Data protection

We are happy to see that you are interested in our enterprise. Data protection is given particularly high importance by the management of GN Treuhand Anstalt. Generally, the webpages of GN Treuhand Anstalt can be used without entering any personal data. However, as soon as a data subject wants to obtain special services of our enterprise through our webpage, it might become necessary that personal data is processed. If the processing of personal data is necessary and if there is no legal basis for such processing, we generally obtain the consent of the person concerned (the “data subject”).

The processing of personal data such as the name, address, e-mail address, or telephone number of the data subject will always happen in accordance with the General Data Protection Regulation and with the country-specific data protection rules applicable to GN Treuhand Anstalt. By way of this Privacy Statement, our company wants to inform the public on the manner, amount, and purpose of the personal data obtained, used, and processed by us. Furthermore, this Privacy Statement is to inform data subjects on the rights to which they are entitled.

As the data controller, GN Treuhand Anstalt has implemented numerous technical and organisational measures in order to ensure a protection that is as thorough as possible of the personal data processed through this webpage. Nevertheless, internet-based data transfers may as a matter of principle have security gaps, so that absolute protection cannot be guaranteed. For this reason, any data subject is free to provide us with personal data by alternative ways, such as by telephone.

1. Definitions

The Privacy Statement of GN Treuhand Anstalt is based on the terms used by the European bodies issuing directives and regulations when issuing the General Data Protection Regulation (GDPR). It is our objective that our Privacy Statement should be easy to read and understandable for the public as well as for our clients and business partners. To ensure this, we would like to explain in advance the terms used.

We use the following terms in this Privacy Statements, among others:

• a)    personal data

Personal data means all information relating to an identified or identifiable natural person (hereinafter: “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• b)    data subject

A data subject is any identified or identifiable natural person whose personal data is processed by the controller.

• c)    Processing

Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• d)    Restriction of processing

Restriction of processing means the marking of stored personal data with the goal of restricting its future processing.

• e)    Profiling

Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

• f)    Pseudonymisation

Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

• g)    Controller or data controller

Controller or data controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

• h)    Processor

Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• i)    Recipient

Recipient means a natural or legal person, public authority, agency or another body, to which the personal data is disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.

• j)    Third party

Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.

• k)    Consent

Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

2. Controller’s name and address

The controller as defined in the General Data Protection Regulation, any other data protection laws applicable in the Member States of the European Union, and any other provisions with data protection character is:

GN Treuhand Anstalt
Landstrasse 104
9490 Vaduz
Liechtenstein

Tel.: +423 239 32 32
E-Mail: info@gntreuhand.com
Website: gntreuhand.com

3. Cookies

The webpages of GN Treuhand Anstalt use cookies. Cookies are text files that are placed and stored on a computer system using an internet browser.

Cookies are used by numerous webpages and servers. Many cookies contain what is called a cookie ID. A cookie ID is a distinct identifier of the cookie. It consists of a sequence of characters by which webpages and servers can be matched with the specific internet browser on which the cookie has been stored. This enables the webpages and servers visited to distinguish the data subject’s individual browser from other internet browsers that contain different cookies. Using the distinct cookie ID, a specific internet browser can be recognised and identified.

By the use of cookies, GN Treuhand Anstalt is able to provide more user-friendly services to the users of this website, which services would be impossible without setting cookies.

Cookies make it possible to optimise the information and offers on our website for the benefit of the user. As has been mentioned, cookies enable us to recognise the users of our webpage. The purpose of this recognition is to make it easier for users to use our website. For example, the user of a website that uses cookies need not enter his or her access data every time the website is visited because this is done by the website and by the cookie stored on the user’s computer system. Another example is the cookie of a shopping cart in an online shop. The online shop uses a cookie to remember the items put into the virtual shopping cart by a customer.

The data subject may at any time prevent the setting of cookies by our website by using suitable settings of the internet browser used, by which the setting of cookies is denied permanently. Also, any cookies that have already been set can be deleted at any time using an internet browser or other software. This is possible in all internet browsers that are in common use. If the data subject deactivates the setting of cookies in the internet browser used, it may be possible that not all functions of our website can be used to their full extent.

4. Recording of general data and information

Whenever the website of GN Treuhand Anstalt is accessed by a data subject or an automated system, it records various general data and information. This general data and information is recorded in the server’s logfiles. The following can be recorded: (1) the browser type and variant used, (2) the operating system used by the accessing system, (3) the website from where an accessing system arrives at our website (so-called ‘referrers’), (4) the subpages accessed on our website by an accessing system, (5) the date and time of access to our website, (6) an Internet Protocol address (IP address), (7) the internet service provider of the accessing system, and (8) other similar data and information that serve the averting of danger in the event of an attack on our information technology systems.

