Privacy Policy (Information according to Art. 13 and 14 GDPR)

We, the Research Institute AG & Co KG (also referred to as “Research Institute”, “RI” or “we” in this data protection declaration), are committed to the principles of personal data protection and data minimisation. The use of our website and our scientific and business activities generally involve the processing of personal data. In order to make this data processing comprehensible, we would like to inform you in our data protection statement about how we process personal data and what rights you have in this context. Should you have any further questions, you will find our contact details below.

I. Who we are and how you can contact us if you have any questions:

The data controller within the meaning of the General Data Protection Regulation (GDPR) is:

Research Institute AG & Co KG
Amundsenstrasse 9
1170 Vienna
Company registration number: FN 355966 f
E-mail: office@researchinstitute.at
Telephone: +43 1 524 3 524 – 0

You can reach our data protection officer as follows:
Data Protection Officer
c/o Research Institute AG & Co KG
Amundsenstrasse 9
1170 Vienna
E-mail: dsba@researchinstitute.at

II. Our data processing – for what purpose and on what legal basis we process personal data:

II.1 General: We process personal data in compliance with the relevant data protection regulations, in particular the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and the Austrian Data Protection Act (DSG). Processing by us therefore only takes place where there is a legal basis (in particular pursuant to Art 6 (1) lit a – f GDPR), which is specified below for the individual data processing operations. All our employees entrusted with the processing are obliged to maintain the confidentiality of your data (data secrecy). RI does not carry out any automated decision-making.

In principle, we collect personal data from the data subject. In individual cases, we collect and store personal data (in particular name, contact information) on the basis of correspondence with our customers and business partners or from publicly accessible sources (e.g. telephone directory, websites, company register) on the basis of Art 6 para 1 lit f GDPR (and thus not directly from the data subject), if this is necessary for our service provision or for contacting and administration, which is also our legitimate interest.

II.2 Operation of our website:

Each time you access our website (www.researchinstitute.at), your computer (terminal device) or browser automatically transmits certain information to enable the visit or operation of the website:

– IP address

– Date and time of the request

– Time zone difference to Greenwich Mean Time (GMT)

– Content of the request (page/content to be retrieved)

– Access status/HTTP(S) status code

– Browser and browser version

– Operating system and its interface

This data is stored in the log files of our system. This data is not stored together with other personal data of the user.

Legal basis and purpose of data processing

The legal basis for the processing of the data and their temporary storage in log files is Art 6 para 1 lit f GDPR. The temporary storage of the aforementioned data by the system is necessary to enable delivery of the website to the user’s computer. The storage in log files takes place in order to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems, in particular to guarantee the integrity, confidentiality and availability of the data processed via our website. These purposes also constitute our legitimate interest in data processing pursuant to Art 6 (1) (f) GDPR. This data is not stored together with other personal data of the user.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. When storing the data in log files, this is the case after seven days at the latest, unless further processing is necessary to clarify a (suspected) attack.

Personal data that is collected during the operation of the website will only be transferred to third parties (in particular to experts and security authorities) in the event of a (suspected) data security incident or a criminal offence (e.g. an attack) for the purposes of clarification, prosecution and the assertion of legal claims.

Third-party websites: Our website sometimes contains hyperlinks to and from third-party websites (e.g. in our event notices). If you follow a hyperlink to one of these websites, please note that we cannot accept any responsibility or guarantee for third-party content or data protection conditions.

II.3 Use of cookies

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. When a user calls up a website, a cookie may be stored on the user’s system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. In the “session cookies” we use, only the data explained above about your use of the website is temporarily stored. These store a so-called “session ID”, with which various requests from your browser can be assigned to a common session. The session cookies used are technically necessary and are deleted when you close the browser. These cookies are not used to carry out “tracking” or to establish a personal reference.

Legal basis and purpose for data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a page change.

This purpose is also our legitimate interest in processing the personal data according to Art 6 (1) lit f GDPR.

Duration of storage, possibility of objection and removal

Cookies are stored on the user’s computer and transmitted to our site by the user. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all the functions of the website to their full extent.

II.4 Twitter:

We use the short message service “Twitter” under the handle @researchinst and make use of the platform of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103 USA. The data controller (for persons living outside the USA) is: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland. We would like to point out that you use this short message service and its functions (e.g. Retweet, Like) on your own responsibility and that we have no influence on the data processing by Twitter. You can find more information on processing by Twitter in Twitter’s data protection declaration: https://twitter.com/de/privacy.

The data you publish on Twitter, in particular your handle (user name) and the content accessible under your account, are processed by us insofar as we retweet them (“tweets”) where applicable, reply to them or write tweets of our own that refer to your account.

