Medved & Partner OG privacy statement

Name and address of the controller, general information:

Medved & Partner OG
Attn. Mrs. Mag. Christine Eder, MSc
Trappelgasse 4/17, 1040 Vienna
c.eder@medvedpartner.com

Processors
We have concluded processing agreements with our processors within the meaning of Art 28 et seq. of the GDPR and, with those processors located outside of the EEA, have taken precautions in accordance with Art 44 et seq. GDPR, which we continually monitor and evaluate. Our partners are obligated to erase the data once the purpose of processing has been fulfilled unless further storage is required on the basis of a statutory storage obligation.

The following processors regularly process data on our behalf. To the extent necessary, further processors are specified with the respective purposes:

  • Tax advisor/accountant
  • Lawyer
  • IT service provider/IT provider and telecommunications provider

Data erasure and storage period

The personal data of data subjects will be erased or anonymised as soon as the purpose of storage no longer applies. The data may have to be stored further if required by law. The data will be anonymised or erased if one of the storage periods as required by the specified standards expires. Any specific provisions can be found in the respective processing purposes.

Processing of customer data 

  1. Candidates:

We treat the data transmitted by candidates (applicants) with utmost confidentiality and will not forward them without their express consent. The following data from candidates (applicants) who are interested in the positions or who use the services offered by Medved & Partner OG (recruiting, jobs for lawyers, management coach, HR management, preparation for RAP/bar exam, coaching for lawyers, business consulting, career coaching, application coaching) are processed in connection with HR consulting: master data (such as name, gender, address, phone number, email, birth data, citizenship), employment background (e.g. training, further training, employment relationships to date, employers to date), professional, social and methodological skills (e.g. language skills, IT skills), documents transmitted (e.g. CV, letter of motivation, certificates of employment, letters of reference), correspondence with us and information regarding salary, any notice periods and other meeting notes. These data are processed in order to fulfil our contract in accordance with point b of Art 6(2)(b) of the GDPR. In any case, the data will be processed until the contract has been fulfilled and beyond that, based on statutory storage obligations, in particular 7 years in accordance with the BAO.

  2. Customers:

The following data of customers who use the services offered by Medved & Partner OG are processed: name, address, phone number, email, invoice data, service content, price. These data are processed in order to fulfil our contract in accordance with point b of Art 6(2)(b) of the GDPR. In any case, the data will be processed until the contract has been fulfilled and beyond that, based on statutory storage obligations, in particular 7 years in accordance with the BAO.

Newsletter

If you register for our newsletter, we will send you emails containing information about Medved & Partner OG, specific events, new offers and current job openings. Your email address and your name will be processed for this purpose. This processing is based on your express consent in accordance with Art 6(2)(a) of the GDPR. You can unsubscribe from this newsletter at any time by contacting ch.eder@medvedpartner.at. Your data will be processed for the proper delivery of the newsletter until you unsubscribe.

Contact form

When you submit a request via our contact form, we process your name, email address and the message sent in order to respond to your request. These data are processed on the basis of point b of Art 6(2) of the GDPR for (pre)contractual communication. Your data will be erased once your request has been responded to unless further processing follows on the basis of another purpose (e.g. customer data, see above 4.).

Necessary cookies

Only technically required cookies are used on our website (https://www.medvedpartner.com). Cookies are small text files that are stored on your end device and can be read. A distinction is made between session cookies, which are erased as soon as you close your browser, and permanent cookies, which are saved beyond an individual session.
We only use cookies on our web pages that are required in order to operate them. These cookies only contain information on specific settings and do not refer to persons. They may also be necessary in order to facilitate guiding the user and ensuring that the page is secure. We use cookies that are necessary for operating the website, but not for the purpose of analytics, tracking or advertising. We use these cookies on the basis of point f Art. 6 (1)(f) of the GDPR with the legitimate interest of ensuring the functionality of our website.
You can configure your browser to inform you when cookies are installed. This makes the use of cookies transparent for you. You can also delete cookies at any time via the browser settings and prevent new cookies from being installed. Please keep in mind that our web pages cannot be displayed and some functions may technically no longer be available.

Matomo

We use Matomo (formerly Piwik) for web analytics, a service of InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, NZBN 6106769, (“Matomo”) that uses cookie technology. Protecting your data is important to us, which is why we have also configured Matomo to only document your IP address in a shortened form. As a result, we process your personal usage data in an anonymised form. It is therefore not possible for us to attribute this data to your person. You can find further information regarding the terms of use of Matomo and data protection provisions at: https://matomo.org/privacy/

Your visit to this website is currently being recorded using the Matomo web analytics tool. Click here to stop pseudonymous data collection.

