Table of Contents
I. Name and Address of the Data Controller
II. General information on data processing
III. Specific processing operations
- Management of funding in the own sphere of responsibility
- Management of funding within the entrusted sphere of responsibility
- eCall
- Marketing
- Newsletter Service
- Internship database
- “Application procedure”
- Dealing with complaints under the Austrian Web Accessibility Act (Web-Zugänglichkeitsgesetz, WZG)
- Data processing by the funding service department (“Förderservice”)
- Handling of research and development services
- FFG - Quick check
- Event registration and event organisation
- Online-Meetings
- Photos and video recordings at events
- Database for the Innovationsscheck
- Use of reCAPTCHA
IV. Rights of the data subject
I. Name and Address of the Data Controller
Data Controller according to the data protection laws regarding the processing of your personal data is:
Austrian Research Promotion Agency (Österreichische Forschungsförderungsgesellschaft mbH)
1090 Vienna, Sensengasse 1
FN 252263a HG Wien
Tel: +43 (0)5 7755 - 0
Fax: +43 (0)5 7755 - 97900
datenschutz@ffg.at
The data protection officer is Mag. Felix Koch, felix.koch@ffg.at.
II. General information on data processing
The Austrian Research Promotion Agency (Forschungsförderungsgesellschaft, FFG) uses different automated systems for managing, storing and processing personal data, including without limitation, data of funding applicants, funding recipients and recipients of cash/non-cash benefits relating to Article 89 of the General Data Protection Regulation (GDPR) (“Article 89 benefits”), and pursues different purposes by means of these systems (e.g. handling of funding, advising on individual funding, or newsletter dispatch).
Your personal data will be deleted or made unavailable by FFG once the purpose for storing and processing of such data no longer applies, provided that longer retention cannot be justified by statutory obligations or that no legal claims which may still be asserted against us and require retention exist.
In some cases of data processing, FFG is not the sole controller within the meaning of the GDPR. This will be mentioned specifically below in the description of the data processing operations concerned.
Within the scope of electronic data processing, FFG uses IT service providers (data processors) who might obtain access to your personal data in the course of their work in case they require the data to render the respective service. These service providers were obligated by the FFG to take appropriate technical and organisational measures to ensure the security of your data. These service providers are not permitted to pass on your data (except in cases stipulated by law).
Based on these principles, specific processing operations concerning personal data are performed, on which FFG provides detailed information to its clients as follows:
III. Specific processing operations
1. Management of funding in the own sphere of responsibility
1.1. Purpose of data processing
FFG has to promote research, technology development, innovation and digitalisation (RTI+D) for the benefit of Austria. The agency is obligated to implement and handle any measures and activities on a national and international level which serve the promotion of RTI+D (section 3 Research Promotion Agency Act (Forschungsförderungsgesellschaftsgesetz, FFG-G)).
Based on this function, FFG manages funding programmes autonomously (own sphere of responsibility).
FFG processes your data in the context of handling such public funding.
The purpose of data processing is thus the granting and managing of funding for commercial and scientific research and development projects.
1.2. Scope of the processing of personal data
FFG collects the following personal data of funding applicants, it being understood that the actual scope of data types will vary depending on the funding programme managed by FFG and applied for by you:
- Information on the funding applicant/funding recipient (designation / first name and last name, legal form, date of birth, academic degree; title, salutation, place of birth, gender, nationality/registered address, postal address, tax identification number, company register number, telephone number, fax number, URL, year of incorporation)
- Identification information (ID number, issuing authority, issuing date of the official photo ID, national identification in the form of sector-specific personal identifiers)
- Project manager of the funding applicant
- Economic information concerning the funding applicant/funding recipient (object of the enterprise, industry, information on creditworthiness, turnover, number of employees)
- Funding provided by other bodies
- Project details (project name, project description, duration, research topic, classification, project location, project costs)
- Information on the institution of the person filing the application (designation, legal form, electronic identifier pursuant to section 6 (3) E-Government Act (E-Government-Gesetz, E-GovG), address and contact details, contact person)
- Information on project partners of the funding applicant/funding recipient
- Information on the education/training and scientific career, including without limitation,
- start and duration of the education/training and success achieved,
- educational institutions attended, if possible also indicating the programme code and the course of studies,
- information on mobilities pursuant to section 10a Act on the Austrian Agency for International Cooperation in Education and Research (OeAD) (OeAD-Gesetz, OeADG),
- main research fields,
- previous publications,
- academic recognitions,
- previous projects,
- previous cooperation partners,
- previous academic functions and scientific career,
- other Article 89 benefits (section 2b (2) Austrian Research Organisation Act (Forschungsorganisationsgesetz, FOG) applied for and having been granted,
- photos of all natural persons involved in the project
- other information, including without limitation,
- bank details,
- job position,
- data (section 2b (5) FOG) required for the proper handling and evaluation of applications, offers and contracts, and
- data (section 2b (5) FOG) concerning the discontinuation and reclaiming of Article 89 benefits (section 2b (2) FOG)
- information on all persons employed in the project, including in particular
- employment contracts,
- details of the employment relationship,
- records of working time,
- absences,
- payslips,
- qualification measures and career path, and
- information on travels and on lectures held
The following data are collected by FFG from the submission of an application to the granting of funding and/or during the funding relationship:
- Information on the funding (funding approved, funding applied for, project duration, type of funding, cash value of the funding, research-related expenses during the financial year, date of application, type of contract, date of conclusion of the contract)
- Expert opinion on the eligibility of a project for funding
- Decision on funding
The contact and project details are provided on a voluntary basis when submitting your funding application; if you do not provide these data, however, we cannot review your funding application and are therefore not able to assess your entitlement to funding.
