Terms & Conditions

Introduction and Overview

We have drafted this privacy policy (Version 05.10.2023-112637124) to explain to you, in accordance with the provisions of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (referred to as "data") we, as data controllers, and our authorized data processors (e.g., providers) process or will process in the future, and which lawful options are available to you. The terms used in this policy are gender-neutral. In brief, we provide comprehensive information about the data we process concerning you.

Privacy policies often sound very technical and use legal terminology. However, this privacy policy is designed to describe the most important aspects as simply and transparently as possible. Technical terms are explained in a reader-friendly manner, links to additional information are provided, and graphics are used for the sake of clarity and simplicity. We aim to inform you in clear and simple language that we only process personal data in the course of our business activities when there is a corresponding legal basis. This is not possible if we provide brief, unclear, and legally technical explanations, as is often the norm on the internet when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there is some information you were not aware of.

If you still have questions, we kindly ask you to contact the responsible entity mentioned below or in the imprint, follow the provided links, and seek further information on third-party websites. You can naturally find our contact information in the imprint as well.

Scope

This privacy policy applies to all personal data processed by us within the company and to all personal data processed by companies we have commissioned (data processors). By "personal data," we mean information as defined in Art. 4 No. 1 of the General Data Protection Regulation (GDPR), such as a person's name, email address, and postal address. The processing of personal data allows us to provide and bill for our services and products, whether online or offline. The scope of this privacy policy includes:

  • All online presences (websites, online shops) that we operate.

  • Social media presences and email communication.

  • Mobile apps for smartphones and other devices.

In summary, this privacy policy applies to all areas where personal data is systematically processed within the company through the mentioned channels. If we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Basis

In the following privacy policy, we provide you with transparent information about the legal principles and regulations, namely, the legal bases of the General Data Protection Regulation (GDPR) that enable us to process personal data.

Regarding EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can read this EU General Data Protection Regulation online on EUR-Lex, the EU's legal database, at https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32016R0679.

We process your data only when at least one of the following conditions applies:

  1. Consent (Article 6, paragraph 1, letter a of the GDPR): You have given us your consent to process data for a specific purpose. An example would be storing data you entered in a contact form.

  2. Contract (Article 6, paragraph 1, letter b of the GDPR): To fulfill a contract or pre-contractual obligations with you, we process your data. For instance, if we enter into a purchase contract with you, we need your personal information beforehand.

  3. Legal obligation (Article 6, paragraph 1, letter c of the GDPR): If we are under a legal obligation, we process your data. For example, we are legally required to retain invoices for accounting purposes, which typically contain personal data.

  4. Legitimate interests (Article 6, paragraph 1, letter f of the GDPR): In the case of legitimate interests that do not infringe upon your fundamental rights, we reserve the right to process personal data. For example, we may need to process certain data to operate our website securely and efficiently. This processing is thus a legitimate interest.

Other conditions, such as processing in the public interest, the exercise of official authority, and the protection of vital interests, typically do not apply to us. If such a legal basis were to be relevant, it would be indicated in the corresponding section.

In addition to the EU regulation, national laws also apply:

  • In Austria, this is the Federal Act for the Protection of Individuals with regard to the Processing of Personal Data (Data Protection Act), abbreviated as DSG.

  • In Germany, the Federal Data Protection Act, abbreviated as BDSG, applies.

If additional regional or national laws are applicable, we will inform you in the following sections.

Contact Information for the Data Controller

If you have any questions regarding data protection or the processing of personal data, you can find the contact information of the responsible person or entity below:

Cellar Talk GmbH

Joaquin Fernandez de Cordova Hohenlohe,

Philip Kleffel

Werdertorgasse 5-7, 1010 Vienna, Austria

Email: info@villumi.com

Phone: +43 66488784860

Imprint: https://www.villumi.com/impressum/

Data Retention

One of our general criteria is that we only store personal data for as long as it is absolutely necessary for the provision of our services and products. This means that we delete personal data as soon as the reason for data processing no longer exists. In some cases, we are legally obligated to retain certain data even after the original purpose has been fulfilled, such as for accounting purposes.

If you wish to have your data deleted or withdraw your consent for data processing, the data will be deleted as quickly as possible, provided there is no legal obligation to retain it.

We will provide you with specific information about the duration of each data processing below, if we have further details on this.

Rights under the General Data Protection Regulation (GDPR)

In accordance with Articles 13 and 14 of the GDPR, we inform you about the following rights that you are entitled to, to ensure fair and transparent data processing:

  • According to Article 15 of the GDPR, you have the right to know whether we process your data. If so, you have the right to receive a copy of the data and obtain the following information:

    • The purpose for which we are processing the data.

    • The categories, i.e., the types of data being processed.

    • Who receives this data and, if the data is transferred to third countries, how the security is guaranteed.

    • The duration of data retention.

    • The right to rectify, erase, or restrict processing and the right to object to the processing.

    • The right to lodge a complaint with a supervisory authority (links to these authorities can be found below).

    • The source of the data, if it was not collected from you.

    • Whether profiling is being carried out, i.e., whether data is automatically analyzed to create a personal profile of you.

  • According to Article 16 of the GDPR, you have the right to rectify your data, which means that we must correct data if you find errors.

  • According to Article 17 of the GDPR, you have the right to erasure ("right to be forgotten"), which means that you can request the deletion of your data.

  • According to Article 18 of the GDPR, you have the right to restrict processing, which means that we may only store the data but not further use it.

  • According to Article 20 of the GDPR, you have the right to data portability, which means that we must provide your data in a common format upon request.

  • According to Article 21 of the GDPR, you have the right to object, which, when exercised, results in a change in the processing:

    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of public authority) or Article 6(1)(f) (legitimate interests), you can object to the processing. We will then promptly assess whether we can legally comply with this objection.

    • If data is used for direct marketing, you can object to this type of data processing at any time. We may no longer use your data for direct marketing.

    • If data is used for profiling, you can object to this type of data processing at any time. We may no longer use your data for profiling.

  • According to Article 22 of the GDPR, under certain circumstances, you have the right not to be subject to a decision based solely on automated processing (e.g., profiling).

  • According to Article 77 of the GDPR, you have the right to lodge a complaint. This means you can file a complaint with the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In summary: You have rights – do not hesitate to contact the responsible entity listed above! If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any way, you can file a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For more information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). For our company, the following local data protection authority is responsible: [Local Data Protection Authority Information].

Austria Data Protection Authority

Director: Mag. Dr. Andrea Jelinek

Address: Barichgasse 40-42, 1030 Vienna

Phone Number: +43 1 52 152-0

Email Address: dsb@dsb.gv.at

Website: https://www.dsb.gv.at/

Data Transfer to Third Countries

We only transfer or process data in countries outside the scope of the GDPR (third countries) when you consent to such processing or when there is another legal basis. This is particularly the case when processing is required by law or necessary to fulfill a contractual relationship and only to the extent permitted by law. Your consent is, in most cases, the primary reason for us to process data in third countries. Processing of personal data in third countries, such as the United States, where many software providers offer services and have server locations, may result in personal data being processed and stored in unexpected ways.

We expressly emphasize that, according to the European Court of Justice, an adequate level of protection for data transfer to the United States currently exists only when a U.S. company processing personal data of EU citizens in the U.S. is an active participant in the EU-US Data Privacy Framework. You can find more information on this at: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

Data processing by U.S. services that are not active participants in the EU-US Data Privacy Framework may result in data being processed and stored without being anonymized, and U.S. governmental authorities may potentially access individual data. Additionally, collected data may be linked with data from other services of the same provider if you have a corresponding user account. Where possible, we attempt to use server locations within the EU if such options are available.

We will provide more detailed information on data transfers to third countries at appropriate sections of this privacy policy, if applicable.

Data Processing Security

To protect personal data, we have implemented both technical and organizational measures. Where possible, we encrypt or pseudonymize personal data. This makes it as difficult as possible, within the scope of our capabilities, for third parties to infer personal information from our data.

Article 25 of the GDPR refers to "data protection by design and by default," which means that security is always a consideration, and appropriate measures are taken, both in software (e.g., forms) and hardware (e.g., access to the server room). Below, we will detail specific measures if necessary.

TLS Encryption with HTTPS

TLS, encryption, and HTTPS may sound very technical, and they are. We use HTTPS (Hypertext Transfer Protocol Secure) to transmit data securely over the internet.

This means that the complete transmission of all data from your browser to our web server is secured, and no one can eavesdrop. By doing this, we have introduced an additional layer of security and comply with data protection by design (Article 25, paragraph 1 of the GDPR).

Through the use of TLS (Transport Layer Security), an encryption protocol for secure data transmission over the internet, we can ensure the protection of confidential data.

