Data Privacy Statement

In principle, we collect and use personal data of our users only to the extent necessary to provide a functional website and our content and services. The collection and use of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for reasons of fact and the processing of the data is permitted by law.

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 letter a GDPR serves as the legal basis for the processing of personal data.

In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 letter b GDPR serves as the legal basis. This also applies to processing operations required to carry out precontractual activities.

To the extent that processing of personal data is required to fulfil a legal obligation that governs our business, Art. 6 para. 1 letter c GDPR serves as the legal basis.

If the processing is necessary to safeguard the legitimate interests of our company or a third party, and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 letter f GDPR serves as the legal basis for the processing.

The personal data of the data subject will be deleted or blocked as soon as the purpose for the retention ceases to exist. In addition, such retention may take place if provided for by the European Union or national legislature, in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a retention period prescribed by the standards mentioned expires, unless there is a need for further retention of the data for conclusion of a contract or fulfilment of the contract.

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected here:

• IP address
• Information about the browser type and version used
• Operating system of the user
• Internet service provider of the user
• Date and time of access
• Websites from which the system of the user comes to our website
• Websites that are accessed by the systems of the users through our website
• Error log files

The IP address is fully retained for a period of 7 days and then automatically deleted. Other data that allows for the association of the data with a user will not be retained.

The legal basis for the temporary retention of the data is Art. 6 para. 1 letter f GDPR.

The data is used to optimise the website and to ensure the security of our information technology systems. This also comprises our legitimate interest in data processing as per Art. 6 para. 1 letter f GDPR.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of collecting the data for provisioning the website, this is the case when the respective session is completed.

The collection of data for the provision of the website and the retention of the data in log files is essential for the operation of the website. There is consequently no opt-out option on the part of the user.

Our website uses cookies. Cookies are text files that are retained by the Internet browser or the Internet browser on the computer system of the user. When a user accesses a website, a cookie may be retained on the operating system of the user. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened. Cookies that are already on the computer may be deleted at any time. The procedure for doing so can be found in your browser manual (under "Help" in the browser menu).

We use cookies to make our website more user-friendly. In this context, however, no personal data is generated; the IP address is automatically anonymised.

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 letter f GDPR.

The purpose of using technically necessary cookies is to facilitate the use of websites for users. Some features of our website cannot be offered without the use of cookies. For these, it is necessary that the browser be recognised even after a site change.

For these purposes, our legitimate interest lies in the processing of personal data as per Art. 6 para. 1 letter f GDPR.

Cookies are retained on the computer of the user and transmitted by it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been retained may be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to fully utilise all the functions of the website.

On our website, there is the possibility for alumni to subscribe to free information. The data from the input mask will be sent to us during registration.

• First Name
• Last Name
• Gender
• E-Mail

In addition, the following data is collected upon registration:

• Date and time of registration

For the processing of the data, your consent is obtained during the registration process and reference is made to this data protection statement.

The legal basis for the processing of the data after registration for the newsletter by the user is in the presence of consent of the user as per Art. 6 para. 1 letter a GDPR.

The collection of alumni data serves to provide information material.

The collection of other personal data in the context of the registration process serves to pre-vent misuse of the services or the email address used and to generate a personalised greeting.

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The user’s data is therefore retained as long as the subscription is active.

The subscription may be terminated at any time by the affected user. For this purpose, there is a corresponding link in each newsletter.

You may ask the controller for a confirmation as to whether personal data concerning you is processed by us.

If such processing is available, you may request disclosure from the controller regarding the following information:

1. The purposes for which the personal data is processed;
2. The categories of personal data that are processed;
3. The recipients or categories of recipients to whom the personal data concerning you has been disclosed or is still being disclosed;
4. The planned duration of the retention of your personal data or, if specific information is not available, criteria for determining the retention period;
5. The existence of a right to rectification or deletion of the personal data concerning you, a restriction on processing by the controller or a right to opt-out from this processing;
6. The existence of a right of appeal to a supervisory authority;
7. All available information on the source of the data if the personal data is not collected from the data subject;
8. The existence of automated decision-making including profiling as per Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject. 

