Data protection

Information on data processing in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR)

Privacy policy

The protection of your personal data is of particular concern to us. We therefore process your personal data (“data” for short) exclusively on the basis of the statutory provisions. With this privacy policy, we want to inform you comprehensively about the processing of your data in our company and the data protection claims and rights to which you are enti-tled.

1. Who is responsible for data processing and who can you contact?

Controller: RWA Raiffeisen Ware Austria Aktiengesellschaft („RWA AG“ for short)
Address: Raiffeisenstraße 1, 2100 Korneuburg
Telephone number: +43 (0) 2262/755 50-0
E-Mail: datenschutz@rwa.at

2. What data is processed and from what sources does this data originate?

We process the data that we receive from you as part of the business initiation and rela-tionship. We also process data that we have legitimately received from credit agencies, creditor protection associations, from publicly accessible sources (e.g. company register, register of associations, land register, media) and other companies and Lagerhaus-cooperatives with which we have a long-term business relationship.

Personal data includes:
Your master-/contact data such as:

as a private customer: first and last name, address, contact details (e-mail ad-dress, telephone number, fax), date of birth, data from proof of identity provid-ed (copy of ID), bank details
as a corporate customer: company, company register number, VAT number, company number, address, contact details (e-mail address, telephone number, fax), bank details

In addition, we also process the following other personal data:

Information about the nature and content of our business relationship such as contract data, order data, sales and receipt data, customer and supplier history, consultation documents,
Information about your financial status (e.g. creditworthiness data),
advertising and sales data,
documentation data (e.g. consultation protocols), image data,
Information from your electronic communication with us (e.g. IP address, log-in data),
Data that we have received from you as part of our business relationship (e.g. in discussions with customers),
Data that we generate ourselves from master-/contact data and other data, e.g. by means of customer demand and customer potential analyses.

3. For what purposes and on what legal basis is the data processed?

We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act as amended:

• for the fulfilment of (pre-)contractual obligations (Art 6 para 1 lit. b GDPR):
Your data is processed for the sale and distribution of our goods and services, for pro-curement and logistics purposes and for customer administration. The data is processed in particular when initiating business and when executing contracts with you.

• for the fulfilment of legal obligations (Art. 6 para. 1 lit. c GDPR):
The processing of your data is necessary for the purpose of fulfilling various legal obliga-tions, e.g. from the Austrian Commercial Code (UGB) or the Federal Fiscal Code (BAO), money laundering regulations, product-specific regulations such as the Raw Materials Regulation, Chemicals Act.

• to safeguard legitimate interests (Art. 6 para. 1 lit.f GDPR):
Based on a balancing of interests, data may be processed beyond the actual fulfilment of the contract to protect our legitimate interests or those of third parties. In any case, data processing is carried out to protect legitimate interests in the following cases

Consultation of and data exchange with credit agencies and creditor protection as-sociations to determine creditworthiness data;
Postal advertising or marketing
Measures for business management and further development of services and prod-ucts;
Measures to protect our company from behaviour in breach of contract or the law, e.g. access controls, video surveillance;
Operation and management of merchandise management systems and a central master data system (hereinafter referred to as the ‘overall system’) to ensure effi-cient organisation, increase data quality and improve customer service;
in the context of legal prosecution.
Image processing on the basis of our interest in documentation and/or for reporting purposes (unless consent is required).

• within the scope of your consent (Art. 6 para. 1 lit. a GDPR):
If you have given us your consent to process your data, it will only be processed in accord-ance with the purposes specified in the declaration of consent and to the extent agreed therein. Consent given can be revoked at any time with effect for the future. This does not affect the lawful processing of your data until your revocation. To do so, please contact our e-mail address specified in point 1, for example.

In detail:

A) Contact option via the website
Our website contains contact details that allow you to contact us quickly via electronic channels. If you contact us via these channels, we will process your personal data (name, email address, telephone number, enquiry) for the purpose of processing and responding to your enquiry. The legal basis is the fulfilment of our (pre-)contractual obligations pursuant to Art. 6 para. 1 lit. b GDPR and our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in the rapid processing and response to any queries.

