The protection of your personal data is of particular concern to us. We therefore process your data exclusively on the basis of the relevant legal provisions (in Austria: EU-GDPR, Data Protection Act and Telecommunications Act 2003 and EU-GDPR). This data protection declaration informs you about the type, scope and purpose of the processing of personal data (hereinafter referred to as "data") within the framework of our website and the associated websites, about functions and content of these websites as well as about our external online presence, such as our Social Media Profiles.
1. Who we are
The Atlas of Torture is a project of the Ludwig Boltzmann Institute of Human Rights (BIM). The institute belongs to the Ludwig Boltzmann Society. The Atlas of Torture aims at increasing the impact of stakeholders fighting against torture and ill-treatment, by raising awareness, empowering individuals and organizations as well as fostering cooperation, through documentation, learning, and exchange. For further information please refer to the project description under “About us”.
Ludwig Boltzmann Institute for Human Rights - Research Association
Freyung 6 (Schottenhof), 1st courtyard, Stair II, 4th floor, 1010 Vienna.
Should you have any concerns or questions regarding the processing of your personal data by our project, we kindly ask you to either contact us under firstname.lastname@example.org., or our data protection officer Martin Neubauer at the above address of the Ludwig Boltzmann Institute for Human Rights.
The purpose of the Atlas of Torture is to facilitate the work of the relevant stakeholders in the field of the prevention of torture and ill-treatment as well as to raise awareness on the issue. This is achieved by increasing the impact of those fighting against torture and ill-treatment by raising awareness, empowering individuals and organizations as well as fostering cooperation through documentation, learning, and exchange. Therefore, publicly available documents (jurisprudence, legislation, reports, guidebooks etc.) are collected in a user-friendly database, e-learning materials of various kinds in a learning platform and projects and activities (country missions, conferences, lectures etc.) are displayed in a map. In addition, users can communicate and exchange in a forum-like setting via an exchange platform. For further information please refer to the project description under “About us”.
3. Legal basis
In accordance with art. 6 1. (f) GDPR the processing of data is lawful if the “processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.” The legitimate interest in processing the data pursued by the Atlas of Torture is constituted by its nature of being a research project affiliated to a scientific research institute. Therefore, the legitimate interest relates to the general work of the Ludwig Boltzmann Institute for Human Rights in dealing with relevant human rights issues in a national, European and international context. In addition, this interest also entails the relevance of raising awareness on the issue of torture and ill-treatment, going beyond the purpose of facilitating the work of professionals in the field of torture prevention.
4. Duration of data storage
Regarding the duration data is being stored, it has to be distinguished between four different kinds of data, namely content data, access data, contact data and account data.
- Content data: The substantial content data of the Atlas of Torture is being stored for an unlimited amount of time as this is necessary for the legitimate interest underlying the purpose of the Atlas of Torture according to art. 6 1. (f) GDPR (see also above),
- Access data: The access data is stored for 90 days in order to provide for the best user experience. After these 90 days, the access data is deleted.
- Contact data: The contact data provided by the user to the Atlas of Torture when either using the contact form or when using the online submission form to upload content to the website is (in accordance with art. 6 1. (a)) stored for the time a user is a registered member of the website. The right to withdraw consent (art. 7 3. GDPR) may be exercised at any time at email@example.com. The contact data will be deleted accordingly.
- Account data: The account data provided by the user to the Atlas of Torture when creating an account in order to use the exchange platform is stored for an unlimited amount of time in accordance with art. 6 1. (a). The right to withdraw consent (art. 7 3. GDPR) may be exercised at any time at firstname.lastname@example.org. The account data will be deleted accordingly.
5. Collection and processing of your personal data
The legislator's definitions of the following terms can also be found in art. 4 GDPR.
‘Personal data’ means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or with one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. You may also visit this website without providing any personal information. However, in order to improve our online services, we store access data to this website without personal reference.
Personal data revealing ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data relating to sex life or sexual orientation of a natural person.
The term "processing" shall mean any operation or set of operations which is carried out with or without the aid of automated procedures and which is related to personal data. The term is broad and covers practically every handling of data. We process your personal data only with the explicit permission of the users concerned or only on the basis of one of the cases provided for by law pursuant to art. 6 1. GDPR (lawfulness of processing).
In accordance with art. 14 1. (c), the data subject has the right to be provided with “the purposes of the processing for which the personal data are intended as well as the legal basis for the processing”. Besides the substantial purpose (see 2. Purpose), the Atlas of Torture processes personal data that have been obtained from the data subject for the purpose of optimizing the online offer, its functions and contents. The legal basis for processing this data is the legitimate interest of the Atlas of Torture of being a research project affiliated to a scientific research institute (art. 6 1. (f) GDPR). For further information please see 3. Legal basis.
