Documents

Privacy Policy

DATA PROTECTION INFORMATION

1. OVERVIEW

The protection of your privacy when processing personal data and the security of this data is an important concern of the Christian Doppler Forschungsgesellschaft, Boltzmanngasse 20/1/3, 1090 Vienna; e-mail: office@cdg.ac.at, (hereinafter: CDG, "we"). We treat personal data and process it only in accordance with the applicable data protection regulations.

Our data protection information covers the following areas: 

  • the use of our website,
  • general contact via the contact details on our website,
  • the registration for our newsletter,
  • data processing via our suppliers and service providers,
  • Your application to us and
  • the assertion and defence of legal claims and the conduct of proceedings.

Our Privacy Policy does not apply to services offered by other companies or individuals, including products or websites displayed to you in search results, websites that may include CDG services, or other websites linked to our services. Our Privacy Policy does not cover the handling of information by other companies or organisations that advertise our services and may use cookies, pixel tags and other technologies to provide and offer relevant ads.

We want you, as a user of our services, to understand how we use information and what options you have to protect your data. As this is important, we ask you to read the following information carefully. If you have any questions, please feel free to contact us at datenschutz@cdg.ac.at

Our privacy policy explains in particular

  • What data we collect and use, for what purpose and on what legal basis we do so;
  • How long we process your data;
  • To which recipients we disclose your data;
  • What rights you have as a data subject.

2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

2.1. Data processing for displaying the website

When you visit our website, the following data is processed in order to display the website to you. This data processing is carried out in order to provide you with a service you have expressly requested - the website (Section 165 (3) of the Telekommunikationsgesetz, hereinafter: TKG):

  • IP address
  • Time and date
  • URL
  • User agent of the browser
    • Browser version
    • Operating system
    • Device type
  • Referrer URL

You are not required to provide this data by law or contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide this data. We will not be able to show you the website if you do not provide us with the relevant data.

In addition, a technically necessary cookie is set to save your consent status (no consent / consent) and for session management:

NamePosition (purpose of the cookie)Data categoriesStorage duration
fe_typo_user, staticfilecacheAssigns your browser to a session on the server. This only affects the content you see and is not analysed or processed by us.Session ID Session
CookieConsentSaves your consent to the use of cookiesNo consent / consent, in case of consent: Date of consent 1 year

We create log files in which we record the above-mentioned data. The log files are used to detect, and track cyberattacks or other unauthorised access. We process this data based on our legitimate interest in the security of our website (Article 6(1)(f) GDPR).

2.2. Data processing for embedded YouTube videos

We use the YouTube service (provided by Google LLC) to embed videos on our website. The embedded videos are provided by Google and data processing by YouTube (see https://policies.google.com/privacy) and the display of the videos only takes place after you have given your consent using the opt-in procedure (Section 163 (3) TKG in conjunction with Art 6 (1) (a) GDPR). This consent can be revoked at any time with effect for the future. The processing carried out up to that point will not become unlawful as a result of the revocation.

2.3. Data processing for analysis purposes

We use positions of the web analysis tool Matomo for analysis purposes. We will store and evaluate the pseudonymised information collected via this tool about your visits to our website and how you move around our website for analysis purposes in order to understand how visitors use our website so that we can make it even better and more intuitive.

The following data is processed for this purpose based on your consent (§ 165 TKG in conjunction with Art 6 (1) (a) GDPR): 

  • IP address
  • Time and date
  • URL
  • User ID
  • Browser
  • Operating system
  • Screen resolution
  • Location
  • Language
  • User agent of the browser
  • Clicks
  • Dwell time
  • Referrer URL

The following cookies are set as part of the website usage analysis based on your consent:

NamePosition (purpose of the cookie)Data categoriesStorage duration
_pk_idRecognition of the user.Visitor ID13 months
_pk_refUsed to store the information of the user's website of origin.Website of origin of the user6 months
_pk_ses, _pk_cvar, _pk_hsrShort-term cookie to store temporary data of the visit.Data on the use of the website30 minutes

You can revoke your consent at any time with effect for the future. The legality of the processing carried out up to that point is not affected by the revocation.

Matomo is used to collect pseudonymised usage data for our website. Matomo is hosted on a CDG server located in the EU, which means that no data is passed on to third parties.

3. DATA PROCESSING FOR GENERAL CONTACT VIA THE WEBSITE

If you contact us using the general contact details provided on the website, we will process your data (contact details and correspondence data) for the purpose for which you contacted us. 

