Data protection

The protection of your data is important to Cyber Trust Services GmbH (hereinafter “CTS”). We therefore process your data exclusively based on the statutory provisions in accordance with the EU General Data Protection Regulation (GDPR). In this data protection declaration, we inform you about the most important aspects of data processing within our company.


The person responsible in accordance with Article 4 (7) of the EU General Data Protection Regulation (GDPR) is

  • Cyber Trust Services GmbH
  • Wienerbergstraße 11/12A A-1100 Vienna
  • You can contact our data protection officer at:
I. Collection of personal data when using our website

When using the website, we collect the data described below to enable convenient use of the functions. If you want to use our website, we collect the following data, which is technically necessary for us to offer you the functions of our website and to guarantee stability and security:

  • IP address
  • Location (place of the inquirer)
  • Date and time of the request
  • Content of the request
  • Browser
  • Operating system and its interface and processor (user agent)
  • Version of the browser software.

The processing of the log data is used for statistical purposes and to improve the quality of our website, in particular the stability and security of the connection (legal basis is Article 6 (1) (f) GDPR). The legal basis for this processing is a legitimate interest in accordance with Article 6 Paragraph 1 lit f GDPR (ensuring the security of our information technology systems and the detection and prevention of criminal threats and actions).

II. Data collection and use when contacting us and using the request form

When you contact us by e-mail or via our request form, the data you provide (this can include: your e-mail address, your name, your telephone number or other information you have provided) will be stored by us in order to be able to answer your questions. To be able to process your label request, we collect and save the following data: first name, last name, email address, telephone number, company, role, industry and address. The payment transaction data also collected for the payment of the service are not stored at CTS but are processed exclusively by our commissioned payment service provider Novalnet AG. The legal basis for this processing is contract initiation and fulfillment in accordance with Article 6 Paragraph 1 lit b GDPR.

III. Data deletion and storage duration

The data is only stored for as long as it is necessary to fulfill the contract. The data will then be deleted. In addition, there may be statutory retention requirements, e.g. according to the Corporate Code (UGB) and the Federal Fiscal Code (BAO). After the statutory retention periods have expired, we will immediately delete your personal data from our databases (both digitally and physically).

IV. Transmission of data to processors

CTS uses third parties for processing, especially in the IT area. These process the data as so-called contract processors, i.e. on the basis of a written contract in accordance with Article 28 GDPR, in which the details of data processing on behalf of CTS are regulated and in which the contract processor undertakes to handle the data carefully. Such order processing exists, for example, when CTS stores data in an external data center. The processors are carefully selected by CTS, paying special attention to the suitability of the technical and organizational measures they have taken, and their compliance is checked. CTS generally processes the data in Austria and in the European Union.

V. Data transfer to third parties

We do not share personal information with third parties unless this is necessary for our legitimate business needs and the performance of a contract, and / or when required or permitted by law or professional standards. The necessary contact details are passed on to Nimbusec GmbH for the creation of the cyber risk rating required for the award of the label. This is necessary for the fulfillment of the contract. Reference is also made to the data protection declaration of Nimbusec GmbH.

VI. Data processing security

We use suitable technical and organizational security measures to protect your data against accidental or deliberate manipulation, partial or complete loss, destruction or against unauthorized access by third parties (e.g. TLS encryption for our website), taking into account the state of the art and implementation costs and the nature, scope, context and purpose of the processing as well as the existing risks of a data breach (including its probability and effects) for the data subject. Our security measures are continuously improved in line with technological developments.

VII. Your rights

You have the following rights vis-à-vis us regarding your personal data:

  • Right to information,
  • Right to correction or deletion,
  • Right to restriction of processing,
  • Right to object to processing,
  • Right to data portability.

You also have the right to lodge a complaint with the responsible supervisory authority (in Austria, the data protection authority based in Vienna). The data protection authority can be reached at the following address:

  • Austrian data protection authority
  • Barichgasse 40-42 1030 Vienna
  • Telefon: +43 1 52 152-0
  • E-Mail:
VIII. Update of the data protection declaration

We reserve the right to make changes to this data protection declaration at any time. The privacy policy is updated regularly, and all changes are published automatically.