Data Pri­va­cy State­ment

This Pri­va­cy Pol­i­cy clar­i­fies the nature, scope and pur­pose of the pro­cess­ing of per­son­al data (here­inafter referred to as ‘data’) by our web­site and relat­ed web­sites, fea­tures and con­tent, as well as our exter­nal web pres­ence, such as our social media pro­files (col­lec­tive­ly referred to as ‘web­site’). Regard­ing ter­mi­nol­o­gy such as ‘per­son­al data’ or its ‘pro­cess­ing’, we refer to the def­i­n­i­tions in Arti­cle 4 of the Gen­er­al Data Pro­tec­tion Reg­u­la­tion (GDPR).

Respon­si­ble organ­i­sa­tion:
Green4Cities GmbH.
West­bahn­straße 7 Top 6a
1070 Vien­na Aus­tria
Com­pa­ny Reg­is­tra­tion No.: FN 418654 v
Man­ag­ing Direc­tor: Doris Schnepf
Tele­phone: +43 676 67 00 215

Types of data held:

Per­son­al data
Con­tact details
Con­tent data
Usage data (such as web­sites vis­it­ed, inter­est in con­tent, access times)
Meta / com­mu­ni­ca­tion data (e.g. device infor­ma­tion, IP address­es)

Only data that has been express­ly giv­en by users is stored, such as data entered in an online form.

Cat­e­gories of data sub­jects:

Cus­tomers / inter­est­ed par­ties / sup­pli­ers
Web­site vis­i­tors and online users

Here­inafter, we refer to any per­sons con­cerned as ‘users’.

Pur­pose of hold­ing data:

Answer­ing con­tact requests and com­mu­ni­cat­ing with users, as of 25.05.2018.
Rel­e­vant legal frame­work

In accor­dance with Arti­cle 13 of the GDPR, we are inform­ing you of the legal basis of our data pro­cess­ing. Unless refer­ring to anoth­er legal basis in the data pro­tec­tion dec­la­ra­tion, the fol­low­ing applies: the legal basis for obtain­ing con­sent is Arti­cle 6 (1) (a) and Arti­cle 7 of the GDPR; the legal basis for pro­cess­ing data to car­ry out our ser­vices and con­trac­tu­al oblig­a­tions and answer­ing inquiries about our ser­vices is Arti­cle 6 (1) (b) of the GDPR; the legal basis for pro­cess­ing data to ful­fil our legal oblig­a­tions is Arti­cle 6 (1) © of the GDPR; and the legal basis for pro­cess­ing data to pro­tect our legit­i­mate inter­ests is Arti­cle 6 (1) (f) of the GDPR. If, in the inter­ests of the data sub­ject or anoth­er indi­vid­ual per­son­al, data requires pro­cess­ing, Arti­cle 6 (1) (d) of the GDPR is our legal basis.

Changes and updates to our Pri­va­cy Pol­i­cy

We ask you to inform your­self reg­u­lar­ly about the con­tent of our Pri­va­cy Pol­i­cy. We adjust the pri­va­cy state­ment when­ev­er changes to our data process­es require. We will inform you when­ev­er action on your part (such as con­sent) or any oth­er indi­vid­ual noti­fi­ca­tion is required by the amend­ments.

Secu­ri­ty mea­sures

3.1. We take appro­pri­ate tech­ni­cal mea­sures in accor­dance with Arti­cle 32 of the GDPR, tak­ing into account the state of the art, imple­men­ta­tion costs and the nature, scope, cir­cum­stances and pur­pos­es of the pro­cess­ing, as well as the like­li­hood and sever­i­ty of risk to the rights and free­doms of nat­ur­al per­sons and organ­i­sa­tion­al mea­sures to ensure a lev­el of pro­tec­tion appro­pri­ate to the risk. In par­tic­u­lar, mea­sures include ensur­ing the con­fi­den­tial­i­ty, integri­ty and acces­si­bil­i­ty of data by con­trol­ling phys­i­cal access to the data, as well as online access, input, dis­clo­sure, avail­abil­i­ty and sep­a­ra­tion. In addi­tion, we have estab­lished pro­ce­dures that ensure data sub­ject rights, data era­sure and response to data vul­ner­a­bil­i­ty. Fur­ther­more, we also con­sid­er the pro­tec­tion of per­son­al data when devel­op­ing or select­ing hard­ware, soft­ware and pro­ce­dures, in accor­dance with the prin­ci­ple of data pro­tec­tion by tech­nol­o­gy design and by pri­va­cy-friend­ly default set­tings (Arti­cle 25 of the GDPR).

