Note on gender-neutral language:

If any pronoun or word used in this privacy notice is specific to one gender only, such pronoun or word is to be read and interpreted as applying to both genders equally.

This privacy notice serves the sole purpose of fulfilling our obligation to provide information about our processing of personal data under data protection law.

This privacy notice contains information on who we are and how you can contact us, which activities and services this privacy notice relates to, which categories of personal data we process in the course of these activities and services, for what purposes and on which legal bases we process personal data, to whom we may transmit personal data, how long we store personal data for and which rights you have in relation to the data which we process.

Unless otherwise stated, the following abbreviations and definitions apply:

EZA-G

Federal Act on Development Cooperation (Bundesgesetz über die Entwicklungszusammenarbeit)

Federal Gazette I No. 49/2002, as amended.

GDPR

The General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, as amended.

DSG

Federal Act concerning the protection of natural persons with regard to the processing of personal data (Bundesgesetz zum Schutz natürlicher Personen bei der Verarbeitung personenbezogener Daten), Federal Gazette I No. 165/1999, as amended.

Content of this privacy notice

I. Name and address of the controller

II. Contact details data protection officer

III. General information on data processing

IV. Provision of the website and logfiles

V. Cookies

VI.  Google Analytics

VII. Promotion of measures in the field of development cooperation

VIII. Procurement of services, supplies or works by direct award procedure

IX. Newsletter

X. Contact form and email contact

XI. Subscription to Weltnachrichten

XII. Events and event documentation

XIII. Other publications and information materials

XIV. Whistleblower system - Integrity

XV. Social networks (Facebook, Instagram, Flickr, Twitter, YouTube)

XVI. Sweepstakes

XVII. Recruiting/application process

XVIII. Rights of the data subject

XIX. Updates and amendments to this privacy notice

I. Name and address of the controller

The controller within the meaning of the GDPR and the national data protection laws of the EU Member States is:

Austrian Development Agency

Zelinkagasse 2, 1010 Vienna, Austria

Tel: + 43 (0)1 90399 - 0
Fax: + 43 (0)1 90399 - 2290
Email: office(at)ada.gv.at
Website: entwicklung.at/en/

 

II. Contact details data protection officer

You can contact the data protection officer at the controller by sending an email to dpo@ada.gv.at or at the address of the controller.

You can address requests to enforce your rights pursuant to Section XVIII of this privacy notice to the data protection officer; please address any revocations of consent under data protection law to the same entity/office as you provided that consent to.

III. General information on data processing

1. Description and scope of data processing

We only collect and use personal data to the extent required to fulfil our statutory mandate pursuant to § 8 para. 1 EZA-G – to prepare and implement measures of development cooperation – and to provide a functioning website and our content and services. Where we rely on consent, we collect and use personal data only after having obtained consent.

Unless explicitly stated otherwise, we do not process any sensitive data (also referred to as “special categories of data”). Special categories of data mean data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Unless otherwise stated, we do not process any data on criminal convictions or criminal offences.

2. Legal basis for processing personal data

If we obtain data subjects’ consent to the processing of personal data, Art. 6 para. 1 point a GDPR is the legal basis.

When processing personal data for the purpose of performing a contract to which the data subject is a party, Art. 6 para. 1 point b GDPR is the legal basis. This also applies for processing operations which are required to perform pre-contractual measures.

If it is necessary to process personal data to fulfil a legal obligation to which we are subject, Art. 6 para. 1 point c GDPR is the legal basis.

If personal data is processed to perform a task which is in the public interest, Art. 6 para. 1 point e GDPR (possibly in conjunction with §§ 2 and 24 EZA-G) is the legal basis.

If processing is necessary to protect a legitimate interest of the Austrian Development Agency (ADA) or a third party and this interest is not overridden by the interests, basic rights and basic freedoms of the data subject concerned, Art. 6 para. 1 point f GDPR is the legal basis.

3. Erasure of data and storage period

The personal data of the data subject is erased as soon as the purpose for which it is stored no longer exists. Data may also be stored if this is stipulated by the European or national legislator in regulations, laws or other provisions to which ADA is subject.

IV. Provision of the website and logfiles

1. Description and scope of data processing

Every time our website is accessed, our system automatically records data and information from the system of the requesting device.

The following data is collected:

1. Information about the type of browser and the version used;
2. The user’s operating system;
3. The user’s IP address;
4. The date and time of access;
5. Website from which your system was directed to our website;
6. Websites which your system accessed via our website.

The data and information are saved in logfiles on our system. The logfiles are not stored together with any other personal data of the relevant user, nor is any comparison made with the relevant user’s other personal data.

2. Legal basis for processing data

The legal basis for temporarily storing the data and the logfiles is Art. 6 para. 1 point f GDPR.

3. The purpose of the data processing

The system needs to store the IP address temporarily to display the website on the user’s device. This user’s IP address must be stored for the duration of the session.

Data is stored in logfiles to ensure the functioning of the website. Furthermore, the data enables us to ensure that the website operations are secure and maintained. The data is not analysed for marketing purposes.

These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 para. 1 point f GDPR.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected. With regard to the recording of data to make the website available, this is the case when the respective session finishes.

If the data is stored in logfiles, this is the case after a period of 60 days (maximum). It is possible for the data to be stored for a longer period. In this case, the IP addresses of the users are erased or anonymised so that it is no longer possible to identify the accessing client.

5. Transmission of your personal data

Users’ personal data may be collected by and sent to IT service providers which we engage and which have their registered office in an EU Member State. If IT service providers process personal data as processors, we will conclude appropriate agreements with them pursuant to Art. 28 GDPR. 

