Privacy policy
1. Who is responsible for data processing and who can I contact?
1.1 CIS - Certification & Information Security Services GmbH is a leading partner for system certifications, verifications and validations, assessments, trainings and individuals’ certifications (hereinafter also referred to as "CIS services"). The basis is formed by accreditations at the BMAW (“Bundesministerium für Arbeit und Wirtschaft” - “Federal Ministry of Labour and Economy”). Its key asset is its competence as a national market leader for information security management and IT service management for secure and increased business excellence. CIS is thus an important driver and trendsetter for Austria as a business location and for "securing your business".
1.2 Certification & Information Security Services GmbH ("CIS-Cert", "we", "us") is the controller within the meaning of Article 4(7) of the General Data Protection Regulation ("GDPR").
1.3 You can reach us as follows:
Certification & Information Security Services GmbH
Salztorgasse 2/3/7
1010 Vienna, Austria
Phone: +43 (0)1 532 98 90
Fax: +43 (0)1 532 98 90 89
E-Mail: datenschutz@cis-cert.com
1.4 The controller takes the protection of your personal data very seriously. The controller therefore treats your personal data confidentially and in accordance with the applicable data protection regulations, in particular the GDPR and the Austrian Data Protection Act in the current version ("DSG").
1.5 In this privacy policy you will find information on the data processing activities carried out. The terms laid down in the GDPR are used accordingly. For better comprehensibility, you will find the most important terms according to their legal definition below:
- Personal data: any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Data subject: The person whose personal data is processed.
- Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
- Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- Consent (of the data subject): any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. For what purposes and on what legal basis is your personal data processed?
2.1 Provision of the website
2.1.1 In order to make the website available to you and to be able to identify, prevent and investigate attacks on our website, CIS-Cert processes the following personal data on the basis of our aforementioned legitimate interests (Art 6 para 1 lit f GDPR): the URL; the date and time of the visit; the IP address of the computer or mobile device; the name and version of the web browser; the browser type and settings data (screen resolution, colour depth, time zone settings, browser extensions, fonts, language); the operating system; and the website (URL) from which you visit our website ("referrer"). The processing of this data is necessary to provide you with the website and its features.
2.2 Enquiry by website, email, post or telephone
2.2.1 If you send an enquiry to CIS-Cert via the contact form on the website, by e-mail or by telephone, CIS-Cert processes the following personal data to answer the enquiry in order to carry out pre-contractual measures or to fulfil the contract (Art 6 para 1 lit b GDPR), or on the basis of our legitimate interest in being able to process your enquiry (Art 6 para 1 lit f GDPR): name; e-mail address; address; telephone number; content of the enquiry; other information you provide to us voluntarily; personal information about our CIS services. The processing of this data is necessary to handle your enquiry.
2.3 Offering CIS services (incl. customer handling)
2.3.1 As part of our CIS services, we process (i) personal data that you provide to us, (ii) personal data that our customers provide to us as principals of the CIS services and (iii) personal data that we collect ourselves in the course of providing the CIS services. The personal data that we collect in the course of providing a CIS service are used for the purposes of fulfilling the contract in accordance with the relevant contractual documents and our terms and conditions, as well as for the necessary documentation in accordance with the normative requirements (in particular ISO/IEC 17021-1, ISO/IEC 17024, and any additional requirements from models to be audited commissioned by the customer), for bookkeeping and accounting, for the assertion and defense of legal claims and for customer relationship management, including the submission of offers for further CIS services (e.g. recertification and extension certifications, relevant training).
2.3.2 For the aforementioned purposes, we process name, address and other contact data, date and place of birth, identification data (including ID data, certificates, electronic signature) and other personal data in connection with the respective order (including audit documentation, event documentation, certificate data, billing data, bank data). Without the processing of the aforementioned data, we cannot offer the CIS services and cannot manage ongoing customer relationships. The legal basis for this processing is the implementation of pre-contractual measures or the fulfilment of the contract (Art 6 para 1 lit b GDPR).
2.4 Marketing communication, newsletter, event participation
2.4.1 We send our customers electronic communications (by e-mail, SMS, MMS or Messenger) to advertise our CIS services ("promotional messages"). For this purpose, we process your name, contact details and other information that you provide to us voluntarily in connection with the receipt of promotional messages. The customer can object to the sending of promotional messages at any time by sending an e-mail to marketing@cis-cert.com with the objection. We will also give you the opportunity to opt out of receiving further promotional messages with each promotional message. The legal basis for the sending of promotional messages is Section 174 para 4 Telecommunications Act 2021.
2.4.2 We will send you postal letters with advertising communication on the basis of our legitimate interests in advertising CIS services of interest to you (Art 6 para. 1 lit. f GDPR). For this purpose, we process your name, contact details and other information that you provide to us voluntarily in connection with the receipt of advertising communication. You can exercise your right to object to postal advertising communication by sending an e-mail to the e-mail address given in point 1.3.