1.3. Legal basis for processing personal data
Article 6(1)(b) GDPR forms the legal basis in cases where we require your personal data for the initiation or performance of a contract (e.g. grant agreement) with you.
Article 6(1)(c) GDPR forms a key legal basis for such processing. The legal basis for the granting and managing of funding pursuant to Article 89 GDPR is, in particular, section 2g of the Federal Law on General Affairs pursuant to Article 89 GDPR and the Organisation of Research (FOG), Federal Law Gazette No. 341/1981 as amended.
In certain cases the legitimate interests of the controller pursuant to Article 6(1)(f) GDPR shall also be named as a legal basis for the processing. The legitimate interest here is in the interest of FFG as a funding agency to carry out the necessary proccessing in connection with the awarding and administration of grants, such as the eligibility check, the monitoring and the evaluation of the funding.
If that prior consent is obtained, processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
1.4. Data retention period
In any case, the data are stored for 10 years
a) as of the last communication if the application or offer was withdrawn or not followed up, or a negative decision was issued, and
b) as of the end of the year in which the total funding or the total compensation was paid if a positive decision was issued.
If statutory provisions or provisions under EU law stipulate longer terms, these shall apply.
1.5. Data recipients
Your data are passed on to the following third parties under the terms of a legal obligation:
- to the ministries owning FFG (Federal Ministry for Climate Action, Environment, Energy, Mobility, Innovation and Technology (Bundesministerium für Klimaschutz, Umwelt, Energie, Mobilität, Innovation und Technologie, BMK) and the Federal Ministry for Labour and Economy, (Bundesministerium für Arbeit und Wirtschaft, BMAW) (Article 6(1)(c) GDPR in conjunction with section 38 in conjunction with sections 18, 27, 28 of the General Guidelines for the Granting of Federal Funds (Allgemeine Rahmenrichtlinien für die Gewährung von Förderungen aus Bundesmitteln, ARR), section 12 of the Act on the Promotion of Research and Technology (Forschungs- und Technologieförderungsgesetz, FTFG), section 9 FFG-G), unless the responsibility is shared;
- Bodies and officials of the Court of Audit (in particular section 3 (2), section 4 (1) and section 13 (3) of the Court of Audit Act (Rechnungshofgesetz), Federal Law Gazette No. 144/1948 as amended from time to time),
- Federal Ministry of Finance (in particular sections 43 to 47 of the Federal Budgeting Act (Bundeshaushaltsgesetz), Federal Law Gazette No. 213/1986 as amended from time to time),
- EU institutions and other federal authorities concerned with funding,
- Contracting parties involved in the handling of funding (ERP Fund, Fund Austria (Österreich-Fonds), National Trust for Research, Technology and Development (Nationalstiftung für Forschung, Technologie und Entwicklung), unless the responsibility is shared already.
Furthermore, in cases where the FFG handles funding by an Austrian province, your data will be passed on to the respective provincial funding authority providing the funding:
- Business Service Burgenland AG – WIBAG
- KWF Kärntner Wirtschaftsförderungsfonds (Carinthian business agency)
- Office of the Provincial Government of Lower Austria, department V/2 – Fund for business promotion and structural improvement of Lower Austria
- Province of Upper Austria, department of commerce
- Office of the Provincial Government of Salzburg, department 15/02 – Promotion of business and technology
- SFG – Steirische Wirtschaftsförderungsges. mbH) Styrian Business Promotion Agency)
- Office of the Provincial Government of Tyrol, department 1d – Business promotion
- Office of the Provincial Government of Vorarlberg, department Via – General business affairs
- WWFF – Vienna Business Agency
In each case, the relevant legal basis is Article 6(1)(c) GDPR in conjunction with section 38 in conjunction with sections 18, 27, 28 of the 2018 ARR, Article 15a of the Agreement, section 12 FTFG, section 9 FFG-G, and the respective agreements between the federal government and the provincial governments pursuant to Article 15a of the Federal Constitutional Law (Bundesverfassungsgesetz, B-VG).
If we collect data on your creditworthiness, your identity data will be passed on to credit bureaus.
In all other cases, FFG will transfer your data to third parties only if this is stipulated by law or in case the data subject has consented to the disclosure.
2. Management of funding within the entrusted sphere of responsibility
2.1 Purpose of data processing
The key purpose of such processing is granting and managing public funding in the areas of research, development, technology, innovation and digitisation.
In this context, the BMK and the BMAW are in particular tasked with ensuring the efficient granting of public funds in the field of “innovation and technology”; for this purpose, various funding programmes are created by these federal ministries. FFG is obligated (by section 3 FFG-G) to implement and handle any measures and activities on a national and international level which serve the promotion of RTI+D, and has thus been mandated by the BMK and the BMAW to handle such funding programmes (Section 12 (1) FTFG).
The BMK, the BMAW and other funding providers manage your data jointly with FFG when handling such public funding; the data are collected and stored by the FFG, which has been tasked with handling the granting of funding, the funding contract and with monitoring the funding granted. The BMK and the BMAW as well as other controllers process the data to decide on the granting of funding.
