23390
page-template-default,page,page-id-23390,qode-social-login-1.1.3,qode-restaurant-1.1.1,stockholm-core-2.3,select-child-theme-ver-1.1,select-theme-ver-8.9,ajax_fade,page_not_loaded,paspartu_enabled,menu-animation-underline,fs-menu-animation-underline,header_top_hide_on_mobile,,qode_grid_1300,qode_menu_center,qode-mobile-logo-set,wpb-js-composer js-comp-ver-6.6.0,vc_responsive
Privacy Policy

Privacy policy & data protection

I. Controller’s name and address

 

The controller, as defined in the General Data Protection Regulation (GDPR) and other national privacy laws of the member states as well as other regulations relevant to data privacy, is:
Ludwig-Maximilians-Universität München
Geschwister-Scholl-Platz 1
80539 Munich
Contact data protection officer at LMU Munich
Phone: +49 89 2180 – 2414 (team assistant)
E-Mail: Contact Form

 

II. General provisions on data processing

 

1. Scope of the processing of personal data

 

We process our users’ personal data only to the extent required to provide a functional website, our content and our services. Our users’ personal data is processed regularly and only with the user’s consent. Cases in which prior consent is manifestly impossible to obtain and legal statutes permit data processing constitute an exception.

 

2. Legal basis for processing personal data

 

PERSONAL DATA ARE PROCESSED ON THE BASIS OF THE FOLLOWING LEGAL PROVISIONS OF THE GENERAL DATA PROTECTION REGULATION (GDPR):

 

  • ARTICLE 6(1)(A) GDPR SERVES AS THE LEGAL BASIS WHERE THE DATA SUBJECT HAS GIVEN CONSENT TO THE PROCESSING OF PERSONAL DATA.
  • ARTICLE 6(1)(B) GDPR SERVES AS THE LEGAL BASIS WHERE PROCESSING IS NECESSARY FOR THE PERFORMANCE OF A CONTRACT TO WHICH THE DATA SUBJECT IS PARTY OR IN ORDER TO TAKE STEPS AT THE REQUEST OF THE DATA SUBJECT PRIOR TO ENTERING INTO A CONTRACT.
  • ARTICLE 6(1)(C) GDPR SERVES AS THE LEGAL BASIS WHERE PROCESSING IS NECESSARY FOR COMPLIANCE WITH A LEGAL OBLIGATION TO WHICH THE CONTROLLER IS SUBJECT.
  • ARTICLE 6(1)(E) GDPR PROVIDES THE LEGAL BASIS WHERE PROCESSING IS NECESSARY FOR THE PERFORMANCE OF TASKS CARRIED OUT IN THE PUBLIC INTEREST OR IN THE EXERCISE OF OFFICIAL AUTHORITY VESTED IN THE CONTROLLER. AS A PUBLIC INSTITUTION, LUDWIG-MAXIMILIANS-UNIVERSITÄT MÜNCHEN PROCESSES PERSONAL DATA PRIMARILY ON THIS BASIS, IN PARTICULAR IN CONNECTION WITH RESEARCH, TEACHING, ACADEMIC COMMUNICATION AND PUBLIC INFORMATION ACTIVITIES.

 

3. Erasure and period of storage

Personal data of data subjects will be erased or restricted as soon as the purpose for the storage expires. Storage may also continue as required for the controller to comply with provisions of directives, laws, and other regulations of the European Union and national legislators. Unless required for the completion or performance of a contract, personal data will also be restricted or erased when the storage period expires, as required by the norms mentioned.

 

III. Provision of the website and creation of logfiles

 

1. Description and scope of data processing

Whenever our webpage is accessed, our system automatically collects information pertaining to the computer accessing it. The following data are collected:

 

(1) Information about the type of browser and the version used
(2) The user’s operating system
(3) The user’s internet service provider (ISP)
(4) The user’s IP address
(5) Date and time of access to the website
(6) Websites through which users’ systems access our website
(7) Websites users access through our website

 

The data will also be stored in our system’s logfiles. These data are not saved in combination with users’ other personal data.