Disclosures can also be made:

1. to assert, exercise or defend against legal claims, provided that there is no reason to assume that there is an overriding legitimate interest in not disclosing the data;
2. if there is a statutory obligation to disclose;
3. it is permitted by law and is required to perform contractual relationships with you.

V. Cookies

1. Description and scope of data processing

Our website uses cookies. A cookie banner informs users about the individual cookies and their purposes, and will ask for user’s consent as required. The settings can be adjusted by re-accessing the cookie banner, which can be done by opening this Privacy Notice.

Consult the cookie banner for additional information.

2. Legal basis for processing data

The legal basis for using cookies is Art. 6 para. 1 point f GDPR concerning technically necessary cookies and Art. 6 para. 1 point a GDPR concerning all other cookies.

3. Purpose of data processing

The purpose of each cookie is described in the cookie banner.

4. Period of storage

The retention period of each cookie is described in the cookie banner.

By adjusting your browser settings, you can opt out of cookies or restrict their use. Cookies which have already been saved can be deleted at any time. This can also be done automatically. If you opt out of cookies for our website, certain features of the website may not be available.

VI. Google Analytics

1. Description and scope of data processing

This website uses Google Analytics, a web analytics service of Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”). Google Analytics uses cookies, that is text files which are saved on your computer and enable your use of the website to be analysed.

This website usees IP anonymisation as provided by Google Analytics. As part of this, Google shortens/anonymises your IP address as soon as it obtains it (IP masking). Google will use this information on our behalf to analyse your use of the website, to compile reports on website activities and to provide further services to us relating to the use of the website and the internet for the purposes of market research and making this website more user-friendly. Under no circumstances will your IP address be combined with other data of Google.

You can find further information on data protection in relation to Google Analytics on the Google website at https://marketingplatform.google.com/about/analytics/terms/us/ or https://policies.google.com/privacy?hl=en.

You can download and install the Google Analytics opt-out browser plug-in via this link.

2. Legal basis for processing personal data

The legal basis for using Google Analytics is Art. 6 para. 1 point a GDPR.

3. Purpose of data processing

Google uses the information collected by Google Analytics to analyse usage of the website, to compile reports on website activities for the website operator and to provide other services related to the use of the website or the internet.

Google Analytics enables the surfing behaviour of the users of our website to be analysed. By analysing the data collected, we are able to compile information about the use of the individual components of our website. This helps us to continually improve our website and its user-friendliness.

4. Period of storage

The retention period of each cookie is described in the cookie banner.

5. Transmission of your personal data

The information on usage of this website generated by cookies (including your IP address and the URLs of websites accessed) is transmitted to a Google server in the USA and stored there.

Google may also transmit this information to third parties if this is required by law or if third parties process this data on behalf of Google. Under no circumstances will Google link your IP address to other Google data.

VII. Promotion of measures in the field of development cooperation

1. Description and scope of data processing

Promotion of measures in the field of development cooperation within the meaning of § 2 EZA-G including (i) cooperation with partner governments in the framework of general budget support, sector financing, national execution, pooled funding/joint financing, (ii) cooperation with international organisations and national development cooperation agencies and funds, (iii) cooperation with development cooperation organisations and international civil society in the framework of individual projects, framework programmes, strategic partnerships, technical assistants programme, EU cofinancing, migration and development, contributions to multi-donor initiatives, calls for proposals and programmes to strengthen civil society, (iv) cooperation with businesses in the framework of business partnerships, strategic partnerships with the private sector, initiatives in Austria, (v) humanitarian aid financed by the Foreign Disaster Aid Fund, (vi) measures in the area of development communication and education in Austria, and (vii) projects and programmes that ADA is implementing and that are (partly) financed by third party funding, including in the framework of the Delegated Cooperation modality of the European Union and as accredited entity with the Green Climate Fund.

The provision of personal data – unless agreed otherwise – is voluntary. However, without providing this data an application for funding cannot be assessed and will not be considered.

Data categories, which are regularly processed in the context of grant applications and awards

