Data protection statement

§ 1 Controller and scope

The controller according to the General Data Protection Regulation (GDPR) and other national data protection acts of member states as well as other statutory data protection regulations is:

University of Vienna
Universitätsring 1
1010 Wien
E-mail: dsba@univie.ac.at
Website: univie.ac.at

This Data Protection Declaration applies to all websites of the University of Vienna available under the domains reconnectchina.univie.ac.at, reconnectchinaaccount.univie.ac.at as well as the associated subdomains (henceforth “our websites” or “web presence”). In addition, it applies to the data processing activities specified below.

§ 2 Data protection officer and contact persons

The controller has authorised the following external data protection officers:

Daniel Stanonik and Karsten Kinast, representing each other alternately

For requests regarding the ReConnect China website, such as requests to exercise your right to information, right to erasure, etc., please directly contact the account team via reconnectchinaaccount.ostasienwissenschaften@univie.ac.at, which will handle your request and relay it to the data protection officer if necessary.

If the rights of data subjects according to section 13 of this Data Protection Declaration (e.g. right to information, right to erasure, etc.) are asserted, the relevant requests or applications can also be sent to dsba@univie.ac.at or via mail to:

University of Vienna
Data protection officer of the University of Vienna
Universitätsring 1
1010 Wien

§ 3 What are personal data?

Personal data is individual information concerning personal or material details of an identified or identifiable natural person (data subject). These include, for example, information, such as your name, address, telephone number, date of birth and e-mail address. Information that cannot be linked to your person (or only involving a disproportionate effort), such as anonymised information, is not considered personal data.

§ 4 General information about data processing

a) Scope

As a general principle, we collect and use personal data of our users only to the extent that is necessary for carrying out the relevant data processing activity. We use your personal data to provide information, products and desired services offered by the University, to answer your questions, to fulfil our legal mandate and statutory obligations, as well as to operate and improve our websites and applications.

We collect and use personal data of our users only based on a relevant legal foundation in accordance with the GDPR, e.g. only if the individual user has given their consent. Further details regarding the individual consents granted are specified in section 7 of this Data Protection Declaration under the respective processing activity.

Your personal data will not be used for any other purpose. Your personal data will not be transferred to third parties or used, for example, for advertising purposes without your consent, except in the cases specified below, and unless we are required by law to disclose the data.

b) Legal basis

Where processing is subject to the data subject's consent to the processing of their personal data, the legal basis for the processing is article 6, para. 1, sub-para. a of the EU General Data Protection Regulation (GDPR). If the processing of personal data is necessary to perform a contract to which the data subject is a party, article 6, para. 1, sub-para. b of the GDPR provides the legal basis. This also applies to processing activities that are necessary to take necessary steps prior to entering into a contact. Where processing of personal data is necessary for compliance with a legal obligation to which the University of Vienna is subject, article 6, para. 1, sub-para. c of the GDPR provides the legal basis.

If the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, article 6, para. 1, sub-para. d of the GDPR provides the legal basis. If the processing is necessary for the purposes of the legitimate interests pursued by the University of Vienna or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, article 6, para. 1, sub-para. f of the GDPR provides the legal basis for the processing activity.

If the University of Vienna processes personal data for academic and research purposes, the University of Vienna reserves the right to use suitable provisions specified in the Forschungsorganisationsgesetz (Austrian research organisation act, FOG) as a legal basis in addition to the legal foundations specified above. This also applies in connection with a declaration of consent (broad consent) with regard to the special provisions pursuant to section 2d, para. 3 of the FOG.

c) Erasure of data and storage period

Personal data of the data subject will be erased or blocked as soon as the purpose of the processing activity has been fulfilled. Furthermore, data may also be stored if specified by the European or national legislative authority in Union law regulations, laws, or other regulations to which the controller is subject. Personal data will also be erased or blocked when a storage period stipulated by one of the norms listed above expires, unless it is necessary to further store the data for the purpose of concluding or executing a contract.

