Data Privacy
1 Overview
Data is processed by the Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial (Federal Institution) according to the provisions of the European General Data Protection Regulation (GDPR), the Austrian Data Protection Act (DSG) and the Austrian Memorials Act (GStG).
This Privacy Statement describes how the Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Argentinierstraße 13, Top 103+104, 1040 Vienna ("we") processes your personal data.
2 What is personal data?
Personal data is all information which relates to an identified or identifiable natural person (e.g. name, contact details, address, invoicing data, IP address, and so on).
3 How do we process your personal data?
We process your personal data in different ways depending on whether you are visiting our website (item 3.1), are subscribing to our newsletter (item 3.2), are a survivor of the Mauthausen concentration camp or a relative of a survivor (item 3.3), are a customer, interested person or a business partner (item 3.4), are supporting our work by making a donation (item 3.5), are using the integrated payment function on our website (item 3.6), are applying for a position with us (item 3.7), are visiting our premises in Vienna or are taking part in an event (e.g. education programmes at the Mauthausen Memorial) (item 3.8), or are communicating with us in the course of online meetings or conference calls (item 3.9):
3.1 Extent and purpose of data processing when visiting our website
The information in the present section 3.1 applies to our following web pages and their subpages:
- https://www.mauthausen-memorial.org
- https://www.mauthausen-memorial.org/de/Gusen
- https://zadb.mauthausen-memorial.org
- https://booking.mauthausen-memorial.org
- https://raumdernamen.mauthausen-memorial.org
- https://mm-tours.org
- https://comments.mauthausen-memorial.org
3.1.1 Log data on the web servers
The providers hosting our web pages automatically collect and temporarily store information on their web servers in the form of server log files; this information is automatically transmitted to us by your browser. This takes place by virtue of our predominantly legitimate interest (Art. 6 para. 1 point f GDPR) for the purposes of systems security and operational stability and includes the following categories of data:
- Domain names
- Browser type and browser version
- Operating system used
- Referrer URL
- Host name of the accessing computer
- Date and time of the server request
- IP address of the requesting computer
- HTTP response code
- Amount of data transferred
Whenever our pages are accessed by users and whenever a file is retrieved, data relating to this operation is stored in a log file. We reserve the right to analyse this log file on an anonymised basis and by virtue of our predominantly legitimate interest (Art. 6 para. 1 point f GDPR) for the purposes of improving our Internet offering. Access will furthermore be anonymised and transferred as aggregate data to the Austrian Federal Ministry of the Interior as proof of fulfilment of the statutory tasks incumbent on ourselves (Section 13 subsection 4 GStG).
This data will not be merged with other data sources. The above personal data in log files will be stored for 3 years.
It may be necessary for operation of our website that we disclose your data to the following recipients:
Recipients | Activity | Legal basis | Registered office |
Infound | Website hosting, maintenance of the website | Art. 6 para. 1 point f GDPR | Austria |
Metamagix Software & Consulting GesmbH | Website hosting | Art. 6 para. 1 point f GDPR | Austria |
WH-Interactive GmbH | Website hosting, maintenance of the website | Art. 6 para. 1 point f GDPR | Austria |
3.1.2 Data security and further security measures as defined by Art. 28 GDPR
To protect the web pages (https://www.mauthausen-memorial.org, https://www.mauthausen-memorial.org/de/Gusen and https://mm-tours.org), our third-party data processor WH-Interactive GmbH uses a web application firewall of its subcontracted processor Sucuri LLC (https://sucuri.net). This web application firewall operates as a filter, i.e. as a protective mechanism between our servers and potentially malicious data traffic from the Internet. It affords protection from fraudulent activities such as bad bots, hacking attempts, zero-day exploits, DDoS attacks, brute force attacks, SQL injections and cross-site scripting, thus also ensuring your protection when using our website. High availability and redundancy in the event of network failure are guaranteed with the CDN-based technology of a globally distributed anycast network used here. In this connection, it may however come about that personal data belonging to visitors to the website is also processed outside the EU/EEA and secure third countries. We do not actively send any personal information to Sucuri LLC, but Sucuri LLC may also process personal information of visitors to the website, for example IP addresses, while checking data traffic for potentially malicious content.
