Data Protection Notice

The company Emmi AI GmbH, Bürgerstraße 6, 4020 Linz, Austria (hereinafter referred to as "Emmi AI" or "we") as the data controller in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data (hereinafter "GDPR"), hereby informs you about the processing of your personal data in your capacity as an Emmi AI customer or provider ("you") or collaborator of an Emmi AI customer/provider ("you") in the context of existing or prospective contractual and business relationships. 

1. Data controller and data protection officer 

All personal data provided by you is processed in compliance with all applicable provisions (especially the GDPR, the Data Protection Act [DSG] and the Telecommunications Act 2021 [TKG 2021]) in a correct, lawful and transparent manner for the purposes set out below and according to the following conditions of lawfulness (legal basis for processing).

The controller is:

Emmi AI GmbH

Bürgerstraße 6
4020 Linz
Austria
Email: privacy@emmi.ai      

2. Purposes of processing, categories of data and legal bases for processing

2.1 Processing of inquiries

If you contact us via the contact details mentioned above, we process your personal data (name, e-mail address or phone number, your inquiry, respective correspondence) for the purpose of processing and responding to your request. The legal basis is the fulfilment of our (pre-)contractual obligations (Art 6 para 1 lit b GDPR) and our legitimate interest (Art 6 para 1 lit f GDPR) in swift responding to possible follow-up questions.

2.2 Initiation of the contract, management and performance of the contract

For pre-contractual measures and the correct and complete management of the contractual relationship between Emmi AI and you, including its execution, we process the following data categories:

• company name;
• mailing address;
• company register number and tax code;
• VAT identification number;
• e-mail address and telephone number;
• bank details;
• invoice data;
• contract and order data (eg contract duration, sales data);
• documentation data (eg e-mail correspondence);
• contact person: first and last name, e-mail address and telephone number, role within the provider's corporate organization and (if applicable) information related to the work activity.

The processing of your personal data for this purpose is necessary for the execution of the contract or for the execution of pre-contractual measures (Art 6 para 1 lit b GDPR). Without this data, we cannot conclude the contract with you or process your request/enquiry. For the provider's/customer's collaborator (especially contact person): The processing of your personal data for this purpose is based on our legitimate interests (Art 6 para 1 lit f GDPR) to conclude and implement the contractual relationship with the provider with whom the legal representative, the administrator or the employee/collaborators has a contractual relationship. The data controller has a legitimate interest to also process the data of contact persons for the fulfillment of the contract, even if this person is not a party to the contract.

2.3 Fulfillment of corporate and tax law obligations

Furthermore, we process these data to the extent required by law in order to comply with our corporate and tax law obligations, in particular pursuant to the Austrian Commercial Code (UGB) and the Austrian Fiscal Code (BAO) (Art 6 para 1 lit c GDPR).

2.4 Assertion of legal claims

In addition, we process your personal data as well as the data from our business relationship in case of cause for the assertion, exercise and enforcement of legal claims. The data processing is therefore based on our legitimate interests to secure our legal claims (Art 6 para 1 lit f GDPR). If necessary, we also forward this data to our lawyers, collection agencies, courts or authorities.

2.5 Other

In the event of a corporate acquisition, we may disclose your data on the basis of our legal obligations in accordance with Art 6 para 1 lit c GDPR and our legitimate interests in accordance with Art 6 para 1 lit f GDPR in order to carry out the corporate restructuring properly.

3. Data sources

Your personal data will be obtained by the data controller:

• directly from you;
• from the customer/provider with whom you have a contractual relationship; and
• from publicly accessible sources (such as, for example, the Companies' Register kept by the chambers of commerce and other trade registers);

4. Recipients of personal data

We provide your personal data to the extent necessary to:

• to persons authorized by the data controller to carry out personal data processing operations (employees and/or collaborators of the controller); and
• the data processors appointed by the data controller (eg providers of IT, technological and telematic services; providers of services for the management and storage of tax and accounting documentation).

These data processors only process your data on our behalf, based on our documented instructions and exclusively to provide the mentioned services. We have concluded data processing agreements with all our processors in accordance with Art 28 GDPR.

To the extent necessary and for the purposes indicated above (cf Section 2), your personal data may be disclosed to the following independent data controllers:

• courts, authorities and other public bodies to the extent legally required; 
• external third parties involved in business processing (eg banks, postal service providers, forwarding agents, etc);
• to lawyers, collection agencies, courts and authorities to protect our legitimate interests in asserting and defending our rights;
• to (tax) consultants and auditors to fulfill our obligations under tax law.

Your data may also be transmitted in accordance with the law to tax authorities, police and judicial and administrative authorities, for the assessment and prosecution of crimes, prevention and protection from threats to public security, to allow the data controller to ascertain, exercise or defend a right in court, as well as for other reasons related to the protection of the rights and freedoms of others.

5. Storage period 

We store your personal data for as long as it is required for the purpose. After that, your data will be permanently deleted or in any case rendered irreversibly anonymous.

As regards contact inquiries, we store your personal data for a period of six months to respond to possible follow-up questions. A longer storage period applies if there is a subsequent contractual relationship with you.

