Data protection regulation
Privacy Notice of the BMKOES according to Article 13 of the GDPR
The Federal Ministry for Arts, Culture, the Civil Service and Sport (BMKOES) gives top priority to handling personal data in a responsible way.
As our websites continue to be developed and new technologies are implemented, changes to this Privacy Notice may become necessary. Therefore, we recommend you to read this Privacy Notice again from time to time.
Legal basis of data protection
- The BMKOES and its websites process data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR) as amended as well as the Austrian Data Protection Act (https://www.ris.bka.gv.at/Dokumente/Erv/ERV_1999_1_165/ERV_1999_1_165.html) as amended, and relevant subject-specific legal acts (e.g. Art Promotion Act – ) as amended.
- The BMKOES is the controller of the data obtained from the users under the terms of the GDPR.
- Processor
We use external service providers (processors), for example, for developing, making available and updating content. Separate data processing agreements have been made with those service providers in order to ensure the protection of your personal data.
We co-operate with the following service providers:
section.d – design.communication gmbh (in particular, development of the web application)
Alexandra Grausam (in particular, ongoing content development for the website)
BRZ GmbH (in particular, hosting and ongoing technical support for the website)
Current versions of the legal acts are accessible free of charge in the Legal Information System of the Republic of Austria at www.ris.bka.gv.at.
Definitions
Legislation requires that personal data are processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”). To comply with these principles, we include information on the legal terms and definitions also used in this Privacy Notice:
1. Personal data
“Personal data” is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
2. Processing
“Processing” is any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
3. Restriction of processing
“Restriction of processing” is the marking of stored personal data with the aim of limiting their processing in the future.
4. Profiling
“Profiling” is any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Profiling: Personal user profiles are not generated.
5. Pseudonymization
“Pseudonymization” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
6. Filing system
“Filing system” any structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis.
7. Controller
“Controller” is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
8. Processor
“Processor” is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
9. Recipient
“Recipient” is a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing.
10. Third party
“Third party” is a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
11. Consent
The “consent” of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Lawfulness of processing
The processing of personal data is lawful only if there is a legal basis for processing. In accordance with Article 6 (1) (a) to (f) of the GDPR, such a legal basis exists if:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
- Which data do we collect from visitors of our website and how do we use these data?
We consider it our prime task to keep confidential the personal data you provide in the context of your visit to the AWAY website and to protect them against unauthorized access. Therefore we take utmost care and apply state-of-the-art security standards to ensure maximum protection of your personal data.
The Federal Ministry for Arts, Culture, the Civil Service and Sport as well as the private-sector company section.d – design.communication gmbh that is responsible for the website’s design and implementation, the small businesswoman Alexandra Grausam and BRZ GmbH are subject to the provisions of the GDPR and DSG. We have taken technical and organizational measures that ensure compliance with data protection legislation both by us and the external service providers we commissioned.
The legal bases for processing your personal data within the framework of our website are Article 6 (1) (e) and, in the case that we obtain your consent, Article 6 (1) (a) of the GDPR. The legitimate interest according to Article 6 (1) (f) lies in the secure and reliable provision of information on the website and the user-friendly and effective implementation of website visits.
Information on the collection of personal data
(1) We inform you below about the collection of personal data when you use our website. Personal data are, for example, name, address, e-mail address and user data.
(2) When you contact us by e-mail or telephone, the data you communicate (your e-mail address and, if applicable, your name and telephone number as well as your request) are stored by us to answer your questions. We delete the data gathered in this context when their storage is not required any more or, in case of legal retention obligations, we restrict processing.
Collection of personal data during visits in our website server logs
When you only use the website to obtain information, i.e. if you do not register or communicate information to us in any other way, we only collect the personal data that your browser transmits to our server. When you want to view our website, we collect the following data that are technically required to display our website to you and to ensure stability and security. Each access to the website is registered in a server log file with the following personal data for 30 days:
- IP address
- date and time of the access
- time zone difference to Greenwich Mean Time (GMT)
- content of request (specific webpage)
- access status/HTTP status code
- data volume transmitted
- website from which the request originates
- browser
- operating system and its interface
- language and version of the browser software.
The collection of these data is indispensable for making available and operating the website, in particular for displaying the website and ensuring stability and security.
The web application is developed by the private-sector company section.d – design.communication gmbh while BRZ GmbH is responsible for hosting and ongoing technical support.
These data are exclusively used for the purpose of checking system security. They do not serve for personal data analyses or profiling. Your IP address is examined in case of attacks on internet infrastructure.
The data are processed while you use this website. You are not obliged by law or contract to make available your personal data and you can avoid further data processing by leaving the website.