To ensure an appropriate level of data protection with use of the Sucuri LLC web application firewall, a corresponding processor agreement has been concluded. An appropriate level of data protection for processing activities in third countries is guaranteed through use of the EU standard contractual clauses (2010/87/EU) of the European Commission.
The implementing decision (EU) 2021/914 of the Commission dated 4 June 2021 relating to standard contractual clauses for the transfer of personal data to third countries according to Regulation (EU) 2016/679 of the European Parliament and of the Council will be implemented with the processors concerned as soon as possible and within the statutory deadline.
It may thus be necessary for implementation of the technical security measures for our website that we disclose your data to the following recipients:
Recipients | Activity | Legal basis | Registered office |
WH-Interactive GmbH | Website hosting, maintenance of the website | Art. 6 para. 1 point f GDPR | Austria |
Sucuri LLC *) | Website firewall and protection from malware | Art. 6 para. 1 point f GDPR | USA |
*) Sucuri LLC is a subcontracted processor of WH-Interactive GmbH
3.1.3 Technical data in cookies
When you visit our website, the following data may be additionally processed in technical cookies:
- Browser type
- Operating system
- Country
- Date
- Time and duration of access
- IP address and pages visited on our website including entrance and exit pages
The "technical" cookies used are enabled as soon as you visit our home page. Their function is to make our offer more user-friendly and effective. Cookies are little text files placed on your computer and stored by your browser.
You can either disable the storage of cookies in your browser or activate a message as soon as cookies are sent. If you refuse cookies, this may impair functionality when using our website.
Cookies allow us to analyse how the website is used. Their function is to recognise visitors to the website and to temporarily save their data. We only ever use cookies to the minimum extent necessary in order to communicate with you via the home page.
The following cookies (First Party) are used on our website by virtue of our predominantly legitimate interest (Art. 6 para. 1 point f GDPR):
Cookie | Purpose, description of legitimate interest | Duration of storage | Recipient, registered office |
JSESSIONID | Technical cookie; | Session | Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Austria |
cftoken | Technical cookie; | 20 days | Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Austria |
cfid | Technical cookie; | 20 days | Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Austria |
_gsm_session | Technical cookie; | Session | Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Austria |
PHPSESSID | Technical cookie; | Session | Bundesanstalt KZ-Gedenkstätte Mauthausen/Mauthausen Memorial, Austria |
The following cookies and third-party requests (Third Party) are used on our website by virtue of our predominantly legitimate interest (Art. 6 para. 1 point f GDPR):
Cookie | Purpose, description of legitimate interest | Duration of storage | Recipient, registered office |
vuid | Marketing purposes; to display embedded videos | 2 years | Vimeo, Sweden |
Third-party request to host | Purpose, description of legitimate interest | Recipient, registered office |
fonts.googleapis.com | Visualisation of geographic information; to display maps | Google LLC |
fonts.gstatic.com | Visualisation of geographic information; to display maps | Google LLC |
maps.googleapis.com | Visualisation of geographic information; to display maps | Google LLC |
maps.gstatic.com | Visualisation of geographic information; to display maps | Google LLC |
3.1.4 Links to external providers
Individual pages may contain links to other providers outside the Mauthausen Memorial who are not covered by the Privacy Statement, i.e. we can accept no liability whatsoever for this content. We select linked content with care. Should however a link malfunction, please be so kind as to inform us. We will remove or update it at once.
3.2 Extent and purpose of data processing when using our newsletters
If you register for our newsletter, we will use the data required for this purpose or which you supplied separately in order to regularly send you our newsletter by e-mail to keep you informed about the services we offer subject to your consent. Processing will be carried out on the basis of your consent to the processing of personal data concerning yourself (Art. 6 para. 1 point a GDPR). You can unsubscribe from the newsletter and thus be removed from our mailing list at any time. This is possible either by contacting us as described below or by using a link in the newsletter provided for this purpose.