 

2. Legal basis for data processing

The temporary storage of data and logfiles is based on Article 6(1)(e) and Article 6(3) GDPR in conjunction with Article 4(1) of the Bavarian Data Protection Act (BayDSG), as such processing is necessary for the performance of tasks carried out in the public interest and in the exercise of official authority vested in Ludwig-Maximilians-Universität München, in particular for providing information about academic activities and ensuring the secure operation and technical functionality of university web services.
Where applicable, processing may additionally rely on Article 6(1)(f) GDPR for purposes of maintaining IT security and system stability.

 

3. Purpose of data processing

 

Temporary storage of IP addresses on the system is required to transfer the website’s contents to the users’ computer. The user’s IP address must be stored for the duration of the session.
Storing the logfile is required to maintain the functionality of the website. The data also serve to help maintain the security of our IT systems. The data are not analysed for marketing purposes. These purposes are part of our legitimate interests as per Article 6(1f) of the GDPR.

 

4. Storage period

 

The data will be erased as soon as they are no longer required to fulfil the purpose for which they were collected. In case of data collected in the course of accessing the website, the purpose expires when the session is over. In the case of stored logfiles, the purpose expires no later than 30 days after the session.

 

5. Objection and rectification

Data collected to provide the website and storage of data in the logfiles is strictly required to operate the website. Therefore, the user has no right to object.

 

IV. Use of cookies

 

1. Description and scope of data processing

 

Our website uses cookies. Cookies are text files stored on the user’s computer system by the web browser. A cookie can be stored on the user’s operating system when the user accesses a website. The cookie contains a unique sequence of characters that allows that particular browser to be identified upon the next visit.

 

We use cookies to make our website more user friendly. Some elements of our website require a browser accessing it to be identifiable when switching pages.

 

The following data are stored and transmitted in the cookies:

 

(1) the type of device (mobile or desktop device), the user’s setting to use the desktop view on mobile devices;
(2) the user’s selection of the contrast view;
(3) session information extending across several instances of accessing the page (e.g. filling, checking and sending a form);
(4) login information.

 

2. Legal basis for data processing

 

The use of technically necessary cookies and active components is based on Article 6(1)(e) and Article 6(3) GDPR in conjunction with Article 4(1) of the Bavarian Data Protection Act (BayDSG) and Articles 4, 16 and 17 of the Bavarian Digital Act (BayDiG), as their use is required to provide the website and its functions within the scope of the university’s public information and communication mandate and to ensure the secure and functional operation of university web services.

 

Where the storage of information on the user’s terminal device or access to such information requires consent, processing is carried out on the basis of Article 6(1)(a) GDPR in conjunction with Section 25 of the German Telecommunications Digital Services Data Protection Act (TDDDG).

 

Cookies that are not technically necessary are used only after the user has given consent.

 

3. Purpose of data processing

 

The purpose of using technically necessary cookies is to simplify the user experience. Our website can be used without cookies in principle. Some functions will not work without cookies. Such functions require the particular browser to be identifiable between pages on the site.

 

The purposes for which we require cookies are listed in section V.1.

 

Users’ data collected in the course of applying technically necessary cookies are not used to produce user profiles.

 

 

4. Period of storage, the right to object and the right to rectification

 

Cookies are stored on the user’s computer and transmitted to our website. This gives you, the user, complete control over the use of cookies. By adjusting the setting in your web browser, you can deactivate or restrict the transmission of cookies. Cookies already stored on your computer can be erased at any time. This can also be automated. If cookies are deactivated for our website, some functions of the website might no longer be fully operational.

 

V. Rights of data subjects

 

If your personal data are being processed, then you are the data subject according to the GDPR, and you have the following rights with respect to the controller.

 

1. Right of access

 

You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.
Where that is the case, you can demand access to the following information and access to the personal data from the controller:
(1) the purposes of processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom your personal data have been or will be disclosed;
(4) the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where your personal data are not collected from you, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.

 

You have the right to be informed when your personal data are transferred to a third country or to an international organisation. In such cases, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

 

2. Right to rectification

 

You have the right to obtain from the controller without undue delay the rectification or completion of inaccurate or incomplete personal data.

