The protection of your privacy is our priority. We comply with the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG), and all other applicable laws regarding the protection, lawful handling, and confidentiality of personal data. This policy explains how we process your personal data and your rights. For questions, please contact us using the details below.
1. Controller and Data Protection Officer
1.1 Name and address of the responsible party
The controller within the meaning of the EU General Data Protection Regulation (GDPR) is the
Responsible party:
adapa Holding GesmbH,
IZ NÖ-Süd Straße 1, Obj. 50C
2351 Wiener Neudorf
Austria
Contact:
adapa Group Compliance Officer
Telephone: +43 2252 266014 72
Email: dataprotection@adapa-group.com
External Data Protection Officer:
Data Protection Consulting Services / TÜV SÜD Akademie GmbH
Mr. Jean-Claude Endert, LL.M., MA
Email: jean-claude.endert@tuvsud.com
2. Purposes of processing and legal basis Website
2.1 Logging of activities on our website (log files)
When you visit our website, we collect and store access data in so-called log files (access logs) in order to guarantee the long-term functionality of the website. In this context, we process the following data:
- IP address
- Date and time of access
- Path/URL
- Browser/Operating System
The legal basis for data processing is our legitimate interest in accordance with Art. 6 (1) (f) GDPR. This lies in ensuring the functionality, security and accessibility of the website for all site visitors and, if necessary, in the collection, defence and assertion of legal claims.
You have the right to object to this data processing (data subject’s right to object to data processing in legitimate interest pursuant to Art. 21 para. 1 GDPR). In this case, we will only process your data if there are compelling legitimate grounds on our part for further processing.
It is not possible to draw direct conclusions about your identity from the information. The data will be automatically deleted after the aforementioned purposes have been achieved.
As a rule, we only pass on your data collected on the basis of the use of our website to the extent that this is absolutely necessary to fulfil the purposes set out (e.g. operation and maintenance of the website via external service providers). However, we may also be legally or officially obliged to pass on data to third parties (e.g. data transfer to law enforcement authorities).
We keep log file data for a period of 10 days from the end of your website visit.
On our website, we provide a contact form to make it easy for you to get in touch with us. To use this form, please provide the requested information so that we can process and respond to your inquiry.
3. Purpose of Processing
We process your personal data exclusively for the purpose of answering your inquiry or contacting you. Processing is based on:
- Legitimate interest under Article 6 (1) (f) GDPR (our legitimate interest lies in providing low-threshold electronic contact options and ensuring traceability of communication), and
- Performance of a contract under Article 6 (1) (b) GDPR, where applicable.
3.2.1. Data Sharing Within the adapa Group
Depending on the nature of your request, your personal data may be shared with other entities within the adapa Group, including specific locations, if this is necessary to process your inquiry. Such sharing is carried out exclusively for the purpose of handling your request and in accordance with our joint data protection agreement and applicable data protection laws.
All entities within the adapa Group that receive your data are bound by strict contractual and organizational measures to ensure compliance with GDPR and to maintain the confidentiality and security of your information. Data transfers are limited to what is necessary and are subject to appropriate technical and organizational safeguards.
3.2.2. Joint Responsibility
For certain processing activities where purposes and means are jointly determined, adapa Holding GesmbH and the adapa Group entities act as joint controllers under Article 26 GDPR. This joint responsibility ensures secure processing and effective protection of your rights. Key points include:
- Central Contact: adapa Holding GesmbH serves as your primary point of contact for all data subject inquiries.
- Information and Rights: adapa Holding GesmbH provides information under Articles 13 and 14 GDPR and handles requests to exercise rights under GDPR.
- Data Exchange: Personal data may be transmitted or compared between adapa Holding GesmbH and the listed locations for processing under joint responsibility.
- Uniform Protection: A consistent level of data protection and security applies to all processing activities under joint responsibility.
3.2.3. Your Rights
You have the right to object to processing based on legitimate interest (Article 21 (1) GDPR). In such cases, we will only continue processing if there are compelling legitimate grounds on our part. You also have the right to request information about which entities have received your data and for what purpose, as well as other rights under Articles 15–21 GDPR (access, rectification, erasure, restriction, portability, and objection).
