Privacy Policy & Data Protection

2. Controller

Trotec Laser GmbH
Freilinger Straße 99
4614 Marchtrenk
E-Mail: data-protection@trogroup.com
Phone: +43 720 / 115244

3. Data processing on our website

Below you will learn which information we collect, process and use when you visit and use our website www.troteclaser.com (“website”).

3.1    Provision and use of the website

• Purpose: If our website is used for informational purposes only (no registration and no transmission of other information), personal data is collected that is transmitted from your browser to our server. This is technically necessary to display our website to you and to ensure the stability and security of the website.
• The following data is processed:
  • Location data: If you are looking for a Trotec location near you, we process the location (address) you provide to display the hits. We delete this information after your visit to the website.
  • Technical data: IP address of your device, date and time of the request, the internet browser used, your operating system and the website from which you visit us.
    This personal data can also be collected via cookies (see below).
• Data Subjects: Website visitors.
• Storage period: The personal data is only stored for as long as you use our website or as long as we need it to fulfil the purpose.
• Legal bases: The legal basis for data processing on the website is the legitimate interest (Art. 6 para 1 lit f GDPR) and § 165 para. 3 Telecommunications Act 2021.
• Who has access to your data: For the use of the website, personal data is processed by a processor.

3.2    Electronic contact requests via the website 

• Purpose: Processing of contact requests via e-mail or on website contact forms.
• The following data is processed:
  • Contact and enquiry data: When you actively contact us (e.g. via e-mail or via a contact form or with other electronic means), the data and contact details (e.g. name, address, company, enquiry, telephone number, e-mail and content of the enquiry) are processed.
• Data Subjects: Website visitors, interested parties, customers, suppliers.
• Legal bases: The following legal bases serve for data processing: Performance of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), legitimate interest (Art 6 para 1 lit f GDPR), § 165 para 3 Telecommunications Act 2021.
• Storage period: We store the data until the inquiry has been answered or for the duration of the ongoing business relationship (see point 3.6). If there are statutory retention obligations, processing will be restricted until then.
• Who has access to your data: For the use of the website, the personal data is processed by a processor.

3.3    Cookies

Like most websites, we use cookies. Details and precise descriptions can be found under the round, black button at the bottom left of our website. https://www.troteclaser.com/. 

3.4    Third-party services

3.4.1    Social media 

• Purpose: In addition to our website, we are also represented on social networks, in particular Facebook, Instagram, LinkedIn, TikTok and YouTube, to increase awareness of our company and for marketing purposes. When you visit one of our online presences on social media, personal data may be transmitted to the operator of the social network. Furthermore, the operator can link your profile to ours if you are logged into the respective network. As part of our public relations work, we also present articles about our products and events.
• Data subjects: Visitors to our social media presences.
• The following data is processed: Date and time of the actions performed, user ID (only for logged-in users), location data (country/city), language setting, age/gender group (for logged-in users from the user profile), previously visited website, determination of hardware (computer/mobile device). If you choose to interact with us, content, images and video recordings accompanied by your contributions, content data, any requests and messages are handled according to Clause 3.2 of this Data Protection Policy.
• Legal bases: Consent (Art 6 para 1 lit a GDPR), legitimate interest (Art 6 para 1 lit f GDPR), explicit consent (Art 49 para 1 lit a GDPR). With your express consent to the processing of cookies on the respective online platform, you also consent to the possible processing of your data in the countries mentioned.
• Who has access to your data: Operator of the social media platform visited.

3.4.1.1    Facebook, Instagram (Meta Inc.)

Facebook and Instagram belong to Meta Inc. The services are operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, which is the Controller for the processing of personal data relating to the use of Facebook and Instagram.

• Transmission to the following third countries under data protection law: USA

Details about the specific data collection and processing by the respective operator can be found on the following links:
Facebook: https://de-de.facebook.com/about/privacy/ (general privacy policy) and https://www.facebook.com/legal/terms/page_controller_addendum# (particular data collection for page insights)
Instagram: https://help.instagram.com/155833707900388

• Transmission to the following third countries under data protection law:

USA: Companies that have successfully completed the Data Privacy Framework Program are considered to have an adequate level of security in accordance with the provisions of the EU-US and Swiss-US Data Privacy Framework. It is permissible under data protection law to transfer information to these companies within the framework of the Data Privacy Framework.

Meta Platforms, Inc, the parent company of the Facebook and Instagram services, has committed to complying with the requirements of the EU-US and Swiss-US Data Privacy Framework by becoming certified under the Data Privacy Framework Program. Information on participation can be found under the search term “Meta Platforms, Inc.” here: https://www.dataprivacyframework.gov/s/participant-search.

