1. Overview

If we welcome you as a prospective client or applicant, please start reading from Section III.

If you are visiting our website, please start from Section II.

2. What data do we process when you visit our website?

Welcome to our website! Please take a moment to understand how we process your personal data when you visit our website (Article 13, Article 14 GDPR; § 165 Para 3 TKG).

The following data may be processed when you visit our website:

• Browser type,
• Operating system,
• Country,
• Date,
• Time and duration of access,
• Access provider's name,
• IP address and pages visited on our website, including entry and exit pages,
• Contact page on the website,
• Cookies for analytical purposes, statistical evaluations, marketing, and retargeting,
• Consent management tool for cookie settings,
• Data collection into our CRM system,
• Sending of newsletters,
• Application form,
• Social media plug-ins.

The processing of this data is necessary to ensure the security of the website's operation and the functionality of the website from a technical perspective. This data collection is partially done through technical cookies. These technical cookies are used only to the necessary extent (§ 165 Para 3 TKG). The processing of this data is justified by our legitimate interest in operating our website (Article 6 Para 1 lit. f GDPR).

For the operation of our website, we may need to disclose your data to the following recipients:

• Recipient Data: Corpex Internet GmbH

Purpose of data processing: Website hosting

Legal basis of data processing: Primarily legitimate interest (Article 6 Para 1 lit. f GDPR); Data processing agreement (Article 28 GDPR)

Business location: Germany

Secure transfer to a third country: Within the EU

• Recipient Data: Usercentrics GmbH

Purpose of data processing: Cookie management tool

Legal basis of data processing: Primarily legitimate interest (Article 6 Para 1 lit. f GDPR)

Business location: Germany

• Recipient Data: HubSpot Inc

Purpose of data processing: CRM system and newsletter distribution

Legal basis of data processing: Primarily legitimate interest (Article 6 Para 1 lit. f GDPR); Consent for newsletter (Article 6 Para 1 lit. a GDPR)

Business location: USA

Secure transfer to a third country: HubSpot Inc is listed under the EU-US Data Privacy Framework (only regarding Non-HR Data)

• Recipient Data: Personio SE & Co. KG

Purpose of data processing: Management of applicant inquiries

Legal basis of data processing: Primarily legitimate interest (Article 6 Para 1 lit. f GDPR); Data processing agreement (Article 28 GDPR)

Business location: Germany

Secure transfer to a third country: Within the EU

• Recipient Data: Piwik PRO GmbH

Purpose of data processing: Data analytics tool

Legal basis of data processing: Consent (Article 6 Para 1 lit. a GDPR); Data processing agreement (Article 28 GDPR)

Business location: Germany

Secure transfer to a third country: Within the EU

• Recipient Data: Hotjar Ltd

Purpose of data processing: Data analytics tool; Analytical evaluation of website visits

Legal basis of data processing: Consent (Article 6 Para 1 lit. a GDPR)

Business location: USA

Secure transfer to a third country: [I couldn’t find EU-US Data Privacy Framework listing or standard contractual clauses]

• Recipient Data: Google LLC (Google Tag Manager, Google StreetView, Google Maps, Google Ads Conversion Tracking, Google Ads “Enhanced” Conversion Tracking, Google AdSense, BASIC Google Consent Mode, YouTube)

Purpose of data processing: Statistical evaluation of the website; Orientation tools, social media [YouTube], analysis of website visits

Legal basis of data processing: Consent (Article 6 Para 1 lit. a GDPR)

Business location: USA

Secure transfer to a third country: Google LLC is listed under the EU-US Data Privacy Framework

• Recipient Data: Microsoft Corporation (Microsoft Advertising Conversion Tracking, LinkedIn Conversion Tracking, LinkedIn Analytics)

Purpose of data processing: Analysis of visitor behavior

Legal basis of data processing: Consent (Article 6 Para 1 lit. a GDPR)

Business location: USA

Secure transfer to a third country: Microsoft Corporation is listed under the EU-US Data Privacy Framework

Recipient Data: Various social media plug-ins (Meta Platforms Inc [Facebook and Instagram], Microsoft [LinkedIn])

Legal basis of data processing: Consent (Article 6 Para 1 lit. a GDPR)

Business location: USA

Secure transfer to a third country: Meta Platforms Inc is listed under the EU-US Data Privacy Framework (only regarding Non-HR Data); Microsoft Corporation is listed under the EU-US Data Privacy Framework

2.1. Overview of "Technical" Cookies Used

The aforementioned data is stored through so-called "cookies." Cookies are text files that are stored on your computer and allow for analysis of website usage. They are used for recognizing and storing temporary data about the website visitor. We use cookies only to the extent necessary to communicate with you via the homepage.

