Privacy Policy in accordance with the GDPR
We process your personal data exclusively in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
Note: For ease of reading, the term ‘data’ is generally used, even though personal data is meant. Unless otherwise stated, any references to legal provisions refer exclusively to those of the GDPR.
Below, we provide you with information, in accordance with the requirements of the GDPR, regarding the nature, scope and purpose of data collection, as well as the use of such data:
I. Name and address of the data controller
The data controller is:
MASSIVE ART WebServices GmbH
Gütlestraße 7a
6850 Dornbirn
Austria
Tel.: +43 (0) 5572 / 906090
Email: datenschutz@massiveart.com
Website: www.massiveart.com
Scope
This privacy policy applies to the processing of personal data by MASSIVE ART WebServices GmbH in connection with the operation of the website massiveart.com and the associated services. The information provided is primarily based on the provisions of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG 2018). Where Swiss data protection law (revDSG) applies, this information also applies mutatis mutandis to data subjects in Switzerland.
Data Protection Officer
No Data Protection Officer has currently been appointed. For any enquiries regarding data protection, please contact: datenschutz@massiveart.com.
II. General information on data processing
Scope of processing
As a general rule, we collect and use our users’ personal data only to the extent necessary to provide a fully functional website and our content and services. The collection and use of our users’ personal data generally takes place only with the user’s consent. An exception applies in cases where it is not possible, for practical reasons, to obtain consent in advance and where the processing of the data is permitted by statutory provisions.
Legal basis for the processing of personal data
Where we seek your consent for the processing of personal data, Article 6(1)(a) serves as the legal basis.
Where data is processed to fulfil a contract with you, Article 6(1)(b) serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures.
Where processing is necessary to comply with a legal obligation to which we are subject, Article 6(1)(c) serves as the legal basis.
If the processing is necessary to safeguard a legitimate interest of our company or a third party, and your interests and fundamental rights do not override the aforementioned interest, Article 6(1)(f) serves as the legal basis.
Data erasure and retention period
Your data will be erased or blocked as soon as the purpose for which it was stored no longer applies. Data may also be retained if this is provided for by European or national regulations, laws or other provisions to which we are subject. Data will also be blocked or erased when a retention period prescribed by the aforementioned standards expires, unless there is a need to continue storing the data for the conclusion or performance of a contract.
| Data category | Retention period | Legal basis / Note |
| 43r43 | 7 days | Deletion or anonymisation thereafter |
| Consent decision (CookieHub cookie) | 12 months | Proof of consent; renewed request thereafter |
| GA4 cookies (_ga, _ga_*) | 2 years (cookie lifetime); data retention in GA4: 14 months | Google Analytics data retention setting |
| Tracking/marketing cookies (Meta, LinkedIn, Bing, Clarity, Mouseflow, Leadfeeder, Google Ads, Floodlight) | Depending on the provider, between the end of the session and 2 years | For details, see the relevant provider section; deletion via CMP or browser possible at any time |
| Newsletter data (email, name) | Until you unsubscribe from the newsletter | Deleted immediately thereafter; login data (IP, timestamp) after 7 days |
| Contact form data | 6 months after the enquiry has been finalised, provided no contractual relationship arises | If a contract is concluded: duration of the contractual relationship + statutory retention periods (7 years under the Austrian Tax Code (BAO)) |
| HubSpot CRM data | Duration of the business relationship + statutory retention periods | Deletion possible at any time upon request |
| Applicant data | 6 months after rejection; if consent has been given for the talent pool: 2 years | If hired: Transfer to the HR information system |
| Invoice/contract data | 7 years (Austrian Federal Tax Code) | Statutory retention obligation |
| Federal Tax Code |
III. Provision of the website and creation of log files
1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the user accessing the site.
The following data is collected in this process:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The user’s IP address
- Date and time of access
- Websites from which the user’s system accesses our website
- Websites accessed by the user’s system via our website
2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f).
3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must remain stored for the duration of the session.
Data is stored in log files to ensure the website functions properly. Furthermore, we use the data to optimise the website and to ensure the security of our IT systems. The data is not analysed for marketing purposes in this context.
