Scope

The protection and security of your data is also of vital interest to us. For this reason, we are going to inform you in detail about how we handle your data. You will learn how we collect your personal data, what we do with it, for what purposes and on what legal basis this is done, and what rights and claims this entails for you.

The privacy notice applies to data processing in the youniqx Identity AG as well as in the context of our website www.youniqx.com and related services that refer to this privacy notice.

Our data protection information on the use of our websites and the privacy notice of the youniqx Identity AG do not apply to your activities on the websites of social networks or other providers that you can reach via the links on our websites. Please check the websites of these providers for their privacy policies.

Name and address of the controller

Controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions having a data protection character:

youniqx Identity AG
Tenschertstraße 7
1230 Vienna
Austria
Tel.: +43 1 206 66-0
Email: office@youniqx.com
Website: www.youniqx.com

You can reach the data protection officer by email at: privacy@youniqx.com

1. Collection and processing of personal data from business partners

1.1. Purposes of the processing

In the context of a business relationship with customers and suppliers, we process personal data for the following purposes:
• Processing for the purpose of fulfilling the contract;
• Processing and transmission of data within the scope of a business relationship with customers and suppliers, including automatically created and archived text documents (e.g. correspondence),
• Customer support, detailed data collection for logistics and accounting
• Communicating with business partners about products, services and projects, e.g. processing enquiries from a customer or supplier.
• Processing orders, collecting payments, for accounting and billing purposes, invoicing, deliveries
• Order processing, e.g. in the context of the production of ID documents
• Compliance with legal requirements, e.g. tax retention obligations
• Settlement of legal disputes, defence of legal claims, enforcement of existing contracts

1.2. The following categories of personal data may be processed for the above purposes:

• Customer and supplier data as well as data of interested parties
• Contact data such as name, title, address, telephone number, email address, delivery address, invoice address
• Information which must be processed in the context of a project or the handling of a contractual business relationship with the youniqx Identity AG or which is voluntarily provided by contact persons.
• Information from publicly available sources

The data you provide is essential to achieve the above-mentioned purposes and to fulfil the contract or to carry out pre-contractual measures. Without this data, the individual purposes described may not be achieved or we may not be able to conclude the contract with you. In particular, we take into account in each case – as part of the necessary balancing of interests – the type of personal data, the purpose of the processing, the circumstances of the processing and your interest in the confidentiality of your personal data.

1.3. Recipients of personal data

If necessary, data will be passed on to the following recipients
• All relevant departments of the youniqx Identity AG for the purpose of contract processing
• Competent administrative authorities, especially tax authorities for audits
• Contractual or business partners involved in supply of goods or services
• Insurance companies on occurrence of an insured incident
• Auditors for the purposes of auditing
• Courts to initiate default action
• The Federal Agency “Statistics Austria” for the compilation of (official) statistics required by law
• Group management of the contract awarder for accounting purposes
• Customers for the receipt of services
• Banks for the processing of payment transactions

1.4. Source of the data (Article 13 and 14 GDPR)

We process personal data that we receive from you by post, fax or email in the course of contacting you or in response to your enquiry, as well as any information from publicly available sources.

1.5. Legal basis of data processing

The data is processed for the performance of a contract or for the implementation of pre-contractual measures on the basis of Article 6(1)(b) GDPR.

1.6. Duration of data storage

We store the data until the termination of the business relationship or until the expiry of the warranty, guarantee, limitation and statutory retention periods applicable to the contract awarder; furthermore, until the termination of any legal disputes in which the data is required as evidence.

2. Processing of the personal data of business partners in the case of email correspondence using Microsoft 365 Exchange

We use Microsoft 365 Exchange as our email service. Youniqx Identity AG ensures that Microsoft 365 Exchange is used in a data protection-friendly manner. Technical and organisational measures guarantee that only the personal data required for processing is processed and access by Microsoft is limited to a necessary minimum.

