Information according to §5 E-Commerce Act of the Republic of Austria:
The website www.playyourskills.eu and the associated products are provided to you by:
E.N.T.E.R. GmbH
Geidorfplatz 2
8010 Graz, Austria
Tel: +43316329005
Fax: +43316329006
e-mail: office@enter-network.eu
Legal representatives: Dr. Georg Müllner, Dr. Michael Schwaiger
Commercial register: Graz
Commercial register number: FN423006v
UID-Nr.: ATU69012347
Agency according to ECG: BH Graz
Data protection declaration
Data protection declaration
Unless stated otherwise below, the provision of your personal data is neither legally nor contractually obligatory, nor required for conclusion of a contract. You are not obliged to provide your data. Not providing it will have no consequences. This only applies as long as the processing procedures below do not state otherwise.
“Personal data” is any information relating to an identified or identifiable natural person.
Server log files
You can use our websites without submitting personal data. Every time you access our website, user data is transmitted by your internet browser and stored in protocol files (server log files). This stored data includes e.g. name of the site called up, date and time of the request, amount of data transferred and the provider making the request. This data serves exclusively to ensure smooth operation of our website and to improve our offering. It is not possible to assign this data to a particular person.
Use of your email address for mailing of newsletters
We use your email address outside of contractual processing exclusively to send you a newsletter for our own marketing purposes, if you have explicitly agreed to this. The processing will be carried out on the basis of art. 6 (1) lit. a GDPR with your consent. You can withdraw your consent at any time without affecting the legality of the processing carried out with your consent up to the withdrawal. You can unsubscribe from the newsletter at any time using the relevant link in the newsletter or by contacting us. Your email address will then be removed from the distributor.
Cookies
Our website uses cookies. Cookies are small text files which are saved in a user’s internet browser or by the user’s internet browser on their computer system. When a user calls up a website, a cookie may be saved on the user’s operating system. This cookie contains a characteristic character string which allows the browser to be clearly identified when the website is called up again. We use cookies to make our offering more user-friendly, effective and secure. Cookies also allow our systems to recognise your browser after a page change and to offer you services. Some functions of our website cannot be offered without the use of cookies. These services require the browser to be recognised again after a page change.
Our website also uses cookies to allow us to analyse the surfing behaviour of visitors to our website.
We also use cookies to address visitors to other websites with targeted marketing relating to their interests.
Processing is carried out on the basis of § 15 (3) TMG (Telemedia Act) as well as art. 6 (1) lit. f GDPR due to our justified interest in the purposes above.
The data collected in this way is pseudonymised using technological measures. It is therefore not possible to connect the data to your person. The data will not be stored together with other personal data pertaining to you.
You have the right to veto this processing of your personal data according to art. 6 (1) lit. f GDPR by contacting us, for reasons relating to your personal situation.
Cookies will be stored on your computer. You therefore have full control over the use of cookies. By choosing corresponding technical settings in your internet browser, you can prevent the storage of cookies and transmission of the data they contain. Cookies which have already been saved may be deleted at any time. We would, however, like to point out that this may prevent you from making full use of all the functions of this website.
Using the links below, you can find out how to manage cookies (or deactivate them, among other things) in major browsers:
Chrome Browser: https://support.google.com/accounts/answer/61416?hl=en
Internet Explorer: https://support.microsoft.com/en-us/help/17442/windows-internet-explorer-delete-manage-cookies
Mozilla Firefox: https://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences
Safari: https://support.apple.com/guide/safari/manage-cookies-and-website-data-sfri11471/mac
Use of YouTube
Our website uses YouTube LLC’s function for the embedding of YouTube videos. (901 Cherry Ave., San Bruno, CA 94066, USA; “YouTube”).
YouTube is an affiliated company of Google Inc. (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;“Google”).This feature shows YouTube videos in an iFrame on the website. The option “advanced privacy mode” is enabled here. This prevents YouTube from storing information on visitors to the website. It is only if you watch a video that information is transmitted to and stored by YouTube.Further information on the data collected and used by YouTube and Google, your rights and privacy can be found in YouTube’s privacy policy (https://www.youtube.com/t/privacy).