d) Transfer of data to third countries

We do not transfer any personal data to third countries unless we expressly inform you about this. In this case, the transfer of personal data to third countries takes place in accordance with articles 45 and 46 of the GDPR. In the absence of an adequacy decision by the European Commission, standard protection clauses adopted in accordance with article 46 of the GDPR guarantee an adequate level of protection. In individual cases, we will also obtain your consent for the transfer of personal data to third countries. In this case, it is our obligation to inform you that the level of data protection in third countries might not be comparable to that in the European Union. This poses a risk to your personal data since they may be accessed, in particular, by public authorities which are not subject to the legal protection mechanisms applicable within the European Union.

§ 5 Transfer of data to third countries during professorial appointment procedures, habilitation procedures or similar procedures

During a professorial appointment procedure, habilitation procedure or similar procedure (e.g. doctoral procedure), your personal data are transferred to external reviewers who may be located in third countries outside the European Union or the European Economic Area. These third countries may have a lower statutory level of data protection. However, we have to transfer your personal data to allow for a review of your documents. The processing of your personal data is based on article 6, para. 1, sub-para. c of the GDPR and section 2g of the Austrian Forschungsorganisationsgesetz (research organisation act, FOG). The transfer of data is permissible according to article 49, para. 1, sub-para. b and sub-para. c of the GDPR as well as with to article 49, para. 1, sub-para. d of the GDPR.

§ 6 Processing of event photographs

We organise different events, such as lectures, conferences and similar events, also outside of regular teaching hours. During these events, we may take photographs or make video recordings of the event participants. We use and process these photographs/videos to present the event, offline and/or online (e.g. in magazines, on social media or on websites).

The legal basis for the data processing specified above is determined in article 6, para. 1, sub-para. f of the GDPR and section 12, para. 2, sub-para. 4 of the Austrian Data Protection Act (Datenschutzgesetz, DSG). The processing of the data specified above is necessary for the presentation of the events. Therefore, it serves the purposes of the legitimate interests pursued by the University of Vienna. Where necessary, we will obtain your consent to the processing of your photographs (article 6, para. 1, sub-para. 1 of the GDPR).

The University of Vienna erases photographs and videos as soon as they are no longer required for a legitimate interest to present the relevant event. This may be the case, for example, if the University does not have to advertise the event any longer because there will be no follow-up event.

§ 7 Individual processing activities

If you wish to use services provided by us, such as our text search, account management, etc., you have to provide further data. For further details see the description of specific data processing activities below. In particular, personal data are used as follows:

a) Registration/user account

Some activities on the website may require user registration and subsequent login. In the process of registration, your E-Mail address will be processed and stored to serve as a unique username on the website, to be used in conjunction with a password for login. The legal basis for the processing of this data is article 6, para. 1, sub-para. b, with the E-Mail address being necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Registration data is stored for the sole purpose of user account management and will not be shared with third parties.

After users have entered the required data in an input mask, the data are transferred to and stored by the University of Vienna. We will not transfer your personal data to third parties. The following data are collected during the registration process and will be erased after no more than 30 days:

• IP address of the calling computer
• Date and time of access
• Name and URL of the retrieved file
• Volume of data transmitted
• Message whether the request was successful
• Identification data of the accessing browser as well as operating system Website from which the user accessed the service

The following data is be collected upon registration and will be kept until the account is deleted:

• A random ID,
• E-mail address,
• Creation date of the account,
• whether or not the E-Mail has been verified,
• the date and time when the terms and conditions were accepted.

