Data Privacy Statement

1. Name and address of the controller

The controller within the meaning of the EU General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations is the:

Medizinische Universität Graz
Neue Stiftingtalstraße 6, 8010 Graz
office.datenschutz(at)medunigraz.at
www.medunigraz.at/datenschutz

2. Contact data of the data protection officer

The data protection officer of the controller may be reached at the following contact data:

E-Mail: datenschutz(at)medunigraz.at

3. General information on data processing

Scope of the processing of personal data

In principle, we collect and use personal data of our users only to the extent necessary to provide a functional website and our content and services. The collection and use of personal data of our users takes place regularly only with the consent of the user. An exception applies to cases in which prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing of personal data, Art. 6 para. 1 letter a GDPR serves as the legal basis for the processing of personal data.

In the processing of personal data necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 letter b GDPR serves as the legal basis. This also applies to processing operations required to carry out precontractual activities.

To the extent that processing of personal data is required to fulfil a legal obligation that governs our business, Art. 6 para. 1 letter c GDPR serves as the legal basis.

If the processing is necessary to safeguard the legitimate interests of our company or a third party, and the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 letter f GDPR serves as the legal basis for the processing.

Data deletion and retention duration

The personal data of the data subject will be deleted or blocked as soon as the purpose for the retention ceases to exist. In addition, such retention may take place if provided for by the European Union or national legislature, in EU regulations, laws or other regulations to which the controller is subject. Blocking or deletion of the data also takes place when a retention period prescribed by the standards mentioned expires, unless there is a need for further retention of the data for conclusion of a contract or fulfilment of the contract.

4. Provisioning of the website and creation of log files

Description and scope of the data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected here:

  • IP address
  • Information about the browser type and version used
  • Operating system of the user
  • Internet service provider of the user
  • Date and time of access
  • Websites from which the system of the user comes to our website
  • Websites that are accessed by the systems of the users through our website
  • Error log files

The IP address is fully retained for a period of 7 days and then automatically deleted. Other data that allows for the association of the data with a user will not be retained.

Legal basis for the data processing

The legal basis for the temporary retention of the data is Art. 6 para. 1 letter f GDPR.

Purpose of the data processing

The data is used to optimise the website and to ensure the security of our information technology systems. This also comprises our legitimate interest in data processing as per Art. 6 para. 1 letter f GDPR.

Retention period

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of collecting the data for provisioning the website, this is the case when the respective session is completed.

Opt-out and removal options

The collection of data for the provision of the website and the retention of the data in log files is essential for the operation of the website. There is consequently no opt-out option on the part of the user.

5. Use of cookies

Description and scope of the data processing

Our website uses cookies. Cookies are text files that are retained in or by the Internet browser on the computer system of the user. When a user accesses a website, a cookie may be retained on the operating system of the user. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened. Cookies that are already on the computer may be deleted at any time. The procedure for doing so can be found in your browser manual (under "Help" in the browser menu).

We use cookies to make our website more user-friendly. In this context, however, no personal data is generated; the IP address is automatically anonymised.

Legal basis for the data processing

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 letter f GDPR.

Purpose of the data processing

The purpose of using technically necessary cookies is to facilitate the use of websites for users. Some features of our website cannot be offered without the use of cookies. For these, it is necessary that the browser be recognised even after a site change.

For these purposes, our legitimate interest lies in the processing of personal data as per Art. 6 para. 1 letter f GDPR.

Retention period, opt-out and removal options

Cookies are retained on the computer of the user and transmitted by it to our site. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been retained may be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to fully utilise all the functions of the website.

6. Newsletter / Information for alumni

Description and scope of the data processing

On our website, there is the possibility for alumni to subscribe to free information. The data from the input mask will be sent to us during registration.

  • First Name
  • Last Name
  • Gender
  • E-Mail

In addition, the following data is collected upon registration:

  • Date and time of registration

For the processing of the data, your consent is obtained during the registration process and reference is made to this data protection statement.

Legal basis for the data processing

Where the user has given consent, the legal basis for the processing of the data after registration for the newsletter by the user is Art. 6 para. 1 letter a GDPR.

Purpose of the data processing

The collection of alumni data serves to provide information material.

The collection of other personal data in the context of the registration process serves to prevent misuse of the services or the email address used and to generate a personalised greeting.

Retention period

The data will be deleted as soon as it is no longer necessary for the purpose of its collection. The user’s data is therefore retained as long as the subscription is active.

Opt-out and removal options

The subscription may be terminated at any time by the affected user. For this purpose, there is a corresponding link in each newsletter.

