookies.
• Statistics cookies, which collect anonymous data that we analyse to gain an understanding of how visitors interact with our website. These are also used for measuring the reach and access of our website, and to analyse how often specific pages are accessed.
• Marketing cookies, for analysing user behaviour, which is used as a basis for providing personalised, targeted advertising based on your interests.
The legal basis for using technically necessary cookies is our legitimate interest in the technically fault-free operation and smooth functionality of our website as described in Art. 6 paragraph 1 lit. f of the GDPR. The use of statistics and marketing cookies is subject to your consent, in accordance with Art. 6 paragraph 1 lit. a of the GDPR.
Most browsers automatically accept cookies. However, you can change your browser settings so that cookies are either totally blocked or only certain types are permitted (e.g. you can choose to only block third-party cookies). Please note that you may not be able to enjoy the full functionality of the website if you change your cookie settings. You can find out how to change your settings on the most common browsers using the following links:
Internet Explorer™: https://windows.microsoft.com/en-us/windows-vista/Block-or-allow-cookies
1.4. Use of tools and plugins on our website
paragraph 1 of the GDPR. The cookies banner that appears when you access the website gives you the option of setting your own personal cookies preferences.
We use the functions of the web analytics service Google Analytics on our website to analyse user behaviour and to optimise our website. The provider of this service is Google Ireland Limited, Barrow Street, Dublin 4, Ireland (‘Google’). In general, information about your use of the website is transferred to a Google server and stored there, such as the type and version of browser you used, the operating system you used, the site you visited prior to accessing our site, the host name of the computer (IP address) you used to access the site, and the time of your server request. For this purpose, we have entered into a contract with Google for contractual processing of your data in accordance with Art. 28 of the GDPR.
At our request, Google will use this information to analyse the use of our website, to create reports on the activities within our website and to render additional services related to the use of our website and of the internet. According to Google, the IP address submitted by your browser will not be added to other data held by Google.
We use Google Analytics only with IP anonymisation activated, which means we have expanded this website to include the code ‘anonymizeIP’. This ensures that your IP address is masked, so that all data is collected anonymously. Only under exceptional circumstances will a full IP address be transmitted to a Google server and truncated there.
The data about the use of our website is immediately deleted after expiration of the storage limits that we have set. Google Analytics gives us the following options for the storage limits: 14 months, 26 months, 38 months, 50 months or no automatic deletion. You can ask us any time for the current storage limit that we have set.
The processing of your data using Google Analytics is subject to your explicit consent in accordance with Art. 6 paragraph 1 lit. a of the GDPR. You can revoke your consent at any time with effect for the future in accordance with Art. 7 paragraph 3 of the GDPR.
You can also block the collection of data by downloading and installing the browser plugin available through the link below: http://tools.google.com/dlpage/gaoptout?hl=en.
In case Google processes your data in the United States, please note that Google, headquartered in the United States, is certified under the Privacy Shield Framework, which guarantees that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). The Privacy Shield Framework is an agreement between the European Union and the United States, which is designed to ensure compliance with European data protection regulations in the United States. It is therefore permitted for data to be transferred to the United States in accordance with Art. 45 of the GDPR.
To display fonts consistently, our website uses Web Fonts which are provided by Google. Google Fonts is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). For this purpose, the web browser you use must connect with a Google server. This informs Google that our website is being accessed via your IP address. The IP address from the browser of the device you are using to access our site is also stored by Google. If your browser does not support Web Fonts, your computer will display the site using a standard font type. With each Google Font request, your IP address is automatically transferred to a Google server along with information such as your language preferences, display resolution, version and name of your browser. The usage data collected by Google enables them to determine the popularity of specific font types. Google publishes these findings on internal analytics sites (e.g. Google Analytics).
In case Google processes your data in the United States, please note that Google, headquartered in the United States, is certified under the Privacy Shield Framework, which guarantees that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). It is therefore permitted for data to be transferred to the United States in accordance with Art. 45 of the GDPR.
Google Fonts enables us to use fonts on our own website without uploading them to our server. Google Fonts is an important building block for maintaining the high quality of our website. All Google fonts are automatically optimised for the web. This reduces the data volume and is particularly advantageous for use on mobile devices.
