Privacy Policy

Data protection declaration

The protection of your personal data is of particular concern to us. We therefore process your data exclusively on the basis of the legal provisions (GDPR, TKG 2003). In this data protection information we inform you about the most important aspects of data processing on our website.

When you visit our website, your IP address, start and end of the session are recorded for the duration of this session. This is due to technical reasons and therefore represents a legitimate interest within the meaning of Art 6 (1) (f) GDPR. Unless otherwise regulated in the following, this data will not be processed by us.


I. Who we are and how you can contact us if you have any questions:

The person responsible within the meaning of the Basic Data Protection Regulation (GDPR) is the:



Spechtgasse 34

A-2340 Mödling by Vienna

City Office

Linke Bahngasse 7

A-1030 Vienna

Tel.: + 43 1 603 11 33



II. our data processing - for what purpose and on what legal basis we process personal data

II.1 General:

We process personal data in compliance with the relevant data protection regulations, in particular the Basic Data Protection Regulation (GDPR, VO [EU] 2016/679) and the Austrian Data Protection Act (DSG). Any processing by us will therefore only take place on the basis of a legal basis (in particular in accordance with Art. 6 Para. 1 lit a - f GDPR), which will be stated below for the individual data processing operations. All of our employees entrusted with the processing are obliged to maintain the confidentiality of your data (data secrecy). TOL does not carry out any automated decision making.

In principle, we collect personal data from the data subject. In individual cases, we collect and store personal data (in particular name, contact information) on the basis of correspondence with our customers and business partners or from publicly accessible sources (e.g. telephone directory, websites, company register) on the basis of Art 6 para. 1 lit f GDPR (and thus not directly from the data subject) if this is necessary for our service provision or for contacting and administering the data, in which our legitimate interest also lies.

II.2 Operation of our website:

Every time you access our website (, your computer (terminal device) or browser automatically transmits certain information to enable you to visit or operate the website:

IP address

Date and time of the request

Time zone difference to Greenwich Mean Time (GMT)

Content of the request (page/content to be retrieved)

Access Status/HTTP(S) Status Code

Browser and browser version

Operating system and its interface

These data are stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis and purpose of data processing

The legal basis for the processing of data and their temporary storage in log files is Art 6 Paragraph 1 lit f GDPR. Temporary storage of the listed data by the system is necessary to enable delivery of the website to the user's computer. The storage in log files is done to ensure the functionality of the website. In addition, the data serves us to optimise the website and to ensure the security of our information technology systems, in particular to guarantee the integrity, confidentiality and availability of the data processed via our website. These purposes also include our legitimate interest in data processing in accordance with Art 6 Paragraph 1 lit f GDPR. This data is not stored together with other personal data of the user.

Duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. This is the case when collecting data for the purpose of providing the website when the respective session is ended. When the data is stored in log files, this is the case after seven days at the latest, unless further processing is necessary to clarify a (suspected) attack.

Personal data, which is collected during the operation of the website, is only used by us in the event of a (suspected) data security incident or a criminal act (e.g. an attack) for the purposes of clarification, prosecution and the assertion of legal claims against third parties (in particular expert persons and security experts).
Personal data, which is collected during the operation of the website, will only be transmitted by us to third parties (in particular to expert persons and security authorities) in the event of a (suspected) data security incident or a criminal act (e.g. an attack) for the purposes of clarification, prosecution and the assertion of legal claims.

Third-party websites: Our website contains in part (e.g. in our event notes) hyperlinks to and from third-party websites. If you follow a hyperlink to one of these websites, please note that we cannot assume any responsibility or guarantee for third-party content or data protection conditions.

II.4 Twitter:

We use the short message service "Twitter" under the handle @WRitzberger and make use of the platform of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103 USA. Responsible for data processing (for persons living outside the USA) is: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. Please note that you use this short message service and its functions (e.g. Retweet, Like) on your own responsibility and that we have no influence on the data processing by Twitter. For more information on processing by Twitter, please refer to the Twitter privacy policy: Twitter Inc. is committed to the principles of the EU-US Privacy Shield. You can find more information about this here:
The data you publish on Twitter, in particular your handle (user name) and the content accessible under your account, are processed by us to the extent that we retweet or reply to these ("tweets") or write tweets from us that refer to your account.

II.5 Provision of services as well as customer care and information in this context (sale and offer of our services as well as administration of these services):

We process personal data for the purposes of providing our services, customer support and information, including internal documentation and administration. The legal basis for the processing of the data is the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 Paragraph 1 lit b GDPR); the fulfilment of legal obligations (Art 6 Paragraph 1 lit c GDPR) as well as our legitimate interests (Art 6 Paragraph 1 lit f GDPR), in particular the interests of asserting or defending our own legal claims as well as internal administration within the company.

In order to conclude a contract, the provision of certain personal data is required by law or by contract, which the person concerned is obliged to provide; otherwise, no contract (and thus no service) can be concluded.

II.6 Establishing contact:

When contacting us (e.g. via contact form or e-mail), the information provided by the inquirer (name, contact data, other details) will be processed for documentation, processing and answering the enquiry. We offer a contact form on our website. We have marked the mandatory data required to answer an inquiry as mandatory fields. The provision of further data is voluntary.

