PRIVACY POLICY

Information according to Art. 13 and 14 GDPR

 

1. Who we are and how you can reach us for questions:

The data controller in accordance with the General Data Protection Regulation (GDPR) is:
Univ.-Doz. Dr. Martin Brunner
1090 Wien, Borschkegasse 8b/E06
Tel: (+43/0) 1 40400 21470
Fax: (+43/0) 1 40400 16900
ethik-kom@meduniwien.ac.at

 

 

Data Protection Officer:
Mag. (FH) David Bachler
6020 Innsbruck, Innrain 43
Tel: (+43/0) 512 504-25443
Fax: (+43/0) 512 504-22295
david.bachler@tirol-kliniken.at

 

2. Our data processing activities - why and on what legal bases we process personal data:

 

2.1. General information:

We process personal data in compliance with the relevant data protection regulations, especially the General Data Protection Regulation (GDPR, Regulation [EU] 2016/679) and the Austrian Data Protection Act (DSG). Therefore, our processing is based on a legal basis (particularly in accordance with Article 6(1) (a) - (f) of the GDPR), which will be specified for each data processing activity below. All of our employees involved in processing are obligated to maintain the confidentiality of your data (data secrecy). No automated decision-making is carried out.

In principle, we collect personal data directly from the data subject. In individual cases, we collect and store personal data (especially name, contact information) based on correspondence with our customers and business partners, or from publicly available sources (e.g., telephone directories, websites, commercial registers) under the legal basis of Article 6(1)(f) of the GDPR (and therefore not directly from the data subject). This collection is carried out when it is necessary for the provision of our services, contact purposes, and administration, which also aligns with our legitimate interests.

 

2.2. Operation of our website:

With each access to our website (ethikkommission.at), your computer (end device) or browser automatically transmits certain information to enable the visit or operation of the website. This data is stored in the log files of our system:

  • IP address
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (page/content being accessed)
  • Access status/HTTP(S) status code
  • Browser and browser version
  • Operating system and its interface

Storage of this data along with other personal user data, personal analysis, or profiling does not occur.

Legal basis and purpose of data processing

The legal basis for processing the data and its temporary storage in log files is Art. 6(1)(f) of the GDPR. The temporary storage of the mentioned data by the system is necessary to deliver the website to the user's computer. The storage in log files is carried out to ensure the functionality of the website. Additionally, we use the data to optimize the website and ensure the security of our information technology systems, particularly to ensure the integrity, confidentiality, and availability of the data processed through our website. Our legitimate interest in data processing under Art. 6(1)(f) of the GDPR is also aligned with these purposes.


The duration of storage

The data will be deleted as soon as they are no longer necessary for the purpose of their collection. For data collected to provide the website, this is the case when the respective session is terminated. For data stored in log files, this occurs after a maximum of seven days, unless further processing is required for the investigation of a (suspected) attack.

Personal data collected and logged during the operation of the website will only be transmitted by us in the event of a (suspected) data security breach or a criminal act (e.g., disruption of the functionality of a computer system, unauthorized access to a computer system) for the purposes of investigation, prosecution, and enforcement of legal claims to third parties (especially experts and law enforcement authorities). Transmission of logged data to third parties may also occur if we are legally obligated or required to do so by a court decision.

Third-party websites

Our website contains hyperlinks to and from third-party websites, and those websites are independently responsible entities. When you follow a hyperlink to one of these websites, please note that we cannot assume any responsibility or guarantee for the content or privacy policies of third-party websites.

 

2.3 Use of cookies

Our website uses cookies. Cookies are small text files that are stored on your device by your browser. They are used to make our offerings more user-friendly, effective, and secure.

2.3.1 TYPO3 session cookie

During your visit to our website, a so-called "session cookie" is set. This cookie is named "fe_typo_user" and serves to uniquely identify your device during a browser session. This is necessary to enable certain functions of our website and to secure your session. This cookie does not store any personal data and will be automatically deleted after you close your browser.

The legal basis for using this cookie is Article 6(1)(f) of the GDPR. Our legitimate interest lies in the security and error-free functionality of our website.

2.3.2 Disabling cookies

You can prevent the storage of cookies by adjusting your browser software settings; however, we would like to point out that in this case, you may not be able to use all functions of our website to their full extent.

 

2.4. Provision of services as well as customer support and information in this context (sales and offering of our services as well as administration of these services):

We process personal data for the purposes of providing our services, customer support, and information, including internal documentation and administration. The legal bases for processing the data are the fulfillment of a contract or the performance of pre-contractual measures (Article 6(1)(b) of the GDPR), compliance with legal obligations (Article 6(1)(c) of the GDPR), and our legitimate interests (Article 6(1)(f) of the GDPR), especially interests in asserting or defending our own legal claims and internal administration within the company.

For the conclusion of a contract, the provision of certain personal data is legally or contractually required, and the respective data subject is obligated to provide it; otherwise, no contract (and therefore no service provision) is possible.

 

2.5. Job Applications:

We process data from applicants based on Article 6(1)(b) of the GDPR (pre-contractual measures) as well as Article 6(1)(f) of the GDPR for the purpose of conducting the application process and contacting the applicant.

If you apply for a job opening and no employment occurs, we store your personal data for six months from the end of the application process (deadline for asserting claims under §§ 15(1) and 29 of the Austrian Equal Treatment Act) based on Article 6(1)(f) of the GDPR. If the applicant gives consent in individual cases, we keep the specific application documents for an additional period of up to two years for reference.

If it's an unsolicited application, we process the application documents for a maximum of two years based on Article 6(1)(f) of the GDPR in order to contact the applicant for suitable positions. However, objections against this processing can be raised at any time without formalities.

