Data Protection

Privacy policy & data protection

  1. Fundamentals

In this privacy policy, you will find out which personal data we, the Vienna School of Osteopathy (e.V.), process with the help of automation, in what way and for what purpose, as well as what rights you have as a data subject.

  2. Controller

The controller is the Wiener Schule für Osteopathy GmbH, Moeringgasse 20/7, 1150 Vienna, Tel: 01 879 38, ZVR number: 686953754.

The person responsible is Raimund Engel, raimund.engel@wso.at.

  3. Collection and processing of personal data

The protection of personal data is of particular concern to us. Your personal data will therefore only be processed to the extent permitted by law and necessary for the fulfilment of the respective purpose (membership management, provision of treatments, administration of students, fulfilment of legal obligations, sending of information material and advertising, sending of a newsletter).

The following personal data is collected and processed in the course of our activities for the following purposes:

3.1 To manage students:

We process the following data of students of basic education, students of university courses and students of PG seminars for the purpose of managing students' course contracts, enrolling in the DUK and filling out registration forms on the legal basis of contract performance.

3.2 To manage employees

To manage contracts with our employees, as well as to transfer salaries and register with the relevant social security institutions on the legal basis of contract performance.


3.3 To carry out treatments on our patients in the teaching clinic

In order to carry out medical treatments on our patients by our therapists, tutors and students, we process the following personal data on the legal basis of the performance of the contract.


3.4 To process the teaching contracts with our tutors

For the preparation of fee notes for our tutors, we process the following data on the legal basis of contract fulfilment.


3.5 To send you our email newsletter

In order to send you our newsletter and other information about services, courses, study programs and events of our association, we process the following data, if you have given us your consent to do so:

In doing so, we use the following communication channels, if you have provided them to us: e-mail and post.


3.6 Photo shoots at events

We have a legitimate interest in taking photos for marketing purposes at events and courses and publishing them on our website. However, recordings of patients or recordings that touch on the most personal area of the person concerned are never taken.

If you do not agree to this, you can object to processing and publication at any time, which will also be made known to you by means of a sign.

  4. Disclosure of personal data to third parties

Your personal data will not be disclosed to third parties, except

  5. Data processing on behalf of the company

If we engage a processor, we are still responsible for the protection of your personal data.

We therefore only commission external processors to perform activities that are necessary for the provision of our services, such as IT service providers for the operation and maintenance of our server and network infrastructure (namely Domainfactory) or mailing service providers for sending newsletters (namely Sparkpost). They have committed to us that they will comply with the applicable data protection regulations. A data processing agreement has been concluded in accordance with Article 28 GDPR.

We primarily use processors within the European Union. We will only use processors outside the European Union if (i) there is an adequacy decision of the European Commission for the third country in question, or (ii) we refer to the European Commission's Standard Contractual Clauses, or (iii) if appropriate safeguards, e.g. the EU/US Privacy Shield, are in place with the third country or (iv) we have agreed binding corporate rules with the processor.

You can request more information about the processors commissioned by us at datenschutz@wso.at.

  6. Duration of processing

We process your personal data – if necessary – for the duration of the contractual relationship or as long as you are registered with us as a patient.

Once the contract has been fully executed, your data will be stored until the expiry of the statutory retention periods applicable to us and any claims for limitation and damages and, beyond that, until the end of any legal disputes in which the data is required as evidence.

Personal data of students who have taken a course with us will be stored for 7 years due to tax regulations. In addition, we store the course data for another 25 years in order to be able to check eligibility for follow-up courses.

Employee data will be deleted by us after the end of the statute of limitations, whereby the data necessary for the creation of an employment reference will be stored for 30 years in order to be able to comply with the legal right of former employees to an employment reference within 30 years.

We also store patients' health data for up to 30 years for medical reasons.

We delete personal data from our customer base after 10 years from the last contact.

Data that you have provided to us for marketing and information purposes, such as sending a newsletter, will be stored until you object to the sending of the same or revoke any consent you may have given to it.

  7. Data security

We use technical and organizational security measures to protect your personal data against accidental or intentional manipulation, loss or destruction and against access by unauthorized persons. Our security measures are continuously improved in line with technical progress.

  8. Your rights

With regard to the processing of your personal data, you as a natural person may exercise the following rights under the General Data Protection Regulation and the national data protection law:

8.1 Right to information

You can ask us to confirm whether and to what extent we process your data. This confirmation contains information about the purposes for which your data is processed, the categories of personal data processed, the recipients or categories of recipients of the personal data, and the duration of the data processing.

8.2 Right to rectification

At any time, you can request that inaccurate or incomplete data concerning you be corrected and/or completed without undue delay.

8.3 Right to erasure

You can ask us to erase your personal data if we process it unlawfully, if the processing disproportionately interferes with your legitimate interests, if the personal data is no longer necessary for the purposes for which it was collected, or if you have withdrawn your consent. Please note that there may be reasons that preclude immediate deletion, such as statutory retention obligations.

8.4 Right to restriction of processing

You can ask us to restrict the processing of your data if:

From the time of the request for restriction, this data will only be processed with individual consent or for the assertion and enforcement of legal claims.

8.5 Right to data portability

You can ask us to provide you with the data you have provided to us in a structured, commonly used and machine-readable format, provided that:

  9. Right to object

You may at any time, on grounds relating to your particular situation, object to the processing of personal data concerning you which is necessary for the purposes of our legitimate interests or those of a third party. Your data will no longer be processed after the objection, unless there are compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms or the processing serves to assert, exercise or defend legal claims.

You can object to the sending of advertising at any time without giving reasons.

  10. Right to lodge a complaint

If you believe that we are in breach of national or European data protection law when processing your data, you can contact us at any time. Of course, you also have the right to contact the competent data protection authority and, from 25.05.2018, also the supervisory authority within the EU.

  11. Assertion of your rights

To assert any of the above rights against us, please use the following contact options:

To the extent that we are unable to determine your identity based on the data we hold, it may be necessary for us to request additional information to determine your identity (e.g. photo ID). Queries in this regard serve to protect your rights and privacy.