Introduction and Overview

We have prepared this Privacy Policy (Version 10/31/2023-122601755) to explain to you, in accordance with the requirements of the General Data Protection Regulation (EU) 2016/679 and applicable national laws, which personal data (hereinafter “data”) we, as the data controller—and the processors we have commissioned (e.g., service providers)—process, will process in the future, and what legal options you have. The terms used are to be understood as gender-neutral.
In short: We provide you with comprehensive information about the data we process regarding you.

Privacy policies usually sound very technical and use legal jargon. This privacy policy, however, is intended to describe the most important points as simply and transparently as possible. Where transparency is aided by it, technical terms are explained in a reader-friendly manner, links to further information are provided, and graphics are used. We therefore inform you in clear and simple language that, within the scope of our business activities, we process personal data only when there is a corresponding legal basis. This is certainly not possible if one provides explanations that are as brief, unclear, and legally technical as those often found online when it comes to data protection. We hope you find the following explanations interesting and informative, and perhaps there is some information here that you were not previously aware of.
If you still have questions, please contact the responsible party listed below or in the legal notice, follow the provided links, and review additional information on third-party websites. You can, of course, also find our contact information in the legal notice.

Scope of Application

This Privacy Policy applies to all personal data processed by us within the company and to all personal data processed by companies we have commissioned (processors). By “personal data,” we mean information as defined in Article 4(1) of the GDPR, such as a person’s name, email address, and mailing address. The processing of personal data enables us to offer and bill for our services and products, whether online or offline. The scope of this Privacy Policy includes:

  • all online platforms (websites, online stores) that we operate
  • social media platforms and email communication
  • mobile apps for smartphones and other devices

In short: This Privacy Policy applies to all areas where personal data is processed in a structured manner within the company via the aforementioned channels. Should we enter into legal relationships with you outside of these channels, we will inform you separately if necessary.

Legal Basis

In the following privacy policy, we provide you with transparent information regarding the legal principles and regulations—that is, the legal basis under the General Data Protection Regulation—that allow us to process personal data.
With regard to EU law, we refer to REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of April 27, 2016. You can, of course, read this EU General Data Protection Regulation online on EUR-Lex, the portal for EU law, at https://eur-lex.europa.eu/legal-content/DE/ALL/?uri=celex%3A32016R0679.

We process your data only if at least one of the following conditions applies:

  1. Consent (Article 6(1)(a) GDPR): You have given us your consent to process data for a specific purpose. An example would be the storage of the data you entered in a contact form.
  2. Contract (Article 6(1)(b) GDPR): We process your data to fulfill a contract or pre-contractual obligations with you. For example, if we enter into a purchase agreement with you, we need personal information in advance.
  3. Legal obligation (Article 6(1)(c) GDPR): We process your data if we are subject to a legal obligation. For example, we are legally required to retain invoices for accounting purposes. These typically contain personal data.
  4. Legitimate Interests (Article 6(1)(f) GDPR): In cases of legitimate interests that do not infringe upon your fundamental rights, we reserve the right to process personal data. For example, we must process certain data to operate our website securely and economically efficiently. This processing therefore constitutes a legitimate interest.

Other conditions, such as processing in the public interest, the exercise of official authority, and the protection of vital interests, generally do not apply to us. Should such a legal basis become relevant, it will be indicated in the appropriate section.

In addition to the EU Regulation, national laws also apply:

  • In Austria, this is the Federal Act on the Protection of Natural Persons with Regard to the Processing of Personal Data (Data Protection Act), or DSG for short.
  • In Germany, the Federal Data Protection Act (BDSG) applies.

If other regional or national laws apply, we will inform you about them in the following sections.

Contact information for the data controller

If you have any questions regarding data protection or the processing of personal data, please find the contact information for the responsible person or department below:
LAMBDA Wärmepumpen GmbH
Perlmooserstraße 2
A – 6322 Kirchbichl

Florian Entleitner, MSc., and Florian Fuchs, MSc.

Email: office@lambda-wp.at
Phone: +43 (0)506322
Legal Notice: https://lambda-wp.at/impressum/

Retention period

It is our general policy to store personal data only for as long as is strictly necessary to provide our services and products. This means that we delete personal data as soon as the reason for processing it no longer exists. In some cases, we are legally required to retain certain data even after the original purpose has ceased to exist, for example, for accounting purposes.

If you wish to have your data deleted or revoke your consent to data processing, the data will be deleted as soon as possible, provided there is no legal obligation to retain it.

We provide further information below regarding the specific duration of each data processing activity, to the extent that we have additional details available.