7. Rights of the data subjects

If your personal data is processed, you are the data subject and have the following rights with the controller:

Right to information

You may ask the controller for a confirmation as to whether personal data concerning you is processed by us.

If such processing takes place, you may request disclosure from the controller regarding the following information:

  1. The purposes for which the personal data is processed;
  2. The categories of personal data that are processed;
  3. The recipients or categories of recipients to whom the personal data concerning you has been disclosed or is still being disclosed;
  4. The planned duration of the retention of your personal data or, if specific information is not available, criteria for determining the retention period;
  5. The existence of a right to rectification or deletion of the personal data concerning you, a restriction on processing by the controller or a right to opt-out from this processing;
  6. The existence of a right of appeal to a supervisory authority;
  7. All available information on the source of the data if the personal data is not collected from the data subject;
  8. The existence of automated decision-making including profiling as per Art. 22 para. 1 and 4 GDPR and, at least in these cases, meaningful information about the logic involved, and the scope and intended impact of such processing on the data subject. 

You have the right to request information about whether the personal data concerning you is sent to a third-party country or an international organisation. In this regard, you may request that you be informed about the appropriate guarantees as per Art. 46 GDPR in connection with the transmission.

Right to rectification

You have a right to rectification and/or completion with the controller, if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without delay.

Right to restriction on processing

You may request the restriction on processing of your personal data under the following conditions:

  1. If you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal data;
  2. The processing is unlawful and you reject the deletion of the personal data and instead request the restriction on the use of the personal data;
  3. The controller no longer needs the personal data for the purposes of processing, you, however, require them for the assertion, exercise or defence of legal claims, or
  4. If you object to the processing as per Art. 21 para. 1 GDPR and it is not yet certain whether the legitimate reasons of the controller prevail over your reasons. 

If the processing of personal data concerning you has been restricted, this data may only be used - apart from its retention - with your consent or for the assertion, exercise or defence of legal claims or protecting the rights of another natural or legal person or for reasons of important public interest of the European Union or a Member State.

If the processing has been restricted under the above-mentioned conditions, you will be informed by the controller before the restriction is lifted.

Right to deletion

a) Deletion obligation

You may require the controller to delete your personal information without delay and the controller is required to delete that information immediately, if one of the following reasons applies:

  1. Your personal data is no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent to the processing as per Art. 6 para. 1 letter a or Art. 9 para. 2 letter a GDPR and there is no other legal basis for the processing.
  3. You object, as per Art. 21 para. 1 GDPR, to the processing and there are no overriding legitimate grounds for processing, or you object, as per Art. 21 para. 2 GDPR, to the processing.
  4. Your personal data has been processed unlawfully.
  5. The deletion of personal data concerning you is necessary to fulfil a legal obligation under European Union or member state law to which the controller is subject.
  6. Your personal data has been collected in relation to information society services offered as per Art. 8 para. 1 GDPR. 

b) Information to third parties

If the controller has made your personal data public and is required, as per Art. 17 para. 1 GDPR, to delete it, it shall, taking into account the available technology and the implementation costs, take appropriate measures, including technical means, to inform the processors that you, the data subject, have requested that they delete all links to such personal data or copies or replications of such personal data.

c) Exceptions

The right to deletion does not exist if the processing is necessary

  1. To exercise the right to freedom of expression and information;
  2. To fulfil a legal obligation required by the law of the European Union or of the Member States to which the controller is subject, or to carry out a task of public interest or in the exercise of official authority delegated to the controller;
  3. For reasons of public interest in the area of public health, as per Art. 9 para. 2 letter h and in a broader sense per Art. 9 para. 3 GDPR;
  4. For archival purposes of public interest, scientific or historical research purposes or for statistical purposes, as per Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously prejudice the achievement of the objectives of that processing, or
  5. For the assertion, exercise or defence of legal claims.  

Right to notification

If you have the right of rectification, deletion or limitation on processing vis-a-vis the controller, it is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or limitation on processing, unless this proves impossible or involves a disproportionate effort.

You have a right against the controller to be informed about these recipients.

Right to data portability

You have the right to receive the personal data that you have provided to the controller in a structured, common and machine-readable format, if technically possible. In addition, you have the right to transfer this data to another controller without hindrance by the controller to which the personal data was provided, provided that

  1. the processing is based on consent as per Art. 6 para. 1 letter a GDPR or Art. 9 para. 2 letter a GDPR or on a contract as per Art. 6 para. 1 letter b GDPR and
  2. the processing is done using automated procedures. 

