Data Privacy - ERSTE Foundation

Data Privacy

We take the protection of your data very seriously. In order to fully inform you about the use of personal data, we ask you to take note of the following privacy policy.

Legal basis (EU General Data Protection Regulation
and Austrian Data Protection Act 2018)

The EU General Data Protection Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data. Personal data is any information relating to an identified or identifiable natural person.

In this privacy policy, we inform you about the most important aspects of data processing in the context of our activities as a non-profit foundation, namely:

material and non-material support (project management) in three thematic areas: social innovation, European cohesion and democracy, and contemporary culture; and
the operation of the ERSTE Foundation Library to support the research needs of the Foundation’s staff and project partners, as well as the interested public in general; and
additional processing activities:
- client and supplier management,
- participation management,
- public relations and marketing for our own purposes,
- image processing at events,
- functionalities of our website, and
- our newsletter.

Website operator and data controller:

ERSTE Stiftung
DIE ERSTE österreichisch
Spar-Casse Privatstiftung
Am Belvedere 1
1100 Vienna
Austria
T +43 50 100 15100
F +43 50 100 11094
M office(at)erstestiftung.org

No data protection officer has been appointed, as this is not required by law. By using our website, you consent to our collection of certain data. In return, we undertake to protect your data in accordance with the current state of the art.

Purposes of processing operations

We carry out the following processing operations that are relevant to you as a project partner, client, cooperation partner as a library user, as a person involved with our project partners, clients and cooperation partners, as a natural person (contact person) of project partners, clients and cooperation partners,

recipient categories

Within the scope of processing operations, we transfer data to the following categories of recipients, whereby the recipients act on our behalf or the transfer is necessary to fulfil contractual or legal obligations; for special processing operations, we list the specific recipients here:

Project partners and third parties who are involved or are to be involved in project implementation (e.g. tax advisors, auditors, liability and legal protection insurers, other insurance companies, notaries, translators, lawyers)
Banks for the processing of payment transactions
Contract processors within the scope of library, IT and communication services (library administration, software support, administrators of our network, server and clients, email service providers and telephone service providers)
Website (public)

We don’t plan to share your data with international organisations or people in other countries. If we need to share your data with people in other countries, we’ll make sure there are enough safeguards in place, like standard data protection clauses or an adequacy decision.

Purposes of use, storage period, data provision

a. Purposes of use
We receive the data from you as a prospective customer or contact, client or supplier. You approach us to initiate a contract (e.g. via the Internet, by email, via other clients) or we conclude contracts with you via various channels. The personal data we process is necessary for the performance of the contract and is also processed to fulfil legal obligations (e.g. tax retention obligations or warranty and compensation obligations). If you are a contact person of our contractual partner who is not a natural person, then it is in our legitimate interest to process your personal data for the purpose of smooth communication and documentation.
Within the scope of our subsidies, we also process data of persons involved in the subsidy relating to our service provision so that we can properly fulfil the subsidy (legitimate interest). These persons have a right to object (see point 14) within the scope of the statutory provisions.
b. Storage period
We store the data for the entire duration of the contractual relationship and beyond for a period of 7 years after its termination in order to comply with tax retention obligations, as well as 30 years after its termination in order to have the necessary documentation in the event of warranty and compensation claims, as claims are subject to the 30-year limitation period under the ABGB (Austrian General Civil Code). If official proceedings are ongoing, we will store the data for the duration of the proceedings.
c. Obligation to provide data
You are not obliged to provide us with data; however, if you do not provide the data, we will not be able to provide the service.

Use of image data (events, etc.)