You have the right to request information about whether the personal data concerning you is sent to a third-party country or an international organisation. In this regard, you may request that you be informed about the appropriate guarantees as per Art. 46 GDPR in connection with the transmission.

You have a right to rectification and/or completion with the controller, if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without delay.

You may request the restriction on processing of your personal data under the following conditions:

1. If you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal data;
2. The processing is unlawful and you reject the deletion of the personal data and instead request the restriction on the use of the personal data;
3. The controller no longer needs the personal data for the purposes of processing, you, however, require them for the assertion, exercise or defence of legal claims, or
4. If you object to the processing as per Art. 21 para. 1 GDPR and it is not yet certain whether the legitimate reasons of the controller prevail over your reasons. 

If the processing of personal data concerning you has been restricted, this data may only be used - apart from its retention - with your consent or for the assertion, exercise or defence of legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

If the limitation on processing after the above-mentioned conditions is restricted, you will be informed by the controller before the limitation is lifted.

a) Deletion obligation

You may require the controller to delete your personal information without delay and the controller is required to delete that information immediately, if one of the following reasons applies:

1. Your personal data is no longer necessary for the purposes for which they were collected or otherwise processed.
2. You revoke your consent to the processing as per Art. 6 para. 1 letter a or Art. 9 para. 2 letter a GDPR and there is no other legal basis for the processing.
3. You object, as per Art. 21 para. 1 DSVGO to the processing and there are no overriding level legitimate grounds for processing, or you object, as per Art. 21 para. 2 GDPR, to the processing. 
4. Your personal data has been processed unlawfully.
5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under European Union or member state law to which the controller is subject.
6. Your personal data has been collected in relation to information society services offered as per Art. 8 para. 1 GDPR. 

b) Information to third parties

If the controller has made your personal data public and is required, as per Art. 17 para. 1 GDPR, to delete it, taking into account the available technology and the implementation costs, it shall take appropriate measures, including technical means, to inform the processors, that you, the data subject, have requested that they delete all links to such personal data or copies or replications of such personal data.

c) Exceptions

The right to deletion does not exist if the processing is necessary

1. To exercise the right to freedom of expression and information;
2. To fulfil a legal obligation required by the law of the European Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of official authority delegated to the controller;
3. For reasons of public interest in the area of public health, as per Art. 9 para. 2 letter h and in a broader sense per Art. 9 para. 3 GDPR;
4. For archival purposes of public interest, scientific or historical research purposes or for statistical purposes, as per Art. 89 para. 1 GDPR, insofar as the law referred to in section a) is likely to render impossible or seriously prejudice the achievement of the objectives of that processing, or
5. For the assertion, exercise or defence of legal claims.  

If you have the right of rectification, deletion or limitation on processing vis-a-vis the controller, it is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or limitation on processing, unless this proves impossible or involves a disproportionate effort.

You have a right against the controller to be informed about these recipients.

You have the right to receive the personal data that you have provided to the controller in a structured, common and machine-readable format, if technically possible. In addition, you have the right to transfer this data to another controller without hindrance by the controller for providing the personal data, provided that

1. the processing is based on consent as per Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract as per Art. 6 para. 1 letter b GDPR and
2. the processing is done using automated procedures. 

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

You have the right, due to reasons which result from a special situation, at any time, to opt-out from the processing of your personal data, which arise due to Art. 6 para. 1 letter e or f GDPR.

The controller will no longer process your personal data unless it can demonstrate compelling legal grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the assertion, exercise or defence of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to opt-out at any time from the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you opt-out from the processing for the purpose of direct advertising, your personal data will no longer be processed for these purposes.

You may, in the context of the use of information society services - notwithstanding Directive 2002/58/EC - exercise your opt-out right by means of automated procedures using technical specifications. 

You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of your personal data is in violation of the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy as per Art. 78 GDPR.

