1. Personal Data
Our website may basically be used without any personal data being provided. However, using individual services may be subject to differing regulations, to which we refer you separately. Apart from the cookies still described in detail hereinafter, if any, we basically gather and retain only data you provide to Us yourself by entering them into our input masks or actively interact with our website in any other manner whatsoever. Personal data means any information relating to an identified or identifiable natural person. This includes, for example, your name, address, telephone number or date of birth, but also your IP address or geolocation data, which may be used to draw any conclusion about you.
a. Where you use our website for information purposes only, meaning that you do not register for any service or provide Us with information otherwise, for instance using a contact form, we gather only the relating (personal) data transferred by your browser to our servers. Where you want to visit our website, we collect the data set out hereinafter which is technically required by Us to display the website to you and to ensure its stability and security under point (f) of Art. 6(1) GDPR:
-data and time of the request
-time zone difference to the Greenwich Mean Time (GMT)
-content of the request
-access status / http status code
-respective transmitted amount of data
-website from which the request originates
-operating system and its interface
-language and version of the browser software
This data is not processed, however, beyond the purpose of displaying our website.
b. In addition to the data referred to above, first-party and third-party cookies are stored on your computer if you use our website; these are small text files which are stored on your hard disk allocated to the browser you use. As a result, the party that places a cookie (either we or a third party explicitly specified by Us) is provided with certain information.
c. Basically, a distinction can be made between first-party cookies, third-party cookies and third-party requests.
-Wallee payment method
-Remember form entries
Third-party cookies are stored in your browser by a third-party provider. These are mostly tracking or marketing tools which, on the one hand, serve to evaluate your user behaviour and, on the other hand, make it possible for the third-party provider to recognise you on any other websites you visit as well. In general, retarget marketing, for example, is based on the function of cookies of that kind. Cookies of the following providers are stored on our website and may optionally be activated or deactivated at any time:
-YouTube (to display videos)
-SendinBlue (to track newsletter data)
-StoreLocator (to load Google Maps on this site)
d. A cookie banner placed by Us on each website in line with the ECJ judicature of 01/10/2019, C673/17 (Planet 49), as well as further relevant decisions, is displayed to you the first time you access our websites to comprehensively inform you about the cookies used by Us. Any and all cookies used, including their function, storage period and origin, are represented in this cookie banner. we store cookies only if you agree with the use of some or all of them. An exception to this may be any cookies that are technically stringently required, since our website might not be displayed correctly without such cookies being used
e. It is possible for you at any time to change your browser settings accordingly, for instance to the effect that you refuse any acceptance of third-party cookies or all cookies. Please note, however, that you might no longer be able to use all functions of our website in this case.
3. Collection and Processing of Personal Data
a. Website When operating our website, we process any personal data beyond the information stored by cookies exclusively if you provide it to Us voluntarily of your own accord, for instance if you register with Us, enter into any contractual relationship with Us or otherwise make any contact with Us. This exclusively includes contact data as well as information on the matters for which you approach Us.
We use the personal data specified by you exclusively to the extent that this is required in pursuance of the respective purpose of processing (e.g. registration, sending a newsletter, handling a PO, sending information material and advertising, performing a sweepstake, replying to a question, allowing access to specific information) and legally (esp. under Art. 6 or Art. 9 GDPR) admissible (e.g. sending advertising and information material to existing customers under point (f) of Art. 6(1) GDPR). The purpose of processing your data is to operate our website and to provide targeted company-specific information, including to illustrate the range of our goods and services (marketing). We use your data beyond that only to the extent that you haven given your explicit prior consent, we need your data to perform any contract concluded with you or are obliged to keep it due to any statutory provision. As still explained in detail hereinafter, you may withdraw at any time for the future each consent given by you.
b. Contract Handling, Marketing and More In general, we use any personal data of our customers, suppliers and other contracting and cooperation partners, e.g. contact persons, their contact data and marketing-relevant information, for the purpose of handling the contract and as part of statutory duties of safekeeping (e.g. accounting) and, beyond that, based on a legitimate interest, for instance for marketing and customer care purposes. For the eventuality that it is required by any legitimate interest and/or any other statutory obligation (e.g. the Gun Control Act) to keep data longer, we reserve the right to actually implement this conformable to law (e.g. product liability).
