Company policy for personal data processing

1. General Provisions

This Policy for the processing of personal data (hereinafter referred to as the “Policy”) was developed in accordance with the General Data Protection Regulation (GDPR) of the European Union. The purpose of this Policy is to define the procedure for processing personal data and the measures to ensure their security within ECOCOM Environmental Technologies GmbH (hereinafter referred to as the “Operator”), a company registered in Austria with VAT number ATU47237501, in order to protect the rights and freedoms of individuals.

Key Definitions:

  • Personal Data: Any information relating to an identified or identifiable individual (data subject).
  • Processing of Personal Data: Any operation or set of operations performed on personal data, including collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, erasure, or destruction.
  • Data Subject: The identified or identifiable individual to whom the personal data relates.
  • Controller (Operator): The entity which determines the purposes and means of the processing of personal data.
  • Processor: A third party that processes personal data on behalf of the Controller.

2. Principles and Terms of Personal Data Processing

2.1. Principles of Processing Personal Data

The processing of personal data by the Operator is based on the following principles:

  • Lawfulness, fairness, and transparency.
  • Purpose limitation: Personal data is collected for specified, explicit, and legitimate purposes.
  • Data minimization: Only data that is necessary for the purpose is processed.
  • Accuracy: Personal data must be accurate and kept up to date.
  • Storage limitation: Personal data is stored only as long as necessary for the purpose of processing.
  • Integrity and confidentiality: Data must be processed in a manner that ensures appropriate security.
  • Accountability: The Operator must be able to demonstrate compliance with these principles.

2.3. Confidentiality of Personal Data

Personal data must not be disclosed to third parties without the explicit consent of the data subject unless required by law.

2.4. Special Categories of Data

The processing of sensitive personal data, including information on race, ethnicity, political views, religious beliefs, health, or sexual orientation, is restricted and requires explicit consent from the data subject, unless necessary under law.

3. Rights of the Data Subject

3.1. Data Subject Rights under GDPR

  • Right to Access: The data subject has the right to access their personal data processed by the Operator.
  • Right to Rectification: The data subject has the right to correct any inaccurate or incomplete personal data.
  • Right to Erasure (Right to Be Forgotten): The data subject can request the deletion of their personal data when it is no longer necessary or if consent is withdrawn.
  • Right to Restrict Processing: The data subject can request limitations on the processing of their data in certain circumstances.
  • Right to Data Portability: The data subject has the right to receive their personal data in a structured, machine-readable format.
  • Right to Object: The data subject can object to the processing of their personal data for direct marketing purposes or under legitimate interest grounds.

4. Security of Personal Data

The Operator ensures the security of personal data by implementing appropriate technical and organizational measures, such as:

  • Appointing a Data Protection Officer (DPO) responsible for overseeing data protection activities.
  • Implementing access control measures and encryption for sensitive data.
  • Regularly assessing security practices and taking action to mitigate risks.
  • Ensuring that any data breach is reported to the relevant supervisory authority within 72 hours.

5. Final Provisions

Any further obligations of the Operator regarding the processing of personal data are determined by applicable European and local regulations. The Operator is subject to fines and penalties in case of non-compliance with GDPR or local privacy laws.

This Policy is reviewed regularly and updated as necessary to comply with legal requirements.