Privacy Notice


Responsible body: The responsible body and data controller of your personal data is:

ICMPD Headquarters, Rothschildplatz 4 in 1020 Vienna Austria.

Contact for data protection queries: For queries, suggestions or complaints as to the processing of your data contact our data protection focal point at:

Letters: Data Protection Focal Point

ICMPD Headquarters

Rothschildplatz 4

1020 Vienna Austria


Supervisory authority: Responsible supervisory authority for data protection matters:

Letters: Österreichische Datenschutzbehörde

Barichgasse 40-42

1030 Wien



Data Protection Principles

For ICMPD trust is a vital cornerstone in every business relationship, which is why we attach great importance to the secure and sensitive management of your data. This data protection declaration is intended to give you an insight into which personal data is used, for what purpose and what options are available to you as the data subject for getting the best possible overview of what happens to your data and what rights you have in this regard. ICMPD operates a consistent and continuous data protection management system in order to systematically plan, organise, manage and monitor legal and operational data protection requirements. Our goal is to ensure the rights and freedoms of those concerned, and recognise business-related risks arising from data protection and to be able to manage these accordingly.

This means for you, as the data subject:

  • All personal data shall be processed in a fair and transparent manner.
  • All personal data shall be accurate and be kept up to date. When found to be inaccurate it shall be corrected as soon as possible.
  • Personal data shall only be used for the specified purpose for which active consent was obtained.
  • Personal data which is no longer used for the specified purpose or is known to be inaccurate shall be deleted/destructed or, where deletion is not feasible, access must be restricted so that no one apart from those responsible for technical maintenance of the space it is saved in has access.
  • While business contacts are available to all staff and made available to implementing partners, beneficiaries and contractors as required, access to private and sensitive data is restricted to persons who need access for carrying out their respective function for as long as they carry out this function based on a secure authentication mechanism including strong passwords.
  • Processing activities of personal data owned by ICMPD may only be performed by external parties based on the conclusion of a binding written contract that sets out the purpose and duration of the processing and ensures that the processor meets technical and organisational requirements to ensure the effective protection of the rights of the concerned data subjects.
  • ICMPD respects your rights under the data protection laws, such as the right to be informed about the lawful basis we rely on for processing your personal data.
  • Our information processing security measures comply with the latest standards and with statutory requirements.
  • Our employees are obliged to maintain confidentiality and receive regular training on data handling best practices.

In order to explain it to you as transparently as possible, we have endeavoured to describe the facts as simply as possible. Whether you are a long-standing implementing partner, beneficiary or contractor, we invite you to read this statement carefully and familiarise yourself with our practices.

If you have any questions, please do not hesitate to contact us - our contact details are set out at the beginning of this statement.

What type or categories of personal data we process

Personal data is all that information that relates to an identified or identifiable natural person.

We store and process personal data only as far as is directly necessary for developing and in the implementation of individual projects and services along our fields of expertise.

We also process data that we have rightfully obtained from publicly accessible sources (e.g. company registers or the land registry).

We process the personal data which you provide to us in various ways such as through your use of our website or in the course of an enquiry you have with us.

The following personal data is processed by us:

  • Personal data relating to partners, beneficiaries or contractors:
  • First name, Last name, address (address, zip, city, country)
  • Contact details (email address, telephone number)

Any further information you provide to us such as the content of an enquiry (via a free text field or over the phone)

Personal data relating to customer base/supplier base: We record very little data on suppliers. We merely need to ensure a trouble-free business relationship.

  • Supplier contacts (Name of Entity as per Registration, Contact Person first name, Contact Person last name)
  • Contact details (address, email address, telephone number)
  • Bank details

Personal data relating to applicants/bidders: there is a separate data protection declaration for these.

We guarantee that we will only use any personal data we collect for the purpose for which it was originally collected. It is especially important to us to ensure there is no lack of clarity around collection of personal data and that you know from the start how, why and by whom the data has been collected.


