Responsible body: The responsible body and data controller of your personal data is:
ICMPD Headquarters, Gonzagagasse 1, 5th floor in 1010 Vienna Austria.
Contact for data protection queries: For queries, suggestions or complaints as to the processing of your data contact our data protection focal point at:
Letters: Data Protection Focal Point
Gonzagagasse 1, 5th floor
1010 Vienna Austria
Supervisory authority: Responsible supervisory authority for data protection matters:
Letters: Österreichische Datenschutzbehörde
Data Protection Principles
For ICMPD trust is a vital cornerstone in every business relationship, which is why we attach great importance to the secure and sensitive management of your data. This data protection declaration is intended to give you an insight into which personal data is used, for what purpose and what options are available to you as the data subject for getting the best possible overview of what happens to your data and what rights you have in this regard. ICMPD operates a consistent and continuous data protection management system in order to systematically plan, organise, manage and monitor legal and operational data protection requirements. Our goal is to ensure the rights and freedoms of those concerned, and recognise business-related risks arising from data protection and to be able to manage these accordingly.
This means for you, as the data subject:
- All personal data shall be processed in a fair and transparent manner.
- All personal data shall be accurate and be kept up to date. When found to be inaccurate it shall be corrected as soon as possible.
- Personal data shall only be used for the specified purpose for which active consent was obtained.
- Personal data which is no longer used for the specified purpose or is known to be inaccurate shall be deleted/destructed or, where deletion is not feasible, access must be restricted so that no one apart from those responsible for technical maintenance of the space it is saved in has access.
- While business contacts are available to all staff and made available to implementing partners, beneficiaries and contractors as required, access to private and sensitive data is restricted to persons who need access for carrying out their respective function for as long as they carry out this function based on a secure authentication mechanism including strong passwords.
- Processing activities of personal data owned by ICMPD may only be performed by external parties based on the conclusion of a binding written contract that sets out the purpose and duration of the processing and ensures that the processor meets technical and organisational requirements to ensure the effective protection of the rights of the concerned data subjects.
- ICMPD respect your rights under the data protection laws, such as the right to be informed about the lawful basis we rely on for processing your personal data.
- Our information processing security measures comply with the latest standards and with statutory requirements.
- Our employees are obliged to maintain confidentiality and receive regular training on data handling best practices.
In order to explain it to you as transparently as possible, we have endeavoured to describe the facts as simply as possible. Whether you are a long-standing implementing partner, beneficiary or contractor, we invite you to read this statement carefully and familiarise yourself with our practices.
If you have any questions, please do not hesitate to contact us - our contact details are set out at the beginning of this statement.
What type or categories of personal data we process
Personal data is all that information that relates to an identified or identifiable natural person.
We store and process personal data only as far as is directly necessary for developing and in the implementation of individual projects and services along our fields of expertise.
We also process data that we have rightfully obtained from publicly accessible sources (e.g. company registers or the land registry).
We process the personal data which you provide to us in various ways such as through your use of our website or in the course of an enquiry you have with us.
The following personal data is processed by us:
- Personal data relating to partners, beneficiaries or contractors:
- First name, Last name, address (address, zip, city, country)
- Contact details (email address, telephone number)
Any further information you provide to us such as the content of an enquiry (via a free text field or over the phone)
Personal data relating to customer base/supplier base: We record very little data on suppliers. We merely need to ensure a trouble-free business relationship.
- Supplier contacts (Name of Entity as per Registration, Contact Person first name, Contact Person last name)
- Contact details (address, email address, telephone number)
- Bank details
Personal data relating to applicants/bidders: there is a separate data protection declaration for these.
We guarantee that we will only use any personal data we collect for the purpose for which it was originally collected. It is especially important to us to ensure there is no lack of clarity around collection of personal data and that you know from the start how, why and by whom the data has been collected.
How we use personal data
The processing of the data subject's data is carried out on the basis of the performance of the contract and in exercise of the legal regulations addressed to the data controller (in particular the laws concerning the employee).
For example, the purposes of data processing are as follows
- Personal contact data for the establishment, processing and management of contracts and business relationships
- Payroll and general payments for various projects
- For financial and business accounting purposes
- Data used in the context of consultancy activities
- All data necessary for the handling of internal processes (e.g. accounting, personnel administration, etc.)
- Personal data required for purchasing purposes (e.g. supplier contact details).
In addition, in order to safeguard our legitimate interests, the following data processing purposes are pursued, for example
- Marketing to inform interested parties about projects
- Processing and transfer of data in the context of implementing and securing new IT solutions.
If the purpose for which the data was originally collected no longer applies, we may continue to store your data only if we obtain your consent to do so or if there is another important exceptional reason.
