2. Responsibility and Contact
FASresearch manages its data sources exclusively within the regulatory framework created by various prevailing data privacy and data protection laws:
- the EU data protection basic regulation (DSGVO)
- the Research Organisation Act (FOG)
FASresearch Sozialwissenschaftliche ForschungsgesmbH
Porzellangasse 2/34, 1090 Vienna/Austria
Data protection officer:
Mag. Christian Gulas
+43 1 319 26 55 – 28
3. Scope of application
As a research consulting company, FASresearch employs an wide array of scientific tools and methods that by definition necessitate the processing of personally sensitive data, namely:
- Social Network Analysis (SNA)
- Referential Network Analysis (RNA; or “snowball sampling”)
- Workshop participation data
- Large-scale quantitative analysis (“big data”)
Each of these methods depends on well-established techniques of empirical social science research (regression modeling, matrix algebra, graph theory, etc.) that frequently involve summarizing personally sensitive data in conjunction with non-personally sensitive information.
3.1 Referential network analysis
Referential network analysis (RNA) is a data collection and analysis method based on the principle of peer sampling, where consenting participants recommend other individuals (usually their peers) for participation as the research progresses, with the ultimate goal of identifying key players and communities and their interconnections within and across specific social fields. In general RNA data are collected through expert interviews over the telephone, in-person meetings, or, less often, email questionnaires. The collection of personally identifying information is inherent to the RNA method. RNA participants are formally reminded before their involvement in the research of their rights under data protection laws. They are also provided with information about FASresearch’s data management policies and practices, and sign a formal document expressing their consent to participate. This consent can be withdrawn at any time for any reason.
3.2 Social network analysis
Social network analysis (SNA) is a method of analyzing relationships (or social structures) among persons and organizations (social actors), and between persons and their respective organizations (social affiliations). Unlike Referential network analysis, SNA does not collect data directly from study participants but rather indirectly from other publicly available resources: business listings, records of professional activity (such as conferences or awards), board memberships, publications, media events, co-sponsorships, political initiatives, and joint ventures. In each case, the fact of affiliation between organizations and persons, and among cohorts of persons, rather than specific names, addresses, or other sensitive details, is the key research data source. Personal relationships such as kinship, friendship, or marriage) are excluded from SNA research. Since professional affiliation data are publicly available, and moreover publicly promoted by the very individuals they describe, the burden of consent is implicit. Typical data sources are the Austrian Business Register (provider: Compass-Verlag GmbH, 1140 Vienna), the Register of Associations of the BMI (ZVR), specific organizational websites, professional profile websites, and aggregation resources for various types of professional activity. Even though these data are fundamentally public in nature, FASresearch nevertheless treats them as though they were personally sensitive in accordance DSGVO and FOG (and the concept of privacy by design).
3.3 FASresearch workshop participation data
FASresearch routinely organizes and hosts collaborative awareness and insight workshops for its clients. The purpose of these workshops is to enable organizations to develop their awareness from the often fragmented perspectives of their individual staff members to a more comprehensive understanding of their shared situation, helping them to identify key challenges and build consensus around high-impact solutions. Participating individuals provide data during these workshops in the form of opinions and evaluations of various ideas and paths to action. For large-scale workshops these data are, like survey research, sometimes correlated with demographic information or other potentially identifying details in the process of summarizing and analyzing results. Yet all data collected are fully anonymized by design: participants use FASresearch’s proprietary tools and technologies to share their responses and thus are not identifiable to other participants or identifiable in the resulting dataset (this anonymity allows for great freedom of expression, and generally improves the quality of results). Participation in the workshops, which requires physical or virtual presence, is tacit consent to sharing data, and because data are anonymized form the moment of their origin, no personally sensitive data are stored.
3.4 Big data
FASresearch frequently analyzes social structures on a very large scale to identify broad patterns of affiliation across diverse communities and the evolution of these patterns over time. This “high altitude” perspective is a key aspect of our work, providing context for more detailed RNA, SNA and workshop studies. The source data for FASresearch’s big data analyses generally consist of public or proprietary datasets that describe relationships between persons or institutions in a specific economic sector. The datasets are generally so large that they can only be processed by machine code; direct human intervention is not feasible. Any identifying information these datasets contain is either encrypted by the supplier or by FASresearch on ingest. After the lifecycle of a big data project ends, the source data are scrubbed from our systems, leaving only the summary statistics and visualizations, which contain no personally sensitive or identifying information (for example, patterns of activity between countries).
4. Data Security
Data security is a bedrock concept for both data management and privacy by design. FASresearch depends on a safe, clean, and reliable reservoir of data resources to provide its core services to clients; without secure data we cannot exist. Data security is thus baked it into the design of our data management systems and workflows. FASresearch data, whether personal or anonymized, is always processed, secured, and disseminated in accordance with applicable law.
FASresearch’s core database systems are stored on locally behind our firewall on password protected servers. Each database is uniquely password protected, and sensitive data tables and columns within these databases are further restricted to designated staff. Research staff are permitted access only to data resources relevant to their work at hand. Our cloud servers are used only for downstream “production” data, which contain no personally sensitive information.
Data security extends beyond access restrictions. FASresearch implements workflows to support physical, electronic and administrative security policies that protect data against accidental or unlawful destruction, loss, alteration, or unlawful disclosure.
FASresearch’s data security policies and workflows are derived from international standards and are routinely reviewed and updated as our clients, business needs, research methods, data suppliers, and data management technologies evolve.
FASresearch complies with all applicable laws regard notifications and remedies in event of a breach in data security that affects personally sensitive or identifying information.
5. Rights Concerned
Individuals who share their personal data with FASresearch either directly (such as research participants) or indirectly have rights under the law. FASresearch takes these rights seriously (we enjoy their protections as well) and will respond appropriately to any concerns raised by our community of research participants and partners.
Right to withdraw consent: You are entitled to revoke consent to use your data for research purposes at any time by following the procedure described in the respective consent form. We ensure that your consent can always be revoked in the same way as it was given, e.g. by electronic means
Right of rectification: You may request us to rectify personal data concerning you
Right to limit processing: You may ask us to limit the processing of your personal data if:
- you dispute the accuracy of your personal data (while we check its accuracy)
- processing is unlawful and you request a restriction on processing instead of deletion of your personal data
- we no longer need your personal data, but you do need it to assert, exercise or defend a legal claim
- you object to the processing (while we check whether there is a supervening justification for processing)
Right to information: You can request information from us regarding any personal data of yours that we process; you are entitled to request a free copy of the personal data we hold
Right of transferability: Upon your request, we will transfer your personal data to another controller (if technically possible) and provided that the processing is based on your consent or is necessary for the performance of a contract; instead of receiving a copy of your personal data, you may request that we transfer the data directly to another controller of your choice
Right of deletion: You may request us to delete your personal data if
- these data are no longer necessary for the purpose for which they were collected or otherwise processed
- you have the right to object to further processing of your personal data (see below) and to exercise this right to object to processing
- the processing is based on your consent, you have withdrawn your consent and there is no other legal basis for the processing
- the personal data have been processed unlawfully; unless the processing is necessary to comply with a legal obligation requiring us to process the data or to comply with legal data retention obligations or to exercise, exercise or defend legal claims
Right of objection: You are entitled to object at any time to the processing of your personal data on the basis of a specific situation, provided that the processing is not based on your consent but on our legitimate interests or the legitimate interests of third parties. In such cases, we will discontinue processing your personal data unless we can demonstrate convincing legitimate reasons for doing so and an overriding interest in the processing or in the assertion, exercise or defence of legal claims. If you object to processing, please indicate whether you wish your personal data to be deleted or whether you wish us to restrict processing
Right of appeal: In the event of an alleged breach of applicable data protection laws, you may lodge a complaint with the data protection supervisory authority in the country where you live or where the alleged breach has occurred.