3.2. One of the secu­ri­ty mea­sures is the encrypt­ed trans­fer of data between your brows­er and our serv­er.

Coop­er­a­tion with sub­con­trac­tors and third par­ties

4.1. If in the course of pro­cess­ing, we dis­close data to oth­er per­sons and com­pa­nies (sub­con­trac­tors or third par­ties), share data with them or oth­er­wise grant access to data, this is done only where legal­ly per­mit­ted (e.g. shar­ing data with third par­ties as required by pay­ment ser­vice providers, pur­suant to Arti­cle 6 (1) (b) of the GDPR in order to ful­fil the con­tract), with your con­sent or in pur­suit of our legit­i­mate inter­ests (such as the use of agents, web­site hosts, etc.).

4.2. If we com­mis­sion third par­ties to process data on the basis of a ‘pro­cess­ing con­tract’, this is done on the basis of Arti­cle 28 of the GDPR.

Inter­na­tion­al trans­fer of per­son­al data

If we process data in a third coun­try (i.e. out­side the Euro­pean Union (EU) or the Euro­pean Eco­nom­ic Area (EEA)) or when using third par­ty ser­vices or dis­clo­sure or trans­mis­sion of data to third par­ties, this will only be done if it is to ful­fil our (pre) con­trac­tu­al oblig­a­tions, with your con­sent, to ful­fil a legal oblig­a­tion or in pur­suit of our legit­i­mate inter­ests. Sub­ject to legal or con­trac­tu­al per­mis­sions, we process or have the data processed in a third coun­try only under spe­cial con­di­tions of Arti­cle 44 et seq. of the GDPR, that pro­cess­ing is sub­ject to spe­cif­ic guar­an­tees, such as offi­cial­ly rec­og­nized lev­el of data pro­tec­tion (e.g. in the USA, through the Pri­va­cy Shield) or com­pli­ance with offi­cial­ly rec­og­nized spe­cial con­trac­tu­al oblig­a­tions (so-called ‘stan­dard con­trac­tu­al claus­es’).

Rights of the per­sons con­cerned

6.1. You have the right to ask for con­fir­ma­tion about whether your per­son­al data is being processed, for infor­ma­tion about your data and for any oth­er infor­ma­tion, and a copy of your data in accor­dance with Arti­cle 15 of the GDPR.

6.2. In accor­dance with Arti­cle 16 of the GDPR you have the right to demand the com­ple­tion of your data or the cor­rec­tion of any incor­rect data con­cern­ing you.

6.3. You have the right to demand the rel­e­vant data be delet­ed imme­di­ate­ly in accor­dance with Arti­cle 17 of the GDPR, or alter­na­tive­ly to require a restric­tion of the pro­cess­ing of your data in accor­dance with Arti­cle 18 of the GDPR.

6.4. You have the right to demand that the per­son­al data you have pro­vid­ed us with be obtained by and request its trans­mis­sion to oth­er respon­si­ble per­sons, in accor­dance with Arti­cle 20 of the GDPR.

6.5. In accor­dance with Arti­cle 77 of the GDPR you have the right to file a com­plaint with the rel­e­vant super­vi­so­ry author­i­ty.

Right to with­draw con­sent

You have the right under Arti­cle 7 (3) of the GDPR to with­draw your con­sent with effect in per­pe­tu­ity.

Right to refuse

You can refuse any future pro­cess­ing of your data at any time, in accor­dance with Arti­cle 21 of the GDPR. Refusal in par­tic­u­lar can be made to pro­cess­ing your data for direct mar­ket­ing pur­pos­es.

Cook­ies and your right to refuse direct mar­ket­ing

We set tem­po­rary and per­ma­nent cook­ies, small files that are stored on users’ devices (for an expla­na­tion of the term and func­tion, see the last sec­tion of this Pri­va­cy Pol­i­cy). Cook­ies are part­ly used for secu­ri­ty or to car­ry out our web­site (for exam­ple, the pre­sen­ta­tion of the web­site) or to save a user’s deci­sion when con­firm­ing the cook­ie ban­ner. In addi­tion, we or our tech­nol­o­gy part­ners use cook­ies for audi­ence analy­sis and for mar­ket­ing pur­pos­es, as users are informed about in this Pri­va­cy Pol­i­cy.