II.5 Providing services and customer support and information in this context (selling and offering our services and managing these services):

We process personal data for the purposes of providing our services, customer support and information, including internal documentation and administration. The legal basis for processing the data is the performance of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR); the fulfilment of legal obligations (Art 6 para 1 lit c GDPR) as well as our legitimate interests (Art 6 para 1 lit f GDPR), in particular interests of asserting or defending our own legal claims as well as internal administration within the company.

For the conclusion of a contract, the provision of certain personal data is required by law or contract, and the respective data subject is obliged to provide it; otherwise, no conclusion of a contract (and thus no provision of services) is possible.

II.6 Contacting us:

When contacting us (e.g. via contact form or e-mail), the information provided by the enquirer (name, contact details, other information) is processed for the documentation, processing and answering of the enquiry. We offer a contact form on our website. We have marked the data that is absolutely necessary to answer an enquiry as mandatory fields. The provision of further data is voluntary.

The basis for this is our legitimate interest in the proper documentation, processing and answering of the enquiry (Art 6 para 1 lit f GDPR); in the event of contact being made in an existing customer relationship or the initiation of a business relationship, we base this on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR).

If you contact us in order to fulfil your obligations under labour or civil law as an employee (service user) for your employer or other client, we also have a legitimate interest in the proper documentation, processing and response to the enquiry (Art 6(1)(f) GDPR), which also includes your data as an external contact person; in the event of contact being made in a valid customer relationship or the initiation of a business relationship, we base this on the fulfilment of the contract or the implementation of pre-contractual measures (Art 6(1)(b) GDPR).

II.7 Applications:

We process data of applicants on the basis of Art 6 para 1 lit b GDPR (pre-contractual measures) and Art 6 para 1 lit f GDPR for the purpose of carrying out the application procedure and contacting the applicant.

If you apply for a vacancy and are not hired, we store the personal data for six months from the end of the application procedure (deadline for asserting claims according to §§ 15 para. 1 and 29 GlBG) on the basis of Art 6 para. 1 lit f GDPR. If the applicant consents to this in the respective individual case, we keep the specific application documents on record for a further period of up to two years.

If it is a speculative application, we process the application documents for a maximum of two years on the basis of Art 6 para 1 lit f GDPR in order to be able to contact the applicant for suitable positions, whereby an informal objection to the processing can be raised at any time.

In any case, it is necessary to provide proof of qualification in order to conclude a contract. In individual cases, depending on the requirements for filling a position, it may also be necessary to submit further data (e.g. criminal record extract). If the required data are not submitted, such an application cannot be considered. In the event of contact by us with references provided by the applicant, data and information on a previous employment relationship may be collected by appropriate third parties. In the event that an employment relationship is established, the application documents will be further used for the purpose of personnel administration.

II.8 Online meetings via “BigBlueButton”:

Purpose of the processing

We use the tool “BigBlueButton” to conduct telephone conferences, online meetings, video conferences and/or webinars (hereinafter “online meetings”). For the hosting of “BigBlueButton”, we use JAR Media GmbH (operator of the portal bbbserver.de) with its place of business in Germany as a processor.

Categories of data processed

Various types of data are processed when using “BigBlueButton”. The scope of the data also depends on the data you provide before or during participation in an “online meeting”:

– Personal master data (e.g. name – if you provide this)

– Communication data, insofar as this is technically necessary (e.g. IP address)

– Image and sound data and text/chat messages within online meetings; you can mute your camera or microphone yourself at any time

– Meeting metadata (e.g. topic of the meeting; survey results in “BigBlueButton”; duration)

– When dialing in with the telephone: information on the incoming and outgoing call number, country name, start and end time

Scope of data processing

We use “BigBlueButton” to conduct “online meetings”. If we want to record “online meetings”, we will transparently inform you in advance and – if necessary – ask for your consent. The fact of the recording will also be displayed to you in the “BigBlueButton” interface.

Where necessary for the purposes of logging the outcomes of an online meeting, we will log the chat content. In the case of webinars, we may also process the questions asked by webinar participants for the purpose of recording and following up webinars.

Automated decision-making within the meaning of Article 22 of the GDPR does not take place.

Legal basis for data processing

The legal basis for the processing of data is the fulfilment of the contract or the implementation of pre-contractual measures (Art 6 para 1 lit b GDPR) as well as our legitimate interests (Art 6 para 1 lit f GDPR), in particular interests of effective communication.

A recording of the video conference event or of shared screen content is only made after consent has been granted in accordance with Art 6 para 1 lit a GDPR. The default settings in BigBlueButton are defined in such a way that no automatic recording takes place. Recording may only take place with the consent of all participants concerned and only insofar as this is necessary for official or contractual purposes or for the specific fulfilment of tasks. The fact of recording is indicated to the participants in the BigBlueButton interface by a “red record symbol”.

