Your rights as a data subject
People whose personal data are processed are referred to as data subjects. Pursuant to the applicable data protection legislation, in particular Articles 15 to 21 of the General Data Protection Regulation (GDPR), data subjects at all times have the following rights regarding their personal data:
The right to gain access to and information about their personal data used for processing
The right to rectification of inaccurate data and completion of incomplete data
The right to request deletion of the personal data (right to be forgotten)
The right to restriction of data processing
The right to receive the personal data in a structured, commonly used, and machine-readable format (right to data portability)
The right to object to the processing of personal data on grounds relating to the data subject’s particular situation.
How to exercise your rights
To exercise your rights vis-a-vis WU (Vienna University of Economics and Business), acting as the controller responsible for the processing of your personal data, you can send an email to email@example.com or contact WU by postal mail: WU (Vienna University of Economics and Business), attn. Data Protection Officer, c/o Legal Affairs Office, AR building, Welthandelsplatz 1, 1020 Vienna.
Please submit your request by email or postal mail, including details that clearly establish your identity, to the addresses named above.
A closer look at the individual rights of data subjects:
Right to information and access to the data (Art. 15 of the GDPR)
You can request information from the controller (WU) to find out whether the controller is processing any of your personal data. If this is the case, you can request the following information from the controller:
Purposes of the data processing
Categories of personal data being processed
Recipients or categories of recipients to which personal data have been disclosed or are being disclosed, in particular regarding recipients in third countries or at international institutions
If possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
Information about your right to request that your personal data be corrected or deleted, your right to request restriction of the data processing, and your right to object to the data processing
Information about your right to file a complaint with the supervisory authority
In case the personal data were not collected from you (the data subject), information about the origin of the data
Information about whether automated decision-making, including profiling, within the meaning of Art. 22 (1) and (4) of the GDPR is used. At least in cases where this is the case, you can also request meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you as the data subject.
As a university, it is clear that WU processes large amounts of personal data. If you would like to exercise your right to information and access, you therefore need to specify exactly which information or which processing activities your request refers to before we can provide you with the requested information (cf. Recital 63 of the GDPR, last sentence). Please let us know in which role you are submitting your request for information (e.g. WU employee, student, job applicant, prospective student applying for admission, etc.). Please also indicate the type of processed information that your request refers to.
The right to information and access to the data is not given
In areas in which WU is exercising its public tasks, if the provision of such information would jeopardize WU’s capability to perform a task assigned to it by law, or
If the provision of such information would jeopardize a business or trade secret of WU or a third party.
Right to rectification of data (Art. 16 of the GDPR)
You have the right to request the correction of inaccurate personal data concerning you. You can also request the completion of an incomplete data set by filing a supplementary declaration.
Right to erasure of the data (Art. 17 of the GDPR)
You may submit a request to the controller to to have your personal data deleted without delay. The controller is obligated to delete this data immediately if one of the following applies:
The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
You withdraw the consent on which the processing is based pursuant to Art. 6 (1) item a or Art. 9 (2) item a of the GDPR and no other legal basis for the processing exists.
You object to the processing pursuant to Art. 21 (1) of the GDPR and there are no overriding legitimate grounds for the data to be processed, or you object to the processing for direct marketing purposes (Art. 21  of the GDPR).
Your personal data was processed unlawfully.
The deletion of the personal data is necessary for compliance with a legal obligation under EU law or the law of a member state to which WU is subject.
The personal data was collected in relation to information society services offered pursuant to Art. 8 (1) of the GDPR.
The right to erasure is not given (Art. 17  of the GDPR) if the processing is necessary
To exercise the right to freedom of expression and information
To comply with a legal obligation which requires processing under EU law or the law of a member state to which WU as the controller is subject, or to perform a task carried out in the public interest or in the exercise of the official authority vested in WU as the controller
For reasons in the public interest in the area of public health pursuant to Art. 9 (2) items h and i and Art. 9 (3) of the GDPR
For archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 (1) of the GDPR, if the abovementioned “right to be forgotten” is likely to make the purposes of the processing impossible or seriously impair the purposes of the processing
For the establishment, exercise, or defense of legal claims
If you consider the processing to be unlawful but do not want your data deleted, you may request restriction of processing pursuant to Art. 18 of the GDPR (Art. 18  item b of the GDPR).
Right to restrict the data processing (Art. 18 of the GDPR)
This right is intended to allow data subjects to restrict processing without having the data deleted. Restricted processing may be requested parallel to the right to correction of data and the right to object to the processing of your data.
You may request the restriction of the processing of your personal data under the following conditions:
If you contest the accuracy of your personal data for a period long enough to allow WU as the controller to verify the accuracy of your personal data
The processing is unlawful but you do not want your personal data deleted, and instead request a restriction of the use of your personal data
WU, as the controller, no longer needs the personal data for the purposes of processing, but you need them for the establishment, exercise, or defense of legal claims
If you have objected to the processing pursuant to Art. 21 (1) of the GDPR and it is not yet clear whether the legitimate interests of the controller override your grounds for objection
Right to data portability (Art. 20 of the GDPR)
You have the right to receive your own personal data in a structured, commonly used, and machine-readable format and to give this data to another controller for processing. This right is only given if the processing is based on consent pursuant to Art. 6 (1) item a or Art. 9 (2) item a of the GDPR or a contractual obligation (Art 6  item b of the GDPR) and the processing is carried out by automated means.
Right to object (Art. 21 of the GDPR)
On grounds relating to your particular situation, you have the right to object to the processing of your personal data based on Art. 6 (1) item e (public interest or in the exercise of official authority) or item f (safeguarding legitimate interests) of the GDPR at any time. This also applies to profiling based on these provisions.
There is also a special right to object to the use of your data for direct marketing.
Right not to be subject to a decision based solely on automated processing (Art. 22 of the GDPR)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This right is not given if the decision
Is necessary for the conclusion or performance of a contract between you and WU as the controller
The decision is lawful under EU law or the law of a member state to which WU as the controller is subject, and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, or
If the decision has been made with your explicit consent
Right to file a complaint with the Austrian Data Protection Authority (Art. 77 of the GDPR)
If you believe that the processing of your data is in violation of the applicable data protection regulations, you can lodge a complaint with the appropriate supervisory authority. For more information, please see the website of the Austrian Data Protection Authority: https://www.data-protection-authority.gv.at.