This data protection information, intends to inform our website visitors about how we process personal data or outline you about your rights. We are aware of the sensitive nature of processing personal data and accordingly observe all relevant legal requirements. The protection of your privacy is of utmost importance to us. All processing of your personal data is carried out in compliance with the current General Data Protection Regulation, as well as other data protection regulations.
Person responsible for data processing
Contact details of the data protection officer: eprivacy[at]heigit.org
Definition of terms
This data protection notice uses the terms of the General Data Protection Regulation (GDPR):
- “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Restriction of processing” means the marking of stored personal data with the aim of limiting their future processing.
- “Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures which ensure that the personal data are not attributed to an identified or identifiable natural person.
- “File system” means any structured collection of personal data accessible according to specified criteria, whether such collection is maintained on a centralised, decentralised or functional or geographical basis.
- “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for by Union or Member State law.
- “Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
- “Recipient” means a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities which may receive personal data in the framework of a specific investigation mandate under Union or Member State law shall not be considered as recipients and the processing of such data by those authorities shall be carried out in accordance with the applicable data protection rules, in accordance with the purposes of the processing.
- “Third party” means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or the processor.
- “Consent” means the freely given specific, informed and unambiguous indication of the data subject’s wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.
We collect and process the following personal data about you:
- Contact, event, API-Key and master data information if you have provided us with your contact information or registered on our site,
- Online identifiers (e.g. your IP address, browser type and version, operating system used, referrer URL, IP address, file name, access status, amount of data transferred, date and time of server request),
- for the purpose of contacting you,
- for information about our activities and offers,
- Contract data (e.g. subject matter of the contract, contract term, contract category),
- Application (by post, via e-mail),
- Implementation of events,
- Video conferences, sound and image recordings,
- Social media identifiers.
Data processing purposes
We process your data for the following purposes:
- to process our services e.g. openrouteservice,
- for quality assurance,
- for our statistics.
Legal basis for data processing
Your data is processed on the following legal bases:
- your consent according to Art. 6 para. 1 lit. a) GDPR,
- for the performance of a contract with you according to Art. 6 para. 1 lit. b) GDPR,
- to fulfil legal obligations according to Art. 6 Para. 1 lit. c) GDPR,
- for a legitimate interest according to Art. 6 para. 1 lit. f) GDPR.
If we base the processing of your personal data on legitimate interests within the meaning of. Art. 6 para. 1 lit. f) GDPR, such interests are
- the improvement of our offer,
- the protection against misuse,
- the management of our statistics.
We obtain the data from you (including via the devices you use). If we do not collect the personal data directly from you, we will also tell you the source of the personal data and, if applicable, whether it comes from publicly available sources.
In processing your data, we work with the following service providers who have access to your data:
- Web analytics tool providers,
- Web hosting providers,
- Administration service providers,
- Video conferencing service providers,
- Social media.
Data is transferred to third countries outside the European Union. This takes place on the basis of contractual regulations provided for by law, which are intended to ensure an appropriate level of protection for your data and which you can view on request.
Duration of processing
We only store your personal data for as long as is necessary to achieve the purpose of the processing or for as long as the storage is subject to a statutory retention period.
We store your data, if:
- you have consented to the processing, at most until you revoke your consent;
- we require the data for the performance of a contract, at most for as long as the contractual relationship with you exists or for as long as statutory retention periods apply,
- we use the data on the basis of a legitimate interest, at most for as long as your interest in deletion or anonymisation does not prevail.
Within specific limits depending on particular circumstances, you have the right to:
- request information free of charge about the processing of your data and to receive a copy of your personal data. Among other things, you can request information about the purposes of the processing, the categories of personal data that are processed, the recipients of the data (if the data are passed on), the duration of the storage or the criteria for determining the duration;
- rectify your data. If your personal data is incomplete, you have the right to complete the data, taking into account the purposes of the processing;
- have your data erased or blocked. Reasons for the existence of a right to erasure/blocking may be, among others, the revocation of the consent on which the processing is based, the data subject objects to the processing, the personal data have been processed unlawfully;
- to have the processing restricted;
- object to the processing of your data;
- withdraw your consent to the processing of your data for the future;
- complain to the competent supervisory authority about unlawful data processing.
Further information on data protection
We have taken extensive technical and organisational measures to protect your data against possible dangers, such as unauthorised access, unauthorised disclosure, modification or distribution, as well as against loss, destruction or misuse.
In order to protect your personal data from unauthorised access by third parties during transmission, we secure data transmissions using TLS encryption where necessary. This is a standardised encryption procedure for online services, designed especially for internet traffic.
Each time you access our website, usage data is transmitted by the respective internet browser and stored in our server´s log files. These data records contain the following data:
- Domain from which the user accesses the website,
- Date, time of access and the IP address of the accessing computer,
- website(s) visited by the user within the scope of the offer,
- amount of data transferred,
- browser type and version,
- operating system used,
- message as to whether the retrieval was successful.
These log file data records are evaluated anonymously in order to improve our offer and make it more user-friendly, to find and correct errors and to manage our servers.
Status of this data protection information