Privacy Policy

Data Privacy Notice

Protection of your personal data is of particular importance to Gertraud Lackner KG. With this privacy notice, we would like to inform you about the nature, extent and purpose of personal data processed by us and inform data subjects affected by the data processing about the rights to which they are entitled.
Your personal data will be protected as best as we can during collecting, processing, storing and visiting our website. The processing of personal data, such as the name, address, e-mail address or telephone number is solely based on the statutory provisions (DSGVO/GDPR, DSG, TKG 2003).

Gertraud Lackner KG has implemented plenty of technical and organizational measures, so-called TOMs, to ensure adequate protection of the personal data processed by the controller. Nevertheless, we would like to point out that, in particular, internet-based or wireless-based data transmissions generally have vulnerabilities that can not fully guarantee absolute protection. In addition, it often eludes the public – and also us as a company – how and where and to what extent globally active companies, such as Facebook, Google, etc., collect, store and exploit data in our networked world. The privacy notce of Gertraud Lackner KG uses those terms defined by the General Data Protection Regulation (GDPR) itself. The GDPR states in Article 12 that the information that has to be provided – such as this privacy statement – must be written in a “clear, transparent, understandable and easily accessible form in a clear and simple language”. Therefore, we would first like to introduce you to the terms used. Confident that the European legislator has formulated the regulations in the sense of his own guidelines – understandable, clear and simple – we refer to the same, essentially to the wording of the law.

  1. Definitions
    We use the following terms in this privacy notice, including but not limited to:
    a) Personal data
    Personal data (hereinafter referred to as “pbD”) is any information relating to an identified or identifiable natural person (data subject). A natural person is considered to be identifiable who, directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier or one or more special features, expresses the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person can be identified.
    b) Data subject
    Dat subject is the person who provides their pbD to the responsible person for the purpose of processing. The primary purpose of the GDPR is to protect the rights of data subjects.
    c) Processing
    Processing means any process or series of operations related to personal data, such as collecting, collecting, organizing, organizing, storing, adapting or modifying, reading, querying, using, with or without the aid of automated procedures; disclosure by submission, dissemination or other form of provision, reconciliation or association, restriction, erasure or destruction.
    d) Controller
    Controller or responsible person is the natural or legal person, authority, institution or other body that decides on the purposes and means of processing personal data alone or together with others. Together with the processor, he is the norm addressee of the GDPR and has to ensure that the processing of the pbD is carried out in accordance with the law and that the data subject’s rights are met.
  2. e) Processor
    The processor is a natural or legal person, public authority, institution or other body that pbD processes on behalf of the controller. Independent decisions about means and purpose of the processing of pbD are not made. The processor will act solely on behalf of the controller. Example: We process in the sense of capture pbD of our customers (name, address, date of birth, etc.) as “responsible person”. Now let’s give this data to e.g. a printing company to create and send advertising folders to our customers, the print shop is our “processor”.
  3. f) Recipient
    Recipient is a natural or legal person, public authority, institution or other entity that is disclosed to pbD, regardless of whether the recipient is a natural or legal person, public authority, institution or other entity that is disclosed to pbD, whether or not it is a third party. The recipient may be located in-house (e.g., a department) or an external third party.
  4. g) Third party

Third is a natural or legal person, public authority, body or body other than the data subject, the controller, the processor and the persons authorized under the direct responsibility of the controller or the processor to process the personal data.

  1. h) Restriction of processing

Restriction of the processing means to limit stored personal data with the aim to limit future processing.

  1. i) Profiling

Profiling is any kind of automated processing of personal data that consists in using that personal information to evaluate certain personal aspects relating to a natural person, in particular aspects relating to job performance, economic situation, health, personal To analyze or predict preferences, interests, reliability, behavior, whereabouts or relocation of that natural person.

  1. j) Pseudonymisation

Pseudonymisation is the processing of personal data in such a way that personal data can no longer be attributed to a specific data subject without the need for additional information, provided that such additional information is kept separate and subject to technical and organizational measures to ensure that the personal data not assigned to an identified or identifiable natural person.


  1. k) Consent

Consent is any voluntarily given and unambiguously expressed in the form of a statement or other unambiguous confirmatory act by the data subject for the particular case, by which the data subject indicates that they consent to the processing of the personal data concerning him / her is.


  1. Name and address of the controller

The responsible person/controller within the meaning of the General Data Protection Regulation is:

Gertraud Lackner KG

Badergäßchen 2

5020 Salzburg

T +43 662 842385


FN 220188g LG Salzburg



  1. Categories and recipients of pbD

We process those pbD that we receive from you as part of a business relationship. We also process data that we have legitimately received from publicly available sources. For example, pbD (name, address, date of birth, e-mail address, phone number, IBAN or credit card number) will only be collected and processed on our website if you have actively provided this information, e.g. during registration or as part of the ordering process in our webshop.

