Privacy Policy

DATA PROTECTION INFORMATION

1. OVERVIEW

The protection of your privacy when processing personal data and the security of this data is an important concern of the Christian Doppler Forschungsgesellschaft, Boltzmanngasse 20/1/3, 1090 Vienna; e-mail: office@cdg.ac.at, (hereinafter: CDG, "we"). We treat personal data and process it only in accordance with the applicable data protection regulations.

Our data protection information covers the following areas: 

• the use of our website,
• general contact via the contact details on our website,
• Using the CDG ePortal and setting up a user account,
• Processing of personal data in the context of funding,
• the registration for our newsletter,
• data processing via our suppliers and service providers,
• Your application to us and
• the assertion and defence of legal claims and the conduct of proceedings.

Our Privacy Policy does not apply to services offered by other companies or individuals, including products or websites displayed to you in search results, websites that may include CDG services, or other websites linked to our services. Our Privacy Policy does not cover the handling of information by other companies or organisations that advertise our services and may use cookies, pixel tags and other technologies to provide and offer relevant ads.

We want you, as a user of our services, to understand how we use information and what options you have to protect your data. As this is important, we ask you to read the following information carefully. If you have any questions, please feel free to contact us at datenschutz@cdg.ac.at

Our privacy policy explains in particular

• What data we collect and use, for what purpose and on what legal basis we do so;
• How long we process your data;
• To which recipients we disclose your data;
• What rights you have as a data subject.

2. DATA PROCESSING IN CONNECTION WITH THE USE OF THE WEBSITE

2.1. Data processing for displaying the website

When you visit our website, the following data is processed in order to display the website to you. This data processing is carried out in order to provide you with a service you have expressly requested - the website (Section 165 (3) of the Telekommunikationsgesetz, hereinafter: TKG):

• IP address
• Time and date
• URL
• User agent of the browser
  • Browser version
  • Operating system
  • Device type
• Referrer URL

You are not required to provide this data by law or contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide this data. We will not be able to show you the website if you do not provide us with the relevant data.

In addition, a technically necessary cookie is set to save your consent status (no consent / consent) and for session management:

We create log files in which we record the above-mentioned data. The log files are used to detect, and track cyberattacks or other unauthorised access. We process this data based on our legitimate interest in the security of our website (Article 6(1)(f) GDPR).

2.2. Data processing for embedded YouTube videos

We use the YouTube service (provided by Google LLC) to embed videos on our website. The embedded videos are provided by Google and data processing by YouTube (see https://policies.google.com/privacy) and the display of the videos only takes place after you have given your consent using the opt-in procedure (Section 163 (3) TKG in conjunction with Art 6 (1) (a) GDPR). This consent can be revoked at any time with effect for the future. The processing carried out up to that point will not become unlawful as a result of the revocation.

2.3. Data processing for analysis purposes

We use positions of the web analysis tool Matomo for analysis purposes. We will store and evaluate the pseudonymised information collected via this tool about your visits to our website and how you move around our website for analysis purposes in order to understand how visitors use our website so that we can make it even better and more intuitive.

The following data is processed for this purpose based on your consent (§ 165 TKG in conjunction with Art 6 (1) (a) GDPR): 

• IP address
• Time and date
• URL
• User ID
• Browser
• Operating system
• Screen resolution
• Location
• Language
• User agent of the browser
• Clicks
• Dwell time
• Referrer URL

The following cookies are set as part of the website usage analysis based on your consent:

You can revoke your consent at any time with effect for the future. The legality of the processing carried out up to that point is not affected by the revocation.

Matomo is used to collect pseudonymised usage data for our website. Matomo is hosted on a CDG server located in the EU, which means that no data is passed on to third parties.

3. DATA PROCESSING FOR GENERAL CONTACT VIA THE WEBSITE

If you contact us using the general contact details provided on the website, we will process your data (contact details and correspondence data) for the purpose for which you contacted us. 

For applications, please see point 10. 