- contact and identification details (name, postal address, telephone number, e-mail address, facsimile, web address, tax identification number, legal form);
- information included in the financial identification form / bank details (including account name, bank name, IBAN, SWIFT / BIC, account number, credit advice);
- founding date;
- membership in platforms, networks;
- authorized representatives, including identification documents;
- statutes or by-laws;
- excerpt from public registers (e.g., company register, register of associations);
- annual report including audit report/financial statement of the past two business years;
- organisational chart;
- institutional profile;
- capability Statement;
- experience in project management and project cycle management;
- description of the available human and material resources, including available experts and key personnel in the relevant thematic area;
- reference projects;
- project or programme description, including planning matrix, time schedule, project budget, monitoring plan (if applicable), Environmental, Gender and Social Standards Checklist;
- information on the grant (grant type applied for, grant decision, project duration, modality, date of application, contract type, date of the grant agreement);
- name, function, award decision or recommendation, declaration of impartiality and confidentiality of the members of the evaluation commission;
- database excerpt of a reliable credit reporting agency, genereally of KSV1870 Information GmbH (service product: Business Profile Standard): name, position of legal representatives and officers in connection with general business data (name of business, legal form, size, sector, year of incorporation, etc.). KSV1870 or any other credit reporting agency is a controller separate from ADA, see also the KSV1870 data protection notice;
- screening using the World Check One database of the provider Refinitiv (due diligence examination including know your customer, anti-money laundering, countering the financing of terrorism, anti-bribery/corruption, restrictive measures [sanctions], and combating financial crime). Refinitiv is a controller separate from ADA. Refinitiv provides information on data protection regarding its product and the Refinitiv Privacy Statement;
- screening using the European Commission’s Early Detection and Exclusion System (EDES) (exclusively in the framework of projects and programmes with the EU under the Delegated Cooperation modality, i.e., projects with EU funding); EDES has the objective of protecting the EU's financial interests. Information on EDES and data protection provided by the European Commission;
- name, contact details (professional telephone number, e-mail address, facsimile, postal address), title, employment contracts, work time records, salary statement, records regarding official travel, CVs of directors, officers and employees of (i) the grant recipient, (ii) local partner organisations and/or (sub‑)contractors and/or (sub-)grant recipients of the grant recipient, if any, as well as (iii) other stakeholders of the project or programme;
- name, contact details (professional telephone number, e-mail address, facsimile, postal address), title, employment contracts, work time records, salary statement, records regarding official travel, CVs of seconded or posted experts financed by ADA;
- name, contact details (professional telephone number, e-mail address, facsimile, postal address), title of (i) member of the executive and/or legislative bodies on the local, regional and/or national level, (ii) civil servants;
- personal data, which is transferred or disclosed to ADA through, e.g., project- or programme-related reports (EGSIA, RMSP, progress-, audit- or evaluation reports, PR materials), or which are collected by ADA during checks/audits or evaluation missions;
- Expert opinions regarding eligibility of the project or programme to receive a grant;
- Informaton on grants received from third parties for the same project or programme, if any;
- photographs, audio recordings and/or video recordings of individuals involved in the project or programme, in particular representatives of the target group, beneficiaries, partner organisations, host countries;
- statement concerning any de-minimis state aid received or applied for, or statement regarding non-economic activity.

Data categories that are regularly processed if the measure is set up as a competitive tender or as far as information on tenders is disclosed to ADA in connection to projects and programmes (e.g., in case of audits of grant recipients)

- first name, last name, title, address and contact details of the bidders;
- first name, last name, title, address, contact details and position held of personnel and subcontractors of the bidders;
- CVs (in particular name, photo, date of birth, details and proofs of education, work experience, citizenship), addresses and contact details of personnel, experts and subcontractors;
- references of the personnel and experts, including possibly data of previous clients or employers and data concerning further public contracting authorities;
- credit report of the bidders/subcontractors;
- possibly data concerning the financial and economic capacities of the bidders/ subcontractors;
- extract from the Register of Companies (Firmenbuch) or another professional/commercial register concerning the bidders and possibly its subcontractors;
- identification numbers (for example VAT number, ANKÖ number);
- possibly the most recent debit advice of the competent social security authority or an equivalent document of the company’s country of origin that shows that the bidders and its subcontractors are meeting their obligations in accordance with the applicable legal provisions to pay social security contributions;
- possibly the most recent statement of account (Rückstandsbescheinigung) pursuant to Section 229a of the Federal Tax Act (Bundesabgabenordnung), Federal Law Gazette no. 194/1961, or an equivalent document issued by the competent authorities of the company’s country of origin that shows that the bidders and its subcontractors comply with their obligations to pay taxes and charges as required under the applicable legal provisions;
- possibly an excerpt from the Criminal Records (Strafregisterauskunft) (or equivalent document issued by a court or administrative authority of the company’s country of origin) of the bidders and its subcontractors or, for a legal entity, registered business partnership or consortium, of all persons who are part of its management, members of the supervisory board and officers with statutory authority;
- banking details (IBAN) of the bidders and its subcontractors;
- possibly an excerpt from the Commercial Register (Gewerberegister) or submission of the authorisation required for performing the relevant services in the country of origin of the bidders or subcontractors or an official document evidencing membership in a particular organisation required in the company’s country of origin for performing the relevant services.

Recipients or categories of recipients of personal data, including transfer to third countries or international organisations

- processors within the scope of their respective service contracts, e.g., IT service providers;
- members of the evaluation commission who are not attributable to ADA (external experts);
- third parties contracted by ADA to conduct an audit or evaluation of a project or programme (co‑)financed by ADA;
- if the measure is set up as a competitive tender or as far as information on tenders is disclosed to ADA in connection to projects and programmes: Wiener Zeitung GmbH (for the publication of the contract award notification), administrative authorities competent for reviewing the procurement procedure, external consultants (in particular attorneys-at-law, engineering companies and experts), Open Data Österreich (data.gv.at, limited to the so-called metadata of the core data in accordance with the Austrian Federal Public Procurement Act 2018 [Bundesvergabegesetz] as amended from time to time); possibly the European Commission concerning obligatory notifications under state aid rules;
- European Union in the framework of Delegated Cooperation; privacy notice of the European Commission: Processing of personal data by the European Commission takes place pursuant to Regulation 2018/1725 (Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC Text with EEA relevance, OJ L 295, 21.11.2018, p.39.) and in accordance with the European Commission’s privacy statement;
- Federal Ministry for European and International Affairs as representative of ADA’s sole shareholder and federal ministry competent for development cooperation as well as the Austrian embassy accredited to the partner country where the measure is implemented (regarding the project fact sheet);
- Austrian Foundation for Development Research [Österreichische Forschungsstiftung für Internationale Entwicklung (ÖFSE)] for publication in the development cooperation project database (project fact sheet);
- Austrian Economic Chambers [Wirtschaftskammer Österreich] (project fact sheet);
- Austrian Federal Ministry for Digital and Economic Affairs (project fact sheet);
- ERP-Fund and Austria Wirtschaftsservice Gesellschaft mbH, if the measure is (co-)financed using ERP funds;
- in case of contractual or otherwise obligatory reporting obligations in the respective case: other donors for sector-specific donor co-ordination in the partner country or region;
- for control purposes: other possible donors (to check possible double or multiple funding), financial authorities or banking institutions;
- in specific cases to comply with a legal obligation (see also legal basis for processing:
     (i) the Austrian Court of Audit [Rechnungshof];
     (ii) the Federal Ministry of Finance;
     (iii) institutions, bodies, offices and agencies of the European;
- during or related to procurement procedures (direct award) in specific cases:
     (i) Federal Ministry of Finance, central register of convictions for illegal employment of foreign nationals [zentrale Verwaltungsstrafevidenz für die Kontrolle der illegalen Ausländerbeschäftigung] in accordance with Section 28b of the Austrian Act Governing the Employment of Foreign Nationals [Ausländerbeschäftigungsgesetz, AuslBG], BGBl. No. 218/1975, as amended;
     (ii) Austrian Health Insurance Fund [Österreichische Gesundheitskasse], administrative offences register as the designated competence centre for combatting wage and social dumping (LSDB Competence Centre) pursuant to Section 35 Austrian Act on Combatting Wage and Social Dumping [Lohn- und Sozialdumping-Bekämpfungsgesetz (LSD-BG)] BGBl. Nr. 44/2016, as amended;
- Austrian State Archives, in accordance with the Federal Act on the Safekeeping, Storage and Use of Archival Holdings of the Federal Government.

