:gdpr | IT:U

Privacy Policy

(Published: 05/2024 Version 1.0)

We place the utmost importance on safeguarding our users’ personal data. As such, we diligently adhere to relevant data protection regulations, including the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), throughout the processing of your personal information (e.g. as master data.) This Privacy Policy covers our general processing activities and processing activities on and by our website: https://it-u.at.

Words with initial capital letters have the same meaning as defined in the GDPR.

Outlined below is a more detailed breakdown of our data processing procedures:

1. Controller

Institute of Digital Sciences Austria

Altenberger Straße 66c / OG 2
Science Park 4
4040 Linz

Telephone: +43 676 / 851307200
E-Mail: dataprotection[at]it-u.at

We have appointed a data protection officer and notified the Austrian Data Protection Authority following Art. 38 GDPR; the contact details of the data protection officer are
Attorney at law, Professor Dr. Peter Burgstaller, LLM
Landstraße 12 / Linzerie, 4020 Linz, dataprotection[at]it-u.at

2. DATA SUBJECT RIGHTS/RIGHT OF OBJECTION AND REVOCATION/RIGHT OF APPEAL

2.1 You have the following rights concerning personal data relating to you:

Right of access (Art 15 GDPR),
Right to rectification (Art 16 GDPR) or erasure (Art 17 GDPR),
Right to restriction of processing (Art 18 GDPR),
Right to data portability (Art 20 GDPR),
Right to object (Art 21 GDPR).

Right to object: If your personal data is processed based on legitimate interests (Art 6 para 1 lit f GDPR: legitimate interests), you have the right to object to the processing at any time based on your particular situation. When you exercise your “Right to object”, we ask you to explain your reasons for refraining from processing your personal data as we have done. We will review the case’s merits and either stop or modify the data processing or provide you with our compelling, legitimate grounds to continue the data processing. We will also continue to process the data if necessary for asserting, exercising, or defending legal claims.

You can exercise your “Right to object” to data processing for direct advertising and data analysis purposes at any time. If you do so, we will cease the data processing accordingly.

Right of revocation: If you have given us your consent to process your personal data, you can also revoke this consent at any time. Your revocation will not affect the lawfulness of data processing prior to your revocation.

To exercise the rights explained above, you must inform us in person, by telephone or in writing:

Institute of Digital Sciences Austria

Altenberger Straße 66c / OG 2
Science Park 4
4040 Linz

Telephone: +43 676 / 851307200
E-Mail: dataprotection[at]it-u.at

Please note that we can only provide information if you can identify yourself.

2.2 If you believe that the data processing violates applicable data protection law or that we are violating your data protection rights, you also have the right to lodge a complaint with the supervisory authority in the member state of your place of residence, your place of work or the location of the alleged violation.

If you wish to submit your complaint to the supervisory authority in Austria, please address it to:

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Austria

3. Information about the processing of your personal data

3.1 Website visit

Purpose: When you use our website for informational purposes only (no registration and no transmission of other information), we collect personal data and transmit it from your browser to our server. The transmission is necessary to display our website and guarantee its stability and security.
Legal basis: Legitimate interest (Art 6 para 1 lit f GDPR), § 165 para 3 Austrian Telecommunications Act, short TKG 2021.
The following data is processed: IP address, date and time of the request, time zone difference to GMT, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, requesting website, browser, operating system and interface, language and version of the browser software.
Retention period: As long as you use our website.
Recipients/categories of recipients: Processor.

3.2 Electronic contact requests via the website

Purpose: To process contact requests via email or any other form of contact provided on our website.
Legal basis: Fulfilment of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), legitimate interest (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021.
The following data is processed: Master data and content data of the request.
Retention period: Until the request has been answered. If there are legal obligations to retain data, processing will be restricted until then.
Recipients/categories of recipients: Processor.

3.3 Cookies/Web analytics service

Purpose: improvement of the range of services, web presence and direct advertising
Legal basis: Consent (Art 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), legitimate interest, esp. to improve our own services for the benefit of users (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
The following data are processed: IP address
Recipients/recipient categories: Company of the analysis service/service provider

3.3.1 Dedicated Web Server

In providing our website services through the dedicated web server of Infotech EDV-Systeme GmbH, Schärdinger Straße 35, A-4910 Ried im Innkreis, Austria, we may process and store personal data in Infotech’s server log files. This data includes but is not limited to, IP addresses, session durations, page views, and other data necessary for the effective delivery and security of our services.