3.4.1.2    YouTube (Google LLC)

YouTube is part of the Google LLC group of companies. Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, is responsible for the processing of personal data in the context of YouTube use.

• Transmission to the following third countries under data protection law:
  • USA: Companies that have successfully completed the Data Privacy Framework Program are considered to have an adequate level of security in accordance with the provisions of the EU-US and Swiss-US Data Privacy Framework. It is permissible under data protection law to transfer information to these companies within the framework of the Data Privacy Framework.

Details on the specific data collection and processing by the respective operator can be found on the following links:
YouTube: https://www.youtube.com/static?gl=DE&template=terms&hl=de and https://policies.google.com/privacy.

Google LLC, the parent company of the YouTube platform, has committed to complying with the requirements of the EU-US and Swiss-US Data Privacy Framework by becoming certified for the Data Privacy Framework Program. Information on participation can be found under the search term “Google LLC.” Here: https://www.dataprivacyframework.gov/s/participant-search

In some cases Google LLC relies on the Standard Contractual Clauses for international data transfers (SCCs) issued by the European Commission for the transfer of personal data. Details are provided here: https://policies.google.com/privacy/frameworks?hl=en.

3.4.1.3    LinkedIn (Microsoft Corporation)

LinkedIn is part of the Microsoft Corporation group of companies. The Controller for the processing of personal data in the context of the use of LinkedIn services is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

• Transmission to the following third countries under data protection law:
  • USA: For companies that have not gone through the Data Privacy Framework Program, no sufficient level of security can be guaranteed according to the legal requirements.

Details on the specific data collection and processing by the respective operator can be found here:
LinkedIn: https://www.linkedin.com/legal/privacy-policy

LinkedIn bases the transfer of personal data on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission. Details can be found here: https://www.linkedin.com/help/linkedin/answer/a1343190?trk=microsites-frontend_legal_privacy-policy&lang=en-us&intendedLocale=en 

3.4.1.5    TikTok (ByteDance)

TikTok is operated by the Chinese company ByteDance. TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, is responsible for the processing of personal data in the context of TikTok use.

Details about the specific data collection and processing by TikTok can be found here: https://www.tiktok.com/legal/page/eea/privacy-policy/de

• Transmission to the following third countries under data protection law: USA, China, Malaysia
  • USA: For companies that have not completed the Data Privacy Framework Program, a sufficient level of security cannot be guaranteed under the legal requirements.
  • China: The Chinese Multi-Level Protection Scheme 2.0 obliges companies based in China to disclose data to Chinese authorities and to guarantee them unrestricted access to servers. As a result, an adequate level of security and compliance with European data protection requirements cannot be guaranteed.
  • Malaysia: Malaysia has enacted statutory data protection regulations, but there is currently no adequacy decision. Consequently, an adequate level of security and compliance with European data protection requirements cannot be conclusively guaranteed.

TikTok, operated by the Chinese company ByteDance, relies on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission for the transfer of personal data. Details can be found here:
https://www.tiktok.com/legal/page/eea/privacy-policy/de#share-info
https://www.tiktok.com/legal/page/eea/transferee-countries/de 

3.5    Customer care and marketing for own purposes

• Purpose: Processing of own or purchased customer and prospective customer data for the initiation of business relating to the company’s own range of products or services and for the implementation of advertising measures and newsletter distribution; customer relationship management.
  The information on cross-group joint processing activities is provided in Clause 7 Joint processing activities.
• Data Subjects: customers, interested parties.
• The following data is processed: Master data (first/last name, address, e-mail address).
• Legal bases: legitimate interest (Art 6 para 1 lit f GDPR), § 174 para 4 Telecommunications Act 2021,
• Storage period: The data may be stored until the end of the third year after the last contact with the client, unless longer contractual or statutory retention periods exist.
• Who has access to your data: Personal data is processed by a processor for the purpose of sending the information.

3.6    Customer and supplier management, accounting, logistics and bookkeeping

The provision of your personal data is necessary for the fulfilment of the contract or the implementation of pre-contractual measures. Without this data, we cannot conclude a contract with you.

