• wpml-ls-flag
  • wpml-ls-flag

Privacy Policy pursuant to Art. 13, 14 GDPR – Fulfilment of the Duty to Provide Information

All personal designations are intended to be gender-neutral and serve solely to facilitate readability.

1. Entity Responsible for Data Processing

The entity responsible pursuant to Art. 4 para. 7 of the EU General Data Protection Regulation (GDPR) is:

CMTA AG
Schmiedgasse 38
8010 Graz

Tel: +43 50 2682

Email: office@cmta.at

2. Data Processing Relating to Persons in a Business Context

2.1. 2.1. Data Processing pursuant to Art. 13 GDPR

We process data that various persons provide to us through their own input, for example within the scope of an enquiry by e-mail, for the purpose of initiating and concluding a contract or business relationship.

2.2. 2.2. Data Processing pursuant to Art. 14 GDPR

We also process data relating to persons who may be part of a contractual relationship, which we have lawfully received from third parties (e.g., managing directors providing us with data of their employees).

2.3. 2.3. Data Subjects

For prospective clients, we process the following data: company name, name of contact person, and professional contact and address data.

For customers, we process the following data: title, gender, first name and surname, date of birth, address, nationality, contact details, identification data (e.g., copy of ID card), PEP status, and customer number. We also process order data, data arising from the fulfilment of contractual obligations, or documentation data (e.g., consultation records).

For suppliers and business partners (e.g., trading partners and settlement agents), we process: company name, titles and names of contact persons, professional address and contact data, bank details, and contract data.

2.4. 2.4. Disclosure of Data

Personal data is only disclosed to third parties if this is necessary for contract processing and fulfilment or required by legal provisions.

2.5. 2.5. Retention and Deletion of Data

We delete data as soon as storage is no longer necessary or permitted, or as soon as statutory retention periods (e.g., under VAT law) have expired. If processing is based on consent, we restrict processing or delete the data upon withdrawal of consent unless legal regulations require otherwise.

2.6. Contact by E-Mail

When you contact us by e-mail, the data you provide is stored based on your consent in order to answer your questions. We delete the data once processing is no longer necessary or restrict processing if legal retention obligations exist.

2.7. 2.7. Publication of the Names of Authors

We are legally obliged to disclose the names of authors of image data (photos or videos) upon publication. Such personal data is automatically deleted once we cease using the image data.

2.8. 2.8. Legal Bases

The legal bases for data processing are:

– Contract initiation and performance pursuant to Art. 6 para. 1 lit. b GDPR

– Legal obligations pursuant to Art. 6 para. 1 lit. c GDPR (e.g., statutory retention and documentation duties, publication obligations under copyright law)

– Legitimate interests of our company pursuant to Art. 6 para. 1 lit. f GDPR (e.g., use of software, due diligence)

– Consent obtained pursuant to Art. 6 para. 1 lit. a GDPR (e.g., processing of image data or for advertising purposes)

3. Data Processing in the Context of Applications

3.1. 3.1. General

If you send us your application documents, we process the personal data contained therein, your CV, and references for the purpose of personnel selection and filling positions. In the event of rejection, we delete your documents seven months after notification.

Legal basis: Art. 6 para. 1 lit. b GDPR.

If you consent to being kept on file for potential future contact, we will send you a separate request to confirm your consent. Once granted, we store your consent. If no vacancy arises within one year, all application data is deleted one year after receipt of your consent.

Legal basis: Art. 6 para. 1 lit. a GDPR.

3.1.1. 3.1.1. Application Platforms

We use various online application platforms for recruiting employees. Interested persons can apply directly via forms provided by the respective portal operators. Applicants decide what data to provide and may upload documents. Personal data and uploaded documents are forwarded to us by the operator. Both the platform and we act as controllers under the GDPR. Please consult the privacy policies of the respective portal operators. Section 3.4.1 applies accordingly.

Legal basis: Art. 6 para. 1 lit. a GDPR.

4. Data Processing When Visiting Our Website

4.1. 4.1. Informational Use of the Website

During purely informational use of our website, we only collect the personal data transmitted by your browser to our server (server log files).