B) Merchandise management systems and central master data system
We process certain data together with the Lagerhaus cooperatives in merchandise man-agement systems and a central master data system. We and the Lagerhaus cooperatives can access your master data. This overall system should enable participating Lagerhaus cooper-atives that serve the same customers to use information about these customers across or-ganisations. The aim of this procedure is to always provide the most up-to-date and rele-vant information and, in particular, to avoid duplicate mailings. On the other hand, we or individual Lagerhaus cooperatives can only view additional data (in particular data on the content and type of business relationship) if we or the respective Lagerhaus cooperative have a business relationship with you. Data exchange on purchasing and sales data be-tween the individual Lagerhaus cooperatives therefore deliberately does not take place.

Data processing within the central master data system is carried out to ensure efficient or-ganisation, increase the data quality of existing customer data while simultaneously mini-mising data by overwriting outdated (master) data (duplicate cleansing, moved/deceased indicators, address correction) and for better customer service. The master data system en-ables (i) the accuracy, up-to-dateness and standardisation of the database, (ii) faster pro-cessing of sales, (iii) efficient checking of sanctions list data and safety data sheets and (iv) the definition and control of internal Group requirements. The data processing is therefore carried out on the basis of the legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR of the controller and, if applicable, also for the fulfilment of legal obligations pursuant to Art. 6 para. 1 lit. c GDPR.

If you have consented to this (Art 6 para 1 lit a GDPR), we and other Lagerhaus cooperatives will also use your personal data jointly for personalised direct marketing campaigns (e.g. newsletters), for targeted online marketing and personalised online shop design.

We are jointly responsible for this data processing with the Lagerhaus co-operatives. You can find a list of the Lagerhaus co-operatives here: Link . Accordingly, we have concluded an agreement with the Lagerhaus cooperatives in accordance with Art 26 GDPR (‘Joint Controller Agreement’), which regulates the distribution of tasks and obliga-tions under data protection law. You have the right to assert your claims against any con-troller. As the single point of contact, we are responsible for exercising the rights of data subjects and for direct cooperation and communication with the supervisory authority.

C) Cookies and Tracking-Tools
Our website uses so-called cookies. These are small text files that are stored on your end device with the help of the browser. We use cookies to operate our website (technically necessary cookies) and to customise our offer in a user-friendly and targeted manner (other cookies). Apart from the technically necessary cookies, the use of cookies requires that you have previously consented to this in the cookie banner (consent in accordance with Art. 6 para. 1 lit a GDPR in conjunction with § 165 para. 3 TKG). This means that without your con-sent to store this information on your end device and/or to access information already stored on your end device, no such cookies will be set:

a) Technically necessary cookies: We use technically necessary cookies on our website in order to be able to display the website to you and to enable you to use the web-site properly. The data processing is necessary for the purpose of data security and the prevention of misuse and is therefore based on our legitimate interests in ac-cordance with Art. 6 para. 1 lit. f GDPR in conjunction with § 165 para. 3 TKG.

b) Functional cookies: serve to improve or expand the functionalities of the website. Data processing takes place on the basis of your voluntary consent in accordance with Art. 6 para. 1 lit. a GDPR in conjunction with § 165 para. 3 TKG.

c) Marketing cookies: We use marketing cookies to follow visitors on websites. In this way, we want to show users adverts that are relevant and appealing to them. Data processing takes place on the basis of your voluntary consent in accordance with Art. 6 para. 1 lit a GDPR in conjunction with § 165 para. 3 TKG.

You can also find a complete list of cookies in the cookie banner on our website.
Cookies remain stored on your end device until you delete them or until they reach a stor-age period specified by us. They enable us to recognise your browser on your next visit.
You can accept or reject all cookies requiring consent by clicking on ‘Allow all cookies’ or ‘Allow only necessary cookies’. You can also give your individual consent in the cookie ban-ner via the ‘Show details’ link and change it at any time.
If cookies are deactivated, the functionality of our website may be limited.

