Data privacy statement

All designations of persons are always intended to be gender-neutral and serve only to make the text easier to read.

1 Controller for data processing
The controller pursuant to Art. 4 Para. 7 EU General Data Protection Regulation (GDPR) is

CMTA AG
Schmiedgasse 38/3
8010 Graz
Tel: +43 50 2682
E-mail: office@cmta.at

2 Data processing of prospects, customers, suppliers and business partners
We save the data that contact persons of prospects, customers, suppliers or business partners provide us with through their own information, for instance, within the framework of an enquiry by e-mail or to conclude a contract or a business relationship. This includes, for instance, gender, salutation, title, first name and surname of executives and employees, Pep status, address and e-mail address, telephone number, fax number, bank details, contract data.

Personal data are only transferred by us to third parties if this is necessary for purposes of handling the contract or due to statutory provisions or – in addition – only on the basis of consent from the data subject. We have concluded legally compliant contract processor agreements with all third parties, where required.

The data will be deleted by us as soon as they are no longer required to be saved or statutory retention obligations, e.g. under VAT law, have expired. If the basis of the processing should constitute consent, we will restrict the processing or we will delete the data when the consent is revoked, unless this conflicts with statutory provisions.

When you contact us by e-mail, the data you provide to us are saved by us so that we can answer your questions. We delete the data collected in this context after it is no longer necessary to save them, or we restrict processing if there are statutory retention obligations.


The legal basis of the data processing is
• the contract preparation and fulfilment pursuant to Art. 6 Para. 1 Letter b GDPR,
• statutory obligations pursuant to Art 6 Para. 1 Letter c GDPR that we have to fulfil such as retention and documentation obligations stipulated by law.
• legitimate interests of our company pursuant to Art. 6 Para. 1 Letter f GDPR,
• Art 6 Para. 1 Letter a GDPR in the event of consent being obtained.

3 Collection of personal data when visiting our website
3.1 Usage of the website for information purposes
When the website is only used for information purposes, we only collect the personal data that your browser sends to our server. If you wish to view our website, we will at most collect the data that is necessary for us from a technical perspective to display our website to you and to guarantee its stability and security.
• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific site)
• Access status / HTTP status code
• Website which the request comes from
• Browser
• Operating system and its interface
• Language and version of the browser software.

Legal basis: Art. 6 Abs. 1 lit. f DSGVO

3.2 Cookies
In addition to the data named above, cookies are saved on your computer when you use our website. Cookies are small text files that are saved on your hard disk and assigned to the browser used by you and by means of which the organisation that sets the cookie (in this case us) receives certain information. Cookies cannot execute any programs or transmit viruses to your computer.

Through the cookie, you can be recognised again when you visit the website, without data that you have already entered previously having to be re-entered.

The information contained in the cookies is used, e.g. to establish whether you are logged in or which data you have already entered or to recognise you again as a user when a link is established between our web server and your browser. With most web browsers, cookies are automatically accepted.

By using our web pages, you agree to the use of these cookies if cookies are accepted according to your browser settings.

3.2.1 Transient cookies
Transient cookies are automatically deleted when you close the browser. These include, in particular,
the session cookies. These save a so-called session ID with which various requests from your browser
can be assigned to the joint session. Your computer can thus be recognised again when you return to our website. The session cookies are deleted when you log out or close the browser.

3.2.2 Persistent cookies
Persistent cookies are automatically deleted after a specified duration which can differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.

3.2.3 Third-party cookies
These come from providers other than the operator of the website. They can, for instance, be used to collect information for advertising, user-defined content and web statistics.

3.2.4 Browsers
The default settings of browsers are that they accept all cookies. You can set your browser so that you are informed about the setting of cookies and only permit cookies in individual cases, exclude the acceptance of cookies
for certain cases or in general, and activate the automatic deletion of the cookies when the browser is closed. When cookies are deactivated, the functionality of our website can be restricted.

You can remove cookies saved on your PC at any time yourself by deleting the temporary Internet files.

