Data protection


I.    Name and address of the Controller

The Controller as defined in the General Data Protection Regulation (GDPR) and other member states’ national data protection legislation, as well as other data protection regulations is:

University of Applied Arts Vienna
Oskar-Kokoschka-Platz 2
A-1010 Vienna
Email: info@uni-ak.ac.at
www.dieangewandte.at

Responsible for content
Managing Rector
Maria Zettler

Responsible for editing
Media Affairs and Communication

Isabella Pohl (Head of Department)
Email: isabella.pohl@uni-ak.ac.at

Bernadette Schmatzer
Email: bernadette.schmatzer@uni-ak.ac.at
 
 
Each institute, department or other facility of the University of Applied Arts Vienna is responsible for content and editing for its own website.

II.    Name and address of the Data Protection Officer

The Controller’s Data Protection Officer is:

Alexander Albrecht
Email: dsb@uni-ak.ac.at


III.    General information on data processing

1.    Scope of processing of personal data

We only collect and use the personal data of our users to the extent that this is necessary in order to provide a functional website, as well as our content and services. Our users’ personal data are generally collected and used only after the user has given their consent. However, in cases where it is not possible to obtain prior consent for practical reasons, data processing is permitted under the statutory regulations.

2.    Legal basis for processing of personal data

If we obtain consent from the data subject for processing procedures for their personal data, the legal basis is Article 6(1)(a) GDPR.
With regard to processing of personal data where this is necessary for the performance of a contract to which the data subject is party, the legal basis is Article 6(1)(b) GDPR. This also applies to processing procedures carried out in order to take steps prior to entering into a contract.
If the processing of personal data is necessary for compliance with a legal obligation that our organisation is subject to, the legal basis is Article 6(1)(c) GDPR.
In cases where processing is necessary in order to protect the vital interests of the data subject or of another natural person, the legal basis is Article 6(1)(d) GDPR.
If processing is necessary for the purposes of a legitimate interest pursued by our organisation or by a third party, and such an interest is not overridden by the interests or fundamental rights and freedoms of the data subject, the legal basis for processing is Article 6(1)(f) GDPR.

3.    Erasure of data and storage period

Data subjects’ personal data will be deleted or made unavailable as soon as the purpose for which they were stored no longer applies. In addition, data may be stored where this is provided for by European or national legislation under EU regulations, laws or other legislation that the Controller is subject to. Data will also be made unavailable or deleted if the storage period specified in the regulations mentioned above expires, unless continued storage of the data is necessary in order to enter into or perform a contract.

IV.    Provision of the website and creation of logfiles

1.    Description and scope of data processing

Whenever you visit our website, our system automatically records data and system information about the device used to access the site.
The following data are collected:

(1)    Information on the browser type and version
(2)    The operating system on the user’s device
(3)    The user’s internet service provider
(4)    The user’s IP address
(5)    Date and time of access
(6)    Websites from which the user’s system reaches our site
(7)    Websites accessed by the user’s system via our site

These data are also stored in the logfiles on our system. However, this does not apply to the user’s IP address or other data that enable the data to be associated with a particular user. These data are not stored together with other personal data of the user concerned.

2.    Legal basis for data processing

The legal basis for the temporary storage of data and logfiles is Article 6(1)(f) GDPR.

3.    Purpose of data processing

Temporary storage of the IP address on our system is necessary in order to display the website on the user’s device. To do this, the user’s IP address must be stored for the duration of their visit.

Storage of data in logfiles ensures that the website functions properly. We also use the data to optimise our website and safeguard the security of our IT systems. In this regard, data are not evaluated for marketing purposes.
These purposes also form the basis of our legitimate interest in data processing under Article 6(1)(f) GDPR.

4.    Storage period

The data are deleted as soon as they are no longer required for the purpose for which they were collected. Regarding the collection of data in order to provide the website, this is the case when the respective visit ends.
With regard to the storage of data in logfiles, this is the case after seven days at the latest. However, data may be stored beyond this period. In such cases, the user’s IP address will be deleted or anonymised, meaning that it can no longer be associated with the client where the website is accessed.

5.    Objection and erasure

The collection of data in order to provide the website, and the storage of data in logfiles, are essential for the proper operation of the website. Consequently, it is not possible for the user to object to such data collection and storage in logfiles.

