General data protection information

Preamble
As one of the largest universities in Austria, the Paris Lodron University of Salzburg (hereinafter referred to as “PLUS”) is also a role model in the area of data protection. Naturally, a large amount of personal data is processed at PLUS in a wide variety of ways. The protection of this personal data is therefore particularly important to the PLUS. With this privacy policy, we are fulfilling our duty to provide information in accordance with Articles 13 and 14 of the General Data Protection Regulation (hereinafter “GDPR”). Here you will find information about which personal data is processed at the university, for what purpose and on what legal basis.

The University of Salzburg attaches great importance to the protection of personal data and we treat all processed personal data confidentially and in compliance with the legal provisions.

Declaration on the duty to inform:
The protection of your personal data is of particular concern to us. The University of Salzburg handles your personal data carefully and conscientiously. We therefore process your data exclusively on the basis of the legal provisions of national and European law.

We would like to point out that you have the right to information, correction, deletion, restriction of processing and the right to object to processing of your personal data within the scope provided by law. Enquiries or requests in this context can be sent to datenschutz(at)sbg.ac.at.

If the processing is based on consent, you can also revoke this at any time by sending an e-mail to datenschutz(at)sbg.ac.at, whereby the lawfulness of the data processing carried out until the revocation remains unaffected by the revocation. Please address revocations against the consent to receive a newsletter directly to the sender.

You have the right to lodge a complaint against unlawful data processing with the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, telephone: +43 1 52 152-0, e-mail: dsb(at)dsb.gv.at as the competent supervisory authority.

Overview:
I. Data protection at the PLUS
II. General information on data protection
III. Rights of the data subjects
IV. Processing activities of the PLUS
V. Possibility of filing a complaint with the data protection authority

The privacy information was last updated on 01.12.2023.

I. Data protection at the PLUS

PLUS is the “controller” within the meaning of Article 4(7) GDPR for the processing of personal data. In order to ensure the best possible protection of your personal data and to comply with our obligations under data protection law, the PLUS has appointed an external data protection officer who, in cooperation with the internal data protection coordinator, is responsible for the protection of your personal data. This organization ensures that data protection at the PLUS is independent and free of conflicts of interest. Internally, numerous trained data protection contact persons are also available to university members.

Responsible for data processing:
Paris Lodron University of Salzburg
Kapitelgasse 4-6
5020 Salzburg

Tel: 0043(0) 662 8044-0

Data Protection Officer:
Michael Hasler
Kapitelgasse 4-6
5020 Salzburg

Tel: 0043(0) 662 8044-2007

 

II. General Information Regarding Data Protection

The main legal bases for data protection at PLUS are

  • the General Data Protection Regulation (GDPR)
  • the Austrian Data Protection Act (DSG)
  • the Austrian Telecommunications Act (TKG)
  • the Austrian Universities Act (UG)
  • the Austrian Research Organization Act (FOG)
  • the Austrian Education Documentation Act (BilDokG)
  • the Austrian Federal Archives Act

This is not an exhaustive list. Numerous other legal sources may be relevant for the solution of a data protection issue.

How important is data protection?
The protection of natural persons with regard to the processing of personal data is a fundamental right, i.e. a subjective right guaranteed under constitutional law. Everyone is entitled to the confidentiality of personal data concerning them, in particular with regard to respect for their private and family life, insofar as there is an interest worthy of protection (see constitutional provision § 1 DSG).

What is personal data?
According to Article 4(1) GDPR, “personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What is meant by the “processing” of personal data?
According to Article 4(2) GDPR, “processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The “processing” of personal data therefore includes practically all behavior that involves personal data. This does not necessarily have to be done digitally; personal data can also be processed in analog form, for example by using paper.

