Skip to main content

:gdpr

PRIVACY POLICY

(Published: 07/2025 Version 1.5)

We place the utmost importance on safeguarding our users’ personal data. As such, we diligently adhere to relevant data protection regulations, including the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG), throughout the processing of your personal information (e.g. as master data). This Privacy Policy covers our general processing activities and processing activities on and by our website: https://it-u.at.

Words with initial capital letters have the same meaning as defined in the GDPR.

Outlined below is a more detailed breakdown of our data processing procedures: If you are looking for a specific processing activity, please check the table below:

1. CONTROLLER

2. DATA SUBJECT RIGHTS / RIGHT OF OBJECTION AND REVOCATION / RIGHT OF APPEAL

2.1. YOUR RIGHTS AS DATA SUBJECT

2.2. YOUR RIGHTS WITH THE DATA PROTECTION AUTHORITY

3. INFORMATION ABOUT THE PROCESSING OF YOUR PERSONAL DATA

3.1. WEBSITE VISIT

3.2. ELECTRONIC CONTACT REQUESTS VIA THE WEBSITE

3.3. COOKIES / WEB ANALYTICS SERVICE

3.3.1. Dedicated Web Server

3.3.2. Use of Google Services

3.3.2.1. Google Fonts

3.3.2.2. Google Maps

3.3.2.3. Google Analytics

3.3.2.4. Google Ads

3.3.2.5. Google DV360 (former DBM)

3.3.2.6. Tag Manager

3.3.3. WordFence

3.3.4. Borlabs

3.3.5. Friendly Captcha

3.3.6. Microsoft Clarity

3.3.7. Vimeo

3.4. CUSTOMER RELATION MANAGEMENT AND MARKETING FOR OWN PURPOSES

3.5. SOCIAL MEDIA

3.5.1. LinkedIn

3.5.2. Facebook, Instagram (Meta Inc.)

3.5.3. TikTok (ByteDance)

3.6. ACCOUNTING, LOGISTICS, AND BOOKKEEPING

3.7. APPLICANT MANAGEMENT, FACULTY HIRING

3.7.1 ON-BOARDING

3.8. APPLICATION AND ADMISSION TO STUDY

3.9. ALUMNI

3.10. SURVEYS, POLLS AND DIGITAL FORMS

3.11. RESEARCH

4. INFORMATION ON DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

5. CHANGE MANAGEMENT

CONTROLLER

Interdisciplinary Transformation University (IT:U)

Altenberger Straße 66c / OG 2
Science Park 4
4040 Linz

Telephone: +43 676 / 851307200

E-Mail: dataprotection[at]it-u.at

We have appointed a data protection officer and notified the Austrian Data Protection Authority following Art. 38 GDPR; the contact details of the data protection officer are

Attorney at law, Professor Dr. Peter Burgstaller, LLM

Landstraße 12 / Linzerie, 4020 Linz, dataprotection[at]it-u.at

2. DATA SUBJECT RIGHTS/RIGHT OF OBJECTION AND REVOCATION/RIGHT OF APPEAL

2.1 YOUR RIGHTS AS DATA SUBJECT

You have the following rights concerning personal data relating to you:

  • Right of access (Article 15 GDPR),
  • Right to rectification (Article 16 GDPR) or erasure (Article 17 GDPR),
  • Right to restriction of processing (Article 18 GDPR),
  • Right to data portability (Article 20 GDPR),
  • Right to object (Article 21 GDPR).

Right to object: If your personal data is processed based on legitimate interests (Article 6 para 1 lit f GDPR: legitimate interests), you can object to the processing at any time based on your situation. When you exercise your “Right to object”, we ask you to explain your reasons for refraining from processing your personal data as we have done. We will review the case’s merits and either stop or modify the data processing, or provide you with our compelling, legitimate grounds to continue the data processing. We will also continue to process the data if necessary for asserting, exercising, or defending legal claims.

You can exercise your “Right to object” to data processing for direct advertising and data analysis purposes at any time. If you do so, we will cease the data processing accordingly.

Right of revocation: If you have given us your consent to process your personal data, you can also revoke this consent at any time. Your revocation will not affect the lawfulness of data processing prior to your revocation.

To exercise the rights explained above, you must inform us in person, by telephone or in writing:

Interdisciplinary Transformation University (IT:U)

Altenberger Straße 66c / OG 2
Science Park 4
4040 Linz

Telephone: +43 676 / 851307200

E-Mail: dataprotection[at]it-u.at

Please note that we can only provide information if you can identify yourself.

2.2 YOUR RIGHTS WITH THE DATA PROTECTION AUTHORITY

Please let us know if you believe that data processing violates applicable data protection laws or that your data protection rights are being infringed. In that case, you also have the right to complain with the supervisory authority in the member state of your place of residence, your place of work or the location of the alleged violation.

