Glossary

Anonymization

Anonymization refers to a technological, usually automated process used to modify personal data in such a way that it is no longer possible to attribute the data to any specific person.

Binding corporate rules

These are personal data protection policies which are adhered to by a controller or processor established on the territory of an EU member state for transfers or a set of transfers of personal data to a controller or processor in one or more third countries within a group of undertakings, or group of enterprises engaged in a joint economic activity.

Biometric data

are data that result from specific technical processes and that relate to the physical, physiological, or behavioral characteristics of a natural person, which make it possible to verify or confirm the unique identity of that natural person, such as facial images or dactyloscopic data. The processing of biometric data is subject to special conditions, specified in Article 9 of the GDPR.

Consent

of the data subject means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Controller

The controller is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Cross-border processing

means either of the following:

a) Processing of personal data which takes place in the context of the activities of a controller’s or processor’s establishments in more than one member state in the EU, in cases where the controller or processor is established in more than one member state; or

b) Processing of personal data which takes place in the context of the activities of a single establishment of a controller or processor in the EU, but which substantially affects or is likely to substantially affect data subjects in more than one member state

Data breach

A data breach is an incident that compromises the confidentiality, integrity, or accessibility of personal data.

Data concerning health

are personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about that person’s health status. The processing of data concerning health is subject to special conditions, specified in Article 9 of the GDPR.

Data Protection Officer

The Data Protection Officer is a person named by the controller or processor (in some cases, the controller or processor is obligated to name a Data Protection Officer). The Data Protection Officer supports the controller or processor in ensuring compliance with the GDPR and the Data Protection Act (Datenschutzgesetz, DSG). In this capacity, the Data Protection Officer performs an advisory and supervisory function.

Data subject

The data subject is the person whose personal data are processed. According to the GDPR, only natural persons qualify as data subjects.

Enterprise

An enterprise is defined as a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity.

Genetic data

are personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question. The processing of genetic data is subject to special conditions, specified in Article 9 of the GDPR.

Group of undertakings

This refers to a controlling undertaking (enterprise) and its controlled undertakings.

International organization

An international organization is an organization and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries.

Main establishment

means

a) In the case of a controller with establishments in more than one member state, the place of its central administration in the EU, unless the decisions on the purposes and means of the processing of personal data are taken at another establishment of the controller in the EU and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment

b) In the case of a processor with establishments in more than one member state, the place of its central administration in the EU, or, if the processor has no central administration in the EU, the establishment of the processor in the EU where the main processing activities in the context of the activities of an establishment of the processor take place to the extent that the processor is subject to specific obligations under the GDPR.

Personal data

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Personal data breach

This refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed.

Processing

Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor

is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller pursuant to Article 28 of the GDPR.

Profiling

Profiling is defined as any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

Pseudonymization

Pseudonymization is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person. In contrast to anonymous data, pseudonymized data are regarded as personal data and are therefore subject to the regulations of the GDPR.

Recipient

is a natural or legal person, public authority, agency, or another body to which the personal data are disclosed, regardless of whether this is a third party or not. However, public authorities which may receive personal data as part of a particular inquiry in accordance with EU or member state law are not regarded as recipients. In these cases, the processing of such data by public authorities is in compliance with the applicable data protection rules according to the purposes of the processing.

Representative

A representative is a natural or legal person established in the EU who, designated by the controller or processor in writing pursuant to Article 27 of the GDPR, represents the controller or processor with regard to their respective obligations under the GDPR.

Special categories of personal data

This refers to personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

Supervisory authority

This is an independent, national institution set up by EU member states pursuant to Article 51 of the GDPR. In Austria, the national supervisory authority is the Austrian Data Protection Authority. For more information, please go to www.dsb.gv.at.

Third party

is any natural or legal person, public authority, agency, or body other than the data subject, the controller, the processor, and any persons who, under the direct authority of the controller or processor, are authorized to process personal data.