It may be necessary for operation of our mailing list that we disclose your data to the following recipients:
Recipient | Activity | Legal basis | Registered office |
WH-Interactive GmbH | Hosting of the newsletter tool and its maintenance | Art. 6 para. 1 point a GDPR | Austria |
3.3 Extent and purpose of the processing of data belonging to survivors of the Mauthausen concentration camp, their relatives, persons with a connection to the Mauthausen concentration camp and third parties with a scientific interest
In the framework of our legal mandate we process personal data, e.g. belonging to survivors of the Mauthausen concentration camp and their relatives, and to persons with a connection to the Mauthausen concentration camp and its subcamps.
With the transfer of personal data belonging to survivors or other persons with a connection to Mauthausen concentration camp or its subcamps to relatives of data subjects or to third parties for the purposes of scientific investigation, we process personal data of such persons seeking information by virtue of the performance of a task carried out in the public interest (Art. 6 para. 1 point e GDPR). The processing of data and the activity relating to the provision of information comply with Sections 3 and 29 GStG. Section 29 para. 3 GStG stipulates that, in the case of personal information, proof of identity in a suitable form is obligatory.
We likewise process the personal data of persons seeking information with the disclosure of data not traceable to any individual (e.g. scientific enquiries relating to the collections of the Mauthausen Memorial) by virtue of the performance of a task carried out in the public interest (Art. 6 para. 1 point e GDPR).
The data of the persons seeking information is stored by virtue of legitimate interest according to Art. 6 para. 1 point f GDPR and Section 3 para. 4 GStG.
During the activity of providing information it may be necessary that we transfer data belonging to the persons seeking information to the following recipient:
Recipient | Legal basis | Registered office |
Website hoster (documentation system, web-based database) | Art. 6 para. 1 point a GDPR | Austria |
IT provider, IT support | Art. 6 para. 1 point a GDPR | Austria |
Should a legal or a supervisory obligation exist, public bodies and institutions (e.g. Austrian National Audit Office, National Council) may also be provided with your personal data.
3.4 Extent and purpose of data processing of customers, potentially interested persons and business partners
In the context of our business relations with customers, potentially interested persons and business partners, we process your personal data on the basis of contractual (precontractual obligations, fulfilment of the contractual relationship with you, the accounting of services, communication and mailing of digital materials during performance of the contract; Art. 6 para. 1 point b GDPR) and legal obligations (statutory obligation of retention as defined by Section 132 Austrian Federal Tax Code (BAO) and Sections 190 and 212 Austrian Business Enterprise Code (UGB); Art. 6 para. 1 point c GDPR) and by virtue of our legitimate interest or that of third parties (Art. 6 para. 1 point f GDPR), whereby these interests are lawfully processed to the necessary extent in the following functions:
- For in-house administration and management of your business case to the necessary extent (e.g. processing of your business case, its forwarding to different departments, filing of documents, purposes of archiving, correspondence with yourself);
- For the assertion and defence of legal claims
Your data is processed for the purposes of initiating, maintaining and managing our business relations. The specific details of the types of data to be collected can be found in the relevant contractual documents. If you do not provide us with this data, we will not be able to deal with your business case.
We will only store your data for as long as this is required to accomplish the purposes for which we collected it. In this context statutory obligations of retention should be borne in mind (this means that under fiscal legislation, contracts and other documents ensuing from our contractual relationship must always be retained for a period of seven years (Section 132 BAO)). In justified individual circumstances, for instance to assert and defend legal claims, we may also store your data for a period of up to 30 years after the end of our business relationship.