Use of cookies
(1) In addition to the data listed above, technically required cookies are saved to your computer when you use our website. Cookies are small text files that are stored on your hard disk in association with the browser you use and providing certain information to the party placing the cookie. Cookies cannot execute programs or transfer viruses to your computer. They only serve for making the internet offering more user-friendly and more effective overall.
(2) This website uses the following types of technically required cookies whose scope and functioning is explained below:
- transient cookies (see (a))
- persistent cookies (see (b))
(a) Transient cookies are automatically deleted when you exit your browser. They include, in particular, session cookies. These contain the session ID that allows for attributing various requests of your browser to a session. As a result, your computer can be recognized when you return to our website. Session cookies are deleted when you log out or exit the browser.
(b) Persistent cookies are automatically deleted after a predefined period of time that may vary depending on the cookie. The cookies are stored on the user’s computer and transmitted by him/her to the website. Thus, as a user, you have full control on the use of cookies. By modifying the settings of your internet browser you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted anytime. This may also be done automatically. If you disable cookies for our website, you may not be able to fully use all the functionalities of the website.
(c) You may configure your browser settings in line with your preferences and, for example, reject third-party cookies or all cookies. “Third-party cookies” are cookies placed by a third party and, hence, not by the website you are currently visiting. Please note that you may not be able to use all the functions of this website when you disable cookies.
Social plug-ins
The website does not use social plug-ins and does not send any data to social media. There are, however, hyperlinks to social media that take you to the social media channels of Away that are opened in separate tabs. Data are not transmitted from the website to those social media channels. As soon as you leave the website, the BMKOES does not have any influence on data processing by the providers of social media channels. The data protection framework for those channels is defined in the privacy notices of the relevant providers.
Matomo
(1) This website uses the Matomo web analytics platform for analyzing the utilization of our website and for regularly improving it. Based on the data obtained (statistics), we are able to improve our offering and make it more interesting for our users.
(2) To optimize our internet offering, we use the Matomo web tracking tool (previously Piwik) that is operated on the server of BRZ GmbH. Matomo is applied in compliance with data protection regulations under the terms of the GDPR. Matomo immediately anonymizes the IP addresses so that the users cannot be identified. Anonymous statistical data are stored separately from any personal data you may have provided and cannot be traced back to a specific person.
(3) This website uses Matomo with the AnonymizeIP add-on. Thus, IP addresses are truncated for processing so that they cannot be directly related to specific persons. The IP address transferred by your browser by means of Matomo is not combined with other data collected.
(4) The Matomo software is an open source project. Information on data protection provided by this third party is available at https://matomo.org/privacy-policy.
Other features and services offered on our website
(1) In addition to reading information on our website, you may also be interested in using various services we offer. As a rule, this requires that you provide further personal data that we use to render the service in question subject to the above data processing principles.
(2) In part, we use external service providers (see above) to process your data. They have been carefully selected and commissioned by us, are bound to comply with our instructions and are controlled regularly.
Storage duration
Without prejudice to any information given on the applications, we point out that your data will be deleted as soon as they are not needed anymore or when another condition for deletion applies according to Article 17 of the GDPR.
Any other inquiries you address to the BMKOES are kept on file on paper or in an electronic format in line with the retention periods applying to correspondence. Your data are exclusively used for directly corresponding with you.
Transfer of personal data to third parties
Apart from the involvement of third parties (e.g. processor, artists, grant recipients) in providing information to you, your data will only be transferred to third parties based on legal obligations insofar and as long as they are processed within the framework of the website or the services offered, for example if required by a court decision or for the purpose of legal proceedings or criminal prosecution in case of attacks on the internet infrastructure.
Protection of minors
Persons aged less than 14 years should not transmit any personal data to us without the consent of their parents or guardian. We do not request any personal data from children and young people. We do not knowingly collect or pass on such data to third parties.
In the case of an information society service directly offered to a child, the consent given to processing the child’s personal data according to Article 6 (1) (a) of the GDPR is lawful if the child has completed his/her fourteenth year.
Profiling
Personal user profiles are not generated.
Your rights
On principle, you have the right of access, rectification, erasure, restriction of processing, data portability, withdrawal and objection. If you consider that the processing of your data infringes data protection law or your rights under data protection law have been violated in any way, you may lodge a complaint with the supervisory authority. In Austria, this is the Austrian Data Protection Authority.
You can exercise the following rights you have under the General Data Protection Regulation by sending an informal request to the BMKOES:
- You have the right of access, i.e. you can obtain a confirmation as to whether or not personal data concerning you are being processed. If this is the case, you have the right to get information on the personal data processed (Article 15 of the GDPR).
- If the personal data concerning you are inaccurate, you have the right to demand their rectification. If you find that the data processed are incomplete, you can demand that they are completed (Article 16 of the GDPR).
