Privacy Policy

General information

The protection of your personal data is very important to us. We process your personal data exclusively on the basis of the applicable legal provisions, in particular the General Data Protection Regulation (GDPR), the Data Protection Act (DSG) and the Telecommunications Act 2021 (TKG 2021).

Personal data is data that can be used to identify you personally.

This privacy policy informs you about the processing of personal data in connection with the use of our website, in cooperation with our business partners (e.g. customers, suppliers and service providers) and applicants.

Responsibility holder

Responsible for processing your personal data is

Merz RailServices GmbH
Doctor Mehes-Gasse 17
2344 Maria Enzersdorf
Austria

UID number: ATU82607804

Merz-RailServices.com

Represented by:
Ing. Mag. (FH) Matthias Merz
Matthias.Merz@Merz-RailServices.com
+43 664 2122820

A data protection officer has not been appointed, as there is no legal obligation to do so under Article 37 of the GDPR.

Data processing within the scope of the website

Hosting

Our website is hosted externally by easyname GmbH, based in 1100 Vienna, Canettistraße 5/10. We have a data processing agreement with the hosting service provider in accordance with Art. 28 GDPR. This is a contract required by data protection law, which ensures that the hosting service provider only processes the personal data of our website visitors in accordance with our instructions and in compliance with the GDPR.

The personal data collected on our website is stored on the host's servers.

Our host will only process your data to the extent necessary to fulfil its service obligations and will follow our instructions regarding this data.

Access data / server log files

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in ensuring the security and stability of our website and in error analysis).

Our hosting provider collects data about access to the website, which your browser automatically transmits to us, and automatically stores this data as server log files.

The following data can be recorded:

  • Website visited
  • Date and time of access
  • Amount of data transferred
  • Source/reference from which you accessed the page (referrer URL)
  • IP address (in anonymised form)
  • Host name of the accessing computer
  • Browser type and browser version
  • operating system used

This data is evaluated solely for the purpose of ensuring technical operation and improving our offering – for this purpose, the server log files must be recorded.

This data is not evaluated on an individual basis or combined with other data sources.

Cookies

Our website only uses technically necessary cookies that are required for the operation and basic functions of the website. These cookies are stored on the basis of Art. 6 (1) lit. f GDPR and do not require consent. For all cookies/tools that are not absolutely necessary, we obtain your consent in advance (Art. 6(1)(a) GDPR; Section 165(3) TKG 2021).

You can disable or restrict the storage of cookies in your browser. However, this may impair the functionality of our website.

Web analytics tools

Legal basis: Art. 6(1)(a) GDPR (consent)

Our website does not use web analytics services.

Purposes and legal bases of processing

The data you provide will be processed within the framework of your business relationship. This means that if you contact us by email or via a contact form, the data you provide will be stored for the purpose of processing your enquiry and in case of follow-up questions.

We would like to point out that, for the purpose of simplifying the quotation process and subsequent contract processing, the necessary data (e.g. company name, address, contact person and email address) will be stored in a merchandise management system.

We process personal data that you provide to us in the course of our cooperation as a customer, supplier, business partner or applicant. This includes in particular:

  • Company data: Company name, address, company registration number, VAT number.
  • Contact details: Name, position, telephone number, email address.
  • Bank details: for the processing of payments within the framework of existing contractual relationships (legal basis: Art. 6(1)(b) GDPR).
  • Date of birth: if you voluntarily provide us with this information, for example so that we can send you greetings on special occasions (legal basis: Art. 6(1)(a) GDPR).
  • Enquiry and order details as well as other information necessary for the execution of the contract.