In the course of our business relations it may be necessary that we transfer your data to the following recipients:
Recipient | Legal basis | Registered office |
Accounts, payroll accounting, tax consultancy | Art. 6 para. 1 points c and f GDPR | Austria |
Website hoster (booking webpage, documentation system, web-based database) | Art. 6 para. 1 points a, b and f GDPR | Austria |
IT provider, IT support | Art. 6 para. 1 point f GDPR | Austria |
Telekom Austria (telephone provider) | Art. 6 para. 1 point f GDPR | Austria |
Banks for handling payment transactions | Art. 6 para. 1 point b GDPR | Austria, poss. worldwide |
Courts, notaries, experts, legal representatives | Art. 6 para. 1 points c and f GDPR | Austria, poss. worldwide |
Insurance in the event of an insurance claim | Art. 6 para. 1 points a and c GDPR | Austria |
Contracting or business partners who are involved or are to be involved in the service (e.g. tour guides) | Art. 6 para. 1 point b GDPR | Austria, poss. worldwide |
Federal institution "Statistics Austria" for compilation of the legally required (official) statistics | Art. 6 para. 1 point c GDPR | Austria |
Public accounting and auditing firms (for the purposes of auditing) | Art. 6 para. 1 point c GDPR | Austria |
Service providers (post office, DHL, UPS, TNT, FedEx) | Art. 6 para. 1 point b GDPR | Austria, poss. worldwide |
External funding sources and third-party donors | Art. 6 para. 1 points b and c GDPR | Austria, poss. worldwide |
Public bodies with a legal or supervisory obligation (ministries, National Audit Office, National Council, EU bodies) | Art. 6 para. 1 point c GDPR | Austria, poss. worldwide |
3.5 Extent and purpose of data processing when making a donation to support our work
Our donations website provides the opportunity to support the Mauthausen Memorial by making a financial donation via the internet. When you make a donation, we will ask for your name and other personal information in order to process the online donation. You are free to decide whether to use the form on the donation website. Donations greater than €10,000 cannot be made via the website.
The Mauthausen Memorial is registered on the ‘list of beneficiaries for donations’ of the Federal Ministry of Finance. This means that your donation to us is tax deductible.
Should you wish to make your donation tax deductible, we will process your first name, last name, date of birth, email address and the amount of the donation. On request, this data will also be used to produce a donation receipt at the beginning of the calendar year following the donation. Once a year, your first name, last name and date of birth will be transmitted to the Federal Ministry of Finance via FinanzOnline.
If you do not wish to make your donation tax deductible, we will only process your email address and the amount of the donation.
Your email address will be used in order to contact you as a donor about your payment and the purpose of your donation as part of our donor communication emails.
You can unsubscribe from donor communication emails at any time. This will also delete the details you have provided us with. This can be done either by sending an email to spenden@mauthausen-memorial.org or by using the link provided in the donor communication emails.
Should you wish to make a donation greater than €10,000, or wish to make a donation by direct bank transfer to our donations account, we will be happy to help you by telephone +43 1 376 3000-1000 or by email spenden@mauthausen-memorial.org
We will only store your data for as long as this is required to accomplish the purposes for which we collected it. When processing your donation, we will process your personal data on the basis of contractual (processing your donation, Art. 6 para. 1 point b GDPR) and legal obligations (special expenses data transmission regulation for tax deductibility; statutory obligation of retention as per § 132 Austrian Federal Tax Code (BAO) and §§ 190 and 212 Austrian Business Enterprise Code (UGB); Art. 6 para. 1 point c GDPR).
When processing your donation, it may be necessary to transmit donors’ data to the following recipients:
Recipient | Legal basis | Registered office |
Federal Ministry of Finance | Art. 6 para. 1 point c GDPR | Austria |
Accountants, tax consultancy | Art. 6 para. 1 points c and f GDPR | Austria |
IT provider, IT support | Art. 6 para. 1 point f GDPR | Austria |
3.6 Extent and purpose of data processing when using the integrated payment function on our website
When you use the integrated payment function on our website as a customer or donor, the payment is processed by our external online payment partner Unzer E-Com GmbH. When making a payment, you will be given the choice between different payment options and modalities.
One-off payments:
- Credit card (Visa, Mastercard) or
- One-time bank transfer via EPS online transfer. If you select this option, you will be forwarded to your online banking portal.