- You have the right to demand that personal data concerning you are erased without undue delay (Article 17 of the GDPR); this demand has to be complied with if the conditions laid down in this provision are met.
- If the rectification or erasure of personal data can only be carried out at specific times for economical or technical reasons, the processing of the data in question has to be restricted until they are rectified or erased (Article 4 (2) of DSG). The restriction of processing means that, apart from their storage, the personal data concerning you can only be processed with your consent or for specific reasons laid down in legislation.
- You have the right to demand that the processing of your data is restricted if you
- contest the accuracy of your personal data processed until the BMKOES has verified them,
- prefer the restriction of processing over the erasure of unlawfully processed data,
- require the data for your legal claims and therefore do not want that they are erased by the BMKOES even though it does not need them anymore for the purposes for which they were collected (Article 18 of the GDPR).
Please send requests regarding data protection, in particular inquiries according to Article 15 of the General Data Protection Regulation (GDPR), to the following e-mail address: datenschutz@bmkoes.gv.at
The exercise of your rights does not result in any costs being charged by the BMKOES.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee based on administrative costs may be charged or the request may be refused.
Hyperlinks to websites of other providers
Our website contains hyperlinks to websites of other providers, in particular the federal provinces. We do not have any influence on compliance with data protection regulations by those providers.
Complaints to the data protection supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority – the Austrian Data Protection Authority – if you consider that the processing of personal data concerning you infringes the General Data Protection Regulation (Article 77 of the GDPR).
Controller
The BMKOES determines the purposes and means of data processing indicated above and hence is the controller according to Article 4 (7) of the GDPR.
Contact
Name and contact details of the controller according to Article 4 (7) of the GDPR
Federal Ministry for Arts, Culture, the Civil Service and Sport
Radetzkystraße 2, 1030 Vienna, Austria
E-mail: IVA6@bmkoes.gv.at
Federal Ministry for Arts, Culture, the Civil Service and Sport
Data Protection Officer
Radetzkystraße 2
1030 Vienna, Austria
E-mail: datenschutzbeauftragte@bmkoes.gv.at
2. Which data do we collect from artists and grant recipients presented on our website and how do we use these data?
The Federal Ministry for Arts, Culture, the Civil Service and Sport as well as the private-sector company section.d – design.communication gmbh that is responsible for the website’s design and implementation, the small businesswoman Alexandra Grausam and BRZ GmbH are subject to the provisions of the GDPR and DSG. We have taken technical and organizational measures that ensure compliance with data protection legislation both by us and the external service providers we commissioned.
The legal bases for processing your personal data within the framework of our website are Article 6 (1) (b) and (e) of the GDPR.
In this context, we refer to the data protection information according to Article 13 of the GDPR and the agreement you completed and signed in the course of your application submitted for the grant program “International residency for visual art, art photography and media art.”
Information on the collection of personal data
As an artist or grant recipient taking part in the international residency program of the BMKOES you have agreed to the processing of your personal data (see your completed application form and below) for the purpose of the implementation of the international residency program of the BMKOES as an integral part of your contract. As agreed this extends, in particular, to the conclusion and performance of the contract, the presentation of your person and your artistic work in publications (in the special case of the Art Report: in this Report, the name, grant amount and federal province of the grant recipients are published; according to Article 10 of the Arts Promotion Act (Kunstförderungsgesetz), Federal Law Gazette No. 146/1988 as amended, the Art Report has to be presented to the National Council by the federal government; see also Article 6 (1) (e) of the Genderal Data Protection Regulation) and on websites of the BMKOES as well as at events of the BMKOES, the accounting, auditing and documentation of the international residency program of the BMKOES, utilization for promoting the international residency program of the BMKOES as well as the provision of information on it by means of social media (e.g. Facebook, Instagram, Flickr, Vimeo, YouTube, LinkedIn…) and the website of the BMKOES (www.bmkoes.gv.at) as well as publication of information on your residency on the website www.away.co.at (e.g. which artist is currently staying where (outgoing/incoming, artist, period, program, place, country, grantor) and, if applicable, diary entries (e.g. artist, place, country, personal experiences, characteristics of the residency in question, tips for future participants, private insights into experiences made and artistic work, outline of exploratory trips…) and inclusion in the chronicle and presentation of projects and events/exhibitions) as well as information on the promotion activities of the BMKOES and the use of promotion funds for the general public (cf. the Art Report mentioned above and public interest in it).
There is no legal title to such processing, in particular to the publication of such information, and the decision about implementing individual processing activities is taken by the BMKOES on a case-by-case basis.
