Imprint & Privacy Policy

Imprint

Operator of this Website:

Philipp Beer (https://secpriv.tuwien.ac.at/team/philipp-beer)
Security & Privacy Research Group, Institute of Logic and Computation, TU Wien (https://secpriv.tuwien.ac.at)
Favoritenstraße 9-11, HA 01 09
1040 Vienna, Austria
Phone: +43 1 58801 192610

Responsible Institution:

Security & Privacy Group, Institute of Logic and Computation, TU Wien (https://secpriv.tuwien.ac.at)
Favoritenstraße 9-11
1040 Vienna, Austria

Privacy Policy

The protection of your personal data is very important to us. Below we inform you about the processing of personal data when using our research website.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

2. Name and Contact Details of the Controller

The controller for the processing of your personal data on this website is:

Philipp Beer, Security & Privacy Group, TU Wien, Austria
Favoritenstraße 9-11, HA 01 09
1040 Vienna, Austria
Email: webview-security@secpriv.tuwien.ac.at
Phone: +43 1 58801 192610

3. Data Collection when Visiting Our Website

When you visit our website, we record certain information. For technical reasons, this includes:

  • User agent string: Information about your browser and operating system.
  • Time of the server request.
  • IP address.

For research purposes, we furthermore collect the following data:

  • Pages visited and time of visit: We record whether a visitor has accessed key pages on our website to understand engagement with our research. Specifically, we collect information on whether you have visited the main website, the research report page, or the survey initiation page, and when you visited them. We do not track every page view or your general browsing activity.
  • The country you are visiting from: This is derived from your IP address and may not be precise.
  • Organizational token: If you have received an email invitation to participate in our research survey, that email contains a unique token. When you click the link in the email and visit our website, this token allows our system to record that your organization has visited the website.

4. Purpose of Processing

This data is recorded and processed solely for the following purposes:

  • To ensure the functionality and security of our website (technical reasons).
  • To track the level of engagement from invited organizations by recording visits to key pages, such as the research report and the survey initiation page. This helps us measure the effectiveness of our outreach efforts (processing of pages visited and organizational token).
  • To analyze the geographical distribution of visitors (processing of IP address).

5. Legal Basis for Processing

While we aim to anonymize data to the greatest extent possible and do not directly identify individuals, the collected information may be considered personal data under the General Data Protection Regulation (GDPR).

Our legal basis for processing this data is our legitimate interest in understanding the reach and engagement of our research invitations. This processing is necessary for the purposes of the legitimate interest pursued by our research project.

We have conducted a Legitimate Interests Assessment and concluded that these interests are not overridden by the interests or fundamental rights and freedoms of the data subjects. This assessment considers:

  • The limited nature of the data collected, which excludes direct personal identifiers.
  • Our explicit commitment to not linking this data to individual identities, focusing instead on organizational-level metrics.
  • The reasonable expectation that invited organizations might have regarding basic, anonymized tracking of their engagement with a research invitation website.

The Legitimate Interests Assessment is available upon request.

6. Data Retention

The data will be deleted once it is no longer needed for the purposes for which it was collected, specifically upon the completion of the research project, or for as long as required by applicable laws and regulations.

7. Important Note Regarding Survey Participation

Please note that this data processing only applies to this website. When you decide to participate in the survey, you will be prompted to read the Participant Information Sheet, which provides detailed information about the survey and your rights.

8. Your Data Protection Rights Under GDPR

Under the General Data Protection Regulation (GDPR), you have certain rights regarding your personal data. As we process your data primarily at an organizational level and aim to minimize individual identification, exercising some of these rights directly through this website may require further clarification, especially if you believe your personal data is identifiable. You have the following rights:

  • Right to Access (Art. 15 GDPR): You have the right to obtain confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the personal data.
  • Right to Rectification (Art. 16 GDPR): You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
  • Right to Erasure (Art. 17 GDPR): You have the right to obtain the erasure of personal data concerning you without undue delay when certain conditions apply (e.g., the data is no longer necessary for the purposes for which it was collected).
  • Right to Restrict Processing (Art. 18 GDPR): You have the right to obtain from us restriction of processing where one of the following applies:
    • the accuracy of the personal data is contested by you, for a period enabling us to verify the accuracy of the personal data;
    • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
    • we no longer need the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
    • you have objected to processing pursuant to Article 21(1) GDPR pending the verification whether our legitimate grounds override yours.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and have the right to transmit those data to another controller without hindrance from us, where the processing is based on consent or on a contract and is carried out by automated means.
  • Right to Object (Art. 21 GDPR): You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on our legitimate interests (Article 6(1)(f) GDPR). We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
  • Right to Lodge a Complaint with a Supervisory Authority (Art. 77 GDPR): Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The relevant supervisory authority in Austria is the Österreichische Datenschutzbehörde (Austrian Data Protection Authority).

How to Exercise Your Rights

To exercise any of these rights, please contact us using the contact details provided in Section 2. Please note that we may ask you to verify your identity before responding to such requests.

9. Changes to this Privacy Policy

We reserve the right to adapt this privacy policy from time to time so that it always complies with current legal requirements or to implement changes to our services in the privacy policy. The new privacy policy will then apply to your next visit.

Last updated: September 17, 2025