Last Updated: April, 2023
Here, we – Studio Firefly SRL (“StudioFirefly” or “we”) – are informing you about our processing of your personal data in line with the General Data Protection Regulation (“GDPR”).
I. General Information
1. Data Privacy Controller
The Controller, within the meaning of the GDPR and other national data privacy laws of the Member States, as well as any other data privacy provisions, is:
Studio Firefly SRL
Strada Cuza Vodă 1
2. Data Privacy Officer
The Data Privacy Officer is:
Prof. Dr. Christian Rauda
Attorney-at-Law and Lawyer specializing in Information Technology Law
Graef Rechtsanwälte Digital Part GmbB
3. Legal Basis for the Processing of Personal Data
We process some of your personal data on the following legal basis:
a) Consent of the Data Subject
In so far as we obtain the data subject’s consent to the processing for a particular purpose, Art. 6(1)(1)(a) GDPR is the legal basis.
b) Fulfillment of contractual obligations
When the processing is necessary in order to fulfill a contract to which the data subject is a party, Art. 6(1)(1)(b) GDPR is the legal basis. This also applies to processing procedures that are required in order to implement precontractual measures.
c) Statutory requirements and obligations
Should the processing be necessary in order to fulfill a legal obligation, to which we are subject, Art. 6(1)(1)(c) GDPR is the legal basis.
d) Taking on a task in the public interest or to exercise official authority
Should the processing be necessary in order to take on a task that is in the public interest, or is being carried out to exercise official authority that has been conferred upon us, Art. 6(1)(1)(e) GDPR is the legal basis.
e) Preserving legitimate interests
Should the processing be necessary in order to preserve our legitimate interest or that of a third party, and should the interests, basic rights and basic freedoms of the data subject not outweigh the first-mentioned interest, Art. 6(1)(1)(f) GDPR is the legal basis.
f) Processing sensitive data (= special categories of personal data)
Should we process health data based on consent, Art. 9(2)(a) GDPR is the legal basis.
4. Duration of storage and erasure of personal data
The personal data of the data subject will be erased or blocked once the purpose of the processing no longer exists. It may be stored beyond that point if this has been stipulated by the European or national legislative authorities in EU regulations, laws or other provisions to which we are subject. The personal data will also be blocked or erased if a storage period prescribed by said regulations expires, unless a legal basis for the processing still exists.
5. Recipients of Personal Data
At our company, only the offices which need the personal data to fulfill their processing purposes process it. This also applies to the processors deployed by us, such as service providers and vicarious agents. All offices and individuals working with personal data are bound to data secrecy, and are informed about handling such data with great care.
Personal data is only passed on to third parties if doing so is in line with the data privacy provisions. In particular individuals deployed to carry out our business operations (e.g. banks, tax advisers, service providers for EDP and IT services), as well as government offices/authorities, in so far as this is necessary in order to fulfill a statutory obligation, may be given your personal details.
6. Data processing in non-EU countries
On technical grounds, it is sometimes necessary, within the scope of our services, for our data processors to use servers in non-EU countries, which means that personal data is also being processed in said jurisdictions. Explicit details of this are given below. Should any data be processed outside the EU/EEA, and no data privacy level corresponding to the European standard that has been confirmed by the EU Commission by means of an adequacy decision pursuant to Art. 45(3) GDPR exist, in order to produce suitable guarantees within the meaning of Art. 46 GDPR we have concluded standard EU contractual clauses with the companies concerned. You can see a copy of the standard EU contractual clauses here:
7. Data Subject Rights
Should your personal data be processed, you are, within the meaning of the GDPR, a data subject, and you have the following rights vis-à-vis us as Controller:
a) Right to be provided with information
Pursuant to Art. 15 GDPR, you are entitled to request information about the personal data processed by us. You can in particular request the following:
- Information about the purposes of the processing;
- the categories of the data;
- the categories of recipients to whom your data has been, or will be, disclosed, as well as the information concerning whether the personal data is being transmitted to a non-EU country or an international organization (in this connection, you can request to be informed about the suitable warranties pursuant to Art. 46 GDPR);
- the scheduled storage period;
- the existence of a right to rectification, erasure, restriction of the processing or to file an objection;
- the existence of a right to complain, and the origin of the data, should it not have been gathered by us;
- as well as the existence of automated decision making, including profiling, pursuant to Art. 22(1) and (4) GDPR, and – at least in such cases – meaningful information about the logic involved, as well as the reach and the intended effects of such processing on behalf of the data subject.
b) Right to Rectification
Pursuant to Art. 16 GDPR, you are entitled to assert a right of rectification and/or completion of your personal data vis-à-vis us in so far as it is incorrect or incomplete. We are required to undertake the rectification without delay.
c) Right to Restriction of the Processing
Pursuant to Art. 18 GDPR, you are entitled to request that the processing of your data be restricted, if the accuracy of the data is disputed by you or the processing is illegitimate.
