Equip GmbH – Data privacy statement

Data Privacy Statement

The terms used in this data privacy statement always refer equally to all gender identities.
Gender specific terms are avoided to improve readability.

This data privacy statement informs you about the data processing operations
(in particular about the type, scope and purpose of data collection) when you contact us
or when we contact you with regard to our (potential) cooperation. You can find information relating to data privacy when you visit our online content or our website https://equip.co.at right here.

1. Data controller

Equip GmbH (FN 419573w)
Hauptstraße 56
A-2332 Hennersdorf bei Wien

Tel. +43 2235 211 83 0
E-Mail: office@equip.co.at

2. Principles of data processing and legal basis

We process personal data within the context of the General Data Protection
Regulation (GDPR), the Data Protection Act (DPA) and the Telecommunications Act
(TKG 2021). We shall keep this data safe and forward it internally or to third
parties only if this is necessary for the purpose of processing the contract,
or if you have given your consent to this previously.

As shown below, the data is processed either on the basis of a contract formation
process or contract performance (Art 6 Par 1 lit b GDPR), your consent (Art 6
Par 1 lit a GDPR), or to safeguard legitimate interests (Art 6 Par 1 lit f
GDPR).

3. Business services

3.1. Basic information: Type, purpose and use of the data

We process data belonging to our customers,
interested parties, applicants for employment or as freelancers and other
(potential) business partners (collectively referred to as “contractual
partners”) in the context of contractual and comparable legal relationships
as well as related measures and in the context of communication with the
contractual (or pre-contractual) partners, e.g. to answer enquiries.

We process this data so that we can fulfil our
contractual obligations. In particular, this includes obligations to provide
the agreed services, any obligations relating to updating data, and assistance
with issues regarding warranty and other services. Furthermore, we process the
data to protect our rights and for the purpose of the administration tasks that
are associated with these obligations and the company organisation. Moreover,
we process the data on the basis of our legitimate interests in proper and
economic management and in security measures for protecting our contractual
partners and our business operations from misuse, or for preventing their data,
secrets, information and rights from being compromised (for example to involve
telecommunications, transport and other auxiliary services as well as
sub-contractors, banks, tax and legal advisers, payment service providers or
financial authorities). Within the current legal framework, we shall forward
the data from the contractual partners to third parties only to the extent that
this is necessary for the aforementioned purposes, or for the fulfilment of
statutory obligations.

We shall inform the contractual partners about
which data is required for the aforementioned purposes either before the data
is being collected, as it is being collected, or in person.

Insofar as we are active on platforms such as karriere.at, freelancermap.at or foreign
platforms, the terms and conditions and data protection notices of the
respective third-party providers or platforms will apply in the relationship
between the users and the providers.

Types of data processed: Personal data (names, addresses); payment data (bank details, invoices, payment history); contact details (e-mail, phone numbers); contractual data (subject matter of the contract, term, customer category); applicant details (personal details, post and contact addresses, documents accompanying the application and the information contained therein, letters, CVs, references and additional information provided with regard to a specific job or provided voluntarily by applicants relating to their person or qualifications).
Data subjects: Interested parties; business and contractual partners; applicants.
Purpose of the processing: Provision of contractual services and customer service; contact requests and communication; office and organisational procedures; managing and responding to requests.
Legal basis: Contract performance and pre-contractual requests (Art 6 Par 1 lit b GDPR); legal obligation (Art 6 Par 1 lit c GDPR); legitimate interests (Art 6 Par 1 lit fGDPR).

3.2. Recruiting for third parties

Our services also include searching for potential candidates, contacting them, and
connecting them with third parties. To do this, we process the applicants’ data
and the personal data of the (potential) employer or their employees.

We process the information provided by the candidates and their contact details
for the purpose of justifying, performing and, where applicable, terminating a
job placement contract. Furthermore, we can ask interested parties about the
success of our agency service at a later stage and in accordance with statutory
requirements.

We process the candidates’ and the employers’ data to fulfil our contractual
obligations and to process the requests we have received to place jobs to the
satisfaction of the parties involved.

Legal basis: Contract performance and pre-contractual requests (Art 6 Para 1 lit b GDPR).

3.3. Consulting

We process the data belonging to our customers, interested parties and other
contractual partners (hereinafter referred to as “clients”) so that we can
provide them with our consulting services.

The data that is processed, the type, scope, purpose and need for its processing
are all determined by the underlying contractual relationship. If required for
our contractual performance, to protect vital interests or if it is legally
required, or if the client has given their consent, we shall disclose or
transmit the client’s data to third parties or to representatives such as
authorities, subcontractors or in the field of IT, office or comparable
services, whilst taking all requirements under trade law into consideration.

Legal basis: Vertragserfüllung und vorvertragliche Anfragen (Art 6 Abs 1 lit b DSGVO).

