Data protection declaration for the website of the Catholic University of Eichstätt-Ingolstadt

We appreciate your interest in our University. The Catholic University of Eichstätt-Ingolstadt (KU) attaches particular importance to the protection of your personal data. In the following, we would therefore like to inform you, in accordance with Section 15 of the Law on Data Protection in the Catholic Church in Germany (Gesetz über den Kirchlichen Datenschutz, KDG), about how we handle the data that is collected directly while you visit our website and make further use of our online services.

1 Responsibilities and contact

If you have any questions that could not be answered by the information given here, you will find contact persons with their contact details for the relevant responsibilities below:

1.1 Name and address of the responsible person

The responsible party within the meaning of the KDG and the General Data Protection Regulation as well as other data protection regulations is the

Katholische Universität Eichstätt-Ingolstadt (KU)
represented by the Chairperson of the Foundation Jana Marlow
Ostenstraße 26
85072 Eichstätt, Germany
Phone: +49 8421-93-0
E-mail: info(at)ku.de

1.2 Name and address of the company’s data protection officer

The data protection officer of the responsible party is:

Mr. Ziar Kabir
SCO-CON:SULT GmbH
Hauptstraße 27
53604 Bad Honnef, Germany
E-mail: info(at)sco-consult.de
Phone: +49 2224 98829-0

 

2 Basic information on data collection and processing

Here, we would like to give you an overview of whether, when, where and how your personal data is collected, processed and stored while you are visiting our website. We will also provide information on the reasons why we collect and process such data and why this is legally permitted.

2.1 What is personal data?

All information concerning a specific or identifiable person is defined as personal data. A person is deemed to be identifiable if such person can be identified directly or indirectly. This may be effected by allocating an identifier to such person, for example a name, an ID number, location data, online identification data or one or several distinctive characteristics.

2.2 Why does the KU process my personal data?

Personal data is processed on the KU website only to the extent that this is necessary for the provision of a functioning website, for the presentation of the respective contents or for the provision of certain services. Personal data is processed either on a legal basis (see section 2.3) or on the basis of the user's explicit consent.

Specifically, the KU collects and processes personal data in three contexts:

  • Our website uses technically necessary cookies that do not require consent. These so-called “functional cookies” ensure technically smooth operation of the website and all its functionalities.
  • In addition, you can actively agree to the collection of data through so-called statistics cookies when visiting our website (see section 3.2.2). These are not technically necessary for functionality, but they make it easier for us to better tailor our website to your needs. By collecting this data, it is easier for us to determine, for example, whether our site structure is user-friendly. Of course, this data is also only processed in anonymized form (see section 3.2.2).
  • A third form of personal data that we process is directly collected data. Thus, for example, when you contact the KU using a contact form on our website, you are transmitting personal data such as your own e-mail address. Such data transmitted to the KU on a voluntary basis will be stored and used exclusively for the purpose of processing the inquiry made. This data will not be passed on to third parties.

 

2.3 Which of my personal data is collected by the KU and for what purposes is it used?

2.3.1 Provision of the website and creation of log files

Each time you access the KU website, your browser automatically transmits a number of general data and information to our web server on which the website is operated (hosted) in order to ensure the functionality of the site. Of these, the following information is stored by us in log files for a short period of time: 

  • Your Internet Protocol (IP) address – the address that is passed to the outside world when you access the web,
  • The subpages and files you request on our website,
  • Your device type used (e.g. desktop PC, tablet, smartphone),
  • Your operating system in use,
  • Your browser type and version (e.g. Mozilla Firefox, Google Chrome, etc.),
  • Date and time of access to our website.

If you have JavaScript enabled in your browser, the following data may also be transmitted, which is only used to optimize the display on your device:

  • The screen resolution of the device you are using (e.g. 1920 x 1080),
  • The color depth of the display of the device you are using,
  • The size of the browser window (e.g. 1920 x 977),
  • The installed fonts,
  • The installed plug-ins.

The log files are stored on the web servers and thus separately from any personal data entered by a data subject. The web servers are hosted by us. Your data will not be passed on to third parties. It is generally not possible for us to draw conclusions about individual persons on the basis of this data.

The collection and short-term storage of the general data listed here, including the IP address, is necessary to enable correct delivery of the website to the user's IT system. For this purpose, the user's IP address must remain stored for the duration of the session. The storage in log files is effected to ensure functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. Lastly, such information may also be used to provide law enforcement authorities with information necessary for prosecution in the event of a cyber attack.

We do not systematically evaluate the data for statistical or marketing purposes, but only in specific exceptional cases, for example to ensure and improve system security and thus data security.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In case of data collection for operation of the website, this is the case when the respective session has ended. In case of storage of data in log files, this is the case after seven days at the latest.

The collection of data for the provision of the website and the storage of the data in log files is mandatory for the operation of the website. Thus, there is no possibility for the user to object. The legal basis for temporary storage of data and log files is Section 6 para. 1 lit. g) of the KDG.

2.3.2 Use of cookies

The KU web pages use cookies. Cookies are text files that are placed and stored by a web browser on the user's device for each website visited.

Numerous websites and servers use cookies. Many cookies have a so-called cookie ID. A cookie ID is a unique identification code of the cookie. It consists of a character sequence with which websites and servers can be traced back to the specific web browser in which the cookie was saved. This allows accessed websites and servers to differentiate between individual browsers used by the data subject and other web browsers, which contain different cookies. In this way, individual web browsers can be recognized and identified by their unique cookie ID.

Cookies thus make it possible to recognize users when they access a website. This recognition process is important in order to be able to facilitate the use of our website for all users. In this way, information and offers can be optimized in the interests of the user. Internet users who allow cookies will not have to enter their login data every time they re-visit the page – this is taken care of by the website and the cookie stored on the user’s computer system.

We must distinguish between technically necessary cookies that do not require consent (also: functional cookies) and cookies that are not necessary from a technical point of view and that do require consent (e.g. statistics cookies). You can control which cookies you wish to allow when using our website via the cookie consent banner that appears when you access our website, or via the "Cookie settings" button below.

You can adjust the cookie settings for this website for future use here:

Cookie settings

The legal basis for the processing of personal data using functional cookies is Section 6 para. 1 lit. g) of the KDG. In case of processing of personal data using cookies for statistical and analysis purposes, provided that the user has given their consent, this is done on the basis of Section 6 para.1 lit. b) of the KDG.

You also have the possibility to delete cookies at any time in the settings of the web browser or another software program. In addition, you can prevent future storage of cookies. This function is available in all common web browsers. Please note: If you deactivate the use of cookies in your web browser, you might not be able to make full use of all functions on our web page.

a. Functional cookies

Technically necessary cookies are essential for the functionality of websites; some functions cannot be offered without the use of such cookies. In addition, the use of functional cookies serves to simplify use of our website. All functional cookies used by us can be found in the cookie consent banner. These are session cookies that save certain settings of the user in order to make them available to them again when they use our website again later. Specifically, on our site, this is log-in data.

In our cookie consent banner, you will find these functional cookies already preselected as "Necessary cookies".

b. Statistics cookies – application and use of Matomo

If you give us your consent, we use so-called statistics cookies from Matomo. The KU has integrated the web analysis software Matomo (www.matomo.org) on its website for this purpose. The operator is InnoCraft Ltd., 7 Waterloo Quay PO625, 6140 Wellington, New Zealand.

These cookies are not technically necessary for functionality; you could also use our web offer without agreeing to these statistics cookies. At the same time, you make it easier for us to better tailor our website to your needs if you do not deactivate these statistics cookies. By collecting this data, it is easier for us to determine, for example, whether our site structure is user-friendly. We only use these cookies if you explicitly agree to the data collection and processing by the KU via the cookie consent banner. You can revoke your consent at any time with effect for the future. In order to do this, you can use the "cookie settings" button above. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo does not collect any session data. Important: If you delete your cookies in your browser settings, this also results in deletion of the opt-out cookie, which might then have to be reactivated.

Web analysis means the collection, compilation and analysis of data on the behavior of website visitors. Amongst others, a website analysis tool collects data on the websites from which data subjects were referred to our website, on how many sub-pages of the website were accessed or how many times and for how long a sub-page was accessed. Web analysis mainly serves the purpose of optimizing a website and for cost-benefit-analyses of internet advertising. The KU uses the Matomo software accordingly to analyze the flow of visitors to its website and the use of the website.

Matomo works in the following way: Matomo places a cookie in the IT system of the data subject. For an explanation on cookies, please see above. With every access to one of the sub-pages of this web service, the Matomo component automatically triggers a data transfer by the internet browser on the user’s IT system to our server for the purposes of online analysis. Cookies store personal information, such as the date and time as well as the location and origin of the access and the frequency of visits to our website.

This usage information, including the IP address of the internet connection used by the data subject, is transferred to our server with every access to our websites. The software is operated on the KU server; log files that are sensitive data under data protection law are stored exclusively on our internal server for usage analysis purposes only. We do not transfer such personal data to third parties. Your IP address is immediately made anonymous during this process, so that you as a user remain anonymous to us.

Any analysis carried out by Matomo supports us in optimizing our websites. By collecting anonymized data, we are able to draw conclusions as to whether a website structure is user friendly and adapt the structure if necessary to better meet the requirements of our users. 

2.3.3 Registration and contact on our website

You have the possibility to register on the KU website by entering personal data. Which kind of personal data is transferred for processing to the responsible department (data processor) is dependent on the respective input mask used for the registration.

When registering on the KU website, the IP address allocated by the data subject’s internet service provider (ISP) as well as the date and time of registration will be stored. This information is collected because this is the only way to prevent misuse of our services and because this data can support the investigation of crimes committed. This means that storage of this data is necessary for the protection of the responsible data processor. In general, this data is not transferred to third parties, unless there is a legal obligation to disclose or if disclosure becomes necessary in the context of criminal prosecution.

The data subject’s registration and voluntary disclosure of personal data enables the KU to provide the data subject with content or services or to fulfill its tasks.

The website of the KU contains information that enables a quick electronic contact to our University as well as an immediate communication with us. If a person contacts the KU via e-mail or the contact form, any personal data transferred by the respective data subject is stored automatically and used for the purpose of processing the submitted inquiry.

2.3.4 Subscription to a newsletter via our website

At various points on the KU website, you are given the opportunity to subscribe to a newsletter (e.g. newsletter for prospective students or newsletter of the Center for Teacher Education). The relevant input mask provides information on which type of personal data must be disclosed to the responsible processor in order to be able to register for the newsletter. For legal reasons, as soon as a data subject has subscribed to the newsletter, a confirmation e-mail will be sent in a double opt-in process to the e-mail address provided for that purpose for the first time. This confirmation e-mail serves the purpose of verifying whether the holder of the e-mail address as the data subject has authorized receipt of the newsletter.

When a person subscribes to the newsletter, we further store the IP address provided by the internet service provider (ISP) of the computer system that was used by the data subject at the point in time of registration as well as the date and time of the subscription. It is necessary to collect this type of data in order to be able to retrace any (possible) misuse of the data subject’s e-mail address at a later point in time. Thus, it serves as legal protection for the responsible data processor.

The personal data collected upon subscription for the newsletter is solely used for the purpose of sending the respective newsletter. Furthermore, subscribers could be informed by e-mail if necessary for the operation of the newsletter service or a registration connected to it, as would be the case for changes to the newsletter service or to the technical conditions. Personal data collected in the context of the newsletter service will not be passed on to third parties.

You can cancel your subscription to a newsletter at any time. You can also revoke your consent on the storage of personal data for the purpose of sending out the newsletter at any time with effect for the future. If you want to revoke your consent, please use the corresponding link that is included in every newsletter. As a rule, you can also unsubscribe from the newsletter directly on the website of the responsible data processor or notify the responsible data processor that you no longer want to receive the newsletter in any other way.

The KU uses SuperWebMailer, CleverReach and MailerLite as newsletter software.

a. Newsletter distribution and analysis via SuperWebMailer

This website uses SuperWebMailer for sending newsletters. SuperWebMailer is a service that can be used to organize and analyze newsletter distribution. The software and the license were provided by Mirko Böer, Malachitstraße 16, 04319 Leipzig, Germany. The service provider ("Host") is the KU itself. The data you enter to receive the newsletter (e.g. e-mail address) is stored exclusively on the KU's own servers.

Our newsletters sent with SuperWebMailer allow us to analyze the behavior of newsletter recipients. In this context, among other things, it can be analyzed how many recipients have opened the newsletter and how often which link in the newsletter was clicked on. The data collected in this way is evaluated by the data processor in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to the interests of newsletter recipients. These data will not be passed on to third parties.

The data processing is based on your consent, which you explicitly give by subscribing to the newsletter. You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing already carried out remains unaffected by the revocation.

If you wish to unsubscribe from the newsletter, you will find a corresponding link in every newsletter message. Data entered to set up the subscription will be deleted from our servers and SuperWebMailer's servers as soon as you unsubscribe.

b. Newsletter distribution and analysis via CleverReach

This website uses CleverReach for sending newsletters. The provider is CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede, Germany. CleverReach is a service that can be used to organize and analyze newsletter distribution. The data you enter to receive the newsletter (e.g. e-mail address) is stored on CleverReach’s servers in Germany and/or Ireland.

Sending newsletters with CleverReach also allows us to analyze the behavior of our newsletter recipients. The analysis shows, among other things, how many recipients opened their newsletter and how often which link in the newsletter was clicked on. CleverReach collects the opening rate via a so-called tracking pixel, a miniature graphic that is embedded in the newsletter and the download of which is counted. The click rate is determined by creating links in the newsletter as tracking links.

For details on data analysis by CleverReach, please visit: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/.

The data collected in this way is evaluated by the data processor in order to optimize the newsletter dispatch and to better adapt the content of future newsletters to the interests of the data subject. This personal data will not be passed on to third parties.

Data processing is based on your consent, which you explicitly give by subscribing to the newsletter. You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing already carried out remains unaffected by the revocation.

If you wish to unsubscribe from the newsletter, you will find a corresponding link in every newsletter message. Data entered to set up the subscription will be deleted from our servers and CleverReach's servers as soon as you unsubscribe.

In order to fully comply with the legal data protection requirements, we have concluded an order processing agreement with CleverReach.

For more details, please refer to CleverReach's privacy policy at: https://www.cleverreach.com/de/funktionen/datenschutz-sicherheit/

c. Newsletter distribution and analysis via MailerLite

This website uses MailerLite for sending newsletters. The provider is MailerLite UAB, Paupio g. 246, LT-11341 Vilnius. The data you enter to receive the newsletter (e.g. e-mail address) is stored on the servers of MailerLite UAB in Lithuania.

The newsletter is sent via software of the provider. Any other processing or disclosure of the registered e-mail addresses to third parties is excluded.

You can cancel or revoke your subscription to this newsletter and thus your consent to the storage of your data at any time with effect for the future. You can unsubscribe at any time using a link at the end of each newsletter. The recipient's e-mail address will then be deleted from the newsletter directory and can only be re-entered by registering again.

In order to fully comply with the legal data protection requirements, we have concluded an order processing agreement with MailerLite.

For more details, please refer to MailerLite UAB's privacy policy at: https://www.mailerlite.com/privacy-policy

d. Newsletter distribution and analysis via Matoma Newsletter Marketing Center

This website uses Matoma Newsletter Marketing Center to send e-mail newsletters in the context of alumni management. The provider is Matoma GmbH, Achauerstraße 8, 78647 Trossingen (https://matoma.de).

The Newsletter Marketing Center is GDPR compliant, uses German software and the location of the servers is exclusively in Germany.

The newsletter is sent via the software of the provider. You can cancel or revoke your subscription to this newsletter and thus your consent to the storage of your data at any time with effect for the future. You can unsubscribe at any time using a link at the end of each newsletter. The recipient's e-mail address will then be deleted from the newsletter directory and can only be re-entered by registering again. In order to fully comply with the legal data protection requirements, we have concluded an order processing agreement with Matoma.

 

2.4 What is the legal basis for data processing?

Section 6 para. 1 lit. b KDG serves as a legal basis for data processing operations for which we obtain an approval applicable to certain processing purposes. If the processing of personal data is necessary for the fulfillment of an agreement to which the data subject is a contractual party, as is the case, e.g. in processing operations which are necessary for the delivery of goods, implementation of an event or other services or return services, such processing shall be governed by Section 6 para. 1 lit. c KDG. The same shall apply for processing operations necessary for the fulfillment of pre-contractual measures, e.g. in case of inquiries for our goods or services. If the KU is governed by a legal obligation making the processing of personal data necessary, e.g. in order to fulfill tax obligations, such processing shall be governed by Section 6 para. 1 lit. d KDG. If the processing is necessary to protect a legitimate interest of the KU or a third party and the interests, fundamental rights and freedoms of the data subject, which require the protection of personal data do not take precedence, the data processing shall be based on Section 6 para. 1 lit. g KDG.

Automated decision-making based on the collected personal data (e.g. profiling) is not effected (cf. Section 7.7).

2.5 How long will my personal data be stored?

The KU only processes and stores personal data of the data subject for the period of time which is necessary for the storage purpose or if this is provided for by a European regulator or issuer of directives or another legislator or is stipulated in a law or regulation to which the responsible data processor is subject.

If the storage purpose lapses or a deadline stipulated by a European regulator or issuer of directives or another responsible legislator expires, such personal data will be deleted or blocked in a routine procedure in accordance with statutory provisions.

2.6 Do I have to provide my personal data?

In section 2.2, it was explained why it is necessary for the KU to process various personal data.

As mentioned, some data is essential to ensure the smooth operation, technical functionality and security of our website (see also sections 3.1 and 3.2.1). For the conclusion and fulfillment of a contract between you and the KU (as is the case when using various offers and functions of our website), it is mandatory and also required by law that you provide us with your data. If you object to the collection of your data, we will not be able to conclude an agreement with you.

Other data helps us to optimize the content of our website with regard to your needs. In this case, you must first explicitly agree to the collection and processing of data by the KU via the cookie consent banner - otherwise the data mentioned here will also not be collected by us. Since these are not technically necessary cookies (functional cookies), you can also refrain from giving your consent or, if given, also revoke it at any time with effect for the future.

 

3 Facebook

Furthermore, we have a company profile on Facebook (fan page). On our website, we do not use a Facebook social plugin that leads to this fan page. The reference is identified by a logo on our website and is only included as a link to Facebook. After clicking on the corresponding logo, the Facebook page will open in a new tab. Only then is user information actually transferred to Facebook.