Images will be taken at various events, in particular at workshops, press conferences and other events organised by us or at which persons who work on our premises or for us or with our support give presentations or perform.
Invitations to events will indicate in advance that photographs will be taken. Unless media privilege (§ 9 DSG) applies, the photographer will be instructed to obtain consent from small groups that are photographed. If larger groups are photographed at events, the images will be used to raise awareness of our organisation and promote its image, and we will publish these images on the internet and in printed information about our organisations (legitimate interest).
If you are photographed in a small group, the photographer will ask for your consent before taking the picture, and you will have the opportunity to step aside and not be photographed. Unless media privilege (§ 9 DSG) applies, you have the right to withdraw your consent at any time with effect for the future (see also point 14).
In the event of withdrawal, the recordings will be removed as far as technically possible, and attempts will be made to arrange for their removal from any other media. Printed brochures will not be destroyed after revocation. Upon receipt of the revocation, the data will no longer be processed for the purpose. If the revocation and any prohibition of further use result in costs (changes to the website, destruction of printed information) and there is no legitimate interest in revocation, the costs of the changes shall be borne by the data subject.
There is a right to object (see point 14) within the framework of the statutory provisions if the processing is based on legitimate interests. Since you have entered a public space for an event in which our organisation has an interest in marketing, this expectation must also be taken into account when considering an objection.
The data will be deleted after 3 years or upon revocation of consent, provided that it is published on our own website. If this data is published on social networks, it will only be deleted upon revocation of consent.

Supplier and client management (for handling our purchasing and back office operations)

We receive the data from you within the scope of your relationship as a supplier and/or contractor to our company. This data is necessary for the fulfilment of the contract and is also processed for the fulfilment of legal obligations (e.g. tax retention obligations or warranty and compensation obligations). If you are a contact person of our contractual partner who is not a natural person, then it is in our legitimate interest to process your personal data for the purpose of smooth communication and documentation.
We store the data for the entire duration of the business relationship and beyond for a period of 7 years after its termination, in particular to comply with tax retention obligations and for as long as warranty and compensation claims (max. 30 years for services relating to immovable property) require the data to be processed, in which case it will be processed in an archive.
You are not obliged to provide us with data; however, if you do not provide the data, we will not be able to provide the service.

Marketing and public relations (to inform customers and prospective customers and to acquire new customers)

We conduct marketing and public relations activities to inform you and the general public about our services and projects and to provide you with general information. This is based on our legitimate interest in presenting our services and informing you about them (when sending information by post) and on your consent (when sending information by email).
You have the right to object to or withdraw your consent at any time (see point 14) within the framework of the statutory provisions.
We store the data for a period of 3 years after the last contact.
You are not obliged to provide the data. If you do not provide the data, we cannot send you any information.

Contact database (from public sources or business cards)

We process personal data relating to individuals with whom we or our employees have been in personal contact (e.g. at events, trade fairs, invitations, etc.) when business cards are exchanged,

for the purpose of establishing contact in specific projects,
for the purpose of creating a contact database, and
for customer acquisition (legitimate interest).

We supplement the data obtained from business cards with data from public sources (e.g. company register, company website).

You have the right to object (see point 14) within the framework of the statutory provisions. Unless a contractual relationship arises, the data will be deleted three years after the last contact.

Contact forms on the website (for answering questions or contacting our team members)

You can send us enquiries about our services or general enquiries using the contact forms on the website; this data will then be used for documentation and to respond to your enquiry (legitimate interest). If you are a contact person of our cooperation partner who is not a natural person, then it is in our legitimate interest to process your personal data for the purpose of smooth communication and documentation. You have the right to object within the scope of the statutory provisions (see point 14). We store the data for a period of 12 months, unless longer storage is required for legal reasons. You are not obliged to provide the data specified in the contact form. If you do not provide the data, we will not be able to process your enquiry.

Information sent by email to existing contacts

Within the framework of existing relationships, we reserve the right, in accordance with Section 107 (3) TKG – whereby a separate notice regarding the possibility of refusal will be provided when the data is collected – to provide information about events by electronic mail (including SMS). You have the right to object to the use of data collected within the scope of the customer relationship for this purpose (both at the time of collection and each time it is used) at any time. In this case, the processing of your data is based on our legitimate interest, namely customer service and customer acquisition, and you have the right to object to this processing within the scope of the statutory provisions (see point 14).
We store the data for a period of 3 years after the last contact.
You are not obliged to provide the data. If you do not provide the data, we will not be able to send you any information.

Newsletter (for customer acquisition and informing existing customers)

You have the option of subscribing to a newsletter (topic: statements and ideas from civil society) via the website, among other things. The personal data transmitted to the controller when ordering the newsletter is determined by the input mask used for this purpose. We then process this data for the purpose of providing customer information (public relations and presentation of the activities of the ERSTE Foundation) and for customer acquisition.