3.4. Project and development services

The required information is marked as such when the order, purchase order or
comparable contract is concluded, and comprises the information that is
required for the provision and billing of services as well as contact
information needed to hold any necessary further discussions. If we are given
access to information belonging to end customers, employees or other persons,
we shall process this in accordance with the statutory and contractual
specifications.

Legal basis: Contract performance and pre-contractual requests (Art 6 Par 1 lit b GDPR).

4. Notes on the application processes

Each application process requires applicants to provide us with the data we need
to assess and select them (point 3.1.), or the data that is required in the
field of recruitment for third parties (point 3.2.). Which information is
required follows on from the job description or, in the case of online forms,
the information stated therein.

In principle, this required information comprises personal information such as the
applicant’s name, address, contact details and proof that they have the necessary
qualifications for a job.

Applicants can send us their applications via an online form. The data is transmitted to us in an encrypted form according to state-of-the-art technological standards. Applicants can also submit their applications via e-mail. Please note that e-mails on the Internet are generally not sent in encrypted form. As a rule, e-mails are encrypted in transit, but not on the servers from which they are sent and
received. We therefore cannot assume any responsibility for the transmission
path of the job application between the sender and its receipt on our server.

In accordance with legal provisions, we may use application management or
recruitment software and platforms and services from third-party providers for
the purposes of searching for applicants, submitting applications and selecting
applicants.

Applicants are welcome to contact us about the way of submitting their application or to send us their application by post.

Processing special categories of data: If, within the application process, applicants are asked about special categories of personal data within the meaning of Art 9 Par 1 GDPR (health-related data such as disability, or ethnic origin) so that the data controller or the data subject can exercise his or her rights arising from employment law and social security legislation, and can fully assume their obligations in this regard, this data will be processed pursuant to Art 9 Par 2 lit b GDPR, in the event of protection of vital interests of the applicant or other persons pursuant to Art 9 Par 2 lit c GDPR, or for purposes of health care or occupational medicine, for assessing the employee’s ability to work, for medical diagnosis, for
provision or treatment for health or social sector or for managing systems and
services in health or social care pursuant to Art 9 Par 2 lit h GDPR.

In the event that we are notified of special categories of data on a voluntary
basis, this data will be processed according to Art 9 Par 2 lit a GDPR.

Inclusion in an applicant pool: Applicants shall provide their consent if they want to be included in an applicant pool, if this is available. The applicants will be informed that their consent to being included in the talent pool is voluntary, that it does not have any impact on an ongoing application process, and that they can withdraw their consent any time time with future effect.

Legal basis: Application process as a
pre-contractual or contractual relationship (Art 6 Par 1 lit b GDPR);
legitimate interests (Art 6 Par 1 lit f GDPR).

Additional information about data processing, procedures and services:

LinkedIn Recruiter: Job applications and application-related services within the LinkedIn platform; Service provider: LinkedIn Irland Unlimited Company, Wilton
Plaza Wilton Place, Dublin 2, Irland; Website: https://www.linkedin.com; GTC: https://legal.linkedin.com/dpa; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa.
Xing: Job application and application-related services within the Xing platform; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Deutschland; Website: https://www.xing.com; Data privacy statement: https://privacy.xing.com/de/datenschutzerklaerun

5. Video conferences and online meetings

We use platforms and applications from other providers (hereinafter referred to as “conference platforms”) for the purpose of holding video and audio conferences
as well as other types of video and audio meetings (hereinafter referred to as
“conference”). We observe statutory requirements when selecting conference
platforms and their services.

Data processed by conference platforms: For the purpose of participating in a conference, the conference platforms process the following personal data belonging to the participants. The extent to which the data is processed depends on which data is required within a specific conference (such as specification of access data or real names) and which optional information is provided by the participants. In addition to the processing for holding the conference, the participants’ data can also be processed by the conference platform for reasons of security or service optimisation. The data that is processed includes data relating to the person (first name, last name), contact information (e-mail address, phone number), access data (access codes or passwords), profile pictures, information about their professional position/role, the IP address of their internet access,
information about participants’ end devices, their operating system, their browser and its technical and language settings, information about content-related communication processes, such as entries in chats as well as audio and video data, and the use of other functions that are available (such as surveys). The contents of the communications are encrypted to the extent that is technically provided by the conference provider. If the participants in
the conference platform are registered as users, additional data may be processed
pursuant to the agreement with the respective conference provider.

Logging and recordings: If text entries, participation results (of surveys, for example) and video or audio recordings are logged, the participants will be made aware of this beforehand and they will be asked to give their consent where this is
necessary.

Privacy practices of participants: Please refer to the privacy notices to see details of how your data is processed by the conference platforms and within the settings for the conference platforms, select the security and data protection settings that are optimal for you. Furthermore, for the duration of a video conference, please
ensure data and privacy protection in the background of your recording (e.g. by
informing cohabitants, closing doors and, where technically feasible, making
the background unrecognisable). Links to the conference rooms and access
details must not be passed on to unauthorised third parties.

