To the content

Data protection

The protection of your personal data is of particular concern to us. With this privacy policy we would like to inform you about how we process your personal data when you visit this website. We place great importance on the protection, accuracy and integrity of your personal data. Use of the website is voluntary. If you do not wish your data to be processed, you can leave this website at any time. This privacy policy may be updated or amended by Bundesbeschaffung GmbH at any time.

Basic information on data processing and legal basis

The innovation platform of the IÖB service unit (hereinafter referred to as the "website") is operated at Bundesbeschaffung GmbH, Lassallestraße 9b, 1020 Vienna. The responsible party within the meaning of the GDPR and other data protection regulations is Bundesbeschaffung GmbH. If you have any questions about the protection and security of your data or if you wish to assert your rights and claims in connection with data protection (e.g. to object to the use of your data or to correct it), please contact us via our contact page.

For the terms used, such as "personal data" or their "processing", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

We process users' personal data only in compliance with the relevant data protection regulations. This means that the users' data is only processed if there is a legal permission. In other words, this shall apply, in particular, if the data processing is necessary for the provision of our contractual services (e.g. processing of orders) and online services, or is required by law, or if the users have given their consent, as well as on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation and security of our online offer within the meaning of Art. 6 (1) f of the GDPR, in particular in the case of reach measurement, creation of profiles for advertising and marketing purposes and collection of access data and use of the services of third-party providers).

Security measures

We take organisational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of the data protection laws are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorised persons.

The security measures include in particular the encrypted transmission of data between your browser and our server.

Provision of contractual services

We process inventory data (e.g. names and addresses as well as contact data of users), contractual data (e.g. services used, names of contact persons, payment information) for the purpose of fulfilling our contractual obligations and services pursuant to Art. 6 (1) (b) GDPR.

Users can optionally register on our website in order to, on the one hand, present their solution on the Innovation Marketplace as a company and/or to submit their idea to a challenge. On the other hand, registered users of the public administration can call out a challenge. As part of the registration process, the required mandatory information is provided to the users. User accounts are not public and cannot be indexed by search engines. If users terminate their user account by contacting the IÖB Service Point, their data relating to the user account will be deleted; subject to their retention being necessary for reasons of commercial or tax law in accordance with Art. 6 (1) (c) GDPR. We are entitled to irretrievably delete all of the user's data stored during the term of the contract.

Within the scope of registration and/or renewed registration as well as use of our online services, we store the IP address and the time of the respective user action.

We process usage data (e.g. the websites of our online offer visited, interest in our services) and content data (e.g. entries in newsletter forms or user profile) for advertising purposes in a user profile, for example to show the user information based on the services they have previously used.

Disclosure of data to third parties and third-party providers

Data is only passed on to third parties within the framework of legal requirements. We only pass on user data to third parties if this is necessary for contractual purposes, for example on the basis of Article 6 (1) (b) GDPR or on the basis of legitimate interests in accordance with Art. 6 (1) (f) GDPR in the economic and effective operation of our business operations.

Data relevant to the respective individual case may also be passed on to third-party providers such as e.g. Facebook and Twitter.

If we use subcontractors to provide our services, we take appropriate legal precautions and appropriate technical and organisational measures to ensure the protection of personal data in accordance with the relevant statutory provisions.


When contacting us (e.g. by e-mail, registration, telephone), the information provided by the user is processed to process the contact request and its processing in accordance with Art. 6 (1) (b) GDPR.

Users' details may be stored in our Customer Relationship Management system ("CRM System") or comparable enquiry organisation.

We use the "Microsoft Dynamics CRM" CRM system from the provider Microsoft (location in Austria: Microsoft Österreich GmbH; Am Europlatz 3, 1120 Vienna) on the basis of our legitimate interests (efficient and fast processing of user enquiries).

Collection of access data, log files and cookies

On the basis of our legitimate interests within the meaning of Art. 6 (1) (f) GDPR, we collect data about every access to the server on which this service is located (so-called server log files). The access data includes the name of the website accessed, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), the IP address and the requesting provider.

The server logs are saved in order to be able to check system security, technically administer the websites and optimise the offer. If hacking has taken place, this data will be passed on to the data protection authority. Any further disclosure to third parties will not take place. The server logs are stored for a maximum of 90 days.

