OBLIGATION TO INFORM WHEN COLLECTING PERSONAL DATA IN ACCORDANCE WITH THE GENERAL DATA PROTECTION REGULATION

In connection with the use of the "Easy Reading" software framework

Johannes Kepler University of Linz (hereinafter “JKU”) is informing you below about the computer assisted processing of your personal data (more precisely: personal data relating to you) within the meaning of art 4, numeral 1 of the General Data Protection Regulation (hereinafter: “GDPR”), whose protection the applicable data protection law [1] serves. Computer assisted processing within the meaning of art 4, numeral 2 GDPR means in particular the collection, registration and storage of personal data with the aid of automated (computerised / technical) processes.

I. Contact details of the controller:
Controller of the data processing described below within the meaning of art 4, numeral 7 GDPR is Johannes Kepler University of LInz (JKU), Altenberger Strasse 69, 4040 Linz, datenschutz@jku.at.
The data protection officer within the meaning of art 37 GDPR can be reached at Johannes Kepler University of Linz (JKU), Staff Unit for Data Protection, Altenberger Strasse 69, 4040 Linz, datenschutz@jku.at.

II. Background of processing / Indication of the purpose for which the personal data are to be processed / Legal basis of processing / Recipients of the personal data:

1. With the cloud-based Easy Reading software framework, JKU, Institute of Integrated Studies as operator provides users with cognitive impairments with a browser extension or support tool to support and simplify the cognitive accessibility and use of websites.

In the course of using support services of the Easy Reading Software Framework, personal data of the user as data subjects, namely the language settings selected by the user, other settings such as the type of user interface and the assistance services used and its configuration, and statistics of the assistance services used by the client, are processed. In principle, the user has the option of setting up a permanent Easy Reading Account by logging in with an active Facebook or Google account; in this case, his/her Facebook or Google ID and e-mail address will also be processed. The account will be active after the user logs out, so that the user can access the previously saved and customized settings at a later date. Apart from this, the users are free to create a temporary Easy Reading Account in an anonymous form; in this case, the user will be provided with an anonymous user ID by the central cloud server for the duration of the use of the support tool; as soon as the user logs out, his/her account will be deleted. In addition, information such as browser type/browser version, operating system used, referrer URL, access time and IP address is stored in server log files. These data do not allow for the identification of a specific person. This data is not used to evaluate behaviour patterns and is not linked to other data sources.

This personal data is stored on a central cloud server of Amazon Web Services, Inc. If and to the extent that a final processing of the user's enquiries or selected help settings cannot be carried out using the central cloud server, these enquiries will be sent for further implementation to external cloud servers of Microsoft Corporation (Microsoft Azure), Texthelp Ltd. (Texthelp) or IBM (IBM Bluemix or IBM Cloud).

2. Personal data is processed for the purpose of creating and managing an Easy Reading Account and for processing or implementing the support functions (requests) selected by the user and thus for adapting the web content to the individual needs of the user by means of personalised user interfaces. The creation and processing of statistics on the support services used by the user is carried out for the purpose of providing further support tool recommendations tailored to the needs of the user. With the help of the server log files, error messages and calls of functions in the system are analysed and logged anonymously.
For the purpose of implementing the services used by the user, a session cookie is used to store the log-in data and language settings in the settings dialog of the browser extension, which is automatically deleted when the session is ended by closing the browser window.

3. The legal basis for the specific processing of personal data is article 6, paragraph 1, letter f GDPR. The processing of the personal data and log files is lawful, as it is necessary to ensure a comfortable application of the browser extension or support tools tailored to the individual needs of the user, as well as for the technical implementation and guarantee of the functionality of the settings or support functions selected by the user and thus to protect the legitimate interests of JKU. By using the session cookie, log-in data and language settings of the user are processed. This cookie is technically necessary for the implementation of the services used by the user and is therefore also necessary to protect the legitimate interests of JKU.

There is no obligation to provide the personal data, but if the data is not provided, the above mentioned purpose cannot be achieved.