Among the pbD processed by us include u.a.

  • Master data, for example: customer number, name, date of birth, etc.
  • Communication data, for example: postal address, telephone number, e-mail address
  • Contract data, for example: order data (date of purchase, purchased goods), shipping method, data for the execution of the contract including payment data (BIC, IBAN or credit card data), data on the termination of the contract (for example, cancellation)

Within Gertraud Lackner KG, only those bodies or employees receive their data that they need to fulfill their contractual, statutory and regulatory obligations and to safeguard legitimate interests (“need-to-know-basis”). In addition, commissioned by us processors (especially IT and possibly back office service providers) receive your data, if they need them to fulfill their respective task. All processors (including computer administrators, internet and e-mail providers (technical infrastructure), newsletter tool providers, storage and data storage (possibly in the cloud or in a data center), comparison portals, CRM Systems, also for the purpose of legally compliant documentation) are contractually obliged to treat your data confidentially and to process it only in the context of the provision of services.

If there is a legal or supervisory obligation, public authorities and institutions (eg tax authorities, etc.) may also receive your personal data.

A transfer of data to third parties does not take place, with the exception of the transmission of the credit card data to the unwinding bank / payment service provider for the purpose of debiting the purchase price, to the transport company commissioned by us (FedEx, Österreichische Post AG) to deliver the goods and to our Tax consultant to fulfill our tax obligations. Your personal information will be shared with third parties (such as shipping / transport companies) only if required for the execution of the contract.

In principle, there is no transfer of your personal data to third countries unless the service provider (e.g., Microsoft) has signed the Privacy Shield Agreement.


  1. Purposes and legal basis of the data processing,

We process your personal data in accordance with the data protection regulations in order to:

– Fulfillment of contractual and / or legal obligations (Article 6 (1b), Art. 6 (1c) GDPR):

The purposed by business is governed by the data processing on the basis of the statutory provisions of § 96 (3) TKG and Art. 6 para. 1 lit. a (consent) and / or lit. b (necessary for performance of the contract) and lit c (legal obligation) of the GDPR.

The data provided by you is required to fulfill the contract or to carry out pre-contractual measures. Without this data, we can not conclude the contract with you or comply with legal obligations.

– in the context of your consent (Article 6 (1a) GDPR)

If you have given us consent to the processing of your personal data (e.g. for newsletter subscription), processing will only take place in accordance with the purposes stated in the consent declaration and to the extent agreed therein. Any consent given may be revoked at any time with future effect (for example, you may object to the processing of your personal information for marketing and promotional purposes in the future).

– for the protection of legitimate interests (Article 6 (1f) GDPR)

Should it be necessary to safeguard the legitimate interests of Gertraud Lackner KG or a third party that your data will be processed beyond the fulfillment of the contract, data processing will take place in the following cases:

Consultation and data exchange with credit bureaus (eg Österreichischer Kreditschutzverband 1870) for the identification of credit risks and default risks

Examination and optimization of procedures for needs analysis and direct customer approach

Advertising or market and opinion research, as far as you have not objected to the use of your data according to Art. 21 GDPR

Measures for business management and further development of services and products

Measures to protect employees, customers and the property of the company

Measures to prevent and combat fraud (Fraud Transaction Monitoring)


  1. Cookies

The website of Gertraud Lackner KG uses cookies. Cookies are text files that are stored and stored on a computer system via an Internet browser.

Many websites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited websites and servers to distinguish the individual’s browser from other internet browsers that contain other cookies. A particular web browser can be recognized and identified by the unique cookie ID.

Through the use of cookies, Gertraud Lackner KG can provide users of this website with more user-friendly services that would not be possible without the cookie setting.

By means of a cookie the information and offers on our website can be optimized in the sense of the user. Cookies allow us, as already mentioned, to recognize the users of our website. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies need not reenter their credentials each time they visit the website, as this is done by the website and the cookie stored on the user’s computer system.

The data subject can prevent the setting of cookies through our website at any time by means of a corresponding setting of the Internet browser used and thus permanently contradict the setting of cookies. Furthermore, already set cookies can be deleted at any time via an internet browser or other software programs. This is possible in all common internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.