For applications, please see point 6. 

For interested parties and (potential) business partners, we process the data for contract initiation, contract conclusion and contract processing (Art (1) (b) GDPR). If you contact us as an employee or other associated person of a corporate body with which we have a contractual relationship or with which such a relationship is to be initiated, we process your data to protect our legitimate interest in the initiation, conclusion and processing of contractual relationships with the corporate body for which you are acting (Art. 6 (1) (f) GDPR). The provision of data is not required by law. However, it is required for the conclusion or fulfilment of a contract. In the event of an upright contract with us, the corporate body for which you are acting is obliged to provide us with this data so that we can process the contractual relationship. We cannot process business enquiries if we do not have the necessary personal data (contact details and correspondence data). 

For other enquiries, we process your data to protect our legitimate interest in responding to enquiries and maintaining our contacts (Art 6 (1) (f) GDPR). You are not legally or contractually obliged to provide us with your data, nor are they required for the conclusion of a contract. You are not obliged to provide data to contact us. However, we will not be able to answer your enquiry if you do not provide us with the contact data required to answer it.

We provide information on the data processing that takes place within the scope of our contractual relationships in the data protection information attached to the respective contracts and in point 5 (Data processing suppliers and service providers).

4. DATA PROCESSING IN CONNECTION WITH OUR NEWSLETTER

If you give us your consent, we will process your data for the purpose of sending you our newsletter, depending on the newsletter you have selected (Art 6 (1) (a) GDPR). For this purpose, we process your email address and the time of your registration for the respective newsletter.

You are not required to provide this data by law or contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide this data. We cannot send you our newsletter if you do not provide us with the relevant data.

If you do not wish to provide this information, please do not subscribe to the newsletter. You can unsubscribe from the newsletter at any time at, for example on our website under "Unsubscribe from CDG newsletter" and in any newsletter we send by clicking on the link provided there, thereby revoking your consent with effect for the future. You can also contact us to withdraw your consent using the contact details provided at the beginning and end. 

4.1. Use of reCAPTCHA

The use of reCAPTCHA in connection with the newsletter is intended to prevent machines, computer programmes or malware (e.g. bots) from registering via the newsletter registration and gaining access to our systems.

The following data is processed:

  • Website that integrates reCAPTCHA
  • IP address of the user
  • Date and time zone
  • Referrer URL (the address of the website from which the visitors come)
  • Information about the operating system (Windows, Linux, iOS)
  • Cookies, if applicable
  • Mouse movements and keyboard strokes
  • Length of visit
  • Settings of the user device (e.g. language settings, location, browser, etc.)

The processing of this data is technically necessary in order to enable secure newsletter registration (Section 165 (3) TKG.

5. DATA PROCESSING VIA OUR SUPPLIERS AND SERVICE PROVIDERS

We process data of our suppliers and service providers for the purpose of contract initiation, contract conclusion and contract fulfilment (Art 6 (1) (b) GDPR). If you contact us as an employee or other associated person of a corporate body with which we have a supplier/service provider contractual relationship or with which such a relationship is to be initiated, we process your data to protect our legitimate interest in the initiation, conclusion and processing of contractual relationships with the corporate body for which you are acting (Art. 6 (1) (f) GDPR). We process the following data for the purpose described above name, role/position in the company, professional contact data, correspondence data.

The provision of data is not required by law. However, it is necessary for the conclusion or fulfilment of a contract. In the event of an upright contract with us, the legal entity for which you are acting is obliged to provide us with this data so that we can process the contractual relationship. We cannot process business enquiries if we do not have the necessary personal data (contact details and correspondence data). 

6. DATA PROCESSING IN CONNECTION WITH JOB APPLICATIONS

As part of the processing and handling of applications, we process your application data on a pre-contractual basis regarding the conclusion of a service contract (Art 6 (1) (b) GDPR). The provision of your data is not required by law or contract but is necessary in order to determine the suitability of applicants. You send us your application documents voluntarily. Failure to provide your data from the application documents would mean that we would not be able to process your application. 

If you do not apply directly to us, but via one of our job advertisements on LinkedIn, we will receive your application data that you provide for the respective job advertisement from LinkedIn Ireland Unlimited Company. We only receive the data from LinkedIn that you provide to us via LinkedIn. LinkedIn is not a publicly accessible source of your data.

Special categories of data within the meaning of Art 9 GDPR are not required for the application process. If you send us such data, we will delete it immediately upon receipt or redact it from the application documents and not process it any further.