Recurring payments (monthly or annual):
- Credit card (Visa, Mastercard)
Recurring payments can be cancelled at any time or at the end of the month by sending an email to spenden@mauthausen-memorial.org
In order to process the payment securely, an anonymised transaction ID and details about the financial and payment conditions such as the amount and VAT rate are transmitted to our online payment partner. The data is sent in encrypted form. The Mauthausen Memorial does not retain any card or bank details.
Our online payment partner uses the transmitted data only for the purposes of completing payment processing and is bound by European data protection regulations. Furthermore, our online payment partner is an independent data controller (data protection statement available at https://www.unzer.com/en/datenschutz/) and is monitored by the German Federal Financial Supervisory Authority (BaFin).
Should you require a refund, we will process your bank account details only for this purpose and submit these to the relevant bank where the account is held.
When using the payment function, it may be necessary to transmit customers’ and donors’ data to the following recipients:
Recipient | Legal basis | Registered office |
Unzer E-Com GmbH, Vangerowstraße 18, DE 69115 Heidelberg | Art. 6 para. 1 point b GDPR | Germany |
Customer’s/Donor’s own bank | Art. 6 para. 1 point b GDPR | Depends on the bank |
3.7 Extent and purpose of data processing of applicants
We process your personal data either to initiate and implement precontractual measures (conclusion of a (freelance) service contract, Art. 6 para. 1 point b GDPR), based on your explicit consent (Art. 6 para. 1 point a GDPR) where we would like to hold your application on file or to fulfil our statutory obligations (registration with social security institutions as an employee, Art. 6 para. 1 point c GDPR).
Your personal data will be processed in order to manage the application procedure and to register you for social security if we hire you. If you do not provide us with this data, we will not be able to deal with your application. The specific details of the types of data to be collected can be found in the relevant application documents completed and submitted by yourself.
We will store your personal data either for the duration of the application process or until you withdraw your consent (where you have given your consent that we may hold your application on file). Irrespective of this we will store your data for as long as there still exist legal obligations of retention or where any legal claims, for which the personal data is required for their assertion or defence, have not yet expired by limitation.
In the course of the application procedure it may be necessary that we transfer your data to the following recipients:
Recipient | Legal basis | Registered office |
Social security institutions | Art. 6 para. 1 point c GDPR | Austria |
IT provider, IT support | Art. 6 para. 1 point f GDPR | Austria |
Accounts, tax consultancy, payroll accounting | Art. 6 para. 1 point b GDPR | Austria |
Tax authorities | Art. 6 para. 1 point c GDPR | Austria |
Lawyer | Art. 6 para. 1 points c and f GDPR | Austria |
Commercial Register | Art. 6 para. 1 point f GDPR | Austria |
Public bodies | Art. 6 para. 1 point c GDPR | Austria |
3.8 Extent and purpose of data processing of visitors due to the COVID-19 pandemic at Mauthausen Memorial and its office premises in Vienna
If you visit our offices in Vienna or participate in an event (e.g. offers of guided tours to Mauthausen Memorial), we will process your data in the context of the COVID-19 pandemic for the purposes of contact tracing in relation to our visitor records. This data is processed in conjunction with our legitimate interest, namely the control and management of visitors in the framework of our domiciliary right (Art. 6 para. 1 point f GDPR) or on the basis of our legal obligations according to the Corona regulations in the last amended version (Art. 6 para. 1 point c GDPR).
The following personal data forms the subject of processing:
- Details of users: First name, last name
- E-mail address
- Telephone number
- Date and time of visit or participation in an event
We will hold your personal data on file for 28 days.
3.9 Extent and purpose of data processing in the context of online meetings and conference calls with Mauthausen Memorial
Mauthausen uses the communication tool ZOOM to hold conference calls, online meetings and video conferences (referred to below as online meetings). ZOOM is a service offered by ZOOM Video Communications, Inc., based in the USA.
You can also use ZOOM if you enter the relevant meeting ID and any additional access data for the meeting directly in the ZOOM app. If you do not wish to use the ZOOM app or cannot use it, the basic functions are also available via a browser version, which is likewise to be found on the ZOOM website.