These purposes also constitute our legitimate interest in data processing pursuant to Article 6(1)(f).
4. Duration of storage
The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of data collected for the purpose of providing the website, this is the case once the respective session has ended.
Where data is stored in log files, this occurs after seven days at the latest. Storage beyond this period is possible. In such cases, users’ IP addresses are deleted or anonymised so that the client making the request can no longer be identified.
5. Right to object and right to erasure
The collection of data for the purpose of providing the website and the storage of data in log files is absolutely essential for the operation of the website. Consequently, users have no right to object.
IV. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the web browser or by the web browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. This cookie contains a distinctive string of characters that enables the browser to be uniquely identified when the website is visited again.
We use cookies on our website that enable us to analyse users’ browsing behaviour. The following data may be transmitted:
- Search terms entered
- Frequency of page views
The user data collected in this way is anonymous. It is therefore not possible to link the data to the specific user accessing the site. The data is not stored together with any other personal data relating to users. When visiting our website, users are informed via an information banner about the use of cookies for analytical purposes. In this context, there is also a note on how the storage of cookies can be prevented in the browser settings.
The following cookies are used in particular in connection with Google Analytics 4 (GA4):
- _ga – Distinguishing unique users (duration: 2 years)
- _ga_<container-id> – Storing the session status (duration: 2 years)
2. Legal basis for data processing
The legal basis for processing your data using technically necessary cookies is Article 6(1)(f). For cookies used for analytical purposes, the legal basis is Article 6(1)(a), provided you have given your consent.
3. Purpose of data processing
The purpose of using non-technically necessary cookies is to analyse users’ browsing behaviour. All functions of our website can also be provided without the use of these cookies.
Analytical cookies are used to improve the quality of our website and its content. These cookies enable us to understand how the website is used, allowing us to continuously optimise our service. Processing is carried out on the basis of your consent in accordance with Article 6(1)(a) of the GDPR.
4. Duration of storage, right to object and option to delete
Cookies are stored on the user’s computer and transmitted from there to our site. As a user, you therefore have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. There are several ways to manage cookies. The help button on the toolbars of most browsers will show you how to stop accepting cookies, how to be notified when a new cookie is set, and how to block cookies. If you block cookies, you may not be able to register, log in or make full use of the services.
Consent Management (CookieHub)
We use the consent management platform CookieHub (CookieHub ApS, Denmark) to obtain and manage your consent for the storage of cookies and the use of similar technologies. When you visit our website, a cookie banner will appear, allowing you to give or withhold your consent for various categories of cookies (e.g. essential, analytics, marketing). You can change or withdraw your settings at any time via the cookie icon or the consent link on our website. CookieHub stores your consent decision in a technically necessary cookie. The legal basis for the use of CookieHub is Article 6(1)(c) of the GDPR (compliance with legal obligations) in conjunction with Article 6(1)(f) of the GDPR (legitimate interest in verifiable consent management). Further information: cookiehub.com/privacy-policy.
V. Newsletter
1. Description and scope of data processing
On our website, you have the option to subscribe to a free newsletter. When you register for the newsletter, the data entered in the form is transmitted to us. Specifically, we require your email address, your first name and surname including your title, and information as to whether the address is a private or a business address.
In addition, the following data is collected during registration:
- IP address of the accessing computer
- Date and time of registration
Your consent to the processing of this data is obtained as part of the registration process, and reference is made to this privacy policy.
We use HubSpot (HubSpot, Inc., 25 First St 2nd Floor, Cambridge, MA, USA / HubSpot Ireland, 1 Sir John Rogerson’s Quay, Dublin 2, Ireland) to send out our newsletter. When you subscribe to the newsletter, your email address and, where applicable, your name are transmitted to HubSpot and stored there. HubSpot enables us to carry out statistical analysis of our newsletter campaigns (e.g. open rate, click-through rate). We use this information to improve our email service.
Where personal data is transferred to the USA in connection with the sending of the newsletter, this is done on the basis of an adequacy decision pursuant to Article 45 of the GDPR or appropriate safeguards pursuant to Article 46 of the GDPR (in particular standard contractual clauses). HubSpot’s data processing terms can be found at: legal.hubspot.com/dpa.