Storage duration
Your data will be deleted in line with the records management provisions for electronic files applying at the Federal Ministry for Arts, Culture, the Civil Service and Sport (retention period of 10 years) in the course of the next deletion routine unless they are to be archived or published (in that case, they will not be deleted but retained for the purpose of implementing the international residency program of the BMKOES and on ground of public interest).
Transfer of personal data to third parties
For specific processing activities, relevant extracts of your data will be transferred – if required for organizational reasons – to organizational units of the BMKOES that need to receive them within the framework of contract performance and public relations work and, if appropriate, to processors involved in processing and, if applicable, to legal representatives (for the enforcement of rights or the defense against claims or in the framework of judicial or administrative proceedings) as well as, if necessary, to other federal ministries or persons in the context of the foreign residency program of the BMKOES (e.g. jury members, applicants). Your personal data are processed for the conclusion and performance of the contract as well as for auditing purposes and can be transferred, in particular, to bodies and representatives of the Austrian Court of Audit (in particular Article 3 (2), 4 (1) and 13 (3) of the Court of Audit Act (Rechnungshofgesetz), Federal Law Gazette No. 144/1948 as amended), the European Union in accordance with provisions of European Union law and the Federal Ministry of Finance (in particular Federal Budget Act 2013 (Bundeshaushaltsgesetz), Federal Law Gazette I No. 139/2009, as amended in combination with the Federal Regulation on Propositions (Vorhabensverordnung), Federal Law Gazette II No. 22/2013, as amended).
Further transfers of data going beyond the above or going beyond any publication, for example, on the social media channels and websites of the BMKOES in particular to recipients in a third country (outside the EU) or to international organizations are not envisaged.
Profiling
There is no automated decision-making (profiling).
Your rights
On principle, you have the right of access, rectification, erasure (see above for information on data filing/archiving/publication), restriction of processing, data portability, withdrawal and objection. If you consider that the processing of your data infringes data protection law or your rights under data protection law have been violated in any way you may lodge a complaint with the supervisory authority. In Austria, this is the Austrian Data Protection Authority.
You can exercise the following rights you have under the General Data Protection Regulation by sending an informal request to the BMKOES:
- You have the right of access, i.e. you can obtain a confirmation as to whether or not personal data concerning you are being processed. If this is the case, you have the right to get information on the personal data processed (Article 15 of the GDPR).
- If the personal data concerning you are inaccurate, you have the right to demand their rectification. If you find that the data processed are incomplete, you can demand that they are completed (Article 16 of the GDPR).
- You have the right to demand that personal data concerning you are erased without undue delay (Article 17 of the GDPR); this demand has to be complied with if the conditions laid down in this provision are met.
- If the rectification or erasure of personal data can only be carried out at specific times for economical or technical reasons, the processing of the data in question has to be restricted until they are rectified or erased (Article 4 (2) of DSG). The restriction of processing means that, apart from their storage, the personal data concerning you can only be processed with your consent or for specific reasons laid down in legislation.
- You have the right to demand that the processing of your data is restricted if you
- contest the accuracy of your personal data processed until the BMKOES has verified them,
- prefer the restriction of processing over the erasure of unlawfully processed data,
- require the data for your legal claims and therefore do not want that they are erased by the BMKOES even though it does not need them anymore for the purposes for which they were collected (Article 18 of the GDPR).
- You have the right to request that the data you provided to the BMKOES under a contract according to Article 6 (1) (b) of the GDPR are transferred to another controller (right to data portability according to Article 20 of the GDPR).
Please send requests regarding data protection, in particular inquiries according to Article 15 of the General Data Protection Regulation (GDPR), to the following e-mail address: datenschutz@bmkoes.gv.at
The exercise of your rights does not result in any costs being charged by the BMKOES.
Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, a reasonable fee based on administrative costs may be charged or the request may be refused.
Further (data protection) information
For further (data protection) information, please see your application containing the data protection information according to Article 13 of the GDPR, your contract and the website www.bmkoes.gv.at.
Complaints to the data protection supervisory authority
You have the right to lodge a complaint with the data protection supervisory authority – the Austrian Data Protection Authority – if you consider that the processing of personal data concerning you infringes the General Data Protection Regulation (Article 77 of the GDPR).
Controller
The BMKOES determines the purposes and means of data processing indicated above and hence is the controller according to Article 4 (7) of the GDPR.
Contact
Name and contact details of the controller according to Article 4 (7) of the GDPR
Federal Ministry for Arts, Culture, the Civil Service and Sport
Radetzkystraße 2, 1030 Vienna, Austria
E-mail: IVA6@bmkoes.gv.at
Federal Ministry for Arts, Culture, the Civil Service and Sport
Data Protection Officer
Radetzkystraße 2
1030 Vienna, Austria
E-mail: datenschutzbeauftragte@bmkoes.gv.at