In connection with this company page, we would like to inform you of the following:

Within the meaning of the EU General Data Protection Regulation (GDPR) and any other data protection regulations, the following parties are collectively responsible for the operation of the KU’s Facebook page:

Facebook Ireland Ltd. (hereinafter referred to as "Facebook")
4 Grand Canal Square
Grand Canal Harbour
Dublin 2
Ireland

and

Catholic University of Eichstätt-Ingolstadt (KU)
Ostenstraße 26
85072 Eichstätt, Germany

As soon as you access our fan page on Facebook, your browser establishes a connection with Facebook and transfers information. The following data will be transmitted among others:

  1. For users who are not registered with or logged onto Facebook:
     • IP address: When a Facebook company page is accessed, Facebook automatically identifies the accessing user’s IP address.
     • Cookies: If you access our fan page, Facebook will automatically place cookies. According to information provided by Facebook, the so-called datr cookie enables Facebook to identify the web browser with which the connection to the Facebook page is established. This cookie plays a key role when it comes to protecting the social network from “malicious activity”. The datr cookie is valid for two years, but can be deleted by changing the browser settings.
  2. For users who are registered with and logged onto Facebook:
     • IP address: Facebook also collects the IP address of users who are logged in (see above).
     • Cookies: In this case as well, Facebook places a datr cookie (see above).
     • If you are a member of Facebook and are logged on to Facebook while visiting our company profile, the c_user cookie will be additionally activated. Facebook will then connect the fact that you access the company page to your personal user account. This allows Facebook to draw conclusions on your user behavior.

Facebook processes user data for the following purposes:

  • Advertising, analysis, creation of personalized advertising
  • Creation of user profiles
  • Market research

When the KU’s fan page on Facebook is accessed, Facebook automatically stores information transferred by your browser to Facebook in a log file. We explicitly state that we neither have any knowledge of the extent and content of the data collected by Facebook nor of its processing and use or possible transfer to third parties by Facebook.

Furthermore, Facebook provides operators of company pages with the tool “Facebook Insights” for measuring statistical information (=non-personal data) on how their pages are accessed and used. These are, for example, the total number of page views and "likes", page activity, post interactions, video views, post reach, comments, shared content, replies, proportion of men and women, origin in terms of country and city, language.

What you can do to prevent this: If you are a member of Facebook and you do not want Facebook to collect your data via our fan page and connect such data to your member data stored on Facebook, you have to:

  • Log off from Facebook before you access our company profile,
  • In a next step delete all cookies stored on your computer
  • And quit and restart your browser.

In this way, according to Facebook’s own statement, all Facebook information by which you could be identified is deleted.

Objection options (a so-called opt-out) can be found here https://www.facebook.com/settings?tab=ads and here http://www.youronlinechoices.com/.

In accordance with the GDPR, you can exert your data subject rights primarily towards Facebook Ireland or towards us. In accordance with the judgment of the European Court of Justice (ECJ), the fan page is jointly controlled by Facebook and us within the meaning of Art. 26 GDPR (in this context, please see Page Controller Addendum at https://www.facebook.com/legal/terms/page_controller_addendum).

In accordance with the GDPR, the primary responsibility for the processing of insights data lies with Facebook and Facebook fulfills any and all obligations arising from the GDPR in connection with the processing of insights data (https://de-de.facebook.com/legal/terms/information_about_page_insights_data).

Facebook Ireland shall provide the data subject with main information regarding the Page Insights Addendum. Only Facebook Ireland shall make decisions on the processing of insights data and carry out such processing. We, the KU, do not make any decisions on the processing of insights data and all other information arising from Art. 13 GDPR, including the legal basis, identity of the controller and the period for which cookies are stored on the users’ devices.

The legal basis for the processing of insights data arises from Art. 6 para. 1 sentence 1 lit. f GDPR (our legitimate interest). Our aim is to make the page more attractive for our users.

Your data may also be transferred to the USA. When personal data is being transferred, there are risks under data protection law for the person whose data is transferred to the USA. U.S. authorities (especially intelligence services) are entitled to audit rights (especially under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12 333) without EU citizens being able to object. These U.S. legal bases allow data access for electronic communications services to non-U.S. citizens even without a court order and legal protection.

In terms of judicial relief, EU citizens do not have the same legal options (remedies) as U.S. citizens to challenge the processing of personal data by U.S. authorities.

The United States engages in mass data processing without providing protections equivalent in substance to those guaranteed by Articles 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights. Since 2018, there is also the Cloud Act, which allows U.S. authorities to access stored data from U.S. companies (and also their subsidiaries in Europe) that is not stored in the United States.

For information on Facebook’s data protection policy, please see Facebook’s privacy statement at www.facebook.com/policy.php.

4 YouTube

This website uses plugins from the YouTube site operated by Google Inc. The operator of the site is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States ("Google"). The company providing the service in the European Economic Area and Switzerland is Google Ireland Limited, a company incorporated and operated under the laws of Ireland (Registration number: 368047) with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland.

We use embedded YouTube videos in privacy-enhanced mode. The "privacy-enhanced mode" function blocks YouTube cookies from being set until the user actively clicks on the play button. By clicking the play button, you consent to YouTube setting cookies on the device you are using, which may also be used to analyze user behavior for market research and marketing purposes. In the course of this, YouTube will at least record and process your IP address, the date and time as well as the website you visit. Furthermore, a connection to Google’s advertising network "DoubleClick" will be established.

If you are also logged on to YouTube, YouTube will assign the connection information to your YouTube account. If you want to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.

Google also processes personal data in the U.S. and relies, among other things, on the so-called standard contractual clauses of the European Commission; for more information, please see https://policies.google.com/privacy/frameworks?hl=de. Google may share your data with third parties. These are, for example, group-affiliated companies, business partners and advertising partners, who in turn apply tracking technologies to the Vimeo website. When personal data is being transferred, there are risks under data protection law for the person whose data is transferred to the USA: U.S. authorities (especially intelligence services) are entitled to audit rights (especially under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333) without EU citizens being able to object. These U.S. legal bases allow data access for electronic communications services to non-U.S. citizens even without a court order and legal protection. In terms of judicial relief, EU citizens do not have the same legal options (remedies) as U.S. citizens to challenge the processing of personal data by U.S. authorities.

The United States engages in mass data processing without providing protections equivalent in substance to those guaranteed by Articles 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights.

If you do not agree to the described data processing on the part of YouTube, you have the possibility to prevent the storage of cookies by adjusting your web browser settings. You will find more information on this under "Cookies" above.

The legal basis for the use of the YouTube plugins on our website is Section 6 para. 1 lit. b) KDG, insofar as you have given us your consent. You can revoke such consent at any time with effect for the future. In this case, you will no longer be able to use the YouTube service.

For more information on the handling of user data, please see YouTube's privacy policy at: https://policies.google.com/privacy?hl=de.

 

5 Vimeo

This website also uses video plugins from the company Vimeo. The video portal is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA.

When you access videos via Vimeo on our website, a connection is established to Vimeo's servers in the USA. This transmits certain information to Vimeo, irrespective of whether or not you have a Vimeo account. This includes, for example, your IP address, technical information on your browser, and information on the website from which you accessed the Vimeo page.

Vimeo stores cookies on your user device, in particular the tracker Google Analytics. This is Vimeo's own tracking, to which we have no access. You can prevent tracking by Google Analytics by using the deactivation tools that Google offers for some web browsers. Users can also prevent Google from collecting and processing the data generated by Google Analytics and related to their use of the website (including their IP address) by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de.

If you are logged in to Vimeo as a registered member, more data can usually be collected because more cookies may have already been set in your browser. In addition, your actions on our website are directly linked to your Vimeo account. If you want to prevent this, you must log out of Vimeo before visiting our website and delete the corresponding cookies placed in your browser by Vimeo.

Vimeo processes personal data in the U.S. and relies, among other things, on the so-called standard contractual clauses of the European Commission; for more information, please see https://vimeo.com/privacy#international_data_transfers_and_certain_user_rights in section “14.2 GDPR (EEA Users)”. Vimeo may share your data with third parties. These are, for example, group-affiliated companies, business partners and advertising partners, who in turn apply tracking technologies to the Vimeo website. When personal data is being transferred, there are risks under data protection law for the person whose data is transferred to the USA: U.S. authorities (especially intelligence services) are entitled to audit rights (especially under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333) without EU citizens being able to object. These U.S. legal bases allow data access for electronic communications services to non-U.S. citizens even without a court order and legal protection. In terms of judicial relief, EU citizens do not have the same legal options (remedies) as U.S. citizens to challenge the processing of personal data by U.S. authorities.

The United States engages in mass data processing without providing protections equivalent in substance to those guaranteed by Articles 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights.

If you do not agree to the described data processing on the part of Vimeo, you have the possibility to prevent the storage of cookies by adjusting your web browser settings. You will find more information on this under "Cookies" above.

The legal basis for the use of the Vimeo plugins on our website is Section 6 para. 1 lit. b) KDG, insofar as you have given us your consent. You can revoke such consent at any time with effect for the future. In this case, you will no longer be able to use the Vimeo service.

For more information on data processing and privacy notices by Vimeo, please visit https://vimeo.com/privacy as well as the Cookie Policy at https://vimeo.com/cookie_policy.

 

6 Instagram

The KU uses the messaging service Instagram via the technical platform and services of Facebook Inc., 1601 Willow Road, Menlo Park, CA 94025. Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland, is responsible for data processing for individuals living outside the United States.

The reference to Instagram is identified by a logo on our website and is only included as a link to Instagram. After clicking on the corresponding logo, the Instagram page will open in a new tab. Only then is user information actually transferred to Instagram.

We would like to point out that you use the Instagram profile and its functions on your own responsibility. This applies in particular to the use of interactive functions (e.g. liking and commenting). Alternatively, you can find study or work-related information offered through this page on our website.

Information on which data is processed by Instagram and for which purposes can be found in Instagram's privacy policy: https://help.instagram.com/155833707900388/

When you use Instagram, your data will be collected, transferred, stored, disclosed and used by Facebook Ireland Ltd. In this context, Instagram processes, on the one hand, the data you enter voluntarily, such as name and username, e-mail address, phone number or the contacts of your address book when you upload or synchronize it. On the other hand, Instagram also analyzes the content you share to determine what topics you are interested in, stores and processes confidential messages you send directly to other users, and may use GPS data, wireless network information, or your IP address to determine your location in order to provide you with advertising or other content.

For evaluation, Instagram may use analytics tools such as Instagram Insights or Google Analytics. The KU has no influence on the use of such tools by Instagram and was not informed about such potential use. If tools of this kind are used by Instagram for the KU's Instagram profile, the KU has neither commissioned, approved nor otherwise supported this in any way. Nor will it be provided with the personal data obtained during the analysis. Only certain non-personal, aggregated information regarding activity, such as the number of likes or clicks on a particular post or profile, can be viewed by the KU in its account. Moreover, the KU has no possibility to prevent or disable the use of such tools on its Instagram profile.

Your data may also be transferred to the USA. When personal data is being transferred, there are risks under data protection law for the person whose data is transferred to the USA. U.S. authorities (especially intelligence services) are entitled to audit rights (especially under Section 702 of the Foreign Intelligence Surveillance Act (FISA 702) and Executive Order 12333) without EU citizens being able to object. These U.S. legal bases allow data access for electronic communications services to non-U.S. citizens even without a court order and legal protection.

In terms of judicial relief, EU citizens do not have the same legal options (remedies) as U.S. citizens to challenge the processing of personal data by U.S. authorities.

The United States engages in mass data processing without providing protections equivalent in substance to those guaranteed by Articles 7 (respect for private and family life) and 8 (protection of personal data) of the EU Charter of Fundamental Rights. Since 2018, there has also been the Cloud Act, which allows U.S. authorities to access stored data from U.S. companies (and also their subsidiaries in Europe) that is not stored in the United States.

You have options to restrict the processing of your data in the general settings of your Instagram profile under the various menu items listed there.

For further information and the currently applicable Instagram data protection regulations, please visit https://help.instagram.com/155833707900388 and https://www.instagram.com/about/legal/privacy/.

 

7 What are my rights?

As a data subject, you have, among others, the following rights in accordance with the KDG (in the following also referred to as “Data Subject Rights”):

7.1 Right to information in accordance with Section 17 KDG

You have the right to request information as to whether or not we process your personal data. If we process your personal data, you have the right to know

  • the purposes of the processing
  • the type of personal data which is processed
  • the recipient or categories of recipients to which such personal data was disclosed or will be disclosed, in particular if the recipient is in a third country or an international organization
  • if possible, the planned period for which your personal data will be stored or, if this is not possible, the criteria used to determine that period
  • the right to notification or deletion of personal data concerning your person or the right to request restrictions of processing by the respective responsible processor or the right to object to the processing
  • the right to appeal to the data protection supervision
  • if the personal data was not collected from the data subject directly, all available information on the origin of your data
  • the existence of an automated decision making process including profiling in accordance with Section 24 para. 1 and 4 KDG and – at least in those cases – relevant information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject
  • that you are entitled to be informed whether, and if so, on the basis of which guarantees, your data is adequately protected by the data recipient in case of a transfer of your personal data to a country outside the European Union;
  • about your right of requesting a copy of your personal data.
    The first copy is issued free of charge; an appropriate fee may be charged for any further copies. A copy can only be provided if no rights of another person are affected thereby.

7.2 Right to rectification of personal data in accordance with Section 18 KDG

You have the right to request rectification of your personal data in case it is incorrect and/or incomplete. This right also includes the right to completion by additional statements or notifications. Any rectifications and/or additions must be made without undue delay.

7.3 Right to erasure of personal data in accordance with Section 19 KDG

You have the right to request deletion of your personal data if

  • such personal data is no longer required for the purposes for which it was collected and processed;
  • processing of your personal data is effected on the basis of your consent and you have withdrawn such consent; however, this shall not apply if such data processing is permitted by another statutory authorization;
  • you have filed an objection to the processing of your personal data which is permitted by law on the basis of the so-called “legitimate interest”; however, an erasure must not be effected if legitimate reasons for a continued processing have priority;
  • you have filed an objection to the processing of your personal data for the purposes of direct marketing;
  • your personal data has been unlawfully processed.

You shall not be entitled to a right of erasure of personal data if

  • the right to freedom of expression and information is opposed to the deletion request;
  • the processing of personal data is necessary
    • for the fulfillment of a legal obligation (e.g. statutory storage obligations),
    • for the purposes of public tasks or interests in accordance with applicable law (this also includes “public health”) or
    • for archiving or research purposes;
  • the personal data is required for asserting, exercising or defending legal claims.

