Data privacy statement
General, for example, for visitors, interested parties & business partners
The following is intended to provide you with an overview of how we process your personal data and the rights you have under data protection law. The details concerning what data are processed and in what manner are determined primarily by the services requested or agreed upon. Consequently, not all aspects of this information will be applicable to you.
Data controller and contact information
The respective legal persons are responsible
Responsible for Austria:
K industries GmbH
Krestastraße 1, 9433 St. Andrä, Österreich
Tel.: +43 4358 3811-0
Responsible for Germany:
K industries - Althammer GmbH
In den Seewiesen 50, 89520 Heidenheim, Deutschland
Tel.: +49 7321 3503-0
K industries – Steel&Engineering GmbH
Siemensstrasse 50, 67227 Frankenthal, Deutschland
You can reach or company Data Protection Officer under
K industries GmbH
z.Hd. DI (FH) Philipp Kreuzer, MBA
Krestastraße 1, 9433 St. Andrä, Österreich
Tel.: +43 4358 3811-0
What sources and data do we use?
We process personal data which we receive from our customers or other involved parties in the context of our business relationship. Moreover, we process personal data — when required for the fulfilment of our service — which we obtain in a permissible manner from publicly accessible sources (e.g. lists of debtors, land registers, registers of business and associations, the press, Internet) or which are transferred to us legitimately from other companies of the group or from other third parties (e.g. a credit agency).
Relevant personal data are personal details (name, address and other contact data such as citizenship).
Beyond this, such data can also include order data (e.g. development order), data from the fulfilment of our contractual obligations, information about the financial situation of our customers (e.g. creditworthiness data, scoring or rating data, source of financial assets), advertising and marketing data (incl. advertising scores), documentation data as well as other data from categories comparable to those named.
As a matter of principle, we do not process any special categories of personal data except if attention is drawn to this in a special statement.
Why do we process your data (purpose of processing) and on what legal grounds?
We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) in addition to the Austrian Data Protection Act and the German Federal Data Protection Act (BDSG):
a. For the fulfilment of contractual obligations (Art. 6(1) point (b) GDPR):
Data processing is carried out to enable the manufacture of our products and the fulfilment of our services in mechanical engineering in the context of executing our contracts with our customers or for carrying out contractual measures which are performed upon request. The purposes of data processing are determined primarily by the specific product concerned and, in addition to the contract-related written, telephone and email communication with you, can include needs assessments, consultancy, project management, design engineering and construction, among others.
Further details on the purposes for data processing can be found in the relevant contract documents and terms and conditions of business as well as a specific data privacy statement for these services, as the case may be.
b. In the context of legitimate interests (Art. 6(1) point (f) GDPR):
To the extent necessary, we process your data beyond the actual fulfilment of the contract in order to safeguard our legitimate interests or those of third parties.
- Consultation of and data exchange with credit bureaus (e.g. SCHUFA) for the determination of credit risks,
- Analysis and optimization of procedures for needs assessment for the purpose of direct customer contact, advertising or market and opinion research provided you have not objected to the use of your data,
- The exercise of legal rights and defence in the event of legal disputes,
- Safeguarding of information security and the company’s operations,
- The prevention and investigation of criminal acts,
- Video surveillance for the safeguarding of premises access rights, for the collection of evidence in the event of industrial espionage, assaults, robbery and fraudulent activities,
- Building and plant security measures (e.g. physical access control),
- Measures for the safeguarding of the right to ban individuals from the premises,
- Measures for business management and ongoing development of services and products,
- Risk control in the group.
c. Based on your consent (Art. 6(1) point (a) GDPR):
Consent that has been granted can be withdrawn at any time.This also applies for the withdrawal of declarations of consent which were granted to us before the GDPR went into effect, meaning before 25 May 2018. The withdrawal of consent has an effect for the future only and does not affect the legality of the data processing which took place up to the time of the withdrawal.
d. Based on legal obligations (Art. 6(1) point (c) GDPR) or in the public interest (Art. 6(1) point (e) GDPR):
As a group of companies, we are subject to various legal obligations, or statutory requirements (e.g. tax laws, IT security laws, German Telemedia Act (TMG), etc.).
The purposes for processing include matters such as the fulfilment of tax-law storage and reporting obligations.
Who gets my data?
Within the group, those offices are given access to your data which need it for the fulfilment of our contractual and legal obligations. It is also possible that service providers we engage in the context of order-processing circumstances and vicarious agents could receive data for these purposes provided that they comply with the data protection regulations. These are companies in the categories of services in mechanical engineering, IT service providers, logistics, printing services, telecommunications, collection, consultancy as well as sales and marketing.
Further data recipients can be those offices for which you have granted us consent for the transfer of data or to which we are entitled to transfer personal data based on a legitimate interest.
Are data transferred to a third country or to an international organization?