When you visit our site, the low file size allows for quicker loading times. Furthermore, Google Fonts are secure Web Fonts that support all major browsers.
The processing of your data therefore takes place on the basis of our legitimate interest in maintaining a consistent, attractive presentation for our website. This is defined as a legitimate interest under Art. 6 paragraph 1 lit. f of the GDPR.
Google stores requests for CSS assets for one day on its servers. This enables us to use the fonts with the support of a Google style sheet. The font files are stored by Google for one year. To delete data prematurely, you must contact Google Support (https://support.google.com/?hl=de&tid=231563100246).
We embed the service Google Maps on our website to make it easier to read the user’s geographical information, particularly so that we can display our location and provide you with route directions. The provider of this service is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). The use of Google Maps enables Google to collect and process data about the use of this service.
The processing of your data occurs on the basis of our legitimate interest in providing visual, graphical information to users of our website, in accordance with Art. 6 paragraph 1 lit. f of the GDPR. In case Google processes your data in the United States, please note that Google, headquartered in the United States, is certified under the Privacy Shield Framework, which guarantees that it complies with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active). It is therefore permitted for data to be transferred to the United States in accordance with Art. 45 of the GDPR.
Google Tag Manager
We use the service Google Tag Manager on our website. This service is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (‘Google’). The Tag Manager is used to manage website tags via an interface. This enables us to embed code snippets such as tracking codes or conversion pixels into our website without interfering with the source code. In this process, Tag Manager data is only transferred; it is not collected or stored. The Tag Manager itself is a cookie-less domain and does not process any personal data, because it is used solely to manage other services used on our website. The Tag Manager triggers other tags which in turn collect data under specific circumstances. However, the Tag Manager has no access to this data. If you have chosen to deactivate cookies on our site in general or to deactivate specific cookies, this will remain in effect for all tracking tags that are implemented using the Tag Manager.
For more information about data protection, refer to the following Google websites:
FAQ Google Tag Manager: https://www.google.com/intl/de/tagmanager/faq.html
Use Policy Google Tag Manager: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/
the user, it is only used for the correct execution of the service. The use of the above data is therefore based on our legitimate interest in the legally compliant design of our website in accordance with Art. 6 paragraph 1 lit. f GDPR.
Further information can be found in the DataReporter data protection declaration at https://www.datareporter.eu/datenschutz. Please feel free to send your enquiries about this service to firstname.lastname@example.org.
Data transfer to the US / Discontinuation of the Privacy Shield
We would like to expressly point out that as of July 16, 2020, due to a legal dispute between a private individual and the Irish supervisory authority, the so-called "Privacy-Shield", an adequacy decision of the EU Commission according to Art 45 GDPR, which confirmed an adequate level of data protection for the US under certain circumstances, is no longer valid with immediate effect.
The Privacy Shield therefore no longer constitutes a valid legal basis for the transfer of personal data to the United States!
What can the transfer of personal data to the US mean for you as a user and what risks are involved?
Risks for you as a user are at any rate the powers of the US secret services and the legal situation in the US, which, in the opinion of the European Court of Justice, no longer ensure an adequate level of data protection. Among other things, this concerns the following points:
- Section 702 of the Foreign Intelligence Surveillance Act (FISA) does not provide for any restrictions on the surveillance measures of the secret services or guarantees for non-US citizens.
- Presidential Policy Directive 28 (PPD-28) does not provide effective remedies for those affected against actions by U.S. authorities and does not provide barriers to ensuring proportionate measures.
- The ombudsman provided for in the Privacy Shield does not have sufficient independence from the executive; he cannot issue binding orders to the U.S. secret services.
Legally compliant transfer of data to the US on the basis of standard contractual clauses?
The standard contractual clauses adopted by the Commission in 2010 (2010/87/EU of 05.02.2010), Art. 46 paragraph 2 lit. c GDPR, are still valid, but a level of protection for personal data must be ensured which is equivalent to the level in the European Union.
Therefore, not only the contractual relationships with our service providers are relevant, but also the possibility of access to the data by U.S. authorities and the legal system of the U.S. (legislation and jurisdiction, administrative practice of authorities).