When using this general data and information, GN Treuhand Anstalt will not draw any conclusions as to the data subject. Rather, this information is required (1) to correctly deliver the content of our website, (2) to optimise the content of our website and advertising for it, (3) to ensure the permanent functioning of our information technology systems and the technology of our website, and (4) in the event of a cyberattack, to provide law enforcement authorities with the information necessary for prosecution. This data and information recorded anonymously by GN Treuhand Anstalt is therefore used firstly for statistic purposes and secondly with the goal to increase data protection and data security in our company to ultimately ensure an optimum level of protection of the personal data processed by us. The anonymous data of the server logfiles is stored separately from any personal data given by a data subject.

5. Contact through the website

Due to legal requirements, the website of GN Treuhand Anstalt includes information that makes it possible to contact our company quickly in electronic form and to have direct communication with us, which also includes a general address of what is called electronic mail (e-mail address). If a data subject contacts the controller through e-mail or through a contact form, the personal data sent by the data subject is stored automatically. Such personal data sent voluntarily by a data subject to the controller is stored for the purpose of processing or of contacting the data subject. This personal data will not be disclosed to any third party.

6. Routine erasure and blocking of personal data

The controller processes and stores personal data of the data subject only for the period of time that is required to achieve the purpose of storage or if this has been provided by the European bodies issuing directives and regulations or by any other legislator in laws or rules which the controller is subject to.

If the purpose of storage ceases or if a term for storage prescribed by the European bodies issuing directives and regulations or by any other competent legislator has expired, the personal data is blocked or erased as a routine process and in accordance with the provisions of the law.

7. Rights of the data subject

• a)    Right to confirmation

Every data subject has the right granted by the European bodies issuing directives and regulations to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. If a data subject wants to exercise this right to confirmation, he or she may at any time turn to an employee of the controller.

• b)    Right of access

Every data subject has the right granted by the European bodies issuing directives and regulations to obtain from the controller confirmation at any time on the personal data stored on him or her and to receive a copy of this information. Furthermore, the European bodies issuing directives and regulations have granted the data subject access to the following information:

• the purposes of processing
• the categories of personal data being processed
• the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations
• where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
• the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
• the existence of a right to lodge a complaint with a supervisory authority
• where the personal data is not collected from the data subject: any available information as to the source of the data
• the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

Furthermore, the data subject has the right to be informed whether personal data has been transferred to a third country or to an international organisation. Where this is the case, the data subject also has the right to be informed of the appropriate safeguards relating to the transfer.

If a data subject wants to exercise this right to information, he or she may at any time turn to an employee of the controller.

• c)   Right to rectification

Every data subject has the right granted by the European bodies issuing directives and regulations to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.

If a data subject wants to exercise this right to rectification, he or she may at any time turn to an employee of the controller.

• d)    Right to erasure (right to be forgotten)

Every data subject has the right granted by the European bodies issuing directives and regulations to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies and as far as processing is not necessary:

• The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
• The data subject withdraws consent on which the processing is based according to point (a) of Art. 6(1) or point (a) of Art. 9(2) GDPR, and where there is no other legal ground for the processing.
• The data subject objects to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Art. 21(2).
• The personal data has been unlawfully processed.
• The personal data has to be erased for compliance with a legal obligation under Union or Member State law to which the controller is subject.
• The personal data has been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.

Where any of the reasons stated above applies and the data subject wants to effect the deletion of personal data stored at GN Treuhand Anstalt, he or she may at any time turn to an employee of the controller. The employee of GN Treuhand Anstalt will effect that the request for erasure will be complied with forthwith.

Where GN Treuhand Anstalt has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, GN Treuhand Anstalt – taking account of available technology and the costs of implementation – will take reasonable steps, including technical measures, to inform controllers which are processing the published personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, that personal data, as far as processing is not necessary. The employee of GN Treuhand Anstalt will take the necessary measures in the individual case.

• e)    Right to restriction of processing

Every data subject has the right granted by the European bodies issuing directives and regulations to obtain from the controller restriction of processing where one of the following applies:

• The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.
• The processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead.
• The controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims.
• The data subject has objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where any of the reasons stated above applies and the data subject wants to demand the restriction of personal data stored at GN Treuhand Anstalt, he or she may at any time turn to an employee of the controller. The employee of GN Treuhand Anstalt will effect the restriction of processing.

• f)    Right to data portability

Every data subject has the right granted by the European bodies issuing directives and regulations to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format. The data subject also has the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, where the processing is based on consent pursuant to point (a) of Art. 6(1) GDPR or point (a) of Art. 9(2) GDPR or on a contract pursuant to point (b) of Art. 6(1) GDPR, and the processing is carried out by automated means, provided that the processing is not necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

In exercising the right to data portability, the data subject also has the right pursuant to Art. 20(1) GDPR to effect that the personal data is transmitted directly by one controller to another controller as far as this is technically feasible and does not impair the rights and liberties of other persons.

To assert the right to data portability, the data subject may at any time turn to an employee of GN Treuhand Anstalt.