If the relevant data are necessary for the performance of a contract or to take necessary steps prior to entering into a contract, early erasure of these data is only possible if no contractual or statutory obligations prohibit it.

b) Provision of websites and creating log files

For every visit to our websites, our system automatically records data and information about the computer system of the calling computer. The following data are collected:

• IP address of the calling computer
• Date and time of access
• Name and URL of the retrieved file
• Volume of data transmitted
• Message whether the request was successful
• Identification data of the accessing browser as well as operating system
• Website from which the user accessed the service

The log files contain IP addresses or other data that can be linked to a specific user. For example, this could be the case when the link to the website from which the user is accessing the University’s website or the link to the website to which the user is switching contains personal data.

Also these data are recorded in the log files of your system. They are not stored together with other personal data of the user.

The legal basis for the temporary storage of the relevant personal data and the log files is article 6, para. 1, sub-para. f of the GDPR.

The storage of personal data in log files is necessary to ensure the functionality of the website. Furthermore, these data help us to optimise the website and ensure the security of our IT systems. The data will not be analysed for marketing purposes.

These purposes also constitute our legitimate interest in the data processing according to article 6, para. 1, sub-para. f of the GDPR.

The data will be erased as soon as their collection no longer serves the fulfilment of their purpose, at the latest after 30 days. The collection of these data for the provision of the website is essential for operating the website. Therefore, the user does not have any possibility to lodge an appeal.

c) E-mails sent by the University of Vienna

In connection with the use of offers and services of the University of Vienna, the University may send emails that do not require active consent of the data subject and therefore do not constitute newsletters according to section 7f of this Data Protection Declaration.

In any case, the e-mail address will be processed as personal data for such e-mails. Other personal data are processed according to the type and legal basis of the e-mail.

d) Audit data

We record certain security-relevant actions associated with your account with article 6, para. 1, sub-para. f of the GDPR as the legal basis in the form of event storage. This allows us to inform you about unusual activity in your account. Audit data is kept for up to seven days.

Event data includes:

• Date and time of the event,
• User ID associated with the account,
• Event type (login, logout, registration, confirmation of email, issuing of session tokens),
• IP address of the originator of the event,
• tokens currently associated with the session,
• name of the connected website.

§ 8 Use of cookies

We use so-called cookies. Cookies are small text files that are sent from our web server to your browser when you visit our websites. Your browser holds these cookies available on your computer for later retrieval. Cookies contain a characteristic string of characters that allows your browser to be uniquely identified when the website is accessed again. We use only so-called session cookies (also known as temporary cookies), i.e. cookies that are stored only temporarily (cached) for the duration of your visit to one of our websites.

We use the following cookies:

• Session cookies (ID)

The collected usage data do not allow for any conclusions regarding the user (except those cookies that serve the recording of data in connection with an active log-in). All usage data are collected in anonymised form; they will not be linked to your personal data and will be erased immediately after the end of the statistical analysis. All cookies are erased after termination of the session, i.e. as soon as you end your browser session.

Furthermore, on our websites we use cookies which allow for an analysis of our users’ surfing behaviour. This way, the following data may be transferred:

• Search terms entered
• Frequency of page views
• Use of website features

The legal basis for the processing of data, subject to the user’s consent, is article 6, para. 1, sub-para. a of the GDPR, the University of Vienna’s legitimate interest in accordance with article 6, para. 1, sub-para. f of the GDPR, unless these are cookies necessary for the operation of the website.

The legal basis for the processing of personal data when using technically necessary cookies is article 6, para. 1, sub-para. f of the GDPR.

In particular, the used cookies serve the purpose of analysing the frequency of use and the number of visitors to our websites. Furthermore, they are used to continue to identify your computer during a visit on our website when surfing from one page to the next, and to establish the end of your visit. This allows us to determine which sections of our websites and which other websites our users visited.

The purpose of using technically necessary cookies is to simplify the use of websites for their users. Some features of our web presence cannot be provided without the use of cookies. To provide these features, it is imperative to recognise your browser even when you have switched to a different page.

The following applications require cookies:

• Text search
• Account management console

The user data collected by technically necessary cookies are not used to create user profiles.