V.    Use of cookies

a) Description and scope of data processing

Our website uses cookies, which are text files stored on the user’s device, either in or by the web browser. If a user visits a website, a cookie may be stored in the operating system on the user’s device. This cookie contains a sequence of characters that enable the browser to be uniquely identified when the website is accessed again.

We use cookies in order to make our website more user-friendly. Some elements of our website also require the browser displaying the site to be identifiable after moving to a different site.

The following data are stored and transferred in the cookies:

(1)    Language settings
(2)    Articles in a shopping cart
(3)    Login details

Our website also uses cookies that allow us to analyse users’ surfing behaviour.
The following data can be transferred by these cookies:

(1)    Search terms entered
(2)    Frequency of visits to the website
(3)    Use of website functions

User data collected in this way are pseudonymised by means of technical measures, meaning that the data can no longer be associated with the user who accesses the site. The data are not stored together with other users’ personal data.

Users are informed about the use of cookies for analytical purposes and referred to this Privacy Notice by means of a banner which is displayed when they visit our website. In this regard, information on how the storage of cookies can be blocked in the browser settings is also provided.

b) Legal basis for data processing

The legal basis for the processing of personal data by means of cookies is Article 6(1)(f) GDPR.

c) Purpose of data processing

The purpose of using essential cookies is to simplify use of the website for users. Some of the functions on our website cannot be provided without the use of cookies. For these functions, it is necessary that the browser is also identifiable after moving to a different site.

We require cookies for the following applications:

(1)    Shopping cart
(2)    Accepting language settings
(3)    Saving search terms

The user data collected with essential cookies are not used to create user profiles.

The purpose of using analytical cookies is to improve the quality of our website and content. Analytical cookies enable us to find out how our website is used, allowing us to constantly optimise the site.

These purposes also form the basis of our legitimate interest in processing personal data under Article 6(1)(f) GDPR.

d) Storage period, objection and erasure

Cookies are stored on the user’s device and transferred from the device to our website. Consequently, as the user, you have complete control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your web browser. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated on our website, it may not be possible to use the website’s full functionality.

VI.    Newsletter

1.    Description and scope of data processing

Users have the option of subscribing to a free newsletter on our website. When registering for the newsletter, the data are transferred to us from the registration form.
The following data are also collected during registration:

(1)    IP address of the device on which the website is accessed
(2)    Date and time of registration

Your consent to data processing is obtained during the registration process, and reference is made to this Privacy Notice.

No data are transferred to third parties in connection with data processing for the delivery of newsletters. The data are used solely for newsletter delivery.

2.    Legal basis for data processing

The legal basis for data processing after a user registers for the newsletter is the user’s consent in accordance with Article 6(1)(a) GDPR.

3.    Purpose of data processing

The user’s email address is collected in order to deliver the newsletter.
The purpose of collecting other personal data during the registration process is to prevent misuse of the services or of the email address provided.

4.    Storage period

The data are deleted as soon as they are no longer required for the purpose for which they were collected. This means that the user’s email address will be stored for as long as they subscribe to the newsletter.
Other personal data collected during the registration process are usually deleted after seven days.

5.    Objection and erasure

The user can cancel their newsletter subscription at any time. A link for this purpose can be found in each newsletter mail.
This enables the user to withdraw their consent to the storage of personal data collected during the registration process, unless erasure contravenes any contractual or statutory obligations.

VII.    Contact form and contact by email

1.    Description and scope of data processing

Our website includes a contact form that can be used to contact us electronically. If you use this form, the data you enter will be transferred to us and saved. This only refers to the data entered in the form.

When a message is sent, the following data are also saved:

(1)    The user’s IP address
(2)    Date and time that the message was sent

Your consent to data processing is obtained in the process of sending the message, and reference is made to this Privacy Notice.

Alternatively, we can be contacted using the email address provided. In this case, the user’s personal data transferred with the email will be saved.

No data are transferred to third parties in this regard. The data are used solely for processing the correspondence.

2.    Legal basis for data processing

The legal basis for data processing is the user’s consent in accordance with Article 6(1)(a) GDPR.

The legal basis for the processing of data transferred in the course of sending an email is Article 6(1)(f) GDPR. If the purpose of contact by email is to enter into a contract, Article 6(1)(b) GDPR represents an additional legal basis for processing.