Purpose: To ensure the high-speed and secure presentation of our website, enhance user experience, and maintain the integrity of our services. Data processing aids in troubleshooting, performance analysis, and improving the website’s security and stability.
Legal basis: Legitimate interest (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
Data subjects: Website visitors.
The following data is processed: IP address, date and time of the request, time zone difference to GMT, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, requesting website, browser, operating system and interface, language and version of the browser software.
Storage period: As long as you use our website.
Recipients/recipient categories: Processor.

3.3.2 Use of Google Services

This website uses services of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”); if you are a resident of the European Union, the European Economic Area and Switzerland, Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. In the text below, we will explain exactly which services we use on our website. When utilising Google Inc.’s services, your information may be transferred to the United States of America (USA). We will indicate whether a transfer to the USA is possible for each application.

Transferred to the following third countries according to data protection law:
USA: Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of protection under the provisions of the EU-US and Swiss-US Data Privacy Frameworks. The transfer of information to these companies is permitted under the Data Privacy Framework.

Details of the specific data collection and processing practices of each operator can be found at the following links: https://www.youtube.com/static?gl=DE&template=terms&hl=de and https://policies.google.com/privacy.

Google LLC has committed to complying with the EU-US and Swiss-US Data Privacy Frameworks requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found by searching for “Google LLC” here: https://www.dataprivacyframework.gov/s/participant.

3.3.2.1 Google Fonts

This website uses third-party fonts, so-called “Google Fonts”. Google Fonts is set up locally and does not transfer personal data to the servers of Google LLC. in the USA.

Purpose: Coherent presentation of our web content across platforms.
Legal basis: Legitimate interest (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021.
The following data is processed: IP address.
Retention period: As long as you visit our website.

3.3.2.2 Google Maps

This website uses the Google Maps mapping service, which depends on your IP address’s storage. This information is typically transferred to and saved on a Google server in the USA.

Purpose: To offer a location mapping service to help you find us.
Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR)
Data subjects: Visitors to the website
The following data will be processed: IP address, content of the request
Recipients/categories of recipients: Service provider company and data processor
Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.2.3 Google Analytics

Purpose: Improvement of the range of services, website, and direct advertising. We use user behaviour analysis to optimise our website and advertising.
Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR)
Data subjects: Visitors to the website
The following data will be processed: approximate location (region), IP address (in abbreviated form), technical information about the browser and the end devices used (e.g. language setting, screen resolution), the visitor’s Internet provider, the referrer URL (via which website/advertising medium you came to this website).
Processing-triggering events: Processing of your data is only started if one or more of the following events occur when you visit the website: Page views, first visit to the website, the start of the session, your “click path”, interaction with the website, scrolls (whenever a user scrolls to the bottom of the page (90%)), clicks on external links, internal search queries, interaction with videos, file downloads, adverts viewed/clicked, language setting.
Retention period: Details are provided in the cookie banner.
Recipients/categories of recipients: Service provider company and data processor
Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.2.4 Tag Manager

This website uses Google Tag Manager, which allows us to integrate snippets of code, such as tracking code or conversion pixels, into the website without modifying the source code.

Purpose: Organisation and simplified integration of applications into the website.
Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR)
Data subjects: Visitors to the website
The following data will be processed: IP address, content of the request
Recipients/categories of recipients: Service provider company and data processor
Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.3 WordFence

This website uses WordFence, a WordPress security application of Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA.