Rights under the General Data Protection Regulation

In accordance with Articles 13 and 14 of the GDPR, we are informing you of the following rights to which you are entitled to ensure fair and transparent data processing:

  • Under Article 15 of the GDPR, you have the right to request information regarding whether we process your data. If this is the case, you have the right to receive a copy of the data and to learn the following information:
     
    • the purpose for which we process the data;
    • the categories, i.e., the types of data being processed;
    • who receives this data and, if the data is transferred to third countries, how security is ensured;
    • how long the data will be stored;
    • the existence of the right to rectification, erasure, or restriction of processing, and the right to object to processing;
    • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
    • the source of the data if we did not collect it from you;
    • whether profiling is carried out, i.e., whether data is automatically analyzed to create a personal profile of you.
  • Under Article 16 of the GDPR, you have the right to rectification of the data, which means that we must correct the data if you find any errors.
  • Under Article 17 of the GDPR, you have the right to erasure (“right to be forgotten”), which specifically means that you may request the erasure of your data.
  • Under Article 18 of the GDPR, you have the right to restriction of processing, which means that we may only store the data but may not use it further.
  • Under Article 20 of the GDPR, you have the right to data portability, which means that we must provide you with your data in a commonly used format upon request.
  • Under Article 21 of the GDPR, you have the right to object, which, once exercised, results in a change to the processing.
     
    • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object to the processing. We will then review as soon as possible whether we can legally comply with this objection.
    • If data is used for direct marketing, you may object to this type of data processing at any time. We may no longer use your data for direct marketing thereafter.
    • If data is used for profiling, you may object to this type of data processing at any time. We may no longer use your data for profiling after that.
  • Under certain circumstances, you have the right under Article 22 of the GDPR not to be subject to a decision based solely on automated processing (such as profiling).
  • Under Article 77 of the GDPR, you have the right to lodge a complaint. This means you can file a complaint with the data protection authority at any time if you believe that the processing of personal data violates the GDPR.

In short: You have rights—don’t hesitate to contact the responsible party listed above!

If you believe that the processing of your data violates data protection law or that your data protection rights have been infringed in any other way, you may file a complaint with the supervisory authority. In Austria, this is the Data Protection Authority, whose website can be found at https://www.dsb.gv.at/. In Germany, there is a data protection officer for each federal state. For further information, you can contact the Federal Commissioner for Data Protection and Freedom of Information (BfDI). The following local data protection authority is responsible for our company:

Austrian Data Protection Authority

Director: Mag. Dr. Andrea Jelinek
Address: Barichgasse 40-42, 1030 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: https://www.dsb.gv.at/

Data transfers to third countries

We transfer data to, or process data in, countries outside the scope of the GDPR (third countries) only if you consent to such processing or if there is another legal basis for doing so. This applies in particular when the processing is required by law or necessary to fulfill a contractual relationship, and in any case only to the extent that it is generally permitted. In most cases, your consent is the primary reason we process data in third countries. The processing of personal data in third countries such as the United States, where many software providers offer services and have their server locations, may mean that personal data is processed and stored in unexpected ways.

We expressly point out that, in the opinion of the European Court of Justice, an adequate level of protection for data transfers to the U.S. currently exists only if a U.S. company that processes personal data of EU citizens in the U.S. is an active participant in the EU-U.S. Data Privacy Framework. For more information, please visit: https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en

Data processing by U.S. services that are not active participants in the EU-U.S. Data Privacy Framework may result in data being processed and stored without anonymization. Furthermore, U.S. government authorities may access individual data. In addition, collected data may be linked to data from other services of the same provider, provided you have a corresponding user account. Whenever possible, we strive to use server locations within the EU, if available.
We provide more detailed information about data transfers to third countries, where applicable, in the relevant sections of this Privacy Policy.

Data Processing Security

To protect personal data, we have implemented both technical and organizational measures. Whenever possible, we encrypt or pseudonymize personal data. In this way, we make it as difficult as possible—within the limits of our capabilities—for third parties to infer personal information from our data.

Article 25 of the GDPR refers to “data protection by design and by default,” meaning that security must always be considered and appropriate measures implemented for both software (e.g., forms) and hardware (e.g., access to the server room). Below, we will discuss specific measures where necessary.

Communication

Communication Summary
👥 Data subjects: Anyone who communicates with us by phone, email, or online form
📓 Data processed: e.g., phone number, name, email address, form data entered. You can find more details under the respective contact method
🤝 Purpose: Handling communication with customers, business partners, etc.
📅 Retention period: Duration of the business transaction and as required by law
⚖️ Legal basis: Art. 6(1)(a) GDPR (consent), Art. 6(1)(b) GDPR (contract), Art. 6(1)(f) GDPR (legitimate interests)

When you contact us and communicate via phone, email, or online form, personal data may be processed.