2.2 Scope of the processing of personal data
Within the scope of certain funding programmes, FFG processes the following personal data of funding applicants jointly with the controllers for which funding is handled by FFG (the actual scope of data types may vary depending on the funding programme you apply for):
- Information on the funding applicant/funding recipient (designation / first name and last name, legal form, date of birth, academic degree; title, salutation, place of birth, gender, nationality/registered address, postal address, tax identification number, company register number, telephone number, fax number, URL, year of incorporation)
- Identification information (ID number, issuing authority, issuing date of the official photo ID, national identification in the form of sector-specific personal identifiers)
- Project manager of the funding applicant
- Economic information concerning the funding applicant/funding recipient (object of the enterprise, industry, information on creditworthiness, turnover, number of employees)
- Funding provided by other bodies
- Project details (project name, project description, duration, research topic, classification, project location, project costs)
- Information on the institution of the person filing the application (designation, legal form, electronic identifier pursuant to section 6 (3) E-Government Act (E-Government-Gesetz, E-GovG), address and contact details, contact person)
- Information on project partners of the funding applicant/funding recipient
- Information on the education/training and scientific career, including without limitation,
- start and duration of the education/training and success achieved,
- educational institutions attended, if possible also indicating the programme code and the course of studies,
- information on mobilities pursuant to section 10a Act on the Austrian Agency for International Cooperation in Education and Research (OeAD) (OeAD-Gesetz, OeADG),
- main research fields,
- previous publications,
- academic recognitions,
- previous projects,
- previous cooperation partners,
- previous academic functions and scientific career,
- other Article 89 benefits (section 2b (2) Austrian Research Organisation Act (Forschungsorganisationsgesetz, FOG) applied for and having been granted,
- photos of all natural persons involved in the project
- other information, including without limitation,
- bank details,
- job position,
- data (section 2b (5) FOG) required for the proper handling and evaluation of applications, offers and contracts, and
- data (section 2b (5) FOG) concerning the discontinuation and reclaiming of Article 89 benefits (section 2b (2) FOG)
- information on all persons employed in the project, including in particular
- employment contracts,
- details of the employment relationship,
- records of working time,
- absences,
- payslips,
- qualification measures and career path, and
- information on travels and on lectures held
The following data are collected by FFG from the submission of an application to the granting of funding and/or during the funding relationship:
- Information on the funding (funding approved, funding applied for, project duration, type of funding, cash value of the funding, research-related expenses during the financial year, date of application, type of contract, date of conclusion of the contract)
- Expert opinion on the eligibility of a project for funding
- Decision on funding
The contact and project details are provided on a voluntary basis when submitting your funding application; if you do not provide these data, however, we cannot review your funding application and are therefore not able to assess your entitlement to funding.
2.3 Legal basis for processing personal data
Article 6(1)(b) GDPR forms the legal basis in cases where we require your personal data for the initiation or performance of a contract (e.g. grant agreement) with you.
Article 6(1)(c) GDPR forms a key legal basis for such processing. The legal basis for the granting and managing of funding pursuant to Article 89 GDPR is, in particular, section 2g of the Federal Law on General Affairs pursuant to Article 89 GDPR and the Organisation of Research (FOG), Federal Law Gazette No. 341/1981 as amended.
In certain cases the legitimate interests of the controller pursuant to Article 6(1)(f) GDPR shall also be named as a legal basis for the processing. The legitimate interest here is in the interest of FFG as a funding agency to carry out the necessary proccessing in connection with the awarding and administration of grants, such as the eligibility check, the monitoring and the evaluation of the funding.
If that prior consent is obtained, processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
Public authorities may also process your data for the performance of a task carried out in the public interest or in the exercise of official authority vested in them purusant to Article 6 (1)(e) GDPR.
2.4 Information on shared responsibility:
Joint controller agreements for the data processings described in Clause 2.2 were entered into between the FFG and the respective funding provider pursuant to Article 26 GDPR.
It was agreed that the FFG shall act as the central contact point for data protection issues.
Further information on the allocation of tasks and the shared responsibility can be found at datenschutz@ffg.at.
In certain cases, the FFG also acts with other institutions as a joint funding agency. In the case of IPCEI funding, the FFG and Austria Wirtschaftsservice Gesellschaft mbH (aws) are joint controllers for the data processing regarding the funding.
2.5 Data retention period
In any case, the data are stored for 10 years
a) as of the last communication if the application or offer was withdrawn or not followed up, or a negative decision was issued, and
b) as of the end of the year in which the total funding or the total compensation was paid if a positive decision was issued.
If statutory provisions or provisions under EU law stipulate longer terms, these shall apply.
2.6 Data recipients
Your data are passed on to the following third parties under the terms of a legal obligation:
- Bodies and officials of the Court of Audit (in particular section 3 (2), section 4 (1) and section 13 (3) of the Court of Audit Act, Federal Law Gazette No. 144/1948 as amended from time to time).
- Federal Ministry of Finance (in particular sections 43 to 47 of the Federal Budgeting Act, Federal Law Gazette No. 213/1986 as amended from time to time).
- EU institutions and other authorities concerned with federal funding.
If we collect data on your credit worthiness, your identity data will be passed on to credit bureaus.
In all other cases, the FFG will transfer your data to third parties only if this is stipulated by law or in case the data subject has consented to the disclosure.
3. eCall
3.1 Purpose of data processing
We process your data in eCall to enable you to create and manage your user account in eCall and to use eCall’s functions as digital support within the funding process from submitting the application to the granting and monitoring of funding.
The purpose of the processing of protocol data is to monitor the use of eCall to detect, prevent and investigate attacks on our website.
Subject to compliance with statutory requirements, in particular with the requirements of the Telecommunications Act (Telekommunikationsgesetz, TKG), we will use your indicated e-mail address to send you information on activities of FFG and general information which may be of interest to you.
3.2 Scope of the processing of personal data
For registering a user account in eCall and in the course of your use of the platform, we will process the following data:
- First name, last name
- Company name, designation of the related enterprise
- Postal address
- Position held by the data subject with the funding applicant
- Power of representation of the data subject
- Details on representation in eCall
- E-mail address
- Login data (username, password)
Furthermore, we collect the following data automatically upon your registration:
- Information on transactions executed in eCall,
- log data on the date of the last activity in the user account,
- status of an application in eCall,
- protocol and documentation data (e.g. IP address, name and version of your web browser).
3.3 Legal basis for processing personal data
We process these data to enable you to use eCall as desired and thus for the performance of a contract pursuant to Article 6(1)(b) GDPR.
To the extent the data of your visit to eCall are processed, this processing is justified by our legitimate interest pursuant to Article 6(1)(f) GDPR, which is, in particular, to protect our website from attacks and misuse and to safeguard the security and stability of our systems.
3.4 Data retention period
We will process your data until your application has been processed, your funding has been handled or for the time you maintain a valid user account with us; we will store your data beyond these dates in accordance with the retention periods stipulated by law, or for as long as relevant warranty periods or statutes of limitation still apply.
3.5 Data recipients
For the purpose of further developing eCall, we use an IT service provider who may, in certain cases and based on our order and our instructions, also obtain access to personal data to render the commissioned IT services.
In all other cases, FFG will transfer your data to third parties only if this is stipulated by law or in case the data subject has consented to the transfer.
4. Marketing
4.1 Purposes of data processing
We will use your personal data for sending you general messages and information on activities of FFG, its funding programmes and other offers from the field of science and research which may be of interest to you. This is only part of our direct marketing measures.
Moreover, we will use your personal data to determine the interests reflected in our funding recipients’ subsequent enquiries, and the impact of advertising campaigns on you, as well as to make statements about the potential future research behaviour and to adjust our programmes and other corporate strategies accordingly. The results of these processing operations are not correlated to your identity.
In the cases described, your indicated contact details are used in compliance with other statutory requirements, in particular with the requirements of the Telecommunications Act (TKG).
4.2 Scope of the processing of personal data
The following categories of data are processed by FFG for marketing purposes:
- First name, last name
- Gender
- Company name, designation of the enterprise
- Serial numbers
- Telephone and fax number
- Postal address
- E-mail address
- Indicator showing objection to advertising material
- Prohibition of data transfer to mailing list providers
- Designation of the profession, industry or business
- Correspondence language
- Company register data
- Date of birth, if indicated
- Interests reflected in subsequent enquiries
- Information on services provided
- Reaction of the data subject to FFG services
- Other response behaviour
- Subscription to the newsletter (Yes/No)
- Function and affiliation with the client or interested party
4.3 Legal basis for processing personal data
The processing of these personal data for direct marketing purposes constitutes a legitimate interest of FFG to reach interested parties and funding recipients as best as possible and to adjust its PR strategies accordingly. The legitimate interest pursuant to Article 6(1)(f) in particular is thus the legal basis for data processing.
If prior consent is obtained (e.g. when subscribing to a newsletter), processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
In certain cases, Article 6(1)(c) GDPR in conjunction with section 2 (1) FOG also forms the legal basis for the contacting of recipients of Article 89 benefits or applicants.
4.4 Data retention period
The FFG stores your master data for up to three years following the termination of the funding contract: for FFG’s own marketing purposes, for sending advertising materials on its own activities and funding programmes, and for the purpose of establishing a business relationship based on these offers, unless you object to the processing of your data for these purposes. Your data will therefore be deleted three years from your last communication with FFG or earlier in case you submit an objection.
4.5 Data recipients
We may use service providers to render marketing services, to implement marketing activities and, in particular, to send mailings and newsletters.
In all other cases, the FFG will transfer your data to third parties only if this is stipulated by law or in case the data subject has consented to the transfer.
5. Newsletter service
5.1 Purpose of data processing
We process your contact details for the purpose of sending you the newsletter you subscribed to.
Collecting other personal data when registering serves to prevent any misuse of the services or of the e-mail address used.
The data are used in compliance with statutory requirements, in particular with the requirements of the Telecommunications Act (TKG).
5.2 Scope of the processing of personal data
You have the possibility to subscribe to our newsletter for free on our website. We will collect the following personal data upon registration for the newsletter:
- First name, last name
- E-mail address
Furthermore, the following data are automatically collected upon registration:
- IP address of the accessing computer
- Date and time of registration
5.3 Legal basis for processing personal data
During the registration process for the newsletter, you will be asked to consent to the processing of your data; thus, the legal basis is Article 6 (1)(a) GDPR.
We use the so-called double opt-in procedure to ensure that the newsletter is sent based on your consent. In the course of this procedure, the potential recipient is added to a mailing list. In the next step, the user is sent a confirmation e-mail for him/her to confirm the subscription with legal certainty. The address will be activated in the mailing list only if the subscription is confirmed.
The automatic collection of the personal data upon registration is justified by our legitimate interest pursuant to Article 6(1)(f), which is to prevent the misuse of the services or of the e-mail address used.
5.4 Withdrawal of consent
You may unsubscribe from the newsletter at any time.
You may at any time withdraw your consent to the storing of your data, your e-mail address and its use for newsletter dispatch, e.g. by clicking the “unsubscribe” link in the newsletter.
5.5 Data retention period
Your data will be stored for the duration of your newsletter subscription.
5.6 Data recipients
For the purpose of sending the newsletter, we use a marketing service provider (Newsletter2Go GmbH) as processor, who may, based on our order and our instructions, also obtain access to personal data to render the commissioned services.
In all other cases, the FFG will transfer your data to third parties only if this is stipulated by law or in case the data subject has consented to the transfer.
5.7 Tracking in Newsletter2Go
Newsletter2Go, the newsletter software used by FFG, has its own tracking system. It serves to measure the number of newsletter recipients who have actually opened the newsletter and how many of them clicked the individual links.
This information is anonymised and subsequently aggregated; this means that figures are available, but they cannot be attributed to individual persons.
The information is used for evaluating how the newsletter is used, to create reports on the activities of the recipients, to design the newsletter based on needs and to provide interesting content. Such use of the aggregated data constitutes a legitimate interest of FFG. Since FFG is not able to attribute the data to individual recipients, the fundamental rights and freedoms of the data subject are not threatened.