For interested parties and (potential) business partners, we process the data for contract initiation, contract conclusion and contract processing (Art (1) (b) GDPR). If you contact us as an employee or other associated person of a corporate body with which we have a contractual relationship or with which such a relationship is to be initiated, we process your data to protect our legitimate interest in the initiation, conclusion and processing of contractual relationships with the corporate body for which you are acting (Art. 6 (1) (f) GDPR). The provision of data is not required by law. However, it is required for the conclusion or fulfilment of a contract. In the event of an upright contract with us, the corporate body for which you are acting is obliged to provide us with this data so that we can process the contractual relationship. We cannot process business enquiries if we do not have the necessary personal data (contact details and correspondence data). 

For other enquiries, we process your data to protect our legitimate interest in responding to enquiries and maintaining our contacts (Art 6 (1) (f) GDPR). You are not legally or contractually obliged to provide us with your data, nor are they required for the conclusion of a contract. You are not obliged to provide data to contact us. However, we will not be able to answer your enquiry if you do not provide us with the contact data required to answer it.

We provide information on the data processing that takes place within the scope of our contractual relationships in the data protection information attached to the respective contracts and in point 9 (Data processing suppliers and service providers).

4. DATA PROCESSING IN CONNECTION WITH THE USE OF THE CDG ePORTAL

4.1. Data processing for the presentation and use of the ePortal

When you visit our ePortal, the following data is processed in order to display the ePortal to you. This data processing is carried out in order to provide you with a service that you have expressly requested – the ePortal (Section 165 (3) of the German Telecommunications Act, hereinafter referred to as TKG):

• IP address
• Time and date
• URL
• User agent of the browser
  • Browser version
  • Operating system
  • Device type
• Referrer URL

You are neither legally nor contractually obliged to provide this data, nor is it necessary for the conclusion of a contract. You are not obliged to provide this data. We cannot display the ePortal to you if you do not provide us with the relevant data.

We create log files in which we log the above-mentioned data. The log files are used to detect and track cyberattacks or other unauthorised access. We process this data on the basis of our legitimate interest in the security of our ePortal (Art. 6 para. 1 lit f GDPR). Furthermore, a protocol is created for access to personal data that is processed automatically in the context of the funding process in order to fulfil our legal obligation in this regard in § 2d para. 1 no. 1 FOG (= Research Organisation Act, processing due to legal obligation, Art. 6 para. 1 lit c GDPR).

4.2. Data processing for the creation of a user account in the ePortal

When using the ePortal, the following data is processed for the purpose of creating a user account:

• First name and last name
• Contact details (email address, phone number)

You are not legally or contractually obliged to provide this data. However, you will not be able to use the ePortal's positions if you do not provide us with your first name, last name and email address. The phone number can be provided voluntarily.

After registration, the following additional data can be provided voluntarily:

• Date of birth
• Place of birth
• Researcher ID
• Title (before and after name)

4.3. Use of reCAPTCHA

In connection with the use of the ePortal, the use of reCAPTCHA is intended to prevent machines, computer programs or malware (e.g. bots) from registering via the ePortal registration and gaining access to our systems.

The following data is processed:

• Website that integrates reCAPTCHA
• User's IP address
• Date and time zone
• Referrer URL (the address of the website from which visitors come)
   
• Information about the operating system (Windows, Linux, iOS)
• If applicable, cookies
• Mouse movements and keyboard strokes
• Length of stay
• Settings of the user device (e.g. language settings, location, browser, etc.)

The processing of this data is technically necessary to enable secure use of the ePortal (Section 165 (3) TKG).

4.4. Duration of processing, storage period

We store the protocol data generated in connection with your visit to the ePortal and the data collected in connection with reCAPTCHA for the purpose of detecting and preventing unauthorised access and cyber attacks for as long as is necessary to detect unauthorised access and attacks. This processing is carried out to protect our legitimate interest in detecting and preventing unauthorised access and cyber attacks (Art. 6 (1) (f) GDPR).

4.5. Recipients of data in the context of the ePortal

In the context of the data processing activities described in points 4.1 to 4.3, data is disclosed to the following recipients (groups):

5. DATA PROCESSING IN THE CONNTEXT OF THE FUNDING PROCESS

The CDG (as funding body) processes personal data of the funding recipients, the Head of Laboratory/Head of Centre and the laboratory/centre staff in connection with the application for funding from potential funding recipients and in connection with the operation of a Christian Doppler Laboratory or Josef Ressel Centre by the funding recipient. The following information relates to personal data that either falls directly within the scope of the GDPR or is protected by the Data Protection Act.

