General Data Protection Policy for the Internet Pages of the Ludwig-Maximilians-Universität Munich (hereinafter the “LMU”)
I. Contact Information in Connection with the Internet Presence of the LMU
I.1. Information on the Person Responsible for Data Protection at the LMU
The person responsible for the LMU internet pages within the meaning of the General Data Protection Regulation (DSGVO) and of other national data protection laws or other provisions relating to data protection, is the LMU, which is legally represented by their president. Contact information can be found here (copyright).
The particular facilities of the LMU are each responsible for the content offered on the internet pages of the LMU. Please direct any questions relating to a particular internet page of the LMU to the particular contact party who is listed for the particular internet page in the copyright notice.
I.2 Name and Address of the Official LMU Data Protection Officer
The contact data of the official LMU data protection officer is found on the internet page of the LMU at https://www.uni-muenchen.de/einrichtungen/orga_lmu/beauftragte/dschutz/index.html.
The official data protection officer is available to answer questions about data protection at the LMU. Please use the contact form on the internet page of the official LMU data protection officer for any questions: https://www.uni-muenchen.de/einrichtungen/orga_lmu/beauftragte/dschutz/Datenschutzkontaktformular.html. Please also use this form to report any data protection events which become known to you from your use of the LMU internet pages.
II. General Information about Data Processing on the LMU Internet Pages
II.1 Applicability of the Data Protection Policy
This data protection policy applies to the processing of personal data in connection with the LMU internet presence.
- According to Art. 4 item 1 DSGVO, “personal data” means all information which relates to an identified or identifiable, natural person; the term “identifiable” is deemed to mean a natural person who can be identified directly or indirectly, in particular through assignment of an identifier such as a name, an identifying number, location data, an online identity or one or several special features which are an expression of physical, physiological, genetic, psychic, financial, cultural or social identity of this natural person.
- According to Art. 4 item 2 DSGVO, “processing” means any process executed with or without the aid of automated methods, or any such set of methods in connection with personal data, such as the collection, acquisition, organization, ordering, saving, adapting or changing, read-out, query, use, disclosure by means of transmittal, dissemination or any other form of manipulation, coordination or linking, limitation, deletion or destruction.
II.2 Purpose and Legal basis for processing of personal data
In accordance with Art. 2 para. 6 BayHSchG, Art. 4 para. 1 lines 1 and 2 BayEGovG, on our web pages we offer our services and administrative services, and also information for the public about our activities. Personal data will only be processed on the LMU internet pages provided this is necessary to provide a functioning internet page, to present the particular content, or to provide certain services or offers. The processing of personal data occurs either owing to a legal requirement or based on the user’s consent. When processing of personal data is based on a consent, then such processing shall occur based on Art. 6 para. 1 (a) DSGVO. Art. 6 para. 1 (b) DSGVO serves as the legal basis for the processing of personal data required for the performance of a contract to which the user is a party. Insofar as processing personal data is required to fulfil a legal obligation to which the LMU is subject, the applicable legal basis is provided by Art. 6 para. 1 (c) DSGVO. In the event that the vital interests of the affected person or other natural person require the processing of personal data, the applicable legal basis is provided by Art. 6 para. 1 (d) DSGVO. The processing may also be required in fulfillment of a mission which has been assigned to the University and which is in the public interest (Art. 6 para. 1 (b) DSGVO). Additional legal basis may also arise from special-legal or other legal regulations, to which reference is made in the particular, individual case.
II.3 Data Deletion and Retention Period
The personal data of users of the LMU internet pages will be deleted or erased inasmuch as and provided the particular purpose of the retention has expired and there is no archiving requirement. Deletion or erasure of the data will also occur when a retention period as specified by the European or domestic legislature in EU regulations, laws or other specifications to which the LMU is subject, has expired, unless there is a requirement for continued retention of the data for completion of or fulfillment of a contract. If provided in the referenced regulation, retention for a longer period is possible.
II.4 Data Security
In order to protect your data in a reasonable and comprehensive manner during the processing, and in particular to protect against its transmittal, where necessary and with reference to the prior art, we use appropriate encryption techniques and secure technical systems (e.g. SSL/TLS).
III. Specific Information on Data Processing on the LMU Internet Pages
Every time you visit an LMU website, the LMU system automatically collects data and information from the computer system of the accessing computer. In addition, we process your personal data to the extent you provide such data via the LMU internet pages. In the processing of your personal data we take into account in particular the principles of data protection relating to necessity, purpose, data minimizing, legality, correctness and integrity.
III.1 Use of Active Components and Cookies
Sometimes cookies are placed merely due to a visit to the LMU internet, for example, to identify user-sessions, and also to configure the internet pages in a user-friendly manner. Cookies are text files that are stored on the Internet browser or by the Internet browser on the user's computer system. If a user visits an internet page, a cookie may be stored in the user's operating system. This cookie contains a unique character sequence that permits the browser to be specifically identified upon a subsequent visit to the internet page.