We use the following tools and cookies on the basis of your voluntary and explicit consent:

• Tracking-Tools and use of Google Analytics
Our website uses analysis tools to collect general information about the usage behaviour of visitors. This includes, for example, pages viewed, length of visit, referring pages and gen-eral information about your computer system such as operating system, screen resolution, browser used etc. All data collected is stored anonymously and cannot be traced back to you personally.
This website also uses Google Analytics, an internet analysis service from Google. Google Analytics uses cookies that enable your use of the website to be analysed.
The information generated by the cookies about your use of the website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and in-ternet usage. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google’s behalf. You can prevent the installation of cookies by selecting the appropriate settings in your browser software.
We would like to inform you that this website uses Google Analytics exclusively by using a deactivation add-on ‘_anonymiseIp()’. Your IP address is not stored in full.
You can find more information on data usage by Google here: https://support.google.com/analytics/answer/6004245?hl=de

• Use of SocialSharing

We do not use any plugins from the respective social media services for the social sharing functionalities. Instead, we only use a text or image link. This means that no data, such as your IP address, browser used, screen resolution, the website accessed, date and time, is transmitted to the respective social media services.

If you click on a social sharing link while you are logged into your respective social media account, you can share the content of our pages on your profile. This allows the social me-dia service to associate your visit to our pages with your user account. In this case, the re-spective social media service and we are joint controllers in accordance with Art. 26 GDPR.

• Use of hCaptcha

We use the anti-spam/bot service hCaptcha (hereinafter ‘hCaptcha’) on our website. hCap-tcha is a service provided by Intuition Machines, Inc. (IMI) based in the USA and enables us to distinguish whether a contact request originates from a natural person or is automated by means of a programme. This tool displays captchas – small tasks that are easy for humans to solve but difficult for machines to master. These captchas help us to identify spam.
hCaptcha analyses the behaviour of the website visitor based on various characteristics. For the analysis, hCaptcha evaluates various information (e.g. IP address, how long the visitor has been on the website or the user’s mouse movements). In addition, hCaptcha collects the answers to the small tasks you are asked. This data is processed by hCaptcha exclusively to protect our website from bots and spam. Your (non-personal) answers to the small tasks you are asked (e.g. recognising certain objects in images) are also used by hCaptcha to train algorithms.
Further information on hCaptcha and IMI’s privacy policy and terms of use can be found at the following links: https://hcaptcha.com/privacy/and https://hcaptcha.com/terms

• Google Tag Manager

This website uses Google Tag Manager. This service allows website tags to be managed via an interface. The Google Tool Manager only implements tags. This means that no cookies are used and no personal data is collected. The Google Tool Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this da-ta. If deactivation has been carried out at domain or cookie level, it remains in place for all tracking tags, provided that these are implemented with the Google Tag Manager.

You can also find a complete list of cookies in the cookie banner on our website.

4. Who receives your data?

4.1. If we commission a processor, we nevertheless remain responsible for the protection of your data. All processors are contractually obliged to treat your data confidentially and to process it only in the context of providing the service. The processors commissioned by us will receive your data if they require the data to fulfil their respective service. These are IT service providers that we require for the operation and security of our IT system as well as advertising and address publishers for our own advertising campaigns.

4.2. If you have given your express consent, your data will be transmitted to the ware-house’s own affiliated companies, to RWA AG, to other warehouses in permanent business relationships with RWA AG and to affiliated companies of RWA AG for the purposes of com-pany-related and individual advertising/customer support in the areas of home & garden, technology, agriculture, energy and building materials.
This processing of customer interests constitutes profiling within the meaning of Art. 4 GDPR; however, automated decision-making within the meaning of Art. 22 GDPR does not take place.
4.3. If an offer is made/sold/serviced via manufacturer portals, the data you provide will be processed directly in the manufacturer’s portal.

4.4. For the purpose of creditor protection, we transmit master data and information on your financial status to credit insurance companies (currently Acredia Versicherung AG), credit protection associations (currently KSV 1870 Information GmbH) and credit agencies (currently CRIF GmbH).

