Data Protection Declaration – Information according to Art. 13 GDPR

Karl Mertl Handelsges.m.b.H. considers the protection and security of your personal data to be an important issue. We process your data exclusively on the basis of the relevant statutory provisions (GDPR, Data Protection Act [DSG], 2013 Telecommunications Act [TKG 2013]). Please find below detailed information on our various processing activities in the course of our business relationship.

Table of Contents

• 1. Data controller
• 2. Processing activities in connection with our website – www.mertl.com
• 3. Processing activities in connection with our customer portal website – service.rohrmertl.at
• 4. Processing of customer data
• 5. Processing of supplier data
• 6. Rights of data subjects

1. Data Controller

Karl Mertl Handelsges.m.b.H.
Hähergasse 14, 2320 Schwechat-Rannersdorf
Phone: +43 1 70131-0
Email: rohr@mertl.com

If you have any questions concerning data protection, please contact our Data Protection Coordinator: datenschutz@mertl.com

2. Processing activities in connection with our website – www.mertl.com

The website www.mertl.com serves the exclusive purpose of information. No personal data can therefore be entered by means of forms, etc. However, your browser communicates personal data which are stored on our web server.

2.1 Data categories

When you visit this website, the following personal data are collected:

• IP address
• Date and time
• Sub-menu accessed at mertl.com
• Status code
• Data quantity of the object
• Type and version of web browser
• Type and version of operating system
• Site from which the information was requested

2.2 Processing purposes

Your personal data are processed for the following purposes:

• Server log evaluation for problem analysis
• Logging system use

2.3 Legal basis for processing

The legal basis for processing your personal data is our overriding legitimate interest (Art 6 (1) letter f of the GDPR) in order to fulfill the above-mentioned purposes.

2.4 Recipients

The above-mentioned personal data are only accessible to the in-house IT unit and are not transferred to any third party.

2.5 Period of storage

As a matter of principle, your personal data are stored for a period of three months. They will be stored for a longer period, only to the extent necessary, in order to investigate identified attacks on our website.

2.6 SSL encryption

For reasons of security and as protection against the transfer of personal data, the website service.rohrmertl.at uses SSL encryption upon login. You can recognize an encrypted connection by looking at the address line of your browser which changes from “http://” to “https://” and shows a lock as a symbol in the browser line. If SSL encryption has been activated, the data which you transfer to us cannot be read by third parties at the same time.

2.7 Cookies

The website www.mertl.com uses so-called cookies. These are short data files which are stored on your computer whenever you visit a website. Cookies are generally used in order to grant users access to more website functions. For example, website settings may be stored, which are loaded automatically when the website is re-visited (e.g. language, image, etc.). Cookies cannot access any other data on your computer, or read or modify them.

For details, a full list of cookies in use, and how to manage consent settings, please see our Cookie Policy.

3. Processing activities in connection with our customer portal website – service.rohrmertl.at

The website service.rohrmertl.at accommodates our customer portal and serves to provide information about our stock of customers. Personal data are entered by means of a login form. Moreover, your browser provides personal data which are stored on our web server.

3.1 Data categories

When you visit our aforementioned website, the following personal data are collected:

• Company ID
• User ID
• Password
• Language
• IP address
• Date and time
• Sub-menu accessed at service.rohrmertl.at
• Status code
• Data quantity of the object
• Type and version of the web browser
• Type and version of the operating system
• Site from which the information was requested

3.2 Processing purposes

Your personal data are processed for the following purposes:

• Authorizing process at login
• Server log evaluation for problem analysis
• Logging system use

3.3 Legal basis for processing

The legal basis for processing your personal data is our overriding legitimate interest (Art 6 (1) letter f of the GDPR) in order to fulfill the above-mentioned purposes.

3.4 Recipients

The above-mentioned personal data are only accessible to the in-house IT unit and are not transferred to any third party.

3.5 Period of storage

Your login data (company ID, user ID, password, language) are stored during the period in which you have an account. Your personal data will be stored for a longer period only if we are required by law to do so. As a matter of principle, your other data, as shown above, are stored for a period of three months. These data will only be stored for a longer period in order to investigate any identified attack on our website.

3.6 Cookies

The website service.rohrmertl.at uses so-called cookies. These are short data files which are stored on your computer whenever you visit a website. Cookies are generally used in order to grant users access to more website functions. For example, website settings may be stored, which are loaded automatically when the website is re-visited (e.g. language, image, etc.). Cookies cannot access any other data on your computer, or read or modify them.

The website service.rohrmertl.at uses so-called session cookies. This means that they are deleted automatically when you have ended your website visit. Persistent cookies, by contrast, will remain on your computer until they are deleted manually.

You can adapt your bowser settings so that you will be informed about the setting of cookies and can allow cookies only in individual cases. You can also exclude accepting cookies in specific cases or generally, and you can also activate the automatic deletion of cookies when closing the browser. Please be aware that blocking or deleting cookies affects website functionality and may prevent you from using our website to the full extent.

3.7 Analysis tools

The website service.rohrmertl.at does not use any analysis tools for web analysis.

3.8 SSL encryption

For reasons of security and as protection against the transfer of personal data, the website service.rohrmertl.at uses SSL encryption upon login. You can recognize an encrypted connection by looking at the address line of your browser which changes from “http://” to “https://” and shows a lock as a symbol in the browser line. If SSL encryption has been activated, the data which you transfer to us cannot be read by third parties at the same time.

4. Processing of customer data

In the course of our business relationship with our customers we need various data which allow us to handle offers, orders, etc.
We collect several of your data so that we can give you – our customer – the best-possible attention from quotation to delivery of the ordered goods. All data of private customers or legal entities are personal data whenever they refer back to a physical person (e.g. one-person limited-liability companies). For all other legal entities it is only the data of the respective contact person that are considered personal data.