5.1 Application for the establishment of a CD Laboratory/JR Centre

a. Initiation and conclusion of the funding contract with the funding recipient

As part of the application for funding, the following data of the funding recipient will be processed for the purpose of initiating and concluding the funding contract for a research unit to be established:

• Data on the ePortal user account
• Master data of the funding recipient
• Data on the research unit
• Data on commercial partners
• Information on the use of the honorarium for heading a research unit
• Information on other funding from the public purse received by the funding recipients
• Data on the budget, including personnel costs for laboratory/centre staff
• Data on research content, scientific proposal
• Data on excluded reviewers
• Documents uploaded by the funding recipients
   

Data from the funding contract

Information according to Art. 14 GDPR:

Furthermore, for the purpose of initiating and concluding the funding contract, it is determined through transparency portal queries in accordance with § 32 (5) TDBG 2012 and, if necessary, through queries with other funding agencies, whether the funding recipients or the Head of Laboratory/Head of Centre have received other funding or whether funding is intended to be granted. Some of this data is publicly accessible. Furthermore, in the case of non-university research institutions applying for funding, a query is made at the KSV. In this case, creditworthiness and contact data are processed to safeguard our legitimate interest in assessing the creditworthiness of applicants and to avoid defaults in the event of any recovery claims for funding (Art. 6 para. 1 lit f GDPR).
 

In addition to this data, the following data of the Head of Laboratory/Head of Centre will be processed for the purpose of initiating and concluding the funding contract:

• Name, academic title
• Gender
• Date of birth, place of birth
• Researcher ID
• Address, professional contact details of the Head of Laboratory/Head of Centre
• Period and extent of employment (at the research institution, in the CD Laboratory or JR Centre)
• If applicable, information on salary classification (Head of Laboratory endowed by the CDG)
• Data on payroll accounting, information on the commercial partner and any interdependencies with it
• Information on other publicly funded funding received by the head of the laboratory/centre
• Uploaded documents, including CVs if applicable
• data from the funding contract
• information on publications and citation databases

The processing of this data from funding recipients and the Head of Laboratory/Head of Centre is carried out on a contractual basis (Art. 6 para. 1 lit b GDPR and § 2g para. 1 no. 1 and para. 2 FOG). Although the provision of this data is not legally mandatory, it is necessary for the conclusion of the funding contract. Your application cannot be processed if the data marked as mandatory in the application form is not provided to us.

Information according to Art 14 GDPR: The following data of the other laboratory staff/centre staff will be processed for the purpose of initiating and concluding the funding contract:

• Classification in cost category
• Name, academic title
• Gender
• Period and extent of employment (at the research institution, in the CD Laboratory or JR Centre)
• Information on salary classification
• CVs
• Data for payroll accounting
• Information on publications and citation databases
   

The data are processed vis-à-vis the other laboratory/centre staff in order to safeguard the legitimate interest of the applicant in the processing of the application (Art. 6, para. 1, letter f of the GDPR in conjunction with § 2g, para. 1, no. 1, para. 2 and para. 4 of the Austrian Law on the Accounting of Organisations (FOG). The data are transmitted to us by the applicant/funding recipient. These are not, as a rule, data that are accessible to the public.

As part of the evaluation of the application, the data will also be passed on to the CDG committees.

For the purpose of the review, data will be submitted to external reviewers (selected according to their expertise) after the submission of a funding application, provided that the initial internal review has been successful. Data will be transferred to reviewers in third countries in accordance with the provisions of Chapter V of the GDPR.

Furthermore, the data from the application will also be forwarded to other funding institutions to check for any cumulation of funding. This transfer of data to CDG committees, external reviewers and other funding institutions is carried out vis-à-vis the Head of Centre on the basis of Art. 6 (1) (b) GDPR (in the case of § 2g (1) (1) FOG). In relation to the other laboratory/centre staff, the data are processed to protect the legitimate interests of the funding recipients in the processing of the application (Art. 6 para. 1 lit f GDPR in conjunction with § 2g para. 1 no. 1, para. 2 and para. 4 FOG).

b. Execution of the funding contract with the funding recipient

For the purposes of executing the funding contract and monitoring the proper use of the funding by the CDG, the following categories of data are processed:

• The categories of data already mentioned in point 5.1;
• Documentation data (in particular documentation of the awarding of funding, such as receipt of the funding application, reviews in preparation for the funding decision, reasons for the funding decision; documentation of controls or of the acceptance of the report on expenditure of funds, content summaries of research progress, publications and the use of research funds);
• Correspondence data, processing results generated by the funding agency itself (e.g. evaluation data and evaluation results; archiving of files).

