DATA PROTECTION POLICY

This Data Protection Policy (the “Policy”) contains details on how Integra Handel GmbH, operating as Fliesen & Dekor (the “Company”), processes personal data when you contact the Company, purchase from us, use our services, or visit our website.

Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 – “GDPR”) and the applicable national and European data protection laws (together, the “Data Protection Laws”).

Terms highlighted in this Policy are, where provided, defined in a glossary.

SCOPE

This Policy applies to all personal data that we process as controller within the meaning of the GDPR.

The Company is the controller for personal data insofar as it determines for what purpose and in what manner such data is processed.

The Company may process personal data in particular from the following categories of persons:

• Customers and prospective customers
• Visitors to our shop or our website
• Contacts at suppliers and business partners
• Service providers and contractors
• Applicants
• Employees and former employees

PURPOSE

The purpose of this Policy is to explain:

• which personal data we process,

• for what purposes such data is processed, and

• which measures we take to protect such data.

In addition, this Policy sets out our obligations and responsibilities in connection with the protection of personal data.

This Policy is not an exhaustive description of all processing activities. You will be informed separately of material changes or deviations where required by law and where practicable.

TYPES OF PERSONAL DATA

1. Employees, applicants and contractors

The Company collects and processes personal data relating to employees, applicants, self‑employed/freelance service providers and contractors, as well as former employees and contractors, insofar as this is necessary for the establishment, performance and termination of employment or contractual relationships.

The personal data processed may include, in particular:

• Personal data such as name, date of birth, nationality
• Contact data such as address, telephone numbers and e‑mail address
• Identification and administration data such as social security number, tax identifiers, bank details
• Employment-related data such as employment contract, working hours, place of work, training, qualifications, performance reviews, further training and development measures
• Application data such as CV, education and professional background
• Payroll and remuneration data such as salary and wage information
• Data required by law in connection with tax, social security and reporting obligations
• Health-related data insofar as legally required (e.g. sick leave, medical confirmations)

This list is not exhaustive; however, it covers the data typically processed in the context of an employment or service relationship.

2. Suppliers, business partners and customers

The Company collects and processes personal data of suppliers, business partners, customers and their contacts insofar as this is necessary for business execution.

This may include, in particular:

• Master data such as name, title, function or position
• Contact data such as e‑mail address, telephone number, business address
• Contract and communication data in connection with quotations, orders, deliveries and invoices
• Accounting and tax data, in particular company register information, VAT IDs and other tax-relevant information

3. Special categories of personal data

The Company processes special categories of personal data within the meaning of Article 9 GDPR only where this is permitted or required by law.

This may include, in particular:

• Health data (e.g. in connection with employment-law obligations)
• Social security relevant data
• Data in connection with statutory evidence and documentation obligations

Special categories of personal data are processed only in compliance with the Data Protection Laws and with appropriate technical and organisational safeguards.

PURPOSES OF PROCESSING

The Company processes personal data exclusively for the purposes for which it was collected, or for purposes compatible with those purposes.

The most common purposes include, in particular:

• Performance and handling of purchase contracts, orders, deliveries and payments
• Invoicing, accounting and tax processing
• Administration of employees, including payroll accounting, HR administration and compliance with employment and social-security obligations
• Processing of enquiries, customer service and ongoing communication with customers, suppliers and business partners
• Marketing and sales measures where permitted by law
• Improvement of our products, services and business processes
• Analysis and statistical purposes to optimise the business operation
• Business planning and business strategy
• Internal controls, audits and investigations
• Prevention, detection and investigation of unlawful or abusive conduct against the Company, its customers or its employees
• Compliance with statutory obligations, in particular under tax, commercial and employment law

From time to time, the Company may also process personal data for additional purposes, provided such processing is compatible with the original purposes or is based on an appropriate legal basis.

The Company ensures that data subjects are informed about the purposes of processing, where required, at the time of collection or as soon as possible thereafter.

Where processing is based on consent, data subjects have the right to withdraw such consent at any time with effect for the future.

PROFILING

The Company may, to a limited extent, carry out automated evaluations of personal data of certain persons—especially employees, contractors and applicants—where this is necessary for personnel administration, deployment planning or performance assessment.

Such processing may include, for example, attendance, deployment or performance analyses within the scope of personnel organisation.

The Company carries out such processing only if:

a) it is permissible under applicable national or European laws (e.g. to fulfil employment or tax obligations), or

b) it is necessary for the conclusion or performance of a contract, or

c) the data subject has given explicit consent.

Automated decision-making within the meaning of Article 22 GDPR that produces legal effects or similarly significantly affects the data subject does not, as a rule, take place.

RIGHTS OF INDIVIDUALS

Data subjects have certain rights under the Data Protection Laws, in particular the GDPR.

1. Access

You have the right to request confirmation as to whether personal data relating to you is being processed. If so, you may request access to such data and a copy of the personal data processed by us.

2. Rectification, completion and erasure

If you believe that personal data processed by us is inaccurate or incomplete, you have the right to request rectification or completion.

In addition, you may request erasure of your personal data under the statutory conditions.

