- Who is controller and which personal data do we process?
- Purposes and legal basis for processing
- Is your data transmitted to third parties?
- Retention period
- Obligation to provide data
- Automated decision-making and profiling
- Rights of Data Subjects
Information on data processing activities under Art. 13 and 14 of the General Data Protection Regulation (GDPR).
1.1. For us, IXOLIT Group, comprising
- IXOLIT GmbH, FN 213107v
- IXOPAY GmbH, FN 451099g, each Mariahilfer Straße 77-79, 1060 Vienna,
(jointly “IXOLIT Group”, each individually “the GROUP MEMBER”)
it is an important concern to adequately protect your personal data. Therefore, we strictly observe the applicable data protection provisions, in particular the General Data Protection Regulation ("GDPR"), the Austrian Data Protection Act ("DSG") and the Telecommunications Act ("TKG") concerning the protection, lawful processing and confidentiality of personal data as well as data security.
2. Who is controller and which personal data do we process?
Controller under Art 4 (7) GDPR is the respective GROUP MEMBER maintaining, having maintained or is about to establish a business relationship with you (hereinafter referred to as “we”).
We process personal data that we receive from you in the course of the initiation of and performance within a business relationship. In addition, we process data that we have lawfully obtained from publicly accessible sources (e.g. commercial register, register of associations, land register, media).
Such personal data includes:
2.1. Personal particulars & contact details:
Title, name, address, mobile number, e-mail address and business contact details, date of birth, nationality.
2.2. Company information:
Company, company register data, address, VAT number.
2.3. Bank details (as far as communicated by you):
Account holder, account number, IBAN, BIC, SWIFT.
In addition, we may process include order information, data from the fulfilment of our contractual obligations, advertising and sales data as well as documentation data (e.g. minutes of meetings).
3. Purposes and legal basis for processing
We process your personal data in accordance with data protection law:
3.1. For the performance of a contract (Art 6 (1) lit b GDPR)
We process your personal data to provide our services to you and - generally speaking - to implement our contracts with you and to bill our services. The purposes of the data processing depend on the respective service or product (our “IXOPAY" Payment Orchestration Platform, individual software development, consulting services, our subscription management and billing platform "IXOPLAN").
3.2. Based on your consent (Art 6 (1) lit a GDPR)
If you have consented to the processing of your personal data, it will only be processed for the purposes specified in the declaration of consent and to the extent agreed therein. A given consent can be withdrawn at any time by e-mail or letter to our address stated in Section 8.7. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
3.3. For the purpose of legitimate interests (Art 6 (1) lit f GDPR)
If necessary, we process your data on the basis of our legitimate interests or the legitimate interests of third parties. Legitimate interests are in particular:
- Legally permissible direct marketing advertising, marketing purposes, for customer loyalty as well as for market and opinion research;
- Transmitting for Internal administrative purposes within the IXOLIT Group, including the processing of clients' personal data;
- Activities for purposes of business management and development of services and products;
- for the establishment, exercise or defence of legal claims.
Your data may therefore be processed on the basis of such legitimate interests in addition to an applicable legal basis such as consent (even if this has been withdrawn in accordance with Section 3.2) or performance of a contract (Section 3.1).
3.4. We will inform you in advance of processing or collecting personal data for other purposes other described in this document.
4. Is your data transmitted to third parties?
4.1. To the extent necessary, we provide your personal data to the following service providers (acting as “processors”) outside IXOLIT Group that support us in the performance of our services:
- IT-service providers and/or providers of data hosting solutions or similar services;
- Other service providers, providers of tools and software solutions that support us with the performance of our services as well and operate on our behalf.
All our processors have been contractually bound to process your data only on our behalf and on the basis of our instructions.
4.2. Apart from that, we transmit your personal data to the extent necessary to the following recipients (acting as “controller”):
- third parties involved in the provision of services in the course of the fulfilment of contractual obligations (e.g. banks for transaction processing , payment service providers, providers of content delivery network (CDN) and DDOS protection, marketing tools, marketing agencies, communication service providers, shipping service providers, providers of embedded content such as tutorial videos);
- other external third parties on the basis of our legitimate interests to the extent necessary (e.g. auditors and tax consultants, insurances in case of insured events, legal representatives in case of incidents);
- authorities and other public entities to the extent legally necessary (e.g. financial authorities); and
- persons who, under our direct authority are authorised to process personal data (particularly our employees).