Facebook

We operate a Facebook page, which you can find under https://www.facebook.com/… On it, we also link to our website.

The social network facebook.com is operated by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (“Facebook”) and serves interaction with users. The Facebook button links to our Facebook profile. The data protection provisions on Facebook’s website apply.

The user can find the purpose of the data collection and the processing of data as well as the use of the same by Facebook as well as data types (scope of data) in the data policy published by Facebook itself; it can be viewed here: http://www.facebook.com/policy.php . In the interest of the best possible transparency, we summarise the key points for the user:

The data collected in this way serve to analyse usage behaviour and to provide, select, evaluate and understand the ads Facebook posts on and outside of Facebook (this also includes ads, which are provided by the subsidiaries of Facebook or in their name) and which are used to generate statistics regarding users. Furthermore, Facebook uses the data provided to it to improve the advertising and metrics systems so that Facebook is able to display relevant ads to users on Facebook services and outside of them and to measure the effectiveness and reach of ads and services. If the user is registered on Facebook, Facebook is able, through the use of the data collected, to provide the user with services, to personalise content for the user and to provide the user with links and suggestions, which may be of interest to it. The collected data are then used to send the user marketing communication, to communicate with the user regarding its services and to inform the user regarding the guidelines, terms and conditions of Facebook.

If the user is the owner of a Facebook account and if the user uses the Facebook button, the user must give their consent that their information is recorded, transferred, saved, disclosed and used in accordance with Facebook’s privacy policy (https://www.facebook.com/about/privacy). The user can change the data protection settings of its Facebook account in the account settings.

You can find more information on Facebook and the GDPR at: https://www.facebook.com/business/gdpr#Facebook-als-Datenverantwortlicher-vs.-Auftragsverarbeiter .

Instagram

We have an Instagram account, which we also link to from our website (https://www.instagram.com/…)

Instagram is part of the Facebook Group. The controller under data protection law is therefore Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland. The Instagram social media button links to our Instagram profile. On Instagram’s website, their privacy policy applies (also see in regards to Facebook).

The user can find the purpose of data collection and processing as well as the use of the same by Instagram and/or Facebook as well as data types (scope of data) in the data policy published by Instagram itself; it can be viewed here: https://help.instagram.com/519522125107875. The information specified above regarding Facebook also applies to Instagram.

If the data subject follows the social media link to Instagram (that is, if they push the Instagram social media button), data are processed, collected, transferred, saved, disclosed and used in accordance with the Privacy Policy of Instagram. Furthermore, cookies can be saved on the device of the data subject when visiting the Instagram site. Facebook’s cookie policy applies to this: https://www.facebook.com/policies/cookies. If the data subject owns an Instagram account, the information transferred from Instagram and/or Facebook can be linked to this account.

LinkedIn

On our web pages, we have linked to LinkedIn and we have a LinkedIn page https://www.linkedin.com/company/medved-partner-og/….. The provider is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (“LinkedIn”).

If you follow this link, your data will be processed by LinkedIn as the controller on the basis of their privacy policy. If you have logged into your account with LinkedIn, LinkedIn can attribute your visit to our website to you and your user account. If you do not agree to this, you must log out of your LinkedIn account.

You can find further information regarding data protection on LinkedIn in the privacy policy: www.linkedin.com/legal/privacy-policy , and the possibility of opting out: www.linkedin.com/psettings/guest-controls/retargeting-opt-out .

Rights of the data subject  

If personal data concerning you are processed, you are the data subject in the sense of the GDPR and you have the following rights vis-à-vis the controller:

Right of access 

You can request confirmation from the controller as to whether we process personal data concerning you.

If such processing occurs, you can request access regarding the following information from the controller:

  1. the purposes of the processing of personal data;
  2. the categories of personal data that are processed;
  3. the recipients and/or categories of recipients, to whom your personal data has been or will be disclosed;
  4. the planned duration of storage of your personal data or, if it is not possible to provide specific information, criteria for determining the duration of storage;
  5. the existence of a right to the rectification or erasure of your personal data, a right of restriction of processing by the controller or a right to object to such processing;
  6. the existence of a right to lodge a complaint with a supervisory authority;
  7. all available information regarding the origin of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
  9. You have the right to request information as to whether personal data concerning you will be transferred to a third country or an international organisation. In this context, you can request to be informed of suitable safeguards in accordance with Art. 46 of the GDPR in connection with the transfer.