These technical cookies are activated as soon as you visit our website.

The following cookies are used on our website based on our legitimate interest (Article 6 Para 1 lit. f GDPR):

See our Cookie Policy

2.2. Overview of "Advertising Cookies" Used

In addition to the above-described "technical cookies," we also use so-called advertising cookies (including "statistical cookies"). These advertising cookies allow us to better understand and analyze your interests. With the help of these cookies, we can merge your browsing behavior across websites to understand your interests and address you more effectively.

We respect that not every visitor may wish this. Therefore, we process your data with advertising cookies only if you have given your consent (Article 6 Para 1 lit. a GDPR). You can revoke this consent at any time, but the data processing that took place until the revocation remains lawful.

A list of advertising cookies can be found here:

See our Cookie Policy

3. What purposes do we process your data for when you show interest in our company?

In the course of our business relationship with customers and business partners, we process data based on contractual obligations (e.g., processing the contractual relationship with you, pre-contractual obligations, invoicing, sending documents, communication for contract performance) and legal obligations (e.g., statutory retention obligations under § 132 BAO) (Article 6 Para 1 lit. b and c GDPR), as well as our legitimate interests or those of third parties (Article 6 Para 1 lit. f GDPR), namely:

For internal administration and management of your business case to the necessary extent (e.g., processing your business case, forwarding your case to assistance, file archiving, correspondence with you),

For direct marketing purposes (e.g., newsletters, advertising for own products). Please note that you can object to the processing of your data for marketing purposes at any time (Article 21 Para 2 GDPR),

For providing our services,

For asserting and defending legal claims,

each as needed. Processing your data serves to initiate, maintain, and conclude our business relationships. If you do not provide us with this data, we may not be able to process your business case.

We may also process your data based on your voluntary, explicit consent (Article 6 Para 1 lit. a GDPR).

In the case of an application, we process personal data based on (pre-)contractual obligations according to Article 6 Para 1 lit. b GDPR and our legitimate interests under Article 6 Para 1 lit. f GDPR. We retain applicant data for seven months. Longer retention is based on your consent (Article 6 Para 1 lit. a GDPR) for archival purposes. Please note that we use Personio SE & Co. KG for managing applicant requests.

4. How long do we store your data?

We will store your data only as long as it is necessary for the purposes for which we collected it. In this context, statutory retention obligations must be observed (e.g., for tax reasons, contracts and other documents related to our contractual relationship are generally to be retained for seven years under § 132 BAO). In specific cases, such as asserting and defending legal claims, we may retain your data up to 30 years after the end of the business relationship.

We store data from prospective clients for up to one year from the date of the last contact with the prospective client.

Data from applicants will be deleted seven months after the conclusion of the application process.

5. Is automated decision-making or profiling taking place (Article 13 Para 2 lit. f GDPR)?

Our company does not carry out automated decision-making or profiling.

6. What rights do you have regarding the processing of your data?

• We would like to inform you that, provided the legal requirements are met, you have the right to:
• Request information about which data we process about you (see Article 15 GDPR in detail),
• Request correction or completion of inaccurate or incomplete data concerning you (see Article 16 GDPR in detail),
• Request the deletion of your data (see Article 17 GDPR in detail),
• Object to processing of your data based on our or a third

The address of the Austrian Data Protection Authority is:

Austrian Data Protection Authority

Barichgasse 40-42,

1030 Vienna, Austria

8. How can you contact us?

If you have any further questions regarding the processing of your data, feel free to contact our Data Protection Officer using the contact details provided below. Our Data Protection Officer is Gambit Consulting GmbH, Junkersring 35, 53844 Troisdorf, Germany.

9. Data Controller

The data controller within the meaning of Article 4 (7) GDPR is:

Gambit Solutions GmbH

Gertrude-Fröhlich-Sandner-Straße 1/Top 13

1100 Vienna, Austria

Tel: +43 (0)664 4391770

[info(at)gambit-consulting(dot)at]

Author of this Privacy Policy: RA Dr. Tobias Tretzmüller, LL.M.; www.digital-recht.at

Any use of this Privacy Policy or any part thereof without the author's consent constitutes a violation of copyright.