Our newsletter can only be received by the data subject if

a) the data subject has a valid email address and b) the data subject has registered for the newsletter. For legal reasons, a confirmation email is sent to the email address entered by a data subject for the first time for the newsletter dispatch using the double opt-in procedure. This confirmation email serves to verify that the owner of the email address has authorised the data subject to receive the newsletter.

You have the option to revoke your consent (legal basis for processing) at any time within the scope of the statutory provisions (see point 14).

We store the data for a period of 3 years after the last contact.

You are not obliged to provide the data. If you do not provide the data, we cannot send you any information. For the purpose of revoking your consent, each newsletter contains a corresponding link. Furthermore, you can unsubscribe from the newsletter at any time directly on the website of the controller responsible for processing or inform the controller responsible for processing in another way.

Functions of the MailChimp service are implemented for sending the newsletter. These functions are provided by The Rocket Science Group LLC, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, Georgia 30308. Adequate data protection is achieved through the so-called ‘Privacy Shield’. The privacy policy published by MailChimp, which can be found at https://mailchimp.com/legal/privacy/, provides information about the collection, processing and use of personal data. Further information about MailChimp can be found at https://mailchimp.com/legal/.

Website Tracking

Cookies are used on our website erstestiftung.org to make our website more user-friendly and to provide you, as a user of our website, with tailored content (legitimate interest). None of the cookies used on our website collect information that can be used to identify you personally. Cookies are necessary for the use of erstestiftung.org.

Cookies are small text files that enable the recognition of users and the analysis of your use of our website. When you visit our websites, we only set cookies that are absolutely necessary to operate our website erstestiftung.org or to provide a service that you have expressly requested. Furthermore, cookies are used to store optional settings from a previous visit to the website (e.g. language, interests, etc.). Otherwise, we only collect and store data in personalised form by setting cookies after you have given your express consent.

Data processing is based on the consent of the user (through the settings of the web browser and a query when the website is first accessed), which can be revoked at any time within the scope of the statutory provisions (see point 14), and on legitimate interest (improvement of the offer and the website), whereby a right of objection exists within the scope of the statutory provisions (see point 14).

We store the data for a period of 6 (12) months.

a. Collection of anonymous data and information

Each time a user accesses our website, i.e. each time a file on this server is accessed or attempted to be accessed, data about this process is stored in a log file. This data is not personal; we cannot therefore trace which user has accessed which data. We do not attempt to collect this information.

The following data is stored for each access:

Name of the file accessed

Date and time of access

Amount of data transferred

Message indicating whether the access was successful

Message indicating why an access may have failed

The name of your Internet service provider through which you access our website

If applicable, the operating system and browser software of your computer

The website from which you visit us.

All of the above data is evaluated by us and by processors commissioned by us for statistical purposes only. We use this data to improve our website for you.

To prevent cookies from being set in general, you must configure your browser so that they are only created or rejected with your consent.

The procedures for managing and deleting cookies vary depending on which browser you use. To find out how to do this in a particular browser, you can use its built-in help function or alternatively visit http://www.aboutcookies.org, where you will find step-by-step instructions on how to manage and delete cookies in most popular browsers. The following websites provide detailed explanations of the various options available to you, as well as how to opt out of or object to usage-based online advertising and how to opt out of the automatic setting of cookies: http://www.aboutads.info/choices and http://www.youronlinechoices.eu/.

By giving your express consent, you agree to the use of the following cookies and plugins:

b. Matomo (local web analytics)

We use Matomo on this website, an open-source web analytics software for statistical analysis of visitor access. All data processing is carried out entirely on our own server, meaning no data is shared with third parties.

The purpose of this processing is to analyse user behaviour on our website in order to continuously improve content, functionality and usability.

Matomo is configured with a strong focus on data privacy:

– IP addresses are anonymised before being stored (e.g. by removing the last bytes)

– No personal user profiles are created

– All data remains on our server and is not shared with any third parties

– Cookies are either disabled or used with limited lifetime

During your visit, the following information may be collected:

– Pages visited and your interactions (e.g., clicks, time spent, scroll depth)

– Your approximate location (based on anonymised IP address)

– Technical information such as browser type, operating system, screen resolution, and device used

– The source of your visit (e.g., referring website or search engine)

This data is used exclusively in aggregated form for statistical evaluation and cannot be used to identify individual users.

