DATA PROTECTION INFORMATION for job applicants or interested parties according to GDPR

Deutsche Version dieses Dokuments

Thank you for your interest in Ärzte ohne Grenzen Austria (“MSF”, “we”) and our activities. Please note that due to the General Data Protection Regulation of the European Union (“GDPR”), we are subject to numerous information obligations and further requirements in connection with data processing operations, with which we comply with the present disclosure. However, we are dependent on your cooperation so that we can get in touch with you, process your request and, if necessary, process job applications. Accordingly, we ask you to observe the following explanations.

Our practice of ensuring privacy is in accordance with the GDPR along with the Austrian Data Protection Act 2018 (DSG), the Telecommunications Act (TKG) and other relevant legal provisions.

The protection of your privacy is very important to us. With this in mind, we would like to inform you in detail about how we process your data and what rights you have in this regard in order to foster a trusting relationship over the long term.

As a general rule, data protection regulations are always to be observed whenever personal data are processed. The terms used in this data protection policy are to be understood as defined in the GDPR. Thus, the “processing” of personal data essentially comprises any handling of the same. To the extent that data processed by us are related to a person and – even if only through third parties, in a synopsis or by means of additional knowledge – make you identifiable as a person (in particular, reveal your full name), this is essentially personal data.

1.Who is responsible for data processing and whom can you contact?

If you have any questions or concerns regarding the processing of your personal data, please contact us:

Ärzte ohne Grenzen
Taborstrasse 10
1020 Vienna
Tel.: +43 1 409 72 76

E-mail: [email protected]

2.What data or categories of data will be processed and where will this data be sourced?

If you are interested in working for MSF or want to apply for a vacancy, we need to process certain data, otherwise we will not be able to contact you and take appropriate organisational action to process your request.

We base our privacy practices on the concept of data economy and only collect data that are strictly needed. You can, however, voluntarily provide us with additional information. First and foremost, the data processed in connection with job applications relate to the information we receive from you as part of our relationship, e.g. if you fill in forms, call us or otherwise provide us with written material. This concerns, for example, your master data, contact data, your occupation, all data from your job application documents or individual information from direct contacts (conversation, telephone conversation, correspondence) with you. In the job application process, we conduct various interviews and tests, the results of which we also process and save.

In the initial contact with interested parties, we collect at least the name and an e-mail address or other contact options, which makes targeted communication possible in the first place.

As far as you register or advertise via our online channels / website ( for (information) events, we also process your IP address and other metadata for statistical analysis purposes. We use “Citrix”, a web service provider that collects data automatically, to organise our online information events. As described in point 4, said provider has been contractually obliged to comply with strict data protection standards.

If you decide to submit a job application to us, we need a more comprehensive synopsis of your personal data so that we can properly evaluate your suitability for vacancies. This includes, among others (i) details of your technical or personal skills, competencies and experience, your motivation and your personal environment; (ii) information on (former) employment relationships and prior professional experience; (iii) information directly related to your person (date of birth, place of birth, nationality, marital status, postal address, e-mail address, telephone number).

3.For what purposes and on what legal basis will the data be processed?

We base the lawfulness of data processing on the legal foundations provided by the GDPR. In many cases, this involves the implementation of pre-contractual measures pursuant to Art. 6 (1) (b) GDPR.

Specifically, we process your personal data for the following purposes:

  • Communication with interested parties / job applicants (implementation of pre-contractual measures at the request of the data subject, Art. 6 (1) (b) GDPR)
  • Job application management: Administration, i.e. evaluation and assignment of job applications; (execution of pre-contractual measures at request of the data subject as well as for the performance of contracts, Art. 6 (1) (b) GDPR)
  • HR management (performance of contracts, Art. 6 (1) (b) GDPR, as well as compliance with legal obligations, e.g. statutory tax or social security requirements to the extent required by law, Art. 6 (1) (c) GDPR)

    Since contact in the cases dealt with is essentially established by you, data are often processed only for some of the purposes described here. As already mentioned, information transmitted to us is based to a large extent on voluntary self-disclosure.

If you submit a job application to us, we need information in the defined scope to process and review the same. In principle, these are measures which, with regard to a contract to be concluded in the future, are carried out at your request, which is to be regarded as a special case of the lawfulness of the performance of a contract (Art. 6 (1) (b) GDPR). In detail, however, there may also be differences in terms of the scope of information, as different (quality) requirements are placed on applicants depending on the field of activity.

If you become our employee, we process the data as part of HR management for contract performance. In this context, this may also include the updating of the data, the further storage thereof and further training management.

4.Who will receive my data?

We will send your personal data to the following recipients, for the above purposes:

Within our organisation, those bodies or employees receive your data that are needed to comply with their contractual or legal obligations as well as legitimate interests: These include the departments of Recruiting, Communications, Finance and Human Resources, as well as the head of the respective department for which the application is made (Hiring Manager) and the works council.

Our (external) processors receive or process your data if they need it for the services to be provided to us. All processors will be placed under a corresponding contractual obligation to handle your data confidentially and only to process it within the framework of the provision of their service. These shall include:

  • IT service providers used by us (including database providers and IT support),
  • further training providers,
  • insurance companies (S-Versicherung),
  • Webinar providers, in case of participation in the online information evening (Citrix),
  • travel agencies,
  • hotels.

Your data will also be transmitted to external recipients who are not processors. This relates mainly to courts, public authorities (Labour Inspectorate, Federal Ministry of Finance) and other legally stipulated recipients, such as social insurance providers, which process the personal data to the extent required. Furthermore, our external payroll clerk (tax consultant) as well as notaries based in Austria, whose activities are strictly regulated by law, receive certain data that are necessary for the performance of the contract of employment.

Some of these processors/recipients are located outside of Austria or the EU or process your personal data there. However, we only transfer your personal data to countries for which the EU Commission has determined that they have an adequate level of data protection, or we take measures to ensure that all recipients have an adequate level of data protection. For example, we include standard contractual clauses or use processors who have a Privacy Shield certification.

Our processors are contractually bound to our privacy practices and will treat your personal data as strictly confidential. In no case will they transfer your data without your consent to third parties or use them for purposes other than those required to perform their duties vis-à-vis MSF and as expressly authorised by us. An up-to-date list of our processors can be provided on request.

5.How long will my data be stored for?

Your personal data will only be stored by us for as long as is necessary to achieve the purposes set out in item 3 and as permitted under applicable law. In any case, we will store your personal data for as long as there are statutory retention periods or statutes of limitations in respect of potential legal claims have not yet expired.

If a service or other employment-related relationship is established, we will retain the data for the duration of the employment and delete it upon expiration of the statutory retention obligations. If a service or other employment-related relationship does not materialise, the data will be kept for a maximum of one year from the job application date and then deleted. Said data will only be stored for a longer period of time if so desired by you and if you have given us a separate consent.

6.Am I obliged to provide data?

As part of the communicative relationship with MSF and any application process, you only need to provide personal data that are required in the context. Unfortunately, if you do not provide us with these data, we will be unable to process/accept your requests. You are, however, not obliged to provide us with any additional data. Voluntary transmission of data is at your own discretion. Data processing, which is based (exclusively) on voluntary data, can be terminated at any time at your request with effect for the future. Please contact us at [email protected].

7.What data protection rights do I have?

An essential aspect of data protection law is to grant you certain dispositions over your personal data even once data processing has already begun. For this purpose, there are a number of data subject rights, which we will comply with immediately upon request, but at the latest within one (1) month. In order to exercise your rights, contact us via the following e-mail address: [email protected].

Specifically, the following rights are defined:

  1. If you exercise your right of access and there are no legal restrictions, we will inform you comprehensively about our processing of your data. To this end, we will send you (i) copies of the data (e-mails, database extracts, etc.), as well as information about (ii) data specifically processed, (iii) processing purposes, (iv) categories of processed data, (v) recipients, (vi) the retention period or criteria for their determination, (vii) the origin of the data and (viii) if necessary further information depending on the individual case. Please note, however, that we cannot provide documents that could negatively affect the rights of others.
  2. With the right to rectification, you can request that we correct inaccurately recorded, obsolete or (for the respective processing purpose) incomplete data. Your request will then be reviewed and the processing of such data may be restricted for the duration of the review upon request.
  3. The right to erasure (of data) may be exercised (i) if not necessary with regard to the processing purpose, (ii) in the case of revocation of consent granted by you, (iii) in case of special objection, to the extent that the data processing concerned is based on the legitimate interests of MSF, (iv) in case of unlawful data processing, (v) if there is a legal erasure obligation as well as (vi) when processing the data of minors under 16 years.
  4. An accompanying right to restriction, according to which, if exercised, data may only be stored, exists in special cases and only for a limited time, namely e.g. if the correctness of the data is denied by you, during our examination of the correctness of the data, or if we no longer need the data for our purposes, but you need it, for example, to enforce legal claims, or if you make an objection to the processing and it is examined whether our legitimate reasons prevail over yours during the time of this review. Restriction means that the marked data marked may only be stored from this point in time onwards and, beyond which, may only be processed with the consent of the person concerned or for the establishment, exercise or defence of legal claims or to defend the rights of another natural or legal person or for reasons of important public interest of the European Union or a member state.
  5. In addition, you have a fundamental right to object to data processing at any time. However, this only applies if the processing is based on the legitimate interests of MSF. Please note, however, that legitimate interests as the legal basis for processing operations may only be used in individual cases.
  6. You may also exercise your right to lodge a complaint: If you believe that we violate applicable data protection laws when processing your data, you have the right to lodge a complaint with the Austrian Data Protection Authority. The requirements for such a complaint are based on Sec. 24 et seq. of the Data Protection Act. However, we ask you to contact us in advance in order to clarify any questions or problems.

Please note that we may be unable to comply with your request due to compelling, legitimate reasons for the processing (balance of interests) or processing due to the establishment, exercise or defence of legal claims (on our part). The same applies in the case of excessive applications, although a fee may be charged in such cases as well as to comply with unjustified enquiries.