In exercising this right, you also have the right to have your personal data transmitted directly from one controller to another, insofar as this is technically feasible. Freedoms and rights of other persons may not be affected.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

Opt-out right

You have the right, for reasons which result from a special situation, to opt out at any time from the processing of your personal data that is based on Art. 6 para. 1 letter e or f GDPR.

The controller will no longer process your personal data unless it can demonstrate compelling legal grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the assertion, exercise or defence of legal claims.

If your personal data is processed for direct marketing purposes, you have the right to opt-out at any time from the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.

If you opt-out from the processing for the purpose of direct advertising, your personal data will no longer be processed for these purposes.

You may, in the context of the use of information society services - notwithstanding Directive 2002/58/EC - exercise your opt-out right by means of automated procedures using technical specifications. 

Right to revoke the data protection consent declaration

You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of alleged infringement, if you believe that the processing of your personal data is in violation of the GDPR.

The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy as per Art. 78 GDPR.

8. Privacy Policy of the Medical University of Graz on the handling of personal data for research purposes

Principle

The Medical University of Graz is responsible for the processing of your personal data and implements technical and organisational measures to protect them appropriately. The processing of your personal data is carried out in accordance with applicable national and European laws and regulations, including without limitation, the EU General Data Protection Regulation (GDPR), the Austrian Data Protection Act (Datenschutzgesetz - DSG), the Austrian Research Organisation Act (Forschungsorganisationsgesetz - FOG), the Austrian Medicines Act (Arzneimittelgesetz - AMG), the Austrian Medical Devices Act (Medizinproduktegesetz - MPG) and the Austrian Hospitals and Sanatoriums Act (Krankenanstalten- und Kuranstaltengesetz - KAKuG).

The use of personal data

In cooperation with the Steiermärkische Krankenanstaltengesellschaft mbH, the Medical University of Graz treats patients at the University Hospital Graz according to the latest state of science. The knowledge thereby gained is of particular importance for research as well as for medical education.
In the context of your medical treatment, diagnostics, participation in clinical studies or clinical trials, your personal data will primarily be processed to provide you with the best possible medical care. In further consequence, the Medical University of Graz may also use them for medical research, the aim of which is to improve diagnostics, to deepen the understanding of the emergence of diseases, to find new approaches for treatment or to optimise medical care. The processing of your personal data for research purposes is of great importance for medical progress.
Your personal data will be processed in such a way that your identity cannot be inferred directly from the data. Before a research project involving human subjects is implemented, it is submitted for assessment to the ethics committee of the Medical University of Graz.
Eventually, within the context of research projects, your personal data will be passed on to partners and/or third parties in Austria, the European Union or third countries.
All persons who receive access to your personal data are legally and contractually bound to maintain data secrecy.
Your personal data will be processed on the basis of legal provisions for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Art. 9 para. 2 lit. j GDPR) or on the basis of your explicit consent (Art. 9 para. 2 lit. a GDPR).

Storage period

The personal data provided will be stored for the duration of statutory retention periods.

Information

You have the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object and the right to withdraw consent. Consent can be withdrawn by you at any time. Please note that the withdrawal does not affect the processing that has taken place up to that point.
In this regard, please contact the data protection officer (datenschutz@medunigraz.at), who will also be available to answer any questions you may have on the subject of data protection. We would also like to point out that complaints or claims in connection with data protection may be lodged with the data protection authority of the Republic of Austria.

9. Handling of personal data for events

Principle

The Medical University of Graz is responsible for the processing of your personal data and takes technical and organizational measures to protect it appropriately. This applies in particular to protection against manipulation, loss or destruction and against access by unauthorized third parties.

Use of data

The Medical University of Graz processes the personal data provided in the course of your registration and participation in the respective event for the purpose of administrative processing and implementation of the event as well as for sending information material and invitations to participate in voluntary anonymous surveys on the event topic. Your data will be processed on the basis of the applicable legal provisions or contractual agreements, to safeguard the legitimate interests of the controller and on the basis of your consent (Art. 6 para. 1 lit a, b and f EU GDPR). The data will be made accessible to the responsible employees of the Medical University of Graz.

Storage duration

The personal data provided will be stored for the duration of statutory retention periods.

Information

You have the right to information, rectification, erasure, restriction of processing, data portability and objection to data processing as well as the right to withdraw your consent at any time. To do so, please contact the data protection officer (datenschutz(at)medunigraz.at), who is also available to answer any questions you may have on the subject of data protection. We would also like to point out that complaints or claims in connection with data protection can be lodged with the Data Protection Authority of the Republic of Austria.