The aforementioned processing of data from funding recipients and the Head of Laboratory/Head of Centre is carried out on a contractual basis (Art. 6 para. 1 lit b GDPR and § 2g para. 1 no. 1 and para. 2 FOG). With regard to the laboratory/centre staff, the data is processed to protect the legitimate interests of the funding recipients (Art. 6 para. 1 lit f GDPR in conjunction with § 2g para. 1 no. 1, para. 2 and para. 4 FOG).

If the funding recipients do not provide the personal data mentioned above, an ongoing funding contract cannot be continued and funding already granted must be repaid.

c. Duration of processing, storage period

The processing described in this section is carried out for the duration of the processing of the application and, in addition, for a period of ten years

• in the event of withdrawal or non-prosecution of the application or a negative decision, from the last contact (see Section 2g (1) (1) (a) FOG);
• in the event of the conclusion of a contract, from the end of the year in which the total Art. 89 funds were paid out (see § 2g para. 1 no. 1 lit b FOG).

d. Restriction of the rights of data subjects

For the processing operations pursuant to Section 2g (1) nos. 1 and 2 and (4) FOG, the right to erasure pursuant to Article 17 (3) (b) GDPR and the right to object pursuant to Article 21 (6) GDPR are excluded from the time of the attribution of Article 89 funds (see the definition in Section 2b no. 2 FOG) pursuant to Section 2g (5) FOG.

6. MEMBERS AND PARTNERS

For the purpose of initiating and processing a membership relationship of a company and its participation in a CD Laboratory or JR Centre, the following data of the company's representation on the CDG committees will be processed:

• Data on the company
• Name, academic title
• Position, proof of signature authority
• Address, professional contact details
• Data on the membership relationship
• Data on the CD Laboratory/JR Centre
• Data on participation in general assemblies
• Data on representation in the CDG committees (CDG Executive Board, Senate, Strategic Advisory Board)

The processing of this data is carried out to protect the legitimate interests of the member company and the CDG in the establishment and processing of the membership relationship (Art. 6 para. 1 lit f GDPR). The provision of this data is not legally mandatory, but it is necessary for the establishment of the membership relationship. Your application cannot be processed if the data to be indicated as mandatory directly in the application form is not provided to us.

The processing described in this point takes place for the duration of membership in the respective body and, in addition, for a maximum of the duration of membership of the CDG.

7. DATA PROCESSING DUE TO LEGAL OBLIGATIONS

In order to comply with legal obligations (Art. 6 (1) (c) GDPR), your data will be disclosed to the following recipients:
The processing of personal data is carried out for the purpose of fulfilling obligations imposed on the CDG by law (e.g. the 2013 Federal Budget Act in conjunction with the 2014 General Framework Directives, the Court of Auditors Act or EU regulations). In this context, data may be transferred to the State Financial Procurator, the Court of Auditors and also the European Union.
Personal data required for the fulfilment of legal requirements (such as data for reporting on the proper use of funding) will be provided to the Federal Ministry responsible for economic affairs and, if applicable, the Federal Ministry responsible for finance, the National Foundation for Research, Technology and Development and, in the event of an audit by the Austrian Court of Audit, the Austrian Court of Audit, in the context of fulfilling legal obligations within the meaning of Art. 6 (1) (c) GDPR, in particular on the basis of § 2h (2) FOG and § 8 (4) FoFinaG (= Research Funding Act).
Furthermore, personal data is transmitted to the federal ministry responsible for finance for processing in the context of the transparency database.

8. DATA PROCESSING IN CONNECTION WITH OUR NEWSLETTER

If you give us your consent, we will process your data for the purpose of sending you our newsletter, depending on the newsletter you have selected (Art 6 (1) (a) GDPR). For this purpose, we process your email address and the time of your registration for the respective newsletter.

You are not required to provide this data by law or contract, nor is it necessary for the conclusion of a contract. You are not obliged to provide this data. We cannot send you our newsletter if you do not provide us with the relevant data.