3.9.1 What data is processed here?
Different types of data are processed when using ZOOM. The extent of this data also depends on the specific data you give before or when participating in an online meeting.
The following personal data forms the subject of processing:
- Details of users: First name, last name, telephone (optional), e-mail address, password (if not using single sign-on), profile picture (optional), department (optional)
- Meeting metadata: Topic, description (optional), participants' IP addresses, device/hardware information
- During recordings (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of the online meeting chats.
- When dialling in by telephone: Incoming and outgoing call number, name of country, start and end time. Additional connection data such as the IP address of the device may be stored.
- Text, audio and video data: You may have the option of using the chat, raise hand or survey functions during an online meeting. In this regard the text input by yourself is processed for display in the online meeting and possibly for logging. The data from the microphone of your terminal device and any video camera present is processed accordingly during the meeting to enable the display of video and audio playback. You can switch off the camera or mute the microphone yourself at any time using the ZOOM apps.
To take part in an online meeting or join a breakout room you have to at least give your name.
3.9.2 Storage of data
The data of participants at a meeting registered with ZOOM as users is stored for a period of 12 months (name and e-mail address supplied, duration of participation at meetings, meeting metadata and data for telephone dial-in).
3.9.3 Extent of processing
The Mauthausen Memorial uses ZOOM to hold online meetings. If we wish to record online meetings, we will clearly notify you beforehand and ask for your consent where necessary in this regard. The ZOOM app will also show you that the meeting is being recorded.
If necessary in order to log the results of an online meeting, we will log the content which was presented and discussed. The logging of content will be announced at the beginning of the session.
3.9.4 Legal basis for data processing
Where personal data of applicants or employees of the Mauthausen Memorial is processed, this is necessary to fulfil a contractual obligation (contract of employment) according to Art. 6 para. 1 point b) GDPR and thus constitutes the legal basis for data processing. Where with the use of ZOOM personal data is not required for the substantiation, performance or termination of the employment relationship, but is nevertheless a fundamental component with the use of ZOOM, the legal basis for data processing is GDPR Art. 6 para. 1 point f). In such cases our interest lies in the effective implementation of online meetings.
In the case of customers, partners, suppliers and third parties, the legal basis for data processing with the performance of online meetings is Art. 6 para. 1 point b) GDPR where such meetings are held in the framework of contractual relations.
Should no contractual relations exist, the legal basis is Art. 6 para. 1 point f) GDPR. Once again our interest lies in the effective performance of online meetings.
3.9.5 Recipients / Disclosure of data
Personal data which is processed in the context of participation in online meetings is never disclosed to third parties unless specifically destined for disclosure. Please note that content from online meetings and personal meet-up discussions is in particular frequently used for the communication of information with customers, interested persons or third parties and is thus destined for disclosure.
Further recipients: The above data, where this is provided for in the framework of our data processing contract with ZOOM, comes by necessity to the notice of the provider of ZOOM.
3.9.6 Data processing outside the European Union
ZOOM is a service which is rendered by a provider from the USA. The processing of personal data is thus also carried out in a third country. We have concluded a data processing contract with the provider of ZOOM.
An appropriate level of data protection is guaranteed by conclusion of the EU standard contractual clauses. To ensure additional protective measures, we have furthermore set up our ZOOM configuration so that only computer centres in the EU, the EEA and secure third countries are used for the performance of online meetings.
The implementing decision (EU) 2021/914 of the Commission dated 4 June 2021 relating to standard contractual clauses for the transfer of personal data to third countries according to the Regulation (EU) 2016/679 of the European Parliament and of the Council will be implemented with the processor ZOOM concerned as soon as possible and within the statutory deadline.