2.1. Purposes of the processing

We process the data for the purpose of pre-contractual measures and contract fulfilment as well as for the processing and transmission of data within the scope of a business relationship with customers, including automatically created and archived text documents (e.g. correspondence), for customer support and internal and external communication.

2.2 The following categories of personal data will be processed

• First name, last name
• Email address
• Email content
• Photos (if integrated)

2.3 Recipients of personal data

In the course of the mail traffic, data is passed on to the following recipients
• All relevant departments of the youniqx Identity AG for the purpose of contract processing
• Contractual or business partners involved in supply of goods or services
• Microsoft Corporation; One Microsoft Way; Redmond, WA 98052-6399; USA for the purpose of control, maintenance and administration of the Microsoft product.

Where is the Microsoft Office 365 data stored?
Microsoft stores the customer data of the Office 365 services in its worldwide Microsoft Cloud. Data from European customers is stored in the Microsoft data centres in Austria, Finland, Ireland and the Netherlands.
Privacy notice Microsoft: https://privacy.microsoft.com/en-us/privacystatement

What legal precautions within the meaning of Chapter V of the GDPR, if any, are third-country transfers under Item 5 based on?
On the standard data protection clauses – Article 46(2) c GDPR. For this purpose, we receive confirmation from Microsoft as a processor of appropriate safeguards to protect the rights of data subjects in the event of mandatory data transfers to US security authorities (Cloud Act). Microsoft undertakes to indemnify data subjects against all damages regardless of fault. In addition, Microsoft will in principle exploit all legal means to prevent the transfer of data to US authorities.

2.4 Source of the data (Article 13 and 14 GDPR)

We process personal data that we receive from you by email in the course of contacting you or responding to your enquiry.

2.5 Legal basis of data processing

The data is processed for the performance of a contract or for the implementation of pre-contractual measures on the basis of Article 6(1)(b) GDPR.

2.6 Duration of data storage

We store the data until the termination of the business relationship or until the expiry of the warranty, guarantee, limitation and statutory retention periods applicable to the client; furthermore, until the termination of any legal disputes in which the data is required as evidence.

3. Processing of personal data of business partners during video conferences

We hold video conferences via the Internet and use various communication tools for this purpose. Video conferencesare intended to save work time and travel costs and are indispensable, for example,if exceptional circumstances arise,in order to be able to maintain business operations.
The use of the conference services involves the transfer of personal data to a third country, in particular the USA. We expressly point out that there is no adequacy decision pursuant to Article 45(3) GDPR, nor appropriate safeguards pursuant to Article 46 GDPR, for the transfer to the USA.
As a matter of principle, we coordinate the use of the video platform or online software in advance with the business partner, who always voluntarily participates in a video or online conference. In order to enter a virtual meeting room, a participant must agree to the installation of software that makes participation technically possible in the first place.

3.1 The following categories of personal data are processed:

Lists of participants, login data such as user, email address, IP address and device data

3.2 Recipients of personal data

Video conferences are only conducted via selected and internally approved service providers.
Possible use of video and online conferencing services:
Microsoft Teams with their registered office in the USA. Use of Microsoft Teams is subject to the terms of use and privacy policy of Microsoft. Privacy policy: https://privacy.microsoft.com/de-de/privacystatement By using Microsoft Teams, you accept the terms of use and privacy policy of Microsoft.

ZOOM Video Communications Inc. („Zoom“) with their registered office in the USA. The use of Zoom is subject to their terms of use and privacy policy: https://zoom.us/de-de/privacy.html By using “Zoom” you accept their terms of use and privacy policy.

Cisco WebEx with their registered office in the USA, Slack with their registered office in the USA The use of Cisco WebEx is subject to their terms of use and privacy policy: https://www.cisco.com/c/de_at/about/legal/privacy.html By using Cisco WebEx, you accept their terms of use and privacy policy.