Purpose: WordFence is used to identify and block malicious traffic, protect our website from security threats such as hacking attempts and malware, and identify and block IP addresses. The application acts like a firewall and offers security and error detection features. It enables us to detect and prevent unauthorised access attempts and technical vulnerabilities that could allow such access.
Data subject: Website visitors.
Legal basis: Consent (Art 6 para 1 lit a GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, esp. to provide security for our services (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
The following data is processed: IP addresses, browser types, referring URLs, time of access, and security logs.
Retention period: as long as necessary to protect our website and its users from security threats.
Recipients/categories of recipients: Service provider.
Transmission to the following third countries under data protection law: USA
The legal requirements do not guarantee a sufficient level of security for companies that have not completed the Data Privacy Framework Program.
WordFence, operated by Defiant Inc., relies on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission to transfer personal data. Details can be found here:
https://www.wordfence.com/standard-contractual-clauses/
https://www.wordfence.com/privacy-policy/

3.3.4 Borlabs

This website uses BorlabsCookie as a consent management tool for cookies and third-party services. You can update your cookie preferences anytime by clicking on the “Manage Cookies” option at the bottom left of the screen.

Purpose: BorlabsCookie is used to obtain, record, manage, and revoke user consent, specifically for using cookies, third-party applications, and similar technologies. These technologies store, read, and process information on user devices, facilitating targeted functionalities and data processing strategies.
Data subject: Website visitors.
Legal basis: Consent (Art 6 para 1 lit a GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, esp. to improve our own services for the benefit of users (Art 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
The following data is processed: Content data on user consent status
Retention period(Lifetime): Information is provided in the consent management tool.
Recipients/categories of recipients: Company of the analysis service/service provider.

3.3.5 Friendly Captcha

This website uses Friendly Captcha, an application issued by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee/Germany. Friendly Captcha does not use cookies to deliver its services.

Purpose: The application guards our website contact form. We use this function to distinguish whether an input is made by a natural person or abusively by machine and automated processing. Friendly Captcha serves to secure our website.
The following data is processed: IP address, timestamp of the request, referrer URL, device settings (language, browser, location, screen resolution), and interaction data (movement and clicks), puzzle ID, solution time, accuracy.
Data subject: Website visitors who use our website contact form.
Legal basis: Legitimate interest (Art 6 (1) (f)), mainly but not limited to website security and the exercise and defence of legal claims.
Retention period: As long as you use our website.
Recipients/categories of recipients: Processor.

Details about the processing activities for end users are provided here: https://friendlycaptcha.com/de/legal/privacy-end-users/

3.4 Customer relation management and marketing for own purposes

Purpose: Processing of prospective interested parties’ and research partners’ data, either owned or purchased, to initiate contacts concerning the services offered, implement advertising measures, and dispatch newsletters; customer relation management.
Legal basis: Consent (Art 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, in particular defence, exercise and assertion of legal claims (Art 6 para 1 lit f GDPR).
The following data is processed for the newsletter dispatch via our website: Master data (first and family name, address, e-mail address).
Retention period: The data may be stored until the end of the third year after the last contact with the data subject unless longer contractual or legal retention periods exist.
Recipients/categories of recipients: Company of the analysis service/service provider.

3.5 Social Media

Purpose: We are also represented on social media, in addition to our website, to increase awareness of our Institute and conduct marketing activities. Personal information may be transmitted to the social media operator when you visit one of our online sites. In addition, the operator may link your profile to ours if you are logged into the relevant network.
Data subjects: Visitors to our social media sites.
Legal basis: Consent (Art 6 para 1 lit a GDPR), legitimate interest (Art 6 para 1 lit f) GDPR), explicit consent (Art 49 para 1 lit a GDPR)
The following data is processed: date and time of actions performed, user ID (only for logged-in users), location data (country/city), language setting, age/gender group (for logged-in users from the user profile), previously visited website and identification of hardware (computer/mobile device).
Recipients/recipient categories: Operator of visited social media platform.

3.5.1 LinkedIn

LinkedIn is a network for business contacts and is part of Microsoft Corporation. The services are operated by LinkedIn Corporation, Sunnyvale, California, United States; if you are a resident of the European Union, the European Economic Area and Switzerland, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2 Ireland, which is responsible for processing personal data by using LinkedIn.
Details of the specific data collection and processing by the operator can be found at the following link
https://de.linkedin.com/legal/privacy-policy (general privacy policy)

Transfers to the following third countries for data protection purposes
USA: Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of protection under the provisions of the EU-US and Swiss-US Data Privacy Frameworks. The transfer of information to these companies is permitted under the Data Privacy Framework.

LinkedIn Corporation has committed to comply with the EU-US and Swiss-US Data Privacy Frameworks requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found by searching for “LinkedIn Corporation” at https://www.dataprivacyframework.gov/s/participant-search.