The standard contractual clauses cannot bind authorities in the US and therefore do not yet provide adequate protection in cases in which the authorities are authorized under the law in the US to intervene in the rights of the data subjects without additional measures by us and our service provider.
Legally compliant transfer of data to the US on the basis of your consent?
It is currently controversial whether informed consent, and thus a deliberate and knowing restriction of parts of your basic right to data protection, is legally possible at all.
What measures do we take to ensure that a data transfer to the US complies with the law?
Insofar as US providers offer the option, we choose to process data on EU servers. This should technically ensure that the data is located within the European Union and cannot be accessed by US authorities.
Furthermore, we carefully examine European alternatives to the US tools used. However, this is a process that does not happen overnight, as it also involves technical and economic consequences for us. US service providers are currently still used only if the use of European tools and/or immediately switching off the US tools is impossible for us for technical and/or economic reasons.
For the further use of US tools we take the following measures:
As far as possible, your consent will be asked for before using a US tool and you will be informed in advance in a transparent manner about the functioning of a service. The risks involved in transferring data to the USA can be found in this section.
We make every effort to conclude standard contract clauses with US service providers and to demand additional guarantees. In particular, we require the use of technologies that do not allow access to data, e.g. the use of encryption that cannot be broken even by US services or anonymization or pseudonymization of data, where only the service provider can make the assignment to a person. At the same time, we require additional information from the service provider if data is actually accessed by third parties or the service provider exhausts all legal remedies until access to data is granted at all.
2. Transfer of your personal data
Within our organisation, your data will be transferred to the offices and/or employees who need it to fulfil our contractual or legal obligations or where we have a legitimate interest to process your data.
Furthermore, your data will be transferred to (external) data processors contracted by us, insofar as they require it to perform their duties (whereby the possibility of accessing personal data is sufficient). All data processors are contractually obliged to treat your data as confidential and only to process in order to provide their services. The following data processors receive your data:
• Customer management
• Analytics tools
• IT service providers and IT support used by us
• Marketing management
We maintain a current list of types of data recipient and contractors.
Some of the aforementioned recipients are located or process your (personal) data outside the EU. However, we take measures to guarantee that all recipients demonstrate appropriate privacy standards. For example, we agree to standardised contractual clauses which can be provided to you upon request. Alternatively, we use suppliers who are certified under the EU-US Privacy Shield, which is an appropriate level of data protection under the GDPR (as per the adequacy decision by the European Commission).
If we use any data processors, then, as stated, these are bound to our privacy guidelines and your personal data is also handled as strictly confidential. Under no circumstances will data processors transfer your data to third parties or use it without our explicit consent, for any purposes other than for the fulfilment of your obligations towards Silhouette, or for those based on our explicit instructions.
3. Data subject’s rights
One of the main objectives of data protection legislation is to grant you certain options for controlling your personal data after data processing has already begun. For this purpose, data subjects have various rights which we must observe immediately upon your request (or, in any case, within one (1) month of your request). To exercise your rights, contact us at the following e-mail address:
Specifically, you have the following rights:
(a) Should you exercise your right to information, and no legal restrictions apply, we will provide you with comprehensive information about our processing of your data. To do so, we will provide you with (i) copies of the data (e-mails, database excerpts, etc.), as well as information related to (ii) specifically processed data, (iii) processing purposes, (iv) categories of data being processed, (v) data recipients, (vi) storage limits and/or criteria for determining these, (vii) the origin of the data, and (viii) other information, as necessary, depending on your specific case. Please note, however, that we cannot issue any documents which could infringe upon the rights of other persons.
(b) With your right to correction, you can request that we correct information that we have recorded incorrectly, that is no longer correct or that is incomplete (for the specific processing purposes in question). Your request will be evaluated, during which time you can request for the data processing in question to be restricted until the evaluation is complete.
(c) The right to (data) deletion can be exercised (i) in the event that there is no necessity with regard to the processing purpose, (ii) in case you withdraw your consent, (iii) in case of a special objection, if the data processing in question is based on Silhouette’s legitimate interests, (iv) in case of improper data processing, (v) in the event that there is a legal requirement to delete the data, and (vi) in case of processing of personal data referring to minors under the age of 16.
