Privacy Policy

This privacy policy provides information about the processing of personal data when visiting the website www.mwcc.eu in accordance with the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG). The legally binding version is the German one at /datenschutz/.

1. Controller

MWCC Markus Weigl Consulting & Coaching e.U.
Schlossgasse 30, 2100 Stetten, Austria
E-mail: mw@mwcc.eu · Phone: +43 664 210 29 81

No data protection officer has been appointed; there is no statutory obligation to do so.

2. Categories of data processed

2.1 Server logs (web hosting)

This website is hosted with World4You Internet Services GmbH, Hafenstraße 35, 4020 Linz, Austria (FN 244752 b). A Data Processing Agreement under Art. 28 GDPR is in place. Server logs (truncated IP, time, URL, referrer, browser, OS) are processed for operations and security; legal basis Art. 6(1)(f) GDPR; retention typically 14 days.

Note: E-mail correspondence under the @mwcc.eu domain is not processed by the web host but by Microsoft 365 / Exchange Online (see section 4).

2.2 Contact by e-mail, phone or contact form

When you contact us by e-mail, phone or the contact form on /en/contact/, we process the data you provide (name, contact details, optional organisation, message content, timestamps).

Processing chain for the contact form: input is transmitted via TLS to our web server at World4You; a PHP script on the same server processes the data and sends an e-mail to our @mwcc.eu mailbox. This e-mail is delivered via World4You mail transport and stored in our Microsoft 365 / Exchange Online mailbox (Microsoft Ireland, EU Data Boundary). No external form platform is involved.

Data processed: name, e-mail address, optional organisation, message text, truncated IP for spam protection. You receive an automatic confirmation e-mail.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual / contractual) and Art. 6(1)(f) GDPR (legitimate interest in handling your inquiry and spam protection).
Retention: until your matter is concluded, max. 6 months; if a contractual relationship follows, in line with statutory retention obligations (especially § 132 of the Austrian Federal Fiscal Code: 7 years).

2.3 Newsletter

For sign-up we collect only your e-mail address, via double opt-in (confirmation link). Additionally stored: timestamps of sign-up and confirmation, sign-up IP (proof of consent under Art. 7 GDPR).

Processing chain: the subscriber list is stored as a file on the World4You webspace. Confirmation and newsletter e-mails are dispatched via the hosting provider's mail transport (PHP mail() over World4You SMTP). No external bulk-mail service is used (no CleverReach, no Brevo, no Mailchimp).

Legal basis: Art. 6(1)(a) GDPR (consent).
Retention: until withdrawal; after unsubscribe the entry is marked "unsubscribed" and fully deleted after 12 months if no new sign-up occurs. Sign-up IP is deleted after 3 years.
Withdrawal: every newsletter e-mail includes a personal one-click unsubscribe link; alternatively a short note to mw@mwcc.eu. No open or click tracking.

2.4 Cookies and tracking

This website uses only technically necessary cookies. No consent under § 165(3) Austrian Telecommunications Act 2021 is required. No tracking cookies, no analytics cookies, no third-party cookies; no profiling, no web analytics, no social media plugins, no embedded videos or maps.

3. Web fonts

The fonts Cormorant Garamond and Mulish are hosted locally on our server (self-hosting, woff2 files under /assets/fonts/). No connection to Google Fonts, Adobe Fonts, Bunny Fonts or any other external font service.

4. Recipients and data processors

To provide this website and the associated communication, the following external providers are used. Where providers process personal data on our behalf, a Data Processing Agreement under Art. 28 GDPR is in place:

Web hosting: World4You Internet Services GmbH, Hafenstraße 35, 4020 Linz, Austria (FN 244752 b). Processes: server logs, contact-form and newsletter-form input, the newsletter subscriber file, backups, outgoing mails from the PHP backend. Servers located in Austria. Privacy policy: world4you.com/de/agb/datenschutz.