  1. Collection of general data and information on the website

The website of Gertraud Lackner KG collects a series of general data and information each time the website is accessed by an affected person or an automated system. This general data and information is stored in the log files of the server. The (1) browser types and versions used, (2) the operating system used by the accessing system, (3) the internet page from which an accessing system accesses our website (so-called referrers), (4) the sub-web pages which can be accessed via (5) the date and time of access to the website, (6) an Internet Protocol address (IP address), (7) the Internet service provider of the accessing system and (8) other similar data and information used in the event of attacks on our information technology systems.

When using this general data and information, Gertraud Lackner KG does not draw any conclusions about the person concerned. Rather, this information is required to (1) correctly deliver the contents of our website, (2) to optimize the content of our website and to advertise it, (3) to ensure the continued functioning of our information technology systems and the technology of our website, and ( 4) to provide law enforcement authorities with the information necessary for law enforcement in the event of a cyberattack. Gertraud Lackner KG evaluates this anonymously collected data and information on the one hand statistically and further with the aim of increasing data protection and data security in our company in order to ultimately ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by an affected person.


  1. Subscription to our newsletter

We inform our customers and business partners at regular intervals by means of a newsletter about offers of the company. The newsletter of our company can only be received by the person concerned if

(1) the data subject has a valid e-mail address and

(2) the data subject has registered for sending out the newsletter or

(3) there is an active customer relationship with the person concerned.

A confirmation e-mail will be sent to the e-mail address entered by an affected person for the first time for the newsletter dispatch in the double-opt-in procedure. This confirmation email is used to check whether the owner of the e-mail address as the person concerned authorized the receipt of the newsletter.

When subscribing to the newsletter, we also store the IP address of the computer system used by the person concerned at the time of registration, as well as the date and time of registration, as assigned by the Internet Service Provider (ISP). The collection of this data is necessary in order to understand the (possible) misuse of an affected person’s e-mail address at a later date and therefore serves as legal safeguards for the controller.

The personal data collected in the context of registering for the newsletter will be used exclusively to send our newsletter. Subscribers to the newsletter may also be notified by e-mail if this is necessary for the operation of the newsletter service or registration, as might be the case in the event of changes to the newsletter or technical changes. The subscription of our newsletter and thus the consent to the processing pbD can be revoked at any time by the data subject. For the purpose of revoking the consent, there is a corresponding link in each newsletter. It is also possible to unsubscribe from the newsletter at any time on our website or to inform the controller in a different way (by letter or e-mail).


  1. Storage duration; routine deletion or blocking of pbD

Gertraud Lackner KG processes pbD of the data subject as far as necessary for the duration of the entire business transaction (from initiation, fulfillment to termination / performance of a contract) as well as in accordance with the statutory retention and documentation obligations arising, for example, from the Austrian Commercial Code (UGB ) or the Federal Tax Code (BAO) or as long as limitation periods of potential legal claims have not yet been expired. – So your pbD will be stored e.g. 7 years after the end of the financial year in which the data was collected (§ 132 BAO) and in addition kept to the assertion or defense of claims (including tax issues); furthermore 3 years after the last contact with newsletter / advertising measures.

If you register in our webshop, we will store your pbD as long as your account exists and thereafter only for as long as this is necessary for legal obligations. After expiry of the respective retention or limitation periods, the pbD are routinely blocked and deleted in accordance with the statutory provisions (§ 4 para. 2 DSG, Art. 23 DSGVO).


  1. Rights of the data subject
  2. a) Right to information

Any person affected by the processing of personal data has the right to obtain information from the controller at any time as to whether the pbD concerned is being processed. Furthermore, there is the right to obtain free information about the pbD stored on his person and a copy of this information.


  1. b) Right to rectification

Every person affected by the processing pbD has the right to demand the immediate correction of any incorrect pbD concerning them. Furthermore, the data subject has the right, subject to the purposes of the processing, to demand the completion of incomplete pbD, also by means of a supplementary declaration.


  1. c) Right to cancellation (Right to be forgotten)

Any person affected by the pbD processing has the right to require the controller to immediately delete the pbD pertaining to it, if one of the following reasons applies and if processing is not (further) required:

The pbD were collected for such purposes or otherwise processed, for which they are no longer necessary.

The data subject revokes their consent, on which the processing was based in accordance with Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, and there is no other legal basis for processing.

According to Art. 21 (1) GDPR, the data subject submits an objection to the processing and there are no legitimate reasons for the processing, or the person concerned objects to the processing pursuant to Art. 21 (2) GDPR.

The pbD were processed unlawfully.

The deletion of the pbD is necessary to fulfill a legal obligation under the European Union law or the law of the member states, to which the person responsible is subject.

The pbD were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.