If you do not wish to provide this information, please do not subscribe to the newsletter. You can unsubscribe from the newsletter at any time at, for example on our website under "Unsubscribe from CDG newsletter" and in any newsletter we send by clicking on the link provided there, thereby revoking your consent with effect for the future. You can also contact us to withdraw your consent using the contact details provided at the beginning and end. 

8.1. Use of reCAPTCHA

The use of reCAPTCHA in connection with the newsletter is intended to prevent machines, computer programmes or malware (e.g. bots) from registering via the newsletter registration and gaining access to our systems.

The following data is processed:

• Website that integrates reCAPTCHA
• IP address of the user
• Date and time zone
• Referrer URL (the address of the website from which the visitors come)
• Information about the operating system (Windows, Linux, iOS)
• Cookies, if applicable
• Mouse movements and keyboard strokes
• Length of visit
• Settings of the user device (e.g. language settings, location, browser, etc.)

The processing of this data is technically necessary in order to enable secure newsletter registration (Section 165 (3) TKG.

9. DATA PROCESSING VIA OUR SUPPLIERS AND SERVICE PROVIDERS

We process data of our suppliers and service providers for the purpose of contract initiation, contract conclusion and contract fulfilment (Art 6 (1) (b) GDPR). If you contact us as an employee or other associated person of a corporate body with which we have a supplier/service provider contractual relationship or with which such a relationship is to be initiated, we process your data to protect our legitimate interest in the initiation, conclusion and processing of contractual relationships with the corporate body for which you are acting (Art. 6 (1) (f) GDPR). We process the following data for the purpose described above name, role/position in the company, professional contact data, correspondence data.

The provision of data is not required by law. However, it is necessary for the conclusion or fulfilment of a contract. In the event of an upright contract with us, the legal entity for which you are acting is obliged to provide us with this data so that we can process the contractual relationship. We cannot process business enquiries if we do not have the necessary personal data (contact details and correspondence data). 

10. DATA PROCESSING IN CONNECTION WITH JOB APPLICATIONS

As part of the processing and handling of applications, we process your application data on a pre-contractual basis regarding the conclusion of a service contract (Art 6 (1) (b) GDPR). The provision of your data is not required by law or contract but is necessary in order to determine the suitability of applicants. You send us your application documents voluntarily. Failure to provide your data from the application documents would mean that we would not be able to process your application. 

If you do not apply directly to us, but via one of our job advertisements on LinkedIn, we will receive your application data that you provide for the respective job advertisement from LinkedIn Ireland Unlimited Company. We only receive the data from LinkedIn that you provide to us via LinkedIn. LinkedIn is not a publicly accessible source of your data.

Special categories of data within the meaning of Art 9 GDPR are not required for the application process. If you send us such data, we will delete it immediately upon receipt or redact it from the application documents and not process it any further.

We process your application data for the duration of the application process. In addition, we process your data in the event that you are hired by us as part of the employment relationship.

If we do not hire you, we will process your application data for a period of seven months from the rejection of your application for the purpose of defence against claims in connection with the GlBG. The processing is carried out to protect our legitimate interests in the defence against (unjustified) claims (Art. 6 (1) (f) GDPR in conjunction with § 17 (1) (1) in conjunction with § 26 (1) in conjunction with § 29 (1) GlBG).

It is also possible that we may process your data for longer for the purpose of asserting or defending legal claims and conducting legal or official proceedings (see point 11).

11. DATA PROCESSING FOR THE ASSERTION AND DEFENCE OF CLAIMS AND FOR THE CONDUCT OF PROCEEDINGS

We process your data (potentially, if necessary, all within the scope of point 2 to 10 as well as data that we do not collect from you - see below) also for the purpose of the assertion, exercise or defence of legal claims and for the handling of proceedings before authorities and courts on the basis of our legitimate interest in the enforcement of our claims and in the defence against unjustified claims and in the efficient conduct of proceedings (Art 6 (1) (f) GDPR). 

Information according to Art 14 GDPR: We also collect your data from other sources for the purpose of asserting, exercising or defending legal claims and conducting proceedings before authorities and courts. The sources include, where necessary and available, your website or the website of your company, data from public registers (Central Register of Residents, Register of Companies, Land Register, Central Register of Associations, Edict File) and credit reference agencies. This data is only partially publicly accessible.

