FASresearch General Data Protection Regulations

1. General

This declaration serves to fulfil FASresearch’s legal and ethical obligation to provide details about its data privacy policies and data management practices in accordance with the requirements of data protection law. As an organization composed of individuals equally concerned for the protection of our own privacy, FASresearch is particularly committed to careful handling of personally sensitive data. The core principle running through this document is that FASresearch carries out the collection, processing, and analysis of personally identifying or personally sensitive information only when required for core business or research purposes, strictly within the context of applicable laws, and exclusively with the explicit and revocable consent of the individuals who share their data. When it comes to personal data, FASresearch promotes an ethic of minimalism and a practice of privacy by design.

In what follows we will explain:

  • who we are and how you can get in contact with us
  • the scope of products to which this privacy policy applies
  • the types and forms of personally sensitive data we process, the sources from which we obtain those data, the purposes for which we acquire and process personal data, and the legal framework within which we conduct our data processing work
  • the persons and organizations to whom we may transfer personally sensitive data
  • how long we store personally sensitive data
  • the rights you have in relation to data we process that may include your personal information

Any research or business-related activities that require the collection and processing of personal data are carried out exclusively by full-time employees of FASresearch. These staff are professionally trained in the use of scientific data collection instruments, as well as data management, analysis, and visualization tools. They are also formally trained in all relevant data protection guidelines (DSG, DSGVO, and FOG). In addition, FASresearch employees are contractually obligated to maintain the confidentiality of any personal information they may encounter over the course of their work.

FASresearch does not collect, process, or disseminate any personally sensitive data that are not specific to its core business and research activities.

FASresearch permanently removes all personally sensitive data collected through business or research work from its data management systems on completion of their designated purpose or lifecycle.

In certain circumstances, such as the maintenance of “Do not contact” lists, FASresearch may be required by law to retain personally sensitive data for an extended period of time. For example, FASresearch often collects personally sensitive data (with explicit participant consent) for research projects using various survey instruments, including telephone interviews and email questionnaires (see below, methods section). In cases where a participant opts to forestall all future participation in FASresearch projects, we retain their basic contact information so as to know not to reach out to them again. We consider the request for non-contact as consent to store data (such as telephone numbers or email addresses) necessary to avoid accidental contact.

In the following sections we describe FASresearch’s policies and implementation with respect to the collection, processing, analysis, and dissemination of its scientific data resources, which can include personally identifying or sensitive data.

2. Responsibility and Contact

FASresearch manages its data sources exclusively within the regulatory framework created by various prevailing data privacy and data protection laws:

  • the EU data protection basic regulation (DSGVO)
  • the Research Organisation Act (FOG)

The party responsible for FASresearch’s privacy policy and for all processing of personal data in connection with the areas of application described below is:

FASresearch Sozialwissenschaftliche ForschungsgesmbH
Porzellangasse 2/34, 1090 Vienna/Austria
Data protection officer:
Mag. Christian Gulas
Mail. christian.gulas@fas.at
+43 1 319 26 55 – 28

3. Scope of application

As a research consulting company, FASresearch employs a wide array of scientific tools and methods that by definition necessitate the processing of personally sensitive data, namely:

  • Social Network Analysis (SNA)
  • Referential Network Analysis (RNA; or “snowball sampling”)
  • Workshop participation data
  • Large-scale quantitative analysis (“big data”)

Each of these methods depends on well-established techniques of empirical social science research (regression modeling, matrix algebra, graph theory, etc.) that frequently involve summarizing personally sensitive data in conjunction with non-personally sensitive information.

3.1 Referential network analysis

Referential network analysis (RNA) is a data collection and analysis method based on the principle of peer sampling, where consenting participants recommend other individuals (usually their peers) for participation as the research progresses, with the ultimate goal of identifying key players and communities and their interconnections within and across specific social fields. In general RNA data are collected through expert interviews over the telephone, in-person meetings, or, less often, email questionnaires. The collection of personally identifying information is inherent to the RNA method. RNA participants are formally reminded before their involvement in the research of their rights under data protection laws. They are also provided with information about FASresearch’s data management policies and practices, and sign a formal document expressing their consent to participate. This consent can be withdrawn at any time for any reason.

3.2 Social network analysis

Social network analysis (SNA) is a method of analyzing relationships (or social structures) among persons and organizations (social actors), and between persons and their respective organizations (social affiliations). Unlike referential network analysis, SNA does not collect data directly from study participants but rather indirectly from other publicly available resources: business listings, records of professional activity (such as conferences or awards), board memberships, publications, media events, co-sponsorships, political initiatives, and joint ventures. In each case, the fact of affiliation between organizations and persons, and among cohorts of persons, rather than specific names, addresses, or other sensitive details, is the key research data source. Personal relationships (such as kinship, friendship, or marriage) are excluded from SNA research. Since professional affiliation data are publicly available, and moreover publicly promoted by the very individuals they describe, the burden of consent is implicit. Typical data sources are the Austrian Business Register (provider: Compass-Verlag GmbH, 1140 Vienna), the Register of Associations of the BMI (ZVR), specific organizational websites, professional profile websites, and aggregation resources for various types of professional activity. Even though these data are fundamentally public in nature, FASresearch nevertheless treats them as though they were personally sensitive in accordance with DSGVO and FOG (and the concept of privacy by design).

