ACONVEST GmbH’s data protection concept
Information security and management system
Version 1.0 | 20.05.2025
This policy governs the data protection-compliant processing of personal data and responsibilities within ACONVEST GmbH and is binding for the entire company and all its employees.
All employees are obliged to comply with this policy. In particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and
Content
1 Responsible Body
2 ACONVEST GmbH’s Motivation for Data Protection
3 Responsibilities and Data Protection Organization
4 Continuous Improvement of the Data Protection Management System
4.1 Training and Awareness Raising
4.1.1 Data Protection Training
4.1.3 Employee Awareness Raising
5 Data Protection Processes and Documentation
5.1 Risk Analysis for All Processing Activities
5.2 General Regulations for Contract Processing
5.3 Data Protection Officer
5.4 Technical Data Protection
6 Legal Framework
7 Web Publications
1 Responsible Party
Company Name: ACONVEST GmbH
Legal Representative: Dr. Sari Abwa
Address (Street, House Number): Saumgasse 20
Postal Code: 8010
City: Graz
Country: Austria
Telephone Number: +43 664 1050006
Email: abwa@aconvest.com
Business Purpose: Management Consulting
2 ACONVEST GmbH’s Motivation for Data Protection
ACONVEST GmbH’s primary goal is compliance with data protection regulations in accordance with EU and national law. ACONVEST GmbH attaches particular importance to the protection of data subjects’ rights and the implementation of data protection processes. ACONVEST GmbH wishes to process the personal data of customers, prospective customers, suppliers, employees, and other data subjects transparently and fairly.
Personal data will only be processed in the following ways:
Lawfully, fairly, and in a manner that is transparent to the data subject.
It has been collected for specified, explicit, and legitimate purposes and must not be further processed in a manner incompatible with those purposes.
It is factually accurate and updated where necessary.
Storage is limited to a reasonable amount of time for the data subject.
It will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
3 Responsibilities and Data Protection Organization
There is no obligation to appoint a data protection officer. Currently, data protection responsibilities are handled directly by the Managing Director, Mr. Sari Abwa.
4 Continuous improvement of the data protection management system
4.1 Training and awareness-raising
4.1.1 Data Protection Training
To continuously inform employees about data protection, this topic is included in the information security training and is taught by the Managing Director.
4.1.3 Raising Employee Awareness
To raise awareness among ACONVEST GmbH employees about data protection, all employees were personally committed to data protection. They confirmed this by signing the “Confidentiality Commitment” document..
5 Data Protection Processes and Documentation
5.1 Risk Analysis for All Processing Activities
The risk analysis for processing activities was conducted and documented in the Risk Management document as part of the TISAX risk analysis. The risk potential is evaluated once a year and checked for relevance.
Filing Location: ACONVEST GmbH’s ISMS
5.2 General Regulations on Data Processing
All data processors are registered and bound by contracts that specify the subject matter and duration of the processing, the type and purpose of the processing, the type of personal data, the categories of data subjects, and the obligations and rights of the controller.
The need to appoint a data protection officer was reviewed; the controller came to the following conclusion: No appointment is necessary.
The need to appoint a data protection officer is reviewed at the following frequency: annually..
5.4 Technical Data Protection
The technical and organizational measures at ACONVEST GmbH are part of the Privacy by design
Privacy by default
Risk analysis of the deployment (balancing the interests of the data subject and the controller)
The data protection officer/controller of ACONVEST GmbH is actively involved in the acquisition process
6 Legal Framework
The following laws apply directly to data protection:
General Data Protection Regulation (GDPR)
Data Protection Act (including the ePrivacy Regulation)
Further legal bases apply in conjunction with data protection laws:
Companies Code
General Civil Code
Telecommunications Act
Federal Act Against Unfair Competition
Principles for the Proper Maintenance and Storage of Books, Records, and Documents in Electronic Form and for Data Access
Income Tax Act
Further legal frameworks are listed in the Relevant Laws and Standards document, which is located in the ISMS of ACONVEST GmbH.
7 Web Fonts
Google Fonts
We process connection data and browser data with our processor Google Fonts, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, for the purpose of providing the fonts required by the web browser to display the website. This data is only processed for the duration required to select and transmit the fonts. The legal basis for data processing is the legitimate interest (absolute technical necessity to provide and deliver the “website” service you expressly requested by accessing it) in accordance with Art. 6 (1) (f) GDPR. To the extent that Google Fonts carries out further independent processing of the data, Google is solely responsible for this. Details can be found in the Google Fonts privacy policy and FAQ.
Font Awesome
We process connection data and browser data with our processor Fontawesome, Fonticons, Inc., 6 Porter Road, Apartment 3R, Cambridge, MA 02140, USA, for the purpose of providing the fonts required by the web browser to display the website. This data is only processed for the duration necessary to select and transmit the fonts. The legal basis for data processing is the legitimate interest (the absolute technical necessity to provide and deliver the “website” service you expressly requested by accessing the website) pursuant to Art. 6 (1) (f) GDPR. If Fontawesome carries out further independent processing of the data, Fontawesome is the sole controller. Details can be found in Fontawesome’s privacy policy..
Adobe Fonts
We process connection data and browser data with our processor Adobe Systems Software Ireland Limited for the purpose of providing the fonts required by the web browser to display the website. This data will only be processed for the time necessary to select and transmit the fonts. The legal basis for data processing is the legitimate interest (the absolute technical necessity to provide and deliver the “website” service you expressly requested by accessing it) pursuant to Art. 6 (1) (f) GDPR..
To the extent that Adobe Systems Software Ireland Limited carries out further independent processing of the data, Adobe Systems Software Ireland Limited is the sole controller. Details can be found in the Adobe Systems Software Ireland Limited privacy policy and FAQs. https://fonts.adobe.com.