Name	Purpose	Lifetime	Provider
CookieConsent	Saves your consent to using cookies.	30 days	WU
site-popup	Saves if popup was filled or closed.	30 days	WU
BACH_PRXY_ID	To be able to display some WU-specific content, it is necessary that some information must be accessed by back-end WU systems. Required to assign the appropriate answer to a request.	20 years	WU
BACH_PRXY_SN	To be able to display some WU-specific content, it is necessary that some information must be accessed by back-end WU systems. Required to assign the appropriate answer to a request.	session	WU
fe_typo_user	Required for login and access to protected content or for editing the user’s personal profile.	session	WU
be_typo_user	Required for login and editing content in the TYPO3 back end.	session	WU
be_lastLoginProvider	Stores the last method used for logging in to the TYPO3 back end.	90 days	WU
ASP.NET_SessionId	Required for assigning visitors to forms.	session	WU (forms.wu.ac.at)
__RequestVerificationToken	Required to protect forms against attacks.	session	WU (forms.wu.ac.at)
ESRASOFTSID	Required for identifying the logged-in user in the Business Language Center’s course registration system.	session	WU (esrasoft.wu.ac.at)
esraSoftWiData	Required to track the language and language courses selected by the user.	session	WU (esrasoft.wu.ac.at)
esraSimpleSAMLAuthToken	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)
esraSimpleSAML	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)
SimpleSAML	Required for identifying WU employees during the course registration process.	session	WU (esrasoft.wu.ac.at)

Name	Purpose	Lifetime	Provider
_pk_id	Used by Matomo Analytics to store a few details about the user, such as the unique visitor ID.	30 days	WU (piwik.wu.ac.at)
_pk_ref	Used by Matomo Analytics to store the attribution information, the referrer initially used to visit the website.	6 months	WU (piwik.wu.ac.at)
_pk_ses	Created by Matomo Analytics, short-lived cookies used to temporarily store data for the current visit.	1 hours	WU (piwik.wu.ac.at)
_gcl_au	Contains a randomly generated user ID.	3 months	Google
AMP_TOKEN	Contains a token that can be used to retrieve a Client ID from AMP Client ID service. Other possible values indicate opt-out, request in progress or an error retrieving a Client ID from AMP Client ID service.	1 year	Google
_dc_gtm_--property-id--	Used by DoubleClick (Google Tag Manager) to help identify the visitors by either age, gender or interests.	2 years	Google
_ga	Contains a randomly generated user ID. Using this ID, Google Analytics can recognize returning users on this website and merge the data from previous visits.	2 year	Google
_gat_gtag	Certain data is only sent to Google Analytics a maximum of once per minute. As long as it is set, certain data transfers are prevented.	1 minute	Google
_gid	Contains a randomly generated user ID. Using this ID, Google Analytics can recognize returning users on this website and merge the data from previous visits.	24 hour	Google
_gac_gb	Contains campaign-related information for the user. If Google Analytics and Google Ads accounts are linked, the conversion tags on the Google Ads website read this cookie.	90 day	Google
_dc_gtm	Used to throttle the request rate.	1 minute	Google
IDE	Contains a randomly generated user ID. Using this ID, Google can recognize the user across different websites across domains and display personalized advertising.	1 year	Google
player	This cookie saves user-specific settings before an embedded Vimeo video is played. This means that the next time you watch a Vimeo video, your preferred settings will be loaded.	1 year	Vimeo
vuid	This cookie is used to save the usage history of the user.	2 year	Vimeo
__cf_bm	This cookie is used to distinguish between humans and bots. This is necessary for Vimeo to collect valid data about the use of the service.	1 day	Vimeo
_uetvid	This cookie is set to enable the use of the Vimeo video player.	1 year	Vimeo
_tt_enable_cookie	This cookie is used to enable the vimeo video embedding on the WU Website and for other unspecified purposes.	1 year	Vimeo
afUserId	This cookie collects data from users who interact with embedded Vimeo videos.	2 years	Vimeo