3.    Purpose of data processing

The sole purpose of the processing of personal data from the contact form is to enable us to handle the correspondence. In the case of contact by email, this also constitutes the legitimate interest for which data processing is necessary.
The other personal data processed in the course of sending a message serve to prevent misuse of the contact form and safeguard the security of our IT systems.

4.    Storage period

The data are deleted as soon as they are no longer required for the purpose for which they were collected. For personal data entered in the contact form and those sent by email, this is the case when the correspondence with the user concerned ends. The correspondence is deemed to have ended when circumstances indicate that the matter in question has been fully clarified.

Other personal data collected in the course of sending a message are deleted after seven days at the latest.

5.    Objection and erasure

Users can withdraw their consent to the processing of their personal data at any time. If a user contacts us by email, they can object to the storage of their personal data at any time. In such cases, it will no longer be possible to continue the correspondence.

In this case, all personal data saved in the course of the correspondence will be deleted.

VIII.    Web analytics

1.    Scope of processing of personal data

Our website uses open source software to analyse users’ surfing behaviour. The software places a cookie on the user’s device (see above for further information on cookies). If individual pages on our website are displayed, the following data will be stored:

(1)    Two bytes of the IP address for the user’s system where the page is displayed
(2)    The page displayed
(3)    The website from which the user reached the displayed page (referrer)
(4)    The subpages reached from the displayed page
(5)    The time spent on the website
(6)    The frequency with which the website was displayed

The software only runs on our web servers. Users’ personal data are only stored on those servers. The data are not transferred to third parties.

The configuration of the software means that only two bytes of the IP address are saved (e.g. 192.168.xxx.xxx), and not the full IP address. As a result, the truncated IP address cannot be associated with the device on which the website is displayed.

2.    Legal basis for processing of personal data

The legal basis for the processing of personal data is Article 6(1)(f) GDPR.

3.    Purpose of data processing

The processing of users’ personal data enables us to analyse users’ surfing behaviour. Analysis of the data obtained allows us to compile information on the use of individual components of our website. This helps us to constantly improve our website and make it more user-friendly. These purposes also form the basis of our legitimate interest in data processing under Article 6(1)(f) GDPR. Anonymisation of IP addresses is sufficient to protect users’ interests in ensuring the protection of their personal data.

4.    Storage period

Data are deleted as soon as they are no longer required for the purpose for which they were collected.

5.    Objection and erasure

Cookies are stored on the user’s device and transferred from the device to our website. Consequently, as the user, you have complete control over the use of cookies. You can deactivate or restrict the transfer of cookies by changing the settings in your web browser. Stored cookies can be deleted at any time. This can also be done automatically. If cookies are deactivated on our website, it may not be possible to use the website’s full functionality.

IX.    Rights of data subjects

If your personal data are processed, you are classified as a data subject as defined in the GDPR, and you have the following rights as regards the Controller:

1.    Right of access

You have the right to request confirmation from the Controller as to whether we process personal data relating to you.

If such processing takes place, you can request details of the following information from the Controller:

(1)    The purposes of processing the personal data

(2)    The categories of personal data concerned

(3)    The recipients or categories of recipient to whom personal data relating to you have been or will be disclosed

(4)    The envisaged period for which personal data relating to you will be stored, or, if precise information on this cannot be provided, the criteria used to determine the storage period

(5)    The existence of the right to request from the Controller rectification or erasure of personal data relating to you or restriction of processing or to object to such processing

(6)    The right to lodge a complaint with a supervisory authority

(7)    Where the personal data are not collected from the data subject, any available information as to their source

(8)    The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether personal data relating to you are transferred to a third country or an international organisation. In this regard, you can request information on the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

This right of access may be restricted if the right is likely to prevent or seriously impair the achievement of research or statistical goals, and restriction of the right is necessary in order to achieve these goals.

2.    Right to rectification

If processed personal data relating to you are inaccurate or incomplete, you have the right to rectification and/or completion by the Controller. The Controller must carry out rectification without delay.
Your right to rectification may be restricted if the right is likely to prevent or seriously impair the achievement of research or statistical goals, and restriction of the right is necessary in order to achieve these goals.