Moreover, we gather personal data of prospects (e.g. contact persons, their contact data and marketingrelevant information) in the course of our acquisition and sales activities. we are always looking for potential contracting partners on the Internet, at trade fairs and during any other events and maintain a marketing database to that end to enable targeted advertising for our products and services. Unless we have received any explicit consent by the data subject beyond that, we perform any and all of the measures stated here for marketing purposes as our legitimate interest under point (f) of Art. 6(1) GDPR in conjunction with recital 47 for a duration of three years as from the end of any contractual relationship (customers & suppliers) or the contact established by Us (prospects) for the first time (to no avail). If we do not collect personal data for marketing purposes from the data subject himself/herself, we also let the data subject know under Art. 14 GDPR, the first time a contact is established, where we have collected his/her data. If you wish to purchase or reserve goods in our webshop, it is necessary for the conclusion of a contract with us that you provide various personal data that are required for the processing of your order or reservation.
For this purpose, we mark mandatory data separately in the ordering process and also when you create an account; all other data is optional and - if entered - serves to improve your shopping experience. We process the data you provide to process your order or reservation and - if you voluntarily provide additional information - for customised advertising. In addition, depending on the selected payment method, we also collect your credit card, bank or invoice data in the course of payment processing We process your payment data for payment processing. These are the name of the account or credit card holder, name of the credit institution or credit card company, IBAN and BIC or the credit card number and the expiry date of the credit card. If payment by credit card is selected as the payment method, we only store the card type (VISA, MasterCard, etc.), expiry date and the last 4 digits of the credit/debit card number during registration. Otherwise, your payment data will only be stored by our payment service provider (see point 7. e.). Your payment data is only transmitted to payment service providers who process this data in accordance with the international PCI-DSS standard. We do not have access to this data. The legal basis for this is Art. 6 para. 1 p. 1 lit. b) DSGVO.
c. Job Application Management We gather any data of applicants for job opportunities vacant with Us for the purpose of initiating a potential employment relationship under point (b) of Art. 6(1) GDPR or, if need be, based on an explicit consent for evidentiary purposes.
4. Retention Period
5. Data Transfer
a. In General As a matter of principle, your data will not be passed on to third parties unless we are legally obliged to do so, the passing on of data is necessary for the implementation of a contractual relationship concluded between us - e.g. passing on of the credit card/debit card number to processing bank institutes/payment service providers for the purpose of debiting the purchase price - or you have previously expressly consented to the passing on of your data. Subject to your consent, any external processors or other cooperation partners are provided with your data only to the extent that this is required to handle a contract, we have any relating legitimate interest, which is always notified by Us separately in the case in question, or where this is required due to any special norms. We neither alienate nor otherwise market your personal data to any third parties. Where our contracting partners or processors are based in any third country, hence any state outside the European Economic Area (EEA), we inform you about the consequences of this fact in the offer specification. We ensure that any of our processors who is able to access your personal data complies with the regulations of the data protection laws in the same manner as we do.
b. Data Transfer to the USA We occasionally offer some services in the course of which data transfer to the USA takes place or may take place. The transfer of data to the USA has always led to legal challenges in recent years. There are several legal bases for a legally compliant data transfer to the USA, whereby we basically rely on two different legal bases:
• Data transfer based on the existence of an adequacy decision.
On 10 July 2023, a new adequacy decision pursuant to Art. 45 GDPR was adopted by the European Commission for the USA - namely the EU-U.S. Data Privacy Network. However, this adequacy decision only applies to those data importers in the U.S. that are registered on the Data Privacy Framework List (https://www.dataprivacyframework.gov/s/participant-search).