If you wish to submit your complaint to the supervisory authority in Austria, please address it to:

Austrian Data Protection Authority

Barichgasse 40-42 

1030 Vienna

Austria

3. INFORMATION ABOUT THE PROCESSING OF YOUR PERSONAL DATA

3.1 Website visit

  • Purpose: When you use our website for informational purposes only (no registration and no transmission of other information), we collect personal data from your browser to our server. The transmission is necessary to display our website and guarantee its stability and security.
  • Data subject: Website visitors
  • Legal basis: Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 Austrian Telecommunications Act, short TKG 2021.
  • Legitimate Interests: To provide a reliable, secure, and user-friendly online service (such as our website) to inform the public about our organisation and promote our products and services; assertion, exercise, and defence of legal claims.
  • The following data is processed: IP address, date and time of the request, time zone difference to GMT, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, requesting website, browser, operating system and interface, language and version of the browser software.
  • Retention period: As long as you use our website.
  • Recipients/categories of recipients: Processor.

3.2 ELECTRONIC CONTACT REQUESTS VIA THE WEBSITE

  • Purpose: To process contact requests via email or any other form of contact provided on our website.
  • Data subject: Website visitors who use the contact (or other) form.
  • Legal basis: Fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021.
  • Legitimate Interests: To provide a reliable, secure, and user-friendly online service (such as our website); to receive and answer requests; assertion, exercise, and defence of legal claims.
  • The following data is processed: Master data and content data of the request.
  • Retention period: Until the request has been answered. If there are legal obligations to retain data, processing will be restricted until then.
  • Recipients/categories of recipients: Processor.

3.3 COOKIES/WEB ANALYTICS SERVICE

  • Purpose: improvement of the range of services, web presence and direct advertising
  • Data subject: Website visitors.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Legitimate Interest, esp. to improve our own services for the benefit of users (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
  • Legitimate Interests: Improvement of our services, technical stability; compiling statistics for plausibility check of invoices from the use of cookies and web analysis services, assertion, exercise, and defence of legal claims.
  • The following data are processed: IP address
  • Recipients/recipient categories: Company of the analysis service/service provider

3.3.1 DEDICATED WEB SERVER

In providing our website services through the dedicated web server of Infotech EDV-Systeme GmbH, Schärdinger Straße 35, A-4910 Ried im Innkreis, Austria, we may process and store personal data in Infotech’s server log files. This data includes, but is not limited to, IP addresses, session durations, page views, and other data necessary for our services’ effective delivery and security.

  • Purpose: To ensure the high-speed and secure presentation of our website, enhance user experience, and maintain the integrity of our services. Data processing aids in troubleshooting, performance analysis, and improving the website’s security and stability.
  • Data subject: Website visitors.
  • Legal basis: Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021.
  • Legitimate Interests: To provide a reliable, secure, and user-friendly online service, and faster website loading times; assertion, exercise, and defence of legal claims.
  • The following data is processed: IP address, date and time of the request, time zone difference to GMT, content of the request (specific page), access status/HTTP status code, amount of data transferred in each case, requesting website, browser, operating system and interface, language and version of the browser software.
  • Storage period: As long as you use our website.
  • Recipients/recipient categories: Processor.

3.3.2 USE OF GOOGLE SERVICES

This website uses services of Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States (“Google”); if you are a resident of the European Union, the European Economic Area and Switzerland, Google Ireland Limited (registration number: 368047), Gordon House, Barrow Street, Dublin 4, Ireland. In the text below, we will explain exactly which services we use on our website. When utilising Google Inc.’s services, your information may be transferred to the United States of America (USA). We will indicate whether a transfer to the USA is possible for each application.

  • Transferred to the following third countries according to data protection law:

USA: Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of protection under the provisions of the EU-US and Swiss-US Data Privacy Frameworks. The transfer of information to these companies is permitted under the Data Privacy Framework.

Details of the specific data collection and processing practices of each operator can be found at the following links:

https://www.youtube.com/static?gl=DE&template=terms&hl=de  and https://policies.google.com/privacy

Google LLC has committed to complying with the EU-US and Swiss-US Data Privacy Frameworks requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found by searching for “Google LLC” here: https://www.dataprivacyframework.gov/s/participant.

3.3.2.1 GOOGLE FONTS

This website uses third-party fonts, so-called “Google Fonts”. Google Fonts is set up locally and does not transfer personal data to the servers of Google LLC. in the USA.

  • Purpose: Coherent presentation of our web content across platforms.
  • Data subjects: Website visitors.
  • Legal basis: Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021.
  • Legitimate Interests: Improvement of our services, technical stability, standardised presentation and faster website loading times; assertion, exercise, and defence of legal claims.
  • The following data is processed: IP address.
  • Retention period: As long as you visit our website.