If you do not agree to the storage and analysis of this data, you may opt out at any time. An opt-out cookie will be placed in your browser that permanently prevents Matomo from collecting your data, as long as the cookie is not deleted or your browser settings reset.

You can opt out of Matomo tracking here:

For more information about Matomo and privacy compliance, please visit: https://matomo.org/gdpr/

c. Google Maps

This website uses the online map service Google Maps provided by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (‘Google’) to display map information. When using Google Maps, Google also collects, processes and uses data about the use of the map functions by visitors to the websites. For more information about data processing by Google, please refer to Google’s privacy policy at https://policies.google.com/privacy/. There you can also change your settings in the privacy centre so that you can manage and protect your data.

d. Data protection provisions for the use of YouTube

Functions of the YouTube service are implemented on our website. These functions are provided by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The embedded videos store cookies on users’ computers when the website is accessed. If you have disabled cookies for the Google advertising programme, you will not encounter such cookies when accessing YouTube videos. However, YouTube also stores non-personal usage information in other cookies. If you wish to prevent this, you must block it in your browser.

Each time one of the individual pages on erstestiftung.org, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, is accessed, the Internet browser on the information technology system of the data subject is automatically prompted by the respective YouTube component to download a representation of the corresponding YouTube component from YouTube. Further information about YouTube can be found at https://www.youtube.com/yt/about/de/. As part of this technical process, YouTube and Google are informed about which specific subpage of our website is visited by the data subject.

If the data subject is logged in to YouTube at the same time, YouTube recognises which specific subpage of our website the data subject is visiting when a subpage containing a YouTube video is accessed.

This information is collected by YouTube and Google and assigned to the respective YouTube account of the data subject. YouTube and Google always receive information via the YouTube component that the data subject has visited our website if the data subject is logged into YouTube at the time of accessing our website; this occurs regardless of whether the data subject clicks on a YouTube video or not.

If the data subject does not want this information to be transferred to YouTube and Google, they can prevent this by logging out of their YouTube account before visiting our website.

The privacy policy published by YouTube, which can be found at https://policies.google.com/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.

Your rights as an affected person

a. We do not create profiles of data subjects or other persons, do not engage in profiling, and do not use automated decision-making in the course of our activities.

b. As a data subject, you have the right to information, correction, deletion, restriction and data portability within the scope of the statutory provisions. However, we would like to point out that these rights may be restricted if the disclosure of information would jeopardise a business or trade secret of the controller or a third party (Section 4 (6) DSG).

c. If you have given us your consent to process your data, you have the right to revoke this consent at any time. This does not affect the lawfulness of the processing of the data until revocation. After revocation, the data will no longer be used for the purpose for which you gave your consent (e.g. sending an email newsletter).

d. If the processing of the data is based on a legitimate interest, you have the right to object to this. If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes. If we process data for other purposes based on legitimate interest, we will no longer process the personal data unless we have compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

e. To exercise your rights, please contact us by email at office@erstestiftung.org, by telephone on +43 50 100 15100 or by post at the following address: Am Belvedere 1, 1100 Vienna, Austria. When making an enquiry, it would be helpful if you could provide us with the necessary information to clearly identify you.

f. If you believe that the processing of your personal data violates data protection law or that your data protection rights have been violated in any other way, you are free to lodge a complaint with the Austrian Data Protection Authority. The website of the Data Protection Authority can be found at www.dsb.gv.at.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
pll_language	1 year	The pll _language cookie is used by Polylang to remember the language selected by the user when returning to the website, and also to get the language information when not available in another way.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__Secure-ROLLOUT_TOKEN	6 months	Description is currently not available.
iutk	6 months	Issuu sets this cookie to recognise the user's device and what Issuu documents have been read.
mc	1 year 1 month	Quantserve sets the mc cookie to track user behaviour on the website anonymously.
NID	6 months	Google sets the cookie for advertising purposes; to limit the number of times the user sees an ad, to unwanted mute ads, and to measure the effectiveness of ads.
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt.innertube::nextId	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.

Cookie	Duration	Description
_pk_id.*	1 year 1 month	Matomo set this cookie to store a unique user ID.
_pk_ses.*	1 hour	Matomo set this cookie to store a unique session ID for gathering information on how the users use the website.