1. Processing activities
Provision of information about soil profiles and surrounding images.
Information on Data Privacy Protection
2. Responsible controller
- TB Unterfrauner GmbH
- Regional tribunal St. Pölten, FN 430626z
- Umseerstrasse 39, 3040 Neulengbach
- E-Mail: office@soilbook.info
3. Purpose of data processing on the legal basis
of freedom of communication
about soil profiles and surrounding images via a publicly available archive. The processing of data takes place in the range of the foundation of freedom of press, freedom of opinion and freedom of communication, which is backed by conventional and constitutional rights (Art 13 StGG; Art 10 EMRK).
of performance or preparation of contracts
b) Online access to information about services of the controller
c) ) Provision of communication channels to spread the contents and to service the customer relation
of consent
d) Provision of a newsletter and other notifications (e.g. about new entries) based on the customers consent with the possibility to opt out at any time
of the (overriding) legitimate interests
e) spreading of (also advertising) information about services and events of the controller in the means of direct advertising (marketing purposes), as far as legally permitted
f) preservation and raising of customer satisfaction and customer loyalty via analysis of the user behavior (utilizing Google Analytics) aiming to improve the services
g) operation of an archive about soil profiles
h) transfer of user’s electronic identification data to third parties to enrich editorial contents with contributions from social media (e.g. youTube) and other applications (e.g. Google Maps).
4. Legal basis of data processing
1) Performance of the contract: The use of the online media of the controller is based on a contract according to Art 6 (1) (b) GDPR. With the registration a registration relationship is established.
2) Additional services: Consent. For single services (e.g. newsletter) the controller explicitly asks the customer for consent. This consent can be revoked at any time with future effect.
3) Overriding legitimate interests (see point 5)
5. Description of (overriding) legitimate interests for the purposes
of IT-security:
The controller will store the IP-addresses of its customers for a period of 14 days to protect against targeted attacks in the form of server overloads („denial of service“-attacks) and other damages to the systems. The controller has an overriding legitimate interest in such data processing in order to maintain the functionality of its online services (recital 49 GDPR).
of archiving:
The controller operates an online retrievable archive to present soil profiles and surrounding images. Users all over the world can submit their data there. So they can complete the pedigrees and keep them updated. There is public interest in the contents of the archive according to Art 5 (1) (b) GDPR.
of an appealing presentation:
The controller uses external fonts from Adobe Fonts (Adobe Typekit). The utilization of Adobe Fonts is in the interest of an appealing presentation of our online services. This is a legitimate interest according to Art. 6 (1) (f) GDPR.
6. Change of purpose
Purpose of archiving: The controller is hereby informing that information is processed in archiving purposes if affected person has no secrecy interest. There is no incompatibility with the purpose of the initial data collection. The customer can contradict the utilization of his personal data for archiving purposes at any time and without giving any reasons.
7. Evaluating personal aspects of a person (Profiling)
The controller does not evaluate personal aspects relating to the customers.
8. Obligation to provide data
The customer is under no obligation to provide data.
9. Automated decision-making
The customer is not subject to an automated decision-making that unfolds legal effects on him.
10. Processed types of data
- provided by the customer
- • first name
- • username
- • last name (optional)
- • e-mail-address
- • region/state/county
- • country
- • password (encrypted)
- • contents of messages of the customer
- • soil profile data
- • images and other content
- additionally collected by the controller
- • IP-addresses (log files)
- • data concerning the terminal device
- • used browser
- • used device
- • communication protocol
- • information concerning account usage (e.g. creation date, number of logins, date of the last request)
- • GPS-data of the images
11. Data sources (to the extent not provided by the customer nor collected by the controller)
| Source | Type of data |
|---|---|
| Wildbit, LLC (service: „Postmark“) 225 Chestnut St. Philadelphia, Pennsylvania 19106, USA | IP location, preferred e-mail client, source of the login, campaign details (reception, opening, click) |
| Newsletter-service “MailChimp”: The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA | IP location, preferred e-mail client, source of the login, campaign details (reception, opening, click) |
12. External recipients of data
A) Integration of content of third parties into the website: Transmission of electronic identification data, especially IP-address:
- • Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025, USA, Policy
- • Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA, Policy
- • Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA, Policy
- • YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA Policiy
- • Vimeo/Google-AdSens/Google-Maps: Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA Policy
- • Pinterest Europe Ltd, Palmerston House, 2nd Floor, Fenian Street, Dublin 2, Ireland Policy
- • Wildbit, LLC (Service: „Postmark“) 225 Chestnut St. Philadelphia, Pennsylvania 19106, USA Policy
- • AdobeFonts: Adobe Systems Software Ireland Limited, 4-6 Riverwalk, City West Business Campus, Saggart, Dublin 24, Ireland. Policy
B) Processors of contract data
- • Website support: stiege10 GbR, Hermanngasse 18/3, 1070 Vienna, Austria
- • Hostprovider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
- • Cloud: Amazon Web Services EMEA SARL 38, avenue John F. Kennedy, L-1855, Luxembourg
- • • E-mail-campaign shipping „Postmark“: Wildbit, LLC, 225 Chestnut St., Philadelphia, Pennsylvania 19106, USA
- • OpenStreetMap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom
- • Google Analytics (mit “anonymize IP”): Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA
- • Newsletter-service “MailChimp”: The Rocket Science Group, LLC 675 Ponce de Leon Ave NE Suite 5000 Atlanta, GA 30308 USA.