II.9 To whom do we transfer personal data?

We transmit your personal data only to the extent necessary and only in the following cases:

– with your consent;

– for the processing of contractual relationships or for the implementation of pre-contractual measures;

– as far as we are legally obliged to do so;

– to companies that support us in providing our services; these service providers act as order processors who may only process the data in accordance with our instructions (within the framework of an order processing contract);

– insofar as this is necessary to protect our legitimate interests (e.g. to assert, exercise or defend legal claims) or those of a third party and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data.

In the above-mentioned cases, the following third parties come into question: contractual and business partners involved in the delivery or service (e.g. logistics companies), banks (for processing payment transactions), legal representatives, courts, chartered accountants/tax consultants, administrative authorities, self-governing bodies (social insurance institutions), insurance companies.

In principle, the RI does not intend to transfer personal data to recipients in third countries or international organisations. Such a transfer is possible if a data subject or a party involved in the specific case has its registered office in a third country (e.g. in the case of a customer with headquarters outside the EU). If we transfer data to a country without adequate legal data protection, we ensure an adequate level of protection through the use of appropriate guarantees in the form of corresponding contracts (standard contractual clauses) or binding internal data protection regulations (Binding Corporate Rules) or rely on the exceptional circumstances otherwise provided for in the GDPR (consent, the performance of a contract, the establishment, exercise or enforcement of legal claims, overriding public interests, published personal data or because it is necessary to protect the integrity of the data subjects). For a copy of the contractual guarantee mentioned, contact us at the contact details provided.

In this context, we also point out that any data voluntarily published by users of our services themselves (e.g. online comments on the website) are public and potentially accessible worldwide.

Personal data processed in connection with participation in “online meetings” will not be disclosed to third parties as a matter of principle, unless it is specifically intended for disclosure. Please note that the content of online meetings, as well as on-site meetings, is often used to communicate information with customers, interested parties or third parties and is therefore intended to be passed on.

III. How long do we store personal data?

Unless stated otherwise in the respective processing, we generally store personal data for as long as is necessary to ensure the fulfilment of the stated purposes or for as long as we are legally obliged to do so.

This means in the case of business letters, contracts, bookings etc. in accordance with § 212 para. 1 UGB and § 132 para. 1 BAO: until the end of the business relationship or until the expiry of the limitation and statutory retention periods applicable to us (in particular at least 7 years to prove compliance with retention obligations under tax, duty and company law); in addition, until the end of any legal disputes in which the data is required as evidence. In the case of services where claims for damages or other titles are asserted, for the required period (between 3 and 30 years).

In the case of enquiries (contacting us): Personal data that you voluntarily disclose to us will be stored by us for the purpose of providing the associated processing and evidence (for up to 3 years after completion or termination), unless a longer storage period is also required for the purpose of fulfilling a legal obligation or for asserting or defending legal claims.

IV. Rights of the data subject

Provided that the respective statutory requirements are met, you may assert the following data subject rights:

Right to information: you can request confirmation as to whether personal data relating to you is being processed and request information about this data and the information pursuant to Art 15 GDPR.

Right to rectification if we process inaccurate or incomplete data about you (Art 16 GDPR).

Right to erasure of personal data concerning you if the conditions of Art 17 GDPR are met.

Right to restrict the processing of your data (Art 18 GDPR).

Right to data portability of your data provided to us, if the processing is based on consent (Art 6(1)(a)) or on a contract (Art 6(1)(b)) to which you are a party and the processing is carried out with the help of automated procedures (Art 20 GDPR).

In the case of processing based on legitimate interests (pursuant to Article 6(1)(f) of the GDPR), you have the right to object to the processing of your personal data pursuant to Article 21 of the GDPR, provided that there are grounds for doing so that arise from your particular situation. In the case of processing for the purpose of direct marketing, this right exists without restrictions.

You can revoke consent given for the processing of personal data at any time; to do so, please contact us (see our contact details). The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Right of complaint: You have the right to lodge a complaint with a supervisory authority responsible for you (in Austria: data protection authority, www.dsb.gv.at) if you are of the opinion that the processing of personal data concerning you violates the GDPR or your data subject rights have been violated. We request that you first contact us in cases where you were not completely satisfied with our work, so that we have an opportunity to rectify any errors.

Changes to our privacy policy

We will keep our privacy policy up to date and will therefore amend it where necessary. The current version of our data protection declaration is available at https://researchinstitute.at/en/privacy-policy.

As of 30.8.2021