Die Medizinische Universität Graz ist für die Verarbeitung Ihrer personenbezogenen Daten verantwortlich und trifft technische und organisatorische Maßnahmen, um diese angemessen zu schützen. Die Verarbeitung Ihrer Daten erfolgt im Einklang mit den geltenden nationalen und europäischen Rechtsnormen, wie insbesondere der Datenschutzgrundverordnung (DS-GVO), dem Datenschutzgesetz (DSG), dem Forschungsorganisationsgesetz (FOG), dem Arzneimittelgesetz (AMG), dem Medizinproduktegesetz (MPG) und dem Krankenanstalten- und Kuranstaltengesetz (KAKuG).

In Zusammenarbeit mit der Steiermärkischen Krankenanstaltengesellschaft mbH versorgt die Medizinische Universität Graz am Landeskrankenhaus-Universitätsklinikum Graz Patientinnen und Patienten nach dem neuesten Stand der Wissenschaft. Die dabei gewonnenen Erkenntnisse sind sowohl für die Forschung als auch für die medizinische Ausbildung von besonderer Wichtigkeit. Im Rahmen Ihrer medizinischen Behandlung, Diagnostik, Teilnahme an klinischen Studien oder klinischen Prüfungen werden Ihre personenbezogenen Daten primär dazu verarbeitet, um Ihnen eine bestmögliche medizinische Versorgung zu gewährleisten. In der Folge können diese seitens der Medizinischen Universität Graz auch für die medizinische Forschung verwendet werden, deren Ziel es ist, die Diagnostik zu verbessern, das Verständnis für die Entstehung von Krankheiten zu vertiefen, neue Ansätze für die Behandlung zu finden oder die medizinische Versorgung zu optimieren. Die Verarbeitung Ihrer personenbezogenen Daten in der Forschung ist für den medizinischen Fortschritt von großer Bedeutung. Ihre Daten werden dabei so verarbeitet, dass aus den Daten nicht auf Ihre Identität geschlossen werden kann. Bevor ein Forschungsvorhaben am Menschen umgesetzt wird, wird es der Ethikkommission der Medizinischen Universität Graz zur Begutachtung vorgelegt. Gegebenenfalls werden Ihre Daten an Partner und/oder Dritte in Österreich, der Europäischen Union oder Drittländern im Rahmen von Forschungsprojekten weitergegeben. Sämtliche Personen, die Zugang zu Ihren Daten erhalten, sind gesetzlich und vertraglich zur Geheimhaltung und Wahrung des Datengeheimnisses verpflichtet. Ihre Daten werden auf Grundlage gesetzlicher Bestimmungen zur Wahrung im öffentlichen Interesse liegender Archivzwecke, wissenschaftlicher oder historischer Forschungszwecke oder für statistische Zwecke (Art 9 Abs 2 lit j DSGVO, Universitätsgesetz) oder aufgrund Ihrer ausdrücklichen Einwilligung (Art 9 Abs 2 lit a DSGVO) verarbeitet.

Die angegebenen personenbezogenen Daten werden für die Dauer gesetzlicher Aufbewahrungsfristen gespeichert.

Ihnen stehen die Rechte auf Auskunft, Berichtigung, Löschung, Einschränkung der Verarbeitung, Datenübertragbarkeit, Widerspruch gegen die Datenverarbeitung und Widerruf der Einwilligung zu. Eine Einwilligung kann von Ihnen jederzeit widerrufen werden. Bitte beachten Sie, dass durch den Widerruf die bis dahin erfolgte Verarbeitung nicht berührt wird. Dafür wenden Sie sich bitte an den Datenschutzbeauftragten (datenschutz@medunigraz.at), der Ihnen auch bei Fragen zum Thema Datenschutz zur Verfügung steht. Weiters weisen wir Sie darauf hin, dass Beschwerden oder Ansprüche im Zusammenhang mit Datenschutz bei der Datenschutzbehörde der Republik Österreich geltend gemacht werden können.