Data protection

Since the protection of your personal data is a particular concern for us, we strictly adhere to the legal requirements of the Austrian Data Protection Act (DSG) and the EU General Data Protection Regulation (EU-GDPR) when collecting and processing your personal data.

Below we inform you in detail about the scope and purpose of our data processing as well as your rights as a data subject. Please read our privacy policy carefully before you continue to use our website and, where applicable, give your consent to any data processing.

A. Processing of personal data on our website

1. Personal Data

The use of our website is generally possible without providing any personal data. However, different rules may apply for the use of individual services, which we will point out separately.

Accordingly, apart from the cookies described in detail below, only those data are collected and stored by us that you actively provide to us by entering them in our input forms or by otherwise interacting with our website.

Personal data are all information relating to an identified or identifiable natural person. This includes, for example, your name, address, telephone number, or date of birth, as well as your IP address or geolocation data that allow conclusions to be drawn about you.

2. Use of Cookies

a. If you use our website for informational purposes only, that is, if you do not register for a service or otherwise transmit information to us (for example via a contact form), we only collect the personal data that your browser transmits to our server. When you visit our website, we therefore collect the following data, which are technically necessary for us to display the website and to ensure its stability and security in accordance with Art. 6 (1) sentence 1 lit. f EU-GDPR:

• IP address

• Date and time of the request

• Time zone difference to Greenwich Mean Time (GMT)

• Content of the request

• Access status / HTTP status code

• Amount of data transferred in each case

• Website from which the request originates

• Browser used

• Operating system and its interface

• Language and version of the browser software

b. In addition to the data mentioned above, when you use our website, first- and third-party cookies are stored on your device; these are small text files that are stored in your browser. The entity that sets a cookie (here: us and the third parties listed below) thereby receives certain information. We need these cookies both to recognize you as a user of the website and to make the use of our services traceable. Finally, we use cookies for marketing purposes to analyze your usage behavior and, where appropriate, to provide you with targeted advertising.

One can generally distinguish between first-party cookies, third-party cookies, and third-party requests.

First-Party Cookies
First-party cookies are stored by us (i.e., our website) in your browser to provide you with the best possible user experience. These are primarily functional cookies, such as shopping cart cookies.

Third-Party Cookies
Third-party cookies are stored in your browser by third-party providers. These are usually tracking or marketing tools that evaluate your user behavior and enable the third parties to recognize you on other visited websites. For example, retargeting marketing is based on such cookies. Which third-party cookies we use can be found in our cookie banner.

Third-Party Requests
Third-party requests are all requests that you, as a website user, make to third parties via our site— for example, when you interact with social network plugins or use the offerings of payment providers. In this case, no cookies are stored in your browser, but it cannot be ruled out that personal data are sent to these third parties through the interaction. For this reason, we also inform you in detail in our privacy policy about the tools & applications we use.

3. Collection and Processing of Personal Data
   Personal data that go beyond the information stored by cookies are processed by us only if you voluntarily provide them to us yourself, for example by registering with us, entering into a contractual relationship with us, or otherwise contacting us. This exclusively concerns contact details and information about the matters you approach us with. We use the personal data you provide only to the extent necessary for the fulfillment of the respective purpose of processing (e.g., registration, newsletter dispatch, processing an order, sending informational and advertising material, conducting a prize draw, answering a question, granting access to certain information) and as permitted by law (in particular pursuant to Art. 6 EU-GDPR), for example, to send advertising and informational material to existing customers. We process applicants’ data in the course of contract initiation and for six months thereafter to defend against any claims by an applicant arising from a rejection. If you consent, we will store your application documents for a period of three years for record-keeping purposes. The purpose of processing your data as a website visitor is operating our website and providing company-specific information as well as showcasing our products and services (marketing). Any further use of your data takes place only if you have expressly consented to it beforehand. You may withdraw your consent at any time for the future, as explained in detail below.

4. Data Retention Period
   Data that you have provided to us solely for customer support or for marketing and informational purposes are generally stored until three years after our last contact. If you wish, we will delete your data before the end of this period, provided there is no legal obstacle. In the event of contract initiation or conclusion, we process your personal data after complete contract fulfillment until the expiration of warranty, limitation, product liability, and compensation periods applicable to us, and the statutory retention periods, and beyond that until the conclusion of any legal disputes in which the data are required as evidence.