3.2.4. Alternative Contact Options
As an alternative to using the contact form, you can contact us via the e-mail address, phone number, or postal address provided.
3.2.5. Data Transfers to Third Parties
We only pass on your data to third parties to the extent necessary to process the communication.
3.2.6. Storage Period
Data transmitted to us via the electronic contact form will be retained for a period of 3 years from the end of the calendar year in which the communication took place. HubSpot data deletion will occur after this 3-year period.
3.3 Newsletter
Our website offers a subscription option for our newsletter, which provides regular updates about our products and services, as well as news and useful information.
To register, please enter the data requested in the registration form. We use your personal data to send the newsletter and to perform statistical evaluations and performance measurements (e.g., checking whether newsletters have been opened and whether embedded links have been clicked).
Processing is based on your consent under Art. 6(1)(a) GDPR, which you provide by selecting the checkbox and confirming your subscription. You may revoke your consent at any time with effect for the future. To do so, use the unsubscribe link included in each newsletter or contact us by post or email (see controller contact details). Revocation does not affect the lawfulness of processing prior to withdrawal.
You are not obliged to provide consent or personal data for these purposes; however, without consent, you will not receive the newsletter. Your personal data will be processed for the duration of your newsletter subscription.
When registering, we also store your IP address and the date and time of registration to prevent misuse of the service or your email address. This processing is based on our legitimate interests under Art. 6(1)(f) GDPR. You have the right to object to this processing (Art. 21(1) GDPR).
In such cases, we will only continue processing if compelling legitimate grounds exist.
To protect your personal data, we use a double opt-in procedure. Your newsletter registration is only valid once you confirm the link sent to your email address.
Your data is shared with our newsletter service provider, HubSpot.
Data is retained for three years from the end of the calendar year in which the newsletter was sent.
3.4 Jobs/Applications
You can find job offers on our website and may apply either by e-mail or via an external link to LinkedIn.
When you submit an application, we process the personal data you provide to manage the application procedure, assess your suitability for the position, and take necessary steps to establish an employment relationship if applicable. With your consent, we may also keep applicant data on record for future opportunities if you are not selected or if no vacancies are available.
The legal basis for processing your data is primarily Article 6(1)(b) GDPR, which covers contractual and pre-contractual relationships. If you consent to us keeping your data on record, processing is based on Article 6(1)(a) GDPR. In specific cases, such as the collection, assertion, or defence of legal claims, processing is based on Article 6(1)(f) GDPR.
Special categories of personal data, such as health data, religious affiliation, or degree of disability, are only processed if you have given explicit consent under Article 9(2)(a) GDPR or if another legal permission applies under Article 9(2)(b) GDPR.
If you apply via LinkedIn, your data is first processed by LinkedIn as an independent controller. LinkedIn may use your data according to its own privacy policy, which you can review at https://www.linkedin.com/legal/privacy-policy?.
Once your application is forwarded to adapa Holding GesmbH, we process your data for recruitment purposes as described above. Data you send directly to us by e-mail is processed solely by adapa Holding GesmbH for recruitment purposes. We only transfer your data to third parties if necessary for the application process or if required by law.
Personal data transmitted to us in connection with job applications is retained for a period of seven months after the end of the application process, that is, after a hiring decision has been made.
3.5 Contact via the internal whistleblower system
The adapa Group is committed to integrity and transparency. To support this, we provide employees and business partners with a secure and confidential channel to report suspected misconduct or violations of our Code of Conduct.
If you observe or suspect behaviour that may breach our Code of Conduct, you can report it via the adapa Integrity Line: https://adapa.integrityline.com.
Reports can be submitted anonymously, and all information is treated with strict confidentiality – whether or not you provide your name. Even if you are unsure or do not have complete evidence, we encourage you to share any relevant information. The Integrity Line is hosted on a secure external platform provided by EQS Group AG, ensuring that concerns can be raised safely and without fear of retaliation. The adapa Group does not tolerate any form of retaliation against individuals who report concerns in good faith or participate in investigations.
Reports submitted via the Integrity Line are handled with the highest level of confidentiality.