3.3 Legal bases of processing

The data is processed for the performance of a contract or for the implementation of pre-contractual measures on the basis of Article 6(1)(b) GDPR.
Through the use, a transmission to a third country (possibly the USA) takes place. In this regard, we refer to Article 49(1)(a) to (c) GDPR.

3.4 Duration of data storage

We store personal data that we have collected for as long as is necessary for the purposes we have stated, unless there is a longer retention obligation by law. The conference services store the data for the period during which we have an ongoing business relationship with the respective conference service and the services continue to be made available to us, and in accordance with legal obligations of the service provider to retain the data.

4. Collection and processing of personal data for visitor registration and visitor registration on the business premises of the youniqx Identity AG

4.1. Purpose of processing and the legal basis

youniqx Identity AG is located in the business premises of the Österreichische Staatsdruckerei GmbH (OeSD). All visitors to the high-security establishment must be announced and registered. The visitor registration data is collected from the person concerned prior to the visit. It is stored and passed on to the responsible reception and security departments in order to register the visit of the person concerned to the OeSD. Without this registration, visitors have no right of access to the company premises and the company building.

During visitor registration, personal data is collected directly on site (scan of an identity document) in order to thereby assess and record who is on the business premises and to be able to create a visitor pass.

Collection, storage and disclosure is carried out for the purpose of legitimate interest on the basis of Article 6(1) sentence 1 f GDPR. In individual cases, an assessment is made as to whether an interest worthy of protection stands in the way of collection (especially in the case of children). We consider our legitimate interest to be the protection of OeSD as a high-security company with critical infrastructure. The data will not be passed on to third parties. Failure to provide this data will result in visitors not being able to be registered and therefore not being able to visit the company.

We ensure the protection of personal data through up-to-date technical and organisational measures. These are always adapted to the current state of the art.

4.2. Duration of data storage

We store your visitor application and visitor registration data in our system for 12 months. After this period, the data collected for this procedure will be deleted.

5. Collection and processing of personal data when visiting our website

Every time you access content on the website, data is temporarily stored that may allow identification. The following data is collected:
• Date and time of access
• IP address
• Host name of the accessing computer
• Website from which the website was accessed
• Websites accessed via the website
• Page visited on our website
• Message as to whether the retrieval was successful
• Amount of data transferred
• Information on browser type and version used
• Operating system

The temporary storage of data is necessary for the duration of a website visit in order to make the delivery of the website possible. Further storage in log files takes place in order to ensure that the website functions properly and to ensure the security of the information technology systems. Our legitimate interest in data processing also lies in these purposes.

5.1. Other recipients of personal data in addition to the controller

The website is hosted at Körbler GmbH; Hofweg 1; 8435 Leitring | office@koerbler.com | www.koerbler.at The hosting service receives the above data as a processor.

5.2. Legal bases of processing

Legitimate interest pursuant to Article 6(1) f GDPR to provide information about the company and the application/marketing of products and services.

5.3. How long are the data stored?

The data will be erased as soon as they are no longer required to achieve the purpose for which they were collected. In the case of the website provision, this is the case when the respective session has ended. The log files are kept for 7 days, only accessible to administrators. After that, they are only available indirectly via the reconstruction of data backups and are finally deleted after two weeks.

5.4. Collection and processing of personal data via a contact form on our website

You can request information about our products via a contact form on our website www.youniqx.com In doing so, we will only collect your name and email address in order to be able to respond to your request. If you contact us via the form on the website, the data you provide (name and email address) will only be stored by us for six months for the purpose of processing the enquiry and in case of follow-up questions.

5.5. Cookies

Cookies are small files that enable specific information related to the device to be stored on the access device of the user (PC, smartphone or similar). On the one hand, they serve the user-friendliness of websites and thus the users (e.g. storage of login data). We store information that is necessary for the operation of the website in cookies. However, personal data that might be read by third parties is not stored there. Users can have an influence of how cookies are used. You can set up your browser so that it informs you about the use of cookies and only allows them in individual cases. By refusing to accept cookies in the browser or by deleting them regularly, you can also prevent conclusions from being drawn about your behaviour.
If cookies are deactivated, this may limit the way in which our website functions.