The EU Commission's press release on the EU-U.S. Data Privacy Network can be found at: https://ec.europa.eu/commission/presscorner/detail/en/ip_23_3721.
However, if a data importer is not registered in the Data Privacy Framework List, it is necessary - unless there is another justification such as the fulfilment of contractual obligations - that you consent to the use of your data collected via these services, if applicable also in the U.S. (Art. 49 para. 1 lit. a DSGVO).
This is because we are currently unable to assess how case law will develop as a result of the EU-U.S. Data Privacy Network. We record this consent - depending on the service - via our cookie banner or separately by means of a corresponding declaration of consent directly before the use of a service offered. Your consent is required because, according to recent official and court decisions and the case law of the ECJ, the USA is not certified as having an adequate level of data protection in the processing of personal data (C-311/18, Schrems II).
In particular, these decisions by authorities and courts critically point out that access by US authorities (FISA 0702) is not comprehensively restricted by law, does not require authorisation by an independent body and no relevant legal remedies are available to the data subjects in the event of such interventions. We have no direct influence - apart from the contracts concluded with US service providers - on access by US authorities to personal data transferred to service providers in the USA when using these services. Even if we assume that our service providers take the necessary steps to ensure the promised level of protection in accordance with the contractual agreements concluded with us, access by US authorities to data processed in the USA is still conceivable. We therefore request your consent to the processing of data in the USA before using such services. We will point out separately for each service or application that there is a possibility of data transfer to the USA.
You have the option to subscribe to our newsletter free of charge. After having registered for this newsletter, you are regularly provided with current news and information about our company as well as tailor-made advertising. You need a valid e-mail address in order to receive our newsletter. We verify the e-mail address you entered in our registration mask in order to see whether you actually wish to receive newsletters.
To that end, we send you an e-mail to the e-mail address specified by you, and you may confirm its receipt by clicking on a link provided to this effect. Having confirmed the e-mail, you are registered for our newsletter (double opt-in) We already retain your IP address as well as the date and time of your registration when you first register for the newsletter.
This is done for security reasons for the eventuality that any third party misuses your e-mail address and subscribes to the newsletter without your knowledge. we do not collect and process any further data for the newsletter subscription; the data is exclusively used for your subscription to the newsletter. Subject to your objection, we transfer your data, where appropriate, to enterprises affiliated with our company under corporate law, for the purpose of analysis as well as to transfer information for advertising purposes.
Your data you have provided to Us for the newsletter subscription is reconciled within the group of companies with data that we might collect otherwise (e.g. at the time a good is purchased or a service is booked). Any data you make available for the newsletter registration is not shared with any third parties who are not part of the group of companies. You may terminate the subscription to our newsletter at any time. Details on how to unsubscribe can be found in the confirmation e-mail and in each individual newsletter.
7. Tools and Applications used
Google uses this information on our behalf to evaluate your use of our website, to compile reports about the website activities and to provide to the website operator further services relating to the use of this website and of the Internet. The IP address transferred by your browser as part of Google Analytics is not amalgamated with any other data of Google.
You may prevent that the cookies required by Google Analytics be stored on your computer by changing the settings of your browser software accordingly, following which, however, you might not be able to make full use of any and all functions of this website, where appropriate. You may also prevent that any data generated by the cookie and relating to your use of the website (incl. your IP address) be gathered as well as transferred to and processed by Google by downloading and installing the browser plug-in available at the following link: https://tools.google.com/dlpage/gaoptout?hl=en-GB.
Google LLC is registered on the Data Privacy Framework List.
b. Moreover, we use the services of Google Maps on our website, which enables Us to directly display interactive maps to you on our website and makes it possible for you to conveniently use the map function to localise our location and to facilitate your journey to Us.
If you visit our website, Google is provided with both the information that you accessed the respective subsite of our website and the data set out under 2, irrespective of whether you are logged in via a Google account or not. Where you are logged into Google, your data is directly allocated to your account. If you do not agree with that, you have to log out from Google before using this service.
d. Moreover, you have the option of interacting with various social networks via plug-ins on our website, including the following:
-Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland. The parent company, Meta Platforms Inc., Menlo Park, California, is registered on the Data Privacy Framework List.