This includes IP address, date and time of request, time zone difference to UTC, content of the request, access status/HTTP code, referring website, browser, operating system and interface, and language and version of the browser software.

We do not merge this data with other data sources. We reserve the right to check this data retrospectively if we become aware of indications of unlawful use or to forward it to authorities in the event of a cyberattack. No further disclosure occurs.

Legal basis: Art. 6 para. 1 lit. f GDPR.

4.2. 4.2. Cookies

When you use our website, cookies are stored on your computer. Cookies are small text files stored on your device by your browser, transmitting specific information to the entity setting the cookie (ourselves or third parties). Cookies cannot execute programs or transmit viruses.

Cookies allow recognition of your browser when revisiting the website without re-entering data. They may indicate login status or previously entered data.

We distinguish between technical cookies (necessary for operation) and others used by us or third parties for statistical analysis, tracking, or marketing. Legal basis: Art. 6 para. 1 lit. f GDPR (technical cookies), Art. 6 para. 1 lit. a GDPR (all others).

4.3. 4.3. Data Processing in the USA

It cannot be excluded that personal data may be transmitted to the USA when visiting our website. Where applicable, we indicate this separately.

No adequate safeguards exist under Art. 46 GDPR for the USA.

Potential risks include

– disclosure of data to third parties (e.g., US authorities),

– limited enforceability of data subject rights,

– and insufficient technical/organisational safeguards.

By consenting to marketing cookies, you explicitly agree to such transfers. You may delete cookies anytime.

Legal basis: Art. 6 para. 1 lit. a GDPR.

5. Social Media Presence

We operate social media pages on LinkedIn. Visiting our social media pages involves processing of personal data, including IP addresses, by the provider and the use of cookies. For details, please refer to the provider’s privacy policy.

We use social media to communicate and maintain customer relationships. For US-related services, data may be transmitted to and stored in the USA. We have no influence over the data processing by these services. Please consult each provider’s privacy settings.

Furthermore, we point out that you use the respective service and its functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. sharing, commenting or rating).

Use of social media is based on our legitimate business interests.

Legal basis: Art. 6 para. 1 lit. f GDPR.

6. Data Processing in Google Services

We have concluded an agreement with Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Data transfers from Europe to the USA may occur, over which we have no control.

Data transfers from Europe to the USA may occur, over which we have no control. Further details are set out under section 4.3.

6.1. 6.1. Google Analytics

We use Google Analytics to analyse website traffic.

The “IP anonymisation” feature ensures IP masking. Your IP address is shortened within the EU/EEA before transfer to the USA.

Google uses this data to provide analytical reports and may disclose it where required by law. You can prevent cookie storage or data collection via browser settings or the opt-out plugin https://tools.google.com/dlpage/gaoptout?hl=de.

See alsohttps://www.google.com/analytics/terms/de.html bzw. unter https://support.google.com/analytics/answer/6004245?hl=de.
Legal basis: Art. 6 para. 1 lit. a GDPR.

6.2. 6.2. Google Tag Manager

The tool processes your IP address but does not access data collected by triggered tags. Cookies may be set, especially in preview/debug mode. Deactivation at domain or cookie level applies to all tags.

More information: https://www.google.com/intl/en/tagmanager/faq.html.

Legal basis: Art. 6 para. 1 lit. a GDPR.

7. Your Rights

You have the following rights regarding your personal data:

– Right of access, rectification, and erasure
– Right to restriction of processing
– Right to object to processing
– Right to data portability
– Right to lodge a complaint with the Austrian Data Protection Authority:

Barichgasse 40 – 42, 1030 Wien, Telefon: +43 1 52 152-0
E-Mail: dsb@dsb.gv.at

If you believe that we are violating Austrian or EU data protection law, please contact us to clarify any concerns.


Requests may be directed to office@cmta.at or via our other contact details.

8. Amendments to this Privacy Policy

We reserve the right to update this Privacy Policy from time to time. All amendments will be published on this page. Please refer to the latest version.

9. Disclaimer

CMTA AG assumes no responsibility for content on external websites linked from our site. The operators of the linked pages are solely responsible for their content.