 

3. Right to restriction of processing

 

You have the right to obtain restriction of processing your personal data where one of the following applies:
(1) if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of personal data, requesting the restriction of their use instead;
(3) the controller no longer needs your personal data for the purposes of the processing, but you require them for the establishment or defence of legal claims;
(4) you object to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override yours.

 

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

 

If you have obtained restriction of processing under the conditions listed above, you will be informed by the controller before the restriction of processing is lifted.

 

4. Right to erasure

 

a) The duty to erase

 

(1) You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(2) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(3) you withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
(4) you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(5) your personal data have been unlawfully processed;
(6) your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(7) your personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
b) Information to third parties

 

Where the controller has made your personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing your personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, your personal data.
c) Exceptions

 

The right to erasure does not apply to the extent that processing is necessary: (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in point 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defence of legal claims.

 

5. Right to notification

If you have demanded from the controller the rectification, erasure or restriction of your personal data or restriction of processing, the controller is obligated to communicate this demand to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

 

You have the right to be informed about those recipients from the controller upon request.

 

6. Right to data portability

 

You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (1) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and (2) the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others will not be adversely affected.
The exercise of the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

7. Right to object

 

You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

 

8. Right to withdraw consent to data storage and processing

 

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

 

9. Automated individual decision-making, including profiling

 

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3) above, the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

 

10. Right to lodge a complaint with a supervisory authority

 

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

 

VI. EXTERNAL SERVICES AND SOCIAL MEDIA

 

 

OUR WEBSITE MAY CONTAIN LINKS TO EXTERNAL ONLINE PLATFORMS AND SOCIAL MEDIA SERVICES USED FOR ACADEMIC COMMUNICATION AND DISSEMINATION OF RESEARCH ACTIVITIES.

 

WHEN ACCESSING SUCH EXTERNAL SERVICES, PERSONAL DATA MAY BE PROCESSED BY THE RESPECTIVE PROVIDERS. LUDWIG-MAXIMILIANS-UNIVERSITÄT MÜNCHEN HAS NO INFLUENCE OVER DATA PROCESSING CARRIED OUT BY THESE PROVIDERS ONCE USERS LEAVE THE UNIVERSITY WEBSITE.

 

FURTHER INFORMATION ON DATA PROCESSING BY THE RESPECTIVE PROVIDERS CAN BE FOUND IN THEIR PRIVACY POLICIES:

 

 

  1. META PLATFORMS IRELAND LTD. (FACEBOOK, INSTAGRAM):
    HTTPS://WWW.FACEBOOK.COM/PRIVACY/POLICY
    HTTPS://PRIVACYCENTER.INSTAGRAM.COM/POLICY
  2. X CORP. (FORMERLY TWITTER):
    HTTPS://X.COM/EN/PRIVACY
  3. LINKEDIN IRELAND UNLIMITED COMPANY:
    HTTPS://WWW.LINKEDIN.COM/LEGAL/PRIVACY-POLICY
  4. YOUTUBE / GOOGLE IRELAND LIMITED:
    HTTPS://POLICIES.GOOGLE.COM/PRIVACY

 

LINKS TO EXTERNAL SERVICES ARE PROVIDED IN FULFILMENT OF THE UNIVERSITY’S PUBLIC COMMUNICATION TASKS PURSUANT TO ARTICLE 6(1)(E) GDPR. WHERE EXTERNAL CONTENT IS ACTIVATED ONLY AFTER USER INTERACTION, PROCESSING MAY ADDITIONALLY BE BASED ON THE USER’S CONSENT PURSUANT TO ARTICLE 6(1)(A) GDPR.

 

Supplementary information

 

Further information on data protection at Ludwig-Maximilians-Universität München, including general institutional regulations, contact details of the university data protection officer and overarching information on data processing within the university, can be found in the central privacy policy of Ludwig-Maximilians-Universität München:

 

https://www.lmu.de/de/footer/datenschutz/

 

Status and updates of this privacy policy

 

This privacy policy reflects the current state of data processing on this website.
We reserve the right to amend this privacy policy where necessary in order to ensure compliance with applicable legal requirements or to reflect changes to our website, services or data processing practices.

 

Last updated: [April 2026]