(d) In specific cases, the data subject has a right to restriction of processing. After this right is exercised, the data in question can only be stored. In addition to the option of restriction during the evaluation period for data corrections, this extends to (i) unlawful data processing (insofar as no deletion is requested) and (ii) the duration of the evaluation of a special objection, in accordance with Art. 21 paragraph 1 of the GDPR.
(e) Furthermore, you have a fundamental right to object to data processing at any time. This only applies whenever the processing is based on Silhouette’s legitimate interests. Please note, however, that legitimate interests can only be invoked as a legal basis for processing activities in specific cases.
(f) You can also exercise your right to complain to supervisory authorities (see point 9).
(g) You also have the right to data portability. If you choose to exercise this right, you are entitled to receive the data in question in a structured, standard and machine-readable format and to transfer this data to another data controller or request for it to be transferred directly to another data controller.
Please also note that in some cases we will be unable to comply with your request due to mandatory, protected reasons for processing (weighing of interests) and/or processing based on the exertion, exercise or defence of legal claims (on our side). The same applies in the case of excessive requests, in which case (as in the case of compliance with manifestly unfounded requests), a fee may be imposed.
4. Data security, data deletion
Silhouette takes all the suitable technical and organisational measures to ensure that, by default, personal data is only processed to the extent strictly necessary for the business purpose in question. The measures taken by Silhouette relate to the quantity of the collected data, the scope of the processing as well as the storage limits and accessibility of the data. Through these measures, Silhouette ensures that personal data is made available by default only to a strictly limited and necessary number of persons. No other persons are granted access to personal data without the explicit consent of the data subject. Furthermore, Silhouette uses various safety mechanisms (back-ups, encryption) to secure its website and other systems. These are intended to provide your (personal) data with the greatest possible level of protection against loss, theft, destruction, unauthorised access, modification or distribution.
All Silhouette employees are adequately informed of all applicable regulations under data protection law as well as internal data protection rules and data security precautions. They are bound to confidentiality with respect to any information made known and/or accessible to them within the scope of their work. The provisions of the GDPR are strictly observed and personal data is only provided to individual employees to the extent necessary with regard to the purpose of the data collection and our obligations arising from it. If Silhouette engages processors, they are bound to us by specific framework agreements to act in accordance with our data protection practice.
In accordance with the provisions of the GDPR, all (personal) data collected by us via our website shall only be stored for as long as necessary with regard to the legal grounds for processing them, unless a longer storage period is stipulated by law. We uphold our obligation to delete data with our company’s own internal data deletion procedure. We can provide you with further information about it, at your request.
5. Links to Third-Party Websites
On our website, we use links to third-party sites. These include reference links that direct you to our permanent partners, as well as links to social networks such as Facebook, Instagram and YouTube. If you click on any of these links, you will be redirected directly to the relevant web page. The only data that the website operators will receive is that you have come via our website. We therefore refer you to the privacy policies of these websites.
For the privacy policy of Facebook, refer to: https://de-de.facebook.com/policy.php. For the privacy policies of Instagram and YouTube, refer to: https://help.instagram.com/519522125107875 and https://support.google.com/youtube/answer/7671399?p=privacy_guidelines&hl=de&visit_id=636927545803058837-989013203&rd=1.
These links to third-party sites do not constitute any endorsement on our part of the contents that they may include. We are not responsible for the availability or content of such sites, nor do we assume any liability for damages or injuries incurred by the use of such content in any form whatsoever. By linking to third-party websites, we merely provide our users with access to the contents of those sites. The individual providers of those sites are solely responsible for any illegal, inaccurate or incomplete content and for any damages incurred by the use of those sites.
6. Right of Complaint
If you decide that we have infringed applicable data privacy laws, you have the right to file a complaint with the relevant national data protection authority. The requirements for such a complaint are based on § 24ff of the Austrian Data Protection Act (DSG). However, we encourage you to contact us before filing a complaint so that we can resolve any questions or problems.
Below are the contact details of the relevant Data Protection Authority:
Barichgasse 40-42, 1030 Wien, Österreich
Tel.: +43 1 52 152-0, email@example.com
7. Contact Details for Data Protection Questions, Messages and Requests
Please send questions, notifications or requests regarding data protection law to the following contact address:
Silhouette International Schmied AG | www.silhouette-international.com