The FFG’s legitimate interest pursuant to Article 6(1)(f) GDPR is the legal basis for this processing operation.
6. Internship database
6.1 Purpose of data processing
Processing of data of interns applying for an internship via the website www.ffg.at and of the party offering the internship (contracting party) for the purpose of arranging the company placement and granting and handling the funding provided to the contracting party for the internship.
Your data entered via the online platform will be used by the respective contracting party exclusively for purposes related to processing your application and considering it in the application procedure for the placement you applied for. The platform is managed and coordinated by FFG and enables interested parties to apply for an internship.
All data regarding the contracting party, except the name of the contact person, will be published on the website www.ffg.at.
The name of the contact person will be published in the internship posting only if the data subject’s consent has been obtained.
6.2 Scope of the processing of personal data
The following data of internship applicants are collected:
- E-mail address
- First and last name
- Postal address
- Telephone number
- Date of application
- Internship title
- Date of birth
- Information on the attended school
- Grade
- Fall semester grade report
- Motivation letter
The information is collected in mandatory fields. Still, these data are provided on a voluntary basis; however, should you choose not to make available the data required in the fields marked as mandatory, the contracting party may be unable to process your application as certain information about you is required for assessing your suitability for a job.
The following data are collected within the scope of the publication of an offer by the contracting party and/or the contact person at the contracting party:
- First and last name of the contact person
- Designation/company name of the contracting party
- E-mail address
- Specific department (classification)
- Postal address
- Website
- Description of the internship (project)
- Timeframe of the internship
6.3 Legal basis for processing personal data
For the processing of the data, we refer to Article 6(1)(b) GDPR, namely processing to perform a contract or to take steps prior to entering into a contract, as legal basis.
If that prior consent is obtained, processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
6.4 Data retention period
Your data will be stored for as long as the position you applied for has not been staffed.
6.5 Data recipients
Your data will be passed on to the respective contracting party where you applied for a placement.
7. Application procedure
7.1 Purposes of data processing
The data you entered via the online form will be collected, stored and processed exclusively for purposes related to processing your application and considering it in the application procedure, as well as for choosing a candidate for the position you applied for.
If you separately consent to the retention of your candidate details in your candidate profile for potential future vacancies, storing your data will be necessary for us to be able to inform you of suitable positions becoming vacant in the future. If a candidate profile is created, FFG will thus store your candidate details until the profile is deleted and contact you in case of a vacancy.
7.2 Scope of the processing of personal data
The following data required by FFG for handling your application are processed:
- First name
- Last name
- Date of birth
- Nationality
- Postal address
- Telephone number
- E-mail address
- CV
The information is collected in mandatory fields. Still, these data are provided on a voluntary basis; however, should you choose not to make available the data required in the fields marked as mandatory, the contracting party may be unable to process your application as certain information about you is required for assessing your suitability for a job.
You can enter any other information not marked as mandatory, namely:
- Title
- Photograph
- Compulsory military service
- Salary expectations
- Education
- Grade reports and certificates
- Motivation letter
- Data from Xing profile
- Data from LinkedIn profile
on a voluntary basis and upload relevant documents which will then be used by FFG for the same purposes as the mandatory data.
In addition, the following data are collected with a view to creating a candidate profile:
- User name
- Password
7.3 Legal basis for processing personal data
The legal basis for the joint processing of candidate details is Article 6(1)(b) GDPR, namely processing to perform a contract or to take steps prior to entering into a contract. By applying for a position at our company, you direct to us a respective request for the processing of your candidate details within the scope of the application procedure, which requires the processing of data in the manner indicated above.
Insofar as the processing of data made available by you on a voluntary basis (also data subject to particular protection) is concerned (e.g. religious affiliation), the processing is based on your explicit consent within the meaning of Article 6(1)(a) in conjunction with Article 9(2)(a) GDPR which you have granted to us by filling in the online form.
Also in case that your data have been made available to us via a candidate profile created on a voluntary basis and thus without reference to a specific job offer, your data will only be processed based on your consent (Article 6(1)(a) GDPR).
7.4 Data retention period
Your personal data will be stored electronically for the duration of the application procedure as well as for as long as claims under the application procedure may be asserted.
Insofar as you have granted your consent to the processing of certain data, we might, if necessary, delete such data even earlier if you withdraw your consent.
You can withdraw your consent at any time in oral, written or electronic form, with effect for the future and without stating reasons.
7.5 Data recipients
Without your consent, your data will not be passed on to third parties for their own purposes.
8. Dealing with complaints under the Austrian Web Accessibility Act (Web-Zugänglichkeitsgesetz, WZG)
8.1 Purpose of processing:
The purpose of the processing is handling and documenting complaints under section 5 (1) (1) WZG.
FFG shall accept and examine complaints concerning infringements of the provisions of the Web Accessibility Act by the federal government or institutions attributable to it, in particular, deficiencies regarding conformity with accessibility requirements.
8.2 Scope of the processing of personal data:
The following personal data are processed by the complaints office in the course of dealing with and handling complaints under the Web Accessibility Act, it being understood that the specific scope may vary depending on the complaint:
Complainant:
- Name, first name
- E-mail address
- Telephone number and other contact details
- Further personal information depending on the content of the complaint (if indicated on a voluntary basis)
- Health information (if indicated on a voluntary basis)
Contact person with the entities concerned
- Name, first name
- Company name, related organisation, related organisational unit
- E-mail address and other information enabling us to contact you
- Attributable websites and mobile applications
8.3 Legal basis for processing personal data
The legal basis for this processing operation is provided by Article 6(1)(c) GDPR in conjunction with section 5 of the Web Accessibility Act, Federal Law Gazette I No. 59/2019 as amended, insofar as no special categories of personal data within the meaning of Article 9(1) GDPR are processed.