Deletion of personal data
You have the right to request deletion of any personal data submitted by you and stored by the VAM Realities project. If you wish to request a deletion of your data, please write to: office@enter-network.eu
Rights of the affected person
If the legal requirements are fulfilled, you have the following rights according to art. 15 to 20 GDPR: Right to information, correction, deletion, restriction of processing, data portability. You also have a right of objection against processing based on art. 6 (1) GDPR, and to processing for the purposes of direct marketing, according to art. 21 (1) GDPR.
Contact us at any time. Our contact details can be found in our imprint.
Right to complain to the regulatory authority
You have the right to complain to the regulatory authority according to art. 77 GDPR if you believe that your data is not being processed legally.
Last update: 16 May 2018
Project GDPR
1. Introduction
This data protection plan represents the list of actions and strategies that Play Your Skills Project Partners will employ so as to ensure that all actions, products and outputs of Play Your Skills project will be compliant with the GDPR.
This exploitation strategy covers the project period, which began in October 2019, and will run until September 2021. This plan, which has been drafted by Otto-von-Guericke-University on behalf of the Play Your Skills project consortium, outlines:
- Key terms associated with data privacy,
- Risk analysis
- Policies, procedures and monitoring
- Data protection policy for the Play your Skills App
This data protection plan outlines and discusses the basic procedures that are relevant for GDPR compliance in the remaining months of the project lifecycle.
While the responsibility for developing the plan rests with Otto-von-Guericke-University, the responsibility for the implementation of the plan is shared among all partners. There are four main sections to this plan as follows:
- Data Privacy Definitions – this section outlines the common definitions associated with data protection, that are relevant for our project. This section is included as a guide to all partners to ensure common understanding of the key terms across the consortium.
- GDPR Risk Analysis – this section identifies and analyses the key risks the project is facing in relation to the GDPR and provides an evaluation on probability of occurrence and severity of impact.
- Rules and Procedures – this section provides a list of specific rules and procedures to be undertaken by all partners to ensure GDPR compliance of the Play your Skills project
- Data Protection for mobile App – this section presents the data protection policy as part of the app that has been developed within the project
This data protection plan contains a series of quantitative and qualitative indicators that can be used by consortium members and project reviewers to make sure that compliance is achieved.
2. Data Privacy Definitions
The GDPR lays down rules relating to the protection of natural persons and protects their fundamental rights and freedoms. It does so by governing the processing of personal data.
The regulations of the GDPR apply to our project from both, material and territorial perspective. To make sure there is a common understanding of its key terms, the most relevant definitions are included in this section. The definitions are based on Art. 4 of the GDPR.
- personal data means any information relating to an directly or indirectly identified or identifiable natural person (‘data subject’), especially when an identifier such as a name, an identification etc. is used;
- processing means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
- profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
- personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person;
- controller means the natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data;
- consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
For more definitions, the text of the GDPR can be found here: https://gdpr-info.eu
In addition to the definitions, there are certain key principles that are to applied when working with personal data. Personal data shall be
- processed lawfully, fair and transparent,
- collected for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary
- accurate and up to date
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
- processed in a manner that ensures appropriate security of personal data.
The controller is responsible to ensure compliance with these principles. This strategy shows, how compliance will be ensured.
3. Risk Analysis
A Data Protection Impact Assessment (DPIA) is required under the GDPR any time a new project is started that is likely to involve “a high risk” to other people’s personal information. This chapter will analyze and determine if there is such a “high risk” in this project.
In our project, we collect personal data for the following purposes:
- taking photographs during meetings for documentation and dissemination
- gathering dissemination information about stakeholders and sending it to coordinator
- data processing for administrative purposes
- gathering personal information about participants of feedback loops and surveys
- processing of personal information within the App
The photographs and other information from partners are legally based on consent, given by the participants directly at any event or when pictures are taken, resp. When gathering information for dissemination, either publicly available information is being used or the information is transferred with the consent of the data subjects. The transfer of data for administrative purposes is based on legal obligations.
