Privacy policy of Ernst & Young denkstatt GmbH

1. General

This Privacy Policy describes how Ernst & Young denkstatt GmbH, registered in the Commercial Register of the Commercial Court of Vienna under FN 294077 t with its registered office in Vienna and business address at Wagramer Straße 19, 1220 Vienna (hereinafter “EY denkstatt”, “we” or “us”) processes your personal data.

In this Privacy Notice, “EY denkstatt”, “EY”, “our”, “we” or “us” refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity, or to one or more of those member firms. The entities responsible for processing your data are one or more of the EY member firms listed here (see the list of EY member firms and their affiliates).

EY denkstatt processes personal data for various purposes. For example, we request it directly from you when you instruct us to do so. In addition, we obtain your personal data from publicly accessible sources. This Privacy Policy applies to all of the above scenarios.

Among other things, we process your personal data for the following purposes:

2. Name and contact details of the person responsible for data processing

If you have any questions regarding the processing of your personal data, please contact EY denkstatt’s data protection team, who will forward your request to the responsible employee or team within our organization. The data protection team can be reached using the following contact details:

Ernst & Young denkstatt GmbH

Wagramer Straße 19

1220 Vienna

E-mail: datenschutz@at.ey.com

3. What data is covered by this privacy policy?

In this privacy policy, “personal data” means any information relating to an individual who is directly or indirectly identifiable – in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Personal data also refers to one or more characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of a person.

4. Purposes of data processing

Visitors to our website https://denkstatt.at/ and marketing activities

Personal data that we collect about you when you visit our website is assigned to different categories.

Information that you transmit directly

We collect personal data that you have voluntarily provided to us via our website. This is the case, for example, when you fill out online forms to contact us. The information collected in this way may include the following information:

Our website also uses various social media plugins.

The purposes for which we process your personal data when you visit our website include:

The processing of personal data of visitors to our website is based on the following legal bases:

Service delivery

If you engage us to provide consulting services to you, we will collect and use personal data where we have a legitimate business reason in connection with those services.

As part of the provision of consulting services, we also process personal data of persons who are not direct clients of ours (e.g. employees, clients or suppliers of our clients).

Most of the personal data that we collect and use for the provision of our services is provided to us voluntarily by our clients (or is collected at the request of our clients). Therefore, if you are a client of EY denkstatt, it will be natural for you that we collect and use your personal data. This information may include the following:

Contact data in our customer relationship and marketing systems (hereinafter CRM systems)

We process personal data about contacts in our CRM systems (see below). These CRM systems support the marketing activities of EY denkstatt. The contacts stored in our CRM systems receive newsletters and marketing materials.

We process the following categories of personal data in our CRM systems:

We do not specifically collect sensitive data unless you provide us with such data (for example, special dietary requirements that reveal your religious affiliation or any food intolerances).

The processing of personal data of business contacts is based on the following legal bases:

5. Disclosure of personal data

EY member firms operate in more than 150 countries worldwide. Certain parts of the EY infrastructure, including the IT services provided to member firms, are centralized. In addition, all employees within the EY organization working on these matters must be able to access certain information when engagements span more than one jurisdiction. Therefore, your personal data will be transferred to, and stored at, a destination outside the country in which you are located. This includes countries outside the European Economic Area (EEA) and countries whose legislation does not necessarily provide an adequate level of protection with regard to the processing of personal data under EU or other laws.

We have taken appropriate security and legal precautions to ensure the security and integrity of personal data transferred within the EY organization. EY denkstatt and all member firms implement Binding Corporate Rules (BCRs) that enable the global transfer of personal data from the EEA within the EY organization in accordance with applicable European data protection laws. The BCRs require all EY member firms worldwide to apply the same standards for the protection of personal data.

To read our BCR, please click here.

Your personal data is also processed by service providers who support our internal processes. For more information, please read the following paragraph:

Service provider

We transmit or transfer the personal data we collect to third-party providers (and their subsidiaries and affiliates) if we commission them to support our internal processes. For example, we commission service providers with the provision, operation and support of our IT infrastructure (e.g. identity management, hosting, data analysis, back-ups, security and cloud storage services) and with the archiving and secure disposal of our files and documents in paper form.

As a matter of principle, we only work with service providers who ensure an adequate level of data protection, security and confidentiality and who comply with all applicable legal requirements for the transfer of personal data outside the country in which it was originally collected. For data collected in the EEA that relates to data subjects within the EEA, we require the use of an appropriate data transfer mechanism to comply with applicable legal requirements.