4.3. Only if necessary for the fulfilment of our (pre)contractual obligations, on the basis of your consent, due to a legal obligation or on the basis of our legitimate interests, we process your data in a third country outside the European Union (EU) or the European Economic Area (EEA) or within the use of third parties’ services. We have implemented appropriate safeguards for any transfer of your data to a third country (e.g. by concluding so called "EU-Standard Contractual Clauses"). Upon your enquiry we can transmit a copy of those appropriate safeguards to you, provided processing activities are carried out in third countries.
5. Retention period
5.1. We store your personal data only as long as necessary for the purposes for which they are processed, in particular for the duration of the entire business relationship (from initiation to performance up to termination of a contract). Beyond that, we might be obligated to keep your data in accordance to statutory retention periods.
5.2. Specifically, we store your data in connection with your enquiries, business letters and contract documents in accordance with statutory retention periods (inter alia § 212 BAO, §132 UGB) for a time period of seven years.
5.3. If we collect access data and log files as a part of our services, such data is stored for a maximum time period of 500 days and are erased subsequently.
5.4. We store data in connection with your registration and your user account (e.g. for deliverables of our “IXOPAY” Payment Orchestration Platform, www.ixopay.com) until the end of your client relationship with us or, moreover, until the expiry of statutory retention periods (cf Section 5.2).
5.5. In specific cases, we store your personal data beyond the above-mentioned retention periods for as long as necessary for the establishment, exercise or defence of legal claims out of our legal relationship.
6. Obligation to provide data
6.1. Within our business relationship, you must provide us with personal data required for the performance of our contractual obligations towards you and for voluntary services and performances, as well as data that we are legally obliged to collect (e.g. name, company, VAT number, address, telephone number, bank details). Data to be provided by is marked with (*) or by other clear indication as a mandatory field. If you do not provide us with such data, we will generally have to refuse to enter into a contract or execute the order, or we will no longer be able to perform an existing contract and will therefore have to terminate it.
6.2. You are not obliged to consent to data processing with regard to data which is not relevant for the fulfilment of the contract or which is not legally required.
7. Automated decision-making and profiling
We do not use automated decision-making pursuant to Art 22 GDPR in order to reach a decision on the establishment and performance of the business relationship or other decisions that would significantly affect you.
8. Rights of Data Subjects
We try to answer your questions and concerns as soon as possible. However, our answer can take up to a month. If we need more time, we will let you know beforehand.
8.1. You have the right to access your personal data that is being processed by us. Apart from that, you have the right to rectification of inaccurate or incomplete data (Art 15 et seq GDPR).
8.2. You have a right to erasure (Art 17 GDPR) if (i) your personal data is no longer necessary for the purposes for which we have collected it, (ii) you withdraw your consent and there is no other legal basis for processing by us (cf. Section 3), (iii) you object to the processing and there are no overriding legitimate grounds for the processing (except in the case of processing for direct marketing purposes), (iv) your personal data has been unlawfully processed or (v) for compliance with our legal obligations.
8.3. You have the right to restrict the processing (Art 18 GDPR) if (i) you contest the accuracy of your personal data, for a period enabling us to verify the accuracy, (ii) the processing is unlawful and you oppose the erasure of the data and request the restriction of its use instead, (iii) your personal data is no longer necessary for the purposes of the processing, but required by you for the establishment, exercise or defence of legal claims or if (iv) you have objected to processing pending the verification whether our interests override.
8.4. Subject to the terms of Art 20 GDPR you have the right to receive personal data that you have provided to us in a structured, transferable format (right to data portability).
8.5. Additionally, you have the right to withdraw your consent free of charge at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
8.6. Finally, you have the right to lodge a complaint with the competent supervisory authority (Art 77 GDPR), for Austria: Österreichische Datenschutzbehörde, Barichgasse 40-42, 1030 Vienna.
8.7. If you have questions relating to this or any other questions, you can contact us at:
Mariahilfer Straße 77-79, 1060 Vienna
8.8. Right to object
We may process your data on the basis of legitimate interests (cf Section 3.3) in which case you have the right to object to the processing of your data. In the case of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing of this data which override your interests, rights and freedoms (weighing of interests) or for the establishment, exercise or defence of legal claims.
In particular, you may object at any time to the processing of your data for the purposes of direct marketing of the IXOLIT Group. In the case of such an objection, we will no longer process your personal data for these purposes (no weighing of interests).
Version: 18 Jan 2022