Note: Where the ZOOM app is not used but the ZOOM Internet page called up, ZOOM itself is responsible for data processing. It is however only necessary to call up the Internet page to use ZOOM in order to download the software for using ZOOM. The ZOOM data protection statement can be found at https://explore.zoom.us/docs/de-de/privacy.html
3.10 Image, audio and video recordings at sites of Mauthausen Memorial in the context of events
Photographs and/or video recordings incl. audio may be made at the sites of the Mauthausen Memorial in the context of events and used for the media of the Mauthausen Memorial (website, print, social media, etc.) within the legally permitted framework (e.g. Section 78 Austrian Copyright Act (UrhG)).
Photographs or video recordings incl. audio are produced by virtue of a legitimate interest as defined by Art. 6 para. 1 point f GDPR and Sections 12, 13 DSG. The legitimate interest of the Mauthausen Memorial consists in public relations and publicity for the activities of the Mauthausen Memorial and in documentary interest in the activities of the Mauthausen Memorial and as such is also carried out in the public interest.
Reference is made to the production and use of photographs, video recordings and audio data prior to and during the event itself.
4 Collection of personal data from sources other than data subjects themselves (Art. 14 GDPR)
In the course of a business relationship or when initiating such relations, it is of course necessary to make enquiries into business partners. This takes place only to the minimum extent necessary to initiate and implement precontractual measures (conclusion of a contract, Art. 6 para. 1 point b GDPR). In this context data may be retrieved from the following public sources and subjected to processing:
Source of information | Types of data | Purpose/Justification |
Commercial Register | Contact details, address, status of company | To verify business address and credit rating |
Website of the company or institution for whom you work | Contact details, address, CV | To establish contact for business purposes |
Diverse online trade directories | Contact details, address | To establish contact for business purposes |
5 What are your rights in relation to data processing?
You hold the following rights where provided by the statutory requirements:
- right of access free of charge to information relating to the personal data processed by ourselves (Art. 15 GDPR),
- right to rectification or supplementation of incorrect or incomplete data relating to yourself (Art. 16 GDPR)
- right to erasure of your data (Art. 17 GDPR) and
- right to restriction of processing of your personal data where you
  - contest the correctness of the personal data, namely for a period of time that allows us to verify the correctness of the personal data, or if the data processing is unlawful and you reject erasure of the personal data and request instead the restriction of processing of the personal data,
  - the data is no longer required by us for the envisaged purpose,
  - you might however still need this data for the assertion or defence of legal claims or
  - you exercise your right to object (Art. 18 GDPR).
In the case of processing activities necessary to protect our legitimate interests or those of a third party, you have the right to object where you have an interest in preserving the confidentiality of your data that outweighs our interest in processing your data further (Art. 21 GDPR).
You also have the right to receive the data provided by you in a structured, commonly used and machine-readable format (Art. 20 GDPR).
Where we process your data based on your consent, you have the right to withdraw this consent at any time by means of an e-mail. This does not affect the lawfulness of the data processing carried out until such time (Art. 7 para. 3 GDPR).
6 What rights to lodge a complaint do you hold?
Should, contrary to expectation, infringement of your right to the lawful processing of your data come about, please be so kind as to contact us either by e-mail or post. We will then endeavour to deal with your concern at once. You however also have the right to lodge a complaint with the supervisory authority competent as regards issues of data protection in your individual case. The competent supervisory authority in Austria is the Austrian Data Protection Authority. For contact information please see https://www.data-protection-authority.gv.at
7 How can you get in touch with us?
Should you have further questions about the processing of your data, do not hesitate to contact our data protection coordinator
Mag. Robert Vorberg, robert.vorberg@mauthausen-memorial.org
or our data protection officer
Dipl.-Ing. Reinhard Fiegl, MBA MSc CISA, datenschutz@fiegl.org
8 Controller as defined by GDPR and DSG
The controller as defined by Art. 4 No. 7 GDPR for the processing of your data in the processing activities listed under item 3 is:
Bundesanstalt
KZ-Gedenkstätte Mauthausen/Mauthausen Memorial
Argentinierstraße 13, Top 103+104
A-1040 Vienna
E-mail: office@mauthausen-memorial.org
Version 2.0, release date 09/20/2021