Privacy policy (in accordance with Article 13 of the General Data Protection Regulation)
The protection of your personal data is of particular concern to us. In this privacy policy, we inform you about the data processing within the framework of the Fake Shop Detector.
What is the purpose of the Fake Shop Detector?
The Fake Shop Detector is a piece of software that can be installed in a browser or used via a web service of ÖIAT. The purpose of the Fake Shop Detector is to protect you from dubious web shops, so-called "fake shops" and other fraudulent online offers.
The Detector checks every website you visit in two steps: First, a database curated by experts on reputable and fraudulent online shops is searched. If a website is unknown, the second step is an optional real-time analysis by artificial intelligence (AI) on the server of the fake shop database, which retrieves the website, analyses it according to known fraud patterns and reports the result back to the Fake Shop Detector. You can read more about how the Fake Shop Detector works under About Us.
What personal data does the Fake Shop Detector process?
The Fake Shop Detector (FSD for short) follows a "Security and Privacy by Design" approach: In order to prevent fraudulent forces from wilfully attempting to disrupt or cripple the operation and thus the quality of the service for consumers of the FSD through targeted attacks, maintaining the highest possible operational security has top priority. This makes it necessary to record the IP addresses (and the time of requests) from server requests that reach the FSD in the log files of the service. This data is stored for 14 days and then automatically deleted. This data processing is essential in order to detect targeted attacks on the system, based on legitimate interests (Art 6 para 1 lit f DSGVO), to react to wilful or fraudulent actors and to deliberately exclude them from using the service. Only in this way can we guarantee unrestricted operation of the FSD service for consumers.
Since data protection is an important concern for us: "As a matter of principle" the Fake Shop Detector does not process any personal data! Why only "in principle"? That depends somewhat on the operating mode of the Fake Shop Detector and whether you contact us about it:
- Display for known websites: All assessments for already known and curated websites are generated via the FSD plugin's memory. The plugin cache is updated when the browser is restarted and every 24 hours. The Fake Shop Detector does not use any information about the user. Only the IP address of your device, as well as the time of the retrieval, will be processed in server log files for a maximum of 14 days during the data transfer for updating the plug-in (based on legitimate interest) in order to able to reliably operate the infrastructure necessary for the operation of the Fake Shop Detector (see below).
- Automatic classification for unknown websites: The automatic classification for unknown websites can be optionally activated in the settings. When a website unknown to the Fake Shop Detector is called up for the first time, only the web address (URL) of this page is transmitted to the Fake Shop Detector database, then centrally evaluated by the AI and then checked by experts. Here too, only your IP address and the website accessed are processed in the server log files (see below).
Consent under data protection law
By activating the corresponding setting in the Fake Shop Detector, you give your consent for the websites you visit to be transmitted to the AI for verification. If you do not activate the corresponding setting, you can continue to use the Fake Shop Detector, but you do not contribute to its improvement and are not protected against new and previously unknown threats.
- Error messages: In order to track errors and further develop the Fake Shop Detector, an anonymous UUID is generated, which you can send us voluntarily when contacting us or reporting problems with the Fake Shop Detector. We cannot establish a connection between this UUID and you unless you provide us with the UUID and personal data when contacting us (see next point). If you report errors, we process the data provided on the basis of the legitimate interest in improving the Fake Shop Detector.
- Manual contact: If you would also like to manually report shops or websites for inspection, complain about errors in the plug-in or incorrectly classified shops or websites, you have the option of contacting us via the websites https://www.fakeshop.at/contact/ and https://www.watchlist-internet.at/. This data processing is carried out on the basis of the legitimate interest in processing your enquiries or reports for the improvement of the Fake Shop Detector. For more information, please refer to the privacy policy of the respective website.
In other words, the majority of the threat potential assessments of websites that are visited are returned from the local browser cache of known and curated websites, so we do not know which websites our users visit and how often websites are visited in total. Only the analysis of a non-curated and therefore unknown website - if voluntarily activated in the settings - is sent to the system of the Fake Shop Detector in order to query the threat potential calculated by the AI. As soon as the threat potential that is determined has been confirmed by human experts, is this website also returned from your local browser cache. While you have activated the Fake Shop Detector and are surfing the Internet, no personal information is passed on to third parties.
Server log files: If you have activated the automatic classification for unknown websites in the Fake Shop Detector, we collect personal data to the extent that is technically necessary, as part of this automated notification of potential fake shop websites. This is also done to update or transfer the plug-in cache. For this purpose, we process the date and time of the retrieval of a website or the cache, the IP address of the accessing device, type and version identifier of the accessing browser and the action that took place (retrieval of the plug-in cache or notification of potential fake shops) in order to make the Fake Shop Detector and the underlying AI and databases available to you, and to be able to analyse errors. No attempts are made to attribute this data to specific persons. We exclude any form of surfing profiling. The data is also not merged with data from other data sources or passed on to third parties. When retrieving the plug-in cache, this data is processed on the basis of our legitimate interests (Art 6 para 1 lit f DSGVO) to reliably operate the infrastructure necessary for the Fake Shop Detector and, in the case of automatic classification for unknown websites, on the basis of your voluntary consent (Art 6 para 1 lit a DSGVO). This data and the underlying server log files are automatically deleted after 14 days.
Names and contact details of the responsible persons
The Fake Shop Detector is a result of various research projects and is constantly being further developed. The project is led by the Austrian Institute for Applied Telecommunications ("ÖIAT", Ungargasse 64-66/3/404, 1030 Vienna, office@oiat.at, +43 1 595 21 12); it is carried out in cooperation with AIT Austrian Institute of Technology GmbH ("AIT", Giefinggasse 4, 1210 Vienna, fs-detector@ait.ac.at, +43 50550-4042; AIT Data Protection Officer: Giefinggasse 4, 1210 Vienna, dpo@ait.ac.at; +43 50550-2003 ) and X-Net Services GmbH ("X-Net", Spittelwiese 15, 4020 Linz, office@x-net.at, +43 732 773142-0). They are also jointly responsible for the processing ("Joint Controllers" according to Art. 26 DSGVO), because they determine the purposes and means of data processing in the context of the (further) development of the project, as well as being responsible for the technical and organisational data protection and data security measures.
Contact point for affected persons
The obligations to keep the necessary registers, information obligations when collecting personal data (Art 13 DSGVO) and all measures to ensure or fulfil your rights as a data subject are taken by the Austrian Institute for Applied Telecommunications (ZVR number 922972340), reachable at the address Ungargasse 64-66/3/404, 1030 Vienna, and the telephone number +43 1 595 21 12 (9h to 17h), as well as at the e-mail address office@oiat.at. This association will also provide you with the essence of the Shared Responsibility Agreement upon request.
Rights of data subjects
You are generally entitled to the rights of access (Art 15 GDPR), rectification (Art 16 GDPR), erasure (Art 17 GDPR) and restriction (Art 18 GDPR) and data portability (Art 20 GDPR). If your data is processed on the basis of your consent, you can revoke this consent at any time. The revocation does not affect the lawfulness of the processing until the time of revocation. Furthermore, you have the right to object (Art 21 GDPR).
If you wish to exercise your rights, please contact: office@oiat.at.
If you believe that the processing of your data violates data protection law or that your data protection rights have been violated in any other way, you can contact the supervisory authority. In Austria, this is the data protection authority in Vienna (www.dsb.gv.at).