We process your application data for the duration of the application process. In addition, we process your data in the event that you are hired by us as part of the employment relationship.

If we do not hire you, we will process your application data for a period of seven months from the rejection of your application for the purpose of defence against claims in connection with the GlBG. The processing is carried out to protect our legitimate interests in the defence against (unjustified) claims (Art. 6 (1) (f) GDPR in conjunction with § 17 (1) (1) in conjunction with § 26 (1) in conjunction with § 29 (1) GlBG).

It is also possible that we may process your data for longer for the purpose of asserting or defending legal claims and conducting legal or official proceedings (see point 7).

7. DATA PROCESSING FOR THE ASSERTION AND DEFENCE OF CLAIMS AND FOR THE CONDUCT OF PROCEEDINGS

We process your data (potentially, if necessary, all within the scope of point 2 to 5 as well as data that we do not collect from you - see below) also for the purpose of the assertion, exercise or defence of legal claims and for the handling of proceedings before authorities and courts on the basis of our legitimate interest in the enforcement of our claims and in the defence against unjustified claims and in the efficient conduct of proceedings (Art 6 (1) (f) GDPR). 

Information according to Art 14 GDPR: We also collect your data from other sources for the purpose of asserting, exercising or defending legal claims and conducting proceedings before authorities and courts. The sources include, where necessary and available, your website or the website of your company, data from public registers (Central Register of Residents, Register of Companies, Land Register, Central Register of Associations, Edict File) and credit reference agencies. This data is only partially publicly accessible.

8. DATA FORWARDED BY US - RECIPIENTS

As a matter of principle, we do not pass on any personal data to companies, organisations or persons outside CDG. Should personal data be passed on, this will only take place in one of the following cases:

8.1. With your consent

We pass on personal data to companies, organisations or persons outside CDG if we have received your consent to do so. Consent can be revoked at any time with effect for the future.

8.2. For processing by other organisations

We make personal data available to our partners, other trusted companies or people who process it as processors (see also point d below). This is done based on a contract with the respective processor and by applying appropriate confidentiality and security measures.

8.3. For legal reasons

We will disclose personal data to companies, organisations or persons outside CDG if we can provide a legal basis for this in accordance with Art. 6 (1) GDPR, if we can assume in good faith that access to this data or its use, storage or disclosure is reasonably necessary to

  • comply with applicable laws, regulations or legal proceedings or comply with an enforceable governmental order.
  • enforce applicable terms of use, including investigating possible violations.
  • detect, prevent or otherwise combat fraud, security flaws or technical problems.
  • Protect the rights, property or safety of CDG, our users or the public from harm to the extent permitted or required by law.

8.4. Recipients of data

Within the framework of the measures described in points 2 to 7 data processing activities described in points 2 to 7, data is disclosed to the following recipients (groups):

  • Hetzner Online GmbH: Hosting provider based in Germany (hosting takes place on servers in Germany). A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as this is a processor.
  • plusserver GmbH: Cloud service provider based in Germany. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor.
  • Sendinblue GmbH: Processor for newsletter dispatch based in Germany. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor.
  • Security software provider to detect and prevent attacks on the website. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as this is a processor.
  • Google Ireland Limited, based in Ireland: Provider for reCAPTCHA. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor. However, personal data may also be transferred to the parent company Google LLC, based in the USA. The EU Commission has issued an adequacy decision for the USA in accordance with Article 45 GDPR (so-called "EU-US Data Privacy Framework"). Google LLC is certified according to the "EU-US Data Privacy Framework".
  • Google LLC, based in the USA: Provider of the interface for embedded YouTube videos and platform operator of YouTube. The legal basis for the transfer is your consent. The EU Commission has issued an adequacy decision for this third country, which you can view here can access here. Google LLC is certified under the EU-U.S. Data Privacy Framework on which the EU Commission's adequacy decision is based. You can access the certification here
  • lawyers and, if necessary, authorities and courts for the purposes described above. The transfer is carried out to protect our legitimate interest in the assertion and defence of legal claims (Art 6 (1) (f) GDPR).
  • Microsoft Corporation, based in the USA, purpose: Cloud service provider for Microsoft 365; for this third country there is an adequacy decision of the EU Commission, which you can find here which you can access here. Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework on which the EU Commission's adequacy decision is based. You can access the certification here. A legal basis according to Art. 6 GDPR is not required for the transfer, as it is a processor.