When may personal data be processed?
In principle, the processing of personal data is prohibited (“prohibition principle”). However, it is permitted if there is a legal basis that allows the processing of personal data in individual cases (“permission principle”). Article 6(1) of the GDPR exhaustively lists all cases in which the processing of personal data is permitted by way of exception:

(a) The data subject has given consent to the processing of personal data concerning him or her for one or more specific purposes.
(b) Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
(c) Compliance with a legal obligation.
(d) Processing is necessary in order to protect the vital interests of the data subject or of another natural person.
(e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

How is the processing carried out?
Article 5 GDPR sets out the processing principles. The PLUS is responsible for compliance with these principles and must be able to demonstrate compliance (“accountability”). According to Article 5(1) GDPR, personal data must be

(a) processed lawfully, fairly and in a manner that is transparent to the data subject (“lawfulness, fairness and transparency”)
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes in accordance with Article 89(1) (“purpose limitation”);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”)
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data are processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to the implementation of appropriate technical and organizational measures required by this Regulation to safeguard the rights and freedoms of the data subject (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organizational measures (‘integrity and confidentiality’);

 

How is the security of processing guaranteed?
Data protection law grants data subjects numerous rights. However, these rights cannot completely rule out the possibility of personal data being lost by a controller or falling into the hands of third parties. Article 32 GDPR obliges controllers such as PLUS to take appropriate technical and organizational measures to achieve a high level of security in processing. PLUS has therefore taken numerous measures to ensure the security of processing:

  • Issuing a data protection guideline
  • Training of university staff
  • Two-factor authentication
  • Encryption of data
  • VPN use
  • IT security audits
  • Update management

For security reasons, it is not possible to list all the measures that PLUS has established to ensure the security of processing.

III. Data Subject Rights

Principles for asserting your rights
In accordance with Article 42 of the Data Protection Act (DSG), PLUS is obliged to process your requests in the most precise, comprehensible and easily accessible form possible and in clear and simple language. Where possible, our information must be provided in the same form as your request. For example, if you submit your request by e-mail, we will respond to your request by e-mail. We must also inform you immediately in writing of how your application has been dealt with. If we do not respond to your request immediately, we will inform you that we have received your request and that it is being processed. If the requirements are met, we are obliged to respond to your application within one month at the latest. This period may be extended by a further two months if this is necessary in view of the complexity and number of applications. In this case, you will be informed accordingly. Your rights are listed in detail below, with only excerpts from the relevant legal provisions.

Right of access – Art 15 GDPR
Article 15 GDPR grants data subjects the right of access. You have the right to request confirmation from PLUS as the controller as to whether personal data concerning you is being processed. If this is the case, you have the right of access to this personal data and to the following information

(a) the purposes of the processing
(b) the categories of personal data being processed
(c) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations
(d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
(e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
(f) the existence of the right to lodge a complaint with the data protection authority
(g) where the personal data are not collected from the data subject, any available information as to their source
(h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer.

Right to rectification – Art. 16 GDPR
You have the right to obtain from PLUS without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

Right to erasure – Art. 17 GDPR
You have the right to obtain from PLUS the erasure of personal data concerning you without undue delay and PLUS is obliged to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2)
(d) The personal data have been processed unlawfully.
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1)

Right to data portability – Art. 20 GDPR

You have the right to receive the personal data concerning you, which you have provided to PLUS, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and
(b) the processing is carried out by automated means.

Right to object – Art. 21 GDPR
The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions. The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

IV. Processing Activities

As a university, we process personal data in numerous ways. We are only obliged to provide visitors to the website with comprehensive information as part of the privacy policy on our homepage. If we process personal data in other ways, the information may be provided separately, for example when concluding a contract. We have provided additional information for members of the university on the intranet. Nevertheless, we provide a lot of information online. Below you will find an overview of the categories of data subjects at PLUS. For categories of data subjects for which a link is provided, this link will take you to data protection information about this category of data subject.

  • Graduates
  • Alumni Club members
  • Applicants
  • People seeking help from the AKG
  • Whistleblowers
  • Research projects
  • Suppliers
  • Employees
  • Mobility programs
  • Language course participants
  • Study applicants
  • Students
  • USI customers
  • Visitors to events
  • Website visitors

V. Possibility of filing a complaint at the supervisory authority

Austrian Data Protection Authority
Barichgasse 40-42
1030 Vienna
Telephone: +43 1 52 152-0