Privacy policy

Privacy Policy in accordance with Art. 13, 14 GDPR – Compliance with information requirements

All personal designations shall always be construed as gender-neutral and shall only serve the purpose of simplified legibility.

1. Entity responsible for data processing

The entity responsible in accordance with Art. 4 Para. 7 EU General Data Protection Regulation (GDPR) is

Schmiedgasse 38
8010 Graz

Tel: +43 50 2682


2. Data processing concerning persons in a business environment

2.1. Data processing in accordance with Art. 13 GDPR

We process such data as is placed at our disposal by a very wide variety of persons in user entries, e.g. within the scope of an email enquiry, in order to initiate and conclude a contract or business relationship.

2.2. Data processing in accordance with Art. 14 GDPR

Furthermore, we process data concerning persons that can be part of a contractual relationship which we have permissibly received within the scope of information disclosed by third parties (e.g. managers communicate to us data concerning their employees).

2.3. Persons involved

With regard to prospects we process the following data: Company name, name of the contact person and professional contact data and address data.

With regard to customers we process the following data: Salutation, sex, first name and surname, date of birth, address, nationality, contact data, legitimation data (e.g. copy of ID card), PEP status, customer number. Furthermore, order data, data deriving from compliance with contractual obligations or documentation data (e.g. consultation records), are also processed. Furthermore, order data, data deriving from compliance with contractual obligations or documentation data (e.g. consultation records), are also processed.

With regard to suppliers and business partners(for example, trade partners and settlement agents) we process the following data: Company name, title and names of the contact persons, professional address data and contact data, bank details, contract data.

2.4. Disclosure of data

We only disclose personal data to third parties if it is necessary for the purpose of contract settlement and contract fulfilment or as a result of legal regulations.

2.5. Retention/deletion of data

We delete the data as soon as storage is no longer required/allowed or as soon as legal retention obligations, e.g. for VAT purposes, have expired. If the basis of processing constitutes consent, we restrict processing or delete the data upon withdrawal of consent – legal regulations permitting.

2.6 Contact made by email

If you make contact with us by email, we save the data communicated by you on the basis of your consent so that any questions you may have can be answered. We delete the data arising in this context when processing is no longer necessary, or we restrict processing if any legal retention obligations exist.

2.7. Publication of the names of originators

We are legally obliged to disclose the names of originators of image data (photographs or videos) upon any publication of image data. We delete such personal data automatically as soon as we discontinue use of the image data.

2.8. Legal basis

The legal basis for data processing is

  • – contract initiation and fulfilment in accordance with Art. 6 Para. 1 b GDPR
  • – legal obligations in accordance with Art. 6 Para. 1 c GDPR (e.g. legally prescribed retention and documentation obligations, publication obligations in accordance with the Copyright Act)
  • – legitimate interests on the part of our company within the meaning of Art. 6 Para. 1 f GDPR (e.g. use of software, due dilligence)
  • Art. 6 Para. 1 a GDPR upon obtaining consents (e.g. for the processing of image data or for advertising purposes).

3. Data processing upon application

3.1. General

If you send us your application documents, we process the personal data contained in them as well as your curriculum vitae and your certificates and references for the purpose of staff recruitment and filling vacancies. In the event of a rejection we delete your documents 7 months after you have been sent the rejection.

Legal basis: Art. 6 Para. 1 b GDPR

If you consent to being kept on record for the purpose of making contact at a later point in time, we shall send you our own enquiry regarding the transmission of consent. If you explicitly give us this consent, we save your consent. If within one year there is no further option regarding the filling of a vacancy at our company, we delete all your application data one year after transmission of the consent to us.

Legal basis: Art. 6 Para. 1 a GDPR

3.1.1. Application platforms

We use various online application platforms to recruit employees for our company. For persons who are interested in working for the company it is possible to file an application directly on those applicant portals using a form made available by the operator of the applicant platform. Applicants decide for themselves what data they make available during use of such an online portal. You also have the option of uploading application documents. Personal data you have entered and any documents you have uploaded will be passed on to us by the operator of the applicant portal. Both the application platform and we ourselves process that data in our capacity as controller within the meaning of GDPR. Please refer to the privacy policies of the respective portal operators. In this context we are subject to section 3.4.1.