3.3.2.2 GOOGLE MAPS

This website uses the Google Maps mapping service, which depends on your IP address’s storage. This information is typically transferred to and saved on a Google server in the USA.

  • Purpose: To offer a location mapping service to help you find us.
  • Data subjects: Website visitors who agree to display map services.
  • Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR)
  • The following data will be processed: IP address, content of the request
  • Recipients/categories of recipients: Service provider company and data processor
  • Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.2.3 GOOGLE ANALYTICS

  • Purpose: Improvement of the range of services, website, and direct advertising. We use user behaviour analysis to optimise our website and advertising.Furthermore, we use Google Analytics to track some of our surveys.
  • Data subjects: Visitors to the website who agree to this cookie.
  • Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR).
  • Legitimate Interests: Improvement of our services, compiling statistics for plausibility check of invoices from the use of cookies and web analysis services; assertion, exercise, and defence of legal claims.
  • The following data will be processed: approximate location (region), IP address (in abbreviated form), technical information about the browser and the end devices used (e.g. language setting, screen resolution), the visitor’s Internet provider, and the referrer URL (via which website/advertising medium you came to this website).
  • Processing-triggering events: Processing of your data is only started if one or more of the following events occur when you visit the website: Page views, first visit to the website, the start of the session, your “click path”, interaction with the website, scrolls (whenever a user scrolls to the bottom of the page (90%)), clicks on external links, internal search queries, interaction with videos, file downloads, adverts viewed/clicked, language setting.
  • Retention period: Details are provided in the cookie banner.
  • Recipients/categories of recipients: Service provider company and data processor.
  • Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.2.4 GOOGLE ADS

  • Purpose: To address visitors to the website with targeted advertising by displaying personalised, interest-based ads to visitors when they visit other websites in the Google Display Network.
  • Data subjects: Visitors to the website, Interested Parties.
  • Legal basis: Consent (Article 6(1)(a) GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2003, explicit consent (Article 49(1)(a) GDPR), assertion, exercise, and defence of legal claims (Article 49 para 1 lit e GDPR).
  • Legitimate Interests: Improvement of our services; public relations and commercials for our organisation; compiling statistics for plausibility check of invoices from the use of cookies and web analysis services; assertion, exercise, and defence of legal claims.
  • The following data will be processed: IP address, unique user ID, and the content of the request (e.g., information about the advertisement).
  • Retention period: Details are provided in the cookie banner.
  • Recipients/categories of recipients: Service provider company and data processor
  • Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.2.5 GOOGLE DV360 (FORMER DBM)

Using Google DV360 enables us to create, optimise, and manage digital advertising campaigns. This includes designing advertising media, organising target group data, purchasing advertising space in different ad networks, and optimising campaigns.

  • Purpose: Creating, optimising, and managing display and TV ads; Definition and optimisation of the target group(s); creating our target groups; using data of Google target groups; Measurements of our success (view rates, click rates); purchasing and settlement of advertising space.
  • Data subjects: Visitors to our website who consent to using Google DV360 (via Cookie Consent).
  • Legal Basis: Consent (Article 6(1)(a) GDPR), § 165 para 3 TKG 2003, explicit consent (Article 49(1)(a) GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR)
  • Legitimate Interests: Improvement of our services; public relations and commercials for our organisation; compiling statistics for the plausibility check of invoices from digital services; assertion, exercise, and defence of legal claims.
  • The following data will be processed: IP address, unique user ID (including third-party identifiers and publisher-provided identifiers), and the content of the request (e.g., information about the advertisement).
  • Recipients/categories of recipients: Service provider and data processor. Depending on the respective campaign, data may also be shared with connected services, including Analytics 360, YouTube, and selected third-party platforms.
  • Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)
  • The following data may be collected by a third party: target group data. DV360 enables us to gain a deeper understanding of target groups by combining self-collected, third-party, and Google data and creating unified target groups from diverse datasets.

3.3.2.6 TAG MANAGER

This website uses Google Tag Manager, which allows us to integrate snippets of code, such as tracking code or conversion pixels, into the website without modifying the source code.

  • Purpose: Organisation and simplified integration of applications into the website.
  • Data subjects: Visitors to the website
  • Legal basis: Consent (Article 6(1)(a) GDPR), Explicit consent (Article 49(1)(a) GDPR)
  • The following data will be processed: IP address, content of the request
  • Recipients/categories of recipients: Service provider company and data processor
  • Transfers to countries outside the EU/EEA: USA (for details, see point 3.5.)

3.3.3 WORDFENCE

This website uses WordFence, a WordPress security application of Defiant Inc., 800 5th Ave., Suite 4100, Seattle, WA 98104, USA.

