Privacy policy

(Date: 12.05.2026)

>> Our Cookie Policy

1.) Who is responsible for data processing and who can I contact?

  • 1.1) Quality Austria Holding GmbH, with its operating subsidiaries Quality Austria Academy GmbH and Quality Austria Certification GmbH, is the leading Austrian authority for training and further education, as well as for personal, system, and product certifications, assessments, and validations, as well as the Austria Quality Seal. This is based on globally recognised accreditations and international approvals. In addition, the company has been awarding the Austrian Quality Award together with the Federal Ministry of Economic Affairs, Energy and Tourism since 1996. As the national market leader for the Integrated Management System for the assurance and improvement of corporate quality, Quality Austria is a driving force for Austria as a business location and stands for ‘Success with Quality’.
  • 1.2) Quality Austria, i.e. Quality Austria Holding GmbH (‘QA Holding’), Quality Austria Academy GmbH (‘QA Academy’) and Quality Austria Certification GmbH (‘QA Certification’) (collectively ‘Quality Austria’, ‘we’, ‘us’), each of which is a controller within the meaning of Article 4(7) of the General Data Protection Regulation (‘GDPR’).
  • 1.3) You can reach us as follows:

Quality Austria Holding GmbH
Zelinkagasse 10/3
1010 Vienna, Austria
Phone: +43 1 274 87 47
E-mail: datenschutz@qualityaustria.com

Quality Austria Academy GmbH
Zelinkagasse 10/3
1010 Vienna, Austria
Phone: +43 1 274 87 47
E-mail: academy-datenschutz@qualityaustria.com

Quality Austria Certification GmbH
Zelinkagasse 10/3
1010 Vienna, Austria
Phone: +43 1 274 87 47
E-mail: certification-datenschutz@qualityaustria.com

  • 1.4) CURRENT NEWS: If you are already a Quality Austria customer, we would like to inform you that, by way of a spin-off, your data was passed from Quality Austria - Trainings, Zertifizierungs und Begutachtungs GmbH on to the universal successor Quality Austria Academy GmbH or the universal successor Quality Austria Certification GmbH in order to be able to continue the contracts with you (Article 6(1)(b) GDPR). Quality Austria Academy GmbH and Quality Austria Certification GmbH are the new data controllers as of the spin-off and are thus responsible for your questions and concerns in connection with the GDPR. This privacy policy was updated accordingly.
  • 1.5) The controller takes the protection of your personal data very seriously. The controller therefore treats your personal data confidentially and in accordance with the applicable data protection regulations, in particular the GDPR and the Austrian Data Protection Act ("DSG").
  • 1.6) In this privacy policy you will find information on the data processing carried out. The terms laid down in the GDPR are used. For better comprehensibility, you will find below the most important terms according to their legal definition
    • Personal data: Any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
    • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
    • Data subject: The person whose personal data is processed.
    • Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
    • Processor: The natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
    • Consent (of the data subject): Any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
  • In this privacy policy you will find information on the data processing carried out. The terms laid down in the GDPR are used. For better comprehensibility, you will find below the most important terms according to their legal definition
  • In this privacy policy you will find information on the data processing carried out. The terms laid down in the GDPR are used. For better comprehensibility, you will find below the most important terms according to their legal definition

2.) For what purposes and on what legal basis is your personal data processed?

Quality Austria Holding is the sole controller for the following data processing operations pursuant to Art 4(7) GDPR: Operation of the website (see point 2.1), enquiry by website, e-mail, post or telephone (see point 2.2), offering qualityaustria services and products (see point 2.3), advertising communication, newsletter, event participation (see point 2.4) and legal prosecution (see point 2.6);
The Quality Austria Academy is the sole controller for the following data processing pursuant to Art. 4(7) GDPR: Enquiry via website, e-mail, post or telephone (see point 2.2), offering qualityaustria services and products (see point 2.3), promotional communication, newsletter, event participation (see point 2.4) and legal prosecution (see point 2.6);
Quality Austria Certification is the sole controller for the following data processing pursuant to Art. 4(7) GDPR: Operation of the website (see point 2.1), enquiry by website, e-mail, post or telephone (see point 2.2), offering qualityaustria services and products (see point 2.3), advertising communication, newsletter, event participation (see point 2.4), certificate management (see point 2.5), legal prosecution (see point 2.6) and data processing within the framework of network partners (see point 2.7).

  • 2.1) Operation of the website
    • 2.1.1) In order to make the website available to you and to be able to recognise, prevent and investigate attacks on our website, Quality Austria processes the following personal data on the basis of our aforementioned legitimate interests (Art 6 para 1 lit f GDPR) the URL called up; the date and time of the call; the IP address of the computer or mobile device; the name and version of the web browser; the browser type and settings data (screen resolution, colour depth, time zone settings, browser extensions, fonts, language); the operating system; and the website (URL) from which you visit our website ("referrer").
  • 2.2) Enquiry by website, email, post or telephone
    • 2.2.1) If you send an enquiry to Quality Austria via the contact form on the website, by e-mail or by telephone, Quality Austria processes the following personal data to answer the enquiry in order to fulfil pre-contractual measures or to fulfil the contract (Art 6 para 1 lit b GDPR) or on the basis of our legitimate interests in being able to process your enquiry (Art 6 para 1 lit f GDPR): Name; e-mail address; address; telephone number; content of the enquiry; other information you provide to us; personal information about our qualityaustria services and products.
  • 2.3) Offering qualityaustria services and products (incl. customer processing)
    • 2.3.1) Within the scope of our qualityaustria services and products in the areas of system certification, assessment and validation, awarding of the Austrian Quality Award as well as personal certification and training and further education, we process (i) personal data that you provide to us, (ii) personal data that our customers provide to us as clients of qualityaustria services and products and (iii) personal data that we collect ourselves in the course of providing qualityaustria services and products. For the aforementioned purposes, we process name, address and other contact data, date and place of birth, legitimisation data (including ID data, certificates, electronic signature) and other personal data in connection with the respective order (including audit documentation, event documentation, certificate data, billing data, bank data). Without the processing of the aforementioned data, we cannot offer qualityaustria services and products and cannot carry out ongoing customer processing. The legal basis for this processing is the implementation of pre-contractual measures or the fulfilment of the contract (Art 6 para 1 lit b GDPR) and, where relevant, the fulfilment of legal obligations (Art 6 para 1 lit c GDPR). Audit reports and audit documentation are generally stored for 12 years, unless there are longer normative or statutory retention obligations.
  • 2.4) Advertising communication, newsletter, event participation
    • 2.4.1) We send our customers electronic mail (by email, SMS, MMS or Messenger) to advertise our products or services ("promotional messages"). For this purpose, we process your name, contact details and other information that you provide to us in connection with the receipt of promotional messages. The customer can object to the sending of promotional messages at any time by sending an email to datenschutz@qualityaustria.com with the objection. We will also give you the opportunity to opt out of receiving further promotional messages with each promotional message. The legal basis for sending advertising messages is Section 174 (4) TKG 2021.
    • 2.4.2) We send you postal letters with advertising communication on the basis of our legitimate interests in advertising products or services of interest to you (Art. 6 para. 1 lit. f GDPR). For this purpose, we process your name, contact details and other information that you provide to us in connection with the receipt of advertising messages. You can exercise your right to object to postal advertising communication by sending an email to the email address listed in point 1.3.
    • 2.4.3) If you, as a non-customer, voluntarily provide us with your contact details and other data provided by you for the purpose of sending newsletters, participating in events or other information transmissions, we will process your data on the basis of your consent (Art 6 para 1 lit a GDPR). You can revoke your consent at any time by sending an e-mail to the e-mail address listed in point 1.3.
  • 2.5) Certificate management
    • 2.5.1) Quality Austria makes it possible to check or query valid certifications that have been issued. For this purpose, personal data can also be processed, specifically name, academic title, certificate name, certificate title and certificate number. (for further details, see point 3.3 below). The legal basis for this is Art. 6 para. 1 lit c GDPR in conjunction with the Accreditation Act 2021 (as well as relevant standards, in particular EN ISO/IEC 17021-1, ISO/IEC 17065, ISO 17024 and relevant regulations of the accreditation bodies) and our legitimate interest pursuant to Art. 6 para. 1 lit f GDPR to carry out all activities related to certificate management.
    • 2.5.2) Due to normative requirements (in particular EN ISO/IEC 17021-1 and IAF MD 28), Quality Austria is obliged to make certain information about issued certifications available to the public. For this purpose, the following data is published: name/company and address of the certified organisation, certificate number, certified locations, scope and applicable normative documents, status of the issued certification, date of issue and period of validity. Publication takes place via the certificate search on the Quality Austria website. In the case of certifications according to IAF MD 28, the aforementioned information is also published in the IAF database. The legal basis for this data processing is Article 6(1)(c) GDPR in conjunction with the relevant standards and - where necessary - our legitimate interest pursuant to Article 6(1)(f) GDPR in ensuring the transparency and verifiability of the certifications issued.
  • 2.6) Legal prosecution
    • 2.6.1) If an administrative or judicial dispute arises, the data necessary for the appropriate legal prosecution will be processed and, if necessary, transmitted to legal representatives, courts and administrative authorities. In this context, your contact details (first and last name, academic title, address) and other data in connection with the legal dispute in question (your behaviour in relation to the use of the website) will be processed. The aforementioned personal data is processed on the basis of our legitimate legal interests in legal prosecution pursuant to Art. 6 para. 1 lit f GDPR and pursuant to Art. 9 para. 2 lit f GDPR.
  • 2.7) Video Surveillance in the Entrance Area
    • 2.7.1 Quality Austria processes video recordings made in the designated entrance area in front of the building at Werdertorgasse 10, 1010 Vienna, based on the legitimate interest pursuant to Article 6(1)(f) of the GDPR and Section 12(2)(4) of the Austrian Data Protection Act (“DSG”), for the following purposes:
      • 2.7.1.1. Enforcement of property rights and protection of property as well as safety of employees, customers, and other visitors;
      • 2.7.1.2. Prevention, containment, and investigation of criminal offenses (in particular vandalism and theft).
    • 2.7.2 The video recordings capture and store the following personal data about you:
      • 2.7.2.1 Image data (appearance, behavior);
      • 2.7.2.2 Location and time of the recording;
      • 2.7.2.3 Identity and role (perpetrator, victim, witness, etc.), to the extent recognizable from the recording.
    • 2.7.3 The video cameras record only when and for as long as the cameras detect movement within the recording area. There is a video camera in the area marked by signs in front of the entrance to Quality Austria at Werdertorgasse 10, 1010 Vienna. The field of view of the video camera is set so that only those persons are captured who are directly in the entrance area or on the sidewalk around the entrance area, at a maximum distance of 50 cm from the building wall.
    • 2.7.4 We store the aforementioned personal data for 72 hours. We will only store personal data for longer if this is necessary to pursue or defend against legal claims in specific cases. In such cases, we will store the personal data for as long as necessary to pursue or defend against legal claims.
    • 2.7.5 An evaluation, i.e., review of the video recordings, takes place exclusively in specific cases, that is, only in those instances where Quality Austria becomes aware of damage, theft, or other circumstances requiring investigation. Only specific employees of Quality Austria are authorized to review video recordings when necessary. Access to reviewed video recordings is granted to these employees as well as to those employees whom Quality Austria has entrusted with handling the respective case.
  • 2.8) Data processing in the context of network partners
    • 2.8.1) We process personal data of auditors, assessors, inspectors, technical experts, validators, verifiers, assessors and observers (hereinafter referred to as "network partners") who work within the framework of qualityaustria services of Quality Austria Certification GmbH (in particular audits, inspections, assessments and comparable activities).
    • 2.8.2) Due to normative requirements for certification bodies (in particular ISO/IEC 17021-1, ISO/IEC 17065, ISO/IEC 17029), we are obliged to keep records of the qualifications, training, experience, professional affiliation, professional status, competence and known conflicts of interest of the network partners and to monitor their competence on an ongoing basis. We process the following personal data for this purpose: Proof of qualifications and training, information on professional experience, information on professional status, documentation on training, information on conflicts of interest, competence assessments and other information collected in the course of the collaboration.
    • 2.8.3) The processing of this data is necessary for the appointment as a network partner and for the implementation of qualityaustria services. The legal basis for this processing is the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR).
    • 2.8.4) To the extent necessary for submitting offers and obtaining orders, CVs of network partners, including information on qualifications and competences, may be transmitted to potential client organisations. This may also include transfer to countries outside the EU/EEA, including third countries without an adequate level of data protection. The legal basis for this processing is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, as Quality Austria and the potential client organisations have a legitimate interest in proving the qualifications of the auditors used. Further details on third country transfers can be found under point 3.4.
    • 2.8.5) For the purpose of audit planning, information on the competences of network partners may also be made available to other network partners and lead auditors. The legal basis is the legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR, as Quality Austria has a legitimate interest in efficient and standard-compliant audit planning.
    • 2.8.6) If a network partner accepts an order for the provision of qualityaustria services, we process personal data about the network partner for the purpose of contract fulfilment, in particular for the preparation of audit and examination documentation. For this purpose, the data may also be transmitted to the commissioning organisation and to the respective competent accreditation or licensing body. The legal basis is the fulfilment of the contract (Art 6 para 1 lit b GDPR). You can find more information on the recipients of this data under point 3.

3) To which recipients will your personal data be transmitted?

  • 3.1) We transmit your personal data to our cooperation partners of the relevant qualityaustria services and products to the extent necessary to process your enquiry or to provide the desired qualityaustria services and products. When booking co-operation products that are identified as such, the personal data will be passed on to the respective partners.
  • 3.2) We use processors who perform services on our behalf. The processors may only process the data provided to them in accordance with our instructions and to the extent necessary to perform services for us. We contractually oblige these processors to guarantee the confidentiality and security of the personal data processed within the scope of the order. For the purpose of providing the requested qualityaustria services and products, Quality Austria will forward the data to the external qualityaustria auditors, trainers, assessors and technical experts employed by it, who also act as processors of Quality Austria. In addition, Quality Austria uses external IT service providers.
  • 3.3) Due to normative requirements, Quality Austria is obliged to provide the accreditation and licensing bodies with information on qualityaustria services and/or to grant them access to such information upon their request. The accreditation and licensing bodies may also participate in on-site audits. In the course of this, personal data may also be passed on to the accreditation and licensing bodies. In addition, Quality Austria may transmit personal data to other recipients (such as authorities) in order to fulfil legal reporting obligations.
  • 3.4) The level of data protection in other countries outside the EEA may not correspond to that within the EEA. However, we only transfer your personal data to countries for which the European Commission has decided that they have an adequate level of data protection, or we take measures in accordance with Chapter V GDPR to ensure that all recipients in third countries guarantee an adequate level of data protection. For example, we conclude the standard contractual clauses issued by the European Commission with these recipients.

4) How long will your personal data be stored?

  • 4.1) In principle, your personal data will only be stored for as long as is necessary to fulfil the respective purpose.
  • 4.2) Notwithstanding point 4.1, Quality Austria will store your data for longer if and insofar as this is necessary to fulfil statutory retention obligations (e.g. pursuant to § 132 para. 1 BAO; §§ 190, 212 UGB: 7 years) or to pursue or defend legal claims (generally for a maximum period of 3 years), whereby in the case of imminent or ongoing proceedings, the data will be processed until the conclusion of the proceedings.
  • 4.3) Application documents, audit and assessment reports as well as other documents related to certification are generally stored for a period of 10 years in accordance with Section 12 (8) of the Accreditation Act 2012, unless normative or legal requirements require longer storage. For the pursuit or defence of legal claims, the aforementioned documents are generally processed for a maximum of 3 years, whereby longer processing of the data may be necessary in the event of imminent or specific proceedings.
  • 4.4) If the data processing is based on your consent, Quality Austria will process your data until revoked, unless the purpose of processing has already been achieved. In this case, the data will be deleted once it is no longer necessary to fulfil the purpose. You can withdraw your consent at any time by sending an e-mail to the e-mail address given in point 1.3. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

5) What rights do you have?

  • 5.1) You have the right of access under Art 15 GDPR, the right to rectification under Art 16 GDPR, the right to erasure under Art 17 GDPR, the right to restriction of processing under Art 18 GDPR, the right to object under Art 21 GDPR, the right not to be subject to automated individual decision-making, including profiling, under Art 22 GDPR and the right to data portability under Art 20 GDPR. You also have the right to lodge a complaint with a competent data protection supervisory authority in accordance with Art 77 GDPR. You can find more information about your rights at: https://www.dsb.gv.at/rechte-der-betroffenen.
  • 5.2) The competent supervisory authority is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna (https://www.dsb.gv.at/).
  • 5.3) If you have any questions in connection with the processing of your personal data or wish to assert any rights under the GDPR, such as your right to cancellation or your right to information, please contact Quality Austria as described above in point 1.3.

6) Essential information on joint responsibility pursuant to Art. 26 para. 2 GDPR

  • 6.1 What is the reason for joint controllership? The responsible parties (QA Holding, QA Certification, QA Academy and CIS - Certification & Information Security Services GmbH) process personal customer data in a data pool under joint responsibility if the relevant consent has been given, which means that marketing resources can be pooled. Through this cooperation, customers benefit from more effective marketing activities and higher customer satisfaction. Those responsible benefit from increased efficiency and effectiveness of their marketing strategies.
  • 6.2 For which data processing operations/process sections is there joint responsibility? The controllers have jointly determined the processing of your personal data in the individual areas of activity. They are therefore jointly responsible for the protection of your personal data within the areas of activity described below (Art. 26 GDPR).
  • 6.3 What have the two controllers agreed? The controllers have agreed on who fulfils which obligations under the GDPR within the scope of the jointly responsible activities. This applies in particular to the exercise of the rights of data subjects and the fulfilment of the information obligations under Art. 13 and 14 GDPR.

Areas

Description of the processing opeartion

Responsible controller (fulfilment of obligations towards data subjects)

A

Operation of the database for the shared data pool:

-          Entering the data

-          Updating the data

-          Deletion of the data

QA Holding 

B

Collection of data by means of a declaration of consent on the website

QA Holding

C

Collection of data when selling own products and services by means of a declaration of consent

QA Certification

D

Collection of data when selling own products and services by means of a declaration of consent

QA Academy

E

Collection of data when selling own products and services by means of a declaration of consent

CIS

F

Processing of requests from data subjects in accordance with the GDPR (Art 12-21 GDPR), notification of personal data breaches (Art 33, 34 GDPR)

QA Holding in charge by supporting the respective controller

G

Creation and dispatch of the newsletter

QA Holding

H

Reciprocal advertising of customers with reciprocal products and services of another responsible party

QA Certification, QA Academy, CIS

I

Authorisation to commission processors and control (Art. 28 GDPR) for data processing under joint responsibility

QA Holding

J

Security of processing: risk analysis and definition and documentation of technical and organisational measures as well as regular review and updating (Art. 24 para. 1 in conjunction with Art. 32 GDPR) If necessary, regulations for the implementation of internal control measures (if necessary) and certifications (if intended)

QA Holding

  • 6.4) What does this mean for data subjects? Even if there is joint responsibility, the parties fulfil the data protection obligations in accordance with their respective responsibilities as follows:
    • The controllers shall provide the data subjects with the information required under Art 13 and Art 14 GDPR in a concise, transparent, intelligible and easily accessible form, using clear and plain language, free of charge. Each controller shall provide the other controller with all necessary information from their area of activity.
    • The data controllers shall inform each other immediately of any enquiries/legal positions asserted by data subjects. They shall provide each other with all information necessary for responding to requests for information.
    • You can assert your rights as a data subject within the scope of joint responsibility with Quality Austria Holding. If you have any questions in connection with the processing of your personal data or wish to assert any rights under the GDPR, such as your right to erasure or your right to information, please contact us using the contact details listed in point 1.3.

>> Privacy policy - Whistleblower system

+43 732 34 23 22
0