5.6. Piwik/Matomo

The web analytics service Piwik/Matomo is used on our website. Piwik/Matomo is an open source software that analyses the traffic on a website. The analysis is made possible by means of cookies, which are text files. The cookies collect information regarding your use of our website. This information is stored on a Piwik/Matomo server in Germany. Your IP address is anonymised beforehand. However, you have the option to prevent cookies from Piwik/Matomo from being stored on your computer. To do this, you must modify the settings on your internet browser accordingly. This may mean that you cannot use our website to its full extent.

5.7. Use of the websites by minors

It should be noted that any processing of personal data may only be used by persons who have reached the age of 14. The use of our systems and tools and the resulting processing of the data of users under this age limit is prohibited without the consent of the parents/guardians. Should such data processing nevertheless occur, we will stop processing this data as soon as we become aware of this.

5.8. Social Plugins

We use so-called social plugins (hereinafter buttons) of social networks such as Facebook, Twitter, LinkedIn Xing and YouTube on our website. When you visit our website, these buttons are deactivated by default, i.e. they do not send any data to the respective social networks without your intervention. Before you can use the buttons, you must deliberately activate them with your click. The button remains active until you deactivate it again or delete your cookies. After activation, a direct connection is established with the server of the respective social network. The content of the button is then transmitted directly to your browser by the social networks and integrated into the website by the browser. After activating a button, the respective social network can already collect data, regardless of whether you interact with the button or not. If you are logged in to a social network, it can assign your visit to this website to your user account. A social network cannot assign a visit to other websites until you have also activated the respective button there. If you are a member of a social network and do not want it to link the data collected during your visit to our website with your stored membership data, you must log out of the respective social network before activating the buttons. We have no influence on the scope of the data that is collected by the social networks with their buttons. Please refer to the data protection notices of the respective social networks for the purpose and scope of data collection and further processing and use of the data by the respective social networks as well as on your rights in this regard and possible settings to protect your privacy.

5.9. Facebook Pixel

In the course of advertising its products and brand on Facebook, the youniqx Identity AG uses the so-called “Facebook Pixel”, with which user behaviour can be analysed and evaluated after clicking on a Facebook advertisement and after subsequent forwarding to the target page. The continuous analysis enables the display of Facebook ads to be oriented towards the interests of Facebook users and is thus used to improve Facebook ads. With the help of the Facebook Pixel, youniqx Identity AG can also assess whether users are redirected to the page www.youniqx.com after clicking on a Facebook Ad. If you have a Facebook account and are logged in, your visit to this website will be assigned to your Facebook user account.
All user data collected in the course of using Facebook Pixel remains anonymous to youniqx Identity AG.
Facebook Pixel is operated and used by Facebook Inc, 1 Hacker Way, Menlo Park, CA 94025, USA; for EU residents, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
Facebook stores and processes user data in accordance with Facebook’s Data Use Policy (more info: https://www.facebook.com/about/privacy/ The collection by Facebook Pixel and the use of user data for the display of Facebook ads can be edited in the settings for advertisements (more info: https://www.facebook.com/policies/cookies You can also object to this processing on the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/

5.10. Privacy policy on the use and deployment of Getty Images pictures

The controller has integrated components of the Getty Images company on the www.youniqx.com. Getty Images is an American stock images agency. A stock image agency is a company that offers photos and other visual material on the market. Stock image agencies usually market photographs, illustrations and film footage. Various clients, in particular website operators, editorial departments of print and TV media and advertising agencies, license the images they use via a stock image agency.

The operating company of the Getty Images components is the
Getty Images International, 1st Floor, The Herbert Building, The Park, Carrickmines,
Dublin 18, Ireland.