You may object to this tracking at any time by using the unsubscribe link in every newsletter email or by contacting us at webservices@massiveart.com.
2. Legal basis for data processing
The legal basis for processing your data following your subscription to the newsletter is Article 6(1)(a) where the user has given their consent.
3. Purpose of data processing
Your email address is collected for the purpose of sending you the newsletter.
4. Duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. The user’s email address will therefore be stored for as long as the newsletter subscription remains active.
Any other data collected as part of the registration process is generally deleted after a period of seven days.
5. Right to object and right to erasure
The user concerned may cancel their subscription to the newsletter at any time. For this purpose, a corresponding unsubscribe link is included in every newsletter. Alternatively, you can unsubscribe by emailing webservices@massiveart.com.
This also allows you to withdraw your consent to the storage of the personal data collected during the registration process.
VI. Web Analytics and Optimisation
On our website, we use the following services for web analytics and/or audience measurement.
Google Tag Manager
We use Google Tag Manager, provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). Google Tag Manager itself does not store any cookies and does not process any personal data. It merely provides the technical infrastructure through which other tags and tracking services are integrated and controlled. Where services integrated via Google Tag Manager process data, please refer to the relevant sections of this privacy policy.
Google Analytics 4 (GA4)
We use Google Analytics 4 (GA4) provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA). GA4 uses an event-based data model and employs cookies that enable the analysis of how our website is used. The information generated by the cookies regarding your use of this website is usually transmitted to a Google server and stored there. We use IP anonymisation, which means that your IP address is truncated by Google beforehand within EU Member States or in other signatory states to the EEA.
Generally, no personally identifiable data of users (such as email addresses or names) is stored as part of the online marketing process; instead, pseudonyms are used. Neither we nor Google, as the provider of the online marketing services, know the actual identity of the users, but only the information stored in their profiles. The information in the profiles is usually stored in cookies or by means of similar methods. These cookies can generally also be read later on other websites that use the same online marketing service, analysed for the purpose of displaying content, supplemented with further data, and stored on the server of the online marketing service provider.
In exceptional cases, personal data may be linked to the profiles. This is the case, for example, when users are members of a social network whose online marketing system we use and the network links users’ profiles to the aforementioned information. Please note that users may enter into additional agreements with the providers, for example by giving their consent during registration.
In principle, we only have access to aggregated information regarding the success of our advertisements. However, as part of so-called conversion tracking, we may check which of our online marketing methods have led to a so-called conversion, i.e. for example, the conclusion of a contract with us. Conversion tracking is used solely to analyse the success of our marketing activities.
Google Ads Conversion Tracking
We use Google Ads conversion tracking (Google Ireland Limited). If you access our website via a Google advert, Google Ads will set a cookie on your computer. This cookie is used to measure and evaluate the success of our adverts. The information collected in this way is used exclusively for statistics relating to ad optimisation. We do not receive any information that can be used to personally identify users. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR. Further information: policies.google.com/privacy.
Google Floodlight / Campaign Manager 360
We use Floodlight tags from Google Campaign Manager 360 (Google Ireland Limited) to measure the effectiveness of our online advertising campaigns. When you visit our website, a cookie is set which enables us to link your visit to an advert you have previously viewed. We receive only aggregated statistical reports. No personal data is transmitted to us. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR.
Facebook Pixel / Meta Audiences
We use the “Facebook Pixel”, a service provided by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (parent company: Meta Platforms, Inc., 1 Hacker Way, Menlo Park, CA 94025, USA). The data collected through the integration of third-party cookies, web beacons or similar technologies enables us to measure and design our advertising activities on Facebook more effectively and, for example, to display posts or advertisements only to visitors to our website. To collect this data, we use exclusively cookies, web beacons and similar, tried-and-tested and widely used third-party technologies. With the help of the Facebook Pixel, Meta is able, on the one hand, to identify visitors to our website as a target group for the display of adverts (so-called ‘Facebook Ads’). Accordingly, we use the Facebook Pixel to ensure that the Facebook Ads we place are shown only to those users on Facebook and within the services of Facebook’s partner networks (the so-called “Audience Network”) to those users on Facebook and within the services of Facebook’s partner sites who have also shown an interest in our online offering or who exhibit certain characteristics (e.g. an interest in specific topics or products, as indicated by the web pages they have visited), which we transmit to Facebook (so-called “Custom Audiences”). We also use the Facebook Pixel to ensure that our Facebook adverts are tailored to users’ potential interests and do not come across as intrusive. Furthermore, using the Facebook Pixel, we can track the effectiveness of Facebook adverts for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook advert (known as “conversion tracking”).