3.3 FASresearch workshop participation data

FASresearch routinely organizes and hosts collaborative awareness and insight workshops for its clients. The purpose of these workshops is to enable organizations to develop their awareness from the often fragmented perspectives of their individual staff members to a more comprehensive understanding of their shared situation, helping them to identify key challenges and build consensus around high-impact solutions. Participating individuals provide data during these workshops in the form of opinions and evaluations of various ideas and paths to action. For large-scale workshops these data are, like survey research, sometimes correlated with demographic information or other potentially identifying details in the process of summarizing and analyzing results. Yet all data collected are fully anonymized by design: participants use FASresearch’s proprietary tools and technologies to share their responses and thus are not identifiable to other participants or identifiable in the resulting dataset (this anonymity allows for great freedom of expression, and generally improves the quality of results). Participation in the workshops, which requires physical or virtual presence, is tacit consent to sharing data, and because data are anonymized from the moment of their origin, no personally sensitive data are stored.

3.4 Big data

FASresearch frequently analyzes social structures on a very large scale to identify broad patterns of affiliation across diverse communities and the evolution of these patterns over time. This “high altitude” perspective is a key aspect of our work, providing context for more detailed RNA, SNA and workshop studies. The source data for FASresearch’s big data analyses generally consist of public or proprietary datasets that describe relationships between persons or institutions in a specific economic sector. The datasets are generally so large that they can only be processed by machine code; direct human intervention is not feasible. Any identifying information these datasets contain is either encrypted by the supplier or by FASresearch on ingest. After the lifecycle of a big data project ends, the source data are scrubbed from our systems, leaving only the summary statistics and visualizations, which contain no personally sensitive or identifying information (for example, patterns of activity between countries).

4. Data Security

Data security is a bedrock concept for both data management and privacy by design. FASresearch depends on a safe, clean, and reliable reservoir of data resources to provide its core services to clients; without secure data we cannot exist. Data security is thus baked into the design of our data management systems and workflows. FASresearch data, whether personal or anonymized, is always processed, secured, and disseminated in accordance with applicable law.

FASresearch’s core database systems are stored locally behind our firewall on password-protected servers. Each database is uniquely password protected, and sensitive data tables and columns within these databases are further restricted to designated staff. Research staff are permitted access only to data resources relevant to their work at hand. Our cloud servers are used only for downstream “production” data, which contain no personally sensitive information.

Data security extends beyond access restrictions. FASresearch implements workflows to support physical, electronic and administrative security policies that protect data against accidental or unlawful destruction, loss, alteration, or unlawful disclosure.

FASresearch’s data security policies and workflows are derived from international standards and are routinely reviewed and updated as our clients, business needs, research methods, data suppliers, and data management technologies evolve.

FASresearch complies with all applicable laws regarding notifications and remedies in the event of a breach in data security that affects personally sensitive or identifying information.

5. Rights Concerned

Individuals who share their personal data with FASresearch either directly (such as research participants) or indirectly have rights under the law. FASresearch takes these rights seriously (we enjoy their protections as well) and will respond appropriately to any concerns raised by our community of research participants and partners.

Right to withdraw consent: You are entitled to revoke consent to use your data for research purposes at any time by following the procedure described in the respective consent form. We ensure that your consent can always be revoked in the same way as it was given, e.g. by electronic means

Right of rectification: You may request us to rectify personal data concerning you

Right to limit processing: You may ask us to limit the processing of your personal data if:

  • you dispute the accuracy of your personal data (while we check its accuracy)
  • processing is unlawful and you request a restriction on processing instead of deletion of your personal data
  • we no longer need your personal data, but you do need it to assert, exercise or defend a legal claim
  • you object to the processing (while we check whether there is a supervening justification for processing)

Right to information: You can request information from us regarding any personal data of yours that we process; you are entitled to request a free copy of the personal data we hold

Right of transferability: Upon your request, we will transfer your personal data to another controller (if technically possible) and provided that the processing is based on your consent or is necessary for the performance of a contract; instead of receiving a copy of your personal data, you may request that we transfer the data directly to another controller of your choice

Right of deletion: You may request us to delete your personal data if

  • these data are no longer necessary for the purpose for which they were collected or otherwise processed
  • you have the right to object to further processing of your personal data (see below) and to exercise this right to object to processing
  • the processing is based on your consent, you have withdrawn your consent and there is no other legal basis for the processing
  • the personal data have been processed unlawfully; unless the processing is necessary to comply with a legal obligation requiring us to process the data or to comply with legal data retention obligations or to assert, exercise or defend legal claims

Right of objection: You are entitled to object at any time to the processing of your personal data on the basis of a specific situation, provided that the processing is not based on your consent but on our legitimate interests or the legitimate interests of third parties. In such cases, we will discontinue processing your personal data unless we can demonstrate convincing legitimate reasons for doing so and an overriding interest in the processing or in the assertion, exercise or defence of legal claims. If you object to processing, please indicate whether you wish your personal data to be deleted or whether you wish us to restrict processing

Right of appeal: In the event of an alleged breach of applicable data protection laws, you may lodge a complaint with the data protection supervisory authority in the country where you live or where the alleged breach has occurred.

6. GDPR declaration for applicants

Download GDPR Declaration for applicants (only available in German)