The basis for this is our legitimate interest in the proper documentation, processing and answering of the enquiry (Art 6 para. 1 lit f GDPR); in the event of contact being made in an upright customer relationship or the initiation of a business relationship, we rely on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para. 1 lit b GDPR).
If you contact us in order to fulfil your obligations under labour or civil law as an employee (employee) for your employer or other client, we also have a legitimate interest in the proper documentation, processing and answering of the enquiry (Art 6 Paragraph 1 lit f GDPR), which also includes your data as an external contact person; in the case of contacting us in an upright client relationship or the initiation of a business relationship, we rely on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 Paragraph 1 lit b GDPR).

II.7. Applications:

We process the data of applicants on the basis of Art 6 Paragraph 1 lit b GDPR (pre-contractual measures) and Art 6 Paragraph 1 lit f GDPR for the purpose of carrying out the application procedure and contacting the applicant.

If you apply for an open position and there is no recruitment, we will store the personal data for six months from the end of the application procedure (deadline for asserting claims under Sections 15 (1) and 29 GlBG) on the basis of Art 6 (1) lit f GDPR. If the applicant agrees to this in each individual case, we will keep the specific application documents in evidence for a further period of up to two years.

If it is a speculative application, we process the application documents for a maximum of two years on the basis of Art 6 Paragraph 1 lit f GDPR in order to be able to contact the applicant in the event of suitable positions, whereby an informal objection to the processing can be lodged at any time.

In any case, proof of qualification is required for the conclusion of a contract. In individual cases, depending on the requirements for filling a vacancy, it may also be necessary to submit further data (e.g. extract from the criminal register). If the required data is not submitted, such an application cannot be considered. If we contact the applicant with references provided by the applicant, data and information on a previous employment relationship may be collected by appropriate third parties. In the event that an employment relationship is established, the application documents will continue to be used for personnel administration purposes.

II.8 To whom do we transmit personal data?

We will only transfer your personal data to the extent necessary and only in the following cases:

with your consent;

for the processing of contractual relationships or for the implementation of pre-contractual measures;

insofar as we are legally obliged to do so;

to companies that support us in providing our services; these service providers act as contract processors, who may only process the data in accordance with our instructions (within the framework of a contract processing agreement);

insofar as this is necessary to protect our legitimate interests (e.g. to assert, exercise or defend legal claims) or those of a third party and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.

In the cases mentioned above, the following third parties may come into consideration: contractual and business partners who are involved in the delivery or service (e.g. logistics companies), banks (for handling payment transactions), legal representatives, courts, auditors / tax consultants, administrative authorities, self-governing bodies (social insurance carriers), insurance companies.

In principle, TOL has no intention to transfer personal data to recipients in third countries or international organisations. Such a transfer is possible if a data subject or, in the specific case, a party involved is located in a third country (e.g., in the case of a customer headquartered outside the EU). If we transfer data to a country without adequate data protection legislation, we ensure an adequate level of protection by using suitable guarantees in the form of appropriate contracts (standard contractual clauses) or binding internal data protection regulations (Binding Corporate Rules) or rely on the exceptional circumstances otherwise provided for in the GDPR (consent, the execution of a contract, the establishment, exercise or enforcement of legal claims, overriding public interests, the published personal data or because it is necessary to protect the integrity of the data subjects). For a copy of the mentioned contractual guarantee, please contact us using the contact details provided.

In this context, we would also like to point out that any data voluntarily published by users of our services themselves (e.g. online comments on the website) is public and potentially accessible worldwide.

III How long do we store personal data?

Unless otherwise specified in the respective processing, we store personal data for as long as it is necessary to ensure the fulfilment of the aforementioned purposes or as long as we are legally obliged to do so.


This means for business letters, contracts, bookings etc. according to § 212 para. 1 UGB and § 132 para. 1 BAO: Until the end of the business relationship or until the expiry of the limitation and statutory retention periods applicable to us (in particular at least 7 years to prove compliance with tax, duty and company law retention obligations); furthermore until the end of any legal disputes in which the data is required as evidence. In the case of services where claims for damages or other titles are asserted, for the required period (between 3 and 30 years).

For inquiries (contacting): Personal data that you voluntarily provide us with will be stored by us for the purpose of providing the associated processing and keeping records (up to 3 years after completion or termination), except for a longer storage period is also required for the purpose of fulfilling a legal obligation or for the assertion or defense of legal claims.

IV. Rights of the person concerned

Provided that the respective legal requirements are met, you can assert the following rights of data subjects:

Right to information: You can request confirmation as to whether personal data concerning you is being processed and request information about this data and the information in accordance with Art 15 GDPR.

Right of rectification if we process incorrect or incomplete data about you (Art 16 GDPR).

Right to have personal data concerning you deleted if the conditions of Art 17 GDPR are met.

Right to limit the processing of your data (Art 18 GDPR).

The right to transfer the data you have provided to us, provided that the processing is based on consent (Art 6 Paragraph 1 letter a) or on a contract (Art 6 Paragraph 1 letter b) to which you are party and that the processing is carried out using automated procedures (Art 20 GDPR).

In the case of processing operations carried out on the basis of legitimate interests (pursuant to Art. 6 para. 1 lit f GDPR), you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, provided that there are reasons for doing so arising from your particular situation. In the case of processing for the purpose of direct marketing, this right is unrestricted.

You can revoke your consent to the processing of personal data at any time, please contact us (see our contact details). Revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation.

Right of complaint: You have the right to complain to a supervisory authority responsible for you (in Austria: Data Protection Authority, if you believe that the processing of personal data relating to you has violated the GDPR or your rights as a data subject have been infringed. In cases in which you were not completely satisfied with our work, we request that you first contact us so that we can be given an opportunity to rectify any errors.

Changes to our privacy policy

We always keep our privacy policy up to date and therefore adapt it when necessary.