Extended Matching for the Facebook Pixel: When using the Facebook Pixel, the additional ‘Extended Matching’ feature is utilised. In this context, data such as users’ email addresses or Facebook IDs is transmitted to Facebook (in encrypted form) for the purpose of creating target audiences.
We do not pass on any lists containing personal data to Facebook, nor do we upload such lists to Facebook. The data collected in this process is transmitted to Facebook in encrypted form only. We cannot view any personal data relating to individual users.
LinkedIn Insight Tag
On our website, we use the LinkedIn Insight Tag provided by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (parent company: LinkedIn Corporation, 1000 W. Maude Ave, Sunnyvale, CA 94085, USA). The LinkedIn Insight Tag enables us to obtain information about visitors to our website who are also members of LinkedIn, and to measure the effectiveness of our LinkedIn advertising campaigns (conversion tracking). No personal data is transmitted directly to us in this process; we merely receive aggregated reports on website audiences and ad performance. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR. Further information: linkedin.com/legal/privacy-policy. Opt-out: linkedin.com/psettings/guest-controls/retargeting-opt-out.
Microsoft Bing UET
We use Universal Event Tracking (UET) from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA (EU: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland). UET enables us to measure the effectiveness of our Bing Ads campaigns. In doing so, a cookie is set which allows us to link the data to an advert that has previously been displayed. We receive only aggregated statistical reports. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR. Further information: privacy.microsoft.com.
Microsoft Clarity
We use Microsoft Clarity (Microsoft Corporation / Microsoft Ireland Operations Limited), a web analytics tool that visualises user behaviour on our website via session replays and heatmaps. Clarity records mouse movements, clicks, scrolling behaviour and technical information (e.g. browser type, screen resolution). IP addresses are anonymised. Processing is carried out on the basis of your consent in accordance with Article 6(1)(a) of the GDPR. Further information: clarity.microsoft.com/terms.
Matomo (Self-Hosted)
We use Matomo (formerly Piwik), an open-source web analytics platform operated on our own servers in Germany (data.massiveart.com). The data is not passed on to third parties and remains entirely within the EU. There is no transfer to a third country. Matomo is operated with mandatory cookie consent (requireCookieConsent). In addition, the Matomo ‘Heatmap & Session Recording’ plugin is active, which records mouse movements and click patterns to optimise the user-friendliness of our website. The data is processed in a pseudonymised form. The legal basis is your consent in accordance with Article 6(1)(a) of the GDPR. Further information: matomo.org/privacy-policy.
HubSpot
We use HubSpot, a digital marketing tool, on our website. The service provider is the US company HubSpot, Inc., 25 First St 2nd Floor, Cambridge, MA, USA. The company also has a registered office in Ireland at 1 Sir John Rogerson’s Quay, Dublin 2, Ireland.
Where personal data is transferred to the USA, this is done – depending on the provider and the specific circumstances – on the basis of an adequacy decision pursuant to Article 45 of the GDPR or on the basis of appropriate safeguards pursuant to Article 46 of the GDPR, in particular standard contractual clauses.
- The Data Processing Agreement can be found at legal.hubspot.com/dpa
- You can find out more about the data processed through the use of HubSpot in the Privacy Policy at legal.hubspot.com/de/privacy-policy
Leadfeeder
We use Leadfeeder (Dealfront), a web analytics service provided by Liidio Oy (Mikonkatu 17 C, 00100 Helsinki, Finland). Leadfeeder collects visitors’ IP addresses and links them to publicly available information about companies to provide us with insights into B2B visitor traffic. Processing is carried out on the basis of your consent in accordance with Article 6(1)(a) of the GDPR.
- Opt-out: yourdata.leadfeeder.com
- Further information: leadfeeder.com/privacy
Mouseflow
This website uses Mouseflow, a web analytics tool provided by Mouseflow ApS, Flaesketorvet 68, 1711 Copenhagen, Denmark. Data processing is carried out for the purpose of analysing this website and its visitors. To this end, data is collected and stored for marketing and optimisation purposes. Usage profiles may be created from this data under a pseudonym. Cookies may be used for this purpose. The Mouseflow web analytics tool records randomly selected individual visits (using only anonymised IP addresses). This generates a log of mouse movements and clicks with the aim of randomly replaying individual website visits and deriving potential improvements for the website from them.
The data collected via Mouseflow is not used to personally identify visitors to this website without the data subject’s separate consent, nor is it combined with personal data relating to the holder of the pseudonym. Processing is carried out on the basis of your consent in accordance with Article 6(1)(a) of the GDPR. You have the right to withdraw your consent at any time. To do so, you can globally deactivate tracking on all websites that use Mouseflow for the browser you are currently using via the following link: mouseflow.de/opt-out
1. Legal basis for the processing of personal data
Where consent has been given, the legal basis for the processing of users’ personal data is Article 6(1)(a) of the GDPR.
2. Purpose of data processing
The processing of users’ personal data enables us to analyse users’ browsing behaviour, for example through audience measurement (e.g. access statistics, identification of returning visitors), tracking (e.g. interest-based or behaviour-based profiling, use of cookies), analysis of visitor engagement, profiling (creation of user profiles), click tracking, A/B testing, feedback (e.g. collection of feedback via online forms), heatmaps (users’ mouse movements, which are aggregated to form an overall picture), surveys and questionnaires. By analysing the data collected, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness.
In addition to web analytics, we may also use testing methods to, for example, test and optimise different versions of our online service or its components. For these purposes, so-called user profiles may be created and stored in a file (known as a ‘cookie’), or similar methods serving the same purpose may be used. Users’ IP addresses are also stored. However, we use an IP masking procedure (i.e. pseudonymisation by truncating the IP address) to protect users. Generally, no personally identifiable data (such as email addresses or names) is stored in the context of web analytics, A/B testing and optimisation; instead, pseudonyms are used.
These purposes also constitute our legitimate interest in processing the data. However, processing only takes place once you have given your consent in accordance with Article 6(1)(a) of the GDPR. The pseudonymisation of the IP address ensures that users’ interests in the protection of their personal data are adequately safeguarded.
The following types of data are processed for the purposes mentioned above: usage data (e.g. webpages visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
3. Duration of storage
The data is deleted as soon as it is no longer required for our record-keeping purposes. The cookies set by the respective services have varying ‘lifespans’. Some remain valid for up to 365 days, whilst others are only valid for the duration of the current visit. You can find out how to disable cookies etc. in the section on the right to object and the option to delete data.
4. Options for objection and removal
We refer you to the privacy policies of the respective providers and the opt-out options specified by them. If no explicit opt-out option has been provided, you can disable cookies in your browser settings. However, this may restrict certain functions of our website.
We therefore also recommend the following opt-out options, which are summarised and organised by region: a) Europe: youronlinechoices.eu. b) Across regions: optout.aboutads.info
Google Analytics:
Website: marketingplatform.google.com; Further information on data protection can be found in Google’s Privacy Policy at: policies.google.com/privacy; Opt-out option: Opt-out plugin: tools.google.com/dlpage/gaoptout, settings for the display of adverts: adssettings.google.com/authenticated
Facebook:
Further information on this can be found in Facebook’s privacy policy at facebook.com/about/privacy. If you do not wish your data to be collected via the ‘Facebook Pixel’ or Custom Audience, you can opt out via the link facebook.com/settings?tab=ads .
Transfers to third countries
Where the services mentioned above transfer personal data to third countries (in particular the USA), this is done – depending on the provider and the specific circumstances – on the basis of an adequacy decision pursuant to Article 45 of the GDPR or on the basis of appropriate safeguards pursuant to Article 46 of the GDPR, in particular standard contractual clauses. Specifically:
| Provider | Registered office / EU entity | Transfer mechanism | DPA / SCC evidence |
| Google (GA4, Ads, Floodlight, GTM) | Google Ireland Limited, Dublin | SCCs (Art. 46 GDPR) / where applicable, DPF (Art. 45 GDPR) | business.safety.google/adsprocessorterms |
| Meta (Facebook Pixel) | Meta Platforms Ireland Limited, Dublin | SCCs (Art. 46 GDPR) / where applicable, DPF (Art. 45 GDPR) | facebook.com/legal/terms/dataprocessing |
| LinkedIn (Insight Tag) | LinkedIn Ireland Unlimited Company, Dublin | SCCs (Art. 46 GDPR) / where applicable, DPF (Art. 45 GDPR) | legal.linkedin.com/dpa |
| Microsoft (Clarity, Bing UET) | Microsoft Ireland Operations Limited, Dublin | SCCs (Art. 46 GDPR) / where applicable, DPF (Art. 45 GDPR) | Microsoft DPA |
| HubSpot | HubSpot Ireland, Dublin | SCCs (Art. 46 GDPR) / where applicable, DPF (Art. 45 GDPR) | legal.hubspot.com/dpa |
| Leadfeeder (Dealfront) | Liidio Oy, Helsinki, Finland | No transfer to a third country (EU) | – |
| Mouseflow | Mouseflow ApS, Copenhagen, Denmark | No transfer to a third country (EU) | – |
| CookieHub | CookieHub ApS, Denmark | No transfer to a third country (EU) | – |
| Matomo (self-hosted) | data.massiveart.com, Germany | No transfer to a third country (EU) | – |
VII. Data Protection Notice for Job Applicants
We are delighted that you are interested in our company and are applying, or have applied, for a position with us. We would like to provide you with the following information regarding the processing of your personal data in connection with your application.
1. What data do we process about you? And for what purposes?
We process the data you have sent us in connection with your application in order to assess your suitability for the post (or, where applicable, other vacant positions within our company) and to carry out the recruitment process.
2. What is the legal basis for this?
The legal basis for the processing of your personal data in this application process is the version of the EU General Data Protection Regulation (EU GDPR) applicable from 25 May 2018. Under this, the processing of data necessary in connection with the decision on whether to enter into an employment relationship is permitted. Should the data be required for legal proceedings after the application process has been completed, data processing may take place on the basis of the conditions set out in Article 6 of the GDPR, in particular to pursue legitimate interests pursuant to Article 6(1)(f) of the GDPR. Our interest in this case is to assert or defend claims.
3. How long will the data be stored?
Data relating to applicants will be deleted after 6 months in the event of a rejection. Should you have consented to the continued storage of your personal data, we will transfer your data to our applicant pool. The data will be deleted from there after two years. Should you have been successful in the recruitment process and been offered a position, the data will be transferred from the applicant database to our HR information system.
4. To whom is the data disclosed?
Your application details will be reviewed by the HR department upon receipt of your application. Suitable applications will then be forwarded internally to the department heads responsible for the relevant vacancy. The next steps will then be agreed. Within the company, access to your data is restricted to those individuals who require it for the proper conduct of our recruitment process.
5. Where is the data processed?
The data is processed within the European Economic Area (EEA).
6. Your rights
You have the right to access the personal data we process about you. If a request for access is not made in writing, please understand that we may then require you to provide evidence proving that you are the person you claim to be. Furthermore, you have the right to rectification, erasure or restriction of processing, insofar as you are entitled to this by law. You also have the right to object to processing within the framework of the statutory provisions. The same applies to the right to data portability.
7. Right to lodge a complaint
You have the right to lodge a complaint with a data protection supervisory authority regarding our processing of your personal data.
VIII. Technical and organisational measures (Article 32 of the GDPR)
We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, loss, misuse or alteration. These include, in particular, measures to restrict access, to ensure the confidentiality and integrity of data transfers, to ensure the availability of our systems, and to review and continuously improve our security measures.
IX. Users’ rights (data subjects’ rights)
If your personal data is being processed, you are a data subject within the meaning of the GDPR and you have the following rights in relation to us as the data controller:
1. Right of access
You may request confirmation from us as to whether we are processing personal data relating to you.