- Instagram, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland. The parent company, Meta Platforms Inc., Menlo Park, California, is registered on the Data Privacy Framework List.
-Youtube, operated by Youtube LLC, 901 Cherry Avenue, San Bruno, CA 94066 USA.
If you click on a plug-in of any of these social networks, it is activated and, as described above, a connection to the respective server of such network is established. By activating these plug-ins, you agree with your data gathered via these plug-ins being used in the USA as well, where appropriate. We have no influence on the scope and content of any that is transferred to the respective operator of such social network by the click on the plug-in or might be accessed by US authorities in further consequence. If you want to obtain information on the nature, scope and purpose of the data collected by the operators of these social networks, we recommend reading the data protection provisions of the respective social network.
e. We offer you several payment options within the framework of the payment processing of our webshop, for example, by prepayment or payment by credit/debit card or PayPal via Wallee.
If you opt for payment processing via wallee, you will be redirected from our site to the corresponding website of the payment provider (bank; credit card company, PayPal, etc.) during the payment process, on which the payment process is actually carried out. Notwithstanding this, personal data may already be collected by the external payment service provider when the corresponding link is activated. For the execution of payment processing, we transmit your payment data to Wallee AG, General Guisan-Strasse 47, CH-8400 Winterthur (CH).
Your payment data is transmitted to a server of Wallee in a third country (Switzerland) declared as secure by adequacy decision of the EU Commission and processed there. This ensures that the standards and regulations of European data protection law are complied with. For more information on the adequacy decision, please visit https://eurlex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32000D0518&from=MT.
Visa Inc. and Mastercard Inc. are globally active payment providers and are each US companies. Visa Europe Services Inc. (1 Sheldon Square, London W2 6TT, GB) and Mastercard Europe SA (Chaussée de Tervuren 198 A, B-1410 Waterloo, BEL) are responsible for the European region. Visa and Mastercard also process data from you in the USA, among other places. We would like to point out that according to the opinion of the European Court of Justice, there is currently no adequate level of protection for the transfer of data to the USA. Visa and Mastercard are not registered in the Data Privacy Framework List. This may entail various risks for the legality and security of data processing. Visa and Mastercard use so-called standard contractual clauses in accordance with Article 46 of the GDPR as the basis for data processing for recipients based in third countries or for data transfers there. Standard contractual clauses are templates provided by the EU Commission and are intended to ensure that your data comply with European data protection standards even if they are transferred to third countries and stored there. Through these clauses, Visa and Mastercard undertake to comply with the European level of data protection when processing your personal data, even if the data is stored, processed and managed in the US. These clauses are based on an implementing decision of the EU Commission. You can find the decision at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.
For more information on Visa's standard contractual clauses, please visit https://www.visa.de/nutzungsbedingungen/visa-globale-datenschutzmitteilung/mitteilung-zuzustandigkeitsfragen-fur-den-ewr.html. For more information on the exact data processed through the use of Visa and/or Mastercard, please refer to the privacy statements of Visa and Mastercard: and https://www.visa.de/nutzungsbedingungen/visa-privacy-center.html and https://www.mastercard.de/de/de/datenschutz.html.
PayPal is a service of PayPal (Europe) S.a.r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg. As a European payment service provider, PayPal is also obliged to comply with the provisions of data protection (DSGVO) and provides detailed information on its website at https://www.paypalobjects.com/webstatic/de_AT/ua/pdf/privacy.pdf about the data collected and processed in the course of using PayPal
8. Joint Responsibilities under Art. 26 GDPR
a. Facebook Fan Page We operate a Facebook fan page at https://www.facebook.com/TMHTradingAustria. The purpose of this fan page is to share information on the activities of our company, to take marketing measures and to provide an additional channel of communication with Us.