Getty Images permits the embedding of stock images (free of charge, if applicable). Embedding is the inclusion or integration of specific third-party content, for example text, video or image data, which is provided by a third-party website and then appears on your own website. A so-called embedding code is used for embedding. An embedding code is an HTML code that is integrated into a website by a website operator. If an embedding code has been integrated by a website operator, the external content of the other website is displayed immediately by default as soon as a website is visited. To display the third-party content, the external content is loaded directly from the other website.

Getty Images provides further information on embedding content under the link http://www.gettyimages.de/resources/embed.
The IP address of the Internet connection through which the data subject accesses our website is transmitted to Getty Images via the technical implementation of the embedding code that enables the display of the images from Getty Images. In addition, Getty Images collects our website, the browser type used, the browser language, the time and the length of the access. Getty Images may also collect navigational information, i.e. information about which of our sub-pages have been visited by the data subject and which links have been clicked on, as well as other interactions that the data subject has carried out when visiting our website. This data can be stored and evaluated by Getty Images.
Further information and the applicable privacy policy of Getty Images can be found at http://www.gettyimages.de/enterprise/privacy-policy.

5.11. Privacy policy on the use and application of Google AdWords

The controller has integrated Google AdWords on the websites zulassung.oesd.at and reisepass.oesd.at. Google AdWords is an internet advertising service that allows advertisers to place ads both in Google’s search engine results and in the Google advertising network. Google AdWords makes it possible for an advertiser to specify certain keywords in advance. By means of these keywords, an advertisement will be displayed in Google’s search engine results but only if the user uses the search engine to retrieve a keyword-relevant search result. In the Google advertising network, the ads are distributed on topic-relevant websites by means of an automatic algorithm and by taking into account the previously defined keywords.

The purpose of Google AdWords is to advertise our website by displaying interest-relevant advertising on the websites of third-party companies and in the search engine results of the Google search engine and to display third-party advertising on our website.

The operating company of the Google AdWords services is Google Inc.,1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
We expressly point out that there is no adequacy decision pursuant to Article 45(3) GDPR, nor appropriate safeguards pursuant to Article 46 GDPR, for the transfer to the USA. This means that it may not be possible to trace how the data is used and who has access to it. You have the choice of consenting to the use of Google AdWords by opting in before visiting the website www.youniqx.com

If a data subject accesses our website via a Google advertisement, a so-called conversion cookie will be stored by Google on the information technology system of the data subject. What cookies are has already been explained above. A conversion cookie loses its validity after thirty days and does not serve to identify the data subject. If the cookie has not yet expired, the conversion cookie is used to track whether certain sub-pages, for example the shopping basket of an online shop system, have been accessed on our website. The conversion cookie enables both us and Google to track whether a data subject who has accessed our website via an AdWords ad has generated a sale, i.e. has completed or cancelled a purchase.

The data and information collected through the use of the conversion cookie are used by Google to compile statistics on visits to our website. These visit statistics are in turn used by us to determine the total number of users who were referred to us via AdWords ads, i.e. to determine the success or failure of the respective AdWords ad and to optimise our AdWords ads for the future. Neither our company nor other advertisers of Google AdWords receive information from Google by means of which the data subject could be identified.

Personal information, such as the web pages visited by the data subject, is stored by means of the conversion cookie. Each time you visit our website, personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Under certain circumstances, Google will pass on this personal data collected via this technical process to third parties.

As described above, the data subject can prevent the setting of cookies by our website at any time by means of an appropriate adjustment of the Internet browser being used and thereby permanently object to the setting of cookies. Such a setting of the internet browser being used would also prevent Google from setting a conversion cookie on the information technology system of the data subject. In addition, a cookie already set by Google AdWords can be deleted at any time via the internet browser or other software programmes.
Furthermore, the data subject has the option of objecting to interest-based advertising by Google. To do this, the data subject must access the link www.google.de/settings/ads from any of the internet browsers he or she uses and make the desired settings there.
Further information and the applicable Google privacy policy can be found at https://www.google.de/intl/de/policies/privacy/.