Existence of automated decision-making
We do not currently undertake any automatic decision-making or profiling.
Legal basis for the collection and processing of your data
As a rule, we try to make the collection and processing of your data as transparent as possible. Therefore, we adhere exactly to the guidelines set out in Art. 6 ff of the GDPR and use these as the legal basis for the processing and collection of your data. We process your personal data in accordance with the provisions of the European Data Protection Regulation (GDPR).
Legal basis for data processing:
- Consent granted pursuant to Art. 6 (1) lit. a GDPR for the processing of your personal data for specific purposes (e.g. consent for newsletter transmission).
- The processing of personal data (Art. 4 No. 2 GDPR) is carried out as far as necessary for the implementation of our contracts with you and the execution of your orders as well as for the implementation of pre-contractual measures according to Art. 6 Para. 1 lit. b GDPR.
- Legal obligations pursuant to Art. 6 Para. 1 lit. c GDPR, which we must fulfil, such as legally prescribed storage and documentation obligations.
- Safeguarding legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR. Where necessary, data processing may be carried out to protect legitimate interests within the framework of balancing interests in favour of ICMPD. In the following cases, data processing is carried out to safeguard legitimate interests. Examples of such cases are
- Measures for business management and further development of services
- Data processing for the purpose of legal prosecution
- Assertion of legal claims and defence in legal disputes
- Ensuring IT security and IT operations to further improve the user-friendliness of its service facilities such as ICMPD web presence
Personal data will only be disclosed or transferred to third parties if this is required by law or for the purpose of contract execution.
Stored personal data will be deleted if you, as a user of our website and/or interested party and/or customer, revoke your consent to data processing, if your data is no longer required to fulfil the purpose for which it was stored, or if its storage is or becomes inadmissible for other legal reasons. Data that is required for contract processing, accounting purposes or to comply with other legal obligations (documentation obligations) is not affected by a request for deletion.
Disclosure and transfer
We will only disclose personal data to third parties if we have a legal basis to do so, for example, if we are required to do so by law, if it is necessary to perform our contract with you or if you have given your prior consent.
With third party processors
We use third party processors (in particular IT service providers) to help us with certain functions and we may disclose your personal data to them if they need it to perform their respective services. All processors are contractually bound to keep your data confidential and to process it only as part of the agreed service provision.
Data processed outside the EEA
No data will be processed outside the EEA.
Data access and security
Those involved in the implementation and process within ICMPD have access to your data depending on operational and organisational requirements.
Privacy and data security are important to us. We have implemented technical and organisational measures to secure our data processing. These measures protect against unauthorised or unlawful processing, accidental loss, accidental destruction or accidental damage. This applies in particular to the protection of your personal data. Examples of the measures we take to protect your personal information include:
- we protect against unlawful access to personal data by applying a role authorisation policy, a data security policy and physical safeguards;
- We have information security policies in place within the company.
All technical and organisational security measures are continuously reviewed in line with technological developments. External and internal IT security is regularly reviewed by an external IT security company. Our central IT service provider regularly provides us with an ISO 27001 audit report on its internal control system.
Your rights as a data subject
As a data subject, you have a number of rights which we have set out below. To exercise your rights or if you have any queries, please contact our Data Protection Focal Point:
Letters: Data Protection Focal Point
Gonzagagasse 1, 5th floor
1010 Vienna Austria
We may require you to prove your identity in an appropriate manner before we are able to comply with your request, in order to prevent unauthorised third parties from gaining access to your personal data and/or to prevent unauthorised changes and/or deletions from being made. to unauthorised third parties and/or to prevent unauthorised changes and/or deletions.
When we receive a request from you exercising your rights, we will respond promptly and no later than one month after we receive your request. Our response will provide an initial view or response to your concern, or whether, and if so why, the period for providing our view has been extended by up to two months.
ICMPD Website, Newsletter and Cookies
ICMPD is committed to safeguarding the privacy of the users of the ICMPD website (www.icmpd.org) and newsletter, while aiming to provide a user-friendly and valuable service. Personal information is only collected via registration forms with the requirement of an explicit written consent for ICMPD to process and/or use any personal data in the manner and for the purpose described below in this privacy notice.
During a visit to the website and use of the newsletter tool, the following types of information are collected: browsing patterns, website preferences, location of the user. This information is only used in aggregate forms: statistical reports on number of monthly visits, typical user paths, etc. These reports are used:
- to monitor the use of the website
- to identify audience profiles
- to support strategic planning.