_abexps	This cookie saves settings made by the user, e.g. Default language, region or username as well as interaction data of the user with Vimeo	10 months	Vimeo
_clck	This cookie enables the use of the embedded Vimeo video player	1 year	Vimeo
has_logged_in	This cookie stores login information and if the user has ever logged in.	10 years	Vimeo
language	This cookie remembers the language setting of a user. This ensures that Vimeo appears in the language selected by the user.	11 years	Vimeo
_ttp	This cookie is set to enable the use of the Vimeo video player	1 year	Vimeo
sd_client_id	This cookie stores data about the users current video settings and a personal identification token	2 year	Vimeo
_rdt_uuid	This cookie collects data about the users actions on websites that have a vimeo video embedded.	3 months	Vimeo
vimeo_cart	This cookie is used to check how many times a video has been played by the user.	10 years	Vimeo
OptanonConsent	This cookie stores information about the consent status of a visitor.	1 year	Vimeo
_scid	This cookie is used to assign a unique ID to a user	10 months	Vimeo
hjSessionBenutzer_	Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Hotjar does not track users across different sites. Ensures data from subsequent visits to the same site are attributed to the same user ID.	1 year	Hotjar
_hjid	This is an old cookie which is not set anymore, but if a user has it unexpired in their browser. It will be reused and migrated to _hjSessionUser_{site_id}. Set when a user first lands on a page. Persists the Hotjar User ID which is unique to that site. Ensures data from subsequent visits to the same site are attributed to the same user ID.	1 year	Hotjar
_hjFirstSeen	Identifies a new users first session. Used by Recording filters to identify new user sessions.	30 minutes	Hotjar
_hjHasCachedUserAttributes	Enables us to know whether the data set in _hjUserAttributes Local Storage item is up to date or not.	session	Hotjar
_hjUserAttributesHash	Enables us to know when any User Attribute has changed and needs to be updated.	2 minutes	Hotjar
_hjBenutzerAttribute	Stores User Attributes sent through the Hotjar Identify API. No explicit expiration.	session	Hotjar
hjViewportId	Stores user viewport details such as size and dimensions.	session	Hotjar
hjActiveViewportIds	Stores user active viewports IDs. Stores an expirationTimestamp that is used to validate active viewports on script initialization.	session	Hotjar
_hjSession_	Holds current session data. Ensures subsequent requests in the session window are attributed to the same session.	30 minutes	Hotjar
_hjSessionTooLarge	Causes Hotjar to stop collecting data if a session becomes too large. Determined automatically by a signal from the server if the session size exceeds the limit.	1 hour	Hotjar
_hjSessionResumed	Set when a session/recording is reconnected to Hotjar servers after a break in connection.	session	Hotjar
_hjCookieTest	Checks to see if the Hotjar Tracking Code can use cookies. If it can, a value of 1 is set. Deleted almost immediately after it is created.	session	Hotjar
_hjLocalStorageTest	Checks if the Hotjar Tracking Code can use Local Storage. If it can, a value of 1 is set. Data stored in _hjLocalStorageTest has no expiration time, but it is deleted almost immediately after it is created.	none	Hotjar
_hjSessionStorageTest	Checks if the Hotjar Tracking Code can use Session Storage. If it can, a value of 1 is set. Data stored in _hjSessionStorageTest has no expiration time, but it is deleted almost immediately after it is created.	none	Hotjar
_hjIncludedInPageviewSample	Set to determine if a user is included in the data sampling defined by your site's pageview limit.	2 minutes	Hotjar
_hjIncludedInSessionSample_	Set to determine if a user is included in the data sampling defined by your site's daily session limit.	2 minutes	Hotjar
_hjAbsoluteSessionInProgress	Used to detect the first pageview session of a user.	30 minutes	Hotjar
_hjTLDTest	We try to store the _hjTLDTest cookie for different URL substring alternatives until it fails. Enables us to try to determine the most generic cookie path to use, instead of page hostname. It means that cookies can be shared across subdomains (where applicable). After this check, the cookie is removed.	session	Hotjar