How we use personal data

The processing of the data subject's data is carried out on the basis of the performance of the contract and in exercise of the legal regulations addressed to the data controller (in particular the laws concerning the employee).

For example, the purposes of data processing are as follows

  • Personal contact data for the establishment, processing and management of contracts and business relationships
  • Payroll and general payments for various projects
  • For financial and business accounting purposes
  • Data used in the context of consultancy activities
  • All data necessary for the handling of internal processes (e.g. accounting, personnel administration, etc.)
  • Personal data required for purchasing purposes (e.g. supplier contact details).

In addition, in order to safeguard our legitimate interests, the following data processing purposes are pursued, for example

  • Marketing to inform interested parties about projects
  • Processing and transfer of data in the context of implementing and securing new IT solutions.

If the purpose for which the data was originally collected no longer applies, we may continue to store your data only if we obtain your consent to do so or if there is another important exceptional reason.


Existence of automated decision-making

We do not currently undertake any automatic decision-making or profiling.


Legal basis for the collection and processing of your data

As a rule, we try to make the collection and processing of your data as transparent as possible. Therefore, we adhere exactly to the guidelines set out in Art. 6 ff of the GDPR and use these as the legal basis for the processing and collection of your data. We process your personal data in accordance with the provisions of the European Data Protection Regulation (GDPR).

Legal basis for data processing:

  • Consent granted pursuant to Art. 6 (1) lit. a GDPR for the processing of your personal data for specific purposes (e.g. consent for newsletter transmission).
  • The processing of personal data (Art. 4 No. 2 GDPR) is carried out as far as necessary for the implementation of our contracts with you and the execution of your orders as well as for the implementation of pre-contractual measures according to Art. 6 Para. 1 lit. b GDPR.
  • Legal obligations pursuant to Art. 6 Para. 1 lit. c GDPR, which we must fulfil, such as legally prescribed storage and documentation obligations.
  • Safeguarding legitimate interests pursuant to Art. 6 Para. 1 lit. f GDPR. Where necessary, data processing may be carried out to protect legitimate interests within the framework of balancing interests in favour of ICMPD. In the following cases, data processing is carried out to safeguard legitimate interests. Examples of such cases are

Personal data will only be disclosed or transferred to third parties if this is required by law or for the purpose of contract execution.

Stored personal data will be deleted if you, as a user of our website and/or interested party and/or customer, revoke your consent to data processing, if your data is no longer required to fulfil the purpose for which it was stored, or if its storage is or becomes inadmissible for other legal reasons. Data that is required for contract processing, accounting purposes or to comply with other legal obligations (documentation obligations) is not affected by a request for deletion.


Disclosure and transfer

We will only disclose personal data to third parties if we have a legal basis to do so, for example, if we are required to do so by law, if it is necessary to perform our contract with you or if you have given your prior consent.

With third party processors

We use third party processors (in particular IT service providers) to help us with certain functions and we may disclose your personal data to them if they need it to perform their respective services. All processors are contractually bound to keep your data confidential and to process it only as part of the agreed service provision.

Data processed outside the EEA

No data will be processed outside the EEA.


Data access and security

Those involved in the implementation and process within ICMPD have access to your data depending on operational and organisational requirements.

Privacy and data security are important to us. We have implemented technical and organisational measures to secure our data processing. These measures protect against unauthorised or unlawful processing, accidental loss, accidental destruction or accidental damage. This applies in particular to the protection of your personal data. Examples of the measures we take to protect your personal information include:

  • we protect against unlawful access to personal data by applying a role authorisation policy, a data security policy and physical safeguards;
  • We have information security policies in place within the company.

All technical and organisational security measures are continuously reviewed in line with technological developments. External and internal IT security is regularly reviewed by an external IT security company. Our central IT service provider regularly provides us with an ISO 27001 audit report on its internal control system.


