Data Protection

BWT Aktiengesellschaft (you will find our contact data below) and its subsidiaries and affiliates are delighted to welcome you to our website. We are committed to protecting your data and your privacy.

In general, it is possible to use our website without ever having to enter any personal data. However, if you wish to make use of certain of our services via our website, processing of your personal data may be required. If we do need to process your personal data but there is no basis in law permitting this, we will always ask for your consent prior to processing.

We always perform any processing of personal data in compliance with the General Data Protection Regulation (GDPR) and in accordance with all national data protection laws applicable to BWT Aktiengesellschaft. This Privacy Statement is intended to inform the general public of the nature, scope and purpose of the personal data that we collect, use and process, and tell you about your rights in this regard.

BWT Aktiengesellschaft has implemented appropriate technical and organisational measures to safeguard your data against loss, manipulation, unauthorised access and other hazards. The measures in place are subject to regular review and are continuously updated.

This Privacy Statement applies solely to BWT Aktiengesellschaft and the website subpages devoted to that company, but not to websites controlled and operated by third parties. We kindly request that you check all websites controlled and operated by third parties, as BWT Aktiengesellschaft is not responsible for their content or the measures they utilise for data protection. Section 2 explains which of our Group companies is responsible for processing your data.

1. General

This Privacy Statement is based on the terms as defined in the GDPR.

"Personal data" means any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. "Non-personal data" are data that have been rendered anonymous and which under no circumstances can be traced to any specific data subject. For this reason, non-personal data are not subject to data protection law.

"Data subject" means any identified or identifiable natural person whose personal data is to be processed by the controller.

"Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.

"Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

"Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Personal data that we process are processed exclusively in accordance with the data protection laws, rules and regulations currently in force. Please note that when you correspond with us or complete a form on our website, the data you enter in the form will be processed for the purposes defined below.

2. Name and address of the controller and data protection contact

The controller as defined in the GDPR, any other data protection laws in force in the Member States of the European Union, and other statutory or regulatory provisions governing data protection, is:

BWT Austria GmbH
Walter-Simmer-Strasse 4
A-5310 Mondsee, Austria.

The data protection officer voluntarily appointed by the controller can be reached using the following contact information:

EY Law – Pelzmann Gall Größ Rechtsanwälte GmbH
Dr. Ermano Geuer
Alexander Wollmann
Wagramer Strasse 19/33
A-1220 Vienna, Austria
Email: [email protected]

3. Processing of personal data

Your personal data are processed solely for the purposes specified in this Privacy Statement and only to the extent required for achieving these purposes. These data will not be disclosed to any other party without your consent except as defined in this Privacy Statement or where required by mandatory national legislation.

Use of certain facilities on our website – such as a user account, newsletters and contact forms – may require prior registration involving further processing of your personal data. However, we will make use of these data only if you provide them to us and expressly consent to such usage beforehand. In such cases, we will display a request for your consent at prominent locations, and make further information available to you directly via hyperlinks at these locations.

3.1. Log files

When you visit our website, for technical reasons your browser transmits the following data to our server (in what are termed server log files):

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Operating system and its access status / HTTP status code
  • Volume of data transmitted
  • Website the request is coming from (referrer URL)
  • Browser, language and version of the browser software.

It is necessary to store these data in log files in order to provide the website to users and for reasons of IT security. These data are not combined with personal data sources. We reserve the right to review these data at a future time if we become aware of specific evidence of unlawful use. If, in such cases, it is necessary to identify a data subject, we collect these data on the basis of our legitimate interest as defined in Article 6(1)(f) of the GDPR in order to display our website and ensure that it is secure.

3.2. User account

A user account is required in order to use our partner portal. You can delete your user account at any time. Data disclosed in the user account is necessary for customer support and customer care purposes and we process and use it for those purposes.

Some of the services we provide require collaboration with partner companies. If a user makes use of one of these services, we share names or other contact details with these partner companies so that they can perform their tasks. However, our partner companies are not permitted to use information disclosed to them for purposes other than the tasks associated with the service.

3.3. Pearls and More rewards program

Our BWT drinking water professionals and BWT partner fitters are registered in our partner web (fitter platform). When registering, the personal data of the BWT drinking water professional or BWT partner installer entered in the contact fields (title, name, address, telephone number and email address) will be processed. These personal data are transmitted to Connex Marketing GmbH, located at Dr-Schauer-Strasse 26 in A-4600 Wels, Austria, to enable these BWT drinking water professionals and BWT partner fitters to access our Pearls & More rewards program. A data processing agreement has been concluded with Connex Marketing GmbH. No processing of customer data takes place. The purpose of processing these data is to implement certain pre-contractual and contractual measures. The legal basis for this processing is Article 6(1)(b) of the GDPR.