For a contract to be concluded, it is necessary to provide proof of qualifications. In specific cases, depending on the requirements for a job placement, it may also be necessary to provide additional data (such as a criminal record certificate). If the required data is not provided, such an application cannot be considered. When we contact references provided by the applicant, data and information about a previous employment relationship can be collected from relevant third parties. In the event of an employment relationship being established, the application documents will be used for personnel administration purposes.

 

2.6. To whom do we transmit personal data?

We only transmit your personal data as necessary and only in the following cases - please also refer to the additional information in the individual usage scenarios:

  • With your consent
  • When using our SaaS (Software as a Service) solution ECS (Ethics Commission System) and digitally signing your PDFs, the following data is transmitted to ID-Austria for authentication using "Digitales Amt": Last name, first name, and date of birth.
  • For the processing of contractual relationships or to carry out pre-contractual measures
  • If legally required
  • To companies that support us in providing our services; these service providers act as data processors and are only allowed to process the data according to our instructions (as part of a data processing agreement)
  • When necessary to protect our legitimate interests (such as asserting, exercising, or defending legal claims) or those of a third party, and there is no reason to believe that you have an overriding, legitimate interest in not disclosing your data.

In the aforementioned cases, the following third parties may be involved: contract and business partners participating in delivery or services (e.g., logistics companies), banks (for payment processing), legal representatives, courts, business consultants/tax advisors, administrative authorities, self-governing bodies (social insurance providers), and insurance companies.

In principle, there is no intention to transmit personal data to recipients in third countries or international organizations. Such transmission may occur if an affected person or involved party is located in a third country (e.g., in the case of a customer headquartered outside the EU). If we transfer data to a country without adequate legal data protection, we ensure an appropriate level of protection by using suitable safeguards, such as appropriate contracts (standard contractual clauses) or binding corporate rules, or we rely on the exceptions provided for in the GDPR (consent, contract performance, establishment, exercise or defense of legal claims, overriding public interests, publication of personal data, or protection of the integrity of the data subjects). For a copy of the mentioned contractual guarantees, please contact us using the provided contact information.

In this context, we also want to point out that any data voluntarily published by users of our services (e.g., online comments on the website) are publicly accessible and potentially accessible worldwide.

 

2.7 Matomo

No cookie consent is needed because:

  • Tracking cookies are not used
  • The data is not used for any other purpose than analytics (compared to GA which uses it for other purposes and therefore always requires consent)
  • Visitors aren’t tracked across websites (compared to GA which does track visitors across many websites)
  • A user cannot be tracked across days within the same website (no user profiles can be generated when cookies are disabled)

 

3. How long do we store personal data?

Unless otherwise specified in the respective processing, we generally store personal data for as long as necessary to ensure the fulfillment of the stated purposes or as long as we are legally obligated to do so.

That means, regarding business letters, contracts, bookings, etc., according to § 212 (1) UGB and § 132 (1) BAO, we store data until the termination of the business relationship or until the expiration of the statutory limitation and retention periods applicable to us (in particular, at least 7 years to demonstrate compliance with tax, levy, and corporate law retention obligations); furthermore, data is stored until the conclusion of any legal disputes where the data is required as evidence. For services where claims for damages or other titles are asserted, data is stored for the necessary duration (between 3 and 30 years).

For inquiries (contacting us): Personal data voluntarily provided by you will be stored by us for the purpose of processing the associated request and record keeping (up to 3 years after completion or termination), unless a longer storage period is required for the purpose of fulfilling a legal obligation or asserting or defending legal claims.

 

4. Rights of the data subject

If the respective legally prescribed conditions are met, you can assert the following data subject rights:

  • Right to information: You can request confirmation of whether personal data concerning you is being processed and obtain information about this data and the details according to Article 15 of the GDPR.
  • Right to rectification: If we process incorrect or incomplete data about you, you have the right to have it corrected according to Article 16 of the GDPR.
  • Right to erasure: You have the right to have your personal data deleted if the conditions of Article 17 of the GDPR are met.
  • Right to restriction of processing: Article 18 of the GDPR grants you the right to restrict the processing of your data.
  • Right to data portability: According to Article 20 of the GDPR, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another data controller if the processing is based on consent (Article 6(1)(a)) or on a contract (Article 6(1)(b)) and is carried out by automated means.
  • If processing is based on legitimate interests (Article 6(1)(f) of the GDPR), you have the right, according to Article 21 of the GDPR, to object to the processing of your personal data for reasons arising from your particular situation. This right exists without restrictions in cases of direct marketing.
  • You can revoke any granted consent for the processing of personal data at any time. Please contact us for this purpose (see our contact details). The revocation of consent does not affect the lawfulness of processing based on consent before its withdrawal.
  • Right to lodge a complaint: You also have the right to lodge a complaint with the competent supervisory authority if you believe that the processing of personal data concerning you violates the GDPR or your data subject rights have been violated. You can contact the supervisory authority at your place of residence or the competent authority in Austria using the following contact address:

    Österreichische Datenschutzbehörde (DSB)
    Barichgasse 40-42, A-1030 Wien
    Phone: +43 1 52 152-0
    E-Mail: dsb@dsb.gv.at
    Web: www.dsb.gv.at

We kindly request that in cases where you were not entirely satisfied with our services, you first get in touch with us so that we have the opportunity to address any issues and rectify any potential mistakes.

 

5. Changes to our privacy policy

We consistently keep our privacy policy up to date and make adjustments as necessary. The current version of our privacy policy can be accessed at ethikkommission.at/datenschutz.

Status 24.05.2023