We process data required for the assertion, exercise or defence of legal claims for this purpose, depending on the circumstances of the individual case, for up to 30 years after the end of the business relationship or after the legal dispute or the event giving rise to the claim in question, in each case in accordance with the longest applicable limitation period. In the event of the assertion of data subject rights under the GDPR (for details, see point 15), we store the related data for three years from the last contact in connection with the assertion of a data subject right. In the event of official or judicial proceedings, we store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the legally binding conclusion of the proceedings (in line with the limitation period for judicature debts).
As part of the data processing described in this section, data is transmitted to the following recipients (groups): lawyers and, if necessary, authorities and courts for the purposes described above. The transmission is carried out to protect our legitimate interest in the assertion of and defence against legal claims (Art. 6 (1) (f) GDPR).

12. DATA FORWARDED BY US - RECIPIENTS

As a matter of principle, we do not pass on any personal data to companies, organisations or persons outside CDG. Should personal data be passed on, this will only take place in one of the following cases:

12.1. With your consent

We pass on personal data to companies, organisations or persons outside CDG if we have received your consent to do so. Consent can be revoked at any time with effect for the future.

12.2. For processing by other organisations

We make personal data available to our partners, other trusted companies or people who process it as processors (see also point d below). This is done based on a contract with the respective processor and by applying appropriate confidentiality and security measures.

12.3. For legal reasons

We will disclose personal data to companies, organisations or persons outside CDG if we can provide a legal basis for this in accordance with Art. 6 (1) GDPR, if we can assume in good faith that access to this data or its use, storage or disclosure is reasonably necessary to

• comply with applicable laws, regulations or legal proceedings or comply with an enforceable governmental order.
• enforce applicable terms of use, including investigating possible violations.
• detect, prevent or otherwise combat fraud, security flaws or technical problems.
• Protect the rights, property or safety of CDG, our users or the public from harm to the extent permitted or required by law.

12.4. Recipients of data

Within the framework of the measures described in points 2 to 11 data processing activities described in points 2 to 7, data is disclosed to the following recipients (groups):

• Hetzner Online GmbH: Hosting provider based in Germany (hosting takes place on servers in Germany). A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as this is a processor.
• plusserver GmbH: Cloud service provider based in Germany. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor.
• Sendinblue GmbH: Processor for newsletter dispatch based in Germany. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor.
• Security software provider to detect and prevent attacks on the website. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as this is a processor.
• Google Ireland Limited, based in Ireland: Provider for reCAPTCHA. A legal basis in accordance with Art. 6 GDPR is not required for the transfer, as it is a processor. However, personal data may also be transferred to the parent company Google LLC, based in the USA. The EU Commission has issued an adequacy decision for the USA in accordance with Article 45 GDPR (so-called "EU-US Data Privacy Framework"). Google LLC is certified according to the "EU-US Data Privacy Framework".
• Google LLC, based in the USA: Provider of the interface for embedded YouTube videos and platform operator of YouTube. The legal basis for the transfer is your consent. The EU Commission has issued an adequacy decision for this third country, which you can view here can access here. Google LLC is certified under the EU-U.S. Data Privacy Framework on which the EU Commission's adequacy decision is based. You can access the certification here.
• lawyers and, if necessary, authorities and courts for the purposes described above. The transfer is carried out to protect our legitimate interest in the assertion and defence of legal claims (Art 6 (1) (f) GDPR).
• Microsoft Corporation, based in the USA, purpose: Cloud service provider for Microsoft 365; for this third country there is an adequacy decision of the EU Commission, which you can find here which you can access here. Microsoft Corporation is certified under the EU-U.S. Data Privacy Framework on which the EU Commission's adequacy decision is based. You can access the certification here. A legal basis according to Art. 6 GDPR is not required for the transfer, as it is a processor.

In the context of the data processing activities described in points 4 to 8, in addition to the recipients already listed in these two points, data will be disclosed to the following recipients:

• Banks: for the purposes of bank transfers and liquidity checks; for bank transfers, the legal basis is the performance of a contract (Art 6 (1) (b) GDPR). For liquidity checks, CDG has a legitimate interest in checking the liquidity of contract partners (Art 6 (1) (f) GDPR).