The controller explicitly reserves the utilization of other processors of contract data. These are declared in the next “Data protection Information - Soilbook” update following the start of the implementation. The data processing of the processors of contract data takes place under the responsibility of the controller.
13. Internal recipients
- System administrator:
- stiege10 GbR, TB Unterfrauner GmbH
- Types of data
- IP location, E-Mail Client, Source of login, Campaign details (receipt, opening, click)
14. Transfer to third countries
The following data will be transmitted to countries outside of the EU in connection with data processing:
| Land | Use | Types of data |
|---|---|---|
| USA | Google (EU-US- Privacy-Shield) | Google Analytics: anonymised IP-address, title of the website, information concerning the browser, information concerning webusage |
| USA | „Postmark“ (EU-US-Privacy-Shield) | e-mail-address, user name, content of the e-mails generated in the application |
| USA | MailChimp (EU-US-Privacy-Shield) | e-mail-address, name, content of the newsletter |
15. Appearance in social-media-channels
The controller informs that it keeps independent online appearances retrievable for purposes of advertising and communication with the customers. In these online appearances the data of the customer may be processed outside of the EU, which may result in a higher risk for violation of data protection standards. The operators of the social media channels have been brought together widely under the EU-US-Privacy-Shield, as far as they are located in the USA.
These online appearances are retrievable in the technical environment of the respective social media operator. The social media operators are using the customers visit to the online appearance for their own purposes especially to advertise (interest-based). The social media operators are using the visit to drop cookies on the device of the customer, to read preexisting cookies/identifiers with the purpose to deduce user behavior and interests and to enrich the customer’s user profile or the according identifier with this information. The purpose of that is interest-based advertising targeting the customer, which also may occur later during a visit on websites of third parties.
The processing of personalized data of the customer takes place because of the predominant legitimate interest of the controller regarding advertising measures and customer communication. This is protected by the conventional and constitutional rights of freedom of business (Art 6 StGG) and freedom of communication (esp. Art 10 EMRK, which also protects advertising measures). If the customer is a user of the social media channels, data processing may be covered under the consent of the customer.
The controller informs that the controller has no access to the data of the customer. Therefore the controller is recommending the customer to address the respective social media channel directly in case of an assertion of the customers right for information, correction, deletion, restriction, contradiction and data transferability. The users of social media channels may change privacy rules in the respective settings themselves. If necessary the controller is supporting the customer with these steps.
Further information can be found here:
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - data protection declaration, Opt-Out, Online Choices
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) - Datenschutzerklärung
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) - data protection declaration, Opt-Out
16. Storage period
Non-registered customers: The personal data (esp. IP-address) of (non-registered) website visitors are stored for a period of 14 days for IT-security purposes and are deleted after this period.
Registred customers: The data of registered customers are processed by the responsible party on the basis of the above-mentioned legal basis for the duration of the registration relationship. The user contract ends in any case by deletion of the account.
Legal basis of contractual relationship: The personalized data is processed by the controller based on the registration- and licensing-contract basically up to 40 months after contract termination (= 36 months possible contractual claims for damage + max. 4 months positioning time for legal action). After this period, this data is deleted (at least the personal reference). In case of an existing legal obligation to store data, especially according to § 132 (1) BAO, the processing of personalized and billing-relevant data takes place by the end of the legal retention period (at the time basically 7 years after the end of the fiscal year of the occurrence).
17. Rights of the data subject
| Legal basis | Content |
|---|---|
| Art 15 GDPR „Access“ | The customer shall have the right to obtain confirmation as to whether or not his personal data is being processed. |
| Art 16 GDPR „Rectification“ | The customer shall have the right to obtain without undue delay the rectification of inaccurate personal data or to have them completed. |
| Art 17 GDPR „Erasure“ | The customer shall have the right to obtain the erasure of personal data without undue delay as long as the reasons stated in Art17(1) GDPR are fulfilled. |
| Art 18 GDPR „Restriction“ | The customer shall have the right to obtain restriction of processing of personal data as long as the reasons stated in Art18(1) GDPR are fulfilled. |
| Art 20 GDPR "Data portability" | The customer shall have the right to receive the personal data concerning him in a structured, commonly used and machine-readable format. |
| Art 21 GDPR „Objection“ | The customer shall have the right to object to processing of his personal data on the legal basis of a legitimate interest at any time. |
18. Right of appeal
Art 77 GDPR § 24 DSG
Every customer has the right to lodge a complaint with the supervisory authority if he or she considers that the processing of personal data concerning him or her infringes this Regulation.
19. Supervisory authority
- Austrian Data Protection Authority
- Barichgasse 40-42
- A-1030 Vienna
- Telephone: +43 1 52 152-0
- E-Mail: dsb@dsb.gv.at