Access to these reports is strictly limited to the Compliance Officer at adapa Holding GesmbH, who is responsible for reviewing and processing the information. If necessary for investigation purposes, relevant details may be shared with designated individuals at other adapa Group locations, but only under strict confidentiality and in compliance with applicable data protection laws.
The controllers within the meaning of the GDPR for data processing related to the Integrity Line are the adapa Group entities. The technical operation of the Integrity Line is carried out on our behalf by EQS Group AG, which acts as a processor under GDPR.
3.6 Disclosure of personal data
The adapa Group operates internationally and has offices in various countries within and outside the European Union (UK). Inspection of the stored data is only possible by specially authorised persons within the Group. Insofar as this is necessary to fulfil the stated purpose, specially authorised persons of our subsidiaries may also be entitled to inspect as joint controllers. This is particularly the case if the investigation of their report is carried out in the country concerned. All persons authorised to inspect are expressly obliged to maintain confidentiality.
In order to fulfil the stated purpose, it may also be necessary for us to transfer your personal data to external bodies such as law firms, criminal or competition authorities, inside or outside the European Union (UK).
If we pass on your personal data within the group or externally, a uniform level of data protection is ensured by means of internal data protection regulations and/or corresponding contractual agreements. In all cases, the responsibility for data processing remains with the company. For our location in the UK, the existing adequacy decision applies as the legal basis.
Finally, we transfer your personal data to EQS for technical implementation to the extent described above. To this end, we have concluded a data processing agreement with EQS to ensure data protection.
We process the data and information provided exclusively for the purposes of checking the information received, the investigation procedure and answering or contacting you, as provided for in the Whistleblower Protection Act. Documentation and logging are also required by law.
The data is processed on the legal basis of compliance with a legal obligation under Article 6 (1) (c) GDPR (Whistleblower Protection Act).
Storage period: In this context, we retain data for a period of five years from the last processing or transmission and beyond that for as long as it is necessary to conduct administrative or judicial proceedings that have already been initiated or an investigation under the Code of Criminal Procedure. After that, the personal data will be deleted.
The log data on processing operations will be retained from the last time they were processed or transmitted until three years after the aforementioned retention obligation has ceased to apply.
3.7 LinkedIn
We maintain an official presence on LinkedIn to share updates and engage with our community. Please note that LinkedIn Inc./Microsoft is independently responsible for its own data processing activities. For details, refer to LinkedIn’s privacy policy: https://www.linkedin.com/legal/privacy-policy.
We do not actively transfer your personal data to LinkedIn simply by maintaining a presence.
Data sharing occurs only when you interact with our LinkedIn page, such as by liking, commenting, following, or sending us messages. In these cases, LinkedIn processes your data and may provide us with aggregated analytics (e.g., audience demographics, engagement statistics). These analytics are typically anonymized.
Any personal data you provide directly through LinkedIn (e.g., in messages or comments) is processed by LinkedIn under its own responsibility.
LinkedIn may transfer data to the United States under the EU–US Data Privacy Framework. While we cannot fully rule out that your personal data may be processed in the USA, such transfers are covered by an adequacy decision ensuring an appropriate level of protection.
4. Data transfer and recipients in general
We only pass on personal data to the extent that this is strictly necessary to fulfil the purposes set out. For all data transfers, we make sure to transmit only the absolutely necessary information and comply with the data protection requirements for data transfer (e.g. strict obligation of processors to follow instructions via Article 28 contracts, obligation of secrecy and confidentiality, obligation to fully comply with a sufficient level of protection in the processing of personal data).
If necessary, we may also be legally or officially obliged to pass on data to third parties (e.g. data transfer to law enforcement authorities and courts).
Details on data transfers and recipients can be found in the explanations of the processing purposes.
5. General storage period of the data
Your data will only be stored for as long as this is technically and organisationally necessary to achieve the stated purposes and to fulfil our legal obligations. We may also retain your personal data for certain periods of time on the basis of legitimate interest (e.g. collection, assertion and defence of legal claims). When determining the periods, we ensure that your rights and freedoms are fully respected. If the data retention is no longer necessary, we will delete your data immediately.
Detailed information on the specified storage period can be found under the respective processing purpose.