A guide to refus­ing the use of cook­ies for online mar­ket­ing pur­pos­es can be found on a vari­ety of ser­vices, espe­cial­ly in the case of track­ing, via the USA web­site or the EU web­site Fur­ther­more, cook­ies stor­age can be con­trolled by switch­ing them off in your brows­er set­tings. Please note it may not be pos­si­ble to use all fea­tures of this web­site.

Dele­tion of per­son­al data

10.1. The data processed by us are delet­ed or their pro­cess­ing lim­it­ed in accor­dance with Arti­cles 17 and 18 of the GDPR. Unless explic­it­ly stat­ed in this Pri­va­cy Pol­i­cy, data stored by us are delet­ed as soon as they are no longer required and if the dele­tion does not con­flict with any statu­to­ry stor­age require­ments. If the data is not delet­ed because it is required for oth­er legit­i­mate pur­pos­es, its pro­cess­ing will be restrict­ed, the data blocked and not processed for any oth­er pur­pose. This applies, for exam­ple to data that must be retained for com­mer­cial or tax rea­sons.

10.2. Under legal require­ments, data must be retained for 7 years in accor­dance with § 132 (1) (account­ing doc­u­ments, receipts / invoic­es, accounts, com­mer­cial doc­u­ments, state­ments of income and expens­es, etc.), 22 years for data relat­ing to land, and 10 years for data relat­ing to elec­tron­ic ser­vices, telecom­mu­ni­ca­tions, broad­cast­ing and tele­vi­sion ser­vices pro­vid­ed to pri­vate per­sons in EU Mem­ber States and for which the Mini One Stop Shop (MOSS) is used.


11.1. When con­tact­ing us (via con­tact form or email), the infor­ma­tion pro­vid­ed by the user will be used to process and respond to the con­tact request in accor­dance with Arti­cle 6 (1) (b) of the GDPR.

11.2. User infor­ma­tion may be stored in our Cus­tomer Rela­tion­ship Man­age­ment Sys­tem (‘CRM Sys­tem’) or a sim­i­lar request man­age­ment sys­tem.

11.3. We delete requests if they are no longer required. We check the neces­si­ty every two years; we store inquiries from cus­tomers with a cus­tomer account per­ma­nent­ly and record any dele­tion in the cus­tomer account details.

Com­ments and posts

12.1. If users leave com­ments or oth­er con­tri­bu­tions, their IP address­es are stored for 7 days based on our legit­i­mate inter­ests with­in the mean­ing of Arti­cle 6 (1) (f) of the GDPR.

12.2. For our own secu­ri­ty, if a per­son posts any ille­gal con­tent in com­ments and con­tri­bu­tions (insults, pro­hib­it­ed polit­i­cal pro­pa­gan­da, etc.) we our­selves can be pros­e­cut­ed for the com­ment or post, thus we there­fore need to be able to iden­ti­fy the author.

Col­lec­tion of access data and log­files

13.1. Based on our legit­i­mate inter­ests under Arti­cle 6 (1) (f) of the GDPR, we col­lect data every time the serv­er on which our ser­vice is locat­ed is accessed (known as serv­er log files). The access data includes the name of the retrieved web page, file, date and time of retrieval, quan­ti­ty of data trans­ferred, mes­sage about suc­cess­ful retrieval, brows­er type and ver­sion, the user’s oper­at­ing sys­tem, refer­rer URL (the page pre­vi­ous­ly vis­it­ed), IP address and the request provider.

13.2. Log­file infor­ma­tion is stored for secu­ri­ty pur­pos­es (for exam­ple to inves­ti­gate abu­sive or fraud­u­lent activ­i­ties) for a max­i­mum of sev­en days and then delet­ed. Data whose fur­ther reten­tion is required for any pur­pose of evi­dence is exempt from the can­cel­la­tion until final clar­i­fi­ca­tion of the inci­dent.

Online pres­ence on social media

14.1. We main­tain an online pres­ence on social net­works and plat­forms to com­mu­ni­cate with cus­tomers, prospec­tive cus­tomers and users active there, and to tell them about our ser­vices. For activ­i­ty on these net­works and plat­forms, terms and con­di­tions and data pro­cess­ing guide­lines apply to their respec­tive oper­a­tors.

14.2. Unless oth­er­wise stat­ed in our Pri­va­cy Pol­i­cy, users’ data will be processed when­ev­er they com­mu­ni­cate with us on social net­works and plat­forms, for exam­ple by writ­ing posts on our online pres­ence or send­ing us mes­sages.