We process this data for the following purposes:

Contractual and pre-contractual purposes

Legal basis: Art. 6(1)(b) GDPR (performance of a contract)

  • Conclusion, execution and administration of contracts
  • Processing of enquiries, orders or complaints
  • Customer service and support

Legal obligations

Legal basis: Art. 6(1)(c) GDPR (legal obligation)

  • Fulfilment of legal retention obligations (e.g. invoices, accounting)
  • Compliance with tax and commercial law requirements
  • Identity checks, money laundering prevention

Legitimate interests

Legal basis: Art. 6(1)(f) GDPR (legitimate interest)

  • IT and data security
  • Direct marketing to existing customers (B2B): Direct marketing is carried out exclusively within the scope of the statutory exception for existing customers (Section 174(4) TKG 2021)
  • Improvement of products or services
  • Enforcement or defence of legal claims

Consent-based purposes

Legal basis: Art. 6(1)(a) GDPR (consent)

The processing of personal data is based on your express consent, in particular for the following purposes:

  • Sending newsletters, promotional emails or surveys to interested parties or non-existing customers
  • Sending information about products, services or events, provided that no existing customer relationship exists
  • Participation in competitions or marketing campaigns
  • Publication of photos, references or testimonials.

Consent is given voluntarily and can be revoked at any time with future effect.
Every electronic mailing contains an unsubscribe link that you can use to revoke your consent at any time.

Application management

Legal basis: Art. 6(1)(b), (f) GDPR

The processing of applicants' personal data is carried out exclusively for the purpose of conducting the application process and deciding on the establishment of an employment relationship.

The processing is carried out on the following legal bases:

  • Art. 6(1)(b) GDPR – implementation of pre-contractual measures in the context of the application process
  • Art. 6(1)(f) GDPR – legitimate interest in the defence and assertion of legal claims, in particular in connection with the Equal Treatment Act (GlBG)

If applicants voluntarily provide special categories of personal data in accordance with Art. 9 GDPR (e.g. health data) as part of the application process, this data will be processed exclusively on the basis of express consent in accordance with Art. 9 (2) (a) GDPR or insofar as this is necessary for the exercise of rights and obligations under labour law.

After completion of the application process, the application documents will be stored for a maximum period of 7 months (6 months in accordance with the GlBG plus 1 month reserve period) and then deleted or anonymised, unless there is a legal obligation or express consent for longer storage (e.g. applicant pool).

Communication and business relationships

Legal basis: Art. 6(1)(f) or (a) GDPR

  • Maintaining customer, supplier or partner contacts
  • Sending information about products or events
  • Customer support and
  • For our own advertising purposes, for example to send offers, advertising brochures and newsletters (in paper and electronic form), as well as for the purpose of referring to the existing or former business relationship with the customer (reference reference).

The legal bases for the processing of your personal data are:

  • Art. 6 (1) b GDPR – performance of a contract or pre-contractual measures
  • Art. 6 (1) f GDPR – legitimate interest
  • Art. 6 (1) a GDPR – consent

Without this data, we cannot conclude the contract with you.

Recipients / Processors

Your data will only be passed on to third parties if this is necessary for the fulfilment of the contract or if there is a legal obligation to do so. Your data will not be passed on to third parties for advertising purposes.

We use external IT service providers as processors for the technical operation and administration of our systems. We have contracts with these service providers in accordance with Art. 28 GDPR, which guarantee the security of your data. These include:

  • Transport and shipping companies for the delivery of goods
  • Tax advisors for the fulfilment of tax obligations
  • IT service providers for hosting, cloud services (e.g. office solutions, email), maintenance and support

If we use service providers whose headquarters or servers are located in a third country (e.g. Microsoft Corporation), this is done exclusively under the conditions specified in the section ‘Transfer to third countries’.

Storage period / deletion periods

We only store your personal data for as long as is necessary to fulfil the purpose or as long as contractual or legal obligations or legitimate interests exist (e.g. to provide a service you have requested, to comply with statutory retention obligations or to assert legal claims).

This means that we delete or anonymise personal data as soon as the reason for data processing no longer exists. If this is not possible, we will store your personal data securely and not make it available for further processing until deletion is possible.

If you wish to have your data deleted or revoke your consent to data processing, the data will be deleted as soon as possible and insofar as there is no obligation to store it.

