Data Privacy

The Austrian Federal Institute “KZ-Gedenkstätte Mauthausen/Mauthausen Memorial (Bundesanstalt)” processes data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

Trust is important, especially when dealing with your data. That is why we see it as our obligation to manage your data with the utmost care and to do everything possible to protect your information from misuse.

The Federal Institute adheres strictly to the data-protection regulations when collecting and processing your data. The following information provides a detailed explanation of what data is recorded during your visit to our website and how we use it.

This Data Protection Statement applies to the following websites of the Federal Institute:,,, and

Some pages may contain links to websites maintained outside of the Federal Institute to which the Data Protection Statement does not apply. This means that we cannot accept any liability for the content of these websites.

We carefully select the linked content. However, if you do find an erroneous link please inform us. We will remove or update it without delay.

1. Name of department responsible

Responsible for data processing:

KZ-Gedenkstätte Mauthausen/Mauthausen Memorial
Argentinierstraße 13, Top 103+104
1040 Wien

2. Federal Institute’s external data protection officer

Contact: will follow shortly

3. Contact at department responsible

Contact: Robert Vorberg,

4. Purpose of collection, processing and use of data

We process your personal data in accordance with the data-protection regulations:

  • to meet contractual obligations (art. 6, para. 1b GDPR):
    It is necessary to process your data (personal data, art. 4, no. 2 GDPR) in order to carry out transactions with you. In addition, we need the data to implement our contracts with you and to carry out your requests.
    You can find the specific details of the purpose of data processing in the relevant contractual documents.
5. Legal basis:
  • For meeting legal obligations (art. 6, para. 1c GDPR):
    certain legal obligations to which the Federal Institute is subject may make it necessary to process personal data. Such obligations may result, for example, from the Austrian Memorial Law (GStG), the Austrian Commercial Code (UGB) or
  • As part of your declaration of consent (art. 6, para. 1a GDPR):
    If you have given us your consent to process your personal data, any processing will only take place in accordance with the purposes specified in the declaration of consent and to the extent agreed therein. Once given, consent may be revoked at any time with effect for the future.
  • As part of your declaration of consent (art. 6, para. 1f GDPR):
    If it is necessary, for purposes of protecting the justified interests of the Federal Institute or of a third party, to process your data to an extent greater than fulfilling the contract, such data processing may take place.
  • Pursuant to section 29 of the Austrian Law Concerning the Establishment of the Federal Institute “KZ-Gedenkstätte Mauthausen/Mauthausen Memorial” (“Austrian Memorial Act”/GStG)

(1) As part of universal succession (section 21 para. 1), the Federal Institute takes on the function of principal pursuant to section 4 line 4 of the DSG 2000, Federal Law Journal (BGBl) I no. 165/1999, for the data in use in the area of the Mauthausen Memorial on the day before the universal succession.

(2) The Federal Institute is authorised to use personal data insofar as this is necessary for meeting its assigned duties. This in particular includes the right to commission suitable persons and institutions to process personal data from historical sources.

(3) The Federal Institute is authorised to provide information to affected parties and to transfer or transmit survivors’ personal data (such as, in particular, names and identities of former prisoners of the Mauthausen concentration camp and its subcamps) or that of other persons in connection with the Mauthausen concentration camp or its subcamps to relatives of affected parties or to third parties for purposes of historical research. In all these cases, identity must be proved in a suitable form.

6. Category of affected persons:

We process the personal data of persons in the following categories:

  • survivors of the Mauthausen concentration camp and their relatives,
  • researchers, 
  • customers,
  • interested persons,
  • employees
7. Categories of personal data:

We process the following categories of personal data:

  • address data,
  • contact data,
  • birth data,
  • contract data,
  • billing data,
  • telephone numbers,
  • gender and
  • family relationships
8. Recipients or categories of recipients with whom the data may be shared

Within the Federal Institute, your data is received by the departments or employees that need it to meet the contractual or statutory obligations and to protect justified interests. In addition, contractors appointed by us (in particular, IT and back-office service providers) receive your data insofar as they need it for meeting their respective obligations. All contractors are in turn contractually obliged to treat your data confidentially and only to process it within the scope of their service provision.

If there is a statutory or regulatory obligation, public agencies and institutions (e.g. Austrian Court of Audit, National Council) may receive your personal data.

9. Time limits for deletion of data

For the duration of the entire business relationship (from initial contact via processing up to completion of the contract) and beyond in accordance with the statutory retention and documentation obligations. These are based on legislation including:

  • the Austrian Corporate Code (UGB)
  • the Austrian Federal Fiscal Code (BAO)

In addition, the storage duration is subject to considerations of the statutory periods of limitation, which can amount, for example pursuant to the Austrian General Civil Code (ABGB), to up to 30 years (the general period of limitation is three years).

In the event of an enquiry regarding a person search or a research query, we store your personal data for an indefinite period unless you claim your entitlement to rectification, erasure or blocking.

10.  Affected persons’ rights

At any time, you have the right to:

  • request information, notification, erasure or restriction of the processing of your stored data
  • object to the processing of your data
  • data portability in accordance with the requirements of data-protection law

You can submit any complaints to the Austrian Data Protection Authority (DSB):

11. Are you obliged to provide data?

You must provide such personal data as is necessary for the initiation and implementation of our business relationship.

If you do not want to provide us with the data, this usually means that we must decline to conclude the contract or to fulfil the request. If there is an existing contract, we can no longer implement it and must therefore terminate it.

You are not, however, obliged to consent to the processing of such data as is not relevant for the implementation of the contract or is not statutorily or regulatorily required.

If you make use of the option to send us a request for a person search or and/or a research enquiry, we will ask for your personal details, your address and for other information that we need to process your request. You are free to decide whether or not to share this data with us. However, without it we cannot fulfil your contact request.

Pursuant to section 29 GStG you are obliged to provide proof of your identity in a suitable form when requesting information about a person.

12. Is there any automated decision-making including profiling?

We do not use any automated decision-making methods pursuant to art. 22 GDPR for making a decision about the establishment and implementation of the business relationship.

13. Social Media

The Federal Institute cooperates with a wide range of operators of social networks. As part of this cooperation, your browser is automatically connected with the selected service provider (e.g. Facebook) when using a service. For example, your IP address, cookies and other information are transferred to the service provider if you have previously visited its website. We prevent this transfer as far as possible and it only takes place if you interact with the social network. If you are logged into the platform of the social network in question, the latter can assign your visit to our website to your user account.

We also use plug-ins (for example the Facebook symbol) from various platforms. By clicking on one of these symbols you consent to communication with the platform in question and to the transfer of information (e.g. IP address) to the service provider. For more detailed information on the specific uses of your data please see the data protection statements of the respective service providers.

14. Newsletter

If you would like to receive the newsletter offered on the website, we require from you an email address along with information that allows us to check whether you are the owner of the email address provided and that you consent to receive the newsletter. No other data is collected. We use this data exclusively for sending the information requested. We do not pass it on to third parties.

You may at any time revoke your consent to the storage of the data, the email address and the use of the same to send out the newsletter. One way of doing so is via the “unsubscribe” link in the newsletter.

15. Data security

Your data security is of the utmost importance to us. It is our stated aim to take all technical and organisational measures necessary to ensure security in data processing and to process your personal data in such a way that it is protected from access by unauthorised third parties. Our IT infrastructure uses the latest security software and meets international security standards. Access to your data is only permitted for a small number of people with the highest security clearance who are entrusted with the technical, commercial or editorial maintenance of the server.

16. Hyperlinks to external websites

Our website contains hyperlinks to websites operated by other providers. By activating these hyperlinks, you will be transferred directly from our website to the other provider’s website. You can recognise this by, for example, the change in the URL. We cannot accept any liability for the confidential treatment of your data on these websites by third parties since we have no influence on these companies’ compliance with data-protection regulations. Please see these companies’ websites for information on how they deal with your personal data.

17. Use of Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to enable us to analyse usage of the website. The information generated by Google Analytics about your use of this website (including your IP address) is stored by Google Inc. Google will use this information solely for analysing usage of the website. Anonymised analyses and graphics about the number of visits, number of pages accessed per user etc. will be produced. We only use these for controlling purposes and for designing our websites so that they are optimised and meet demand. You can find more information on Google Analytics at

18. Use of Google Maps

This website uses the product Google Maps provided by Google Inc in order to produce an interactive map of the Memorial with a visualisation of locations of historic significance. By using this website, you declare your consent to the collection, processing and use of the data automatically obtained by Google Inc. as well as by the company’s agents and third parties. 

You can find the terms of service for Google Maps at

19. Use of Cookies

In our websites we sometimes use “cookies”. These enable us to make our offer more user-friendly and effective. Cookies are small text files that are stored on your computer and are saved by your browser.

We do not collect any personal data by means of cookies. You can either block cookies from being saved in your browser or activate a notification to appear whenever cookies are sent. If you do not use cookies, this may impair your usage of our website.

20. Storage of access data

Access data is stored whenever a file from our websites is requested. Each dataset consists of: IP address, previous page (if provided by browser), file name, date and time, data volume transferred, access status, type of browser. We analyse the data solely for statistical purposes. It is not transferred to third parties, even in extract form.

This data cannot be ascribed to particular persons. The data is not combined with other data sources. We reserve the right to audit this data subsequently if there is specific evidence of unlawful usage.

21. SSL encryption

For reasons of security and to protect the transfer of confidential content, such as the enquiries that you send us, our websites use SSL encryption. You can identify an encrypted connection by the address line, which will change from “http://” to “https://” and by the lock symbol in your browser line.

If SSL encryption is activated, the data that you send to us cannot be read by third parties using technology of the current state of the art.

22. Email communication

Please note that data transfer in the internet (e.g. communication by email) can be subject to security flaws. It is not possible to completely protect your data from access by third parties. Your emails will be transferred to us without additional encryption techniques. All information sent could therefore potentially be accessed by third parties during transmission. For security reasons, you should not send passwords, credit-card numbers or other information that you want to keep secret.