You can recognize the use of this data transmission security by the small padlock symbol in the top left of your browser, to the left of the website address (e.g., examplepage.com), and the use of the "https" scheme instead of "http" as part of our web address.

If you would like to learn more about encryption, we recommend performing a Google search for "Hypertext Transfer Protocol Secure wiki" to find good links to further information.

Communication Summary

👥 Data Subjects: All those who communicate with us via phone, email, or online forms.

📓 Processed Data: For example, phone number, name, email address, entered form data. More details can be found for each respective contact method.

🤝 Purpose: Facilitating communication with customers, business partners, etc.

📅 Data Retention: Duration of the business case and legal requirements.

⚖ Legal Basis: Art. 6(1)(a) GDPR (Consent), Art. 6(1)(b) GDPR (Contract), Art. 6(1)(f) GDPR (Legitimate Interests).

When you contact us and communicate via phone, email, or online forms, personal data may be processed.

The data is processed to handle and address your inquiries and the related business transaction. The data is stored for as long as necessary or as required by law.

Data Subjects

All individuals who seek contact with us via the communication channels we provide are affected by the processes.

Phone

When you call us, call data is pseudonymized and stored on the respective device and by the telecommunication provider. Additionally, data such as name and phone number may be sent via email and stored for query responses. The data is deleted once the business case is concluded and legal requirements permit it.

Email

When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone) and data is also stored on the email server. The data is deleted once the business case is concluded and legal requirements permit it.

Online Forms

When you communicate with us using online forms, data is stored on our web server and may be forwarded to an email address provided by us. The data is deleted once the business case is concluded and legal requirements permit it.

Legal Basis

The processing of data is based on the following legal bases:

• Art. 6(1)(a) GDPR (Consent): You give us consent to store your data and use it further for purposes related to the business case.

• Art. 6(1)(b) GDPR (Contract): It is necessary to fulfill a contract with you or a data processor, such as a telephone provider, or we must process the data for pre-contractual activities, such as preparing a quote.

• Art. 6(1)(f) GDPR (Legitimate Interests): We aim to conduct customer inquiries and business communication within a professional framework. For this, certain technical facilities such as email programs, Exchange servers, and mobile operators are required to efficiently conduct communication.

Data Processing Agreement (DPA)

In this section, we would like to explain what a Data Processing Agreement is and why it is needed. Since the term "Data Processing Agreement" is quite a mouthful, we will often use the acronym DPA in the text. Like most companies, we do not work alone but also use the services of other companies or individuals. By involving various companies or service providers, we may need to share personal data for processing. These partners then act as data processors with whom we conclude a contract, the so-called Data Processing Agreement (DPA). Most important for you to know is that the processing of your personal data is carried out exclusively according to our instructions and must be regulated by the DPA.

Who Are Data Processors?

As a company and website owner, we are responsible for all the data we process from you. Besides the data controllers, there may also be data processors. This includes any company or individual who processes personal data on our behalf. More precisely and according to the GDPR definition: any natural or legal person, authority, agency, or other body that processes personal data on our behalf is considered a data processor. Data processors can, therefore, be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies like Google or Microsoft. For a better understanding of the terminology, here is an overview of the three roles in the GDPR:

Data Subject (You as a customer or prospect) → Data Controller (Us as a company and client) → Data Processor (Service providers like web hosts or cloud providers)

Contents of a Data Processing Agreement

As mentioned above, we have entered into a DPA with our partners who act as data processors. It is stipulated in the DPA, above all, that the data processor processes the data to be processed exclusively in accordance with the GDPR. The contract must be concluded in writing, although an electronic contract is also considered "in writing" in this context. The processing of personal data is carried out only on the basis of the contract. The contract must include the following:

  • The data processor's commitment to us as the data controller

  • Duties and rights of the data controller

  • Categories of data subjects

  • Types of personal data

  • Nature and purpose of data processing

  • Subject and duration of data processing

  • Location of data processing

Furthermore, the contract contains all the obligations of the data processor. The most important obligations are:

  • Ensuring data security measures

  • Taking possible technical and organizational measures to protect the rights of data subjects

  • Maintaining a data processing register

  • Cooperating with the data protection supervisory authority upon request

  • Performing a risk analysis regarding the processed personal data

  • Sub-data processors may only be engaged with the written permission of the data controller.

What such a DPA looks like in concrete terms can be found, for example, at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. A sample contract for data processing is presented there.