• Purpose: Processing of personal data in the context of any business relationship with customers and suppliers as part of a commercial activity, including the systematic recording of all business transactions relating to income and expenditure.
• Data Subjects: Customers, suppliers.
• The following data is processed: Master data, (name, e-mail-address, telephone number) payment information, financial data, bank details.
• Legal bases: Consent (Art 6 para 1 lit a GDPR), performance of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), in particular to contact you in the context of the business relationship; fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, in particular defence, exercise and assertion of legal claims (Art 6 para 1 lit f GDPR).
• Storage period: Your personal data will be stored by us for as long as is necessary to fulfil our obligations, depending on the necessity until the end of the business relationship or until the expiry of the guarantee, warranty, limitation and statutory retention periods applicable to the client (in particular the tax law retention obligations for business letters, invoices and receipts); in addition, until the termination of any legal disputes in which the data is required as evidence.
• Who gains access to your data: If necessary for the fulfilment of the contract, your personal data will be passed on to the companies of the group of companies, or their sales and service partners in the countries concerned so that they can act on our behalf. Therefore, we will only transfer your data to third parties in order to fulfil our obligations. This includes, in particular, the tax office, courts and authorities, suppliers, shipping companies, debt collection agencies, banks involved in the payment to the data subject or to third parties, legal representatives, chartered accountants.

3.7    Training courses / seminars, demos, webinars

• Purpose: Conducting training courses / seminars, demos or webinars.
• Data Subjects: Interested parties, customers, seminar and webinar participants.
• The following data is processed:
  • Registration data: When you register for training courses / seminars, demos or webinars, we collect the registration data provided (name, company, address, e-mail, telephone, booked events).
• Legal bases: Consent (Art 6 para 1 lit a GDPR), performance of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), in particular to contact you as part of the business relationship; fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, in particular defence, exercise and assertion of legal claims (Art 6 para 1 lit f GDPR).
• Storage period: Your personal data will be stored by us for as long as is necessary to fulfil our obligations, depending on the necessity until the end of the business relationship or until the expiry of the guarantee, warranty, limitation and statutory retention periods applicable to the client (in particular the tax law retention obligations for business letters, invoices and receipts); in addition, until the termination of any legal disputes in which the data is required as evidence.
• Who gains access to your data: If necessary for the fulfilment of the contract, your personal data will be passed on to the companies within the group of companies, or their sales and service partners in the countries concerned so that they can act on our behalf. These include, in particular, the tax office, courts and authorities, suppliers, shipping companies, debt collection agencies, banks involved in the payment to the data subject or third parties, legal representatives, chartered accountants.

3.8    Trotec Webshop

For the webshop, we have compiled our own detailed information and descriptions on the processing of personal data, which you can find at: https://shop.troteclaser.com/s/data-privacy

3.9    Applicant management

• Purpose: Use and record-keeping of personal data provided by applicants if this data has been provided by the data subject.
• Data Subjects: Applicants
• The following data will be processed: Master data (first and last name, e-mail-address, telephone number), CV and photo.
• Legal bases: Consent (Art 6 para 1 lit a GDPR), explicit consent (Art 9 para 2 lit a GDPR) as well as assertion, exercise and defence of legal claims (Art 9 para 2 lit f GDPR) and legitimate interest (Art 10 GDPR in conjunction of § 4 para 3 clause 2 Data Protection Act).
• Storage period: Applicant data will be deleted immediately after the advertised position has been filled or after the expiry of any objection periods against the allocation of the job, unless consent to the retention of records has been given. Unsolicited applications are appropriately kept on file for the intended purpose until revoked by the person concerned.
• Who has access to your data: Applicant data will not be passed on to external bodies. The information on cross-group joint processing activities is explained in Clause 7.

3.10    Whistleblower system 

• Purpose: Processing of reports in connection with possible or suspected legal violations.
• Data Subjects: Whistleblower, reported person, witness.
• The following data is processed: Master data of the whistleblower, such as name, e-mail address and telephone number, if as these are disclosed in the report, personal data of the person named in the report, data on potentially punishable acts by courts and administrative authorities (content data of the report).
• Legal bases: § 8 para 3 Austrian Whistleblower Protection Act, Art 6 para 1 lit e GDPR (for the performance of a task in the public interest), Art 6 para 1 lit f GDPR (legitimate interest), Art 9 para 2 lit f GDPR (processing for the assertion, exercise and defense of legal claims) and Art 9 para 2 lit g GDPR (processing based on union law and the law of a member state).
• Storage period: five (5) years, log data will be retained for three (3) years from last time it was used.
• Who gains access to your data: An internal office has been set up to process reports. A processor is used to operate the whistleblower system. When a report is submitted, an initial assessment is carried out by a lawyer. If necessary, your data will be transmitted to courts and authorities.

4.    Information about data transfers to third countries or to international organisations

Except in the cases already mentioned, the data processed by us will not be transferred to recipients in third countries without an adequate level of security or to international organisations.