Should the processing have been restricted, you will be notified by us prior to the restriction being lifted.
d) Right to erasure
Pursuant to Art. 17 GDPR, you have the right to request that your personal data be erased, unless the processing is necessary in order to exercise the right to freely express opinions and obtain information or to fulfill a legal obligation, based on the public interest or in order to assert, exercise or defend any legal claims.
e) Right to notification
Should you have asserted the right to rectification, erasure or restriction of the processing vis-à-vis us, we are obliged to inform any recipients to whom the personal data has been disclosed about said rectification, erasure of the personal data or restriction of the processing, unless this proves impossible or involves disproportionate effort.
You are also entitled to assert against us the right to be notified about said recipients.
f) Right to data portability
Pursuant to Art. 20 GDPR, you have the right to be given your personal data with which you provided us, in a structured, well-established and machine-readable format, or request that it be transmitted to another controller.
g) Right to object
Pursuant to Art. 21 GDPR, in so far as the processing is carried out based on Art. 6(1)(1)(e) or (f) GDPR, you are entitled to file an objection to the processing. Unless the objection concerns direct advertising, we ask you, when exercising this right of objection, to explain the reasons why we should not process your data in the way that we do. In such a case we will check the circumstances, and will either stop processing the data or adjust the processing, or let you know the compelling reasons worthy of protection on the basis of which we will continue to process the data.
h) Right to revoke the declaration of consent granted under data privacy law
Pursuant to Art. 7(3) GDPR, you are entitled to revoke your declaration of consent under data privacy law at any time. The legitimacy of the processing that has been carried out based on the consent prior to revocation is not affected by the consent being revoked.
i) Automated decisions in the individual case, including profiling
You have the right not to be made the subject of any decision based exclusively on automated processing – including profiling – insofar as this decision has legally valid consequences for you or significantly adversely affects you in a similar manner.
This does not apply if the decision
(1) is necessary for the conclusion or fulfillment of an agreement between you and the Controller;
(2) is legitimate based on legislation of the European Union or the Member States to which the Controller is subject and said legislation includes appropriate measures to preserve your rights and freedoms, as well as your legitimate interests; or
(3) if the decision is taken with your express consent.
Such decisions may not, however, be based on special categories of personal data pursuant to Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) applies and appropriate measures have been taken in regard to the protection of the rights and freedoms, as well as your legitimate interests.
In regard to the cases mentioned in (1) and (3), the Controller will take appropriate steps to preserve the rights and freedoms, as well as your legitimate interests, which at least includes the right to arrange for the intervention of a person on the part of the Controller, the right to explain one’s own position and the right to contest the decision.
j) Right to complain to a supervisory authority
Pursuant to Art. 77 GDPR, you are entitled to complain to a data privacy regulatory authority about our processing of your personal data.
II. Supplementary Information in regard to the Website
We are responsible for our website https://studiofirefly.io, as well as its sub-pages (hereinafter referred to as “Website”). Through the use of our Website, personal data will be processed. We are informing you in detail below about the data processing that takes place.
a) Technically necessary cookies
We use technically necessary cookies so that our system recognizes whether the user has consented to or restricted processes requiring consent, such as the placing of cookies, in his or her browser (“Opt-out Cookies”). These technically necessary cookies are not used to ascertain the user’s identity or create user profiles. The legal basis for the storage of the technically necessary cookies is Sec. 25(2) Act on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (TTDSG). For the processing of the personal data arising thereby it is Art. 6(1)(1)(f) GDPR. The use of said cookies is technically necessary in order to operate the Website. Consequently, there is no option for the user to raise objections.
Said necessary cookies are deleted after 14 days.
b) Optional Cookies
We essentially use optional analysis cookies of external media and services on our Website. Optional cookies are used for functional, analysis or marketing purposes. The use of said cookies is based on the user’s consent, which the user grants when visiting the Website for the first time, and, firstly, comprises storing and accessing cookies as such, as well as processing the personal data arising therefrom for analysis purposes. The legal basis for storing and accessing the analysis cookies is Sec. 25(1) Act on Data Protection and the Protection of Privacy in Telecommunications and Telemedia (TTDSG). In regard to the processing of the personal data arising therefrom it is Art. 6(1)(1)(a) GDPR.