Your rights as a data subject

As a data subject, you have a number of rights which we have set out below. To exercise your rights or if you have any queries, please contact our Data Protection Focal Point:

Letters: Data Protection Focal Point

ICMPD Headquarters

Rothschildplatz 4

1020 Vienna Austria


We may require you to prove your identity in an appropriate manner before we are able to comply with your request, in order to prevent unauthorised third parties from gaining access to your personal data and/or to prevent unauthorised changes and/or deletions from being made. to unauthorised third parties and/or to prevent unauthorised changes and/or deletions.

When we receive a request from you exercising your rights, we will respond promptly and no later than one month after we receive your request. Our response will provide an initial view or response to your concern, or whether, and if so why, the period for providing our view has been extended by up to two months.


ICMPD Website, Newsletter and Cookies

ICMPD is committed to safeguarding the privacy of the users of the ICMPD website ( and newsletter, while aiming to provide a user-friendly and valuable service. Personal information is only collected via registration forms with the requirement of an explicit written consent for ICMPD to process and/or use any personal data in the manner and for the purpose described below in this privacy notice.

During a visit to the website and use of the newsletter tool, the following types of information are collected: browsing patterns, website preferences, location of the user. This information is only used in aggregate forms: statistical reports on number of monthly visits, typical user paths, etc. These reports are used: 

  • to monitor the use of the website
  • to identify audience profiles
  • to support strategic planning.

Newsletter usage monitoring is personalised in order to support the evaluation and improvement of ICMPD’s services based on the interest in specific policy topics by individual target groups. The data is saved on the server of our web-based e-mailing system by Cleverreach whose servers are based in the EU guaranteeing the best possible data protection to ICMPD. Please see Cleverreach’s data protection policy here for more details:

ICMPD processes personal information collected via its website and newsletter tool solely for communication purposes of the organisation. Only authorised staff members and contractors bound by the GDPR have access to the information and it will not be shared with any third parties. ICMPD uses secure data networks that are protected by firewall, mal-ware and password protection systems that are consistent with industry standards. 

A cookie is a data file that, if your browser settings allow, is stored by us on your computer when you visit our website or carry out certain actions. The cookie contains information that we have sent to your computer. It stores certain settings and data for interaction with our system via your browser.

We use so-called session cookies, which are stored during your visit to our website. They are deleted when you close your browser session. We also use persistent cookies, which remain on your computer after a browser session has ended. Persistent cookies contain an identification number that allows us to identify your computer. This allows us to improve our services when you return to our websites. We cannot link this identification number to any personally identifiable information.

If you do not wish to use cookies, please adjust the cookie handling in the security settings of your browser. You can find these settings in most browsers in the "Tools" menu under "Preferences" or "Internet Options" and in the "Privacy" tab. You can also use these settings to delete cookies that have already been set.

Please note, however, that certain cookies are necessary to ensure the basic functionality of the website. Some pages of our websites may not function properly if you do not accept cookies. Below you will also find information on how to prevent certain cookies from being set.

As far as our cookies are concerned, it is up to you when you want to delete them. In any case, they are stored in your browser until you decide to delete them. As a user, you also have full control over the use of cookies. However, please note that if you choose to disable cookies, you may not be able to use all the features of our website.


Google Tag Manager

Our website uses Google Tag Manager, a service provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

The Tag Manager is used to manage the tools and external services we use on our website and allows the use of so-called tags. A tag is a code element that is stored in the source code of the website, for example to control which page or service elements and tools are activated and loaded in which order. The tool triggers other tags, which in turn may collect data and which are further explained in this privacy policy. Some of the data is processed on a Google server in the USA.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Tag Manager. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.

You can find more information about this in Google’s information about Tag-Manager. (LINK)


Google Analytics 4

Our website uses the web analytics service Google Analytics 4, provided for persons from the European Economic Area and Switzerland by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland and for all other persons by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”).

We integrate Google Analytics 4 via the Google Tag Manager. If you have not consented to the use of the analytics tools, your data will not be collected as part of Google Analytics 4.

Google Analytics 4 uses JavaScript and pixels to read information on your device and cookies to store information on your device. This is done to analyze your usage behavior and improve our website. On our behalf, the access data is combined by Google into pseudonymous user profiles and transmitted to a Google server in the USA. We will use the information to evaluate the use of our website and to compile reports on website activities.