4.1 Data categories

The following data are collected in the course of the business relationship:

• Customer number
• Name
• Industry and customer group
• Address
• Language of communication
• VAT number and checking date
• Country code and EC code
• Company register number
• Phone numbers
• Web addresses
• Email addresses
• Correspondence in electronic or written form
• Bank details
• Data for tax payments (VAT rate)
• Type and conditions of payment
• Payment arrangements
• Data on credit rating (information, etc.)
• Data on granting of credit (credit limit, etc.)
• Data on credit insurance (insurance limit, coverage, etc.)
• Data on payment reminders (dunning level, etc.)
• Blocking flags (delivery block, dunning block)
• Compliance provisions
• Data for customs clearance (origin marks, etc.)
• Data relating to quotations and orders
• Data on acceptance of goods (type of goods, sales, etc.)
• Data on delivery terms (delivery address, delivery times, packaging, railway number, etc.)
• Data on quality assurance (complaints management, evaluations, calls on customers)
• Data concerning contact persons (form of address, title, name, phone/fax number, email address)

4.2 Processing purposes and legal basis

Your personal data are processed for the following purposes:

• To execute contracts with our customers as well as to perform pre-contractual measures. This processing purpose is based on the legal basis of Art 6 (1) letter b of the GDPR.
• Processing steps which serve to send reports to the tax office, Statistik Austria or other agencies, to which we are obliged by law. Their legal basis is Art 6 (1) letter c of the GDPR.
• Data processing steps which are taken to protect against economic risks. They help us to safeguard our legitimate interests. They are taken on the legal basis of Art 6 (1) letter f of the GDPR.

4.3 Recipients

Your personal data are transferred to the following recipients for the purposes outlined above:

• Inside Karl Mertl Handelsges.m.b.H., only technically competent staff members are given access to personal data.
• Personal data are transferred to third parties, whenever needed, such as forwarding agents, insurance companies, banks, tax advisers, chartered accountants as well as legal counsels or courts, if applicable.
• Moreover, we transfer personal data to our IT service provider under a processor agreement.

All processing steps as well as the transfer of personal data are performed solely inside the EU and/or the EEA.

4.4 Period of storage

We store your personal data for a period that, from our perspective, is necessary in order to achieve the processing purposes listed in item 4.2, and which are admissible under applicable law. In any event, we store your data for the safekeeping period required by law, or for as long as limitation periods for potential legal claims have not expired.

5. Processing of supplier data

In the course of the business relationship with our suppliers we need several data in order to be able to handle inquiries, orders, etc. In case of legal entities which refer back to a physical person (e.g. one-person limited-liability companies), all data are personal data. For all other legal entities the data of the contact persons are personal data.

5.1 Data categories

The following data are collected in the course of the business relationship:

• Supplier number
• Name
• Industry
• Company address (factory address, if applicable)
• Language of communication
• Language of certificate
• VAT number and checking date
• Country code and EC code
• Company register number
• Phone numbers
• Web addresses
• Email addresses
• Correspondence in electronic or written form
• Bank details
• Type of supplier
• Data for tax payments (pre-tax rate)
• Type and conditions of payment
• Payment arrangements
• Compliance provisions
• Data for customs clearance (origin marks, etc.)
• Data on inquiries, orders, supplier declarations and certificates
• Data on range of products (type of products, sales, delivery dates, etc.)
• Data on delivery conditions (delivery parity, mode of shipment, REACH, etc.)
• Data on quality assurance (complaints management, evaluations, calls by suppliers)
• Data on contact persons (form of address, title, name, phone/fax number, email address)

5.2 Processing purposes and legal basis

Your personal data are processed for the following purposes:

• To execute contracts with our business partners as well as to perform pre-contractual measures. This processing purpose is based on the legal basis of Art 6 (1) letter b of the GDPR.
• Processing steps which serve to send reports to the tax office, Statistik Austria or other agencies to which we are obliged by law. Their legal basis is Art 6 (1) letter c of the GDPR.
• Data processing steps which are taken to protect against economic risks. They help us to safeguard our legitimate interests. They are taken on the legal basis of Art 6 (1) letter f of the GDPR.

5.3 Recipients

Your personal data are forwarded to the following recipients for the purposes outlined above:

• Inside Karl Mertl Handelsges.m.b.H. only technically competent staff members are given access to personal data.
• Personal data are forwarded to third parties, whenever needed, such as forwarding agents, insurance companies, banks, tax advisers, chartered accountants as well as legal counsels or courts, if applicable.
• Moreover, we forward personal data to out IT service provider in the course of a processor agreement.

All processing steps as well as the forwarding of personal data are performed solely inside the EU and/or the EEA.

5.4 Period of storage

We store your personal data for a period that, from our perspective, is necessary in order to achieve the processing purposes listed in item 5.2, and which are admissible under applicable law. In any event, we store your data for the safekeeping period required by law, or for as long as limitation periods for potential legal claims have not expired.

6. Rights of data subjects

On the basis of the General Data Protection Regulation you have comprehensive rights concerning your personal data:

• Right of information
• Right of rectification
• Right of erasure
• Right of restriction of processing
• Right of data portability
• Right of objection

As a data subject you can exercise all your rights by sending an email to datenschutz@mertl.com, a message by mail or by establishing direct contact.

Moreover, you have the right to file a complaint with the Data Protection Agency at any time, concerning the processing of your personal data. The contact data of the Data Protection Agency are:

Österreichische Datenschutzbehörde (Austrian Data Protection Agency)
Wickenburggasse 8
1080 Vienna
Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at

Status: September 2022