Data Protection Officer

You can contribute to data protection yourself with simple measures:

• Lock your office when nobody is in it.
• Keep your desk tidy and make sure that no documents containing personal data are lying around or can be viewed by visitors.
• Switch off PCs at the end of the working day and automate screen locks for short absences from the office.
• Lock away documents with personal data when they are not in use.
• Dispose of data carriers (e.g. paper, DVDs) in accordance with data protection regulations when they are no longer needed.
• Be careful with mobile data carriers.
• Obtain the appropriate authorisation before using new services (e.g. software).
• Never share passwords and log-in data with others, not even with friends and family.
• All cloud services such as Dropbox, messengers such as Skype and social networks as well as the use of private email accounts and data storage are currently highly critical under data protection law and are no longer permitted for the exchange of personal data. In particular, do not disclose any third-party data, as this could make you yourself the responsibility of a data processor. So if you find an ID card, for example, do not post a photo of it on Facebook, however well-intentioned it may be.
• Take care of your ID documents and important papers and do not disclose any unnecessary personal information.
• Do not use foreign, open WLAN networks and do not take unencrypted data carriers and mobile devices with stored access data with you when travelling outside Europe.

Each organisational unit of the University observes the statutory data protection regulations in the performance of its tasks. Should a breach of data protection nevertheless occur, the University will report it to the State Data Protection Officer within 72 hours of becoming aware of it. If the breach of data protection poses a high risk to the personal rights and freedoms of those affected, they will be notified immediately. Violations of the statutory data protection regulations may lead to complaints by the Bavarian State Data Protection Commissioner and to claims for damages.

Legal basis

All data processing is subject to the principle of necessity, purpose limitation and data minimisation. Data that is no longer required is deleted unless archiving is prescribed.

The legal basis for any data collection is either a legal obligation or the consent of the data subject. The University of Würzburg is legally obliged to use "the possibilities of information and communication technology" in teaching (Art. 55 para. 2 sentence 3 BayHSchG). Data that is not absolutely necessary for these and other statutory tasks is therefore only collected with the consent of the data subject.

Data security, server location and data transfer

The processing of your data within the area of responsibility of the University of Würzburg takes place on our own servers within the university. Data will only be transferred to third parties if this is necessary for the fulfilment of the University's tasks. You will be informed of this in the individual processing activities.

In order to guarantee the confidentiality and integrity of the data, the responsible departments ensure appropriate security, taking technical progress into account. The University pays particular attention to protection against unauthorised modification and unlawful use and to ensuring that the data is up to date.

Employees of the university

University employees are made aware of the special confidentiality of official data before they start work. This obligation to data protection continues even after the end of employment.

Homepage

Detailed information on data protection with reference to the University of Würzburg homepage can be found at https://www.uni-wuerzburg.de/sonstiges/datenschutz/.

Data protection information on other online services of the University can be obtained directly from the respective service.

The new legal standards define the term personal data more broadly than before. The four components of personal data are information, personal reference, natural person and identification or identifiability.

With regard to the information content, not only verifiable statements, such as date of birth, are affected, but also assessments and judgements, regardless of their truthfulness. The way in which the information is stored is irrelevant under the new law. Any structured collection of personal data is included, meaning that paper-based files are also covered, for example.

The personal reference is also given if the data subject was not the target of the data processing, but is indirectly affected by it.

The new General Data Protection Regulation only relates to the protection of natural persons. Legal persons are not covered.

Personal data does not necessarily require the exact identification of a person, e.g. by name. It is sufficient if a person can be identified by specific characteristics, e.g. with regard to their physical, physiological, psychological, economic, cultural or social identity. A person is always identifiable if any third party can identify the person with the help of this data.

As a data subject, you have a right to information about the data stored about you. Upon request, you will receive information about

• the purposes of processing,
• the categories of personal data
• the recipients (categories) to whom this data has been disclosed or will be disclosed in the future
• the duration of storage or the criteria that lead to this storage period and
• the origin of the data if it was not collected directly from you.

If incorrect data about you is stored, you have the right to have the data corrected. You also have the right to erasure, restriction of processing or objection to processing, unless the data must continue to be processed in individual cases due to legal obligations (e.g. under higher education law, examination law, archive law, etc.). In the event of data breaches, for example due to hacking or human error, you and the responsible data protection supervisory authority will be informed within 72 hours and measures will be taken to protect your data and the systems.

If you become aware of possible data breaches at the University of Würzburg, please inform us immediately using our reporting form with.

Personal data must be deleted as soon as it is no longer required for the purpose provided for in the legal basis or in the consent. The deletion period therefore depends on the intended purpose.

The data subject can effectively request the deletion of their data at any time if this does not conflict with legal obligations.