§ 9 Security measures for protecting data stored by the University of Vienna

We commit ourselves to protecting your privacy and treating your personal data strictly confidential. To prevent manipulation, loss, or abuse of your personal data stored by us, we have implemented extensive technical and organisational security measures which are reviewed on a regular basis and updated in accordance with technological advances. These security measures include, among other things, the use of recognised encryption methods (TLS). However, please note that due to the nature of the Internet, other persons or institutions outside our area of responsibility may not adhere to the rules of data protection and the security measures specified above. In particular, data that are revealed without encryption – for example, data transferred via e-mail – may be accessed by third parties. We have no technical influence on this. It is the user’s responsibility to protect the data they provide against misuse by means of encryption or other measures.

§ 10 Hyperlinks to third-party websites

On our websites, we place so-called hyperlinks to websites of other providers. Activating these hyperlinks will redirect you from one of our websites directly to the website(s) of the other provider. For example, you can recognise this by the change of the URL. Since it is beyond our scope of influence whether third parties adhere to the data protection regulations, we cannot assume any responsibility for the confidential handling of your data on the websites of third parties. For information about the handling of your personal data by these companies, please refer directly to the respective companies’ websites.

§ 11 Right to object

Regarding the processing of your personal data based on the legitimate interest of the University of Vienna in accordance with article 6, para. 1, sub-para. f of the GDPR, you have the right to object to the processing of your personal data on grounds relating to your particular situation and/or to object against the use of your personal data for direct marketing purposes. In case of direct marketing, you have a general right to object which we will enforce without you having to specify a particular situation. Please contact us at dsba@univie.ac.at or at the e-mail address specified for the relevant processing activity.

§ 12 Your rights as a data subject

The GDPR specifies the following rights for data subjects regarding the processing of personal data:

• In accordance with article 15 of the GDPR, you have the right to obtain information from us about the personal data we are processing. In particular, you have the right to obtain information about the purposes of the processing, the categories of personal data concerned, the categories of recipients to whom the personal data have been or will be disclosed, the envisaged period for which the personal data will be stored, the existence of the right to request the rectification or erasure of your personal data or restriction of processing your data or to object to such processing, the right to lodge a complaint with a supervisory authority, the source of personal data collected about but not from you, the transfer of your data to third countries or international organisations, as well as about the existence of automated decision-making, including profiling and, if applicable, meaningful information about the logic involved.
• In accordance with article 16 of the GDPR, you have the right to request from us the rectification of inaccurate personal data concerning you and to have incomplete personal data completed.
• In accordance with article 17 of the GDPR, you have the right to request from us the erasure of personal data concerning you, unless the processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise or defence of legal claims.
• In accordance with article 18 of the GDPR, you have the right to request the restriction of processing of personal data concerning you, if you contest the accuracy of the personal data, if the processing is unlawful, if the University no longer needs the personal data, and if you oppose the erasure of the personal data because they are required for the establishment, exercise or defence of legal claims. Your right pursuant to article 18 of the GDPR also applies if you object to the processing in accordance with article 21 of the GDPR.
• In accordance with article 20 of the GDPR, you have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format and to transmit those data to another controller
• In accordance with article 7, para. 3 of the GDPR, you have the right to withdraw your consent to the processing of your data at any time. Consequently, the University of Vienna may no longer continue the data processing based on this consent in future.
• In accordance with article 77 of the GDPR, you have the right to lodge a complaint with a supervisory authority. In general, you can lodge a complaint with the supervisory authority in your habitual residence, your place of work, or our registered place of business. In Austria, the responsible supervisory authority is the Data Protection Authority, Barichgasse 40-42, 1030 Vienna, Telephone: +43 1 52 152-0, E-mail: dsb@dsb.gv.at, Website: dsb.gv.at 

To export data associated with a ReConnect China account in a machine-readable format, consider using the ReConnect China GDPR console. You can further use the account console to delete your account at any time.