2. Legal basis for processing data

The legal basis for processing personal data for the promotion of measures in the field of development cooperation is Art. 6 para. 1 point a, point b, point c and point f GDPR as well as Art. 6 para. 1 point e GDPR in conjunction with the EZA-G, in particular §§ 2, 8, 9 and 24 EZA‑G.

The legal basis Art. 6 para. 1 point a GDPR applies in individual cases regarding photographs, audio recordings and/or video recordings of individuals involved in the project or programme, in particular representatives of the target group, beneficiaries, partner organisations, and host countries insofar as this processing is not justified on another legal basis (see in more detail Section XII);

The legal basis Art. 6 para. 1 point b GDPR applies to the processing of personal data of the recipient or contractor (provided data related to them constitute personal data) in preparation, execution and implementation of grant contracts or service or supply contracts, respectively.

The legal basis Art. 6 para. 1 point c GDPR applie to processing on the basis of the Austrian Federal Public Procurement Act 2018, as amended, and for the transfer of personal data to the Austrian Court of Audit [Rechnungshof] (in particular pursuant to Sections 3 (2), 4 (1) and 13 (3) of the Austrian Court of Audit Act, BGBl. No. 144/1948, as amended), to the Federal Ministry of Finance (in particular pursuant to Sections 57 to 61 and 47 Federal Budget Law 2013, as amended, as well as Section 14 of the General Framework Directive 2014 [ARR], BGBl. II No. 208/2014, as amended, and to the institutions, bodies, offices and agencies of the European Union pursuant to provisions of EU law.

The legal basis Art. 6 para. 1 point f GDPR in conjunction with recital 47 GDPR applies to due diligence assessments of grant applicants and bidders and their organs and officials.

In all other cases, the legal basis is Art. 6 para. 1 point e GDPR in conjunction with the EZA-G, in particular §§ 2, 8, 9 and 24 EZA‑G.

3. Purpose of data processing

Promotion of measures in the field of development cooperation in accordance with the statutory mandate of ADA, in particular through initiation and implementation of grant contracts and including controlling the agreed-on use of funds and compliance with contractual obligations and conditions.

4. Period of storage

Personal data is retained for as long as necessary for the purpose for which it was collected, taking into account statutory minimum retention requirements.

5. Data sources

Personal data are retained as they are transferred to ADA. Sources may include:

(i) public bodies on the local, regional or national level, (ii) international organisations, (iii) other donors for purposes of donor co-ordination, (iv) the grant applicant or grant recipient, (v) local partner organisations of the grant applicant or grant recipient, (vi) bidders or contractors, (vii) other third parties, including agents or (sub‑)contractors of (i) to (vi).

ADA further collects personal data from public registers (e.g., company register, register of associations, criminal records) and other registers for due diligence assessments as further described in Section VII.1.

VIII. Procurement of services, supplies or works by direct award procedure

1. Description and scope of data processing

Public contracting authorities are obliged to carry out public tendering in accordance with the Austrian Federal Public Procurement Act. The data processing takes place in the performance of tasks as public contracting authority and on the basis of the national procurement legalisation. ADA processes personal data in order to carry out a procedure for the direct award of a contract and in the context of the conclusion and performance of the contract with the selected bidder. This includes assessing the capacity and qualification of bidders and their subcontractors to perform the requested services and examining and evaluating the offers as well as concluding and performing the contract with the selected bidder. Generally, assessments are more comprehensive the higher the contract value is, in individual cases, however, comprehensive assessments and checks may be conducted even at low contract values.

Unless otherwise agreed, the submission of your personal data is voluntary. However, if you do not provide the necessary data, your offer cannot be examined and evaluated, and, thus, cannot be taken into consideration in the tender proceedings.