Legal basis: Art. 6 Para. 1 a GDPR

3.1.2 Applicant portal

For individuals who are interested in working for our company, there is the option to apply directly on our website using a form provided there. For this, we require the salutation, first and last name, email address, telephone number, and place of residence. Further along in the application process, there is the opportunity to upload application documents (e.g., CV). In case of a rejection, we will delete your documents no later than 7 months after the rejection has been sent to you.

Legal basis: Art. 6 Para. 1 b GDPR

If you consent to being kept on record for the purpose of making contact at a later point in time, we shall send you our own enquiry regarding the transmission of consent. If you explicitly give us this consent, we save your consent. If within one year there is no further option regarding the filling of a vacancy at our company, we delete all your application data one year after transmission of the consent to us.

Legal basis: Art. 6 Para. 1 a GDPR

4. Data processing upon visiting our website

4.1. Informational use of the website

Upon merely informational use of the website we only collect the personal data that your browser sends to our server (server logfiles). If you wish to view our website, we only collect the data that we require for technical purposes in order to display our website to you and ensure stability and security:

That data is not merged with personal data sources. We reserve the right to check that data in due course if we become aware of any specific evidence suggesting unlawful use and – if there has been a hack attack – to pass the data on to the law enforcement authorities. There will be no further disclosure to third parties.

Legal basis: Art. 6 Para. 1 f GDPR

4.2 Cookies

When you use our website, cookies will be saved on your computer. Cookies are small text files that are saved on your hard disk and assigned to the browser you are using and as a result of which certain information is transmitted to the party setting the cookie (in this case ourselves or a third-party provider). Cookies cannot execute programs or transmit viruses to your computer.

By virtue of the cookie you can be recognised again when you visit the website without your having to re-enter data that you have already entered previously.

The information contained in the cookies is, for example, used in order to establish whether you are logged in or what data you have already entered, or in order to recognise you as a user again whenever a connection is made between our web server and your browser.

We differentiate between technical cookies, which solely serve to ensure operation of a website, and other cookies, which are set by us or third-party providers for the purpose of statistical analyses, tracking or advertising/marketing.

Legal basis: Art. 6 Para. 1 f GDPR (in the case of technical cookies), Art. 6 Para. 1 a GDPR (in the case of all other cookies).

4.3. Data processing in the USA

It is not possible to rule out the risk of personal data being transmitted to the USA when you visit our website. If this is the case, we draw attention to it separately in this Privacy Policy.

For data transmission to a third country or an international organisation GDPR requires so-called appropriate safeguards in accordance with Art. 46 GDPR. There are none for the USA.

Potential risks, which, for you as an affected party, cannot be ruled out in connection with the aforementioned information at present, include in particular:

When you consent to the processing of (advertising and marketing) cookies you explicitly consent to data transmission to the USA. You can remove cookies saved on your PC yourself at any time by deleting the temporary Internet files.

Legal basis: Art. 6 Para. 1 a GDPR

5. Social media presence

We operate social media pages on LinkedIn and Xing. Upon visiting our social media presence, personal data, including the IP address of the service provider, is processed and cookies are used for data collection. vom Anbieter To determine exactly what items of information are transmitted, please refer to the privacy policy of the service. There you will also find information about possible methods of contact and for various settings.

We opt for comprehensive customer satisfaction and use this service primarily in order to be able to make contact or communicate with you. Furthermore, we regard it as an additional possibility concerning our other existing information offerings.

In a service related to the US the data collected is usually sent to a server in the USA, where it is stored. We do not have any influence over or any method of checking the type and volume of data processed by that service, the type of processing and use, or any disclosure of that data to third parties. For ways of restricting the processing of the data in the respective settings of that service please refer to the detailed descriptions of the service provider’s privacy policies.

