Privacy policy
Statement on the protection of personal data
We are glad you are interested in the important topic of personal data protection. The protection of your personal data, its security and confidential handling are of utmost importance to us. In the following, we would like to inform you about the collection, storage and processing of personal data in the context of the use of our websites and services www.moxy-designs.com, www.moxy-web.com and www.moxy-group.com. Personal data is any information that identifies you as a person, such as your name, address, web address or online user behaviour. Moxy GmbH strictly adheres to statutory provisions on the protection of personal data. Our goal is not only to provide you with a sense of security while you use our services, but also to assure you that your data is in good hands with Moxy GmbH.
1. Basic information
The controller responsible for data protection in accordance with Article 7 (7) of the General Data Protection Regulation Act (GDPR) for the entire website www.mox-designs.com, www.moxy-web.com and www.moxy-group.com is Moxy GmbH, Oberleitringer Strasse 39, A-8435 Leitring, Austria.
If you have any questions regarding data protection and data usage related to the above-mentioned websites or Moxy GmbH in general, you can contact us at info@moxy-group.com.
2. Visiting our website and the use of cookies
If you are using our website for informative purposes only, that is, if you do not subscribe to e-news services or submit an inquiry through our contact form, we do not record any personal information. The websites www.mox-designs.com, www.moxy-web.com and www.moxy-group.com do not use any cookies for the purpose of tracking and recording data from their visitors.
3. Data security
We protect our websites and related systems with technical and organizational measures against loss, destruction, unauthorized access or alteration and spreading of your information by unauthorized persons.
When transferring personal data, we use the security procedure known as SSL (Secure Socket Layer) in conjunction with 256-bit encryption. You can recognize the transfer of encrypted data by the key symbol or closed lock in the lower status bar of your browser. The connection is encrypted with first-rate encryption (AES-256, 256 bit), and the key exchange uses RSA with 2048 bits.
4. Principles for the storage and deletion of personal data
Personal data may only be stored for as long as is necessary to achieve the purpose for which it was collected, or as provided for and regulated in the applicable legislation and regulations, such as, for example, retention obligations under tax or commercial law. When there is no legal obligation to retain personal data (e.g. after unsubscribing from our e-news service) or when the statutory retention period expires, the personal data in question is routinely deleted in accordance with legal regulations, or its processing is limited in accordance with the law, for example limited to processing within the framework of a tax or commercial law obligation to store personal data.
The processing of personal data on the basis of legal obligation, that is, the fulfilment of the legal obligation to store data, is based on Article 6 paragraph (1) point (c) of the General Data Protection Regulation Act (GDPR).
5. Use of e-news services
On our website we provide the option of registering for free e-news. The e-news keep you informed about useful information and also what is new and trendy in the field of graphic design, web design and web applications. We also inform you about our special offers and new services.
To sign up, you only have to share with us your e-mail address. In the process of providing these services, however, we do not collect any additional information.
When you submit the application form, you will receive an e-mail message confirming your subscription. The subscription will only become valid when you click on the link in the confirmation e-mail. If you do not click on the confirmation link in the e-mail, the subscription will not be completed.
If you do not confirm the subscription within 30 days, the information you entered in the subscription form will be automatically deleted.
In addition, we would like to point out that we store your IP address and both the time you applied and the time you confirmed your subscription. The purpose of this procedure is to prove your application and, if necessary, provide an explanation in case of misuse of your personal information. The legal basis for such processing of personal data is set out in Article 6 paragraph (1) point (f) of the General Data Protection Regulation Act (GDPR).
You can revoke your consent to receiving e-news at any time, with effect for the future, and cancel the subscription to e-news. To this end, you can use the cancellation link provided at the end of each e-mail message. Alternatively, you can contact us at info@moxy-group.com from the e-mail address that you used to subscribe to our e-news and express your request for cancellation. Your e-mail address will be deleted from the e-mail newsletter list. The cancellation of the consent does not affect the legality of the processing carried out on the basis of consent prior to its cancellation.