3.5.2 Facebook, Instagram (Meta Inc.)

Meta Inc. is the parent company of Facebook and Instagram. The services are operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, which is the Controller for processing personal data in relation to the use of Facebook and Instagram.

Details of the specific data collection and processing by each operator can be found at the following links:
Facebook: https://de-de.facebook.com/about/privacy/ (general privacy policy) and https://www.facebook.com/legal/terms/page_controller_addendum# (specific data collection for Page Insights)
Instagram: https://help.instagram.com/155833707900388

Transmission to the following third countries under data protection law:
USA: Companies that have successfully completed the Data Privacy Framework Program are considered to have an adequate level of security following the provisions of the EU-US and Swiss-US Data Privacy Framework. It is permissible under data protection law to transfer information to these companies within the framework of the Data Privacy Framework.

Meta Platforms, Inc., the parent company of Instagram platforms services, has committed to complying with the EU-US and Swiss-US Data Privacy Framework requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found under the search term “Meta Platforms, Inc.” here: https://www.dataprivacyframework.gov/s/participant-search.

3.5.3 TikTok (ByteDance)

TikTok is operated by the Chinese company ByteDance. TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, is responsible for processing personal data in the context of TikTok use.
Details about TikTok’s specific data collection and processing can be found here: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

Transmission to the following third countries under data protection law:
USA, China, Malaysia:
USA: For companies that have not completed the Data Privacy Framework Program, a sufficient level of security cannot be guaranteed under the legal requirements.
China: The Chinese Multi-Level Protection Scheme 2.0 obliges companies based in China to disclose data to Chinese authorities and to guarantee them unrestricted access to servers. As a result, an adequate level of security and compliance with European data protection requirements cannot be guaranteed.
Malaysia: Malaysia has enacted statutory data protection regulations, but there is currently no adequacy decision. Consequently, adequate security and compliance with European data protection requirements cannot be conclusively guaranteed.

TikTok, operated by the Chinese company ByteDance, relies on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission for the transfer of personal data. Details can be found here:
https://www.tiktok.com/legal/page/eea/privacy-policy/en#share-info
https://www.tiktok.com/legal/page/eea/transferee-countries/en

3.6. Accounting, logistics, and bookkeeping

Purpose: processing personal data in the context of any business relationship with suppliers, including systematically recording all business transactions relating to income and expenditure.
Legal basis: Consent (Art 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), legitimate interest, esp. defence, exercise, and assertion of legal claims (Art 6 para 1 lit f GDPR), explicit consent (Art 9 para 2 lit a GDPR).
Retention period: Until the end of the business relationship or until the expiry of the guarantee, warranty, limitation and statutory retention periods applicable to the client (especially federal tax regulations, Federal Procurement Act); furthermore, until the end of any legal disputes in which the data is required as evidence.
Recipients/categories of recipients: Tax office, courts and authorities, suppliers, debt collection agencies, banks involved in the payment to the person concerned or to third parties, legal representatives, auditors, payroll processors.

The provision of your personal data is necessary for the fulfilment of the contract or the implementation of pre-contractual measures. Without this data, we cannot conclude a contract with you.