ADA regularly processes the following data categories

- first name, last name, title, address and contact details of the bidders;
- first name, last name, title, address, contact details and position held of personnel and subcontractors of the bidders;
- CVs (in particular name, photo, date of birth, details and proofs of education, work experience, citizenship), addresses and contact details of personnel, experts and subcontractors;
- references of the personnel and experts, including possibly data of previous clients or employers and data concerning further public contracting authorities;
- credit report of the bidders/subcontractors;
- possibly data concerning the financial and economic capacities of the bidders/ subcontractors;
- screening using the European Commission’s Early Detection and Exclusion System (EDES) (exclusively in the framework of projects and programmes with the EU under the Delegated Cooperation modality, i.e., projects with EU funding); EDES has the objective of protecting the EU's financial interests. Information on EDES and data protection provided by the European Commission;
- check against European Union restrictive measures [EU sanctions] (exclusively in the framework of projects and programmes with the EU under the Delegated Cooperation modality, i.e., projects with EU funding);
- extract from the Register of Companies (Firmenbuch) or another professional/commercial register concerning the bidders and possibly its subcontractors;
- identification numbers (for example UID number, ANKÖ number);
- most recent debit advice of the competent social security authority or an equivalent document of the company’s country of origin that shows that the bidders and its subcontractors are meeting their obligations in accordance with the applicable legal provisions to pay social security contributions;
- most recent statement of account (Rückstandsbescheinigung) pursuant to Section 229a of the Federal Tax Act (Bundesabgabenordnung), Federal Law Gazette no. 194/1961, or an equivalent document issued by the competent authorities of the company’s country of origin that shows that the bidders and its subcontractors comply with their obligations to pay taxes and charges as required under the applicable legal provisions;
- excerpt from the Criminal Records (Strafregisterauskunft) (or equivalent document issued by a court or administrative authority of the company’s country of origin) of the bidders and its subcontractors or, for a legal entity, registered business partnership or consortium, of all persons who are part of its management, members of the supervisory board and officers with statutory authority;
- banking details (IBAN) of the bidders and its subcontractors;
- excerpt from the Commercial Register (Gewerberegister) or submission of the authorisation required for performing the relevant services in the country of origin of the bidders or subcontractors or an official document evidencing membership in a particular organisation required in the company’s country of origin for performing the relevant services.

Recipients or categories of recipients of personal data, including transfer to third countries or international organisations

- members of the evaluation committee;
- IT service providers (e.g., for the internal processing of data);
- Wiener Zeitung (for the publication of the contract award notification) and its e-tendering platform Lieferanzeiger;
- bodies competent for reviewing of the procurement procedure;
- courts of law;
- administrative authorities;
- external consultants (including lawyers, engineering firms and other experts);
- the Federal Ministry for European and International Affairs;
https://www.data.gv.at;
- in specific cases to comply with a legal obligation (see also legal basis for processing):
     - Austrian Court of Audit [Rechnungshof];
     - Federal Ministry of Finance;
     - institutions, bodies, offices and agencies of the European Union;
     - Federal Ministry of Finance, central register of convictions for illegal employment of foreign nationals [zentrale Verwaltungsstrafevidenz für die Kontrolle der illegalen Ausländerbeschäftigung] in accordance with Section 28b of the Austrian Act Governing the Employment of Foreign Nationals [Ausländerbeschäftigungsgesetz, AuslBG], BGBl. No. 218/1975, as amended;
     - Austrian Health Insurance Fund [Österreichische Gesundheitskasse], administrative offences register as the designated competence centre for combatting wage and social dumping (LSDB Competence Centre) pursuant to Section 35 Austrian Act on Combatting Wage and Social Dumping [Lohn- und Sozialdumping-Bekämpfungsgesetz (LSD-BG)] BGBl. Nr. 44/2016, as amended;
- Austrian State Archives, in accordance with the Federal Act on the Safekeeping, Storage and Use of Archival Holdings of the Federal Government.

2. Legal basis for processing data

The legal basis for processing personal data for the procurement of services, supplies or works by direct award procedure is Art. 6 para. 1 point b and point c GDPR in conjunction with the Austrian Federal Public Procurement Act 2018 [Bundesvergabegesetz, BVergG], notably § 46 BVergG.

The legal basis Art. 6 para. 1 point c GDPR applies to processing on the basis of the BVergG, to processing pursuant to a legal basis as indicated in the lists above, and to the transfer of personal data to the Austrian Court of Audit [Rechnungshof] (in particular pursuant to Sections 3 (2), 4 (1) and 13 (3) of the Austrian Court of Audit Act, BGBl. No. 144/1948, as amended), to the Federal Ministry of Finance (in particular pursuant to Sections 57 to 61 and 47 Federal Budget Law 2013, as amended), and to the institutions, bodies, offices and agencies of the European Union pursuant to provisions of EU law. The same legal basis applies to checks against restrictive measures on the basis of regulations of the Council of the European Union.

The legal basis Art. 6 para. 1 point b GDPR applies to the processing of personal data of the contractor (provided data related to the contractor constitutes personal data) in preparation, execution and implementation of service, supply or work contracts.

3. Purpose of data processing

Procurement of services, supplies and works in performance of ADA’s statutory mandate.

4. Period of storage

ADA retains personal data for as long as necessary for achieving the purposes while adhering to statutory retention periods.

5. Data sources

ADA processes personal as transferred to ADA by the bidders/subcontractors/other public contracting authorities. ADA may also collect personal data from public registers (for example Register of Companies, Commercial Register).

IX. Newsletter

1. Description and scope of data processing

Our website provides the option to subscribe to our newsletter free of charge. When you subscribe, the data you enter on the input form is sent to us.

Your email address is collected. In addition, users may also provide the following information on a voluntary basis, although it is not mandatory and does not have any effect on the newsletter (these fields are provided to order the magazine Weltnachrichten, see Section XI of this privacy notice): first name, surname, form of address, company name, department and address (street, country, postcode, town/city).