6. Contact options
On our website we offer different ways for you to contact our company and provide us with your message. You can contact us by phone, by e-mail or through a special contact form. If you contact us in any of the above-mentioned ways, we will store and process the information you provided (your e-mail address, possibly your name and phone number) and your question in order to provide you with the best answer possible.
In this context, the corresponding legal basis for the processing of personal information is Article 6 paragraph (1) points (b) and (f) of the General Data Protection Regulation Act (GDPR). Our legitimate interest is in the efficient and structured collection and processing of customer questions and inquiries in order to provide quality services.
We safely delete all collected data once storing it for the aforementioned purposes is no longer necessary, for example after the inquiry process with the customer has been completed, or we limit processing of the personal data if there is a legal obligation to retain it.
Contact
The controller responsible for data protection in accordance with Article 7 (7) of the General Data Protection Regulation Act (GDPR) for the entire website www.mox-designs.com, www.moxy-web.com and www.moxy-group.com is Moxy GmbH, Oberleitringer Strasse 39, A-8435 Leitring, Austria.
If you have any questions regarding data protection and data usage related to the above-mentioned websites or Moxy GmbH in general, you can contact us at info@moxy-group.com.
Individual rights
We are pleased to inform you of your rights as an "individual" in the General Data Protection Regulation Act (GDPR). Under the General Data Protection Regulation Act, as an individual, you have the rights regarding protection of your personal data as listed below:
- The right to be informed;
- The right of access;
- The right to restrict processing;
- The right to data portability;
- The right to object; and
- Rights in relation to automated decision making and profiling.
Below are brief explanations of each one of the eight main rights to give you a better understanding of them. The following is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide legal advice. Its sole purpose is to provide general information about the basic rights under the GDPR of the individual to whom the personal data relates.
The right to be informed
The GDPR emphasises the need for transparency over how personal data is used. The right to be informed relates to the GDPR principle of processing personal data in a lawful, fair and transparent manner. The data subject has the right to be informed of how and why their data is being processed.
With regards to collecting personal data directly from an individual, the data controller should provide the following information (before collecting the personal data):
- Their identity and contact details (or, if applicable, their EU representative’s details);
- Their Data Protection Officer’s contact details (if applicable);
- The purposes for which they are processing personal data (including their legal basis for processing the data and any justification for processing this data);
- Who the recipients of any personal data will be;
- Whether there is an intention to transfer any personal data outside of the jurisdiction and on what basis this transfer is legal;
- How long they will store the personal data for;
- Whether the individual must provide the personal data, for example, to enter into a contract or for other legal grounds. The consequences of the individual not providing their personal data should also be explained (e.g. they cannot enter into the contract without a delivery address);
- Whether they use automated decision making and, if so, how this is used and the consequences for the individual; and
- The individuals' rights including how to withdraw their consent and make a complaint.
This information should be concise, transparent and easily accessible. It is important that it is easily legible and written in clear and plain language so that it can be understood by the data subject. This information must also be provided free of charge.
If the data controller intends to use the personal data for a purpose different than it originally collected it for, it must provide notice of the new purpose to the data subject before processing the personal data for this purpose.
This right to be informed also includes the right to be informed of any data protection breach.
The right of access
Data subjects have the right to access their personal data and other supplementary information. This supplementary information is set out in article 15 of the GDPR and includes confirmation that their data is being processed.
Before actioning a subject access request, the identity of the individual making such request should be verified using 'reasonable' means. It is important that personal data is not disclosed to someone who does not have the right to see it. This would be a breach of security under GDPR.
Under the GDPR rules, information requested should be provided free of charge. This being said, a data controller may charge a reasonable fee in dealing with requests which are manifestly unfounded or excessive. A fee may also be charged if the data controller is asked to provide further copies of the same information (within the same subject access request). Any fee charged must be based on the administrative cost of providing the information. The GDPR provides that information requests made electronically should have the information provided in a commonly used electronic format.
The right to rectification
The data subject has the right for any personal data processed to be correct, up to date and complete. The data subject may therefore request that any personal data held is amended. The data controller should respond to such a request within reasonable time, but no longer than one calendar month.