2.4.3 If you voluntarily provide us with your contact details and other data for the purpose of receiving newsletters, participating in events or other information transmissions, we process your data on the basis of your consent (Art 6 para 1 lit a GDPR). You can revoke your consent at any time by sending an e-mail to the e-mail address given in point 1.3.
2.5 Certificate management
2.5.1 According to the Accreditation Act and the relevant standards (in particular ISO/IEC 17021-1, ISO/IEC 17024), CIS-Cert is obliged to provide a publicly accessible list of the certifications carried out. The respective certificate holders are listed in the directory, which is accessible on the CIS website. CIS-Cert thus makes it possible to check or query valid certificates that have been issued. For this purpose, personal data can be processed, specifically name, academic title, certificate name, certificate title and certificate number (for further details, see point 3.3 below). The legal basis for this is Art. 6 para. 1 lit. c GDPR in conjunction with the Accreditation Act 2021 (as well as relevant standards, in particular EN ISO/IEC 17021-1, ISO/IEC 17065, ISO 17024 and relevant regulations of the accreditation bodies) and our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR in carrying out all activities related to certificate management.
2.6 Legal Prosecution
2.6.1 If an administrative or judicial dispute arises, the personal data necessary for the appropriate legal prosecution will be processed and, if necessary, transmitted to legal representatives, courts and/or administrative authorities. In this context, your contact details (first and last name, academic title, address) and other data in connection with the legal dispute in question (e.g. your behaviour in relation to the use of the website) will be processed. The aforementioned personal data is processed on the basis of our legitimate interests in legal prosecution pursuant to Art. 6 para 1 lit f GDPR and pursuant to Art 9 para 2 lit f GDPR.
3. To which recipients will your personal data be transmitted?
3.1 We transmit your personal data to our co-operation partners for the relevant CIS services to the extent necessary to process your enquiry or to provide the desired CIS services. When booking co-operation services that are identified as such, the personal data will be passed on to the respective partners.
3.2 We use processors pursuant to Art 28 GDPR who perform services on our behalf. The processors may only process the data provided to them in accordance with our instructions and to the extent necessary to perform services for us. We contractually oblige these processors to guarantee the confidentiality and security of the personal data processed within the scope of the order. For the purpose of providing the requested CIS services, CIS-Cert will forward the data to the external auditors, trainers, assessors and technical experts employed by it, who also act as processors of CIS-Cert. In addition, CIS-Cert uses external IT service providers.
3.3 Due to legal requirements, CIS-Cert is obliged to provide the accreditation and licensing bodies with information about the services and/or to grant access to them upon request. The accreditation and licensing bodies may also participate in on-site audits. In the course of this, personal data may also be passed on to the accreditation and licensing bodies. In addition, CIS-Cert may transmit personal data to other recipients (such as authorities) in order to fulfil statutory reporting obligations.
3.4 The level of data protection in other countries outside the EEA may not be the same as within the EEA. However, we only transfer your personal data to countries for which the European Commission has decided that they have an adequate level of data protection, or we take measures in accordance with Chapter V GDPR to ensure that all recipients in third countries guarantee an adequate level of data protection. For example, we conclude the standard contractual clauses issued by the European Commission with these recipients.
4. How long will your personal data be stored?
4.1 Your personal data will only be stored for as long as is necessary to fulfil the respective purpose.
4.2 Notwithstanding point 4.1, CIS-Cert will store your data for longer if and insofar as this is necessary to fulfil statutory retention obligations (pursuant to § 132 para 1 BAO; §§ 190, 212 UGB: 7 years) or to pursue or defend legal claims (generally for a maximum period of 3 years), whereby longer processing of the data may be necessary in the event of imminent or pending proceedings.
4.3 Application documents, audit and assessment reports as well as other documents related to certification are generally stored for a period of 10 years in accordance with Section 12 (8) of the Accreditation Act 2012, unless normative or legal requirements require longer storage. In order to pursue or defend against legal claims, the aforementioned documents are generally processed for a maximum of 3 years, whereby longer processing of the data may be necessary in the event of imminent or pending proceedings.
4.4 If the data processing is based on your consent, CIS-Cert will process your data until you withdraw your consent. The withdrawal can be made at any time by e-mail to the e-mail address given in point 1.3. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
5. What rights do you have?
5.1 You have the right of access under Art 15 GDPR, the right to rectification under Art 16 GDPR, the right to erasure under Art 17 GDPR, the right to restriction of processing under Art 18 GDPR, the right to object under Art 21 GDPR, the right not to be subject to automated individual decision-making, including profiling, under Art 22 GDPR and the right to data portability under Art 20 GDPR. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority in accordance with Art 77 GDPR. You can find more information about your rights at: https://www.dsb.gv.at/rechte-der-betroffenen.
5.2 The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (https://www.dsb.gv.at/).
5.3 If you have any questions in connection with the processing of your personal data or wish to assert any rights under the GDPR, such as your right to erasure or your right of access, please contact CIS-Cert as described above in point 1.3.