  • Purpose: WordFence is used to identify and block malicious traffic, protect our website from security threats such as hacking attempts and malware, and identify and block IP addresses. The application acts like a firewall and offers security and error detection features. It enables us to detect and prevent unauthorised access attempts and technical vulnerabilities that could allow such access.
  • Data subject: Website visitors.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a Legal Obligation(Article 6 para 1 lit c GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
  • Legitimate Interests: Improvement of our services; defence and security of our website and hosting structure; compiling statistics for the plausibility check attacks and of invoices from the use of digital services; assertion, exercise, and defence of legal claims.
  • The following data is processed: IP addresses, browser types, referring URLs, time of access, and security logs.
  • Retention period: as long as necessary to protect our website and its users from security threats.
  • Recipients/categories of recipients: Service provider.
  • Transmission to the following third countries under data protection law: USA

The legal requirements do not guarantee a sufficient level of security for companies that have not completed the Data Privacy Framework Program.

WordFence, operated by Defiant Inc., relies on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission to transfer personal data. Details can be found here:

https://www.wordfence.com/standard-contractual-clauses

https://www.wordfence.com/privacy-policy

3.3.4 BORLABS

This website uses BorlabsCookie as a consent management tool for cookies and third-party services. You can update your cookie preferences anytime by clicking on the “Manage Cookies” option at the bottom left of the screen.

  • Purpose: BorlabsCookie is used to obtain, record, manage, and revoke user consent, specifically for using cookies, third-party applications, and similar technologies. These technologies store, read, and process information on user devices, facilitating targeted functionalities and data processing strategies.
  • Data subject: Website visitors.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a Legal Obligation(Article 6 para 1 lit c GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
  • Legitimate Interests: Ensuring the proper and legally compliant operation of the website, including the management of user consents and the ability to document and demonstrate compliance with data protection obligations; assertion, exercise, and defence of legal claims.
  • The following data is processed: Content data on user consent status
  • Retention period (Lifetime): Information is provided in the consent management tool.
  • Recipients/categories of recipients: Company of the analysis service/service provider.

3.3.5 FRIENDLY CAPTCHA

This website uses Friendly Captcha, an application issued by Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee/Germany. Friendly Captcha does not use cookies to deliver its services.

  • Purpose: The application guards our website contact form. We use this function to distinguish whether an input is made by a natural person or abusively by machine and automated processing. Friendly Captcha serves to secure our website.
  • Data subject: Website visitors who use our website contact form.
  • Legal basis: Legitimate Interest (Article 6 (1) (f)).
  • Legitimate Interests: Website security against DOS-attacks (Denial-of-services) and other attacks against our website; exercise and defence of legal claims, assertion of rights.
  • The following data is processed: IP address, timestamp of the request, referrer URL, device settings (language, browser, location, screen resolution), interaction data (movement and clicks), puzzle ID, solution time, and accuracy.
  • Retention period: As long as you use our website.
  • Recipients/categories of recipients: Processor.

Details about the processing activities for end users are provided here: https://friendlycaptcha.com/de/legal/privacy-end-users/

3.3.6 MICROSOFT CLARITY

  • Purpose: Analysis of user behaviour on our website to improve user-friendliness, functionality and design. Microsoft Clarity records mouse movements, scrolling behaviour, clicks and aggregated navigation patterns (“session replay”, heat maps) to give us anonymised insights into user behaviour.
  • Data subject: Website visitors.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a Legal Obligation (Article 6 para 1 lit c GDPR), Legitimate Interest (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
  • Legitimate Interests: Improvement of our services, technical stability; compiling statistics for plausibility check of invoices using digital services, assertion, exercise, and defence of legal claims.
  • The following data is processed: Device information (e.g. browser type/version, operating system, screen resolution), usage data (e.g. mouse movements, clicks, scrolling behaviour), IP address (shortened/anonymised), language settings, referrer URL and date and time of access. According to Microsoft, form content is not recorded.
  • Retention period: 30 days
  • Recipients/categories of recipients: Processor.
  • Transfers to the following third countries under data protection law: USA

Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of protection under the provisions of the EU-US and Swiss-US Data Privacy Frameworks. The transfer of information to these companies is permitted under the Data Privacy Framework.

Microsoft has committed to comply with the EU-US and Swiss-US Data Privacy Frameworks requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found by searching for “Microsoft” at https://www.dataprivacyframework.gov/s/participant-search.

3.3.7 VIMEO

  • Purpose: This website uses Vimeo, a service provided by Vimeo, Inc., 555 West 18th Street, New York, New York 10011, USA, to display our videos in an appealing way.
  • Data subject: Website visitors.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a Legal Obligation(Article 6 para 1 lit c GDPR), Legitimate Interest, esp. to improve our own services for the benefit of users (Article 6 para 1 lit f GDPR), § 165 para 3 TKG 2021
  • Legitimate Interests: Improvement of our services, technical stability; faster website and video loading times; compiling statistics for plausibility check of invoices using digital services, assertion, exercise, and defence of legal claims.
  • The following data is processed: IP address, details about the website visit
  • Retention period: During website visit.
  • Recipients/categories of recipients: Processor.
  • Transfers to the following third countries under data protection law: USA
  • Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of security following the provisions of the EU-US and Swiss-US Data Privacy Framework. It is permissible under data protection law to transfer information to these companies within the framework of the Data Privacy Framework.