Newsletter usage monitoring is personalised in order to support the evaluation and improvement of ICMPD’s services based on the interest in specific policy topics by individual target groups. The data is saved on the server of our web-based e-mailing system by Cleverreach whose servers are based in the EU guaranteeing the best possible data protection to ICMPD. Please see Cleverreach’s data protection policy here for more details: https://www.cleverreach.com/en-de/data-security/.
ICMPD processes personal information collected via its website and newsletter tool solely for communication purposes of the organisation. Only authorised staff members and contractors bound by the GDPR have access to the information and it will not be shared with any third parties. ICMPD uses secure data networks that are protected by firewall, mal-ware and password protection systems that are consistent with industry standards.
A cookie is a data file that, if your browser settings allow, is stored by us on your computer when you visit our website or carry out certain actions. The cookie contains information that we have sent to your computer. It stores certain settings and data for interaction with our system via your browser.
We use so-called session cookies, which are stored during your visit to our website. They are deleted when you close your browser session. We also use persistent cookies, which remain on your computer after a browser session has ended. Persistent cookies contain an identification number that allows us to identify your computer. This allows us to improve our services when you return to our websites. We cannot link this identification number to any personally identifiable information.
Please note, however, that certain cookies are necessary to ensure the basic functionality of the website. Some pages of our websites may not function properly if you do not accept cookies. Below you will also find information on how to prevent certain cookies from being set.
Google Tag Manager
Our website uses Google Tag Manager, a service provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
We have concluded a data processing agreement with Google Ireland Limited for the use of Google Tag Manager. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.
You can ﬁnd more information about this in Google’s information about Tag-Manager. (LINK)
Google Analytics 4
Our website uses the web analytics service Google Analytics 4, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).
We integrate Google Analytics 4 via the Google Tag Manager. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.
As part of the evaluation, Google Analytics 4 also uses artiﬁcial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions to the extent that not enough data is available to optimize the evaluation and reports. Information on this can be found in the associated Google documentation. The data evaluations are carried out automatically with the help of artiﬁcial intelligence or on the basis of speciﬁc, individually deﬁned criteria. You can ﬁnd more about this in the associated Google documentation
The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).
Processed data: The following data can be processed by Google Analytics 4:
- IP address;
- User ID and device ID;
- referrer URL (previous visited page);
- Pages viewed (date, time, URL, title, duration of visit);
- downloaded ﬁles;
- clicked links to other websites;
- Achievement of speciﬁc goals (Conversions);
- Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
- approximate location (country, region and city, if applicable, based on anonymized IP address).
Privacy settings: We have made the following privacy settings for Google Analytics 4:
- Anonymization of the IP address;
- deactivated advertising function;
- deactivated personalized advertising;
- deactivated remarketing;
- retention period of 2 months (and no reset of retention period with new activity);
- deactivated cross-device and cross-page tracking (Google Signals);
- deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).
Used cookies: Google Analytics 4 sets the following cookies for the specified purpose with the respective storage period:
"_ga" (400 days) and "_gid" (24 hours): Recognition and distinction of visitors by a user ID;
"_ga_XXXXXX" (400 days): Retention of the information of the current session.
We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.
Updating the rules
Please note that we may need to update and amend this document from time to time. For example, to reflect changes to the EU General Data Protection Regulation. Any changes to this policy will be posted on this website.
The documents, design and images on this website are provided for informational purposes only and the information herein is subject to change without notice. The information presented on www.icmpd.org does not necessarily reflect the views of the governments of ICMPD Member States and as such is not an official record.
ICMPD does not guarantee, either expressed or implied, the accuracy, completeness, reliability or suitability of the information. More information on ICMPD’s copyright policy can be found here. The use of particular designations of countries or territories, as well as maps, does not imply any judgement by ICMPD as to the legal status of such countries or territories, of their authorities and institutions or of the demarcation of their boundaries. ICMPD does not guarantee the accuracy of and disclaims any liability whatsoever in connection with sites to which it provides links. Their contents and the documents therein reflect solely the views of their authors.
While ICMPD makes every effort to ensure that documents available on its website are free of any software virus, it cannot guarantee that the material is free from any or all software viruses. ICMPD is not responsible for any loss or damage caused by the software and related codes, including viruses and worms.
Content on the ICMPD website is subject to copyright. Text, photos or any other material credited to ICMPD on this website may be reproduced without charge for non-commercial purposes only. ICMPD must be credited as source when using content from its website. For texts, the publication or page the texts originate from must be given.
If the attribution indicates that the information (including photos and graphics) is from a source or site external to ICMPD, permission for reuse must be sought from the originating organisation. The content of this publication/ this website is the sole responsibility of ICMPD and can in no way be taken to reflect the views of the donors.