Notes on legal bases: If, in addition to the conference platforms, we also process the users’ data and ask users for their consent regarding the use of conference platforms or specific functions (such as consent to conferences being recorded), this consent forms the legal basis of the processing. Furthermore, it may be necessary for us to process the data to fulfil our contractual obligations (for example in participant lists, when processing results of discussions, etc.).
Furthermore, users’ data is processed on the basis of our legitimate interests
in ensuring efficient and secure communication with our communication partners..

Types of data processed: Personal data (names, addresses); contact details (e-mail, phone numbers); content data; usage data; meta, communication and process data (e.g. IP addresses, times, identification numbers, consent status).
Data subjects: Communication partners, persons depicted.
Purposes of the processing: Provision of contractual services and customer service; contact requests and communication; office and organisational procedures.
Legal basis: Legitimate interests (Art 6 Par 1 lit f GDPR)..

Additional information about processing operations, procedures and services:

Discord: Chat, audio and video transmissions, instant messaging and community management; Service provider: Discord, Inc., 444 De Haro St, Suite 200, San Francisco, California 94107, USA; Website: https://discordapp.com/; Data privacy statement: https://discordapp.com/privacy.
Microsoft Teams: Messenger and conference software; Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Irland, Mutterunternehmen: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://www.microsoft.com/de-de/microsoft-365; Data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, Security notices: https://www.microsoft.com/de-de/trustcenter; Standard contract clauses
(ensure data privacy level for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.
Skype: Messenger and conference software; Service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://www.skype.com/de/; Privacy statement: https://privacy.microsoft.com/de-de/privacystatement, Security notices: https://www.microsoft.com/de-de/trustcenter.
TeamViewer: Conference software; Service provider: TeamViewer GmbH, Jahnstr. 30, 73037 Göppingen, Deutschland; Website: https://www.teamviewer.com/de;
Data privacy statement: https://www.teamviewer.com/de/datenschutzerklaerung/.
Zoom: Video conferences, web conferences and webinars; Service provider: Zoom Video Communications, Inc., 55 Almaden Blvd., Suite 600, San Jose, CA 95113, USA; Website: https://zoom.us; Data privacy statement: https://zoom.us/docs/de-de/privacy-and-legal.html; Data processing agreement: https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA); Standard contract clauses (ensure data privacy level for processing in third countries): https://zoom.us/docs/de-de/privacy-and-legal.html (referred to as Global DPA).

6. Cloud services

We use software services that are accessible over the internet and executed on the servers of their providers (known as “cloud services” or “Software as a Service”) for storing and managing content (such as document storage and
management, exchanging documents, content and information with specific
recipients or publishing content and information).

Personal data may be processed in this context and stored on the providers’ servers if they are a component of communication procedures with us, or are processed by us, as stated within this data privacy statement. This data may include master data and contact data for users, data relating to operations, contracts, other processes and their content. Furthermore, the providers of cloud services will process the usage data and metadata that they use for security purposes and optimise their services.

If we use cloud services to provide documents and content for other users or
publicly accessible websites, forms or similar, the providers may set cookies
on the users’ devices for the purpose of web analysis or to remember user
settings (such as in the case of media control).

Types of data processed: Personal data (names, addresses); contact details (e-mail, phone numbers); content data; usage data; meta, communication and process data (e.g.
IP addresses, times, identification numbers, consent status).
Data subjects: Customers; employees (e.g. staff, applicants, former employees); interested parties; communication partners; users (e.g. website visitors, users of online services).
Purposes of the processing: Office and organisational procedures; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).
Legal basis: Legitimate interests (Art 6 Par 1 lit f GDPR).

Additional information about processing operations, procedures and services:

Dropbox: Cloud storage service; Service provdier: Dropbox, Inc., 333 Brannan Street, San Francisco, California 94107, USA; Website: https://www.dropbox.com/de; Data privacy statement: https://www.dropbox.com/privacy; Data processing agreement: https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf; Standard contract clauses (ensure data privacy level for processing in third countries): https://assets.dropbox.com/documents/en/legal/dfb-data-processing-agreement.pdf.
Google Cloud services: Cloud infrastructure services and
cloud-based application software; Service provider: Google Cloud EMEA
Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Irland; Website: https://cloud.google.com/; Data privacy statement: https://policies.google.com/privacy; Data processing agreement: https://cloud.google.com/terms/data-processing-addendum; Standard contract clauses (ensure data privacy level for processing in third countries): https://cloud.google.com/terms/eu-model-contract-clause; Additional information: https://cloud.google.com/privacy.
Microsoft Cloud services: Cloud storage, cloud infrastructure
services and cloud-based application software; Service provider:
Microsoft Ireland Operations Limited, One Microsoft Place, South County
Business Park, Leopardstown, Dublin 18, Irland, Mutterunternehmen: Microsoft
Corporation, One Microsoft Way, Redmond, WA 98052-6399 USA; Website: https://microsoft.com/de-de; Data privacy statement: https://privacy.microsoft.com/de-de/privacystatement, Security notices: https://www.microsoft.com/de-de/trustcenter; Data processing agreement: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA; Standard contract clauses (ensure
data privacy level for processing in third countries): https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA.