Vimeo.com, Inc. has committed to complying with the EU-US and Swiss-US Data Privacy Framework requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found under the search term “Meta Platforms, Inc.” here: https://www.dataprivacyframework.gov/s/participant-search.

Details of the specific data collection and processing by each operator can be found at the following link: https://vimeo.com/privacy

3.4 CUSTOMER RELATION MANAGEMENT AND MARKETING FOR OWN PURPOSES

  • Purpose: Processing of prospective interested parties’ and research partners’ data, either owned or purchased, to initiate contacts concerning the services offered, implement advertising measures, and dispatch newsletters; customer relation management.
  • Data subject: Interested parties.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Fulfilment of a Legal Obligation (Article 6 para 1 lit c GDPR), Legitimate Interest, in particular defense, exercise and assertion of legal claims (Article 6 para 1 lit f GDPR).
  • Legitimate Interests: Defence, exercise and assertion of legal claims; evaluation of opening rates and statistics on the success of our campaigns to optimise public relations communication; economic interest in customer and supplier loyalty.
  • The following data is processed for the newsletter dispatch via our website: Master data (first and family name, address, e-mail address).
  • Retention period: The data may be stored until the end of the third year after the last contact with the data subject unless longer contractual or legal retention periods exist.
  • Recipients/categories of recipients: Processor.

3.5 SOCIAL MEDIA

  • Purpose: We are also represented on social media, in addition to our website, to increase awareness of our Institute and conduct marketing activities. Personal information may be transmitted to the social media operator when you visit one of our online sites. In addition, the operator may link your profile to ours if you are logged into the relevant network.
  • Data subjects: Visitors to our social media sites.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Legitimate Interest (Article 6 para 1 lit f) GDPR), explicit consent (Article 49 para 1 lit a GDPR)
  • Legitimate Interests: Defence, exercise and assertion of legal claims; evaluation of opening rates, ranges and statistics on the success of our campaigns to optimise public relations communication.
  • The following data is processed: date and time of actions performed, user ID (only for logged-in users), location data (country/city), language setting, age/gender group (for logged-in users from the user profile), previously visited website and identification of hardware (computer/mobile device).
  • Recipients/recipient categories: Operator of visited social media platform.

3.5.1 LINKEDIN

LinkedIn is a network for business contacts and is part of Microsoft Corporation. The services are operated by LinkedIn Corporation, Sunnyvale, California, United States; if you are a resident of the European Union, the European Economic Area and Switzerland, LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2 Ireland, which is responsible for processing personal data by using LinkedIn.

Details of the specific data collection and processing by the operator can be found at the following link

https://de.linkedin.com/legal/privacy-policy (general privacy policy)

  • Transfers to the following third countries under data protection law: USA: Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of protection under the provisions of the EU-US and Swiss-US Data Privacy Frameworks. The transfer of information to these companies is permitted under the Data Privacy Framework.

LinkedIn Corporation has committed to comply with the EU-US and Swiss-US Data Privacy Frameworks requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found by searching for “LinkedIn Corporation” at https://www.dataprivacyframework.gov/s/participant-search.

3.5.2 FACEBOOK, INSTAGRAM (META INC.)

Meta Inc. is the parent company of Facebook and Instagram. The services are operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland, which is the Controller for processing personal data in relation to the use of Facebook and Instagram.

Details of the specific data collection and processing by each operator can be found at the following links:

Facebook: https://de-de.facebook.com/about/privacy/ (general privacy policy) and https://www.facebook.com/legal/terms/page_controller_addendum# (particular data collection for Page Insights)

Instagram: https://help.instagram.com/155833707900388

  • Transmission to the following third countries under data protection law: USA: Companies that have completed the Data Privacy Framework Program are considered to have an adequate level of security following the provisions of the EU-US and Swiss-US Data Privacy Framework. It is permissible under data protection law to transfer information to these companies within the framework of the Data Privacy Framework.

Meta Platforms, Inc., the parent company of Instagram platform services, has committed to complying with the EU-US and Swiss-US Data Privacy Framework requirements by becoming certified under the Data Privacy Framework Program. Information on participation can be found under the search term “Meta Platforms, Inc.” here: https://www.dataprivacyframework.gov/s/participant-search.

3.5.3 TIKTOK (BYTEDANCE)

TikTok is operated by the Chinese company ByteDance. TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland, is responsible for processing personal data in the context of TikTok use.

Details about TikTok’s specific data collection and processing can be found here: https://www.tiktok.com/legal/page/eea/privacy-policy/en.