  1. d) Right to restriction of processing

Any person affected by the pbD processing has the right to require the controller to restrict processing if any of the following conditions apply:

The accuracy of the pbD is denied by the data subject, and for a period of time that allows the person responsible to verify the accuracy of the pbD.

The processing is unlawful, the data subject refuses to delete the pbD and instead requires the restriction of the use of pbD.

The person responsible no longer needs the pbD for processing purposes, but the data subject needs them to assert, exercise or defend legal claims.

The person concerned has objection to the processing acc. Art. 21 para. 1 DSGVO and it is not yet clear whether the legitimate reasons of the person responsible outweigh those of the data subject.


  1. e) Data transferability

Each person affected by the pbD processing has the right to receive the pbD pertaining to it, which has been provided by the data subject to a responsible person, in a structured, common and machine-readable format. It also has the right to transfer this data to another person in charge without hindrance by the person responsible to whom the pbD was provided, provided that the processing is based on the consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) lit. a GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task in the public interest or in the exercise of official authority which was transferred to the person responsible.

Furthermore, in exercising their right to data portability under Article 20 (1) of the GDPR, the data subject has the right to obtain that data subjects are transmitted directly from one data controller to another, insofar as this is technically feasible and if this is not the case Rights and freedoms of others are impaired.


  1. f) Right to object

Every person affected by the processing pbD has the right to object at any time for reasons arising from its particular situation against the processing of pbD pertaining to it, which occurs on the basis of Article 6 (1) lit e or f GDPR. This also applies to profiling based on these provisions. Gertraud Lackner KG will no longer process the pbD in the event of an objection, unless we can prove that there are compelling legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or the processing is for assertion, exercise or defense of legal claims.

If Gertraud Lackner KG processes pbD in order to operate direct marketing then the data subject has the right to appeal at any time against the processing of the pbD for the purpose of such advertising. This also applies to the profiling, as far as it is associated with such direct mail. If the data subject objects to Gertraud Lackner KG for the purpose of direct marketing, Gertraud Lackner KG will no longer process the pbD for these purposes.

In addition, the data subject has the right, for reasons arising from his or her particular situation, against processing pbD, or at Gertraud Lackner KG for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 (1) DSGVO objection, unless such processing is necessary to fulfill a public interest task.


  1. g) Automated decisions on a case-by-case basis, including profiling

Any person concerned by the processing of personal data shall have the right not to be subject to a decision based solely on automated processing, including profiling, which has a legal effect or similarly appreciably affects it, unless Decision (1) does (2) is permissible under Union or Member State legislation to which the controller is subject, and where such legislation provides for appropriate measures to safeguard the rights and freedoms, and the legitimate interests of the data subject or (3) with the express consent of the data subject.

If the decision (1) is required for the conclusion or performance of a contract between the data subject and the controller or (2) it takes place with the express consent of the data subject, Gertraud Lackner KG shall take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, including at least the right to obtain the intervention of a person by the controller, to express his / her own position and to contest the decision.

We currently do not use automated decision-making according to Art. 22 DSGVO.


  1. h) Right to revoke a data protection consent

Any person affected by the processing of personal data has the right, granted by the European directive and regulatory authority, to revoke consent to the processing of personal data at any time.

If the data subject wishes to assert their right to withdraw consent, they can contact our data protection officer or another member of the data controller at any time.

Note: If you believe that the processing of your data violates data protection law or your data protection claims have otherwise been violated in any way, you can contact the Austrian Data Protection Authority (DSB), Wickenburggasse 8-10, 1080 Vienna.


  1. Legal or contractual provisions for the provision of personal data; Necessity for the conclusion of the contract; Obligation of the data subject to provide the personal data; possible consequences of non-provision

As explained in point 4 above, the provision of personal data is partly required by law (such as tax regulations) or arises from legal and contractual requirements (such as details of the contractor). For the conclusion of the contract and the fulfillment of the contract, it is therefore necessary that pbD be made available to us, which are subsequently processed by us. If you do not provide us with this data, we will generally have to refuse to conclude the contract or to execute the order or to be unable to carry out an existing contract and therefore not justify or terminate the business relationship. It is not necessary to give consent for data processing with regard to the fulfillment of relevant or legally and / or legally required data processing.


  1. Miscellaneous

We have implemented organizational and technical safeguards that we continually evaluate and adapt as necessary to protect your personal information that we store and process.

We reserve the right to change this privacy policy at any time and to adapt it to new developments. The new version is valid from provision on our website. The current version of the privacy policy is available at any time on the website at, our imprint can be found at


  1. Contact Details

For further information please contact us at Gertraud Lackner KG, Badergäßchen 2, 5020 Salzburg, Tel. +43 662 842385 or