Moreover, we draw attention to the fact that you use the respective service and its functions on your own responsibility. This particularly applies to use of the interactive functions (e.g. share, comment or evaluate).

The provider of the social media service has made available to us appropriate agreements – in most cases agreements concerning joint responsibility for data processing. The use of social media is based on our legitimate commercial interest.

Legal basis: Art. 6 Para. 1 f GDPR

6. Data processing in Google services

We have concluded a contract with Google Ireland Limited (“Google”), a company registered and operated according to Irish law (registration number: 368047) based in Gordon House, Barrow Street, Dublin 4, Ireland. Nevertheless, it may happen that data from Europe is transmitted to the USA, although as a company we have no influence over that.

When that service is used, personal data is transmitted to the USA or such a risk cannot be ruled out – for more details refer to 4.3 of this policy. – More information can be found in te section 4.3 of this declaration.

6.1. Google Analytics

We have integrated Google Analytics into our website, a Google web analytics service that enables us to analyse visitor flows and the length of stay on our website.

This website uses the function “Activation of IP anonymisation” (i.e. Google Analytics has been extended to include the code “gat._anonymizeIp();” in order to ensure anonymised identification of IP addresses (so-called IP masking)). As a result, your IP address is first of all shortened by Google within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the complete IP address transmitted to a Google server in the USA, where it is shortened.

According to statements from Google, Google will use the information obtained to evaluate usage of the website in order to compile reports on website activity and to provide us with other services associated with website usage and Internet usage. The IP address transmitted by your browser within the scope of Google Analytics will not be merged with any other data in Google’s possession. However, Google may, if need be, transmit such information to third parties inasmuch as it is required by law or inasmuch as third parties process that data on behalf of Google. You are able to prevent the saving of cookies by making an appropriate setting in your browser software. However, we wish to point out that in such a case you will not be able to make full use of all the website functions. Furthermore, you can prevent collection of the data generated by the cookie and related to your use of the website (incl. your anonymised IP address) and transmission thereof to Google, as well as the processing of that data by Google, by downloading and installing the browser plug-in available at the following link

You will find more detailed information about conditions of use and privacy at or

Legal basis: Art. 6 Para. 1 a GDPR

6.2 Google Tag Manager

In order to identify your user behaviour we use the so-called Google Tag Manager. Google Tag Manager is a solution with which marketers can manage website tags via an interface. The tool itself processes the following personal data: IP address of the user. The tool ensures the triggering of other tags, which for their part possibly collect data. Google Tag Manager does not access that data. Google Tag Manager can set cookies, at all events in the administrator’s preview and debug mode, but also outside it. If deactivation has been performed at domain or cookie level, it continues to apply to all tracking tags that are implemented with Google Tag Manager.

You can obtain more detailed information here:

Legal basis: Art. 6 Para. 1 a GDPR

7. Your rights

Vis-à-vis ourselves you have the following rights as regards the personal data concerning you:

  • – Right to information, rectification and deletion
  • – Right to restriction of processing
  • – Right to object to processing
  • – Right to data portability
  • – Right to file a complaint with the Austrian Data Protection Authority

Barichgasse 40 – 42, 1030 Vienna, Austria, Telephone: +43 1 52 152-0


If you should believe that in processing your data we are violating Austrian or European data protection law and have thereby infringed your rights, we request you to contact us so that we can clarify any issues.

Please email your enquiries and concerns to or contact us by using the contact data cited.

8. Amendtments to this Privacy Policy

We reserve the right to make adjustments to our Privacy Policy from time to time. We will publish all amendments to the Privacy Policy on this page. In this respect please always observe the latest version of our Privacy Policy.

9. Disclaimer

CMTA AG accepts no responsibility for content on third-party websites to which reference is made by links. The content of linked sites is the sole responsibility of their owners.

Follow us for industry-relevant news

Follow us for industry-relevant news