  • Transmission to the following third countries under data protection law:

USA, China, Malaysia:

USA: For companies that have not completed the Data Privacy Framework Program, a sufficient level of security cannot be guaranteed under the legal requirements.

China: The Chinese Multi-Level Protection Scheme 2.0 obliges companies based in China to disclose data to Chinese authorities and to guarantee them unrestricted access to servers. As a result, an adequate level of security and compliance with European data protection requirements cannot be guaranteed.

Malaysia: Malaysia has enacted statutory data protection regulations, but there is currently no adequacy decision. Consequently, adequate security and compliance with European data protection requirements cannot be conclusively guaranteed.

TikTok, operated by the Chinese company ByteDance, relies on the Standard Contractual Clauses for International Data Transfers (SCC) issued by the European Commission for the transfer of personal data. Details can be found here:

https://www.tiktok.com/legal/page/eea/privacy-policy/en#share-info

https://www.tiktok.com/legal/page/eea/transferee-countries/en

3.6. ACCOUNTING, LOGISTICS, AND BOOKKEEPING

  • Purpose: processing personal data in the context of any business relationship with suppliers, including systematically recording all business transactions relating to income and expenditure.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Fulfilment of a Legal Obligation(Article 6 para 1 lit c GDPR), Legitimate Interest, esp. defence, exercise, and assertion of legal claims (Article 6 para 1 lit f GDPR), explicit consent (Article 9 para 2 lit a GDPR).
  • Legitimate Interests: Defence, exercise and assertion of legal claims
  • Retention period: Until the end of the business relationship or until the expiry of the guarantee, warranty, limitation and statutory retention periods applicable to the client (especially federal tax regulations, Federal Procurement Act); furthermore, until the end of any legal disputes in which the data is required as evidence.
  • Recipients/categories of recipients: Tax office, courts and authorities, suppliers, debt collection agencies, banks involved in the payment to the data subject or to third parties, legal representatives, auditors, payroll processors.

The provision of your personal data is necessary for the fulfilment of the contract or the implementation of pre-contractual measures. Without this data, we cannot conclude a contract with you.

3.7 APPLICANT MANAGEMENT, FACULTY HIRING

  • Purpose: To use and record personal data provided by job applicants where the data subject has provided such data; to actively approach potential employees via various channels and through contracted recruitment consultants; to conduct human resources management and planning on a global level; including ensuring appropriate staffing; to plan and manage the skills of potential employees; to perform the application process including academic recruitment; to be able to refer to applications received at a later date concerning potential employment.
  • Data subject: Applicants.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), explicit consent (Article 9 para 2 lit a GDPR), the assertion, exercise, and defense of legal claims (Article 9 para 2 lit f GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR; Article 10 GDPR in connection with § 4 para 3 lit 2 DSG).
  • Legitimate Interests: Defence, exercise and assertion of legal claims; Validation of documents submitted by the applicant; Documentation of the selection process, including analyses and interview notes.
  • The following data is processed: letter of application, name, salutation (Mr./Mrs./Ms.) including academic title, name affix, photo (if provided), gender, address, date and place of birth, e-mail address, telephone number, citizenship, position for which you are applying, type of application (e.g. e-mail, LinkedIn, unsolicited application), earliest starting date, period of notice, salary expectations, curriculum vitae, education (school, university etc.), previous professional experience, personal skills and competencies, signature, certificates and references, notes from the interview, any assessments, communication data (including e-mail correspondence) and other data provided by you as part of the application process.
  • Information in accordance with the AI Regulation (esp. Article 50 AI Regulation): As part of the application process, an automated service (processor) is used to verify the authenticity of certificates. This service is classified as an AI system in accordance with Regulation (EU) 2024/1689 on artificial intelligence (the “AI-Act”). This processing is carried out to maintain the integrity of the application process and prevent fraud involving the submission of forged documents. The AI system is based on technical methods for automated document analysis and is used exclusively to support the assessment of submitted certificates’ authenticity. The final decision on recognition remains with human decision-makers.
  • Retention period: Applicant data will be deleted immediately after the advertised position has been filled or after the expiry of the claim period under the Equal Treatment Act (7 months) unless consent has been given to keep the data. Unsolicited applications will be kept on file for the intended purpose until revoked by the data subject); furthermore, until the end of any legal disputes requiring the data as evidence.
  • Data collection by third parties: Recruitment agencies and recruitment platforms.
  • Recipients/categories of recipients: Companies within the meaning of Section 1 (3) of the Federal Act on the Establishment of the Institute of Digital Sciences Austria; departments responsible for the respective appointment; departments accountable for the respective appointment; the Search Committee appointed by us, during the appointment process for professorships, under the Provisional Articles of Association of the Institute of Digital Sciences Austria or the Interdisciplinary Transformation University (IT:U), Part IV, processors, consultants, service providers and processors for the publication of job ads, hotels and other accommodation establishments, if organised by IT:U.