6. Profiling and automated decision-making
We do not carry out profiling measures (evaluation of certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements), nor do we make decisions on the basis of this information.
7. Cookies
Cookies are used on our websites. Cookies are small files that are stored either for the duration of your browser session in the cache of your internet browser (session cookies) or for a fixed period of time on your hard drive (permanent cookies). Cookies enable recognition so that you can be provided with content tailored to your needs and wishes more quickly and in a more targeted manner on future visits to our website.
For the use of cookies, we usually obtain your express consent via a cookie banner (legal basis Art. 6 para. 1 lit. a GDPR). The cookie banner allows you to select your cookie preferences. Cookies that are necessary to ensure the functionality of our websites are not covered by this choice. We use these on the legal basis of legitimate interest (Art. 6 para. 1 lit. f GDPR).
7.1 Technically necessary cookies
Borlabs
E-Law 24
On our website, we use the Borlabs Cookie Plugin (“Borlabs”) to inform you about the cookies and other technologies we use, and to obtain, manage, and document your consent to the processing of personal data through these technologies. This is necessary under Art. 6 (1) sentence 1 (c) GDPR to comply with our legal obligation pursuant to Art. 7 (1) GDPR, which requires us to be able to demonstrate your consent.
Borlabs is a service provided by Borlabs GmbH, Hamburger Str. 11, 22083 Hamburg, Germany. When you visit our website, the Borlabs web server stores a so-called Borlabs cookie, which contains information such as the cookie duration and version, device and browser details, and your consent preferences. No personal data is transmitted to Borlabs.
Storage and Deletion
Your consent data will be retained for one year. After this period, it will be deleted unless you have expressly consented to further use of your data under Art. 6 (1) sentence 1 (a) GDPR, or we are legally permitted to retain it for a longer period, in which case we will inform you accordingly in this privacy notice.
| Name | Function | Processed data | Storage period |
| borlabs-cookie | This cookie stores information regarding consent for service groups and individual services. | It contains the string “Yes” or “No”. | 60 days |
WordPress
WPML is a WordPress plugin that allows us to create a multilingual website. The selected language is stored in a cookie.
| Name | Function | Processed data | Storage period |
| _icl_visitor_lang_js | Stores the redirected language. This cookie is enabled for all site visitors if you use the Browser language redirect feature. | Language code (en, de). | 1 day |
| wpml_browser_redirect_test | Tests if cookies are enabled. This cookie is enabled for all site visitors if you use the Browser language redirect feature. | Language code (en, de). | Session |
| wp-wpml_current_admin_language_* | Stores the current language. | Language code (en, de). | 1 day |
| wp-wpml_current_language | Stores the current language. This cookie is enabled by default on sites that use the Language filtering for AJAX operations feature. | Language code (en, de). | 1 day |
7.2 Marketing cookies
These services help us understand your interests and optimise your experience by tracking your activity across our website. This allows us to personalise content, improve our communication, and tailor our website to be more relevant to you.
HubSpot
HubSpot uses cookies to manage our online marketing activities and better understand how you interact with our website. It tracks your visits and sessions and helps us identify you as a returning visitor (anonymously) to personalise your experience, provide relevant content, and manage our customer relationships.