Transfers to third countries

We generally process data in Austria or within the European Economic Area (EEA). In exceptional cases, if we transfer data to a third country (outside the EEA) or have it processed there (e.g. in connection with the use of Microsoft 365/cloud services or IT support), this will only be done if the requirements of Art. 44 ff. GDPR are met.

This means that processing is carried out on the basis of special guarantees, such as the officially recognised determination of a level of data protection equivalent to that of the EU (e.g. for the USA through the EU-US Data Privacy Framework). Microsoft Corporation is certified under the Data Privacy Framework. In the absence of an adequacy decision, we base the data transfer on the Standard Contractual Clauses (SCC) of the EU Commission to ensure an adequate level of protection.

Your rights as a data subject

In accordance with Articles 13 and 14 of the GDPR, we hereby inform you of the following rights to which you are entitled:

Information

According to Article 15 of the GDPR, you have the right to know whether we process your data. If this is the case, you have the right to receive a copy of the data and to obtain the following information:

  • the purpose for which we carry out the processing;
  • the categories, i.e. the types of data that are processed;
  • who receives this data and, if the data is transferred to third countries, how security can be guaranteed;
  • how long the data will be stored;
  • the existence of the right to rectification, erasure or restriction of processing and the right to object to processing;
  • that you can lodge a complaint with a supervisory authority (links to these authorities can be found below);
  • the origin of the data, if we did not collect it from you;
  • whether profiling is carried out, i.e. whether data is automatically evaluated in order to create a personal profile of you. There is no automated decision-making or profiling in accordance with Art. 22 GDPR.

Correction

According to Article 16 of the GDPR, you have the right to have your data corrected, which means that we must correct any data if you find errors.

Deletion

According to Article 17 of the GDPR, you have the right to erasure (‘right to be forgotten’), which specifically means that you may request the deletion of your data.

Restriction of processing

According to Article 18 of the GDPR, you have the right to restrict processing, which means that we may only store the data but may not use it further.

Data portability

According to Article 20 of the GDPR, you have the right to data portability, which means that we will provide you with your data in a commonly used format upon request.

Objection to processing

According to Article 21 of the GDPR, you have a right to object, which, once enforced, will result in a change in the processing.

  • If the processing of your data is based on Article 6(1)(e) (public interest, exercise of official authority) or Article 6(1)(f) (legitimate interest), you may object to the processing. We will then check as soon as possible whether we can legally comply with this objection.
  • If data is used for direct marketing purposes, you may object to this type of data processing at any time. We will then no longer be permitted to use your data for direct marketing purposes.
  • If data is used for profiling purposes, you may object to this type of data processing at any time. We will then no longer be permitted to use your data for profiling purposes.

Please direct your enquiries to Privacy@Merz-RailServices.com

Revocation and objection

All consents can be revoked independently of each other at any time. Revocation means that we will no longer process your data for the above-mentioned purposes from that point onwards and that you will therefore no longer be able to exercise the corresponding rights, benefits, etc.

For revocation, please contact: Privacy@Merz-RailServices.com.

Right to lodge a complaint with the data protection authority

You have the right to lodge a complaint under Article 77 of the GDPR. If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can lodge a complaint with the supervisory authority:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna

Phone: +43 1 52 152-0
Email: dsb@dsb.gv.at
www.dsb.gv.at

Data security

We take extensive technical and organisational measures to protect your personal data from loss, misuse and unauthorised access. These include, among other things:

  • Access restrictions: Only authorised persons have access to personal data.
  • Training our employees in the handling of personal data and data protection.
  • Physical security of the servers by our hosting service provider.
  • SSL/TLS encryption for secure data transmission via our website (HTTPS).
  • Regular data backups to ensure data availability and integrity.
  • Firewall and virus protection systems as well as the latest security updates.
  • Logging of accesses for the detection and prevention of security incidents.

Our security measures are regularly reviewed and adapted to the state of the art.

Changes to the privacy policy

We reserve the right to amend this privacy policy as necessary in order to adapt it to changes in the legal situation or technical developments. The current version can be found on our website.

Last update: 16 December 2025