4.5. In the event of a legal obligation (Art 6 para 1 lit c GDPR) and in the context of legal prosecution based on our legitimate interests (Art 6 para 1 lit f GDPR), authorities and courts as well as external auditors and legal representatives may be recipients of your data.

4.6. In addition, insurance companies, banks, credit agencies and service providers may be recipients of your data for the purpose of contract initiation and fulfilment.

4.7. For the purpose of documentation and reporting (in particular of events), print and digital media such as Bezirksblätter, ‘Unser Land’ may be recipients of image recordings. This data processing is carried out on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f GDPR in an appealing company presentation and external communication. If we cannot base the data processing on our legitimate interests, we will obtain your voluntary consent in advance in accordance with Art. 6 para. 1 lit. a GDPR.

4.8. For a better understanding of the recipient categories mentioned under point 4, you will find a selection of individual companies at this link.

5. Will the personal data be transferred to a third country?

In principle, we do not transfer any data to a third country. In individual cases, data will only be transferred on the basis of an adequacy decision by the European Commission, standard contractual clauses, suitable guarantees or your express consent.

6. How long will your data be stored?

We process your data until the termination of the business relationship or until the expiry of the applicable guarantee, warranty, limitation and statutory retention periods (e.g. from the Austrian Commercial Code (UGB), the Federal Fiscal Code (BAO)); in addition, until the termination of any legal disputes in which the data is required as evidence.

7. What data protection rights do you have?

You have the right to information, correction, deletion or restriction of the processing of your stored data, a right to object to the processing and a right to data portability at any time. If the data processing is based on your consent, you can revoke this at any time with effect for the future. You also have the right to lodge a complaint with the competent su-pervisory authority. In detail:

7.1. Right to information:
You can request information from us as to whether and to what extent we process your da-ta.

7.2. Right to rectification:
If we process your data that is incomplete or incorrect, you can request that we correct or complete it at any time.

7.3. Right to erasure:
You can demand that we erase your data if we process it unlawfully or if the processing dis-proportionately interferes with your legitimate protection interests. Please note that there may be reasons that prevent immediate erasure, e.g. in the case of statutory retention obli-gations.

7.4. Right to restriction of processing:
You can demand that we restrict the processing of your data if

you contest the accuracy of the data, for a period enabling us to verify the accuracy of the data
the processing of the data is unlawful, but you oppose the erasure of the data and request the restriction of its use instead,
we no longer need the data for the intended purpose, but you still need this data for the assertion or defence of legal claims, or
you have objected to the processing of the data.

7.5. Right to data portability:
You may request that we provide you with the data you have provided to us in a structured, commonly used and machine-readable format and that you may transmit this data to an-other controller without hindrance from us, provided that

we process this data on the basis of your revocable consent or for the fulfilment of a contract between us, and
this processing is carried out using automated procedures.

If technically feasible, you can request that we transfer your data directly to another con-troller.

7.6. Right to object:
If we process your data for legitimate interests, you can object to this data processing at any time for reasons arising from your particular situation; this also applies to profiling based on these provisions. We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims. You can object to the processing of your data for the purpose of direct advertising at any time without giving reasons.

7.7. Right to lodge a complaint:
If you are of the opinion that we are violating Austrian or European data protection law when processing your data, please contact us so that we can clarify any questions you may have. Of course, you also have the right to lodge a complaint with the Austrian Data Protec-tion Authority (Barichgasse 40-42, 1030 Vienna; dsb@dsb.gv.at) or with a supervisory au-thority within the EU.

If you wish to assert one of the aforementioned rights against us, please contact us at the e-mail address given in point 1. In case of doubt, we may request additional information to confirm your identity. This serves to protect your rights and your privacy.

8. Final provisions

In the course of the further development of our services, we will continuously adapt this privacy policy. We will make the currently valid version of the privacy policy available on our website. We recommend that you inform yourself regularly about the current version.