| Name | Function | Processed data | Storage period |
| __hs_initial_opt_in | This cookie is used by the opt-in privacy policy https://knowledge.hubspot.com/de/privacy-and-consent/what-cookies-does-hubspot-set-in-a-visitor-s-browser to ask the visitor to accept cookies again. It contains the character string “Yes” or “No”. | It contains the string “Yes” or “No”. | 7 days |
| __hs_opt_out | This cookie is used by the opt-in privacy policy https://knowledge.hubspot.com/de/privacy-and-consent/what-cookies-does-hubspot-set-in-a-visitor-s-browser to ask the visitor to accept cookies again. This cookie is set when you give visitors the choice to disable cookies. It contains the string “Yes” or “No”. | It contains the string “Yes” or “No”. | 6 months |
| __hssc | This cookie tracks sessions. It is used to determine whether the HubSpot software needs to increase the session count and timestamps in the __hstc cookie. It contains the domain, the number of page views (viewCount, increases with each page view [pageView] in a session) and the session start timestamp. | Domain, number of page views, timestamp. | 30 minutes |
| __hssrc | Whenever the HubSpot software changes the session cookie, this cookie is also set. This is used to determine whether the visitor has restarted the browser. If this cookie is not present when HubSpot manages cookies, it is considered a new session. It contains the value “1”, if available. | Simple value like “1” if present. | Session |
| __hstc | This cookie tracks sessions. It is used to determine whether the HubSpot software needs to increase the session count and timestamps in the __hstc cookie. It contains the domain, the number of page views (viewCount, increases with each page view [pageView] in a session) and the session start timestamp. | Domain, number of page views, timestamp. | 6 months |
| hubspotutk | The main cookie for visitor tracking. It contains the domain, the user token (hubspotutk), the first timestamp (of the first visit), the last timestamp (of the last visit), the current timestamp (for this visit) and the session number (increases with each subsequent session). | User token, timestamps (for first, last, and current visits), and session number. | 6 months |
LinkedIn Insight Tag
This website uses the LinkedIn Insight Tag, a web analysis service provided by LinkedIn Ireland Unlimited Company (hereinafter referred to as “LinkedIn”). As a company based in the European Union, we cooperate with LinkedIn’s Irish subsidiary.
The LinkedIn Insight Tag is a small snippet of code placed on our website that allows us to collect data about visits to our website, including the URLs visited, referrer, IP address, device and application characteristics, and timestamps.
This information is transmitted to LinkedIn’s servers and used on our behalf to help us understand website activity, track conversions, and create anonymised user profiles. Please note that your data may be transferred to the USA, which is covered by an EU-US Data Privacy Framework adequacy decision.
The use of this service is based on your voluntary consent, as per Article 6 (1) (a) of the GDPR. You can find more information in LinkedIn’s privacy policy at https://www.linkedin.com/legal/privacy-policy.
| Name | Function | Processed data | Storage period |
| bcookie | This cookie is a browser identifier. It is used to uniquely identify devices accessing LinkedIn and to detect misuse of the platform. Processed data: https://www.linkedin.com/legal/l/cookie-table? | Unique ID string for the browser/device. | 1 year |
| lang | This cookie stores the language setting of a user and ensures that LinkedIn.com is displayed in the language selected by the user in the settings. Processed data: https://www.linkedin.com/legal/l/cookie-table? | Language code (en, de). | Session |
| li_gc | This cookie is used to store the consent of guests to the use of non-essential cookies. Lifetime: 6 months. Purpose: Functional. Type: HTTP. | String indicating consent status. | 6 months |
| lidc | This cookie ensures the selection of the data center. | String identifying the data center. | 24 hours |
Google Analytics 4
This website uses Google Analytics, a web analysis service provided by Google LLC. As a company based in the European Union, we cooperate with Google’s subsidiary Google Ireland Limited (hereinafter referred to as “Google”).
The information generated by the cookie about the use of the website is transmitted to Google servers and stored there.
On our behalf, Google uses this information to evaluate your use of our website, to compile reports on website activity and to provide other services related to website and internet use to the website operator. The transmitted data can be used to create user profiles of visitors to our website.
Please note that we cannot rule out the possibility that your personal data may go to the USA. There is an adequacy decision for the EU-US Data Privacy Framework.
The evaluation of your user behaviour on the website is based on your consent given in accordance with Article 6 (1) (a) of the GDPR. For more information on Google Analytics’ terms of use and privacy, please visit https://marketingplatform.google.com/about/analytics/terms/gb/ or https://policies.google.com/privacy?hl=en-GB.
| Name | Function | Processed data | Storage period |
| _ga | Used to differentiate between individual users. | Randomly generated client identifier (Client ID) used to distinguish unique users. | 2 years |
| _ga_* | Used to save the session status. | Session-related identifiers such as timestamp, visit count and session number. | 2 years |
Google Tag Manager
We use the “Google Tag Manager” service as a central means of collecting and forwarding personal data linked to the website visit. It is a service of the company Google LLC; as a company based in the EU, we cooperate with the Google subsidiary Google Ireland Limited (hereinafter referred to as “Google”).