The right to erasure
This is also known as the right to be forgotten. In the following circumstances the data subject may request that their personal data is erased:
- The processing of the data subject’s personal data is no longer necessary for the purpose for which the data controller collected it;
- The data subject has withdrawn their consent for the processing of their personal data and no other lawful basis for processing the personal data or no overriding legitimate interest applies;
- The data subject wishes to have their personal data erased for the purposes of direct marketing;
- The data controller is unlawfully processing the data subject’s personal data (in breach of the GDPR);
- The data subject’s personal information has to be erased in order to comply with a legal obligation; and/or
- The personal data is processed in relation to the offer of information society services (online services) to a child.
Once a data subject requests erasure for one of the above reasons, the data controller must erase it without delay unless continued retention is necessary for:
- Exercising the right of freedom of expression and information;
- Complying with a legal obligation under EU or member state law;
- The performance of a task carried out in the public interest;
- Exercising official authority vested in the data controller;
- Public health reasons consistent with the exceptions for processing sensitive personal data such as health information;
- Archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, under certain circumstances; and/or
- The establishment, exercise, or defence of a legal claim (however personal data should not be held on the basis that there may be a legal claim in the future).
If the data subject’s right of erasure applies and the data controller has disclosed the personal data to third parties, the data controller must inform the third party that the data should be erased (unless this is impossible or is disproportionate in the circumstances).
The right to restrict processing
Data subjects may request that the processing of their personal data is restricted in the following circumstances:
- If the data subject contests the accuracy of their personal data, the data controller must restrict processing the contested data until the data’s accuracy can be verified;
- If the data controller is unlawfully processing the data subject’s personal data, instead of using their right of erasure, the data subject may request that the processing of their personal data is restricted;
- If the data controller no longer needs to process the personal data, but the data subject requires the personal data for the establishment, exercise or defence of a legal claim; or
- If the data subject objects to the processing of their personal data (please see right of objection), but the data controller is processing the data subject’s personal data on the basis that it is necessary for the performance of a public interest task or on the basis of a legitimate interest; the data subject can request that processing of their personal data is restricted whilst the data controller considers whether legitimate grounds for processing override the rights of the individual.
During this restriction period, the data controller may continue to store the personal data, but they can no longer actively process it. The data controller is, however, able to hold enough data to note on their file that a restriction on processing is in place, to establish, exercise or defend legal claims, to protect the rights of another individual (legal or corporate) or for important public interest purposes. If the data controller has disclosed any of the data subject’s personal data (which is subject to the restriction) to a third party, the third party should be notified of this restriction unless it is impossible or disproportionate to do so. Again, there are strict time frames to comply with.
The right to data portability
The right to data portability is a new right which is being introduced by the GDPR. It will allow data subjects to reuse their personal data across different organisations by moving their personal data from one IT system to another (where possible). This must be done in a safe and secure way. There is no obligation on a data controller to adopt technical systems which are compatible with other organisations.
This right to data portability only applies to personal data which is automated and is being processed on the grounds of the individual’s consent or for the performance of a contract.
The right to object
The GDPR provides data subjects with the right to object to data processing under certain circumstances, including, but not limited to:
- For direct marketing purposes; and/or
- For scientific, statistical or historical research (unless the research is carried out in the public interest).
Rights in relation to automated decision making and profiling
Individuals have the right to not be subject to automated decision making, including profiling, which has legal or other significant effects on the data subject. This right does not apply when the automated decision is:
- Necessary for entering into or performing a contract with the data subject;
- Authorized by EU or member state law applicable to the data controller if the law requires suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
- Based on explicit data subject consent.
If the data controller is processing personal data by automated means, they must provide any personal data in a commonly used and computer readable format.
Accountability and documentation
The GDPR creates an accountability obligation where the data controller must be able to demonstrate their compliance with the GDPR through evidence. This requires more than having policies in place. Such policies must be tested to ensure they are effective and that the technology and processes used ensure compliance with the GDPR.