The gathering of data via surveys for IO1 is being conducted using a tool hosted at the Otto-von-Guericke-University Magdeburg. The survey is anonymous and based on consent, that needs to be given before the questionnaire is being shown. At the end of the survey, the participants have the opportunity to provide their E-Mail address, if they are interested to be contacted for further feedback related to the project, especially to participate in the feedback loops for the app development.
The processing of personal information within the app is minimal. A pseudonym is being used instead of the name and the information that is recorded consists of
- date and time of login
- mini game that has been played and
- score for the game
There is no transfer of any of these data, it will only be stored on the device of the player. The app calculates from the game scores the message that is being shown to the player. Then the player can click on a given link to access a website containing further information. The website does not collect any data from the player, especially not the IP-address of the device the player is using, and will not identify who is visiting the website via an in-game-link. If a player wants to share information from the app, he or she needs to take a screenshot of the information and send it via another communication channel, such as mail or messenger.
There are links within the App, that lead to videos on the YouTube platform. If a user is logged in into his or her YouTube account while activating the link, the video will be added to his or her list of watched videos. This is due to the YouTube terms and services, and can be avoided by the player by not logging in and using the web browser in an anonymous way. Nevertheless, no data are transferred between YouTube and any third party through the App when watching the video.
However, while the App is only processing data on the device of the user and will not share any of it, there are the data privacy regulations of the Apple App Store and Google Play Store. This is beyond the responsibility of Play your Skills and is a contract between each user and the respective entity related to the device and operating system he or she is using.
To ensure the compliance with the GDPR, a data protection impact assessment (DPIA) is required under certain circumstances. It states that:
“Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
(see: https://gdpr.eu/data-protection-impact-assessment-template/)
To clarify this statement, additional specific examples are given of types of conditions that would require a DPIA:
- If new technologies are being used
- If people’s location or behaviour is being tracked
- If a publicly accessible place is systematically monitored on a large scale
- If personal data related to “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation” are being processed
- If data processing is used to make automated decisions about people that could have legal (or similarly significant) effects
- If children’s data are processed
- If the data processed could result in physical harm to the data subjects if it is leaked
In Play your Skills, we are dealing with young people, especially during the feedback loops and surveys. But since these persons are not under the age of 16, we can ask them for their consent without further measures.
The automated decisions that are being made within the App, result in different information presented to the player. These information are not transferred to any other entity and don’t have any legal or otherwise significant effects. Therefore, the conclusion is that a DPIA is not required for the Play your Skills project.
4. Privacy Policy for Play your Skills Project
According to Art. 13 GDPR, it is a requirement to provide information where personal data are collected from data subjects. For the data collected from partners and stakeholders for use within the project the following policy applies.
(a) Name and Address of the Data Controller
Jugend Am Werk Steiermark GmbH
Lendplatz 35
A-8020 Graz
Austria
Tel. +435079001100
E-Mail: contact@playyourskills.eu
(b) Name and Address of the Data Protection Officer
The data protection officer of “Jugend am Werk” will be the contact person for questions regarding data privacy in Play your Skills. It is Mag.a Claudia Posch, her email is claudia.posch@jaw.or.at
(c) General Information on Data Processing
In principle, we only collect and use the personal data of our partners to the extent necessary for the execution of the project. Art. 6 of the GDPR forms the legal basis for the processing of personal data. The processing of the personal data in Play your Skills is lawful because either
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- c) processing is necessary for compliance with a legal obligation to which the controller is subject;
The personal data of the data subject will be erased or made unavailable as soon as the reason for storage no longer applies. Moreover, they may be stored if this is provided for by the European or national legislator under the Union regulations, laws or other mechanisms to which the controller is subject. The data shall also be made unavailable or erased when a storage period prescribed by the standards mentioned elapses, unless there is a requirement to continue to store the data in order to enter into a contract, or for the performance of a contract.
(d) Third-Party Data for Newsletter and Dissemination
The address and contact data for newsletters and other dissemination will be collected either from publicly available sources, like organizational websites or registers, or will be given voluntarily to the project from the data subjects. The following data are collected:
- Contact data, including address, phone number, E-Mail
- Name of a contact person
- what kind of organization (VET organization
No data is passed on to third parties in connection with data processing for the sending of newsletters. The data are only used for the purposes of sending the newsletter. The e-mail address of the user is only collected in order to deliver the newsletter. The data are erased as soon as they are no longer required in order to achieve the purpose for which they were collected. Accordingly, the contact information will routinely only be stored for as long as the subscription to the newsletter is active. A newsletter subscription can be terminated at any time by the data subject. There is a link in every newsletter for this purpose. This also makes it possible to revoke the consent to store the personal data collected during the registration process.