In this context, we are “joint controllers” with Facebook, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, which makes this service available to Us. Facebook basically enables you to select in your settings the personal data shared with Us. If you do not agree with that, all information on the use of our fan page and personal data on its visitors are provided to Us in anonymised form.
We entered into an ‘Art. 26 GDPR Arrangement’ with Facebook to that end in which the mutual rights and duties of Us and of Facebook have been set forth. It is available at https://www.facebook.com/- legal/EU_data_transfer-_addendum/update.
b. Instagram Profile We operate several Instagram profiles at
We want to take marketing measures, call attention to our products and services and establish an additional channel of communication with our customers. In this context, we are “joint controllers” with Instagram, operated by Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, which makes this service available to Us. Facebook basically enables you to select in your settings the personal data shared with Us.
If you do not agree with that, all information on the use of our fan page and personal data on its visitors are provided to Us in anonymised form. we entered into an ‘Art. 26 GDPR Arrangement’ with Facebook to that end in which the mutual rights and duties of Us and of Facebook have been set forth.
we implement numerous technical and organisational security measures to protect your personal data against manipulations, loss, destruction and against access by third parties. our security measures are subject to ongoing improvements in line with technological evolution on the Internet. If you want to obtain more detailed information on the nature and scope of the technical and organisational measures we take, we are gladly at your disposal for corresponding written requests at any time.
10. Your rights
As data subject of our data processing, you have the following rights and legal remedies under the General Data Protection Regulation and the Austrian Data Protection Act:
• Right of Access (Art. 15 GDPR)
As data subject of by the above-described and other data processing, you have the right to obtain from Us information as to whether and, if so, what personal data concerning you is being processed. For your own protection, i.e. to ensure that no unauthorised party obtains any information about your data, we verify your identity in an appropriate manner before we provide such information.
• Right to Rectification (Art. 16) and Erasure (Art. 17 GDPR)
You have the right to obtain from Us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the data processing, you also have the right to have incomplete personal data completed as well as to have your data erased, provided that the criteria of Art. 17 GDPR have been met.
• Right to Restriction of Processing (Art 18 GDPR)
You have the right to obtain from Us restriction of processing of any and all personal data collected under the statutory conditions. Commencing with the request for restriction, such data continues to be processed only subject to your individual consent or for the establishment and enforcement of legal claims.
• Right to Data portability (Art. 20 GDPR)
You have the right to request that any personal data you have provided to Us be transferred to you or any third party without hindrance and limitation.
• Right to Object (Art. 21 GDPR)
You have the right to object, on grounds relating to your particular situation, at any time to processing of any personal data concerning you that is required to safeguard our legitimate interests or those of any third party. Your data is no longer processed following your objection, unless there are any compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims. You may object at any time with effect for the future to any data processing for direct marketing purposes.
• Withdrawal of Consent
You may withdraw at any time any consent separately given by you to the processing of your data. Any such withdrawal affects the permissibility of the processing of your personal data once you have given notice of withdrawal to Us. If you take any measure to enforce your rights from the GDPR as set out above, TMH has to state its position on the measure applied for or comply with the application without delay, but no later than within one month of receipt of your application. We respond to all reasonable requests free of charge and as promptly as possible within the limits of statutory regulations.
The entity in charge of applications regarding any violation of the right of access or any violation of the rights to non-disclosure, correction or erasure is the Austrian Data Protection Authority, which may be contacted as follows: Österreichische Datenschutzbehörde Barichgasse 40-42 1030 Vienna firstname.lastname@example.org
11. Contact Information / Contact Person
a. Controller’s Contact Information
TMH Trading GmbH
Ennser Straße 39 4407 Steyr-Gleink Austria
Tel.: +43 7252 50900
b. Data Protection Officer’s Contact Information
RAA Mag Toni Brnada
Summereder Pichler Wächter Rechtsanwälte GmbH
Dr. Herbert-Sperl-Ring 3,
A - 4060 Leonding
+43 732 272887
FN 441762a Linz RC ADVM code: P430533