Involvement of service providers

As part of the execution of assignments, we may use network companies such as members of the global network of Ernst & Young companies (“EY members” – a list of the locations of EY members is available at www.ey.com) as well as selected service providers and IT service providers including external data storage (cloud services).

All service providers used to provide our services are obliged by EY denkstatt, if necessary, to comply with professional secrecy and data protection principles. If we use service providers outside the European Union to provide our services, an adequate level of data protection is ensured.

Please note that, if necessary, the following list of service providers and IT service providers may be amended.

Our service providers

We commission the following service providers to ensure the efficient execution of our orders:

d & e consulting GmbH: We commission this service provider to carry out various projects in the field of energy & energy efficiency. In addition to energy audits, this also includes energy monitoring, measure evaluations and decarbonization projects (including roadmaps). Various analysis and data management tools are used to implement these projects. We take appropriate measures to ensure that this third-party provider processes personal data in accordance with applicable data protection laws and our instructions.

Microsoft (Azure Cloud, Office365 Cloud): EY denkstatt uses Microsoft, based in Redmond (USA), and global data centers as a provider of comprehensive services in the field of cloud computing. Germany, the Netherlands and Ireland are used as the primary data centers for data storage.

Mailchimp: To perform certain business functions such as sending e-mails or marketing, we use the “Mailchimp” service provided by The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. The data you provide (e-mail address, name) is transferred to a Mailchimp server in the USA and stored there. Mailchimp uses this information for sending and statistical analysis on our behalf. Furthermore, Mailchimp may, according to its own information, use this data to optimize or improve its own services, e.g. for the technical optimization of the dispatch and presentation of the newsletter or for economic purposes in order to determine from which countries the recipients come. However, Mailchimp does not use the data to write to them itself or pass it on to third parties.

As Mailchimp is a provider in an insecure third country, we have concluded an order processing contract with the company in which the agreed standard contractual clauses of the European Commission are implemented. Mailchimp’s obligation to comply with the Standard Contractual Clauses (SCC) ensures that your data complies with European data protection standards even if it is transferred to and stored in third countries (such as the USA). Mailchimp undertakes to comply with the European level of data protection.

Vertec: We use the business software of Vertec GmbH, Mariahilfer Straße 101/1/23, 1060 Vienna, to manage our customers’ contact data. Vertec stores customers’ personal data, including name, position and email address. This data is processed for the purpose of customer management and the performance of our contractual obligations in accordance with Art. 6 para. 1 lit. b GDPR.

Matomo: Our website uses Matomo, an open source software for the statistical analysis of visitor access. Matomo uses cookies, which are stored on your computer and enable your use of the website to be analyzed. Your IP address is immediately anonymized, so that you remain anonymous as a user. The information generated by the cookie about your use of this website is not passed on to third parties.

You can prevent the use of cookies by selecting the appropriate settings in your browser software. However, we would like to point out that in this case you may not be able to use all the functions of our website to their full extent.

6. Duration of the storage of your personal data

We only store personal data for as long as it is necessary for the purposes described in section 4. Please note that the retention periods vary from country to country and are determined in accordance with local statutory and professional retention obligations.

In order to comply with our professional and legal requirements, assert, exercise or defend our legal rights and for archiving and tracking purposes, we need to retain information for an extended period of time.

The duration of the statutory retention periods may result, for example, from the following laws: WTBG, BAO, UGB, UStG, GewO. The retention periods vary in length, and in justified individual cases (e.g. preservation of evidence) the retention period may also be longer (e.g. for limitation periods of up to 30 years; whereby the regular limitation period is seven years). If the data concerned is subject to different retention periods, the longest retention period shall apply.

7. Your rights in relation to your personal data

You have the following rights in relation to the processing of your personal data:

If you have any questions or wish to assert your rights, please contact the data protection officer named by us in point 2.

8. Complaints

If you suspect that EY denkstatt may have violated data protection law or other laws, you can contact our data protection officer. They will investigate your complaint and inform you of the next steps.

In addition, you have the right to lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, or with the competent data protection supervisory authority.

9. Updating your personal data

We ensure that the personal data we store is always complete and correct. It is important that you inform us of any changes to your contact details or other personal data so that we always have the latest information about you. Please get in touch with your contact person or our data protection team.

10. Minors

Our website is not intended for use by minors under the age of 16. We do not knowingly collect, publish or sell the personal information of minors under the age of 16. If you are under the age of 16, please do not provide any personal data, even if you are asked to do so. If you believe that you have inadvertently provided personal information, please ask your parent or guardian to notify us and we will delete your personal information.