5.12. Security/storage periods

OeSD takes all the technical and organisational security measures necessary to protect your personal data from loss and misuse.
The respective statutory retention period is the criterion for the duration of the storage of personal data. After expiry of the deadline, the corresponding data is routinely erased insofar as it is no longer required for the fulfilment or initiation of the contract.

6. Newsletter

You have the option of subscribing to our newsletter. For this purpose, we need your first and last name as well as your email address and a declaration that you agree to receive the newsletter. You can revoke your consent to the storage of the data, the email address and their use for sending the newsletter at any time, for example via the “unsubscribe” link in the newsletter email.

6.1. Purposes of the processing

Customer care and marketing for our own purposes.

6.2 The following categories of personal data will be processed

• First and last names
• Email address

6.3 Recipients of personal data

• Marketing department of the Youniqx Identity AG for the purpose of customer service
• Sendinblue GmbH; Köpenicker Str. 126, 10179 Berlin; provides the necessary infrastructure and the tool for sending newsletters by email (data protection information: https://de.sendinblue.com/datenschutz-uebersicht/
• GPK public GmbH; Gußhausstraße 13, 1040 Vienna; for the purpose of designing the newsletter and processing the mail dispatch (data protection information: https://gpk.at/datenschutz/)

6.4 Source of the data (Article 13 and 14 GDPR)

We process personal data (first name, last name, email address) that we receive from you via our homepage when you order our newsletter.

6.5 Legal basis of data processing

Article 6(1) a GDPR (explicit consent)

6.6 Duration of data storage

You can unsubscribe from the newsletter at any time and thus revoke your consent. After you have unsubscribed, we will no longer use your data for the newsletter mailing. If we do not have any business relationship with you and we are not subject to any statutory retention obligations, your data will be erased after unsubscribing from the newsletter.

7. Rights of data subjects

7.1. Right of information

You can request information about your personal data that we process in accordance with Article 15 GDPR.

7.2. Right to object:

You have the right to object at any time, on grounds relating to your particular situation, to the processing of your personal data carried out on the basis of Article 6(1)(f) GDPR. The controller shall then no longer process the personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims. Collecting the data to provide the website and storing the log files are absolutely necessary for the operation of the website.

7.3. Right of rectification:

If the information concerning you is not (or is no longer) accurate, you can request rectification in accordance with Article 16 GDPR. If your data is incomplete, you can request that it be rectified.

7.4. Right to erasure:

You can request the erasure of your personal data in accordance with Article 17 GDPR.

7.5. Right to restriction of processing:

You have the right to request restriction of the processing of your personal data in accordance with Article 18 GDPR.

7.6. Right to data portability

In the event that the requirements of Article 20(1) GDPR are met, you have the right to have data handled automatically by us on the basis of your consent or in fulfilment of a contract handed over to you or to a third party. Collecting the data to provide the website and storing the log files are absolutely necessary for the operation of the website. They are therefore not based on consent under Article 6(1)(a) GDPR or on a contract under Article 6(1)(b) GDPR, but are justified under Article 6(1)(f) GDPR. The requirements of Article 20(1) GDPR are therefore not fulfilled.

Should you wish to exercise your data protection rights, please contact our data protection officer at: privacy@youniqx.com

7.7. Right to complain:

If you are of the opinion that the processing of your personal data violates data protection law, you have the right to lodge a complaint with the data protection supervisory authority pursuant to Article 77(1) GDPR. The data protection supervisory authority responsible for the controller:

Österreichische Datenschutzbehörde
Barichgasse 40-42
1030 Wien
Tel.: +43 1 52 152-0
Email: dsb@dsb.gv.at