3. Objection

You have the right to object to the processing of your personal data where such processing is based on a legitimate interest of the Company.

4. Restriction of processing

You may request restriction of processing under the statutory conditions, in particular if:

• the accuracy of the personal data is contested,
• the processing is unlawful,
• the personal data is no longer needed for the purposes of processing, or
• you have objected to the processing.

5. Automated decision-making

Where the Company uses automated decision-making including profiling that produces legal effects or similarly significantly affects you, you have the right to object.

Requests to exercise your rights may be addressed to the Company at any time. The Company will review and process such requests in accordance with the statutory requirements.

SECURITY

Security measures

The Company implements appropriate technical and organisational measures to protect personal data against unlawful or unauthorised processing, and against accidental loss, destruction, alteration or disclosure, as well as against unauthorised access.

Personal data is processed and stored using various safeguards, in particular:

• Physical safeguards such as restricted access to office areas and lockable filing cabinets
• Technical safeguards such as access controls, user and authorisation concepts, password protection and secured IT systems
• Organisational measures such as internal policies, training and clear responsibilities for handling personal data

These measures are reviewed regularly and, where required, adapted to the state of the art.

Personal data breaches

The Company maintains internal procedures for the detection, assessment and handling of personal data breaches.

In the event of a personal data breach, the Company will take all measures required by law, in particular:

• immediate internal reporting and assessment of the incident,

• where applicable, notification of the competent supervisory authority, and

• where required by law, informing the affected data subjects.

Employees and contractors are obliged to report suspected or actual personal data breaches without undue delay so that appropriate action can be taken promptly.

DISCLOSURE OF PERSONAL DATA

From time to time, the Company may disclose personal data to third parties or grant third parties access to personal data processed by us where there is a legal basis for doing so. This may in particular occur where an authority, court or law enforcement body makes a lawful request for disclosure.

In addition, the Company may disclose personal data:

a) to selected third parties such as business partners, suppliers, service providers or subcontractors, to the extent necessary for the fulfilment of contractual or statutory obligations;

b) to third parties in the context of corporate or asset transactions, in particular the sale, acquisition or restructuring of parts of the business; or

c) where the Company is legally obliged to disclose personal data, including the exchange of information with other companies or organisations for fraud prevention or the enforcement of legal claims.

Where the Company engages third parties to process personal data on its behalf (processors), it ensures that appropriate processing agreements are concluded and that such parties implement suitable technical and organisational measures to protect the data.

Such parties may include, in particular:

• IT and communications service providers
• Accounting and tax advisory service providers
• Payroll accounting providers
• Payment and billing service providers
• Marketing or sales service providers
• Operators of IT systems or data centres

Disclosure takes place in each case in accordance with the Data Protection Laws.

DATA RETENTION

The Company retains personal data only for as long as it is necessary for the purposes for which it was collected and processed.

Retention is carried out in accordance with applicable statutory retention and documentation obligations, in particular under corporate, tax and employment law, as well as in accordance with the Company’s internal requirements.

Once personal data is no longer required for the stated purposes and no statutory retention obligations apply, such data will be deleted or anonymised.

DATA TRANSFERS OUTSIDE THE EEA

In individual cases it may be necessary that the Company transfers personal data to countries outside the European Economic Area (EEA) or that processing takes place there.

Such transfers are carried out exclusively in accordance with the Data Protection Laws, in particular the GDPR. The Company ensures that appropriate safeguards are implemented to guarantee an adequate level of protection.

ROLES AND RESPONSIBILITIES

The Company, as controller within the meaning of the GDPR, is responsible for the processing of personal data.

The Company’s management bears overall responsibility for compliance with this Policy and the applicable Data Protection Laws. Management appoints suitable internal contacts for:

i) the processing of personal data of current and former employees,

ii) the processing of personal data of customers, suppliers and other business contacts, and

iii) ensuring the confidentiality, integrity and availability of the personal data processed by the Company.

Legal advice and support for the interpretation and implementation of the Data Protection Laws and this Policy may, where necessary, be provided by external legal or tax advisers.

All employees and contractors of the Company are required to comply with the current version of this Policy.

An intentional or grossly negligent breach of this Policy may—depending on severity—result in employment- or contract-law measures up to and including termination of the employment or contractual relationship.

COMPLAINT PROCEDURE

If you have questions about this Policy and/or the processing of your personal data, or wish to submit a complaint, you may contact the Company at any time.

Please address your request or complaint to:

E‑mail: management@fliesendekor.com

Management or the designated contact will review your request/complaint and will endeavour to clarify the matter promptly and amicably.

Irrespective of this, you have the right to lodge a complaint with the competent data protection authority if you believe that the processing of your personal data violates the Data Protection Laws.

However, we would appreciate it if you would first contact us directly so that we have the opportunity to review and address your concerns.

RELATED DOCUMENTS

This Policy should be read in conjunction with the following documents:

• General Terms and Conditions (AGB)
• Imprint
• Website Privacy Notice

The principles and measures described in this Policy form the general basis for the handling of personal data within the Company.