9. DATA SECURITY

We make every effort to protect the CDG and our users from unauthorised access to or unauthorised modification, disclosure or destruction of data. In particular:

  • We encrypt many of our services using SSL/TLS.
  • Review our collection, storage and processing practices, including physical security measures, to protect against unauthorised access to systems.
  • Restrict access to personal data to CDG employees and contractors who need to know the data in order to process it for us and who are subject to strict confidentiality obligations and who may face labour, administrative and/or criminal penalties if they fail to comply with these obligations.

10. DURATION OF PROCESSING AND STORAGE

We store the log data generated in connection with your website visit for the purpose of detecting and preventing unauthorised access and cyberattacks for as long as it is necessary to detect unauthorised access and attacks. This processing is carried out to protect our legitimate interest in detecting and preventing unauthorised access and cyberattacks (Art. 6 (1) (f) GDPR).

In connection with the analysis of website usage, we process your data based on your consent for a period of one year from the collection of the data, but for no longer than until you withdraw your consent. 

We process the data of interested parties who contact us using the contact details provided on the website for the duration of the respective correspondence. 

In the event of the conclusion of a contract (suppliers, service providers and from the general contact according to point 3), we process your data for the duration of the contract. Furthermore, we process data from receipts and accounting documents subject to retention for a period of seven years to fulfil our statutory retention obligations (§ 212 UGB and § 132 BAO; see the respective provision for the start of the period). 

If you order our newsletter and consent to data processing for the newsletter dispatch, we will process your data for this purpose until you withdraw your consent. 

For the duration of the processing of your data in the case of applications, please see the relevant explanations in point 6 above.

Depending on the circumstances of the individual case, we also process data required for the assertion, exercise or defence of legal claims for this purpose for up to 30 years after the end of the business relationship or after the event triggering the legal dispute or the claim in question, in each case in accordance with the longest applicable limitation period. In the event of the assertion of data subject rights under the GDPR (for details, see point 11), we store the associated data for three years from the last contact in connection with the assertion of a data subject right. In the event of official or judicial proceedings, we store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the legally binding conclusion of the proceedings (in accordance with the limitation period for judgement debts).

11. RIGHTS OF DATA SUBJECTS

Whenever you use our services, we endeavour to give you access to your personal data. If this data is incorrect, we will endeavour to give you the opportunity to update or delete it quickly. Please contact us in this regard at datenschutz@cdg.ac.at.

Due to the legal data protection regulations, you have extensive rights regarding your data. You can exercise these rights, for example, by sending an e-mail to datenschutz@cdg.ac.at and by post. These include in particular

a. Right to information

You have the right to request confirmation from CDG as to whether personal data concerning you is being processed. If this is the case, you have a right to information in accordance with Art. 15 GDPR. 

b. Right to rectification

You have the right to have your personal data corrected, supplemented or amended by CDG at any time. 

c. Right to data portability

You have a right to data portability in accordance with Art. 20 GDPR.

d. Right to cancellation

You have a right to erasure in accordance with Art. 17 GDPR.

e. Right to object

If we process your data on the basis of a legitimate interest, you have the right to object to the data processing in accordance with Art. 21 GDPR if there are reasons for this arising from your particular situation. These reasons must be weighed against the reasons in favour of data processing.

f. Right to restriction of processing

In accordance with Art. 18 GDPR, you have a right to restriction of processing if one of the conditions specified in Art. 18 GDPR is met.

12. RIGHT OF CANCELLATION

You can revoke your consent to the processing of your data in whole or in part at any time with effect for the future. Until the time of revocation, the processing of your data is lawful. To do so, please contact us at datenschutz@cdg.ac.at.

13. RIGHT TO LODGE A COMPLAINT WITH THE DATA PROTECTION AUTHORITY

You have the right to lodge a complaint with the Austrian Data Protection Authority or with another data protection supervisory authority in the EU, at your place of residence or work. 

14. CHANGES

Our privacy policy may change from time to time. Any changes to the privacy policy will be published by us on this page.

15. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

KPMG Law - Buchberger Ettmayer Rechtsanwälte GmbH, 

available at: datenschutz@cdg.ac.at. 

Status: July 2024

Christian Doppler Forschungsgesellschaft

Boltzmanngasse 20/1/3 | 1090 Wien | Tel: +43 1 5042205 | Fax: +43 1 5042205-20 | office@cdg.ac.at

© 2020 Christian Doppler Forschungsgesellschaft