3.4. Newsletters

We offer you the option of receiving various newsletters by email. You can register to receive newsletters either by consenting to receive the newsletter(s) you have selected when you register as a user, or by explicitly providing your email address when subscribing to a specific newsletter. The data you submit when registering to receive a newsletter will be used solely for the purpose of sending the newsletter to you. We will use the email address that you give us to send you the newsletter(s), and require your confirmation that you, as the holder of that email address, consent to receive it/them.

When you register for newsletters, the personal data you enter in the contact fields (title, name, address, telephone number, and email address) will be processed. The purpose of processing these data is to send you information on products, services and events.

The legal basis for this processing is Article 6(1)(a) of the GDPR. Under Article 7(3) of the GDPR, you may withdraw your consent to future processing of your data at any time. All you need to do is inform us of your withdrawal of consent, which you can do by simply clicking the unsubscribe link provided in every newsletter.

3.5. Email notifications (SendGrid)

Account-specific and product-specific notifications (status messages, warning messages and error messages) and email confirmations in response to contact forms are sent via an external service provided by the company SendGrid.

Specifically, the following personal data are transmitted for processing for this purpose:

  • Recipient’s email address
  • Personal form of address

To enable us to better support you in the event of problems regarding your enquiries, your customer account and your product notifications, the following events are stored for a maximum of 30 days:

  • Email delivered to receiving server
  • Email delivered to receiving server - spam
  • Email delivered to receiving server - bounce
  • Email delivered to receiving server - blocked
  • Email opened
  • Link in email clicked

We have concluded a data processing agreement in accordance with Article 28 of the GDPR with this service provider.

3.6. Contact via the website

Our website contains a contact form that can be used to get in touch with us electronically quickly and communicate with us directly. If you use this contact form to get in touch with us, the personal data that you enter will be stored automatically. When you use the contact form to get in touch with us, the personal data you enter in the contact fields (title, name, address, telephone number, fax number, and email address) will be processed. The purpose of this data processing is to process your request. The legal basis for this processing is Article 6(1)(b) of the GDPR.

4. How long we store your data for

We store your personal data, if necessary, for the duration of the entire business relationship (from the initiation of the relationship and its implementation through to completion of contract execution) and beyond, in accordance with the statutory obligations governing the retention and documentation of information, and for the purpose of defending against legal claims. The duration of data retention is therefore determined by the mandatory statutory retention periods and by statutes of limitation. The Austrian Commercial Code (UGB) and the Austrian Federal Tax Code (BAO) stipulate a mandatory retention period of 7 years, while the Austrian Equal Treatment Act (GIBG) sets a period of six months. A longer period of retention may be necessary in certain cases due to statutes of limitation or in order to defend against legal claims.

5. Rights of data subjects

With respect to data processing, every user and data subject has the right:

  • to obtain confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and further information on the data processing, as well as to copies of the personal data undergoing processing (see also Article 15 of the GDPR);
  • to obtain rectification of inaccurate personal data and to have incomplete personal data concerning him or her completed (see also Article 16 of the GDPR);
  • to obtain erasure without undue delay of the personal data concerning him or her (see also Article 17 of the GDPR) or, alternatively, provided further processing is needed in accordance with Article 17(3) of the GDPR, to obtain restriction of processing in accordance with Article 18 of the GDPR;
  • to receive the data concerning him or her and which he or she provided, and to transmit these data to other providers/controllers (see also Article 20 of the GDPR);
  • to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data related to him or her by the provider infringes the statutory provisions governing data protection (see also Article 77 of the GDPR). The appropriate supervisory authority in Austria is the Austrian Data Protection Authority.
  • The service provider is further obligated to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 of the GDPR to each recipient to whom the service provider has disclosed data. This obligation does not apply, however, if this proves impossible or involves disproportionate effort. Irrespective of this, the user has the right to receive information on these recipients.
  • Users and data subjects likewise have the right, in accordance with Article 21 of the GDPR, to object to future processing of data concerning them if the service provider processes the data in accordance with Article 6(1)(f) of the GDPR. In particular, data subjects may object to data processing for the purpose of direct marketing.

You can exercise these rights at any time by writing directly to the controller or the controller’s data protection officer. Please note that we can only provide access to personal data if you provide adequate proof of your identity.

Should you wish to permanently delete your user account, the data stored in your user account will be completely erased automatically.

Version of 7 March 2019