3.    Right to restriction of processing

You have the right to request the restriction of processing of personal data relating to you if:

(1)    you contest the accuracy of the personal data relating to you, for a period that enables the Controller to verify the accuracy of the data

(2)    the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead

(3)    the Controller no longer needs the personal data for the purposes of the processing, but you require the data in order to establish, exercise or defend legal claims, or

(4)    you have objected to processing in accordance with Article 21(1) GDPR, pending verification as to whether the legitimate grounds of the Controller override your grounds.

If the processing of personal data relating to you has been restricted, the data will – with the exception of storage – only be processed with your consent or for the establishment, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a member state.

If processing has been restricted in accordance with the conditions above, you will be informed by the Controller before the restriction is lifted.

Your right to request the restriction of processing may be limited if doing so is likely to prevent or seriously impair the achievement of research or statistical goals, and limitation is necessary in order to achieve these goals.

4.    Right to erasure

a)    Obligation to erase data

You can request that the Controller erases personal data relating to you without undue delay. The Controller will be obliged to erase the data without undue delay where one of the following grounds applies:

(1)    The personal data relating to you are no longer required for the purpose for which they were originally collected or otherwise processed.

(2)    You withdraw your consent on which the processing was based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal ground for the processing.

(3)    You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2).

(4)    The personal data relating to you have been unlawfully processed.

(5)    The personal data relating to you must be erased in order to comply with a legal obligation in Union or member state law that the Controller is subject to.

(6)    The personal data relating to you have been collected in relation to the offer of information society services in accordance with Article 8(1) GDPR.

b)    Informing third parties

If the Controller has made the personal data relating to you public and is obliged to erase the personal data pursuant to Article 17(1) GDPR, the Controller – taking the available technology and the cost of implementation into account – will take reasonable steps, including technical measures, to inform controllers which are processing the data that you, as the data subject, have requested the erasure by these controllers of any links to, or copies or replications of, these data.

c)    Exceptions

The right to erasure does not apply where processing is necessary for:

(1)    exercising the right of freedom of expression and information
(2)    compliance with a legal obligation which requires processing under Union or member state law to which the Controller is subject or the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller
(3)    reasons of public interest in the area of public health in accordance with Article 9(2)(h) and (i) as well as Article 9(3) GDPR
(4)    archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR, if the right referred to in section a) above is likely to prevent or seriously impair the achievement of the objectives of this processing, or
(5)    the establishment, exercise or defence of legal claims.

5.    Right to be informed

If you have exercised the right to rectification, erasure or restriction of processing with the Controller, the Controller is obliged to communicate the rectification or erasure of data or restriction of processing to each recipient to which the personal data relating to you have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to request information about these recipients from the Controller.

6.    Right to data portability

You have the right to receive the personal data relating to you that you provided to the Controller, in a structured, commonly used and machine-readable format. You also have the right to transmit these data to another controller without hindrance from the controller that you provided the personal data to, where

(1)    processing is based on consent in accordance with Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract in accordance with Article 6(1)(b) GDPR, and
(2)    the processing is carried out by automated means.

When you exercise this right, you also have the right to have the personal data relating to you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7.    Right to object

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data relating to you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.

The Controller will no longer process the personal data unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.

If personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to processing of these data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you can exercise your right to object by automated means using technical specifications.

If personal data relating to you are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, you also have the right to object to this processing, on grounds relating to your particular situation.

Your right to object may be restricted if the right is likely to prevent or seriously impair the achievement of research or statistical goals, and restriction of the right is necessary in order to achieve these goals.

8.    Right to withdraw declaration of consent in accordance with data protection regulations

You have the right to withdraw your declaration of consent in accordance with data protection regulations at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of your consent prior to withdrawal.

9.    Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects that concern you, or has a similarly significant effect on you. This does not apply if the decision

(1)    is necessary for entering into or performing a contract between you and the Controller

(2)    is authorised by Union or member state law to which the Controller is subject and which also sets out suitable measures to safeguard your rights, freedoms and legitimate interests, or

(3)    is based on your explicit consent.

However, these decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures are in place to safeguard your rights, freedoms and legitimate interests.

In the cases referred to in points (1) and (3) above, the Controller must implement suitable measures to safeguard your rights, freedoms and legitimate interests, including, as a minimum, the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10.    Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you believe that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged must inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Article 78 GDPR.