Legal basis: Art. 6 Para. 1 Letter f GDPR (in the case of technical cookies), Art. 6 Para. 1 Letter a (in the case of all other cookies)

4 Server log files
To optimise this website with regard to the system performance, user friendliness and provision of useful information about our services, the provider of the website automatically collects and saves information in so-called server log files that your browser automatically sends to us. This includes the Internet Protocol address (IP address) of the requesting computer (including mobile devices), browser and language setting, operating system, referrer URL, your Internet service provider and date/time.

These data are not merged with sources of personal data. We reserve the right to check these data subsequently if specific indications of an unlawful usage become known, and to transfer the data to the criminal prosecution authorities if there has been a hacker attack. There is no transfer of data to third parties that goes beyond this.

Legal basis: Art. 6 Para. 1 Letter f GDPR

5 Webflow
Our website is hosted by Webflow, an external service provider whose address is Webflow, Inc., 398 11th Street, 2nd Floor, San Francisco, CA 94103 in the USA.

The personal data that are recorded on this website are saved on the servers of the hoster. These are primarily IP addresses, meta and communication data, web page visits and other data that are generated via a website.

Our hoster will only process your data to the extent required to fulfil its performance obligations and will comply with our instructions with regard to these data.

Information about the data privacy declaration of Webflow can be found at the following link (English):
https://www.webflow.com/privacy

For the US, there is currently no adequacy decision of the European Commission pursuant to Article
45 Para. 1, 3 General Data Protection Regulation (GDPR). This means that the European Commission has not yet positively ascertained that the country-specific data privacy level of this country corresponds to that of the European Union based on the GDPR (Article 46 Suitable guarantees).

The GDPR requires so-called suitable guarantees for data transmission to a third country or to an international organisation, Art. 46 Para. 2, 3 GDPR. Such guarantees do not exist for the aforementioned
country of destination.
Possible risks that cannot currently be excluded for you as the data subject in connection with the
aforementioned information are in particular:
• Your personal data could possibly be transferred by Webflow, beyond the actual purpose of the contract fulfilment, to other third parties (e.g.: US authorities).
• You may possibly not be able to claim or assert your rights to information towards Webflow in the long term.
• There is possibly a higher probability that there may be incorrect data processing as the technical and organisational measures for the protection of personal data do not fully correspond to the requirements of the GDPR with regard to their quantity and quality.

With your consent to the processing of (advertising and marketing) cookies, you explicitly consent to the transfer of data to the USA. You can revoke this consent at any time by e-mail; there are no formal requirements with regard to this e-mail. The data processing that has taken place before your consent was revoked is not affected by the revocation and is thus legally compliant.

Legal basis: Art. 6 Para. 1 Letter f GDPR

6 Wistia
Wistia provides software for the creation, administration and sharing of videos for business purposes with an individual adjustable player and detailed analyses. Our website uses Wistia that is provided by Wistia, Inc., 17 Tudor Street, Cambridge, MA 02139, USA, www.wistia.com (“Wistia”) in order to host videos. Wistia provides functions such as an integrated CDN (Content Delivery Network) for faster loading as well as improved quality control, depending on the type of device and the Internet speed of the user. In addition, subtitles can be added with this program that enhance the quality of the video content with regard to clarity. When you come into contact with videos on our
website, Wistia automatically receives and saves information of the browser used by you, including your IP address, information on cookies and the page requested by you in your server logs.

As stated in the data privacy declaration of Wistia, Wistia can also use user information in an identifiable form to send information to the creator of the videos that is directly associated with the videos.

This information can include how many and which videos of a particular creator of a video have been viewed by a particular user, at what place a particular video was viewed by a user, and how often a particular video was viewed by a particular user. Further information on the data privacy provisions of Wistia can be found at https://wistia.com/privacy.

For the US, there is currently no adequacy decision of the European Commission pursuant to Article
45 Para. 1, 3 General Data Protection Regulation (GDPR). This means that the European Commission has not yet positively ascertained that the country-specific data privacy level of this country corresponds to that of the European Union based on the GDPR (Article 46 Suitable guarantees).