The data is processed for the purpose of handling and addressing your inquiry and the associated business transaction. The data is stored for as long as necessary or as required by law.

Data Subjects

The aforementioned processes affect everyone who contacts us via the communication channels we provide.

Phone

When you call us, the call data is stored in pseudonymized form on the respective device and with the telecommunications provider used. Additionally, data such as your name and phone number may subsequently be sent via email and stored to respond to your inquiry. The data is deleted as soon as the business matter is concluded and legal requirements permit.

Email

When you communicate with us via email, data may be stored on the respective device (computer, laptop, smartphone, etc.) and data is stored on the email server. The data is deleted as soon as the business transaction is completed and legal requirements permit.

Online Forms

When you communicate with us via an online form, data is stored on our web server and, if necessary, forwarded to one of our email addresses. The data will be deleted as soon as the business transaction is completed and legal requirements permit.

Legal Basis

The processing of data is based on the following legal grounds:

  • Art. 6(1)(a) GDPR (Consent): You give us your consent to store your data and to use it for purposes related to the business transaction;
  • Art. 6(1)(b) GDPR (Contract): It is necessary for the performance of a contract with you or a processor, such as a telephone provider, or we must process the data for pre-contractual activities, such as preparing a quote;
  • Art. 6(1)(f) GDPR (Legitimate Interests): We aim to handle customer inquiries and business communications in a professional manner. To do so, certain technical tools—such as email programs, Exchange servers, and mobile network operators—are necessary to ensure efficient communication.

Data Processing Agreement (DPA)

In this section, we would like to explain what a data processing agreement is and why it is necessary. Since the term “data processing agreement” is quite a mouthful, we will often use the acronym DPA throughout this text. Like most companies, we do not operate in isolation but also utilize the services of other companies or individuals. By involving various companies or service providers, we may need to share personal data for processing. These partners then act as data processors, with whom we enter into a contract known as a Data Processing Agreement (DPA). The most important thing for you to know is that the processing of your personal data takes place exclusively in accordance with our instructions and must be governed by the DPA.

Who are data processors?

As a company and website owner, we are responsible for all data we process from you. In addition to the data controllers, there may also be so-called data processors. This includes any company or individual that processes personal data on our behalf. More precisely, and according to the GDPR definition: any natural or legal person, public authority, agency, or other body that processes personal data on our behalf is considered a data processor. Processors can therefore be service providers such as hosting or cloud providers, payment or newsletter providers, or large companies such as Google or Microsoft.

To help clarify the terminology, here is an overview of the three roles in the GDPR:

Data Subject (you as a customer or prospective customer) → Data Controller (we as a company and the data controller) → Data Processor (service providers such as web hosts or cloud providers)

Contents of a Data Processing Agreement

As mentioned above, we have entered into a DPA with our partners who act as data processors. Above all, this agreement stipulates that the data processor shall process the data exclusively in accordance with the GDPR. The agreement must be concluded in writing; however, in this context, an electronic agreement is also considered “in writing.” The processing of personal data takes place only on the basis of the agreement. The agreement must include the following:

  • Obligations to us as the data controller
  • Obligations and rights of the controller
  • Categories of data subjects
  • Type of personal data
  • Nature and purpose of data processing
  • Subject matter and duration of data processing
  • Location of data processing

Furthermore, the contract sets forth all obligations of the data processor. The most important obligations are:

  • Measures to ensure data security
  • Taking all reasonable technical and organizational measures to protect the rights of the data subject
  • Maintaining a record of processing activities
  • Cooperating with the data protection supervisory authority upon request
  • Conducting a risk assessment regarding the personal data received
  • Sub-processors may only be engaged with the written consent of the controller

You can see what such a data processing agreement looks like, for example, at https://www.wko.at/service/wirtschaftsrecht-gewerberecht/eu-dsgvo-mustervertrag-auftragsverarbeitung.html. A sample contract is presented there.

Closing Remarks

Congratulations! If you’re reading this, you’ve either really “battled” your way through our entire privacy policy or at least scrolled down to this point. As you can see from the length of our privacy policy, we take the protection of your personal data very seriously. It is important to us to inform you, to the best of our knowledge and belief, about the processing of personal data. However, we don’t just want to tell you what data is processed; we also want to explain the reasons behind our use of various software programs. Privacy policies usually sound very technical and legal. But since most of you aren’t web developers or lawyers, we wanted to take a different approach linguistically and explain the facts in simple and clear language. Of course, this isn’t always possible given the subject matter. Therefore, the most important terms are explained in more detail at the end of the privacy policy.
If you have any questions regarding data protection on our website, please don’t hesitate to contact us or the responsible authority. We hope you enjoy your visit and look forward to welcoming you back to our website soon.

All texts are protected by copyright.