If special categories of personal data within the meaning of Article 9 GDPR (e.g. data concerning health) are transferred to FFG along with the complaint, such data are processed only in an extent indispensable for handling the complaint procedure.
In this case the constituent elements of the processing are the substantial public interest within the meaning of Article 9(2)(g) GDPR in functioning and effective enforcement proceedings aimed at ensuring digital accessibility of the websites and mobile applications of the federal government and its institutions for the benefit of the Austrian population.
The necessity for such enforcement proceedings can be derived directly from Directive (EU) 2016/2102 on the accessibility of the websites and mobile applications of public sector bodies which support the member states of the European Union in meeting their national obligations concerning the accessibility of websites and implement the member states’ commitment to the UN Convention on the Rights of Persons with Disabilities with regard to the websites of public sector bodies.
8.4 Data retention period
In any case, your personal data will be stored for the duration of the complaint proceedings and will be deleted within six months after the last communication regarding the respective complaint at the latest.
8.5 Data recipients
If an infringement of provisions concerning the equal treatment requirement set out in federal laws is identified in the course of the complaint proceedings, the complaint may, pursuant to the provisions of the Web Accessibility Act, be passed on to the respective institution competent, in accordance with these provisions, for complaints of data subjects (e.g. Federal Disability Ombudsman or the Ombud for Equal Treatment).
Other than that your personal data will not be passed on to third parties without your consent.
9. Data processing by the funding service department (Förderservice)
9.1 Purpose of data processing
The funding service department is the key contact point when it comes to external enquiries regarding funding and advice provided by FFG. The purpose of the processing activities at hand is thus ensuring that (external) enquiries on funding and advice provided by FFG are handled and replied to in an effective and target-oriented manner.
9.2 Scope of the processing of personal data
Within the scope of an enquiry to the funding service department, among other things the following categories of personal data of the enquiring persons are processed:
- First name, last name
- Enterprise, related organisational unit
- Contact details, such as telephone number, e-mail address
- Information on the content of the enquiry
- Date of the enquiry / advice
9.3 Legal basis for processing personal data
To the extent that the relevant personal data are required for the initiation or performance of contractual obligations vis-à-vis you or for the performance of obligations vis-à-vis you prior to entering into a contract, Article 6(1)(b) GDPR shall form the legal basis.
The legitimate interests of the controller within the meaning of Article 6(1)(f) GDPR shall also be named as constituent elements for the processing. In the case at hand, such legitimate interests are ensuring that (external) enquiries on funding and advice provided by FFG are handled and replied to in an effective and target-oriented manner by the funding service department.
The active advice on funding and funding offers as well as their handling also forms part of FFG’s scope of responsibilities as set out in section 3 FFG-G.
9.4 Data retention period
Your personal data will be deleted or made unavailable by us as soon as the purpose for storing and processing such data no longer applies, provided that no longer retention period is stipulated by statutory provisions.
9.5 Recipients
Your personal data will not be passed on to third parties without your consent.
10. Handling of research and development services
10.1 Purposes of data processing:
Processing the data of bidders for handling tender procedures concerning orders related to research and development services by the controller.
Processing the data of bidders and/or contract partners with a view to handling the contracts.
10.2 Scope of the processing of personal data
Bidders and contract partners
- Designation / first and last name
- Legal form,
- Date of birth,
- Title,
- Salutation,
- Place of birth,
- Gender,
- Nationality/registered address,
- Postal address,
- TIN,
- Company register number,
- Telephone number,
- Fax number,
- URL,
- Year of incorporation,
- Information for identification (ID number, issuing authority, date of issuance of official photo ID, national identification in form of sector-specific personal identifiers)
- Project manager details,
- Project partner details,
- Economic information (object of the enterprise, industry, information on creditworthiness, turnover, number of employees),
- Project details (project name, project description, duration, research topic, classification, project location, project costs),
- Other information such as, in particular, bank details, job position, data required for the proper handling and evaluation of applications, offers and contracts
10.3 Legal basis for processing personal data
Processing is required for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b) GDPR).
Processing is required for compliance with a legal obligation the controller is under (Article 6(1)(c) GDPR).
10.4 Data retention period
Your personal data will be deleted or made unavailable by us as soon as the purpose for storing and processing such data no longer applies, provided that no longer retention period is stipulated by statutory provisions.
11. FFG - Quick check
11.1. Purposes of data processing:
The goal of the quick check (https://www.ffg.at/quickcheck) is in particular to provide support to our clients so that they receive a recommendation as to what funding instrument appears to best fit their situation, and thus to avoid incorrect or futile funding applications.
In this context, the purpose of the processing activities at hand is, in particular, ensuring that (external) enquiries on funding and advice provided by FFG are handled and replied to in an effective and target-oriented manner.
11.2. Scope of the processing of personal data
Enquiring clients:
- First name
- Last name
- Street
- Post code
- Place
- E-mail address
- Telephone number
If you include personal data in the key elements of your project, these data will also be recorded. (e.g. information on project partners entered by you).
11.3. Legal basis for processing personal data
Consent within the meaning of Article 6(1)(a) GDPR is being obtained via the registration form.
The active advice on funding and funding offers as well as their handling also forms part of FFG’s scope of responsibilities as set out in section 3 FFG-G.
The legitimate interests of the controller within the meaning of Article 6(1)(f) GDPR shall also be named as constituent elements for the processing. In the case at hand, such legitimate interests are thus the effective and target-oriented handling and replying to (external) enquiries on funding and advice provided by FFG. There is no threat to the rights and fundamental freedoms of data subjects, as both FFG and its employees are subject to a statutory obligation of confidentiality pursuant to section 9 (4) FFG-G.