We provide detailed information about faculty hiring on our website.
Provisional Articles of Association – it:u – interdisciplinary transformation university Austria (it-u.at) and a printable version in the English language following this link: https://it-u.at/wp-content/uploads/2024/02/Provisional-Articles-of-Association-January-29-2024.pdf.

A printable version in the German language is provided here: https://it-u.at/wp-content/uploads/2024/02/2024-01-29_IDSA_Satzungsteile-I-bis-V_finale-Version.pdf.

  • Transmission to the following third countries under data protection law:

Some of the above recipients are located outside your country or process your personal data there. The level of data protection in other countries may not be the same as in your country. However, we only transfer your personal data to countries for which the EU Commission has decided that they have an adequate level of data protection. We can also take measures to ensure that all recipients have an adequate level of data protection. For example, we conclude standard contractual clauses for this purpose.

Please refrain from sharing any sensitive information during the application process, such as details regarding ethnic background, political views, religious beliefs, union membership, health status, or sexual orientation. If you voluntarily disclose such information without being prompted, please note that it will be stored as part of your application data.

3.7.1. ON-BOARDING

  • Purpose: The processing and transfer of personal data for relocation, obtaining necessary permits (e.g., Rot-Weiß-Rot Karte), payroll accounting, and fulfilling legal, collective bargaining, or contractual obligations. Processing includes the storage and use of personal data of future employees and their families if voluntarily provided, as well as organizing housing or accommodation if required.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Fulfilment of a Legal Obligation(Article 6 para 1 lit c GDPR), explicit consent (Article 9 para 2 lit a GDPR), the assertion, exercise, and defense of legal claims (Article 9 para 2 lit f GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR; Article 10 GDPR in connection with § 4 para 3 lit 2 DSG).
  • The following data is processed: application letter, name, salutation (Mr./Mrs./Ms.) including academic title, name affix, photo (if provided/necessary), gender, address, date and place of birth, e-mail address, telephone number, citizenship, position for which you are applying, starting date, starting salary, curriculum vitae, education (school, university etc.), previous professional experience, personal skills and competencies, signature, certificates and references, communication data (including e-mail correspondence) and other data provided by you as part of the application process.
  • Retention period: Until the end of the relationship with the data subject and beyond that for as long as the statutory retention period exists or as long as legal claims arising from the (future) employment relationship can be asserted against the employer (in particular the issuing of references, etc.).
  • Data collection by third parties: Relocation agencies.
  • Recipients/categories of recipients: Companies within the meaning of Section 1 (3) of the Federal Act on the Establishment of the Institute of Digital Sciences Austria; departments responsible for the respective appointment; departments accountable for the respective appointment; tax office, courts and authorities, social insurance institutions (including company health insurance funds), labour inspectorate, consultants, service providers and processors, bodies representing organisation interests (in particular works council pursuant to § 89 Z 4 ArbVG (Labour Constitution Act), safety representative in accordance with § 10 ASchG (Employee Protection Act), youth representative pursuant to § 125ff ArbVG (Labour Constitution Act) and disabled person’s representative in accordance with § 22a BEinstG (Disability Employment Act)), apprenticeship office pursuant to § 19 BAG and vocational schools, labour market service, banks involved in the payment to the data subject or to third parties, trade union specified by the employee, with the consent of the data subject, statutory interest groups, pension funds, employee pension fund (MVK) pursuant to § 11 para. 2 Z and § 13 BMVG, legal representatives; chartered accountants; payroll accountants; hotels and other accommodation (if arranged by IT:U); relocation agencies.

The processing of your data is necessary to fulfil the employment contract or implement pre-contractual measures. We cannot conclude or fulfil your employment contract without the data described above.

3.8 APPLICATION AND ADMISSION TO STUDY

  • Purpose: To process applications, evaluate whether applicants meet the necessary study requirements, and carry out the relevant application procedure.
  • Data subjects: Prospective students who want to study at IT:U.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR); Explicit Consent (Article 9 para 2 lit a GDPR), Fulfilment of a Legal Obligation (Article 6 para 1 lit c GDPR), The assertion, exercise and defense of legal claims (Article 9 para 2 lit f GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR).
  • Legitimate Interests: Defence, exercise and assertion of legal claims; Validation of documents submitted by the applicant; Documentation of the selection process, including analyses and interview notes.
  • The following data are processed: title, name, address, e-mail address, date of birth, nationality, CV, letter of motivation and certificates.
  • Information in accordance with the AI Regulation (esp. Article 50 AI Regulation): As part of the application process, an automated service (processor) is used to verify the authenticity of certificates. This service is classified as an AI system in accordance with Regulation (EU) 2024/1689 on artificial intelligence (the “AI-Act”). This processing is carried out to maintain the integrity of the application process and prevent fraud involving the submission of forged documents. The AI system is based on technical methods for automated document analysis and is used exclusively to support the assessment of submitted certificates’ authenticity. The final decision on recognition remains with human decision-makers.
  • Retention period: If the application is rejected, applicant data will be deleted after three (3) years. Successful applications will be added to your student record and stored for at least 80 years (§ 53 UG 2002, § 10 para 10 BilDokG 2020) ); furthermore, until the end of any legal disputes requiring the data as evidence.
  • Recipients/categories of recipients: Processor.

