Data Privacy Statement pursuant to Article 13 GDPR
The following information pursuant to Article 13 General Data Protection Regulation (GDPR) is provided by the following data controller:
City of Vienna – Press and Information Services
Email: post@ma53.wien.gv.at
Purpose and Legal Bases of Processing
Please note that the personal data you have provided will be processed by the above-mentioned data controller for the following public relations purposes if you have explicitly consented to the respective processing and have thus given your consent under data protection law:
Consent to the Use of WienBot via the Messenger Service Signal
Purpose
- Automatic reply to questions you send to WienBot via Signal.
Legal basis
- Consent (Article 6 (1) (a) in conjunction with Article 49 (1) (a) GDPR)
Register queries
- No register queries are carried out in the course of processing.
This data processing serves the purpose of automatically answering questions you put to WienBot via Signal. When communicating with the Signal server for the purpose of transmitting messages, the telephone number of the person to whom the message is addressed is included. The telephone number of the person sending a message is generally not disclosed to the Signal server (so-called “sealed sender”). Accordingly, when a Signal message is sent to a person, the telephone number is transmitted to the Signal server in pseudonymised form in order to deliver the message correctly.
Altogether, the following types of data are processed:
- Telephone number
- Time of consent to use
The message to WienBot and the reply by WienBot however are not considered personal data.
We process your data only for the purpose of answering the questions sent to WienBot via Signal. Your questions to WienBot are stored only anonymously in order to continuously improve our service.
Transmission of Personal Data
The above-mentioned personal data are forwarded to Municipal Department 01 – Information Technology, Stadlauer Straße 54-56, 1220 Vienna, as the municipal administration’s internal processor for the purpose of providing the WienBot servers and software.
For the purpose of transmitting WienBot’s reply, your telephone number, but not the unencrypted content of the message, will be transferred via Signal to Signal Technology Foundation, 650 Castro Street, Suite 120-223, 94041 Mountain View, CA, United States of America, for delivery of the message.
Signal Technology Foundation is a recipient in a third country within the meaning of Article 44 GDPR (states that are not members of the European Union or the European Economic Area) for which there is no adequacy decision by the European Commission.
This transfer to an unsafe third country is based on derogation pursuant to Article 49 (1) (a) GDPR. Accordingly, you must give your explicit consent before the transfer of your personal data to the third country is initiated, after you have been informed of the possible risks of such transfers for you due to the absence of an adequacy decision and appropriate safeguards.
As regards the transfer of your personal data, this processing carries the following risks:
Signal uses servers from US companies (Amazon Web Services – AWS, Google, Microsoft and Cloudflare), which are thus located in a third country for which there is no adequacy decision by the European Commission. The precise location of the Signal servers, i.e. the place of processing of the personal data, cannot be determined given the use of cloud infrastructure. It is therefore assumed that processing is basically possible worldwide in any country.
The Signal app uses a data-minimising protocol and encryption of messages in the form of end-to-end encryption (E2EE). However, when the message is sent, the phone number and meta data are also transmitted. The telephone number, which is absolutely necessary for addressing, must accordingly be transmitted to the Signal server.
The processing and possible storage of the telephone number and any metadata on these servers is therefore beyond the control of European legislation. According to its own information, Signal only stores the account (i.e. your telephone number) and the times of the last connection of the account to Signal and the time of creation of the account for a longer term. In view of these circumstances, there is a risk that at least your telephone number as well as the metadata generated when sending messages via Signal, which are outside the sphere of influence of the City of Vienna – Press and Information Services, will be processed by Signal and made accessible to third parties.
It is therefore possible that your telephone number and other metadata could be obtained by persons or organisations or bodies in a third country, with the possibility that these processes may not be based on a procedure equivalent to the European legal order. Accordingly, there may not be corresponding rights and remedies (such as your data subject rights under the GDPR) in this regard available to you in these third countries.
Moreover, the processing carried out with these data might not comply with the fundamental values and principles of European legislation. There is also the possibility that the personal data could be stored or retained for an indefinite period of time.
The resulting further risks are country- and person-specific and cannot be further assessed.
Notes
Your telephone number will be processed for the duration of the reply and then stored after having been converted using a one-way function (hashing) to avoid the need to give consent to use the service again. The time of consent to use is stored until revoked and deleted upon revocation, as is the stored phone number converted with a hash function.
The provision of personal data is necessary for the use of the Signal service.
Failure to provide these data would, as a consequence, mean that you cannot make requests to WienBot via Signal.
Your data will not be used in the context of automated decision-making including profiling within the meaning of Article 22 GDPR.
Rights of Data Subjects
As a data subject, you have the right of access to the personal data concerning you, as well as the right to rectification, erasure or restriction of processing, or to object to processing.
If processing is based on consent within the meaning of Article 6 (1) (a) or Article 9 (2) (a) GDPR, you have the right to withdraw your consent at any time by entering “withdraw data protection consent” in the Signal chat with WienBot. By withdrawing your consent, your personal data will be deleted and you will have to give your consent again if you want to use the service again. However, we would like to point out that the processing based on consent was lawful until such withdrawal.
If you believe that your rights are not, or not sufficiently, complied with, you may file a complaint with the Austrian Data Protection Authority:
Barichgasse 40-42, 1030 Vienna
Email: dsb@dsb.gv.at
Data Protection Officer
If you have any questions regarding data protection, please contact the data protection officer of the City of Vienna at datenschutzbeauftragter@wien.gv.at.
Further Information