11.4. Data retention period
Your personal data will be deleted or made unavailable by us as soon as the purpose for storing and processing such data no longer applies, provided that no longer retention period is stipulated by statutory provisions.
12. Event registration and event organisation
12.1. Purposes of data processing:
Using the data of event participants and persons interested in events for the purpose of planning and organising events, sending invites and administrating participation in the events.
12.2. Scope of the processing of personal data
Event participants:
- Salutation
- First name
- Last name
- E-mail address
- Telephone number
- Postal address
- Billing address
- Related organisation (company name/designation)
- The participant’s function in the organisation (optional)
- Designation of the profession, industry or business
- Consent to receiving promotions
- Special needs
- Consent to event photos being used on the website and on social media platforms for the purpose of advertising the event
Please take into account that the personal data requested within the scope of the registration may vary depending on the event.
12.3. Legal basis for processing personal data
Consent within the meaning of Article 6(1)(a) GDPR is being obtained via the registration form.
The legitimate interests of the controller within the meaning of Article 6(1)(f) GDPR shall also be named as constituent elements for the processing. In the case at hand, such legitimate interests mean FFG and its cooperation partners and/or co-organisers being able to handle the event in an effective and target-oriented manner.
12.4. Data retention period
Deletion will be carried out in accordance with statutory provisions.
In any case, the data will be stored until the event and/or its follow-up is over or until consent is withdrawn.
12.5. Data recipients
Certain data are passed on to cooperation partners of FFG and/or to co-organisers of the events for the purpose of organising and handling the respective event.
It is not possible to provide an exhaustive list of all co-organisers and cooperation partners at this point. For this, please take note of the specific description of the event and the involved event organisers.
In all other cases, your personal data will not be passed on to third parties without your consent.
12.6. Note on further processing for statistical purposes and target group optimisation
We evaluates data from event participants for statistical purposes and to optimise target groups.
Certain information (e.g. number of participants, gender distribution) is used in anonymised form in order to evaluate our events in a comparable manner and to generate data for impact monitoring.
The anonymised evaluations are made available to third parties, in particular the federal government of Austria ("Bund").
The legal basis for this processing is our legitimate interest pursuant to Article 6(1)(f) GDPR. Our legitimate interest is to make anonymised evaluations for statistical purposes and, if necessary, to improve our events or to better adapt them to the target audience.
13. Online-Meetings
13.1 Purposes of data processing:
The purpose of processing is communication via the video conferencing and web conferencing platform "Zoom" to carry out phone conferences, online meetings, video conferences and/or webinars (hereinafter "Online Meetings").
13.2 Scope of the processing of personal data:
The scope of data will depend on which data you provide prior to or during participation in the Online Meeting.
The following personal data may be the subject-matter of the processing:
User:
- First name,
- Last name,
- Telephone number (optional),
- E-Mail adress,
- Password (if „Single-Sign-On“ is not used),
- Profile picture (optional),
- Department (optional)
- Text, audio and video data
You may be able to use the chat, question or polling functions during the Online Meeting. In this case, the text you enter will be processed in order to display and record the text entered during the Online Meeting. The data captured by the microphone or the video camera of your device will be processed throughout the duration of the meeting in order to display video and playback audio.
Meeting Metadata:
- Topic,
- Description (optional),
- participant IP addresses,
- device/hardware information
Telephony Usage Data (Optional):
- Call In Number,
- Call Out Number,
- Country Name,
- Start and End time,
- Host Name,
- Host Email,
- MAC Address of device used
Recordings (optional):
- Mp4 of all video, audio and presentations,
- M4A of all Audio,
- Text file of all in meeting chats,
- Audio transcript file
13.3 Legal basis for processing personal data
The legal basis for the data processing involved in conducting Online Meetings is Art. 6(1)(b) GDPR as long as the meetings are necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
If there is no contractual relationship, the legal basis is the legitimate interest according to Art. 6(1)(f) GDPR. The legitimate interest in this context is the effective conduct of Online Meetings and the associated communication on the part of the data controller.
If recordings are made during the Online Meeting, the prior consent of the data subjects will be obtained according to Art. 6(1)(a) GDPR.
13.4 Data retention period
Your personal data will be deleted by us as soon as the purpose for storing and processing such data no longer applies, provided that no longer retention period is stipulated by statutory provisions.
13.5 Recipients
The IT service provider Zoom Video Communications, Inc. is used as the data processor for Online Meetings. The processor may have access to personal data on our behalf and according to our instructions in order to be able to provide the necessary services.
The FFG has concluded a data processing agreement with Zoom Video Communications, Inc. in compliance with Art. 28 GDPR.
Zoom Video Communications, Inc. is based in the United States. An adequate level of data protection is provided by the conclusion of the EU standard contractual clauses.
In all other cases the FFG will only transmit or disclose data to third parties if mandated by statutory provisions or if the data subject has given his/her consent.
14. Photos and video recordings at events
14.1 Purposes of data processing:
The purpose of processing is to create photos and video recordings for publications via various
media.
It covers, for example, the taking, storage and transmission of photographs and video recordings in
word and image in connection with the activities of the data controller. The data may be published in
various media (analogue and digital).
14.2 Scope of the processing of personal data:
Participants at events:
- photos,
- video recordings.
14.3 Legal basis for processing personal data:
If informed consent is obtained (e.g. event registration), processing shall be based on such consent
pursuant to Article 6(1)(a) GDPR.
In all other cases, the photographs and video recordings are taken on the basis of a legitimate
interest pursuant to Article 6(1)(f) GDPR.
The legitimate interest of the data controller for the recording and dissemination of the recordings
and photos made consists in the public relations work of the data controller, the presentation of his
or her activities and the fulfilment of the tasks assigned to him or her under the Research Promotion
Agency Act (Forschungsförderungsgesellschaftsgesetz – FFGG).