3.7 Applicant Management, Faculty Hiring

Purpose: To use and record personal data provided by job applicants where the data subject has provided such data; to actively approach potential employees via various channels and through contracted recruitment consultants; to conduct human resources management and planning on a global level; including ensuring appropriate staffing; to plan and manage the skills of potential employees; to perform the application process including academic recruitment; to be able to refer to applications received at a later date concerning potential employment.
Legal basis: Consent (Art 6 para 1 lit a GDPR), explicit consent (Art 9 para 2 lit a GDPR), the assertion, exercise, and defence of legal claims (Art 9 para 2 lit f GDPR), and legitimate interest (Art 6 para 1 lit f GDPR; Art 10 GDPR in connection with § 4 para 3 lit 2 DSG).
The following data is processed: letter of application, name, salutation (Mr./Mrs./Ms.) including academic title, name affix, photo (if provided), gender, address, date and place of birth, e-mail address, telephone number, citizenship, position for which you are applying, type of application (e.g. e-mail, LinkedIn, unsolicited application), earliest starting date, period of notice, salary expectations, curriculum vitae, education (school, university etc.), previous professional experience, personal skills and competencies, signature, certificates and references, notes from the interview, any assessments, communication data (including e-mail correspondence) and other data provided by you as part of the application process.
Retention period: Applicant data will be deleted immediately after the advertised position has been filled or after the expiry of the claim period under the Equal Treatment Act (7 months) unless consent has been given to keep the data. Unsolicited applications will be kept on file for the intended purpose until revoked by the person concerned); furthermore, until the end of any legal disputes requiring the data as evidence.
Data collection by third parties: Recruitment agencies and recruitment platforms.
Recipients/categories of recipients: Companies within the meaning of Section 1 (3) of the Federal Act on the Establishment of the Institute of Digital Sciences Austria; departments responsible for the respective appointment; departments accountable for the respective appointment; the Search Committee appointed by us, during the appointment process for professorships, under the Provisional Articles of Association of the Institute of Digital Sciences Austria or the Interdisciplinary Transformation University (IT:U), Part IV.

We provide detailed information about faculty hiring on our website.  Provisional Articles of Association – it:u – interdisciplinary transformation university Austria (it-u.at) and a printable version in the English language following this link: https://it-u.at/wp-content/uploads/2024/02/Provisional-Articles-of-Association-January-29-2024.pdf.
A printable version in the German language is provided here: https://it-u.at/wp-content/uploads/2024/02/2024-01-29_IDSA_Satzungsteile-I-bis-V_finale-Version.pdf.
Transmission to the following third countries under data protection law:
Some of the above recipients are located outside your country or process your personal data there. The level of data protection in other countries may not be the same as in your country. However, we only transfer your personal data to countries for which the EU Commission has decided that they have an adequate level of data protection. We can also take measures to ensure that all recipients have an adequate level of data protection. For example, we conclude standard contractual clauses for this purpose.

Please refrain from sharing any sensitive information during the application process, such as details regarding ethnic background, political views, religious beliefs, union membership, health status, or sexual orientation. If you voluntarily disclose such information without being prompted, please note that it will be stored as part of your application data.

3.8 Application and admission to study

Purpose: To process applications, evaluate whether applicants meet the necessary study requirements, and carry out the relevant application procedure.
Data subjects: Prospective students who want to study at IT:U.
Legal basis: Consent (Art 6 para 1 lit a GDPR), explicit consent (Art 9 para 2 lit a GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), the assertion, exercise and defence of legal claims (Art 9 para 2 lit f GDPR), and legitimate interest (Art 6 para 1 lit f GDPR).
The following data are processed: title, name, address, e-mail address, date of birth, nationality, CV, letter of motivation and certificates.
Retention period: If the application is rejected, applicant data will be deleted after three (3) years. Successful applications will be added to your student record and stored for at least 80 years (§ 53 UG 2002, § 10 para 10 BilDokG 2020) ); furthermore, until the end of any legal disputes requiring the data as evidence.

3.9 Alumni

Purpose: To disseminate information about IT:U activities and to prepare, organise, execute and oversee events and Alumni gatherings; Membership Management.
Data subjects: Alumni who studied at IT:U.
Legal basis: Consent (Art 6 para 1 lit a GDPR), Fulfilment of a contract, necessary for the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR), fulfilment of a legal obligation (Art 6 para 1 lit c GDPR), the assertion, exercise and defence of legal claims (Art 9 para 2 lit f GDPR), and legitimate interest (Art 6 para 1 lit f GDPR).
The following data are processed: Master data (title, name, address, e-mail address, degree program).
Retention period: Until the end of the membership or until the expiry of statutory retention periods applicable to the data processing (especially federal tax regulations); furthermore, until the end of any legal disputes in which the data is required as evidence.

4. Information on data transfers to third countries or international organisations

The personal data we process will not be transferred to third countries or international organisations unless otherwise specified in Clause 3.

5. Change management

Our website has the latest version of our data protection declaration available for you to access. If there is anything you are unsure about regarding an earlier version, feel free to contact the person appointed in Clause 1. They will be more than happy to help you out with any questions you may have.