The GDPR requires so-called suitable guarantees for data transmission to a third country or to an international organisation, Art. 46 Para. 2, 3 GDPR. Such guarantees do not exist for the aforementioned
country of destination.
Possible risks that cannot currently be excluded for you as the data subject in connection with the
aforementioned information are in particular:
• Your personal data could possibly be transferred by Wistia, beyond the actual purpose of the contract fulfilment, to other third parties (e.g.: US authorities).
• You may possibly not be able to claim or assert your rights to information towards Wistia in the long term.
• There is possibly a higher probability that there may be incorrect data processing as the technical and organisational measures for the protection of personal data do not fully correspond to the requirements of the GDPR with regard to their quantity and quality.

With your consent to the processing of (advertising and marketing) cookies, you explicitly consent to the transfer of data to the USA. You can revoke this consent at any time by e-mail; there are no formal requirements with regard to this e-mail. The data processing that has taken place before your consent was revoked is not affected by the revocation and is thus legally compliant.

Legal basis: Art. 6 Para. 1 Letter a GDPR

7 Content Delivery Network of Cloudflare
On our website we use the “Content Delivery Network” (CDN) from the company Cloudflare, Inc.,
101 Townsend Street, San Francisco, CA 94107, USA.

The CDN service makes it possible for content of our online services to be delivered faster.

Further information can be found in the data privacy declaration of Cloudflare:
https://www.cloudflare.com/security-policy.

For the US, there is currently no adequacy decision of the European Commission pursuant to Article
45 Para. 1, 3 General Data Protection Regulation (GDPR). This means that the European Commission has not yet positively ascertained that the country-specific data privacy level of this country corresponds to that of the European Union based on the GDPR (Article 46 Suitable guarantees).

The GDPR requires so-called suitable guarantees for data transmission to a third country or to an international organisation, Art. 46 Para. 2, 3 GDPR. Such guarantees do not exist for the aforementioned
country of destination.
Possible risks that cannot currently be excluded for you as the data subject in connection with the
aforementioned information are in particular:
• Your personal data could possibly be transferred by Cloudflare, beyond the actual purpose of the contract fulfilment, to other third parties (e.g.: US authorities).
• You may possibly not be able to claim or assert your rights to information towards Cloudflare in the long term.
• There is possibly a higher probability that there may be incorrect data processing as the technical and organisational measures for the protection of personal data do not fully correspond to the requirements of the GDPR with regard to their quantity and quality.

With your consent to the processing of (advertising and marketing) cookies, you explicitly consent to the transfer of data to the USA. You can revoke this consent at any time by e-mail; there are no formal requirements with regard to this e-mail. The data processing that has taken place before your consent was revoked is not affected by the revocation and is thus legally compliant.

Legal basis: Art. 6 Para. 1 Letter a GDPR

8 Content Delivery Network of Fastly
On our website we use the Content Delivery Network ("CDN") from the service provider Fastly Inc.,
475 Brannan St. #300, San Francisco, CA 94107, USA (“Fastly”). A Content Delivery Network is an online service with the aid of which large media files (such as graphics, page content or scripts) are delivered via a network of regionally distributed servers connected via the Internet. The use of the Content Delivery Network of Fastly helps us to optimise the loading speeds of our website.

For the US, there is currently no adequacy decision of the European Commission pursuant to Article
45 Para. 1, 3 General Data Protection Regulation (GDPR). This means that the European Commission has not yet positively ascertained that the country-specific data privacy level of this country corresponds to that of the European Union based on the GDPR (Article 46 Suitable guarantees).

The GDPR requires so-called suitable guarantees for data transmission to a third country or to an international organisation, Art. 46 Para. 2, 3 GDPR. Such guarantees do not exist for the aforementioned
country of destination.
Possible risks that cannot currently be excluded for you as the data subject in connection with the
aforementioned information are in particular:
• Your personal data could possibly be transferred by Fastly, beyond the actual purpose of the contract fulfilment, to other third parties (e.g.: US authorities).
• You may possibly not be able to claim or assert your rights to information towards Fastly in the long term.
• There is possibly a higher probability that there may be incorrect data processing as the technical and organisational measures for the protection of personal data do not fully correspond to the requirements of the GDPR with regard to their quantity and quality.

With your consent to the processing of (advertising and marketing) cookies, you explicitly consent to the transfer of data to the USA. You can revoke this consent at any time by e-mail; there are no formal requirements with regard to this e-mail. The data processing that has taken place before your consent was revoked is not affected by the revocation and is thus legally compliant.