2. Google Services
We use a number of Google services. In that respect, our contractual partner is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”). Recipients of the data at Google may be:
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as data processors pursuant to Art. 28 GDPR)
- Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
- Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
Should Google, in the process, process any data outside the EU/EEA, and no data privacy level corresponding to the European standard exist, Google Ireland Limited has, in order to produce suitable warranties pursuant to Art. 46 GDPR, concluded EU standard contractual clauses with its group companies Google LLC and Alphabet Inc., who have their respective registered offices in California, USA. You can find a copy of the contractual clauses here:
It cannot be excluded that data is transmitted to the USA and that the US authorities access data stored with Google. From a data privacy perspective, the USA currently counts as a third-party country. You do not have the same rights there as you do within the EU/EEA. It is possible that you will have no legal remedies against access by authorities.
III. Supplementary Information in regard to Communicating with Us
You can contact us via email, telephone or letter. In this respect, your details resulting from the inquiry, including the contact details given by you there, are exclusively used by us for the purpose of handling the inquiry and for the eventuality of any follow-up questions. The legal basis for the processing of the data is Art. 6(1)(1)(f) GDPR.
The data will be erased once it is no longer needed in order to achieve the purpose for which it was gathered. This is usually the case once the respective conversation with the user has ended. The conversation has been terminated once it can be inferred from the circumstances that the issue concerned has conclusively been clarified.
Should the communication be aimed at concluding a contract, the legal basis for the processing is Art. 6(1)(1)(b) GDPR.
IV. Supplementary Information for Service Providers, Suppliers and other External Third Parties
In line with the applicable data privacy provisions pursuant to the GDPR and the Federal Data Protection Act (BDSG), in some cases we process some of your personal data for purposes, and on the legal bases, specified below.
What specific data of yours is processed can be seen from the services commissioned or agreed. We use the personal data solely for the purpose for which it is made available to us. Such details are, for example, personal particulars (name, address and other contact details, such as email address and date and place of birth). It may, moreover, also include order data (e.g. payment order), data from the fulfillment of our contractual obligations (e.g. turnover data in payment transactions), information about your financial situation (e.g. creditworthiness data), promotional and distribution data, and also any other data comparable with the categories mentioned.
1. Purposes of the processing
a) Fulfillment of contractual obligations (Art. 6(1)(b) GDPR)
We predominantly process your data for the purpose of substantiating and carrying out our procurement and maintenance processes, and thus purchase/work/service contracts.
Your data will, moreover, sometimes be processed within the scope of contractual secondary obligations or pre-contractual arrangements.
b) Legitimate interests of the company (Art. 6(1)(1)(f) GDPR)
We furthermore process your data based on our legitimate interests, which we are specifying to you here below:
- Making contact and managing communication
- Profitability checks
- Managing contracts/projects
- Ensuring the operation of information and telecommunications systems
c) Statutory requirements and obligations (Art. 6(1)(c) GDPR)
We, as a company, are bound to various legal obligations, which are to be complied with based on applicable laws and ordinances.
We process your data for the purpose of complying with the tax and trade law regulations, which we are citing here by way of example:
- Financial accounting
- Business correspondence
d) Consent of the Data Subjects (Art. 6(1)(a) GDPR)
In so far as we have obtained from you consent to the processing of your data for certain purposes, we substantiate the legitimacy of the processing by way of said consent.
2. Recipients of the Data
Within our company, the offices which need your data to fulfill their processing purposes have access to it. This also applies to the service providers and vicarious agents deployed by us. All offices and individuals working with your personal data are bound to data secrecy, and are informed about handling personal data with great care.
Your data is only passed on outside the company if that is in line with the data privacy regulations. This is the case if said transmission is necessary in order to fulfill the purposes or we have obtained consent from you to use your data and pass it on. The following categories of recipients may, in certain circumstances, be given your data:
- Tax Authorities
- Tax advisers/certified public accountants
- IT service providers
Your data will not be transmitted by us outside the European Union.
3. Duration of storage of the data
Essentially, the duration of storage of your personal data is only for as long as is necessary for the purpose of the processing. Your data is stored for a longer period if we are obliged to store it for a certain period of time based on legislation (for example, archival obligations under fiscal law) or the evaluation or handling of legal claims makes it necessary.
4. Further information on the gathering and processing
Should the legal basis for the data being gathered exist due to legislation (for example, fiscal regulations) or in order to fulfill a contract (for example a purchase contract), it may sometimes be mandatorily necessary for the data to be provided by the data subject and processed by us. Without the provision and processing of said data, we would, under certain circumstances, not be in a position to fully implement the legal or contractual requirements.
Your personal data will never be used by us for automated decision-making (for instance, profiling).
5. Data sources
We predominantly receive your personal data directly from you, and may, moreover, make use of public sources (websites, contact directories, etc.) for making initial contact.
In so far as we are given your data by other third parties (for example, recommendations from other partners), we will inform you about said data sources when making initial contact with you.