• g)    Right to object

Every data subject has the right granted by the European bodies issuing directives and regulations to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Art. 6(1) GDPR, including profiling based on those provisions.

GN Treuhand Anstalt will no longer process the personal data in the event of objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or that the processing serves the establishment, exercise, or defence of legal claims.

Where GN Treuhand Anstalt processes personal data for direct marketing purposes, the data subject has the right to object at any time against the processing of the personal data for the purpose of such marketing. This also applies to profiling as far as it is in connection with such direct marketing. If the data subject objects to GN Treuhand Anstalt against the processing of data for direct marketing purposes, GN Treuhand Anstalt will no longer process the personal data for such purposes.

Where personal data is processed at GN Treuhand Anstalt for scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, the data subject – on grounds relating to his or her particular situation – has the right to object to the processing of personal data concerning him or her, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

To exercise the right to object, the data subject may directly turn to any employee of GN Treuhand Anstalt or any other employee. Also, in the context of the use of information society purposes, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.

• h)    Automated individual decision-making, including profiling

Data subjects have the right granted by the European bodies issuing directives and regulations not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, except where the decision (1) is necessary for entering into, or performance of, a contract between the data subject and a data controller; or (2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or (3) is based on the data subject’s explicit consent.

If the decision (1) is necessary for entering into or for the performance of a contract between the data subject and the data controller or (2) is taken with the data subject’s explicit consent, GN Treuhand Anstalt will implement suitable measures to safeguard the data subject’s rights, freedoms, and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, the right to express his or her own point of view, and the right to contest the decision.

If the data subject wants to assert rights with regard to automated decisions, he or she may turn to an employee of the data controller at any time.

• i)    Right to revoke consent under data protection law

Every data subject has the right granted by the European bodies issuing directives and regulations to revoke at any time his or her consent to the processing of personal data.

If the data subject wants to assert his or her right to revoke consent, he or she may turn to an employee of the data controller at any time.

8. Legal basis of processing

Our company uses Art. 6(1)(a) GDPR as the legal basis for processing operations for which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is party, such as with processing operations that are necessary for the delivery of goods or the rendering of any other performance or counter-performance, processing is based on Art. 6(1)(b) GDPR. The same applies to processing operations that are necessary to carry out precontractual measures, such as with inquiries concerning our products or services. If our company is subject to a legal obligation which requires the processing of personal data, such as to fulfil tax obligations, processing is based on Art. 6(1)(c) GDPR. In rare cases, the processing of personal data may become necessary to protect vital interests of the data subject or of another natural person. This would for example be the case if a visitor were injured in our company and the visitor’s name, age, health insurance data, or other vital information would have to be disclosed to a doctor, a hospital, or other third party. In this case, processing would be based on Art. 6(1)(d) GDPR. Finally, processing operations might be based on Art. 6(1)(f) GDPR. This serves as the legal basis for processing operations that are not covered by any of the above legal bases and applies where processing is necessary for the purposes of a legitimate interest of our company or a third party, except where such interests are overridden by the interests or the fundamental rights and freedoms of the data subject. We are permitted to carry out such processing operations in particular because they have been expressly mentioned by the European legislator. The latter took the position that a legitimate interest could be assumed where the data subject is a client of the controller (consideration 47, 2^nd sentence GDPR).

9. Justified interests in processing pursued by the controller or a third party

If the processing of personal data is based on Article 6(1)(f) GDPR, our justified interest is the conduct of our business activities for the benefit of all our employees and our shareholders.

10. Term for which the personal data is stored

The criterion for the term of storing personal data is the respective legal deadline for retention. After the deadline has expired, the corresponding data is routinely erased, provided that it is no longer necessary for the performance or initiation of a contract.

11. Legal or contractual rules for providing the personal data; necessity for entering into contracts; obligation of data subjects to provide the personal data; possible consequences of not providing personal data

We would like to inform you that providing personal data is partly prescribed by law (such as by tax provisions) or may result from contractual provisions (such as information on the contracting party). For example, it may be necessary for entering into a contract that a data subject provides us with personal data, which then have to be processed by us. For example, the data subject is obliged to provide us with personal data if our enterprise enters into a contract with him or her. Not providing the personal data would have the consequence that the contract with the data subject could not be entered into. Before the data subject provides personal data, he or she must contact one of our employees. Our employee will inform the data subject on a case-by-case basis whether providing the personal data is legally or contractually required or necessary for entering into the contract; whether there is an obligation to provide the personal data; and what the consequences of not providing the personal data would be.

12. Existence of automated decision-making

Being a responsible company, we refrain from automatic decision-making and from profiling.

This sample Privacy Statement has been prepared by the Privacy Statement Generator of DGD Deutsche Gesellschaft für Datenschutz GmbH, which carries out data protection audits, in cooperation with media law firm WILDE BEUGER SOLMECKE.