Information obligations under GDPR
Data Protection Declaration for the University of Linz Webshop
The protection of your personal data is very important to us. The Johannes Kepler University Linz is controller of the personal data described within the meaning of the General Data Protection Regulation (GDPR) and is hereby complying with its relevant information obligations. We ask you to take note of the following notification relating to the administrative and technical processing in connection with making use of the Webshop of Johannes Kepler University Linz.
I. Inputting contact data
Controller of data processing described below is Johannes Kepler University Linz (JKU), Altenberger Strasse 69, 4040 Linz, firstname.lastname@example.org.
The data protection officer can be reached at Johannes Kepler University Linz (JKU), Staff Unit for Data Protection, Altenberger Strasse 69, 4040 Linz, email@example.com.
II. Background of processing / indication of the purpose for which the personal data is to be processed / legal basis of processing / categories of recipients of the personal data
1. JKU operates its own webshop in order to make it possible to register for university events (in particular conferences, meetings, the university ball, etc.). Users may avail themselves of these services by inputting their personal data. For this, user registration by means of a corresponding user account is a prerequisite. The data are in that case entered into an entry mask and processed by JKU.
JKU in that case collects the following personal data from you as the data subject in order to make it possible for you to avail yourself of this internet service.
First and last name
Company or organisation
Password (only encrypted - with entry via the Shibboleth Login, there is no collection of the password by JKU unless it concerns the university's own employees or students)
Payment data (in particular credit card or other financial information, data on transactions or orders)
Other personal information you provide voluntarily
Please note that for purposes of simplifying the purchasing process and of subsequent contract processing by JKU as the webshop operator, the IP data of the connecting party is saved by means of cookies, as are also name, address and payment data (e.g. purchaser’s credit card number).
2. The legal basis for the personal data collected in connection with the contractual agreement with the data subject is the requirement of processing for execution of the contract of which the data subject is the contracting party (purchase contract in the webshop), or for carrying out pre-contractual measures (filling up the virtual shopping trolley prior to contract closing) occurring at the request of the data subject.
When using the webshop for other (ongoing training) events, the legal basis for processing of personal data is that the processing is largely required to protect the justified interests of JKU in regard to the functions of the advanced training being offered in regard to the University Act of 2002, in particular to university graduates and educators, as well as for information to the public on fulfilment of university functions (Article 6, paragraph 1, letter f) of GDPR in connection with § 3 and numerals 5 and 11 of the University Act).
There is no statutory obligation to provide personal data, but, in case of failure to provide it, contract closing or participation in the specific event cannot occur.
In case of voluntary uploading of a profile and/or indication of other personal data by the user, the legal basis for processing of this personal data in the webshop as well as for purposes of the specific event (including any resulting sensitive data: racial and ethnic origin; political opinions; religious or ideological convictions; membership in a trade union; genetic data; biometric data processed for unambiguous identification of an individual; health data; data on sexual life or sexual orientation) is the data subject’s consent. The data subject is entitled to withdraw, at any time and in writing, consent to such processing operations by the particular institute or department without indication of any reasons and without impairing the legality of the processing occurring up until withdrawal of consent.
3. Recipients of the personal data are the organisational units of JKU necessary for corresponding processing, in particular the institute or department organising the particular event, the department of financial accounting, event management, the legal department as well as banking institutions, commissioned payment agents and external consultants (e.g. tax accountants, auditors). Any further forwarding to third parties will only occur if this is statutorily required or allowed.
If any court and/or regulatory authority disputes should ensue during or after the termination of the legal relationship, then the data required for appropriate enforcement will be transmitted to legal representatives, courts or public authorities.
III. Indication of the criteria for determination of the retention period
In case of any contract closing or participation in an event, the personal data will be processed by JKU for the duration of statutory retention as well as up through the end of the time-bars for potential legal claims. Subsequently, the data will be erased unless there are other justified JKU interests warranting further storage.
IV. Information on the rights of the data subject
Under GDPR you have the following rights:
Right to information
Right to rectification and erasure
Right to limitation of processing
Right to object
Right to data portability
V. Right to appeal to the supervisory authority
In addition, you can appeal against any data processing that you consider not allowed to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, telephone +43 1 52 152-0, or email firstname.lastname@example.org.
Version: May 2020