Cook­ies and audi­ence analy­sis

15.1. Cook­ies are infor­ma­tion trans­mit­ted from our web serv­er or third-par­ty web servers to users’ web browsers and stored there for lat­er retrieval. Cook­ies can be small files or oth­er types of infor­ma­tion stor­age.

15.2. This Pri­va­cy Pol­i­cy informs users about the use of cook­ies in rela­tion to pseu­do­nymised audi­ence analy­sis.

15.3. If users do not want cook­ies stored on their com­put­er, they will be asked to dis­able the option in their browser’s sys­tem set­tings. Saved cook­ies can be delet­ed in the sys­tem set­tings of the brows­er. Dis­abling cook­ies can lead to restrict­ed online func­tion­al­i­ty.

15.4. You can opt out of the use of cook­ies for audi­ence analy­sis and pro­mo­tion­al pur­pos­es through the Net­work Adver­tis­ing Initiative’s opt-out page, the US web­site or the Euro­pean web­site

Google Ana­lyt­ics

16.1. We use Google Ana­lyt­ics, a web ana­lyt­ics ser­vice pro­vid­ed by Google LLC (‘Google’), based on our legit­i­mate inter­ests (the analy­sis, opti­mi­sa­tion and eco­nom­ic oper­a­tion of our web­site under Arti­cle 6 (1) (f) of the GDPR). Google uses cook­ies. The infor­ma­tion gen­er­at­ed by the cook­ie about the use of the web­site by users is usu­al­ly trans­mit­ted to a Google serv­er in the USA and stored there.

16.2. Google is cer­ti­fied under the Pri­va­cy Shield Agree­ment, which gives a guar­an­tee to com­ply with Euro­pean pri­va­cy leg­is­la­tion (

16.3. Google uses this infor­ma­tion on our behalf to analyse the use of our web­site by users, to com­pile reports on online activ­i­ties and to pro­vide us with fur­ther ser­vices relat­ed to the use of our web­site and inter­net pres­ence. In this case, anonymised user activ­i­ty pro­files may be cre­at­ed from the processed data.

16.4. We only use Google Ana­lyt­ics with acti­vat­ed IP pseu­do­nymi­sa­tion. This means that the IP address of users will be short­ened by Google with­in Mem­ber States of the Euro­pean Union or in oth­er states in the Euro­pean Eco­nom­ic Area who have signed up to the agree­ment. Only in excep­tion­al cas­es will the full IP address be sent to a Google serv­er in the USA and short­ened there.

16.5. The IP address sub­mit­ted by the user’s brows­er will not be merged with oth­er data pro­vid­ed by Google. Users can pre­vent the stor­age of cook­ies by set­ting their brows­er soft­ware accord­ing­ly; users may also pre­vent the col­lec­tion by Google of data gen­er­at­ed by cook­ies and relat­ed to their use of the web­site as well as the pro­cess­ing of this data by Google, by down­load­ing and installing the brows­er plug-in avail­able under the fol­low­ing link:

16.6. For more infor­ma­tion about Google’s data usage, and opt­ing in or out, please vis­it Google’s web­sites:  (‘How Google uses infor­ma­tion from sites or apps that use our ser­vices’), (‘Adver­tis­ing’), and (‘Con­trol the infor­ma­tion Google uses to show you ads’).

Face­book social plu­g­ins

17.1. In pur­suit of our legit­i­mate inter­ests (the analy­sis, opti­mi­sa­tion and eco­nom­ic oper­a­tion of our web­site under Arti­cle 6 (1) (f) of the GDPR) we use the social plu­g­ins (‘plu­g­ins’) of the social net­work, oper­at­ed by Face­book Ire­land Ltd., 4 Grand Canal Square, Grand Canal Har­bor, Dublin 2, Ire­land (‘Face­book’). The plu­g­ins can rep­re­sent inter­ac­tion ele­ments or con­tent (such as videos, graph­ics or text con­tri­bu­tions) and can be rec­og­nized by one of the Face­book logos (white ‘f’ on a blue tile, the term ‘Like’ or a ‘thumbs up’ sign) or are marked with the addi­tion ‘Face­book Social Plu­g­in’. The list and appear­ance of Face­book Social Plu­g­ins can be viewed here:

17.2. Face­book is cer­ti­fied under the Pri­va­cy Shield Agree­ment, which pro­vides a guar­an­tee to com­ply with Euro­pean pri­va­cy leg­is­la­tion (

17.3. When a user invokes a fea­ture of this web­site that includes such a plu­g­in, their device estab­lish­es a direct con­nec­tion to Face­book servers. The con­tent of the plu­g­in is trans­mit­ted by Face­book direct­ly to the device of the user and incor­po­rat­ed by them into the web­site. In the process, user pro­files can be cre­at­ed from the processed data. We there­fore can­not con­trol the amount of data Face­book col­lects with the help of plu­g­ins and there­fore we inform users that this is our under­stand­ing.

