A. FOR WHAT PURPOSE AND ON WHAT LEGAL BASIS WILL YOUR PERSONAL DATA BE PROCESSED?
In order for the company to operate within a legally compliant framework and thus in accordance with legal and internal company regulations, it may be necessary to carry out internal company investigations and compliance checks. This may require the processing of your personal data. We process your personal data in order to prevent potential violations. Such violations can arise in the areas of criminal, antitrust, tax or labor law. For this purpose, email traffic, calendar entries, or data and documents stored on the company's own IT systems and devices can be logged and evaluated in compliance with the principle of data minimization. Data obtained from third parties (e.g. authorities, whistleblowers) may also be examined and processed.
Your personal data will be processed in particular for the following purposes: - to investigate misconduct (e.g. labor, criminal, antitrust or tax law violations, etc.), - to eliminate grievances in the company (e.g. carrying out educational measures to eliminate conflicts of interest), - to determine suitable measures to avoid (contractual or statutory) violations of laws or guidelines, - to clarify specific suspected cases in individual cases (also to protect employees who are wrongly suspected) and - to secure and subsequently assert legal claims.
In this context, we base the processing of your personal data on our overriding legitimate interest in accordance with Article 6 (1) (f) GDPR.
Our legitimate interest lies in avoiding violations of legal prohibitions as far as possible and in improving the quality of our compliance measures for the purpose of compliant operations. Processing can also take place for reasons of fulfilling the contract in accordance with Article 6 Paragraph 1 lit b or within the framework of the fulfillment of legal obligations in accordance with Article 6 Paragraph 1 lit c GDPR.
B. WHAT PERSONAL DATA WILL BE PROCESSED?
It may happen that we process the following personal data about you as part of the implementation of appropriate compliance measures:
- Names
- Function or role in the company - Factual data (description of facts or incidents, specific suspicion)
- Evidence (access logs, emails, calendar entries, notes, saved documents and other relevant content)
- Senders and recipients of emails
C. TO WHOM DO WE SHARE YOUR PERSONAL DATA?
We will only pass on your personal data if this is necessary to fulfill contractual obligations, if we are legally obliged to do so, if there is a legitimate interest in 3 the transfer or if you have given your consent. In any case, we will only pass on your data to the extent necessary to achieve the purpose. Since ELG has several group companies, we transfer personal data to other companies in our group if necessary to achieve the purposes stated above. In addition, your personal data may be transmitted to the following recipients or external service providers:
- Public bodies (e.g. social security institutions, tax authorities, labor authorities, courts, public prosecutor's offices, etc.)
- Tax advisors and auditors
- External IT experts
- Lawyers
- Other comparable professionals
D. HOW LONG DO WE STORE YOUR PERSONAL DATA?
Your personal data will only be retained for as long as it is necessary to fulfill the purposes, in particular for the compliance measures stated in this data protection declaration. Your personal data will be stored for as long as it is necessary for the respective check and control. This includes storage for documentation purposes. In addition, your personal data will be stored for as long as it is necessary for documentation purposes, legal prosecution and the duration of the respective procedure. Otherwise, the data will be deleted two months after the end of the examination. To the extent that personal data is required to fulfill tax and commercial retention obligations (e.g. BAO and UGB), these will be stored for 7 years from the end of the respective calendar year.
E. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?
As a data subject, you have the following rights with regard to the processing of your personal data:
You can request information about the data processed about you, in particular about the origin and categories of the data processed, the storage period, the recipients to whom your personal data is or has been disclosed, the purpose or type of processing. Upon request, we will provide you with a copy of the personal data we process about you.
If we process data about you that is incorrect or incomplete, you can request that it be corrected or completed - including by means of a supplementary declaration. Right to deletion You have the right to request that we delete personal data relating to you. We will be happy to delete your data if this is required by law (Article 17 GDPR). We would like to point out that there is no right to deletion in particular if we have to process the data in order to fulfill a legal (retention) obligation or in order to be able to assert, exercise or defend legal claims.
If it is unclear whether the data processed about you is incorrect, incomplete or processed unlawfully, you can request that we restrict the use of your personal data.
Even if your personal data is correct and complete and is processed lawfully by us, you can object to the processing of this data in special individual cases based on your reasons.
If we process personal data about you that you have provided to us, in certain circumstances you may request that this data be sent to you in a machine-readable format. You can also instruct us to transmit this data directly to a third party of your choice, provided this is technically feasible.
To the extent that we process your data based on your consent, you are entitled to withdraw your consent at any time. Please note that a revocation does not affect the lawfulness of the data processing carried out based on the consent up to the revocation.
Although we make every effort to protect and protect your data, disagreements about the way we use your data cannot be ruled out. If you believe that the processing of your data violates the GDPR, you may lodge a complaint with the responsible supervisory authority, the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna.