according to Art 12 ff GDPR
This privacy information applies to the processing of personal data with regard to the operation of the website (“website”), the online-platform (“platform”) and the (mobile) web-application (“app”) (together the “services”) of “CarCutter” by Meero Austria GmbH, Companies Register No (FN) 467638d, Hamerlinggasse 8/4/10, 8010 Graz. This privacy information does not apply to the processing of personal data in other business sectors of Meero Austria GmbH. To clarify the scope of this privacy information, Meero Austria GmbH is hereinafter referred to as “CarCutter”.
The protection and security of personal data and the compliance with the data protection regulations – currently the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – “GDPR”) and the Federal Act concerning the Protection of Personal Data in the amended version (Data Protection Act – “DSG”) and legal acts adopted on the basis of this legislation – is given special emphasis by CarCutter. The following privacy information provides the information according to Art 12 ff GDPR of what type of personal data CarCutter processes with regard to the operation of the services for what purposes and how CarCutter ensures the protection of these data.
This privacy information is available on www.car-cutter.com and can be electronically viewed, printed, downloaded and stored on a storage medium at any time.
The terms used in this privacy information are understood according to Art 4 GDPR.
Meero Austria GmbH, respectively CarCutter, is Controller according to Art 4 No 7 GDPR.
A data protection officer is not designated according to Art 37 Sec 1 GDPR, because the statutory requirements are not fulfilled, in particular, because the core activities of CarCutter do not consist of processing operations which, by virtue of their nature, their scope and / or their purposes, require regular and systematic monitoring of data subjects on a large scale.
CarCutter is operating in B2B-business and generally does not process personal data relating to natural persons. The application of this privacy information is limited to any processing of personal data (“data”) relating to natural persons (“data subjects”) that may nevertheless occur. These data will only be processed according to the principles relating to processing of personal data in Art 5 ff GDPR and only if and to the extent that at least one of the cases of Art 6 GDPR applies. The purposes and duration of data processing are stated in Sec 4. below.
CarCutter does not process any special categories of personal data according to Art 9 Sec 1 GDPR.
If the legal requirements of other cases according to Art 6 GDPR are not met (or additionally to such a case), CarCutter will ask the data subject for consent to the processing of his or her data for one or more specific purposes. If the data subject makes available to or voluntarily provides data not requested or required by CarCutter, the data subject gives his or her consent to the processing of these data by CarCutter.
CarCutter discloses and transfers data only if and to the extent permitted by the applicable laws. Data may be transferred to the following categories of recipients: processors according to Art 28 GDPR, banks, legal representatives, accountants, auditors and tax advisors, courts, administrative authorities, contract and business partners, insurance companies. Without consent of data subjects CarCutter does not transfer data to recipients in non-EU-member-states or international organizations. Within the company of CarCutter data will be disclosed to all positions and organizational units involved in the processing of the relevant data.
CarCutter does not carry out any form of automated processing of data consisting of the use of data to evaluate certain personal aspects relating to a natural person (“profiling”).
Collection and processing of technical data when accessing the services
When accessing its services, CarCutter automatically collects and processes data of a technical nature (access data and data processed using cookies) for the purpose of providing, securing and optimizing the services as legitimate interests according to Art 6 Sec 1 lit f) GDPR and – if necessary – only with consent of the data subjects according to Art 6 Sec 1 lit a) GDPR (see Sec 7. and 8. below).
Collection and processing of data when using the services and communicating
When using its services, CarCutter collects and processes the following data for the performance of the contract with the data subject according to Art 6 Sec 1 lit b) GDPR: first and last name, gender, date of birth, e-mail address, address (street, postal code, state), payment data. When communicating with CarCutter communication data such as telephone number and correspondence data may also be processed according to Art 6 Sec 1 lit b) GDPR. The processing of data will be treated confidentially, transferred only using SSL encryption and – if necessary – only be transferred to subcontractors and / or other companies entrusted with the performance of the contract.
Subject to automatically collected technical access data according to Sec 7. below and data processed using cookies according to Sec 8. below CarCutter does not process data not obtained from the data subject.
CarCutter does not process and store data permanently, but only in accordance with the time limits stipulated under the current applicable legislation, however, for at least as long as is necessary for the purposes for which the data are collected. CarCutter keeps the data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Data necessary for the performance of a contract are only kept and processed as long as required for the performance of the contract (including post-contractual duties) and required to comply with the applicable laws (in particular tax laws).
CarCutter will delete and no longer process data only processed with consent of the data subject according to Art 6 Sec 1 lit a) GDPR upon withdrawal of the consent by the data subject according to Art 7 Sec 3 GDPR and data only processed on the basis of legitimate interests according to Art 6 Sec 1 lit f) GDPR upon justified objection according to Art 21 GDPR.
CarCutter automatically collects and processes data of a technical nature about every access to the server on which the services are located and which are considered as personal data or can be used to identify the person or personal data of the data subject and which are kept in server logfiles (“access data”). These include, for example, the IP address, unique device identification, type and version of the operating system and the browser, name of the retrieved web page, file, date and time of retrieval, referrer URL (previously visited page) and the requesting provider.
CarCutter does not process this access data for the purpose of identifying the person or personal data of the data subject, but solely for the purpose of providing, customizing, adapting, improving, maintaining, optimizing and further developing the services (including functions, modules and features thereof), for error detection and correction, to maintain the security system and – when using web analytics services – for the purpose of internal statistical evaluation, without any conclusions being drawn on the person or data of the data subject.