If there is a contractual relationship, we are subject to statutory retention periods (in particular Sec 190, 212 UGB) and tax law requirements (in particular Sec 132 BAO). Your personal data will be stored for the management of the contract and for the fulfillment of our respective administrative/accounting/tax obligations for a period of 7 (seven) years from the correct and complete performance of the contract between Emmi and the Provider.

Furthermore, we store your personal data until the end of the statutory limitation period (in general 3 years after the end of the contract, but a maximum of 30 years) and until the end of legal proceedings, where the data are needed as evidence. We store your data subject requests for 18 months.

Data related to unconfirmed compliance violations is stored for a maximum of 2 months after the conclusion of any investigations (or pending proceedings).

This is without prejudice to cases where retention for a longer period is required for any litigation, requests by the competent authorities or under applicable law.

6. Transfer outside the EU/EEA

In principle, we do not transfer your data to countries outside the European Union (EU) or the European Economic Area (EEA). In cases, where we do need to transfer your data to countries outside the EU or EEA, we only transfer your data to countries that offer an adequate level of data protection as determined by adequacy decisions of the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en).

The transfer of your personal data to countries outside the EU/EEA that do not ensure an adequate level of protection will only take place if Emmi AI and the recipients of the data have concluded the standard contractual clauses of the European Commission (SCCs) as adequate safeguards for the protection of your personal data and have implemented supplementary security measures, or if you have given your express voluntary consent.

7. Data security

We have taken appropriate technical and organizational security measures within the meaning of Art 32 GDPR to ensure the confidentiality and security of your personal data.

8. Your rights as a data subject

As a data subject, you can exercise the rights provided for in the applicable legislation on the protection of personal data with regard to the data processing described here: 

• to obtain confirmation as to whether personal data concerning you is being processed and, if so, to obtain access to the data and related information (in particular the purposes of the processing; the categories of personal data processed; the recipients or categories of recipients to whom the data have been or will be disclosed; the duration of storage of the data or the criteria for determining this; the existence of the right to rectify or delete the data or to restrict or object to its processing; the right to lodge a complaint with a supervisory authority; the origin of the data; the possible existence of automated decision-making, including profiling, and, in such cases, meaningful information about the logic involved and the significance and expected consequences of such processing for the data subject; the appropriate safeguards in the event of personal data being transferred outside the EU/EEA), as well as a copy of this personal data, provided that this does not affect the rights and freedoms of other persons (right of access, Art 15 GDPR).

• The rectification of your personal data, i.e. the correction, modification or updating of inaccurate or no longer applicable data, as well as the completion of incomplete personal data, including by means of a supplementary statement (right to rectification, Art 16 GDPR).

• to request the erasure of your personal data, in particular if (i) it is no longer necessary for the purposes for which it was collected or processed, or (ii) it has been processed unlawfully, or (iii) it must be erased to comply with a legal obligation, or finally (iv) you have objected to the processing (see below "Right to object") and there are no overriding legitimate grounds for Emmi AI to continue the processing in any case (right to erasure, Art 17 GDPR). In particular, deletion cannot take place if the processing is necessary for compliance with a legal obligation or for the establishment, exercise, or defense of legal claims in court.

• to obtain restriction of the processing of your personal data, i.e. that Emmi AI retains this data without being able to use it. This right may be exercised in particular if (i) the accuracy of the personal data is contested, for the period required by Emmi AI to verify the accuracy of the data, or (ii) the processing of the data is unlawful and a restriction on the use of the data is requested instead of its erasure, or (iii) although Emmi AI no longer needs them for the purposes of the processing, the personal data is required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) you have objected to the processing (see below "Right to object") pending verification of whether the legitimate grounds of Emmi override those of the data subject (right to restriction of processing, Art 18 GDPR).

• to request Emmi AI to store the personal data processed on the basis of your consent or on the basis of a contract in a commonly used format and, where technically feasible, to transmit it directly to a third party designated by you (right to data portability, Art 20 GDPR).

• To withdraw your consent at any time without giving reasons with effect for the future, e.g. by email to privacy@emmi.ai (right to withdraw consent, Art 7 para 3 GDPR). 

Furthermore, as a data subject, you have the right to object (Art 21 GDPR) to direct marketing measures and, at any time, on grounds relating to your particular situation, to the processing of your personal data for the purpose of contract execution and fulfillment between Emmi AI and the provider. In this case, Emmi AI will refrain from further processing of your personal data unless it can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or the processing serves to assert, exercise, or defend legal claims.

If you believe that your personal data has been processed unlawfully, you have the right to lodge a complaint with the data protection authority at Barichgasse 40-42, 1030 Vienna, Austria, or lodge a judicial appeal (Art 77 GDPR). The complaint may also be lodged with the supervisory authority of the EU country in which you have your habitual residence or place of work, or with the supervisory authority of the place where the alleged infringement took place.

To exercise these rights, you can contact us at any time, for example in writing to Emmi AI GmbH, Bürgerstraße 6, 4020 Linz, Austria, or at the email address privacy@emmi.ai.

9. Changes

The continuous development of our activities may lead to changes in the characteristics of the processing of your personal data described above. Therefore, this privacy policy may be subject to changes and additions over time, which may also be necessary in view of new laws on the protection of personal data.

In the event of significant changes to this policy, we will inform you separately. In addition, the current version of the privacy policy can be accessed at any time via https://emmi.ai/privacy-policy.