The Google Tag Manager service bundles the applications we use into a central management interface, which makes it easier for us to administer the website applications. The use of the Google Tag Manager requires the setting of a Google cookie and the forwarding of data to Google (the information generated by the cookie about the use of the website is transmitted to Google’s servers and stored there).
Please note that we cannot rule out the possibility that your personal data may go to the USA. There is an adequacy decision for the EU-US Data Privacy Framework.
Our legal basis for the use of Google Tag Manager is your voluntary consent under data protection law in accordance with Art. 6 (1) (a) GDPR via the selection in the cookie banner.
Information on Google’s handling of user data can be found in Google’s privacy policy: https://policies.google.com/privacy?hl=en-GB.
| Name | Function | Processed data | Storage period |
| GoogleTagManager _ga | This cookie identifies users. | A unique, randomly generated client ID string (a long number) to distinguish between individual users. | 13 months |
Use on a legal basis of: Consent
Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Telephone: +1 650 253 0000
Email: dpo-google@google.com
Contact: https://support.google.com/
Privacy policy: https://policies.google.com/privacy?hl=en-GB
You can revoke your consent at any time without giving reasons with effect for the future.
You have the right to object to data processing on the legal basis of our legitimate interest (data subject’s right to object to data processing in legitimate interest pursuant to Art. 21 para. 1 GDPR). In this case, we will only process your data if there are compelling legitimate grounds on our part for further processing.
To do this, please activate the cookie banner in the footer under “Cookie settings” and select the appropriate settings.
In the following, we inform you about the processing purposes and background pursued with the respective cookie.
8. Links
From time to time we refer to the websites of third parties. Even with a conscientious selection of the websites to which we refer, we cannot assume any liability for the correctness or completeness of the content and the data security of third-party websites. This privacy policy also does not apply to linked websites of third parties.
9. Rights of data subjects/your rights to protect your personal data
You have a number of rights in relation to your personal data that we process. You can assert all these rights free of charge and informally (by e-mail, telephone or post), if necessary after proving your identity, at the address below. Your rights in detail:
Right to information: You can request information about the data processed by us at any time. In this case, we will inform you in writing what data we have stored about you, for what purposes we use it, to which categories of recipients we pass it on and how long we intend to store it. We will comply with your request for information without undue delay, but no later than within one month.
Right to erasure: You have the right to request the deletion of your data processed by us at any time. We will comply with this request if your data is no longer necessary for the purpose of collection, if you revoke any existing consent, in the case of unlawful data processing or if the deletion is necessary to comply with a legal obligation.
Right to rectification: If we process incorrect or incomplete data about you, we will of course correct it. An informal message addressed to us is sufficient for this purpose.
Right to restriction of processing: If the deletion of your data is not possible or if you do not wish to do so, but you do not consent to a use beyond the storage of the data, we are obliged to restrict the further processing of your personal data upon your notification.
Right to data portability: We will make the data we hold about you, which we have received on the basis of a contract or on the basis of your consent, available to you free of charge in a commonly used file format upon your informal notification. You can use this data for your own purposes and pass it on to future contractual partners. If you wish to do so and it is technically feasible, we will also transfer your data directly to an addressee named by you. In this case, we will inform you after the transfer has taken place. We will comply with your request immediately, but no later than within one month.
Right to revoke consent: You can revoke your consent to data processing at any time with effect for the future. In this case, we will stop processing the data. The lawfulness of the data processing carried out up to this point in time is not affected by a revocation of consent.
Right to object: If we process your data on the basis of our legitimate interest, you have the right to object to the further processing of your data in accordance with the General Data Protection Regulation. If you exercise this right, we will no longer process your data for the purpose for which you have objected – unless there are legitimate grounds on our part for further processing that outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
10. Right of appeal
The EU General Data Protection Regulation and the German Federal Data Protection Act guarantee you the rights mentioned above. If you believe that any of these rights have been violated by us, you have the option of complaining to a data protection supervisory authority.
The data protection authority responsible for us is the
Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Tel: 01/52 152-0
E-mail: dsb@dsb.gv.at
Status of data protection information: 11/2025