Erasure must be effected immediately (without undue delay). If we have publicly disclosed personal data (e.g. on the internet), it is our responsibility to ensure, to the extent technically possible and reasonable, that other data processors are informed of the erasure request including the erasure of links, copies and/or other duplicates.

7.4 Right to restrictions of data processing in accordance with Section 20 KDG

You have the right to request restrictions in the processing of your personal data in the following cases:

  • If you have contested the accuracy of your personal data, you can request that we do not use your data for other purposes during the period in which its accuracy is verified, and thus request a restriction of processing of such data.
  • In case of unlawful processing of your personal data, you can request restriction of processing instead of erasure of the data.
  • If you require your personal data for the assertion, exercise or defense of legal claims, but we no longer require your personal data, you can request that we impose restrictions on the processing for prosecution purposes;
  • If you have filed an objection against data processing and if it is still unclear whether our interests in a processing take precedence over your interests, you can request that your data is not used for other purposes for the duration of the verification and thus request a restriction of processing.

Any personal data, the processing of which was restricted upon your request, may, subject to storage, only be processed for

  • asserting, exercising or defending legal claims
  • the protection of the rights of other natural persons or legal entities or
  • reasons of an important public interest

provided that you give your consent.

You will be informed in advance if a processing restriction is to be lifted.

7.5 Right to data portability in accordance with Section 22 KDG

You have the right to request that we provide you with the data you have provided to us in a common electronic format (e.g. PDF or Excel file). You can also request that we directly transfer such data to another company (as named by you) as far as technically possible for us.

The prerequisite for your right to such request is that the processing is effected on the basis of a consent or for the implementation of an agreement and by using automated processes. Exercising the right to data portability must not adversely affect the rights and freedoms of other persons. If you make use of your right to data portability, your right to erasure of data shall remain unaffected.

7.6 Right to object to certain data processing in accordance with Section 23 KDG

If your data is processed for the performance of tasks in the public interest or for the performance of legitimate interests, you can object to this processing. In doing so, you must state the reasons for your objection arising from your particular situation, e.g. special family circumstances or interests in confidentiality worthy of protection.

In case of an objection, we shall be obliged to refrain from processing your personal data, unless

  • there are compelling and legitimate grounds for a processing which take precedence over your interests, rights and freedoms, or
  • the processing is necessary for asserting, exercising or defending legal claims.

You have the right to object to a use of your personal data for direct marketing purposes at any time with effect for the future; this shall also apply to profiling, insofar as such profiling is connected to direct marketing. In case of an objection, we will no longer be authorized to use your personal data for direct marketing purposes. Direct marketing and/or profiling is not arranged for or effected by us in any case.

7.7 Prohibition of automated decisions/profiling in accordance with Section 24 KDG

We are not allowed to base decisions taken by us, which have legal consequences or a significant adverse effect for you, exclusively on automated processing of personal data. The same shall apply to profiling. This prohibition shall not apply insofar as the automated decision making

  • is necessary for the conclusion or implementation of an agreement with you,
  • is permissible in accordance with legal provisions, if such legal provisions include appropriate measures for the protection of your rights and freedoms as well as your legitimate interests, or
  • is effected with your explicit consent.

Decisions which are exclusively based on automated processing of special types of personal data (= sensitive data) are only permissible in cases where

  • they are taken on the basis of your explicit consent or
  • there is considerable public interest in the processing

and if appropriate measures were taken for the protection of your rights and freedoms as well as your legitimate interests.

 

8 Exercising Data Subject Rights

Please contact us if you would like to exercise your Data Subject Rights (see contact details under “responsible person”). Requests which are submitted electronically are generally answered electronically. In general, all information which is to be provided in accordance with the KDG as well as all notifications and measures including exercise of the Data Subject Rights are provided free of charge. We are entitled to request a reasonable fee for any further copies in order to cover administrative costs.

If there is reasonable doubt about your identity, we shall be entitled to request additional information from you for identification purposes.

In general, any requests for information are processed immediately, i.e. within one month from receipt of the request. The deadline may be extended by another two months to the extent necessary, taking into account the complexity and/or number of requests. In case of an extension of the deadline, we will inform you about the delay and its reasons within one month after receiving your request. If we do not take action on a request, we shall inform you immediately, within one month after receipt of the request, and state the reasons for this. We shall also inform you of your possibility to file a complaint with a supervisory authority or seek judicial remedy before a court.

9 Right of appeal to the data protection supervisory authority

In case of complaints, you have the right to contact the data protection supervisory authority (Gemeinsame Datenschutzaufsicht der bayerischen (Erz-)Diözesen, Kapellenstr. 4, 80333 Munich, Germany).