Cookies are files that are stored locally in the buffer of the internet browser of the data subject and are, in particular, supposed to make the services (in particular by recognizing the accessing browser and storing files temporarily) more user-friendly, effective and secure as well as enabling an analysis of the use of the services when using web analytics services.
Session cookies are only stored temporarily for the duration of access or use by the data subject; persistent cookies until the data subject removes them from the browser.
Google will use this information to evaluate the use of the services, to compile reports on service activity and to provide other services related to service activity and internet usage to CarCutter.
Notwithstanding the right to refuse or withdraw consent, data subjects may at any time deactivate the cookie settings in the internet browser and / or delete and adjust the settings as to how long cookies may be stored and when they need to be deleted. The procedure depends on the internet browser used. Moreover, data subjects can prevent the processing of the data generated by the cookie and related to the use of the services by downloading and installing the browser plug-in available under the following link: https://tools.google.com/dlpage/gaoptout?hl=de.
On the same legal basis, the services may additionally use Google AdWords, an online advertising platform of Google, using a tool known as conversion tracking. By clicking a Google advert, cookies will be set by Google AdWords for conversion tracking. These cookies expire after 30 days and are not intended to personally identify data subjects. Information collected via the conversion cookies is used to compile conversion statistics for CarCutter. If data subjects use the services and the cookies have not expired, CarCutter may notice that the data subject has clicked the ad and was transferred to the service. CarCutter will be informed about the total number of users that have clicked the adverts and were referred to its services. However, CarCutter will not receive information which would allow it to identify the data subject.
The services may use third-party-plugins to integrate their content and services (as for example “YouTube”-movies). If data subjects give their consent according to Art 6 Sec 1 lit a) GDPR to the activation of such plugins by clicking on a respective button, a direct connection is created to the third-party-servers and the plugin will be activated. The embedded content of the plugins will then be sent to the data subjects’ browser. The third party is thereby informed that CarCutter’s services have been visited even if the data subject is not logged into the third-party-service at the same time. The plugin transfers protocol data to the third-party-servers. This log information may include the following data: IP address, the address of the visited services, which may also include plugin-features, the type and settings of the browser, the date and time of request, the use of the plugins and cookies.
The transferred data will be processed by the third party according to their privacy policies. CarCutter is not aware of the content of the transferred data and of the processing of the transferred data by the third party.
When data processing is carried out on behalf of CarCutter, it only appoints processors within the meaning of Art 4 Sec 8 GDPR providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the data protection regulations and ensure the protection of the rights of the data subjects. For this purpose, CarCutter enters into appropriate contracts with its processors which meet the requirements of Art 28 GDPR and respects Art 44 GDPR for data processors based in non-EU member states (third countries).
CarCutter’s data processors are currently:
- Webflow, Inc (Webspace-Provider)
- AWS (Amazon Cloud Service)
- Hubspot (CRM, Request Form)
- Zoho Invoice (Payment Service Provider)
- Google (Google Business / Google Cloud Service)
- Maxio (Financial Operations Platform)
CarCutter implements, with regard to the criteria set out in Art 32 GDPR, adequate and appropriate technical and organizational measures to ensure a level of security and to protect the security of the processed data from risks, such as unauthorized processing, destruction, loss and alteration.
CarCutter safeguards the rights of the data subjects in accordance with the applicable data protection regulations. According to the current laws data subjects may assert the following (general) rights with regard to the processed data by submitting a request to CarCutter (contact details see Sec 1.1.). Data subjects are advised to declare their request in text form (e.g. written letter or E-Mail) for the purpose of evidence. Binding deadlines in the data protection regulations will be respected by CarCutter.
In accordance with Art 13 to 15 GDPR data subjects have the right to confirmation as to whether or not data concerning them are being processed, and, where that is the case, access to the data and information about the data processed and the rights of data subjects.
In accordance with Art 16 GDPR data subjects have the right to obtain from CarCutter the rectification of inaccurate data concerning them.
In accordance with Art 17 GDPR data subjects have the right to obtain from CarCutter the erasure of data concerning them without undue delay.
In accordance with Art 18 GDPR data subjects have the right to obtain from CarCutter restriction of processing.
In accordance with Art 20 GDPR data subjects have the right to receive the data concerning them, which they have provided to CarCutter, in a structured, commonly used and machine-readable format and have the right to transmit those data directly to another controller, insofar as this is technically feasible and insofar as this does not affect the rights and freedoms of other subjects.
In accordance with Art 21 GDPR data subjects have the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them which is based on Art 6 Sec 1 lit e) or f), including profiling based on those provisions. In this case, CarCutter will no longer process the data unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. Where the data subjects object to processing for direct marketing purposes, the data will no longer be processed for such purposes.
In accordance with Art 22 GDPR data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
According to Art 7 Sec 3 GDPR data subjects have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
In accordance with Art 77 GDPR and Para 24 DSG data subjects have the right to lodge a complaint with the Data Protection Authority (Datenschutzbehörde).
In accordance with Art 79 GDPR and Para 27 DSG data subjects have without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, the right to an effective judicial remedy (Recht auf Beschwerde an das Bundesverwaltungsgericht).
If this privacy information is made available in other languages, CarCutter does not assume any warranty and liability for the (outsourced) translation into other languages. In case of linguistic deviations of the versions in other languages than German, the German version shall take precedence.