As part of the subscription process, your consent to the processing of data is obtained and you will be referred to this privacy notice.

You can unsubscribe from the newsletter at any time (withdraw your consent). Each newsletter contains a link for this purpose. You can also unsubscribe by sending an email with an appropriate reference to oeza.info(at)ada.gv.at.

2. Legal basis for processing data

The legal basis for processing data after a user subscribes to the newsletter is Art. 6 para. 1 point a GDPR.

3. Purpose of data processing

Newsletters are a free service provided by ADA for public relations activities, the information of the public about ADA and development policy in general, the announcement of upcoming events, and information about news and publications.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected. The data is stored until the subscription is terminated.

5. Transmission of your personal data

No data is disclosed to third parties in connection with the processing of data when sending the newsletter. The data is used solely for the purpose of sending the newsletter.

X. Contact form and email contact

1. Description and scope of data processing

Our website includes a contact form which can be used to get in touch with us online. If you make use of this option, the data you enter into the input fields will be transmitted to us and stored. The following data is required to process your enquiry: first name, surname, email address, reference and message text.

Alternatively, you can get in touch with us using one of the email addresses provided. In such cases, the personal data of the user which is transmitted with the email will be stored. For e‑mail communication, we use a processor who provides cloud services (computing power and other computer system resources, especially data storage, which can be accessed via a network, e.g., the internet). We concluded an appropriate agreement with the processor, so that the processor processes personal data exclusively according to our instruction. The processor may only transfer the personal data to authorized recipients.

No data is disclosed to third parties in this regard, unless this is explicitly requested. The data is only used to process the correspondence.

2. Legal basis for processing data

The legal basis for processing the data is Art. 6 para. 1 point a and point f GDPR.

If the aim of the email correspondence is to conclude a contract, Art. 6 para. 1 point b GDPR is the legal basis for the processing.

3. Purpose of data processing

The processing of personal data entered into the input fields serves the sole purpose of processing the correspondence. If contact is made by email, the same purpose constitutes the legitimate interest in processing the data.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected. This is the case for personal data entered in the input fields of the contact form and personal data which was sent by email when the respective chain of correspondence with the user is completed. The chain of correspondence is complete when it is clear from the circumstances that the relevant issue has been resolved. Subsequently, the data are stored for archiving purposes.

In exceptional cases, data can be stored for a longer period to protect ADA’s rights under Art. 6 para. 1 point f GDPR.

XI. Subscription to Weltnachrichten

1. Description and scope of data processing

Our website provides the option to subscribe to the magazine Weltnachrichten free of charge. This is delivered by post. When you subscribe, the data you enter in the input fields is sent to us.

Your first name, surname and address (street, country, postcode, town/city) are collected. In addition, the user can provide the following data on a voluntary basis: form of address, email address (this is required to subscribe to the newsletter, see also Section VIII of this privacy notice), company name and department (for deliveries to companies and organisations).

You can unsubscribe from Weltnachrichten at any time (withdraw your consent). To do this, send an email with an appropriate reference to oeza.info(at)ada.gv.at.

2. Legal basis for processing data

The legal basis for processing data after subscribing to Weltnachrichten is Art. 6 para. 1 point a GDPR.

3. Purpose of data processing

Weltnachrichten is a free service provided by ADA for public relations purposes, the information of the public about ADA and Austrian development cooperation, development policy in general, and the announcement of upcoming events.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected. The users’ data is stored until the subscription is terminated.

5. Transmission of your personal data

To send Weltnachrichten, the data we collect is sent to third parties we engage, including the printing company, to the necessary extent. The data is used solely for the purpose of sending Weltnachrichten.

XII. Events and event documentation

1. Description and scope of data processing

ADA can organise events as part of its statutory mandate. When planning and organising such events, it may be necessary to process participants’ basic personal details. Events can be documented by photographs, audio recordings and/or video recordings. These recordings may be used/published in publications, including print- and digital media, electronic newsletters, press releases, social media services and on the general or project-specific website(s).

If you do not want to be featured on photos or videos, please inform the photographer of this at the event itself or keep to areas where no photographs are being taken or films are being made (where individual people could be recognised).

If, in spite of this, you are featured on photos or videos in a way which means you can be recognised, please contact us and we will do our best, even if we are not under any legal obligation, to delete or edit (pixelate) the relevant photo/video.

2. Legal basis for processing data

The legal basis for processing is Art. 6 para. 1 point e GDPR in conjunction with § 2 para. 3 letter g and § 24 para. 5 EZA-G and §§ 9 and 12 DSG and Article 85 GDPR and – in individual cases – Art. 6 para. 1 point a GDPR.

3. Purpose of data processing

The basic personal details you provide when you register for events are processed for the purposes of planning, preparing and organising the event as well as sending event documents, executing the event, documenting the event (incl. using lists of participants), and possibly for transmitting the presentation documents and to document and evaluate the event.

Events are documented for the purposes of information, education, cultural and public relations activities on development policy in Austria.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected.

5. Transmission of your personal data

To the extent necessary, basic personal details are shared with co-organisers. Photos and video recordings documenting the event may be sent to other event participants, co-organisers and social media services, other print- and digital media and press agencies as well as to third-party donors in the framework of third-party funded projects.

XIII. Other publications and information materials

1. Description and scope of data processing

From time to time, ADA sends information materials (e.g. press releases, press reviews, business reports, annual reports, handbooks, studies and analyses, country strategies, 3-year programmes, guidelines on various subjects, strategic guidelines, focus papers, folders, brochures, other publications) to interested groups or the interested public. This material may also be ordered from ADA. When you place an order, the basic personal details you provide will only be used for the purposes of executing the order.