Categories of data:
The personal data that have not been obtained from the data subject but is processed by the Atlas of Torture (art. 14 1. (d) GDPR) is data that is normally contained in documents such as judicature, scientific texts, guidebooks and reports. The processing of this data is within the legitimate interest of the Atlas of Torture, being a research project affiliated to a scientific research institute, to ensure the operational basis of the website (art. 14 2. (b) & art. 6 1. (f) GDPR). For further information please see 3. Legal basis.
Data subjects have the rights listed in art.s 15 – 22 GDPR; the procedure for exercising these rights is regulated in art. 12 GDPR:
Especially, you are entitled to request information about whether and which personal data we have stored about you, to request the rectification of incorrect data or erasure of your personal data which are not processed in accordance with the law; moreover, you may request under certain circumstances the restriction of the processing of your personal data. Further rights are the right to object to the processing of your personal data processed on grounds of art. 6 (1)(e) or (f) or for marketing purposes. Under certain circumstances you have a right to recover data provided by you (right to data portability). If you are of the opinion that your data is processed contrary to the applicable data protection law, you have the right to lodge a complaint before the competent data protection authority. Below you will find the legal basis authorising you to undertake the steps mentioned above:
- Right of access by the data subject (art. 15 GDPR)
- Right to rectification (art. 16 GDPR)
- Right to erasure (‘right to be forgotten’) (art. 17 GDPR)
- Right to restriction of processing (art. 18 GDPR)
- Notification obligation regarding rectification or erasure of personal data or restriction of processing (art. 19 GDPR)
- Right to data portability (art. 20 GDPR)
- Right to object (art. 21 GDPR)
- Automated individual decision-making, including profiling (art. 22 GDPR)
6. Collection and processing of your access data
We, the website operator, collect data on access to the website based on our legitimate interest (see art. 6 1. (f) GDPR) (see 3. Legal basis) and store these as "server log files" on the server of the website.
The following data is logged in this way: • Visited website • Time at the time of access • Source/reference from which you came to the page • Browser used • Operating system used • IP address used
The server log files are stored for a maximum of 90 days and then deleted (see 4. Duration of data storage). The data is stored for security reasons, e.g. to clarify cases of misuse. If data have to be kept for reasons of proof, they are excluded from deletion until the incident has been finally clarified.
7. Transfer of data to third parties
We use embeds, meaning embedded content, for example, from Youtube or Vimeo to display videos. This works with framing, merely inserting an HTML-link in our website’s codes. As soon as you start the video, the provider of the embedded content can send tracking information and place cookies.
If we disclose/transfer data to other persons and companies in the course of our processing, or otherwise grant them access to the data, this will be done strictly in accordance with art. 6 (1) GDPR; where necessary, users will be asked for their consent (art. 4 11. GDPR).
Project partners and other third parties:
Third parties, to whom data may be disclosed, are national, international/ European project partners. If your data is passed on to such third parties, we will in turn advise them to comply with the applicable data protection regulations. Please note that we select our partners with the utmost care.
Transfers to third countries:
If we transfer data to a third country without adequate data protection, e.g. for service processing, this will only occur if all relevant safeguards and special requirements of art. 44 ff. GDPR are fulfilled. Users may contact our data protection officer for all details on cases of transfer of data relating to them, especially concerning the existing safeguards.
“Cookies" are small files that are stored on the user's computer. A cookie is primarily used to store information about a user (or, more precisely, about the device on which the cookie is stored) during or after the user's visit to an online service. Different data can be stored within the cookies. Cookies that are used by the Atlas of Torture are referred to as “first-party cookies” and those used by our partners/others as “third-party cookies”.
In addition, common browsers offer the option not to accept cookies. Stored cookies can be deleted in the system settings of the browser. However, the exclusion of cookies can lead to functional limitations of this online service.
9. Contact us
If you contact us via the contact options offered (e.g. via contact form, e-mail, telephone or via social media), the contact enquiry and its processing will be processed in accordance with art. 6 1. (b) and (f) GDPR. This data will not be passed on to third parties without your consent. User data may be stored in a customer relationship management system ("CRM system") or comparable inquiry organisation based on art. 6 (1)(f) GDPR. We delete enquiries if they are no longer necessary. We check the necessity each year. Unless otherwise stated in our data protection declaration, we process the data of users who communicate with us within the social networks and platforms, e.g. write articles on our online presence or send us messages.