5. Tools and Applications Used
   a. We use Google Analytics, a web analytics service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. This service uses cookies, whose functionality has been extensively explained above. If you consent to the use of Google Analytics in our cookie banner, the information generated by these cookies about your use of this website is normally transmitted to and stored on a Google server. On our behalf, Google uses this information to evaluate your use of our website, compile reports on website activity, and provide us with other services related to website and Internet usage. The IP address transmitted by your browser for Google Analytics is not merged with other Google data by the controller. You can prevent the storage of cookies required by Google Analytics by setting your browser software accordingly; however, this may mean that you cannot use all functions of this website to their full extent. You can also prevent the collection of the data generated by the cookie and related to your use of the website (including your IP address) as well as their transmission and processing by Google by downloading and installing the browser plugin available at http://tools.google.com/dlpage/gaoptout?hl=de. For further information on the type, scope, and purpose of data collection by Google, we recommend reading their privacy policy at https://support.google.com/analytics/answer/6004245?hl=de. Google also processes your data in the USA. By consenting to the use of Google Analytics, you agree that your data collected via these plugins may be transferred to the USA (Art. 49 (1) (a) GDPR). This is relevant because, according to the latest decisions of the authorities and the case law of the CJEU, the USA does not provide an adequate level of data protection (C-311/18, Schrems II). Critically, accesses by U.S. authorities (FISA 702) are not comprehensively limited by law, do not require independent authorization, and there are no effective legal remedies available in the event of such interventions. Please take this into account when giving your consent.

b. We also use Google Maps on our website. With your consent, this allows us to display interactive maps directly on our website and enables you to use the map function comfortably to find our location and plan your route. When you visit our website, Google receives the information that you have accessed the corresponding subpage of our website and the personal data listed in section 2. This happens regardless of whether you are logged into a Google account. If you are logged into Google, your data will be directly associated with your account. If you do not wish this, you must log out of Google before using this service. Google uses your data for advertising, market research, and demand-oriented website design. You have the right to object to this use of your data, which you must assert directly with Google. Further information on the purpose and scope of data collection can be found in Google’s privacy policy at http://www.google.de/intl/de/policies/privacy. Google also processes your data in the USA. By consenting to the use of Google Maps, you agree that your data collected via these plugins may also be transferred to the USA (Art. 49 (1) (a) GDPR). As explained above, the USA does not provide an adequate level of data protection, and U.S. authorities have broad access rights under FISA 702.

c. With your consent, we also use the Google Tag Manager on our website. Google Tag Manager is a popular tool for managing tags on websites. It can control everything from statistical scripts to marketing tags that collect data for analytics and advertising, such as tracking page views, mouse clicks, scrolling, and user behavior. Websites use Google Tag Manager to update and optimize their content based on tracked user interactions. For more information on the purpose and scope of data collection, please see Google’s privacy policy at http://www.google.de/intl/de/policies/privacy. Google processes your data in the USA. By consenting to the use of Google Tag Manager, you agree that your data collected via these plugins may be transferred to the USA (Art. 49 (1) (a) GDPR). The considerations regarding U.S. data protection adequacy and FISA 702 access apply as described above.

d. Another marketing tool we use—if you give your consent—is Google Ads Remarketing, an advertising system from Google. With this tool, we can run ads that are primarily oriented toward search results when you use our services. Google Ads is Google’s online advertising tool that enables you to create online ads targeted to your personal interests and preferences. For more information on the purpose and scope of data collection, please see Google’s privacy policy at http://www.google.de/intl/de/policies/privacy. Google processes your data in the USA. By consenting to the use of Google Ads Remarketing, you agree that your data collected via these features may be transferred to the USA (Art. 49 (1) (a) GDPR). The considerations regarding U.S. data protection adequacy and FISA 702 access apply as described above.

e. We also use the Facebook Pixel, provided you give your consent. The Facebook Pixel is an analytics tool used to measure the effectiveness of our advertising. It can analyze actions taken by people on our website. The Facebook Pixel is JavaScript code embedded on web pages that can link people’s behavior on the website with Facebook user profiles. It collects data that help track conversions, optimize ads, and create audiences. By consenting to the use of the Facebook Pixel, you agree that your data collected via this feature may be transferred to the USA (Art. 49 (1) (a) GDPR). For more information on the purpose and scope of data collection, please see Meta’s privacy policy at https://www.facebook.com/business/gdpr. Meta processes your data in the USA. The considerations regarding U.S. data protection adequacy and FISA 702 access apply as described above.

f. Our website also contains links to other websites for informational purposes only. These websites are not under our control and are not covered by this privacy policy. If you click on a link, it is possible that the operator of that website will collect data about you and process it according to their own privacy policy, which may differ from ours. Please always inform yourself about the current privacy policies of the websites we link to.

g. Our website also offers the possibility to interact with various social network plugins. These include:

• LinkedIn, operated by LinkedIn Inc., 2029 Stierlin Court, Mountain View, CA 94043, USA

If you click on a plugin of one of these social networks, it becomes active and connects to the respective network’s servers as described above. By activating these plugins, you agree that your data collected via these plugins may be transferred to the USA (Art. 49 (1) (a) GDPR). As noted, the USA does not provide an adequate level of data protection, and U.S. authorities have extensive access rights under FISA 702. We have no influence on the scope and content of the data that are transmitted to the operator of the social network via the plugin or that may subsequently be accessed by U.S. authorities. If you want to learn about the type, scope, and purpose of data collection by these social networks, please read their privacy policies.

h. LinkedIn Company Page
We operate a LinkedIn company page at https://www.linkedin.com/company/jawa-management-software-gmbh/. This page serves to share information about our company’s activities, conduct marketing measures, and provide an additional communication channel with us. In this context, we are joint controllers with LinkedIn Ireland Unlimited Company (Gardner House, 2 Wilton Pl, Dublin 2, D02 CA30, Ireland) under Art. 26 EU-GDPR. LinkedIn allows you to choose in your settings which personal data are shared with us. If you do not wish to share this data, we receive all information about the usage of our page and visitors’ personal data in anonymized form. For details, we have concluded an Art. 26 GDPR agreement with LinkedIn. Further information can be found at https://de.linkedin.com/pulse/wie-du-social-media-fanpages-rechtlich-richtig-nutzt-kandelhard. Please also read LinkedIn’s privacy policy at https://de.linkedin.com/legal/privacy-policy. You can assert your data subject rights both against us according to section C.3 of this privacy policy and against LinkedIn Ireland Unlimited Company.

i. Customer Relationship Management (CRM)
We manage our customer relationships using Jira Service Management. The legal basis for using “Customer Relationship Management” is contract performance, including pre-contractual measures, legitimate interest of the controller or third parties, or consent. The following data categories are processed: contact data (from sales data of existing and potential new customers), user data, image and video data, orders and deliveries, IP address, location, and usage behavior (frequency). In this context, we or Jira Service Management store and process all data provided by registered users. Technical registration data such as date, time, or IP address are also stored in the background.

Tools used:
Jira Service Management, Atlassian Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia

We have no influence on the scope and content of the data transmitted to Jira Service Management or on data that may subsequently be accessed by Australian or U.S. authorities. If you want information on the type, scope, and purpose of data collection by Jira Service Management, please read their privacy policy. By consenting to the use of Jira Service Management, you agree that your data collected via this tool may also be transferred to Australia or the USA (Art. 49 (1) (a) GDPR).

B. Processing of data of our customers, suppliers and interested parties for marketing purposes
We use personal data of our customers and suppliers (e.g., contact persons, their contact details, and marketing-relevant information) not only for contract processing and within the framework of legal retention obligations (e.g., accounting) but also for marketing and customer support purposes. We also collect personal data from prospective customers (e.g., contact persons, their contact details, and marketing-relevant information) in the course of our acquisition and sales activities. We are always looking online, at trade fairs, and at other events for potential contractual partners and maintain a marketing database for this purpose to enable targeted advertising for our products and services. All of the measures listed here are carried out in the legitimate interest for marketing purposes pursuant to Art. 6 (1) sentence 1 lit. f EU-GDPR in conjunction with Recital 47 for a period of three years from the end of a contractual relationship (customers & suppliers) or our first (unsuccessful) contact (prospective customers), unless there is an express consent from the data subject for a longer period.

If we do not collect personal data for marketing purposes directly from the data subject, we inform the data subject upon first contact where we obtained their data. If, as part of an ongoing business relationship or as a result of explicit requests from interested parties, we are to supply products and services offered by other companies affiliated with us, we will pass on personal data of interested parties for marketing purposes to those affiliated companies that offer the products and services of interest to the specific data subject out of legitimate interest.

We and each of our affiliated companies store data for marketing and customer support purposes for the duration described in A.4.

C. Processing of personal data for other purposes
Other processing purposes may include the purchase of products, materials, and services; the sale of products and services; the rental of real estate and machinery; maintenance and service after purchasing our products; optimizing machine performance; providing communication channels to our sales partners; processing and transmitting employee data for payroll accounting; and compliance with recording, information, and reporting obligations.

We will provide separate information on special processing purposes, such as video surveillance measures, photos and videos at events organized by us, etc., on a case-by-case basis. This also applies to the applicable retention and deletion periods.

If you provide us with personal data (such as name, address, e-mail address, telephone number, company affiliation) outside our website by e-mail, fax, post, or personal delivery (e.g., a business card at trade fairs) to obtain information about our company and/or to initiate business contacts, we will also process and use this data for these purposes.

D. General information on data protection

1. Data Disclosure
   Your data will not be transferred to third parties unless we are legally obliged to do so, the data transfer is necessary for the execution of a contractual relationship concluded between us, or you have previously expressly consented to the transfer of your data. External processors or other cooperation partners will only receive your data if this is necessary for the execution of the contract or if we have a legitimate interest in doing so, which we will always disclose separately in each case. If one of our processors comes into contact with your personal data, we ensure that they comply with the provisions of data protection laws in the same way as we do.

Your personal data will not be sold or otherwise marketed by us to third parties outside our group. If our contractual partners or processors are based in a third country, i.e., a country outside the European Economic Area (EEA), we will inform you of the consequences of this circumstance in the description of the offering.

2. Security
   We use numerous technical and organizational security measures to protect your data against manipulation, loss, destruction, and access by third parties. Our security measures are continuously improved in line with technological developments. If you would like more information on the type and scope of the technical and organizational measures we have taken, please do not hesitate to contact us in writing at any time.

3. Your Rights
   In accordance with the General Data Protection Regulation and the Austrian Data Protection Act, you are entitled to the following rights and legal remedies as a data subject of our data processing:

Right of Access (Art. 15 EU-GDPR)
As the data subject, you have the right to obtain confirmation as to whether personal data concerning you are being processed, and, if so, access to that data. For your protection—so that no unauthorized person receives information about your data—we will verify your identity in an appropriate manner before providing information.

Right to Rectification (Art. 16) and Erasure (Art. 17 EU-GDPR)
You have the right to obtain the rectification of inaccurate personal data concerning you without undue delay or completion of incomplete personal data and to obtain the erasure of your data, provided that the conditions of Art. 17 EU-GDPR are met.

Right to Restriction of Processing (Art. 18 EU-GDPR)
Under the legal requirements, you have the right to restrict the processing of all personal data collected. After restriction, the data may only be processed with your consent or for legal claims.

Right to Data Portability (Art. 20 EU-GDPR)
You have the right to receive personal data concerning you that you have provided to us in a structured, commonly used, and machine-readable format and to transmit those data to another controller without hindrance.

Right to Object (Art. 21 EU-GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you based on legitimate interests. After objection, we will no longer process your data unless there are compelling legitimate grounds that override your interests, rights, and freedoms or for the establishment, exercise, or defense of legal claims. You may also object at any time to processing for direct marketing purposes.

Withdrawal of Consent
If you have given your consent to the processing of your data, you may withdraw this consent at any time. Such withdrawal affects the lawfulness of processing your personal data after you have given your consent but does not affect processing carried out before the withdrawal.

If you exercise any of the rights described above, JAWA must respond to the request without undue delay, but at the latest within one month of receipt.

We will respond to all reasonable requests within the legal framework free of charge and as promptly as possible.

The Data Protection Authority is responsible for complaints regarding violations of the right to access, the right to rectification or erasure, or confidentiality. Their contact details are:

Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
dsb@dsb.gv.at

4. Contact Information / Data Protection Officer

a. Contact Information of the Controller
JAWA Management Software GmbH
Liebenauer Hauptstraße 65 A–
8041 Graz
Tel.: +43 316 403274-0
E-mail: office@jawa.com

b. Contact Information of the Data Protection Officer
You can contact us at any time through all channels, in particular via the e-mail address gdpr@jawa.com

Status: May 2023