5.    How does Trotec protect your data?

We take appropriate technical and organisational security measures within the meaning of Article 5 para 1 lit f or Article 32 GDPR to protect your personal data against accidental or unlawful destruction, alteration, damage or loss and against unauthorized disclosure or access. In addition, we and our employees are obliged to maintain data confidentiality.

6.    What are your rights?

6.1    Your rights as a data subject

You have a right to information about the personal data we process about you (Art. 15 GDPR). In addition, you have the right to rectification of inaccurate data and erasure (Art. 16 and 17 GDPR). You also have the right to restriction of processing (Art 18 GDPR) and the right to data portability (Art 20 GDPR). For the sake of completeness, we would like to point out that a request for erasure can only be complied with insofar as it does not conflict with any statutory retention obligations or other obligations.

6.2    Your right of objection

If the processing of your personal data is based on a balance of interests (Art 6 para 1 lit f GDPR: legitimate interests), you have the right to object to the processing at any time for reasons arising from your particular situation. When exercising your right to object, we ask you to explain to us your reasons why we should not process your personal data as we have done. We will examine the situation and either discontinue or adapt the data processing or show you our compelling legitimate reasons and continue the data processing. We will also continue the data processing if it serves the assertion, exercise or defense of legal claims.  You can object to data processing for the purposes of direct advertising and data analysis at any time. In this case, we will cease processing the data.

6.3    Your right of withdrawal

If you have given us your consent to the processing of your personal data, you can withdraw your consent at any time. Your revocation does not affect the legality of the data processing that has taken place up to the revocation.

6.4    Complaint to the supervisory authority

You can also contact the Austrian data protection authority (Barichgasse 40-42, 1030 Wien, phone: +43 1 52 152-0, E-mail: dsb@dsb.gv.at) with a complaint. The data protection authorities of other countries can be found on https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-are-data-protection-authorities-dpas_de.

If you have questions about your rights or data processing, you can also contact us. You can find our full contact details under Clause 2 of this Privacy Protection Policy.

7.    Joint processing activities 

If companies process personal data jointly, there is joint responsibility if they all jointly determine the purposes and means of processing. The Controllers shall specify in a transparent manner in an agreement which of them fulfils which obligation and shall inform the data subjects of the main contents of the agreement.

7.1    Cross-group processing of applicant data
7.1.1    Who is involved in the joint processing?

• Purpose: Processing of applicant data for business initiation in relation to employment relationships, standardised human resource management.
• Data Subjects: Applicants
• The following data is processed: Master data, application data
• Storage period: In the case of cross-group vacancies and international job advertisements, we delete the data no later than 12 months after the position has been filled, unless the person concerned has given their consent or there are longer contractual or statutory retention periods. In the case of national advertisements and vacancies, the retention periods are based on national legal requirements.

7.2    Other cross-group processing 
7.2.1    Who is involved in the joint processing

TroGroup GmbH, AUT;
Trotec Laser GmbH, AUT
Trotec Laser Ltd., UK
Trotec Laser Canada Inc, CAN
Trotec Laser AG, CHE
Trotec Laser B.V., NLD
Trotec Laser S.r.l., ITA
Trotec Laser Japan Co. Ltd., JPN
Trotec Laser France SAS, FRA
Trotec Laser Espana S.L.U., ESP
Trotec Laser Deutschland GmbH, DEU
Trotec Laser Automation GmbH, DEU
Trodat Holding GmbH, AUT
Trodat GmbH, AUT
Trodat Vertriebs GmbH, DEU
Trodat Production s.r.l., ROU
Trodat Italia S.r.l., ITA
Trodat France S.A.S., FRA
Trodat Benelux B.V., NLD
Trodat Polska Sp.z.o.o., POL 
Trodat UK Ltd, UK 
Trodat Marking Canada Inc., CAN 
Trodat Stamps (A-Pak) Limited, IRL 
Ash Rubber Stamp Co.Ltd., UK 
Motivation in Learning Ltd., UK 
WJ Finanzierung GmbH, AUT 
Iradion Laser Holding GmbH, AUT 
Iradion Laser GmbH, DEU 
Iradion Laser Inc., USA
Iradion Laser (Xiamen) Co. Ltd., CHN
Trotec Laser Inc., USA
Engravers Network LLC, USA
High Speed Laser Systems S de RL de CV, MEX 
Trotec Laser PTY Ltd., AUS 
Trotec Laser (Xiamen) Co. Ltd., CHN 
Innovative Laminations Company Inc., USA 
Trotec Laser Asia Pacific Pte. Ltd., SGP 
Trodat USA Inc., USA
Tro Sellos Mexico S de RL de CV, MEX
Rubber Stamp&Engraving Co.Ltd., ZAF
Yocotrim Investments Ltd., ZAF
Trodat Marking India Pvt. Ltd., IND
Trodat Carimbos de Brasil Ltda, BRA 
TRODAT RUS LLC, RUS 
Trodat Marking Devices (Xiamen) Co.Ltd., CHN

