Data policy

The Technische Universität Wien (TU Wien) is pleased that you are visiting its websites. Data protection and data security are very important to us when you use our websites. So, at this point, we would like to tell you which items of your personal data we collect when you visit our websites and which purposes they are used for.

As changes in the law or in our internal processes may make it necessary to adapt this data protection declaration, we would ask you to read this data protection declaration regularly. The data protection declaration can be retrieved, saved and printed at any time at “data protection declaration” at (

1. Controller and scope of application

The controller within the meaning of the European Union’s General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states and other legal data protection provisions is the

Rectorate of TU Wien
Karlsplatz 13
1040 Vienna

This data protection declaration applies to the website of TU Wien, which can be retrieved at the domain and the various subdomains (referred to below as “our websites” or “internet presence”).

2. Data protection officer

Mag. Christina Thirsfeld
TU Wien
Karlsplatz 13/018

If the rights of data subjects within the meaning of this data protection declaration (e.g. the right to information, right to erasure, etc.) are asserted, all such applications or requests must be addressed to:

3. What are personal data?

Personal data are individual information about the personal or factual circumstances of a specific or identifiable natural person (“data subject”). This includes such information as your name, address, telephone number, date of birth or email address. Information with which we cannot establish any connection to your person (or can only do so with undue effort), e.g. as by anonymising the information, is not personal data.

4. General remarks on data processing

a) Scope

We generally collect and use our users’ personal data only to the extent necessary to provide functional websites and our content and services. We use your personal data to provide the information, products and services we offer, to answer your questions and to operate and improve our websites and applications.
We collect and use our users’ personal data only in accordance with a corresponding statutory basis within the GDPR1, for example based on a legal obligation, such as according to 2002 University Act (UG), a contractual obligation, the public interest or the consent of the user.

We will make no further use of your personal data. We will not transfer your personal data to third parties or use your data for advertising purposes without your consent except in the cases described below, unless we are legally obliged to disclose data.

b) Statutory basis

If we obtain the consent of the data subject to process personal data, we do so on the basis of sec 6, par 1 (a) EU General Data Protection Regulation (GDPR). Section 6, par 1 (b) GDPR serves as the statutory basis for the processing of personal data required in order to perform contracts to which the data subject is a party. This also applies to processing required in order to implement pre-contractual measures. If it is necessary to process personal data in order to fulfil a statutory obligation to which the TU Wien is subject, this is done according to sec 6, par 1 (c), GDPR.

Should vital interests of the data subject or another natural person make it necessary to process personal data, sec 6, par 1 (d) GDPR serves as a statutory basis. If processing is necessary to safeguard a legitimate interest of TU Wien or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not outweigh the first-mentioned interest, sec 6,par 1 (f), GDPR serves as the statutory basis for processing.

c) Erasing and duration of storage

As soon as the purpose of the storage no longer applies, the personal data of the data subject will be erased or blocked. However, the data may be stored if European or national legislatures have made provision for this in EU Regulations, legislation or other regulations to which the person responsible is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless it is necessary to further store the data in order to enter into or perform a contract.

5. Individual processing operations

If you wish to make use of the services offered in our internet presence, it will be necessary to provide further data. You will find details below in the description of actual data processing procedures. In particular, personal data are used as follows:

b) Providing websites and creating logfiles

Every time you visit our website, our system automatically collects data and information from the computer system of the calling computer. The following data is collected:

  • the IP address of the requesting computer;
  • the date and time of access;
  • the name and URL of the file retrieved;
  • the quantity of data transmitted;
  • a report on whether the request was successful;
  • identification data of the accessing browser and operating system;
  • the internet site which accesses our website.

The log files contain IP addresses and other data that can be associated with a user. For example, this might be if the link to the website from which the user accesses the website or if the link to the website which the user accesses, contains personal data.

The data is also stored in the log files of our system. These data are not stored together with other personal data of the user.

The statutory basis for the temporary storage of data and log files is sec 6, par 1 (f) GDPR.

The data is stored in log files in order to ensure the functionality of the website. The data is also used to optimise the website and to ensure that our information technology systems are secure. There is no evaluation of the data for marketing purposes in this context.

These purposes also include our legitimate interest in processing data in accordance with sec 6, par 1 (f) GDPR.

The data are erased as soon as they are no longer required for the purpose of their collection. This is done after 30 days at the latest. Collecting data in order to make the website available is essential for the operation of the website. The user is therefore not able to object.

6. Security measures used to protect the data stored with us

We undertake to protect your privacy and to treat your personal data confidentially. In order to prevent the loss or misuse of data stored by us, we take extensive technical and organisational security precautions which are regularly checked and adapted to technological progress. However, we should point out that due to the structure of the internet, it is possible that the data protection rules and the above-mentioned security measures may not be observed by other persons or institutions for which we are not responsible. In particular, unencrypted data can be read by third parties – e.g. if this is done by email. We have no technical control over this. It is the responsibility of the user to protect the data provided by him/her against misuse through the use of encryption or in some other way.

7. Hyperlinks to external websites

Our websites contain so-called hyperlinks to websites of other providers. If you activate these hyperlinks, you will be redirected from one of our websites directly to the website of other providers. You will recognize this by the change of URL, for example. We cannot accept any responsibility for the confidential handling of your data on these third-party websites, as we have no control over whether these companies comply with data protection regulations. Please inform yourself directly on these websites about how these companies handle your personal data.

8. Objections

When processing your personal data on the basis of legitimate interests, you have the right to object to the processing of your personal data if there are reasons for doing so which arise from your particular situation or from the use of direct advertising. In the case of direct advertising, you have a general right of objection which we put into effect without your having to state a particular situation.

9. Rights of data subjects

In your capacity as a data subject, GDPR grants you the following rights when your personal data are processed:

  • the right to information;
  • the right to rectification;
  • the right to erasure;
  • the right to restriction of processing of your personal data;
  • the right to data portability;
  • the right to object.

If you believe that the processing of your data breaches data protection law or that your data protection claims have been breached in some other way, you can complain to the Data Protection Authority.