Privacy policy & data protection
I. Controller’s name and address
The controller, as defined in the General Data Protection Regulation (GDPR) and other national privacy laws of the member states as well as other regulations relevant to data privacy, is:
Ludwig-Maximilians-Universität München
Geschwister-Scholl-Platz 1
80539 Munich
Telephone: +49 89 2180-0
Email: poststelle@verwaltung.uni-muenchen.de
II. General provisions on data processing
1. Scope of the processing of personal data
We process our users’ personal data only to the extent required to provide a functional website, our content and our services. Our users’ personal data is processed regularly and only with the user’s consent. Cases in which prior consent is manifestly impossible to obtain and legal statutes permit data processing constitute an exception.
2. Legal basis for processing personal data
Article 6(1a) of the GDPR provides the legal basis for us to process personal data in cases where the user has given consent.
Article 6(1b) of the GDPR provides the legal basis for us to process personal data for the performance of a contract to which the data subject is a party. This also applies to data processing or in order to take steps at the request of the data subject prior to entering into a contract.
Article 6(1c) of the GDPR provides the legal basis for us to process personal data in cases in which we are legally obligated to do so.
Article 6(1d) of the GDPR provides the legal basis for us to process personal data in order to protect the vital interests of a data subject or of another natural person,
Article 6(1f) of the GDPR provides the legal basis for us to process personal data for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.
3. Erasure and period of storage
Personal data of data subjects will be erased or restricted as soon as the purpose for the storage expires. Storage may also continue as required for the controller to comply with provisions of directives, laws, and other regulations of the European Union and national legislators. Unless required for the completion or performance of a contract, personal data will also be restricted or erased when the storage period expires, as required by the norms mentioned.
III. Provision of the website and creation of logfiles
1. Description and scope of data processing
Whenever our webpage is accessed, our system automatically collects information pertaining to the computer accessing it. The following data are collected:
(1) Information about the type of browser and the version used
(2) The user’s operating system
(3) The user’s internet service provider (ISP)
(4) The user’s IP address
(5) Date and time of access to the website
(6) Websites through which users’ systems access our website
(7) Websites users access through our website
The data will also be stored in our system’s logfiles. These data are not saved in combination with users’ other personal data.
2. Legal basis for data processing
Article 6(1f) of the GDPR provides the legal basis for the temporary storage of the logfile.
3. Purpose of data processing
Temporary storage of IP addresses on the system is required to transfer the website’s contents to the users’ computer. The user’s IP address must be stored for the duration of the session.
Storing the logfile is required to maintain the functionality of the website. The data also serve to help maintain the security of our IT systems. The data are not analysed for marketing purposes. These purposes are part of our legitimate interests as per Article 6(1f) of the GDPR.
4. Storage period
The data will be erased as soon as they are no longer required to fulfil the purpose for which they were collected. In case of data collected in the course of accessing the website, the purpose expires when the session is over. In the case of stored logfiles, the purpose expires no later than 30 days after the session.
5. Objection and rectification
Data collected to provide the website and storage of data in the logfiles is strictly required to operate the website. Therefore, the user has no right to object.
IV. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files stored on the user’s computer system by the web browser. A cookie can be stored on the user’s operating system when the user accesses a website. The cookie contains a unique sequence of characters that allows that particular browser to be identified upon the next visit.
We use cookies to make our website more user friendly. Some elements of our website require a browser accessing it to be identifiable when switching pages.
The following data are stored and transmitted in the cookies:
(1) the type of device (mobile or desktop device), the user’s setting to use the desktop view on mobile devices;
(2) the user’s selection of the contrast view;
(3) session information extending across several instances of accessing the page (e.g. filling, checking and sending a form);
(4) login information.
2. Legal basis for data processing
Article 6(1f) of the GDPR provides the legal basis for processing personal data in the course of using cookies.
3. Purpose of data processing
The purpose of using technically necessary cookies is to simplify the user experience. Our website can be used without cookies in principle. Some functions will not work without cookies. Such functions require the particular browser to be identifiable between pages on the site.
The purposes for which we require cookies are listed in section V.1.
Users’ data collected in the course of applying technically necessary cookies are not used to produce user profiles.
4. Period of storage, the right to object and the right to rectification
Cookies are stored on the user’s computer and transmitted to our website. This gives you, the user, complete control over the use of cookies. By adjusting the setting in your web browser, you can deactivate or restrict the transmission of cookies. Cookies already stored on your computer can be erased at any time. This can also be automated. If cookies are deactivated for our website, some functions of the website might no longer be fully operational.
V. Rights of data subjects
If your personal data are being processed, then you are the data subject according to the GDPR, and you have the following rights with respect to the controller.
1. Right of access
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed.
Where that is the case, you can demand access to the following information and access to the personal data from the controller:
(1) the purposes of processing;
(2) the categories of personal data concerned;
(3) the recipients or categories of recipient to whom your personal data have been or will be disclosed;
(4) the envisaged period for which your personal data will be stored, or, if not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of your personal data or to object to such processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where your personal data are not collected from you, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for you.
You have the right to be informed when your personal data are transferred to a third country or to an international organisation. In such cases, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.
2. Right to rectification
You have the right to obtain from the controller without undue delay the rectification or completion of inaccurate or incomplete personal data.
3. Right to restriction of processing
You have the right to obtain restriction of processing your personal data where one of the following applies:
(1) if you contest the accuracy of your personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of personal data, requesting the restriction of their use instead;
(3) the controller no longer needs your personal data for the purposes of the processing, but you require them for the establishment or defence of legal claims;
(4) you object to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If you have obtained restriction of processing under the conditions listed above, you will be informed by the controller before the restriction of processing is lifted.
4. Right to erasure
a) The duty to erase
(1) You have the right to obtain from the controller the erasure of your personal data without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(2) your personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(3) you withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;
(4) you object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR;
(5) your personal data have been unlawfully processed;
(6) your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(7) your personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
b) Information to third parties
Where the controller has made your personal data public and is obliged pursuant to Article 17(1) to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing your personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, your personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary: (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in point 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defence of legal claims.
5. Right to notification
If you have demanded from the controller the rectification, erasure or restriction of your personal data or restriction of processing, the controller is obligated to communicate this demand to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about those recipients from the controller upon request.
6. Right to data portability
You have the right to receive your personal data, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where: (1) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1) of the GDPR; and (2) the processing is carried out by automated means.
In exercising your right to data portability, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others will not be adversely affected.
The exercise of the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on point (e) or (f) of Article 6(1) of the GDPR, including profiling based on those provisions. The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw consent to data storage and processing
You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in points (1) and (3) above, the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority