Privacy Police

Protecting your personal data is very important to us. Therefore, we process your data exclusively on the basis of legal provisions (GDPR, TKG 2003). In this Privacy Policy, we inform you about the most important aspects of data processing within the framework of our website.

Preamble

With the following Privacy Policy, we aim to inform you about the types of personal data (hereinafter briefly referred to as "data") we process, for what purposes, and to what extent. This Privacy Policy applies to all processing of personal data carried out by us, both in the context of providing our services and, in particular, on our websites, in mobile applications, and within external online presences, such as our social media profiles (hereinafter collectively referred to as "online offering").

The terms used are not gender-specific.

Status: June 19, 2024

Controller
Contact Us / Name and Contact Details of the Controller

The controller in the sense of the GDPR is:

T.T. Immobilien Holding GmbHA-8925 - St. Johann/Haide 111Commercial Register Number: FN 548544 hCommercial Court: Regional Court for Civil Matters Graz

You can reach us at our aforementioned company address, by email at office@tt-immobilienholding.at, and via the contact form on our website.

Table of Contents
  • Preamble
  • Controller
  • Overview of Processing Activities
  • Relevant Legal Bases
  • Security Measures
  • Transfer of Personal Data
  • International Data Transfers
  • General Information on Data Storage and Deletion
  • Rights of Data Subjects
  • Provision of the Online Offering and Web Hosting
  • Use of Cookies
  • Contact and Inquiry Management
  • Web Analysis, Monitoring, and Optimization
  • Online Marketing
  • Presence on Social Networks (Social Media)
  • Plug-ins and Embedded Functions and Content
  • Processing of Data in the Context of Employment Relationships
Overview of Processing Activities

The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.

Types of Processed Data
  • Inventory data
  • Employee data
  • Contact data
  • Content data
  • Usage data
  • Meta, communication, and procedural data
  • Log data
Categories of Data Subjects
  • Employees
  • Communication partners
  • Users
Purposes of Processing
  • Communication
  • Security measures
  • Reach measurement
  • Tracking
  • Target group formation
  • Organizational and administrative procedures
  • Feedback
  • Marketing
  • Profiles with user-related information
  • Provision of our online offering and user-friendliness
  • Establishment and execution of employment relationships
  • Information technology infrastructure
  • Public relations
  • Business processes and commercial procedures
Relevant Legal Bases
Relevant Legal Bases under the GDPR

Below is an overview of the legal bases under the GDPR on which we process personal data. Please note that in addition to the GDPR regulations, national data protection requirements in your or our country of residence or establishment may apply. Furthermore, if more specific legal bases are relevant in individual cases, we will inform you of these in the Privacy Policy.

  • Consent (Art. 6 (1) sentence 1 lit. a) GDPR) - The data subject has given consent to the processing of their personal data for one or more specific purposes.
  • Performance of a Contract and Pre-Contractual Inquiries (Art. 6 (1) sentence 1 lit. b) GDPR) - Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal Obligation (Art. 6 (1) sentence 1 lit. c) GDPR) - Processing is necessary for compliance with a legal obligation to which the controller is subject.
  • Legitimate Interests (Art. 6 (1) sentence 1 lit. f) GDPR) - Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National Data Protection Regulations in Austria

In addition to the data protection regulations of the GDPR, national data protection regulations apply in Austria. This particularly includes the Federal Act on the Protection of Natural Persons with regard to the Processing of Personal Data (Data Protection Act – DSG). The Data Protection Act contains special provisions on the right to information, the right to rectification or erasure, the processing of special categories of personal data, processing for other purposes and transmission, and automated individual decision-making.

Security Measures

In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

Measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation of data. Furthermore, we have established procedures to ensure the exercise of data subjects' rights, the deletion of data, and responses to data breaches. We also consider the protection of personal data already during the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.

Transfer of Personal Data

In the course of our processing of personal data, it may occur that these are transferred to or disclosed to other bodies, companies, legally independent organizational units, or persons. Recipients of this data may include, for example, service providers commissioned with IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude corresponding contracts or agreements with the recipients of your data that serve to protect your data.

International Data Transfers
Data Processing in Third Countries

If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place in the context of using third-party services or disclosing or transferring data to other persons, bodies, or companies, this will only occur in accordance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Art. 45 GDPR), this serves as the basis for the data transfer. Otherwise, data transfers will only take place if the data protection level is otherwise secured, in particular by standard contractual clauses (Art. 46 (2) lit. c) GDPR), explicit consent, or in the case of contractual or legally required transmission (Art. 49 (1) GDPR). Furthermore, we will inform you about the bases of the third country transfer for the individual providers from the third country, whereby the adequacy decisions take precedence as bases. Information on third-country transfers and existing adequacy decisions can be found in the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en.

EU-US Trans-Atlantic Data Privacy Framework

Within the framework of the "Data Privacy Framework" (DPF), the EU Commission has also recognized the data protection level as secure for certain companies from the USA under the adequacy decision of July 10, 2023. A list of certified companies and further information on the DPF can be found on the website of the U.S. Department of Commerce at https://www.dataprivacyframework.gov/ (in English). We will inform you in the privacy notices which of our service providers are certified under the Data Privacy Framework.

General Information on Data Storage and Deletion

We delete personal data that we process in accordance with legal provisions as soon as the underlying consents are revoked or no further legal bases for processing exist. Exceptions to this rule exist if legal obligations or special interests require longer storage or archiving of the data.

Rights of Data Subjects
Rights of Data Subjects under the GDPR

As data subjects, you have various rights under the GDPR, particularly arising from Articles 15 to 21 GDPR:

You generally have the rights to information, rectification, erasure, restriction of processing, data portability, withdrawal of consent, and objection. If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, we ask you to contact us to clarify any questions. You can, of course, also lodge a complaint with the supervisory authority. In Austria, this is the Data Protection Authority.

Provision of the Online Offering and Web Hosting

We process user data to provide our online services to them. For this purpose, we process the user's IP address, which is necessary to transmit the content and functions of our online services to the user's browser or device.

  • Types of data processed: Usage data (e.g., page views and dwell time, click paths, usage intensity and frequency, device types and operating systems used, interactions with content and functions); Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons). Log data (e.g., log files regarding logins or the retrieval of data or access times).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Purposes of processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
  • Storage and deletion: Deletion according to the information in the "General Information on Data Storage and Deletion" section.
  • Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
  • Collection of access data and log files: Access to our online offering is logged in the form of so-called "server log files". Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volume, notification of successful retrieval, browser type and version, the user's operating system, referrer URL (the previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files can be used for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and to ensure server load and stability; Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR). Deletion of data: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further retention is required for evidentiary purposes is excluded from deletion until the final clarification of the respective incident.
Use of Cookies

Cookies are small text files or other storage notes that store and read information on end devices.

Notes on Consent:

We use cookies in accordance with legal provisions. Therefore, we obtain prior consent from users, unless it is not required by law. The revocable consent is clearly communicated to them and contains information about the respective cookie usage.

Notes on Data Protection Legal Bases:

The data protection legal basis on which we process users' personal data with the help of cookies depends on whether we ask them for consent. If users accept, the legal basis for the use of their data is the given consent. Otherwise, the data used with the help of cookies is processed on the basis of our legitimate interests or, if this occurs within the framework of fulfilling our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We explain the purposes for which we use cookies in this Privacy Policy or within our consent and processing processes.

General Notes on Revocation and Objection (Opt-out):

Users can revoke their given consents at any time and also declare an objection to the processing in accordance with legal requirements, also by means of their browser's privacy settings.

  • Types of data processed: Meta, communication, and procedural data (e.g., IP addresses, time stamps, identification numbers, involved persons).
  • Data subjects: Users (e.g., website visitors, users of online services).
  • Legal bases: Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR). Consent (Art. 6 (1) sentence 1 lit. a) GDPR).
Contact and Inquiry Management

When contacting us (e.g., by mail, contact form, email, phone, or via social media) and in the context of existing user and business relationships, the information of the inquiring persons is processed to the extent necessary to answer contact inquiries and any requested measures.

Further information on processing processes, procedures, and services:
  • Contact form: When contacting us via our contact form, by email, or other communication channels, we process the personal data transmitted to us to answer and process the respective request. We use this data exclusively for the stated purpose of contact and communication.
    • Legal bases: Performance of a contract and pre-contractual inquiries (Art. 6 (1) sentence 1 lit. b) GDPR), Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).
Web Analysis, Monitoring, and Optimization

Web analysis (also referred to as "reach measurement") serves to evaluate the visitor flows of our online offering and may include behavior, interests, or demographic information about visitors, such as age or gender, as pseudonymous values.

Unless otherwise stated below, profiles, i.e., data summarized for a usage process, can be created for these purposes, and information can be stored in a browser or on an end device and then read out. The collected information includes, in particular, visited websites and elements used there, as well as technical information, such as the browser used, the computer system used, and information on usage times. If users have agreed to the collection of their location data by us or by the providers of the services we use, processing of location data is also possible.

In addition, the IP addresses of users are stored. However, we use an IP masking procedure (i.e., pseudonymization by shortening the IP address) to protect users. In general, no clear user data (such as email addresses or names) are stored within the framework of web analysis, A/B testing, and optimization, but pseudonyms. This means that neither we nor the providers of the software used know the actual identity of the users, but only the information stored in their profiles for the purpose of the respective procedures.

Notes on Legal Bases:

If we ask users for their consent to the use of third-party providers, the legal basis for data processing is consent. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.

  • Legal bases: Consent (Art. 6 (1) sentence 1 lit. a) GDPR). Legitimate interests (Art. 6 (1) sentence 1 lit. f) GDPR).
Further information on processing processes, procedures, and services:
  • Google Analytics: Our website uses functions of the web analysis service Google Analytics, a web analysis service of Google LLC ("Google"), Amphitheatre Parkway, Mountain View, CA 94043, USA. The data collected is also processed outside the EU. Cookies are used for this purpose, which enable an analysis of the website's use by its users. The information generated thereby is transferred to the provider's server and stored there.You can prevent this by setting your browser not to store cookies.In the event that IP anonymization is activated via your browser, your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. This means that only a rough localization is possible. The relationship with the web analytics provider is based on the EU's standard contractual clauses under the Privacy Shield Agreement. Further information: Google Privacy Policy & Terms of Use.Data processing is carried out on the basis of the legal provisions of § 96 (3) TKG as well as Art 6 (1) lit a (consent) and/or lit f (legitimate interest) of the GDPR. Our concern in the sense of the GDPR (legitimate interest) is the improvement of our offer and our web presence. Since the privacy of our users is important to us, user data is pseudonymized and the IP address is anonymized.
Online Marketing

We process personal data for the purpose of online marketing, which includes, in particular, the marketing of advertising spaces or the display of advertising and other content (collectively referred to as "content") based on potential user interests, as well as the measurement of their effectiveness.

For these purposes, so-called user profiles are created and stored in a file (the so-called "cookie") or similar procedures are used, by means of which the information relevant for the display of the aforementioned content is stored about the user. This may include, for example, viewed content, visited websites, used online networks, but also communication partners and technical information, such as the browser used, the computer system used, and information on usage times and used functions. If users have consented to the collection of their location data, this can also be processed.

In addition, the IP addresses of users are stored. However, we use available IP masking procedures (i.e., pseudonymization by shortening the IP address) for user protection. In general, no clear user data (such as email addresses or names) are stored within the framework of online marketing procedures, but pseudonyms. This means that neither we nor the providers of the online marketing procedures know the actual user identity, but only the information stored in their profiles.

The statements in the profiles are generally stored in the cookies or by similar procedures. These cookies can later generally also be read out on other websites that use the same online marketing procedure and analyzed for the purpose of displaying content, as well as supplemented with further data and stored on the server of the online marketing procedure provider.

We generally only receive access to aggregated information about the success of our advertisements. However, within the framework of so-called conversion measurements, we can check which of our online marketing procedures have led to a so-called conversion, i.e., for example, to a conclusion of a contract with us. Conversion measurement is used solely for the success analysis of our marketing measures.

Notes on Revocation and Objection:

We refer to the privacy notices of the respective providers and the objection options (so-called "Opt-Out") indicated for the providers. If no explicit opt-out option has been specified, there is the possibility that you can disable cookies in your browser settings. However, this may restrict the functions of our online offering.

Presence on Social Networks (Social Media)

We maintain online presences within social networks and process user data in this context to communicate with active users there or to offer information about us.

We would like to point out that user data may be processed outside the European Union.

Furthermore, user data within social networks is generally processed for market research and advertising purposes. For example, usage profiles can be created based on user behavior and resulting interests. The latter may in turn be used to place advertisements within and outside the networks that presumably correspond to the users' interests. Therefore, cookies are generally stored on the users' computers, in which the usage behavior and interests of the users are stored. In addition, data can also be stored in the usage profiles regardless of the devices used by the users (especially if they are members of the respective platforms and logged in there).

For a detailed description of the respective processing forms and the objection options (opt-out), we refer to the privacy policies and information of the operators of the respective networks.

Also in the case of requests for information and the assertion of data subject rights, we point out that these can be asserted most effectively with the providers. Only the latter have access to the user data and can directly take appropriate measures and provide information. Should you still need assistance, you can contact us.

Plug-ins and Embedded Functions and Content

We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter referred to as "third-party providers"). These may include, for example, graphics, videos, or city maps (hereinafter uniformly referred to as "content").

The integration always requires that the third-party providers of this content process the users' IP address, as they would not be able to send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or functions. We strive to use only such content whose respective providers only use the IP address for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. "Pixel tags" can be used to evaluate information such as visitor traffic on the pages of this website. The pseudonymous information can also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring websites, visit time, and other information about the use of our online offering, but can also be linked to such information from other sources.

Notes on Legal Bases:

If we ask users for their consent to the use of third-party providers, the legal basis for data processing is permission. Otherwise, user data is processed on the basis of our legitimate interests (i.e., interest in efficient, economical, and user-friendly services). In this context, we would also like to refer you to the information on the use of cookies in this Privacy Policy.

Of course, we are always available to provide you with information about data protection on our website.