11. Cookies

Cookies are used on our website.

A cookie is a small file that can be stored on your computer when you visit a website. Basically, cookies are used to provide users with additional functions on a website. For example, they can be used to make it easier for you to navigate a website, enable you to continue using a website where you left it and/or save your preferences and settings when you visit the website again. Cookies cannot access, read or modify any other data on your computer.

Most of the cookies on our website are so-called session cookies. They are automatically deleted when you leave our website. Persistent cookies, on the other hand, remain on your computer until you delete them manually in your browser. We use persistent cookies to recognize you the next time you visit our website.

If you want to control cookies on your computer, you can select your browser settings so that you receive a notification when a website wants to store cookies. You can also block or delete cookies if they have already been stored on your computer. If you would like to know more about how to take these steps, please use the “Help” function in your browser.

If cookies are required to carry out the electronic communication process or to provide certain functions you have requested, we will store them.

Please note that blocking or deleting cookies may affect your online experience and prevent you from making full use of this website.

12. Safety

EY denkstatt protects the confidentiality and security of the information it collects in the course of its business activities. Access to this data is restricted and policies and procedures have been implemented to protect the information from loss, misuse and improper disclosure.

13. Other disclosures

EY denkstatt discloses your personal data in the following cases:

In particular, we would like to point out that in certain jurisdictions EY denkstatt is required by law to report suspicious transactions and other activities to the relevant regulatory authorities in the context of anti-money laundering, terrorist financing and insider trading or related laws. We are not legally permitted in all cases to inform you in advance or at all about the disclosure.

The recipients of personal data from third parties include, among others:

14. Social Media Websites

We use various social media platforms, for example for recruitment or marketing purposes. We use social media to provide information about our job vacancies and events, to present our services and to increase awareness of our brand.

EY denkstatt is responsible for the content that we publish via social media platforms, but not for the administration of the social media platforms (for example, for the creation of user statistics or the placement of cookies). By using the social media platforms, you undertake to comply with the legal and data protection provisions of the providers of these platforms. These providers collect personal data about you, including data about your use of the social media platforms, which is used to compile statistics and analyses. This includes, for example, a list of the pages you have visited, your “likes”, recent visits and posts you have published or posts that you found interesting.

If you wish to access this data or exercise any of your other rights (for example, the right to object to the processing of your data), you should contact the social media platform provider. Some social media platform providers provide EY denkstatt with aggregated data relevant to our websites, such as the number of “likes” clicked on in relation to our content or the number of posts, visitors to our websites, photos downloaded or links clicked on.

Social media plugins (e.g. “Like” and “Share” buttons)

We implement so-called plugins on our website. When you call up a web page that displays one or more of these buttons, your browser establishes a direct connection to the corresponding social network server and loads the buttons from there. At the same time, the social media operator is informed that the relevant page of the website has been accessed. We have no influence on what data is collected by the social media operators using the buttons. To avoid this, please log out of your social media accounts before visiting our website. Social media operators also use cookies, unless you have deactivated the acceptance and storage of cookies in your browser settings.

YouTube plugins

Our website uses plugins from the Google-operated video portal YouTube.

When you visit one of our websites that contains a YouTube plugin, a connection to the YouTube servers is established. The YouTube server receives information about which web pages you have visited.

If you are logged in to your YouTube account, you have the option of linking your browsing behavior directly to your personal profile. You can avoid this by logging out of your YouTube account. If you are not yet logged in to your YouTube account, you can click on a YouTube button to display the YouTube login screen and enter your access data.

For more information, see Google’s privacy policy.

LinkedIn plugins

Our website uses functions of the LinkedIn network. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA.

Each time one of our pages containing LinkedIn functions is accessed, a connection to LinkedIn servers is established. LinkedIn is informed that you have visited our website with your IP address. If you click on the LinkedIn ‘Recommend’ button and are logged into your LinkedIn account, LinkedIn is able to associate your visit to our website with you and your user account. We would like to point out that, as the provider of the pages, we have no knowledge of the content of the transmitted data or its use by LinkedIn.

Further information on this can be found in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy.

15. Changes to this privacy policy

We will update this Privacy Policy from time to time to reflect changes to our practices and services. When we make changes to this Privacy Statement, we will also change the date at the top of this statement to reflect the most recent update. If we make material changes to the way we collect, use and disclose personal information, we will notify you by placing a prominent notice of the changes on our website. We recommend that you visit this website from time to time to check for changes to this Privacy Policy.