E-mail mailbox: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland. Processes incoming and outgoing e-mails of the mwcc.eu domain (e.g. mw@mwcc.eu, dao@mwcc.eu) as a Microsoft 365 mailbox (Exchange Online) and related metadata. Storage and processing within the Microsoft EU Data Boundary; narrowly scoped auxiliary services (e.g. global customer-requested support) may, in technically and contractually safeguarded cases, be performed outside the EU. The processor agreement is concluded via the Microsoft Products and Services Data Protection Addendum (DPA) incorporating the EU Standard Contractual Clauses (SCC, Commission Decision 2021/914) plus technical and organisational measures (encryption in transit and at rest, multi-factor authentication, audit logging). Microsoft is certified to ISO/IEC 27001, ISO/IEC 27018 and SOC 2 Type II, and listed under the EU–US Data Privacy Framework (Commission Adequacy Decision (EU) 2023/1795 of 10 July 2023). DPA: microsoft.com…DPA.

Telephony: Austrian mobile carrier. No call recording.

Accounting & tax: Engaged tax-advisory / audit firm (DPA in place). Only invoicing and tax-relevant data are transferred to comply with statutory obligations.

Disclosure to authorities only where required by law (fiscal authorities, law-enforcement authorities).

Should additional processors be added in the future (e.g. a cookie-less analytics tool, an external newsletter dispatch service), this privacy policy will be updated accordingly.

5. Third-country transfers

No active transfer of personal data to third countries outside the EU/EEA takes place. All processors listed above have their seat within the EU.

Theoretical residual access by US authorities to Microsoft 365 remains possible under the US CLOUD Act even where data are processed within the EU Data Boundary. This residual risk is safeguarded by the EU Standard Contractual Clauses anchored in the Microsoft DPA (Art. 46(2)(c) GDPR) and cumulatively by Microsoft Corporation's certification under the EU–US Data Privacy Framework (Art. 45 GDPR). Microsoft applies additional technical and organisational measures (Customer Lockbox, customer-key encryption with BYOK option, transparent government-request reports) to minimise and disclose such access.

6. External content; automated decision-making

No external content (videos, maps, social-media buttons, analytics, advertising networks) is embedded; no third-country transfers via embedded resources occur.

No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.

7. Your rights

You have the right to access (Art. 15), rectification (Art. 16), erasure (Art. 17, subject to statutory retention obligations), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21), as well as the right to withdraw any consent granted, with effect for the future. An informal message to mw@mwcc.eu is sufficient.

8. Right to lodge a complaint

If you consider that the processing infringes the GDPR, you may lodge a complaint with the Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna.

9. Data in the context of advisory or coaching engagements

Where an advisory or coaching engagement, a clarity day, a one-to-one sparring or a leadership retreat is entered into, additional data are processed for contractual performance (address, role, organisation, optional date of birth for retreat travel arrangements, voluntarily disclosed health indications). All conversation and advisory contents are subject to strict confidentiality — both professional (for the activity as life and social counsellor under § 119 of the Austrian Trade Act 1994) and contractual. Disclosure to third parties only with your explicit consent or where mandatory by law.

Image and audio recordings only with explicit written consent. Special categories of personal data (Art. 9 GDPR, in particular health or belief data) are processed exclusively for safe participation and only with your explicit consent; deletion after the end of participation, subject to statutory retention obligations.

10. Minors

The offers of this website are directed at executives, board members, managing directors, owners and similarly responsible persons — that is, adults aged 18 and over. No data of children or adolescents is intentionally collected or processed.

11. Data security

This website is served exclusively over HTTPS (TLS 1.2/1.3). HSTS (HTTP Strict Transport Security) is active with a two-year lifetime, includeSubDomains and preload preparation. Technical and organisational measures within the meaning of Art. 32 GDPR are implemented (access and authorisation controls, multi-factor authentication on management interfaces, restrictive Content Security Policy, regular backups, up-to-date software, segregated mail transport and storage paths).

12. Changes to this privacy policy

We reserve the right to update this privacy policy as the legal situation, processing activities or processors change. The version available on this page is the one in force.

As of .