2. Legal basis for processing data

The legal basis for processing is Art. 6 para. 1 point e GDPR in conjunction with § 2 para. 3 letter g and § 24 para. 5 EZA-G as well as § 9 DSG.

3. Purpose of data processing

Information, education, cultural and public relations activities on development policy in Austria.

4. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected.

5. Transmission of your personal data

The basic personal details you provide when placing orders may be transmitted to distribution companies engaged by ADA.

XIV. Whistleblower system - Integrity

Our website provides the option - including for contractual partners of ADA or interested members of the public - to file a report. You can find the details, including information on the processing of personal data here.

Whistleblowers may not incur any detriment, either personal or legal, for reports filed according to their best knowledge and belief.

XV. Social networks (Facebook, Instagram, Flickr, Twitter, YouTube)

1. Description and scope of data processing

ADA operates channels/pages with the following providers: Facebook, Instagram, Flickr, Twitter, YouTube. You can access these channels/sites via links on ADA’s website. The website does not use any social media plug-ins.

Therefore, we explicitly highlight that these providers store the personal data of their users and use it for business purposes according to their own terms and conditions.

2. Facebook

ADA operates a Facebook fan page which can be accessed via a link on the ADA website. ADA and Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 Ireland (“Facebook”) are the joint controllers within the meaning of the GDPR for this Facebook fan page.

Facebook collects the personal data of the users when they use the site. Further information about this can be found in Facebook’s privacy guidelines. However, it must be assumed that - in all probability - Facebook will record and analyse all information provided and actions taken by its users.

The agreement pursuant to Article 26 GDPR between ADA and Facebook is available here. Essentially, Facebook "assumes the responsibility for compliance with the applicable obligations under the GDPR for the processing of Insights Data". Furthermore, Facebook warrants that it will bear the sole responsibility for the personal data processed in connection with Page Insights and provide it to people requesting access.

The ADA Facebook fan page uses the tool “Page Insights”. This tool summarises aggregated data which ADA can use to draw conclusions on how the users interact with the website (e.g. information on the number of “Likes”, total number of people who have visited the site, number of user interactions according to type, success of individual types of contributions). Facebook informs about the categories of personal data processed on a separate page.

3. Instagram

Instagram is a service provided by Facebook, see the entry above on Facebook. Facebook collects the personal data of the users when they use Instagram. Further information about this can be found in Instagram’s privacy guidelines.

4. Flickr

ADA operates a Flickr account which can be accessed via a link on the ADA website. Flickr, Inc. is a subsidiary of SmugMug, Inc., Suite 200, 67 E Evelyn Avenue, Mountain View, CA 94041, USA.

Flickr collects personal data of the users when they use the site. Further information about this can be found in Flickr’s Privacy Policy.

5. Twitter

ADA operates a Twitter account which can be accessed via a link on the ADA website. Twitter Inc., 1355 Market Street #900, San Francisco, California 94103, USA, or, for users outside of the USA: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland processes personal data of users. Further information about this can be found in Twitter’s Privacy Policy.

7. YouTube

ADA operates a YouTube channel which can be accessed via a link on the ADA website. YouTube is a service provided by (in the EEA and Switzerland) Google Ireland Limited, a company incorporated and operating under the laws of Ireland, (Registered Number: 368047), located at Gordon House, Barrow Street, Dublin 4, Ireland, and (outside the EEA and Switzerland) Google LLC, a company operating under the laws of Delaware, located at 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, both entities being subsidiaries of the Alphabet Inc. corporate group.

Further information about the processing of personal data when using YouTube is available at Google’s privacy policy.

7. Legal basis for processing data

If users enter their own personal data on any of ADA’s social media channels, consent (Art. 6 para. 1 point a GDPR) is the legal basis.

Personal data is also published in the public interest based on Article 6 para. 1 point e GDPR in conjunction with § 2 para. 3 letter g EZA-G (information, education, cultural and public relations activities on development policy in Austria) and §§ 9 and 12 DSG.

8. Purpose of data processing

Information, education, cultural and public relations activities on development policy in Austria.

9. Period of storage

The data is erased as soon as it is no longer required for the purpose for which it was collected.

XVI. Sweepstakes

1. Description and scope of data processing

From time to time, ADA holds sweepstakes. To participate, you must fill out the contact form provided on our website. If you want to take part, the data you enter into the input fields is sent to us and stored. The following data is required to process the information you enter: first name, surname, email, message text. You may also state the following on a voluntary basis: address (street, postcode, town/city)

When submitting the form, your consent to the processing of the data is obtained and you will be referred to this privacy notice.

No data is disclosed to third parties in this regard. The data is used for the sole purpose of managing participants.

If you win, we will get in touch with you. In this case, we will request your consent to your contact details being transmitted to our contractual partners, who will send you your prize on our behalf. If you do not consent to your contact details being transmitted, you will not be able to receive your prize.

However, you have the option to withdraw your consent to the processing of your personal data by email at any time. The withdrawal of consent does not affect the lawfulness of the processing done based on that consent in the period until it is withdrawn. In such cases, you will be deleted from the list of participants and will no longer be taken account of in the sweepstake.

2. Legal basis for processing data

The legal basis for processing the data is Art. 6 para. 1 point a GDPR apart from where the aim of the processing is to conclude a contract: in the latter case, Art. 6 para. 1 point b GDPR is the legal basis for the processing.

3. Purpose of data processing

Processing the personal data from the input fields enables us to record participants and their contact details.

4. Period of storage

The data will be erased as soon as it is clear who the winner is.

In exceptional cases, data can be stored for a longer period to protect ADA’s rights.

XVII. Recruiting/application process

1. Description and scope of data processing

We process personal data in the extent you send it to us.

2. Legal basis for processing data

The legal basis for the processing is Art. 6 para. 1 point a and - to the extent that application documents contain personal data belonging to special categories - Art. 9 para. 2 point a GDPR.

3. Purpose of data processing

The evaluation of applications with a view to a possible appointment.

4. Period of storage

If the process does not culminate in an appointment, the applicant’s data will be stored for a period of seven months running from the day of the relevant communication.

5. Transmission of your personal data

When applying for a position, your personal data may be processed by our processor Prescreen International GmbH, Mariahilfer Straße 17, 1060 Vienna, Austria, with whom we have concluded appropriate processing agreements pursuant to Art. 28 GDPR. Before personal data is transferred to the processor, you will be provided with a detailed privacy notice.

XVIII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with regard to the controller:

You can address requests to enforce your rights to the Data Protection Officer; please also address any revocations of consent under data protection law to the same entity/office as you provided that consent to.

1. Right of access

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, access to the following information:

1. the purposes of the processing;
2. the categories of personal data being processed;
3. the recipients or categories of recipient to whom the personal data concerning you have been or will be disclosed;
4. where possible, the envisaged period for which the personal data concerning you will be stored, or, if it is not possible to provide specific information on this, the criteria used to determine that period;
5. the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
6. the right to lodge a complaint with a supervisory authority;
7. where the personal data is not collected from the data subject, any available information as to their source;
8. the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to be informed if personal data is transferred to a third country or to an international organisation. In this case, you have the right to be informed of the appropriate safeguards pursuant to Article 46 GDPR relating to the transfer.

2. Right to rectification

You have the right to obtain from the controller the rectification/completion of inaccurate/incomplete personal data concerning you. The controller must perform the rectification without undue delay.

3. Right to restriction of processing

You have the right to obtain from the controller restriction of processing where one of the following applies:

1. If you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
3. The controller no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defence of legal claims;
4. You have objected to processing pursuant to Article 21 para. 1 GDPR pending the verification whether the legitimate grounds of the controller override yours.

If the processing of personal data concerning you has been restricted, such personal data will, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.

If processing has been restricted according to the above requirements, you will be informed by the controller before the restriction of processing is lifted.

4. Right to erasure

a) Obligation to erase

You have the right to obtain from the controller the erasure of your personal data without undue delay where one of the following grounds applies:
1. The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
2. You withdrew consent on which the processing is based according to Art. 6 para. 1 point a or Art. 9 para. 2 point a GDPR, and there is no other legal ground for the processing;
3. You object to the processing pursuant to Article 21 para. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 para. 2 GDPR;
4. The personal data concerning you has been unlawfully processed;
5. The personal data has to be erased for compliance with a legal obligation under the law of the European Union or a Member State to which the controller is subject;
6. Information for third parties

If the controller has made your personal data public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copies or replications of, this personal data.

If personal data which is processed by automated means cannot be erased without undue delay, because this can only be done at certain times due to economic or technical considerations, pursuant to § 4 para. 2 DSG, the processing of the relevant personal data will be restricted with the effects set out under Art. 18 para. 2 GDPR until such time as it can be erased (restriction of processing).

5. Notification obligation

If you have successfully enforced your right to rectification, erasure or restriction of processing against the controller, the controller must notify each recipient to whom the personal data has been disclosed of this rectification or erasure of data or restriction on processing, unless this proves impossible or involves disproportionate effort.

You are entitled to notification by the controller about those recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to a controller, in a structured, commonly used and machine-readable format. Furthermore, you have the right to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where:

1. the processing is based on consent pursuant to Art. 6 para. 1 point a GDPR or Art. 9 para. 2 point a GDPR or on a contract pursuant to Art. 6 para. 1 point b GDPR; and
2. the processing is carried out by automated means.

In exercising this right, you have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.

The right to data portability does not apply to processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on Art. 6 para. 1 point e or point f GDPR, including profiling based on those provisions.

The controller will no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or the processing serves the purpose of establishing, exercising or defending legal claims.

Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for such purposes.

8. Right to withdraw consent

You may at any time withdraw any consents under data protection law which you have given. The withdrawal of consent does not affect the lawfulness of the processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

1. is necessary for entering into, or performance of, a contract between you and a data controller;
2. is authorised by European Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and your legitimate interests; or
3. is based on your explicit consent.

However, the decisions may not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, if neither Art. 9 para. 2 point a nor point g GDPR apply and appropriate measures have been taken to safeguard rights and freedoms and your legitimate interests.

In the cases referred to in (1) and (3), the data controller will implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with the supervisory authority

Without prejudice to any other legal remedies you may have under administrative law or before the courts, you have the right to lodge a complaint with the supervisory authority, including in the Member State where you are resident, where you have your place of work or the place where the alleged breach took place if you are of the opinion that the processing of the relevant personal data breaches the GDPR.

The supervisory authority where the complaint was lodged will inform the complainant about the status and the results of the complaint including the possibility of judicial remedies according to Art. 78 GDPR.

XIX. Updates and amendments to this privacy notice

This privacy notice is currently valid and was last amended in March 2021.

It may be necessary to amend this privacy notice due to changes in our website and the offers made on it or due to changes to the legal framework or official requirements. You can download and print out the currently valid privacy notice from our website at any time.