As part of the evaluation, Google Analytics 4 also uses artificial intelligence such as machine learning for automated analysis and enrichment of the data. For example, Google Analytics 4 models conversions to the extent that not enough data is available to optimize the evaluation and reports. Information on this can be found in the associated Google documentation. The data evaluations are carried out automatically with the help of artificial intelligence or on the basis of specific, individually defined criteria. You can find more about this in the associated Google documentation

The data collected as part of the usage analysis of Google Analytics 4 is enriched with data from the Google Search Console and linked with data from Google Ads, in particular to measure the success of our advertising campaigns (so-called conversions).

Processed data: The following data can be processed by Google Analytics 4:

  • IP address;
  • User ID and device ID;
  • referrer URL (previous visited page);
  • Pages viewed (date, time, URL, title, duration of visit);
  • downloaded files;
  • clicked links to other websites;
  • Achievement of specific goals (Conversions);
  • Technical information (operating system; browser type, version and language; device type, brand, model and resolution);
  • approximate location (country, region and city, if applicable, based on anonymized IP address).

Privacy settings: We have made the following privacy settings for Google Analytics 4:

  • Anonymisation of the IP address;
  • deactivated advertising function;
  • deactivated personalized advertising;
  • deactivated remarketing;
  • retention period of 2 months (and no reset of retention period with new activity);
  • deactivated cross-device and cross-page tracking (Google Signals);
  • deactivated data shares (especially Google products and services, benchmarking, technical support, account specialist).

Used cookies: Google Analytics 4 sets the following cookies for the specified purpose with the respective storage period:

"_ga" (400 days) and "_gid" (24 hours): Recognition and distinction of visitors by a user ID;

"_ga_XXXXXX" (400 days): Retention of the information of the current session.

We have concluded a data processing agreement with Google Ireland Limited for the use of Google Analytics 4. In the event that personal data is transferred from Google Ireland Limited to the USA, Google Ireland Limited and Google LLC have concluded standard contractual clauses (Implementing Decision (EU) 2021/914, Module 3) pursuant to Art. 46(2)(c) GDPR. In addition, we also obtain your explicit consent for the transfer of your data to third countries in accordance with Art. 49(1)(a) GDPR.

You can find more information about Google Analytics 4 in Google’s privacy statement and in the Google Analytics privacy policy.


Updating the rules

Please note that we may need to update and amend this document from time to time. For example, to reflect changes to the EU General Data Protection Regulation. Any changes to this policy will be posted on this website.



The documents, design and images on this website are provided for informational purposes only and the information herein is subject to change without notice. The information presented on does not necessarily reflect the views of the governments of ICMPD Member States and as such is not an official record.

ICMPD does not guarantee, either expressed or implied, the accuracy, completeness, reliability or suitability of the information. More information on ICMPD’s copyright policy can be found here. The use of particular designations of countries or territories, as well as maps, does not imply any judgement by ICMPD as to the legal status of such countries or territories, of their authorities and institutions or of the demarcation of their boundaries. ICMPD does not guarantee the accuracy of and disclaims any liability whatsoever in connection with sites to which it provides links. Their contents and the documents therein reflect solely the views of their authors.

While ICMPD makes every effort to ensure that documents available on its website are free of any software virus, it cannot guarantee that the material is free from any or all software viruses. ICMPD is not responsible for any loss or damage caused by the software and related codes, including viruses and worms.



Content on the ICMPD website is subject to copyright. Text, photos or any other material credited to ICMPD on this website may be reproduced without charge for non-commercial purposes only. ICMPD must be credited as source when using content from its website. For texts, the publication or page the texts originate from must be given.

If the attribution indicates that the information (including photos and graphics) is from a source or site external to ICMPD, permission for reuse must be sought from the originating organisation. The content of this publication/ this website is the sole responsibility of ICMPD and can in no way be taken to reflect the views of the donors.