10. Security and integrity of your data
The security of your data is our top priority. We therefore take appropriate technical and organisational measures in accordance with art. 32 GDPR, taking into account the state of the art, the implementation costs and the specific risks of processing to the rights and freedoms of natural persons, in order to ensure an appropriate level of protection. Your data will be processed on servers within the European Union.
The measures for ensuring appropriate data security include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to input, transmission, availability and separation of the data concerning them. In addition, we have established procedures to ensure the exercise of data subjects' rights, especially concerning deletion of data and response to data breaches. Furthermore, we take the protection of personal data into account as early as the development or selection of hardware, software and processes, in accordance with the principle of data protection through technology design and data protection-friendly default settings (art. 25 GDPR).
11. Data storage and deletion of data
The data processed by us will be deleted or their processing restricted in accordance with art. 5 1.(e) GDPR. If there are no special legal storage obligations/permissions, we will delete your data as soon as they are no longer required for their intended purpose. If the data are not deleted because they are required for another legally permissible purpose, their processing will be restricted. This means that access to the data for all other purposes will be blocked. This applies, for example, if data must be stored for commercial or tax reasons.
12. Integration of services and content data from third parties
Within the scope of our online offer, and acting on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of art. 6 para. 1 lit. f of GDPR) we use content and service offers from third parties in order to integrate their content and services, such as videos or fonts (hereinafter uniformly referred to as "content").
This always presupposes that the third-party providers of this content get to know the IP address of the user, since they would not be able to send the content to user’s browser without the IP address. The IP address is therefore required for the provision of this content. We make every effort to use only such providers of content who use the IP address exclusively for delivering content required by a user. Third party providers may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. “Pixel tags" can be used to evaluate information about visitor traffic on the pages of this website. The pseudonymous information may also be stored in cookies on the user's device and may contain, among other things, technical information about the browser and operating system, referring web pages, visit times and other information about the use of our online services; it may be further be linked to such information from other sources.
In order to analyse the data relating to the use made of the website, the Atlas of Torture applies Matomo, provided for by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. For this purpose, pseudonymised user profiles can be created by evaluating user data. Cookies can be used for this purpose. The information generated by the cookie in the pseudonymous user profile is not used to personally identify the visitor to this website and is not merged with personal data about the bearer of the pseudonym.
b) Use of social plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer in the sense of art. 6 para. 1 lit. f. GDPR) we use Social Plugins ("Plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), as well as of twitter.com, which is operated by Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland (“Twitter”). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and can be recognized by one of the Facebook logos (white "f" on a blue tile, the terms "like", "like" or a "thumb up" sign), are marked with the addition "Facebook Social Plugin" or by the Twitter, Inc.’s Twitter buttons. The list and appearance of the Facebook Plugins can be viewed here http://developers.facebook.com/docs/plugins. The list and appearance of the Twitter Plugins can be viewed here http://developer.twitter.com/en/docs/twitter-for-websites/overview.html.
Facebook is established in the EU (Ireland) and thus is subject to the GDPR; moreover Facebook Inc., situated in the U.S., is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law: http://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active. Twitter is also established in the EU (Ireland) and thus is subject to the GDPR; Twitter Inc. is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law, too: http://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO#privacy-policy-1.
When a user calls up a function of these online services containing such a plugin, his device establishes a direct connection with the Facebook and/or Twitter servers. The content of the plugin is transmitted directly from Facebook and/or Twitter to the user's device and integrated into the online service by the user. User profiles can be created from the processed data. We therefore have no influence on the extent to which Facebook and/or Twitter collects data with the help of this plugin.
By integrating the plugins, Facebook and/or Twitter uses third-party plugins to receive the information that a user has called up the corresponding page of the online offer. If the user is logged into Facebook and/or Twitter, Facebook and/or Twitter can assign the visit to his Facebook and/or Twitter account. When users interact with the plug-ins, for example by clicking the Like button or posting a comment, the corresponding information is transferred directly from your device to Facebook and/or Twitter and stored there. If a user is not a member of Facebook and/or Twitter, it is still possible for Facebook and/or Twitter to find out his IP address and save it.
The purpose and scope of the data collection and the further processing and use of the data by Facebook as well as the relevant rights and setting options to protect the privacy of users can be found in Facebook's data protection information http://http://www.facebook.com/about/privacy. The purpose and scope of the data collection and the further processing and use of the data by Twitter as well as the relevant rights and setting options to protect the privacy of users can be found in Twitter’s data protection information http://http://twitter.com/en/privacy.
13. Your Consent
We reserve the right to amend this data protection declaration in order to adapt it to changed legal situations or to changes in our offers and the data procession associated with them.