(e) Rights of the Data Subjects
If personal data are processed, the data subject has the following rights vis à vis the data controller:
Right of Access
You may request confirmation from the data controller regarding whether or not your personal data have been processed by us. If your data have been processed, you may request information from the data controller regarding the following:
(1) the purposes for which the personal data have been processed;
(2) the categories of personal data that have been processed;
(3) the recipients and/or the categories of recipients to whom your personal data have been or are still being disclosed;
(4) the planned duration of storage of your personal data or, if specific information is not available on this, criteria for specifying the duration of storage;
(5) the existence of a right to correction or erasure of your personal data, a right to restrict the processing by the data controller or a right of objection to this processing;
(6) the existence of the right to lodge a complaint to a supervisory authority;
(7) all available information on the origin of the data, if the personal data was not collected from the data subject;
(8) the existence of automated decision-making including profiling as per Article 22(1) and (4) of the GDPR and at least in these cases meaningful information on the logic involved and the consequences and intended effects of this kind of processing for the data subject.
You also have the right to request information about whether or not your personal data have been transmitted to a third country or to an international organisation. In this connection you may ask to be informed of the appropriate safeguards in accordance with Article 46 of the GDPR in connection with their transmission.
Right to Rectification
You have the right to rectification and/or completion by the data controller if the personal data concerning you that have been processed are incorrect or incomplete. The data controller must rectify the data immediately.
Right to Restriction of Processing
You may require the processing of data about you to be restricted under the following conditions:
(1) if you contest the accuracy of the personal data about you for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you decline the erasure of the personal data and request that their use be restricted instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
(4) you have objected to processing pursuant to Article 21(1) of the GDPR pending verification whether the legitimate grounds of the controller override your own.
Where processing of your personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing, you shall be informed by the controller before the restriction of processing is lifted.
Right to Erasure
- a) Duty to erase
You may request the data controller to immediately erase the data concerning you, and the data controller shall be obliged to erase these data without delay, if one of the following reasons applies:
(1) The personal data concerning you are no longer required for the purposes for which they were collected or processed in any other way.
(2) You revoke your consent upon which the processing was based pursuant to Article 6(1) point (a) or Article 9(2) point (a) of the GDPR, and there is no other legal basis for the processing.
(3) You file an objection against the processing in accordance with Article 21(1) of the GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing in accordance with Article 21(2) of the GDPR.
(4) The personal data concerning you were processed unlawfully.
(5) The erasure of your personal data is required in order to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) Your personal data were collected in relation to the use of information society services in accordance with Article 8(1) of the GDPR.
- b) Information to third parties
If the data controller has published your personal data and if it is obliged to erase them in accordance with Article 17(1) of the GDPR, then it shall take appropriate measures, including of a technical nature, taking into account the available technology and implementation costs, to inform those responsible for processing the personal data that you, as the data subject, have required them to erase all links to this personal data or copies or replications of this personal data.
- c) Exceptions
There is no right to erasure insofar as the processing is required
(1) for exercising the right of freedom of expression and information;
(2) in order to fulfil a legal obligation that requires the processing under Union or Member State law to which the data controller is subject, or in order to perform a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health as stipulated by Article 9(2) points (h) and (i) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific of historical research purposes or for statistical purposes in accordance with Article 89(1) of the GDPR, insofar as the right referred to in point (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defence of legal claims.
Right to Information
If you have exercised your right to information, erasure or restriction of processing vis à vis the data controller, then the controller shall be obliged to notify all recipients to whom your personal data were disclosed of this rectification or erasure of data or restriction of processing, unless this should prove impossible or would involve disproportionate effort. You have the right, vis à vis the data controller, to be notified of these recipients.
Right to Data Portability
You have the right to obtain the personal data that you provided to the data controller in a structured, commonly used and machine-readable format. Furthermore, you are entitled to transmit these data to another data controller without hindrance from the controller to which the personal data were provided, where
(1) the processing is based on consent pursuant to Article 6(1) point (a) or Article 9(2) point (a) of the GDPR or on a contract pursuant to Article 6(1) point (b) of the GDPR and
(2) the processing is carried out by automated means.
Furthermore, in exercising this right, you are entitled to have your personal data transmitted directly from one controller to another, where technically feasible. This may not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to Object
You have the right to object, on grounds relating to your particular situation, at any time, to processing of personal data concerning you which is based on Article 6(1) points (e) or (f) of the GDPR; this applies also to profiling based on these provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing purposes; this applies also to profiling to the extent that it is related to such direct marketing.
Should you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes. In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Right to Revoke the Data Protection Declaration of Consent
You have the right, at any time, to revoke your data protection declaration of consent. The legality of the processing undertaken on the basis of the consent provided up until the time of revocation shall be unaffected by the revocation of consent.
Automated Individual Decision-Making Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the data controller,
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or
(3) is based on your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless Article 9(2) points (a) or (g) apply and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, which shall at least include the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes this Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
5. Data Protection for mobile App
For the app, the information about processing of personal data is part of the software and will be shown when used for the first time or in the menu, resp. For the data collected from players the following policy applies.
(a) Name and Address of the Data Controller
Jugend Am Werk Steiermark GmbH
Lendplatz 35
A-8020 Graz
Austria
Tel. +435079001100
E-Mail:
(b) Name and Address of the Data Protection Officer
The data protection officer of “Jugend am Werk” will be the contact person for questions regarding data privacy in Play your Skills. It is Mag.a Claudia Posch, her email is claudia.posch@jaw.or.at
(c) General Information on Data Processing
The processing of the personal data in the Play your Skills app only happens in the app itself. There is no communication with or transfer to any third-party entity. Therefore, it is in the responsibility of the player to share any data from the app with others or make sure that no one has access to his or her device. In addition, the terms and regulations of the service providers for the mobile devices apply.
A pseudonym is being used and game scores are being stored under this pseudonym. By using the app, the data subject has given consent to the processing of his or her personal data on his or her device. Since the app and app developer are not processing any data in their own responsibility, the GDPR does not even apply to the app.
Appendix A: Privacy Policy for Play your Skills Project
Name and contact data of the controller | Jugend Am Werk Steiermark GmbH Lendplatz 35 A-8020 Graz Austria Tel. +435079001100 E-Mail: contact@playyourskills.eu |
Name and contact data of the data privacy officer | Mag.a Claudia Posch |
Purpose and legal basis of data processing | The processing of the personal data is lawful under at least one of the following conditions:
a) consent b) performance of a contract c) legal obligation |
Rights of the data subject | Right of Access, Right to Rectification, Right to Restriction of Processing, Right to Erasure, Right to Restriction of Processing, Right to Information, Right to Data Portability, Right to Object, Right to Evoke Consent, Automated individual decision-making |
Right to Lodge a Complaint with a Supervisory Authority | Oesterreichische Datenschutzbehoerde Barichgasse 40-42 1030 Vienna, Austria email: dsb@dsb.gv.at |
Appendix B: Privacy Policy for Play your Skills App
Name and contact data of the controller | Jugend Am Werk Steiermark GmbH Lendplatz 35 A-8020 Graz Austria Tel. +435079001100 E-Mail: contact@playyourskills.eu |
Name and contact data of the data privacy officer | Mag.a Claudia Posch |
Purpose and legal basis of data processing | The processing of the personal data is lawful under at least one of the following conditions:
a) consent |
Rights of the data subject | Right of Access, Right to Rectification, Right to Restriction of Processing, Right to Erasure, Right to Restriction of Processing, Right to Information, Right to Data Portability, Right to Object, Right to Evoke Consent, Automated individual decision-making |
Right to Lodge a Complaint with a Supervisory Authority | Oesterreichische Datenschutzbehoerde Barichgasse 40-42 1030 Vienna, Austria email: dsb@dsb.gv.at |