Name	Purpose	Lifetime	Provider
test_cookie	Is set as a test to check whether the browser allows cookies to be set. Does not contain any identification features.	15 minute	Google
IDE	Contains a randomly generated user ID. Using this ID, Google can recognize the user across different websites across domains and display personalized advertising.	1 year	Google
_gcl_au	Contains a randomly generated user ID.	90 day	Google
_gcl_aw	This cookie is set when a user clicks on a Google ad on the website. It contains information about which ad was clicked.	90 day	Google
xs	Used to maintain a Facebook session. It works in combination with the c_user cookie to authenticate the user's identity on Facebook.	1 year	Facebook
fr	Used to serve advertisements and measure and improve their relevance.	90 day	Facebook
m_pixel_ratio	Performance cookie used by Facebook with Facebook pixels.	session	Facebook
wd	Used for analysis purposes. Technical parameters are logged (e.g. aspect ratio and dimensions of the screen) so that Facebook apps can be displayed correctly.	7 day	Facebook
dpr	Used for analysis purposes. Technical parameters are logged (e.g. aspect ratio and dimensions of the screen) so that Facebook apps can be displayed correctly.	7 day	Facebook
sb	Used to save browser details and Facebook account security information.	2 year	Facebook
dbln	Used to save browser details and Facebook account security information.	2 year	Facebook
spin	Cookie for advertising purposes and reporting on social campaigns.	session	Facebook
presence	Contains the "Chat" status of a logged in user.	1 month	Facebook
x-referer	Performance cookie that is used by Facebook in combination with Facebook pixels.	session	Facebook
cppo	Cookie for statistical purposes.	90 day	Facebook
datr	Identifies the browser for security and website integrity purposes, including account recovery and identification of potentially compromised accounts.	2 year	Facebook
locale	Saves language settings.	session	Facebook
_fbp	A cookie for Facebook advertising that is used to track and improve relevance and to serve ads on Facebook.	90 day	Facebook
_fbc	A cookie for Facebook advertising that is used to track and improve relevance and to serve ads on Facebook.	90 day	Facebook
UserMatchHistory	This cookie is used to synchronize the LinkedIn Ads IDs.	30 day	LinkedIn
AnalyticsSyncHistory	This cookie saves the time at which the user was synchronized with the "lms_analytics" cookie.	30 day	LinkedIn
li_oatml	This cookie is used to identify LinkedIn members outside of LinkedIn for advertising and analysis purposes.	30 day	LinkedIn
lms_ads	This cookie is used to identify LinkedIn members outside of LinkedIn.	30 day	LinkedIn
lms_analytics	This cookie is used to identify LinkedIn members for analysis purposes.	30 day	LinkedIn
li_fat_id	This cookie is an indirect member identification that is used for conversion tracking, retargeting and analysis.	30 day	LinkedIn
li_sugr	This cookie is used to determine probabilistic matches of the identity of a user.	90 day	LinkedIn
U	This cookie identifies the user’s browser.	3 month	LinkedIn
_guid	This cookie is used to identify a LinkedIn member for advertising via Google Ads.	90 day	LinkedIn
BizographicsOptOut	This cookie is used to determine the rejection status for tracking by third-party providers.	10 year	LinkedIn
lidc	This cookie makes it easier to select LinkedIn's data center.	24 hours	LinkedIn
aam_uuid	This cookie is used for ID synchronization with Adobe Audience Manager.	30 days	LinkedIn
AMCV_XXX_at_AdobeOrg	This cookie contains a unique identifier for the Adobe Experience Cloud.	180 days	LinkedIn
li_mc	This cookie is used as a temporary cache. It is used to have the user's consent information from the database available client side.	2 years	LinkedIn
lang	This cookie stores the language settings of a user. This ensures that the LinkedIn.com website appears in the language selected by the user.	session	LinkedIn
twll	This cookie is set when X is embedded on the page. X collects data that is mainly used for tracking and targeting.	4 year	X
secure_session	This cookie is set when X is embedded on the page. E.g. X's like or sharing functions.	14 year	X
guest_id	This cookie is set by X when a visitor shares content from the WU website on X.	2 year	X
personalization_id	This cookie is set by X to measure the performance of X advertising campaigns in a user's browsers and devices	2 year	X
remember_checked	This cookie is set by when X is embedded on the page. X collects data that is mainly used for tracking and targeting.	4 year	X
remember_checked_on	This cookie is set when X is embedded on the page. E.g. X's like or sharing functions.	4 year	X
mbox	This cookie is intended for identifying X users, for analyzing interaction with the X Service and advertising whitin the service.	2 years	X
guest_id_ads	This cookie is set due to X integration and for sharing content to social media.	10 months	X
d_prefs	This cookie ist used to check referral links and the login status.	90 days	X
ct0	This cookie is set due to X integration and sharing capabilities for the social media.	10 months	X
kdt	This cookie is used to monitor the users login status on X.	10 months	X
guest_id_marketing	This cookie is set for tracking and analytics purposes.	10 months	X
twid	This cookie checks if you are logged in to X during a browser session.	1 year	X
auth_token	This cookie is required for authentication and checks whether the user is logged in.	10 months	X
external_referer	This cookie collects statistical data, including how often you visit X and how long a user stays on X.	1 day	X
NID	This cookie contains a unique ID that is used to save user-specific settings and other information, in particular your preferred language, how many search results should be displayed per page and whether the Google SafeSearch filter should be activated.	6 month	YouTube
1P_JAR	This Google cookie is used to optimize advertising, to provide ads that are relevant to users, to improve reports on campaign performance or to prevent a user from seeing the same ads multiple times.	1 month	YouTube
CONSENT	This cookie is used to support Google's advertising services.	20 year	YouTube
OTZ	Aggregated analysis of website visitors.	17 day	YouTube