17.4. By inte­grat­ing the plu­g­ins, Face­book receives infor­ma­tion that the user has accessed the cor­re­spond­ing page of the web­site. If the user is logged in to Face­book, Face­book can assign the vis­it to their Face­book account. If users inter­act with the plu­g­ins, for exam­ple, press the Like but­ton or leave a com­ment, the infor­ma­tion is trans­mit­ted from your device direct­ly to Face­book and stored there. If a user is not a mem­ber of Face­book, there is still the pos­si­bil­i­ty that Face­book will learn of and save their IP address. Accord­ing to Face­book, only an anony­mous IP address is stored in Ger­many.

17.5. The pur­pose and scope of the data col­lec­tion and the fur­ther pro­cess­ing and use of the data by Face­book, as well as relat­ed rights and set­tings options for pro­tect­ing the pri­va­cy of users, can be found in Facebook’s Pri­va­cy Pol­i­cy:

17.6. If a user is a Face­book mem­ber and does not want Face­book to col­lect data about them via this web­site and link it to their mem­ber data stored on Face­book, they must log out of Face­book and delete their cook­ies before using our web­site. Oth­er set­tings and con­trols in the use of data for adver­tis­ing pur­pos­es are avail­able with­in Face­book pro­file set­tings: or via the US Amer­i­can site or the EU page The set­tings are inde­pen­dent of the plat­form, and can be applied to any device, such as desk­top com­put­ers or mobile devices.

Inte­gra­tion of third par­ty ser­vices and con­tent

18.1. With­in our web­site based on our legit­i­mate inter­ests (inter­est in the analy­sis, opti­mi­sa­tion and eco­nom­ic oper­a­tion of our web­site with­in the mean­ing of Arti­cle 6 (1) (f) of the GDPR), we make use of third par­ty con­tent or ser­vice offers to pro­vide con­tent and ser­vices, such as embed­ding videos or fonts (col­lec­tive­ly referred to as ‘con­tent’). This always assumes the third par­ty sees the user’s IP address, since they could not send con­tent to their brows­er with­out the IP address. The IP address is there­fore required for the pre­sen­ta­tion of this con­tent. We endeav­our to use only con­tent whose respec­tive providers use the IP address sole­ly for the deliv­ery of the con­tent. Third par­ties may also use so-called pix­el tags (invis­i­ble graph­ics, also referred to as ‘web bea­cons’) for sta­tis­ti­cal or mar­ket­ing pur­pos­es. The ‘pix­el tags’ can be used to analyse infor­ma­tion such as vis­i­tor traf­fic to the pages of our web­site. The pseu­do­nymised infor­ma­tion may also be stored in cook­ies on the user’s device and may include, but is not lim­it­ed to, tech­ni­cal infor­ma­tion about the brows­er and oper­at­ing sys­tem, refer­ral web sites, vis­it time, and oth­er infor­ma­tion regard­ing the use of our web­site.

18.2. The fol­low­ing pre­sen­ta­tion pro­vides an overview of a third-par­ty provider and its con­tent, as well as links to its Pri­va­cy Pol­i­cy, with fur­ther notes on the pro­cess­ing of data and, as already men­tioned, refusal options such as opt-out:

– Exter­nal fonts from Google LLC, (‘Google Fonts’). The inte­gra­tion of Google fonts is done by a server’s call to Google (usu­al­ly in the USA). Pri­va­cy Pol­i­cy: and opt-out:

– Maps pro­vid­ed by Google Maps of third par­ty Google LLC, 1600 Amphithe­ater Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy Pol­i­cy: and opt-out:

– Videos on the plat­form YouTube of third-par­ty Google LLC, 1600 Amphithe­ater Park­way, Moun­tain View, CA 94043, USA. Pri­va­cy Pol­i­cy: and opt-out: