Privacy Notice (EU/EEA)

For European Business Transformation Hub, short EBTHub, an association established in Vienna, Austria (ZVR Number 1203089427).

See controller’s information

Who we are. This notice explains how we process personal data when you visit our website, contact us, become a member, attend our events, or collaborate as a partner. We provide this information in line with Articles 13–14 GDPR.

Lead supervisory authority: Austrian Data Protection Authority, Barichgasse 40–42, 1030 Vienna, Austria; dsb@dsb.gv.at; +43 1 52 152‑0. You have the right to lodge a complaint with the DSB or with your local EU supervisory authority

What data we process, for what purposes, and legal bases

We only process what we need, for defined purposes:

  • Website operation & security (server logs). IP address, timestamp, URL, referrer, device/OS.
    Legal basis: our legitimate interests in running a secure, reliable site (Art. 6(1)(f) GDPR).

  • Strictly necessary cookies. To make the site function (e.g., load balancing, session management).
    Legal basis: necessary for the service (Art. 6(1)(b) or 6(1)(f) GDPR) and exempt from consent under Austrian telecom rules.

  • Non‑essential cookies & similar tech (e.g., analytics, marketing, embeds).
    Legal basis: your consent (Art. 6(1)(a) GDPR) and §165(3) Telecommunications Act 2021 (TKG 2021). Consent must be active and can be withdrawn any time via the cookie banner/settings. (Non‑essential tools are not loaded until you consent.)

  • Newsletters & event mailings. Email address and basic profile to send updates you request.
    Legal basis: your consent (Art. 6(1)(a) GDPR); Austrian rules also require prior consent for unsolicited electronic marketing (§174 TKG 2021), with limited exceptions. You can unsubscribe at any time.

  • Membership administration. Identity and contact data, membership details, payment records, participation in member activities.
    Legal basis: contract performance / pre‑contractual steps (Art. 6(1)(b) GDPR).

  • Partner & stakeholder relations (B2B). Work contact details to plan and deliver joint activities.
    Legal basis: our legitimate interests in running the association and collaborating (Art. 6(1)(f) GDPR).

  • Events & photos. Registration data; optional photos/videos from events.
    Legal basis: contract (Art. 6(1)(b)) and/or legitimate interests (Art. 6(1)(f)). Photos used for publicity rely on consent where required (Art. 6(1)(a)).

If you do not provide data that are necessary for membership, event participation, or a requested service, we may be unable to provide that service.

Cookies

We use a consent tool that lets you accept or reject non‑essential categories and change your choice anytime by clicking “Cookie preferences” at the bottom of the page.

Where we get your data

  1. Directly from you (forms, emails, sign‑ups, event registrations, membership applications).

  2. From your device when you browse our site (technical data, subject to your consent for non‑essential cookies).

  3. From partners only where lawful (e.g., joint event guest lists)—we’ll tell you when this happens (Art. 14 GDPR).

Recipients and processors

We share data only as needed with:

  • IT/hosting, email/newsletter, event, analytics, and payment service providers acting as processors under Art. 28 GDPR, bound by our instructions and security terms.

  • Partners/co‑organisers when you register for joint activities (you will always see who the partners are).

  • Public bodies where required by law (e.g., tax/accounting).

International data transfers

If providers are outside the EU/EEA, we ensure an adequate level of protection by:

  • Using providers certified under the EU–U.S. Data Privacy Framework (DPF) (adequacy decision of 10 July 2023), or EUR-LexEuropean Commission

  • Standard Contractual Clauses (SCCs) with supplementary measures where needed, following the EDPB’s recommendations post‑Schrems II. European Data Protection Board

You can ask us which transfer tool applies to a given service provider.

Retention

We keep personal data only as long as necessary for the purposes above, then delete or anonymize them. In particular:

  • Business records (incl. invoices, membership fee records): generally 7 years to comply with §132 Federal Fiscal Code (BAO) and §§190, 212 Austrian Commercial Code. Longer where legally required (e.g., pending proceedings).

  • Other data (e.g., inquiries, event lists, consent logs): for the period needed to handle your request, run the event, or prove compliance, then erased. Actual periods are set in our internal retention policy (available on request).

Your rights

Within the GDPR’s scope, you can access, rectify, erase, restrict, object (including to direct marketing), and port your data; where processing relies on consent, you can withdraw it at any time (this doesn’t affect past processing). To exercise rights, contact us at privacy@ebthub.com.

Direct marketing by email/phone

We’ll only send electronic marketing where permitted—typically with your prior consent—and always with an easy unsubscribe. Austrian law (TKG 2021 §174) sets specific rules on unsolicited messages and calls.

Security

We apply proportionate technical and organisational measures (access controls, encryption in transit, need‑to‑know access, processor due diligence) to protect your data.

Children

Our services are not directed to children under 14. If we learn we hold such data without appropriate authorisation, we’ll delete it.

Changes to this notice

We may update this notice to reflect legal or operational changes. We’ll post the new version here and indicate the effective date.

Effective date: 9 August 2025
Document owner: President, Ruth Pauline Wachter

EBTHub, a Non-Profit Association
Aßmayergasse 30, 1120 Vienna
office@ebthub.com