Legal basis: Art. 6 Para. 1 Letter a GDPR

9 Content Delivery Network from Cloudfront
On our website we use the Content Delivery Network (CDN) Cloudfront. This is a service
of Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109-5210. The Cloudfront
CDN provides duplicates of data of a website on various Amazon Web
Services (AWS) servers distributed worldwide. This ensures a faster loading time for the website, a higher reliability and increased
protection against data loss. Some of the images and videos integrated on this website are obtained from the Cloudfront CDN when the page is viewed. When a page is viewed, information about your usage of our website (such as your IP address) is transferred to servers of Amazon in another EU country and saved there. This is done as soon as you access our website. The usage of Amazon Web Services and the Amazon CDN Cloudfront is done in the interest of greater reliability of the website, the increased protection against data loss and an improved loading speed of the website.

For the US, there is currently no adequacy decision of the European Commission pursuant to Article
45 Para. 1, 3 General Data Protection Regulation (GDPR). This means that the European Commission has not yet positively ascertained that the country-specific data privacy level of this country corresponds to that of the European Union based on the GDPR (Article 46 Suitable guarantees).

The GDPR requires so-called suitable guarantees for data transmission to a third country or to an international organisation, Art. 46 Para. 2, 3 GDPR. Such guarantees do not exist for the aforementioned
country of destination.
Possible risks that cannot currently be excluded for you as the data subject in connection with the
aforementioned information are in particular:
• Your personal data could possibly be transferred by Cloudfront, beyond the actual purpose of the contract fulfilment, to other third parties (e.g.: US authorities).
• You may possibly not be able to claim or assert your rights to information towards Cloudfront in the long term.
• There is possibly a higher probability that there may be incorrect data processing as the technical and organisational measures for the protection of personal data do not fully correspond to the requirements of the GDPR with regard to their quantity and quality.

With your consent to the processing of (advertising and marketing) cookies, you explicitly consent to the transfer of data to the USA. You can revoke this consent at any time by e-mail; there are no formal requirements with regard to this e-mail. The data processing that has taken place before your consent was revoked is not affected by the revocation and is thus legally compliant.

Legal basis: Art. 6 Para. 1 Letter a GDPR


10 Your rights
You have the following rights towards us with regard to your personal data:
• Right to information, rectification and erasure
• Right to restriction of processing
• Right to object to the processing
• Right to data portability

Please send your enquiries and concerns by e-mail to office@cmta.at or contact us using the contact details indicated.

If you believe that we are in breach of Austrian or European data privacy law when processing your data and thus we have infringed your rights, please contact us so that we can clarify any issues.

You also have the right to appeal to the supervisory authority, i.e. the Austrian Data Protection Authority:

Austrian Data Protection Authority, Barichgasse 40 – 42, 1030 Vienna, telephone: +43 1 52 152-0
E-mail: dsb@dsb.gv.at

11 Changes to this data privacy declaration
We reserve the right to make adjustments to our data privacy declaration from time to time.
All changes to the data privacy declaration will be published by us on this page. Please note in this regard the respectively valid version of our data privacy declaration.

12 Disclaimer
CMTA AG does not assume any responsibility for content on third-party websites which are linked to our website. Solely the operators of the sites are responsible for the content of the linked sites.

Complaints management

The outstanding quality of the services we offer as well as careful and fair operations in the customer’s best possible interest is of the utmost priority for CMTA AG. Nevertheless, there may be complaints and claims. In this case, please contact us at one of the following addresses:

by e-mail:
office@cmta.at

by post:
CMTA AG
Schmiedgasse 38/3
8010 Graz
Austria

Complaints received by CMTA AG or of which it gains knowledge by other means will be answered within 3 bank working days. We strive to find a definitive solution to your complaint within two weeks after receipt of the complaint.

Further information on the handling of complaints can be found in our customer information in the download area.

If you should not be satisfied with the handling of your complaint, you can also contact the arbitration centre for consumer transactions at office@verbraucherschlichtung.at. In addition, you have the option of bringing legal action before an ordinary court.