If such processing is taking place, you may request the following information from us:
The purposes and categories of personal data being processed, including the recipients or categories of recipients to whom your data has been or will be disclosed, as well as the intended duration of storage of the data relating to you. Should we use profiling technologies, we must provide you with meaningful information about the logic involved, as well as the scope and intended effects of such processing on you. Furthermore, we must inform you of your right to lodge a complaint with the data protection authority. You also have the right to request information as to whether your personal data is being transferred to a third country or to an international organisation.
2. Right to rectification
You have the right to have your data rectified and/or completed if the data we process concerning you is inaccurate or incomplete. Where applicable, we will rectify the data without delay.
3. Right to restriction of processing
You may request the restriction of the processing of your data under the following conditions:
(1) where you contest the accuracy of the data relating to you for a period enabling us to verify the accuracy of your data; (2) where the processing is unlawful and you oppose the erasure of your data and instead request the restriction of its use; (3) we no longer need your data for the purposes of processing, but you require it to establish, exercise or defend legal claims; or (4) where you have objected to the processing and it has not yet been determined whether our legitimate grounds override your interests.
If the processing of your data has been restricted, such data – apart from its storage – may only be processed with your consent, or for the purpose of establishing, exercising or defending legal claims, or to protect the rights of another natural or legal person.
If the restriction on processing has been imposed in accordance with the above conditions, we will inform you before the restriction is lifted.
4. Right to erasure
We are obliged to erase your data without delay if any of the following grounds apply:
(1) Your data is no longer necessary for the purposes for which it was collected by us; (2) You withdraw your consent and there is no other legal basis for the processing; (3) You object to the processing in accordance with Article 21(1) and there are no overriding legitimate grounds on our part for the processing, or you object to the processing in accordance with Article 21(2). (4) Your data has been processed unlawfully.
The right to erasure does not apply where processing is necessary
(1) to comply with a legal obligation which requires the processing (e.g. vis-à-vis public authorities and government departments), or to carry out a task carried out in the public interest which has been entrusted to us; (2) to establish, exercise or defend legal claims.
5. Right to information
If you have exercised your right to rectification, erasure or restriction of processing against us, we are obliged to notify all recipients to whom your data has been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients.
6. Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of your data carried out on the basis of Article 6(1)(e) or (f); this also applies to profiling based on these provisions.
In such cases, we will no longer process your data unless we have compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing is necessary for the establishment, exercise or defence of legal claims.
If your data is processed for the purposes of direct marketing, you have the right to object at any time to the processing of your data for the purposes of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
If you object to processing for the purposes of direct marketing, the data relating to you will no longer be processed for these purposes.
7. Right to withdraw consent under data protection law
You have the right to withdraw your consent to data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent prior to its withdrawal.
8. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with the data protection authority in accordance with Section 24 et seq. of the DSG 2018 if you believe that the processing of your data infringes the GDPR.
Competent supervisory authority:
Austrian Data Protection Authority
Barichgasse 40–42
1030 Vienna
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
Website: www.dsb.gv.at
The Data Protection Authority shall inform the complainant of the status and outcome of the complaint, including the possibility of seeking judicial redress.
9. Exercising your rights (DSAR process)
To exercise your rights as set out above, you may contact us at any time:
Contact: datenschutz@massiveart.com
Subject line: Please use the subject line “Data Protection Enquiry” and describe your request as specifically as possible (e.g. access, erasure, rectification).
Identity verification: To protect your data, we reserve the right to verify your identity when you make an enquiry (e.g. by cross-checking your email address or asking for further details). Under no circumstances will we ask you to send sensitive documents (e.g. copies of identity documents) via unencrypted email.
Processing time: We will process your request without undue delay and, as a rule, within one month of receipt. Should an extension be necessary, we will inform you of this, stating the reasons, within the one-month period.
Costs: Exercising your rights is generally free of charge. In the case of manifestly unfounded or excessive requests, we reserve the right to charge a reasonable fee or to refuse to process the request (Article 12(5) of the GDPR).
Dornbirn, May 2026
© MASSIVE ART WebServices GmbH