3.9 ALUMNI

  • Purpose: To disseminate information about IT:U activities and to prepare, organise, execute and oversee events and Alumni gatherings; Membership Management.
  • Data subjects: Alumni who studied at IT:U.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), Fulfilment of a contract, necessary for the implementation of pre-contractual measures (Article 6 para 1 lit b GDPR), Fulfilment of a Legal Obligation (Article 6 para 1 lit c GDPR), the assertion, exercise and defence of legal claims (Article 9 para 2 lit f GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR).
  • Legitimate Interests: Defence, exercise and assertion of legal claims.
  • The following data are processed: Master data (title, name, address, e-mail address, degree program).
  • Retention period: Until the end of the membership or until the expiry of statutory retention periods applicable to the data processing (especially federal tax regulations); furthermore, until the end of any legal disputes in which the data is required as evidence.
  • Recipients/categories of recipients: Processor.

3.10 SURVEYS, POLLS AND DIGITAL FORMS

For surveys, polls, and digital forms, we use the Limesurvey service provided by LimeSurvey GmbH, Umfragedienste & Beratung, Papenreye 63, 22453 Hamburg, Germany. Participation in surveys is possible mainly without registration and is often anonymous. The survey organisers responsible for that particular questionnaire determine whether personal data is collected during a survey. The organisers will inform participants about any data processing on the survey’s start page and, if necessary, obtain consent.

  • Purpose: To collect and analyse responses and gather participant insights to evaluate opinions, preferences, and experiences.
  • Data subjects: Interested Parties, survey participants, including but not limited to students, employees, professors and governing bodies, survey organisers.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR); for research purposes § 2d Abs 3 FOG (broad consent).
  • Legitimate Interests: Compiling statistics of the questionnaires; defence, exercise and assertion of legal claims.
  • The following data are processed: IP addresses of participants, email addresses of participants, public statistics, browser cookies to prevent multiple submissions, log data, timestamps, time tracking, Google Analytics settings, name and email address(es) of the organiser(s).
  • Retention period: 6 months for general purposes; for research purposes: 10 years; data needed for the assertion, exercise and defence of legal claims: 30 years; in some instances, data relating to research work in the public interest will be stored indefinitely.
  • Recipients/categories of recipients: Personal data are only made accessible to members of the university’s research team and, where necessary, to cooperation partners or processors. Data may also be transferred to other scientific institutions or journals in pseudonymised or anonymised form, if required for the purpose of the research.

Details of the processor’s specific data collection and processing can be found at the following link: https://www.limesurvey.org/privacy-notice?tid=137686620 (in English only).

3.11 RESEARCH

IT:U conducts research in the public interest to advance scientific knowledge, improve societal outcomes, and fulfil its statutory mandate as a research institution.

  • Purpose: The purpose of data processing is to carry out scientific research projects that contribute to the advancement of knowledge and innovation in accordance with the university’s legal mandate and the public interest.
  • Data subjects: Interested Parties, survey participants, including but not limited to students, employees, professors, governing bodies, and research organisers.
  • Legal basis: Consent (Article 6 para 1 lit a GDPR), and Legitimate Interest (Article 6 para 1 lit f GDPR); for research purposes FOG, especially but not limited to § 2d Abs 3 FOG (broad consent), Section 7 DSG.
  • Legitimate Interests: conducting research that contributes to scientific progress, supports evidence-based decision-making, to fulfils the public service mission; defence, exercise and assertion of legal claims.
  • The following data are processed: Depending on the specific research project, this may include personal data such as age, gender, education, occupation, contact details, and any other information necessary for achieving the research purpose.
  • Retention period: For research purposes: 10 years; data needed for the assertion, exercise and defence of legal claims: 30 years; in some instances, data relating to research work in the public interest will be stored indefinitely.

4. INFORMATION ON DATA TRANSFERS TO THIRD COUNTRIES OR INTERNATIONAL ORGANISATIONS

The personal data we process will not be transferred to third countries or international organisations unless otherwise specified in Clause 3.

5. CHANGE MANAGEMENT

Our website has the latest version of our data protection declaration available for you to access. If there is anything you are unsure about regarding an earlier version, feel free to contact the person appointed in Clause 1. They will be more than happy to help you out with any questions you may have.