7. Social media

We are active in social networks, and we process user data in this context so that
we can communicate with the users who are active there, or to provide them with
information about us.

We would like to point out that data belonging to users may be processed outside
of the European Union. This could create risks for users, for example by making
it more difficult to enforce users’ rights.

Furthermore, user data within social networks is usually processed for market research and
advertising purposes. For example, usage profiles can be created on the basis
of usage behaviour and the resulting interests of the users. In turn, the usage
profiles can be used, for example, to display advertisements within and outside
the networks that presumably correspond to the interests of the users. For
these purposes, cookies are usually stored on the users’ computers on which the
usage behaviour and the interests of the users are stored. Furthermore, data
may also be stored in the usage profiles irrespective of the devices used by
the users (especially if the users are members of the respective platforms and
are logged in to them).

For a detailed description of the respective forms of processing and the
possibilities of objection (opt-out), we refer to the data privacy statements
and information provided by the operators of the respective networks.

In the case of requests for information and the assertion of data subject rights,
we would also like to point out that these can be asserted most effectively
with the providers. Only the providers have access to the users’ data in each
case and can take appropriate measures and provide information directly. If you
still need help, then you can contact us.

Types of data processed: Contact data (e-mail, phone numbers); content data (entries in online forms); usage data (websites visited, interest in contents, access times); meta, communication and process data (e.g. IP addresses, times, identification numbers, consent status).
Data subjects: Users of online services.
Purposes of the processing: Contact requests and communication; feedback; marketing.
Legal basis: Legitimate interests (Art 6 Par 1 lit f GDPR).

Additional information about processing operations, procedures and services:

LinkedIn: Social network; Service provider: LinkedIn Irland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Irland; Website: https://www.linkedin.com; Privacy Policy: https://www.linkedin.com/legal/privacy-policy; Data processing agreement: https://legal.linkedin.com/dpa; Standard contract clauses (ensure data
privacy level for processing in third countries): https://legal.linkedin.com/dpa; Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Xing: Social network; Service provider: New Work SE, Am Strandkai 1, 20457 Hamburg, Deutschland; Website: https://www.xing.de; Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.

8. Data security

Your personal data is protected by means of appropriate organisational and technical measures. These measures particularly concern protection from unauthorised, unlawful or even incidental access, processing, loss, use and manipulation.

Despite efforts to maintain a consistently high and appropriate standard of
precautionary measures, it cannot be excluded that the information you provide
us over the Internet may be viewed and used by other persons.

Please note that we therefore do not assume any liability for the disclosure of
information due to data transmission errors that are not our fault, or
unauthorised access by third parties (e.g. if an e-mail account or phone is
hacked).

9. Announcement of data breaches

We try to ensure that data breaches are identified early on, and that, if need be,
those breaches and the data categories they affect are reported to you or the
competent supervisory authority without undue delay.

10. Data retention

We shall not retain data for longer than is necessary to fulfil our contractual or
legal obligations and to avert any possible liability claims.

If your personal data is processed (exclusively) on the basis of your consent,
then, should you withdraw your consent, your data will no longer be processed
and will be deleted. Personal data will otherwise be deleted after six months,
provided that no legal obligation exists to retain the data for a longer period
or if we are authorised to continue processing this data.

If their application is successful, the data provided by applicants may be
processed further by us for the purpose of the employment relationship.

11. Rights of data subjects

At all times, you have the right of access to information about your personal data that is stored (Art 15 GDPR), a right to correction (Art 16 GDPR), deletion (Art 17 GDPR), restriction of processing (Art 18 GDPR) and a right to object to the processing (Art 21 GDPR) or a right to data portability (Art 20 GDPR). If your personal data changes, please inform us accordingly.

You have the right to withdraw your consent to the use of your personal data, in whole or in part, at any time. Your personal data will be stored until you withdraw your consent. If you do withdraw your consent, this will not affect the legitimacy of the processing of your personal data during the time before you withdrew your consent. Please note that if you do withdraw your consent, it may no longer be possible to fulfil specific purposes to their full extent.

If you believe that the processing of your personal data breaches applicable data protection law, or that your rights under data protection law have been otherwise infringed, you may lodge a complaint with the competent supervisory authority (Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna, Austria, dsb@dsb.gv.at).