13. DATA SECURITY

We make every effort to protect the CDG and our users from unauthorised access to or unauthorised modification, disclosure or destruction of data. In particular:

• We encrypt many of our services using SSL/TLS.
• Review our collection, storage and processing practices, including physical security measures, to protect against unauthorised access to systems.
• Restrict access to personal data to CDG employees and contractors who need to know the data in order to process it for us and who are subject to strict confidentiality obligations and who may face labour, administrative and/or criminal penalties if they fail to comply with these obligations.

14. DURATION OF PROCESSING AND STORAGE

We store the log data generated in connection with your website visit for the purpose of detecting and preventing unauthorised access and cyberattacks for as long as it is necessary to detect unauthorised access and attacks. This processing is carried out to protect our legitimate interest in detecting and preventing unauthorised access and cyberattacks (Art. 6 (1) (f) GDPR).

In connection with the analysis of website usage, we process your data based on your consent for a period of one year from the collection of the data, but for no longer than until you withdraw your consent. 

We process the data of interested parties who contact us using the contact details provided on the website for the duration of the respective correspondence. 

In the event of the conclusion of a contract (suppliers, service providers and from the general contact according to point 3), we process your data for the duration of the contract. Furthermore, we process data from receipts and accounting documents subject to retention for a period of seven years to fulfil our statutory retention obligations (§ 212 UGB and § 132 BAO; see the respective provision for the start of the period). 

If you order our newsletter and consent to data processing for the newsletter dispatch, we will process your data for this purpose until you withdraw your consent. 

For the duration of the processing of your data in the case of applications, please see the relevant explanations in point 10 above.

Depending on the circumstances of the individual case, we also process data required for the assertion, exercise or defence of legal claims for this purpose for up to 30 years after the end of the business relationship or after the event triggering the legal dispute or the claim in question, in each case in accordance with the longest applicable limitation period. In the event of the assertion of data subject rights under the GDPR (for details, see point 15), we store the associated data for three years from the last contact in connection with the assertion of a data subject right. In the event of official or judicial proceedings, we store your data for the duration of these proceedings and, depending on the subject matter and outcome of the proceedings, for up to a further 30 years from the legally binding conclusion of the proceedings (in accordance with the limitation period for judgement debts).

15. RIGHTS OF DATA SUBJECTS

Whenever you use our services, we endeavour to give you access to your personal data. If this data is incorrect, we will endeavour to give you the opportunity to update or delete it quickly. Please contact us in this regard at datenschutz@cdg.ac.at.

Due to the legal data protection regulations, you have extensive rights regarding your data. You can exercise these rights, for example, by sending an e-mail to datenschutz@cdg.ac.at and by post. These include in particular

a. Right to information

You have the right to request confirmation from CDG as to whether personal data concerning you is being processed. If this is the case, you have a right to information in accordance with Art. 15 GDPR. 

b. Right to rectification

You have the right to have your personal data corrected, supplemented or amended by CDG at any time. 

c. Right to data portability

You have a right to data portability in accordance with Art. 20 GDPR.

d. Right to cancellation

You have a right to erasure in accordance with Art. 17 GDPR.

e. Right to object

If we process your data on the basis of a legitimate interest, you have the right to object to the data processing in accordance with Art. 21 GDPR if there are reasons for this arising from your particular situation. These reasons must be weighed against the reasons in favour of data processing.

f. Right to restriction of processing

In accordance with Art. 18 GDPR, you have a right to restriction of processing if one of the conditions specified in Art. 18 GDPR is met.

16. RIGHT OF CANCELLATION

You can revoke your consent to the processing of your data in whole or in part at any time with effect for the future. Until the time of revocation, the processing of your data is lawful. To do so, please contact us at datenschutz@cdg.ac.at.

17. RIGHT TO LODGE A COMPLAINT WITH THE DATA PROTECTION AUTHORITY

You have the right to lodge a complaint with the Austrian Data Protection Authority or with another data protection supervisory authority in the EU, at your place of residence or work. 

18. CHANGES

Our privacy policy may change from time to time. Any changes to the privacy policy will be published by us on this page.

19. CONTACT DETAILS OF THE DATA PROTECTION OFFICER

KPMG Law - Buchberger Ettmayer Rechtsanwälte GmbH, 

available at: datenschutz@cdg.ac.at. 

Status: October 2024