4. Recipients of personal data are the organizational units of the JKU necessary for the appropriate processing - in particular the Institute of Integrated Studies (IIS) as well as the cloud providers Amazon Web Services, Inc. and - if applicable - for the implementation or processing of requests and selected help settings Microsoft Corporation (Microsoft Azure), Texthelp Ltd. or IBM (IBM Bluemix or IBM Cloud) as data processors.

Amazon Web Services, Inc. (AWS) is a U.S. cloud computing provider with a headquarter at 410 Terry Ave North, Seattle, WA 98108-1226, USA and a subsidiary of Amazon.com, Inc. Data storage is located in a cloud data center in Frankfurt am Main, Germany. Further information on data protection can be found at https://aws.amazon.com/de/privacy/ and https://aws.amazon.com/de/compliance/gdpr-center/.

Microsoft Azure is a cloud computing platform from Microsoft Corporation, headquartered at One Microsoft Way Redmond, WA 98052-6399, USA. Location is in the Netherlands. Further information on data protection can be found at https://www.microsoft.com/de-at/trust-center/privacy/data-location and https://privacy.microsoft.com/de-de/privacystatement.
IBM Bluemix (IBM Cloud) is a cloud computing platform as a service developed by International Business Machines Corporation (IBM) and located at 1 New Orchard Road, Armonk, NY 10504 -1722, USA. The service described under point 4 is provided via servers in the USA. Further information on data protection can be found at https://www.ibm.com/privacy/de/de/.
However, it should be noted that both Amazon Web Services, Inc. (AWS), Microsoft Corporation and IBM are US companies that have a valid EU-US Privacy Shield certification and are therefore currently considered to be DSGVO compliant companies: In its decision of 12.07.2016, the EU Commission stated that the transfer of data from a controller or processor in the EU to organisations in the USA that have committed themselves to compliance with data protection principles by self-certification with the Department of Commerce is permissible (implementing decision [EU] 2016/1250 see https://eur-lex.europa.eu/legal-content/DE/TXT/PDF/?uri=CELEX:32016D1250&from=DE).

Texthelp Ltd., headquartered at Lucas Exchange, 1 Orchard Way, Greystone Road, Antrim, Northern Ireland, is a provider of various technology solutions, digital tools and services for cognitive accessibility. The service described under point 4 is provided via servers in Northern Ireland. The United Kingdom of Great Britain and Northern Ireland withdrew from the European Union at the end of January 31, 2020 and the withdrawal agreement negotiated for this purpose entered into force on February 1st 2020, 00:00 CET. With or as a result of the conclusion of this withdrawal agreement, the EU body of law GDPR applicable to trade in goods with the United Kingdom, will continue to apply during the transitional period until December 31st 2020, so that the same rules will continue to apply as for EU Member States. Further information on data protection can be found at https://www.texthelp.com/en-gb/privacy/ and https://www.texthelp.com/en-us/compliance/.

III. Information on the storage period:
Personal data is stored or processed for the duration of any statutory retention periods. In addition, the storage period is determined according to criteria such as topicality and relevance with regard to the purpose mentioned under point II. as well as any proof required for the correct performance of the services/assistance offered in connection with any disagreements or disputes, and this up to three years after this proof has been provided.

IV. Rights of the data subject in accordance to articles 15 to 21 GDPR:

• Right to information
• Right to correction
• Right to erasure
• Right to restriction of processing
• Right to data portability
• Right to object

V. Information on the data protection authority:
In addition to this, the data subject may complain about any (in its view) impermissible data processing to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, tel: +43 1 52 152-0, or email: dsb@dsb.gv.at.

Status as of: July 2020

------------------------

[1] Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); Federal Act to Protect Natural Persons with regard to the processing of personal data (DSG), BGBl. I, no. 165/1999, most recently amended by BGBl. I, no. 14/2019; (EU) Directive 2016/680 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA of the Council (The Data Protection Directive for Justice and Home Affairs), implemented in §§ 36-61 DSG.