7.2.2    Executive management

• Purpose: Processing of data and contracts of managers with regard to employment relationships, group-wide human resource management for managers and group-wide human resources development.
• Data Subjects: Managers of the members of the group of companies
• The following data is processed: Master data(name, e-mail address, telephone number), data on the employment contract
• Storage period: Until the end of the statutory retention periods, in particular the Austrian Commercial Code, Federal Fiscal Code and Product Liability Law. In addition, the data will be stored until the end of any legal disputes in which the data is required as evidence.

7.2.3    Customer/supplier management, accounting, logistics and bookkeeping

• Purpose: All responsible parties process the data in a ERP program. Data is currently stored in Europe at the TroGroup GmbH site. Each Controller processes data within this system, taking into account the respective authorisations.
  Processing of personal data in the context of business relationships with customers and suppliers, including the systematic recording of all transactions relating to income and expenses.
• Data Subjects: Customers, interested parties
• The following data is processed: Master data, VAT number
• Storage period: Legal requirements; until the termination of the business relationship or until the expiry of the applicable guarantee, warranty, limitation and statutory retention periods; furthermore, until the termination of legal disputes in which the data is required as evidence.

7.2.4    Marketing and management of customer relationships

• Purpose: Processing of collected or purchased customer and prospective customer data for the acquisition of business from the Controller with regard to their product portfolio and the implementation of advertising measures and newsletter distribution; customer relation management.
• Data Subjects: Customers, interested parties
• The following data is processed: Master data (name, e-mail address, telephone number), account information, data on purchases (number, average order value), promotions (engagement by campaign), events
• Storage period: The data will be stored until the end of the third year after the last contact with the customer, provided there are no longer contractual or statutory retention periods.

7.2.5    Website

• Purpose: The website is technically managed by TroGroup GmbH and Trotec Laser GmbH and the content is managed by Trotec Laser GmbH. Country-specific contact enquiries are automatically forwarded to the respective company in the customer's target region to answer enquiries and are stored in the joint customer database.
  In addition, the purposes consist of promoting the corporate identity, a standardised corporate image for the group of companies, improving services and the website.
• Data Subjects: Customers, interested parties, suppliers.
• The following data is processed: IP address of the visitor, date and time of the request, time zone difference to GMT, content of the request (specific page), access status/HTTP status code, amount of data transferred, requesting website, browser, operating system and user interface, language, browser software version, contact and content data of requests.
• Storage period: up to 38 months, details and precise descriptions can be found on each of our websites in the data protection settings (cookies).

7.2.6    EHS (environmental, health and safety management)

• Purpose: Improvement of health and safety standards within the group of companies, prevention of occupational accidents or environmental damage, training of safety officers
• Data Subjects: Employees, suppliers.
• The following data is processed: Employee master data, information about (near) accidents, injuries suffered, sick leave, training and prevention measures, reports to authorities and outcomes.
• Storage period: 30 years.

7.2.7    Public Relation Management, standardised group communication

• Purpose: Informing external stakeholders, building corporate culture and public image; maintenance and harmonisation of corporate communication within the group of companies; central contact point for crisis communication.
• Data Subjects: Employees, suppliers.
• The following data is processed: Employee master data and the manager concerned, time of the incident, employees involved, statements, reports.
• Retention period: 30 years.

7.2.8    Case management whistleblower system

• Purpose: Group-wide processing of information in connection with possible or suspected legal infringements.
• Data Subjects: Whistleblower, reported person.
• The following data is processed: Master data of the whistleblower (name, e-mail address, telephone number), insofar as these are disclosed in the report and the personal data of the person named in the report, data on potentially criminal actions by courts and administrative authorities (content data of the report).
• Storage period: five (5) years, log data will be retained for three (3) years from last time it was used.

7.3    Point of contact for data subjects

If you have any questions about your rights or data processing, you can get in touch with the contact person for the data subjects:

TroGroup GmbH
Linzer Straße 156
4600 Wels
data-protection@trogroup.com

7.4    Lead supervisory authority

The joint controllers have appointed the Austrian data protection authority (Barichgasse 40-42, 1030 Wien, phone: +43 1 52 152-0, E-mail: dsb@dsb.gv.at) as the lead supervisory authority.

8.    Change management

The current version of this Data Protection Policy is available on our website. Questions about an earlier version should be sent to data-protection@trogroup.com.