Cookies are pieces of information that are transmitted from our web server or third-party web servers to the users' web browsers and stored there for later retrieval. Cookies can be small files or other types of information storage. We use "session cookies" (e.g. PHPSESSID), which are only stored for the duration of the current visit to our online presence (e.g. to be able to save your login status). A randomly generated unique identification number, a so-called session ID, is stored in a session cookie. In addition, a cookie contains information about its origin and the storage period. These cookies cannot store any other data. Session cookies are deleted when you have finished using our online offer and log out or close the browser, for example. Should users wish to not have cookies stored on their computer, they are asked to deactivate the corresponding option under their browser's system settings. Stored cookies can be deleted under the browser’s system settings. However, the exclusion of cookies may lead to functional restrictions of this online offer.

Reach analysis with Matomo (formerly PIWIK)

On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 (1) (f) GDPR) we use Matomo, an open source software for the statistical evaluation of user access. The IP address of the user is shortened before it is stored. However, Matomo uses cookies that are stored on the user's computer and that enable an analysis of the use of this online offer by the user. Pseudonymous user profiles can be created from the processed data.

The information generated by the cookie about your use of this online offer is stored on our server and not passed on to third parties.

Google Tag Manager

This website uses the Google Tag Manager. Google Tag Manager is a solution that allows marketers to manage website tags through one interface. The tool itself (which implements the tags) is a cookie-less domain and does not collect any personal data. The tool triggers other tags, which in turn may collect data. Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, this will remain in place for all tracking tags implemented with Google Tag Manager.


The following information explains the contents of our newsletter as well as the registration, dispatch and statistical evaluation procedures and your rights of objection. By subscribing to our newsletter, you agree to receive it and to the procedures described.

Content of the newsletter: We send newsletters, emails and other electronic notifications with company-specific or PPPI-relevant information (hereinafter "newsletter") only after prior consent of the recipients. Insofar as the contents of the newsletter are specifically described when registering for the newsletter, they are decisive for the consent of the user. Furthermore, our newsletters contain information about our products, offers, promotions and our company.

You have the possibility to subscribe to our newsletter via our website. For this purpose, we require personal data: name, organisation, email address. You provide this data in the course of registering for the newsletter. You can unsubscribe to the newsletter at any time without giving any reason.

Dispatch service provider: The newsletter is sent by mailworx (eworx Network & Internet GmbH; Hafenstraße 2a, Linz), hereinafter referred to as the "dispatch service provider". You can view the data protection provisions of the dispatch service provider here:

From 1 October 2021, BBG mailings, such as the newsletter, will be sent via Microsoft CRM Dynamics 365. You can view Microsoft's privacy policy here: Data Protection with Microsoft Privacy Principles | Microsoft Trust Center

The use of the dispatch service provider, the performance of the statistical surveys and analyses as well as the logging of the registration procedure are carried out on the basis of our legitimate interests in accordance with Art. 6 (1) (f) GDPR. We are interested in providing a user-friendly and secure newsletter system that serves our business interests and meets the expectations of our users.

Termination/Revocation: You can unsubscribe to our newsletter at any time, i.e. revoke your consent. At the same time, your consent to its dispatch by the dispatch service provider and the statistical analyses expire. A separate revocation of the dispatch by the dispatch service provider or the statistical evaluation is unfortunately not possible. You will find a link to unsubscribe to the newsletter at the end of each newsletter. If a user has subscribed to the newsletter only and has subsequently unsubscribed, his or her personal data will be deleted.

Rights of the users

Users are generally entitled to the rights of information, correction, deletion, restriction, data portability, revocation and objection. If you believe that the processing of your data violates data protection law or your data protection rights have otherwise been violated in any way, please contact us as a matter of priority. We strive to clarify all open questions. However, you can also complain to the supervisory authority. In Austria, this is the data protection authority.

Austrian Data Protection Authority
Barichgasse 40-42, 1030 Vienna
Phone: +43 1 531 15-202525
Fax: +43 1 531 15-202690

Strong partners stand behind the Austrian Competence Centre for Innovation Procurement

An initiative of:

In cooperation with:


We use cookies to make sure we give you the best experience on our website.

Find out more under "Collection of access data, log files and cookies" in our Privacy Policy.

To the main navigation