If you do not agree with the taking of photos or video recordings of yourself, you can object at any
time to the person taking the pictures or a member of staff of the data controller present on site.
14.4 Data retention period
Your personal data will be deleted by us as soon as the purpose for storing and processing such data
no longer applies, provided that no longer retention period is stipulated by statutory provisions.
Your data will also be deleted as soon as you successfully object or revoke your consent.
14.5 Recipents
Your data may be passed on to the following recipients in particular:
- marketing service providers,
- ministries,
- Co-organiser,
- Media owner for publication,
- other processors.
15. Database for the Innovationsscheck
15.1 Purposes of data processing
The purpose of the processing is to operate a publicly accessible database on the FFG website (https://www.ffg.at/forschungspartner-fuer-den-innovationsscheck), which can be used to search for potential research partners. In addition to key data on the individual institutions, further information and the relevant contact persons are also published.
15.2 Scope of the processing of personal data
The following data of the institutions concerned will be published:
- Name
- Address
- Website
- Type of organisation
- R&D staff
- Branch(es)
- Additional keywords, if applicable
- If applicable, additional information on the organisation
- Contact (e.g. first name, last name, title, position, organisational unit, telephone number, e-mail address)
The following data is processed from the persons making entries:
- Name of the organisation
- User name
- Password
- If applicable, consent to receive additional information
- Technical data in connection with use and registration (e.g. log data, IP address)
15.3 Legal basis for processing personal data
If that prior consent is obtained, processing shall be based on such consent pursuant to Article 6(1)(a) GDPR.
Likewise, the legitimate interest of the data controller pursuant to Article 6(1)(f) DSGVO is to be named as the legal basis. The legitimate interest here is the interest of FFG in enabling the data subjects to use the database effectively.
15.4 Data retention period
Your personal data will be deleted or made unavailable by us as soon as the purpose for storing and processing such data no longer applies, provided that no longer retention period is stipulated by statutory provisions.
15.5 Data recipients
The data designated for publication will be made available to the public.
16.Use of reCAPTCHA
16.1 Purposes of data processing:
The reCAPTCHA application from Google is used on the website for the eCall registration (https://ecall.ffg.at/Registrieren).
The purpose of using this application is to prevent machines, computer programmes or malware (e.g. bots) from registering on the website and gaining access to our systems.
16.2 Scope of the processing of personal data:
In particular, the following data is processed:
- Website that integrates reCAPTCHA
- IP address
- Date and time zone
- Referrer URL (the address of the website from which the visitor came)
- Information about the operating system (Windows, Linux, iOS)
- Cookies, if applicable (other Google cookies from the last 6 months)
- Mouse movements and keyboard strokes
- Length of visit
- Settings of the user device (e.g. language settings, location, browser, etc.)
16.3 Legal basis for processing personal data:
The legal basis for the processing is the legitimate interest of FFG pursuant to Article 6(1)(f) GDPR.
FFG has a legitimate interest in using reCAPTCHA to prevent and stop the misuse of FFG's online services.
16.4 Data retention period:
The personal data will be deleted by FFG as soon as the purpose of storage and processing no longer applies, provided that there is no legal obligation for longer storage.
16.5 Recipients:
The service provider of reCAPTCHA is Google Ireland Limited, a company based in Ireland.
However, personal data may also be transferred to its parent company Google LLC. This company is based in the United States of America (USA).
An adequacy decision of the European Commission pursuant to Article 45 GDPR (so-called "EU-US Data Privacy Framework") has been issued for the USA. Google LLC is certified according to the "EU-US Data Privacy Framework".
IV. Rights of the data subject
1. Right to access
You have the right, vis-à-vis us, to request access to all data concerning you processed by FFG. In particular, you may request the following information from us:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from the data subject, any available information as to their source;
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether your personal data is passed on to recipients in third countries or international organisations. In this context, you may demand to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.
2. Right to rectification and right to restriction of processing
You may request the rectification of inaccurate data or have incomplete data completed. You may, under certain circumstances, for example if the accuracy of the data is contested, demand restriction of processing until the accuracy of the data is verified to the extent that such data may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
3. Right to data portability
You may demand that FFG transmits to you - or if technically feasible to a third party indicated by you - a copy of your data in a structured, commonly used and machine-readable format. In addition, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract pursuant to Article 6(1)(b) GDPR, and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the relevant personal data transmitted directly from one controller to another, where technically feasible. Rights and freedoms of others shall not be adversely affected by the above.
4. Right to erasure
Under certain circumstances, you have the right to obtain erasure of your data, e.g. if your data is not processed in accordance with data protection requirements.
If you have asserted your right to rectification, erasure or restriction of processing vis-à-vis FFG, we are obligated to communicate such rectification or erasure of data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
5. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions.
In that case, the controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
6. Right to withdraw declaration of consent under data protection law
You have the right to withdraw your declaration of consent at any time.
The withdrawal of consent shall not affect the lawfulness of any consent-based processing performed until the withdrawal.
7. Supervisory authority
Irrespective of the possibility to bring an action before a Regional Court (Landesgericht) pursuant to section 29 (2) of the Austrian Data Protection Act or of other remedies, if any, you shall have the right to lodge a complaint with the national supervisory authority in your place of residence if it is assumed that the processing of personal data is carried out unlawfully.
In Austria, this national supervisory authority is the Data Protection Authority (https://www.data-protection-authority.gv.at/).
V. Contact
In connection with any of the above matters, in particular, with regard to exercising your rights as data subject, as well as in case you have any further questions, please contact the following e-mail address:
If you wish to exercise your data protection rights, please enclose an adequate proof of identity.