Where specific processing—especially in connection with the use of the website—is concerned, the relevant provisions of the Website Privacy Notice prevail.

Should further policies or procedures be introduced in the future, these will be supplemented accordingly and communicated.

ANNEX I – GLOSSARY
The terms used in this Data Protection Policy have the meanings set out below:

Data Controller
The Data Controller is the natural or legal person who, alone or jointly with others, determines the purposes and means of processing personal data.
For the purposes of this Privacy Policy, this refers to Integra Handel GmbH (Fliesen & Dekor).

Data Processor
A Data Processor is a natural or legal person who processes personal data on behalf of the Data Controller, e.g. IT service providers, accounting or payroll providers.

Personal Data
Personal data refers to any information relating to an identified or identifiable natural person. A person is considered identifiable if their identity can be determined directly or indirectly.
Personal data includes, in particular:

Employees, Applicants, and Contractors

• Personal details (e.g. name, date of birth)
• Contact information (e.g. address, phone number, email address)
• Contract and employment data (e.g. employment contract, place of assignment, qualifications)
• Payroll and administrative data (e.g. bank details, tax and social security numbers)
• Application documents (e.g. CV, educational and professional background)
• Health data, where legally required (e.g. medical certificates)

Customers, Suppliers, and Business Partners

• Personal master data (e.g. name, role, company)
• Contact details (e.g. address, phone number, email)
• Contract, order, and billing data
• Tax-relevant information (e.g. VAT number, tax number)

Processing
Processing refers to any operation performed on personal data, with or without the aid of automated processes, such as:
collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, restricting, erasing, or destroying.

Profiling
Profiling means any form of automated processing of personal data aimed at evaluating certain personal aspects of a natural person, in particular to analyze or predict work performance, behavior, or preferences.

Special Categories of Personal Data
Special categories of personal data refer to personal data revealing:

• racial or ethnic origin
• political opinions
• religious or philosophical beliefs
• trade union membership
• genetic data
• biometric data (e.g. fingerprints, facial images)
• health data
• data concerning a person’s sex life or sexual orientation
  Additionally, data relating to criminal convictions and offences are also considered particularly sensitive.

Personal Data Breach
A personal data breach is a security incident that – whether accidental or unlawful – results in the destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data.

European Economic Area (EEA)
The European Economic Area (EEA) includes all member states of the European Union as well as Iceland, Liechtenstein, and Norway.

ANNEX II – COMPANY-SPECIFIC PROCESSING
This annex provides additional information on the company-specific processing of personal data by Integra Handel GmbH (Fliesen & Dekor).

1. Applicable Data Protection Laws and Supervisory Authority
In this annex, the term “data protection laws” refers to the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR) as well as the Austrian Data Protection Act (DSG) in its applicable version.
The competent data protection supervisory authority is:
Austrian Data Protection Authority
Wickenburggasse 8
1080 Vienna
Phone: +43 1 52 152-0

2. Personal Data Processed by the Company
In addition to the categories described in this Privacy Policy, the company also processes the following personal data, where required in individual cases:

• Creditworthiness and payment information from customers, especially when payment terms, instalments, or credit lines are granted or requested;
• Contract- and payment-related history, including information on outstanding receivables, payment history, and dunning processes.

These data are processed exclusively for specific purposes, proportionately, and in accordance with data protection laws, in particular for:

• Assessing the financial performance of customers,
• Minimizing payment defaults, and
• Fulfilling the company’s legitimate economic interests.

The company does not process:

• GPS location data,
• Vehicle or tachograph data,
• Biometric data,
• Systematic surveillance data.

3. Purposes of Processing Personal Data
In addition to the purposes described in this Privacy Policy, the company processes personal data exclusively within the scope of operational business activities, in particular for:

• Handling of purchase agreements and customer inquiries
• Invoicing, accounting, and tax obligations
• Personnel management and employment law obligations
  There are currently no other company-specific purposes.

4. Profiling
The company does not perform profiling within the meaning of the GDPR.

5. Security Measures
In addition to the measures described in this Privacy Policy, the company implements the following technical and organizational security measures, in particular:

• Regular software and system updates
• Use of current and industry-standard IT technologies
• Access restrictions on IT systems (user accounts, password protection)
• Access granted only to authorized persons
• Regular review of access and user permissions

6. Disclosure of Personal Data to Third Parties
The company does not disclose personal data to third parties beyond the recipients described in this Privacy Policy.

7. Data Retention Periods
Personal data is retained based on the following criteria:

• Existing or terminated business relationships
• Statutory retention periods, especially under tax and commercial law
• Duration of contracts as well as warranty and complaint periods
• Duration of employment or application relationships (active / terminated)

The relevant legal requirements from accounting, tax law, contract law, and labor law are taken into account.

8. Data Transfers Outside the EEA
In individual cases, it may be necessary for the Company to transfer personal data to countries outside the European Economic Area (EEA) or to have such data processed there.

Any such transfer shall be carried out exclusively in compliance with the applicable data protection laws, in particular the General Data Protection Regulation (GDPR), and only with the implementation of appropriate safeguards in order to ensure an adequate level of data protection.