The transfer of data to offices in countries outside of the European Union (referred to as third countries) takes place inasmuch as it is required for the fulfilment of your orders (e.g. foreign jobs), it is required by law (e.g. information for commercially authorized parties in export) or you have granted us your consent.
In the event that this should be required in individual cases, your personal data are transferred in compliance with the European level of data protection.
Furthermore, a transfer to offices in third countries is envisioned in the following cases:
The group uses Office 365 Cloud Services by Microsoft for its communication and collaboration services. The storage (data at rest) of personal data, e.g. in emails, Sharepoint, etc. takes place as a matter of principle within the European Union, whereby for support purposes (Azure Active Directory) and maintenance services, data can be transferred to other Microsoft locations outside of the EU. In all cases, the contracts and locations for these services are subject to the EU standard contractual clauses (as per Art. 29 Working Party) and in the case of the USA, alternatively, to the U.S.-EU Privacy Shield treaty. The information on the guarantees is available for public viewing on the Microsoft website (and is stored alternatively by the data controller). No transfer of personal data from Microsoft to other companies takes place.
With the consent of the data subject or based on legal provisions, especially for the purpose of investigation of criminal offences as well as in the context of a legitimate interest, in individual cases, personal data may be transferred subject to compliance with the data protection level of the European Union.
How long are my data stored?
We process personal data for as long as a corresponding basis for processing exists and there is a legitimate interest in the continued processing. Once the data are no longer required, they are erased regularly. Please note here that we have ongoing contractual obligations, for example, with many suppliers, which are arranged for periods of many years.
The erasure periods for processing are generally determined as the following examples show:
The fulfilment of commercial and tax-law storage obligations which can result from, among other things: Commercial laws and tax codes, etc. The periods specified there for the storage of documentation are typically two to ten years.
Preservation of evidence in the context of the legal statutes of limitation. In Germany, the limitation periods can be up to 30 years according to paragraphs 195 ff of the German Civil Code (BGB), whereby the usual limitation period is 3 years.
Additional erasure periods and/or regulations can be found in the supplements to the data protection information for special types of processing or user groups.
What data protection rights do I have?
Every data subject has a right to:
- Information according to Article 15 GDPR
- Correction according to Article 16 GDPR
- Erasure according to Article 17 GDPR
- Restriction of processing according to Article 18 GDPR
- Objection according to Article 21 GDPR
- Data portability according to Article 20 GDPR
- Make an appeal to a responsible data protection supervisory authority (Article 77 GDPR in conjunction with Par. 19 Federal Data Protection Act (BDSG) in Germany)
With regard to the rights to information and erasure, the restrictions as per pars. 34 and 35 BDSG apply for our German companies.
In the interest of protecting personal data, a data subject must prove their identity to us in a suitable manner (e.g. with a copy of a personal identity card) to exercise their rights. Moreover, in the case of obviously unfounded requests or excessively frequent repetitions, we can demand a reasonable fee or refuse to take action. (Art. 12(5) GDPR)
Consent you have granted to the processing of personal data can be withdrawn at any time.This also applies for the withdrawal of declarations of consent which were granted to us before the GDPR went into effect, meaning before 25 May 2018. Please bear in mind that the withdrawal of consent only takes effect for the future. Processing that took place before the withdrawal is not affected. (Please also see the last section.)
Am I obligated to provide data?
In the context of our business relationship, you must provide the personal data that are required for the commencement, execution and termination of a business relationship and for the fulfilment of the associated contractual obligations or which we are required by law to gather. Without these data, we would generally be unable to conclude a contract with you, to execute it or to terminate it.
Does profiling take place?
We do not use your personal data for automated processing to create profiles.
To what extent does automated decision making take place?
As a matter principle, we do not use any fully automated decision making processes in terms of Article 22 GDPR concerning the establishment or the execution of a business relationship.
Information concerning your right of objection according to Article 21 GDPR
Right of objection in individual cases
For reasons which arise from your special situation, you have the right to object at any time to the processing of personal data concerning you which is based on Article 6(1) point (e) GDPR (data processing in the public interest) or Article 6(1) point (f) GDPR (data processing based on a legitimate interest); this also applies for profiling in terms of Article 4(4) GDPR which is based on this provision.
If you object, we will no longer process your personal data except if we are able to adduce compulsory legitimate grounds for the processing which outweigh your interests, rights and freedoms or the processing serves the purpose of enforcing, exercising or defending legal claims.
Right of objection to processing of data for purposes of direct advertising
In individual cases, we process your personal data in order to engage in direct advertising. You have the right to object at any time to the processing of personal data concerning you for the purpose of advertising of this nature; this also applies for profiling inasmuch as it is connected with such direct advertising.
If you object to the processing for the purpose of direct advertising, we will no longer process your personal data for this purpose.
Addressee for submitting an objection
The objection can be submitted without form requirements using the subject line “Objection” and including your name, your address and your date of birth and should be addressed to:
K industries GmbH
Krestastraße 1, 9433 St. Andrä, Austria
Tel.: +43 4358 3811-0