Right to rectification 

You have a right to rectification and/or completion vis-à-vis the controller insofar as the personal data concerning you are inaccurate or incomplete. The controller must perform the rectification without undue delay.

In the event of data processing for scientific, historical or statistical research purposes: Your right to rectification may be restricted in so far as it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary in order to fulfil the research or statistical purposes.

Right to the restriction of processing 

You can request the restriction of processing of the personal data concerning you under the following conditions:

  1. if you contest the accuracy of the personal data concerning you, for a period of time which allows the controller to evaluate the accuracy of the personal data;
  2. the processing is illegitimate and you refuse erasure of the personal data and instead request restriction of the use of the personal data;
  3. the controller does not require the personal data for processing purposes, but you require them for the establishment, exercise or defence of legal claims, or
  4. if you have lodged a complaint against processing in accordance with Art. 21(1) GDPR and it is not yet certain whether the legitimate grounds of the controller outweigh your grounds.

If the processing of the personal data concerning you has been restricted, these data may only be processed – apart from their storage – with your consent or for the establishment, exercise or defence of legal claims or to protect the rights of another natural person or legal entity or on grounds of a legitimate public interest of the Union or a member state.
If the processing has been restricted in accordance with the aforementioned prerequisites, you will be informed by the controller before the restriction is lifted.
In the event of data processing for scientific, historical or statistical research purposes:
Your right to rectification may be restricted to the extent it foreseeably renders the fulfilment of the research or statistical purposes impossible or seriously impairs them and the restriction is necessary in order to fulfil research or statistical purposes.

Right to erasure

a)    Erasure obligation

You can request that the controller erase personal data concerning you without undue delay, and the controller is obligated to erase these data without undue delay insofar as one of the following reasons applies:

  1. The personal data concerning you is no longer required for the purposes, for which they were collected or otherwise processed.
  2. You withdraw your consent, on which the processing is based in accordance with point a of Art. 6(1)1 or point a of Art. 9(2) of the GDPR and there is no other legal basis for processing.
  3. You lodge a complaint against processing in accordance with Art. 21(1) of the GDPR and there are no overriding legitimate grounds for processing or you lodge a complaint against processing in accordance with Art. 21(2) of the GDPR.
  4. The personal data concerning you have been unlawfully processed.
  5. The erasure of the personal data concerning you is required in order to comply with a legal obligation under Union law or the law of the member states, to which the controller is subject.
  6. The personal data concerning you were collected in reference to information society services in accordance with Art. 8 (1) GDPR.

b)    Information to third parties

If the controller has made public personal data concerning you and is obligated to erase them in accordance with Art. 17 (1) of the GDPR, it shall take suitable measures, also of a technical nature, taking into consideration available technology and the implementation costs in order to inform those responsible for data processing, who process the personal data, that you, as the data subject, have requested that they erase all links to these personal data or copies or replications of these personal data.

c)    Exceptions

There exists no right to erasure to the extent processing is required

  1. in order to exercise the right to freedom of expression and information;
  2. for compliance with a legal obligation which requires processing by the law of the Union or the member states to which the controller is subject or for the performance of a task in the public interest or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. for the establishment, exercise or defence of legal claims.

Right to be informed 

If you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller shall be obligated to communicate any rectification or erasure or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort. You shall have the right vis-à-vis the controller to be informed of these recipients.

Right to data portability 

You have the right to obtain the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
  2. the processing is carried out by automated means.

In exercising this right, you shall further have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons may not be infringed upon as a result. The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object 

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you, which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions.

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or processing serves the establishment, exercise or defence of legal claims.

Where personal data concerning you are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

In the event of data processing for scientific, historical or statistical research purposes:

You also have the right, for reasons relating to your particular situation, to object to processing of personal data concerning you for scientific or historical research purposes or for statistical purposes in accordance with Art. 89(1) of the GDPR.

Your right to object may be restricted in so far as it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary in order to fulfil the research or statistical purposes.

Right to withdraw data protection consent 

You have the right to withdraw your data protection consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Automated individual decision-making, including profiling 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision

  1. is necessary for entering into, or performance of, a contract between yourself and a data controller;
  2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. is based on your explicit consent.

However, such decisions shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express one’s own point of view and to contest the decision.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data relating to you is in violation of the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

Data security

We make every effort to protect your data. This includes implementing measures to prevent manipulation, loss, destruction or access by unauthorised persons. To do so, we implement a technical framework (such as access controls, locked filing cabinets, password guidelines, etc.), an organisational framework (such as training courses and usage guidelines) as well as a legal framework (non-disclosure agreements, data protection agreements, commissioned data processing agreements).