A session-ID is saved in the cookies for public offers exclusively for identification of the user-session (session-cookie). These session-cookies are automatically deleted at the end of your visit by closing your browser.
The saving of these cookies can be turned off at any time by making a corresponding setting in the internet browser; this can also be done automatically.
However, several elements of our internet pages require that the calling internet browser can also be identified even after a page-change. If cookies are deactivated for the LMU internet pages, it is possible that not all functions of the LMU internet pages can still be accessed.
The following services can only be used when the saving of cookies is allowed:
- Web forms
- The event calendar www.lmu.de/aktuelles/veranstaltungen
- All offers saved via the central authentication mechanism
The transmission of flash-cookies cannot be disabled via the settings in your internet browser, but by changing the setting of the flash player.
III.2 Use of Webpage Analysis Tool Matomo (formerly PIWIK)
Programs for evaluation of user behavior on the LMU internet pages are only used by the LMU in an anonymized form. On several internet pages we use the Open-Source-Software-Tool Matomo (formerly PIWIK) for analysis of your surfing behavior. This software places a cookie on your computer. If individual pages - even sub-pages - of our internet pages are called, then the following anonymized data is saved.
- Two bytes of the IP address of the calling system (user’s system)
- The called internet page
- The internet page from which the user has arrived at the called internet page (referrer)
- The sub-pages which are called from the called internet page
- The dwell-time on the internet page
- The frequency of call-up of the internet page
- Information about the operating system, type of browser, video display resolution
The software is set up so that full IP addresses are not saved, but rather two bytes of the IP address are masked. In this way an unambiguous association with the calling computer is not possible. Therefore, your IP address is also always anonymized before any evaluation.
The software runs exclusively on the servers of the LMU. Any saving of data occurs only on these servers. Any transmittal to third parties does not occur. Additional information on Matomo is found at https://matomo.org/docs/privacy/ (external link).
The use of Matomo can be disabled in general by making a corresponding setting in your internet browser.
You can decide whether an unambiguous internet analysis cookie may be saved in your browser in order to allow the operator of the internet page to acquire and analyze various statistical - not personal - data. The use of an internet analysis cookie serves the purpose of improving the quality of the internet pages and their content, and for improving user convenience. Web analysis cookies make it clear how the internet page is being used, so that the offering can be optimized.
However, if you decide against it, then please activate the checkbox to set the Matomo deactivation cookie in your browser.
Your visit to this webpage is currently detected and anonymized by the Matomo web analysis tool. Please click here so that your visit will no longer be detected.
The use of Google Analytics on the LMU web servers does not occur for reasons of data protection.
III.3 Use of Social Media Icons or Internet Links
No automatic transmittal of your personal data occurs when using Social Media icons of Facebook, Twitter, Instagram, YouTube, etc. on the LMU internet pages. To prevent automatic data transmission to the vendor of social media, an internet link to these media is disabled on the internet pages of the LMU. For reasons of data security, active social media plugins are not used.
LMU does not share responsibility under data protection law if your data is processed by these vendors for their own purposes.
Our social media presence is a part of our publicity work. Our endeavor is to provide and to exchange information with specific target groups.
All our social media vendors are certified under the EU-US Privacy Shield and are transparent to any person, so that a legally reasonable level of protection exists for personal data, for example:
- Facebook, Inc. (https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active)
- Twitter Inc. (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active).
III.4 Use of RSS
An RSS feed is a form of the classical newsletter that you can read either with your browser or with a special program (RSS reader). When we offer an RSS feed, we will use it to inform you about current events. A list of central RSS feeds is provided at https://www.en.uni-muenchen.de/funktionen/rss.
If personal data is collected within the scope of an application for an RSS feed, then this information will be processed exclusively for the purpose of performing the RSS, and will be deleted as soon as it is no longer needed, that is, either after you log off, or after cessation of the RSS.
III.5 Protocols and Preparation of Logfiles
Due to occurring security-related events, e.g. attempted hacking attacks, relevant access data will be saved for every access on all central hosted webpages. The LMU internet server is operated for the LMU by its IT department (Department VI), Geschwister-Scholl-Platz 1, 80539 München, E-Mail: email@example.com).
Depending on the used access protocol, the protocol data set contains data with the following content:
- IP address for the inquiring computer
- Date and time of the inquiry
- Access method/function requested by the inquiring computer
- Input values (file name etc.) transmitted by the inquiring computer.
- Access status of the web server (data file transmitted, data file not found, command not executed, etc.).
- Name of the requested data file
- URL from which the file was requested/the desired function was initiated
- Information on browser type
- The user’s operating system
- Internet pages from which the user's system accessed the LMU internet page
- Internet pages that are called from the LMU internet pages
Purpose of the protocol:
The saved data are used for purposes of identification and tracking of allowed access and of impermissible access attempts, for maintenance of the internet page functionality on the internet server, and - in anonymized form - for optimizing of the internet offering. Temporary saving of the IP address is also necessary in order to enable delivery of the LMU internet page to your computer. For this purpose the user’s IP address must remain stored for the duration of the session. This data is not stored by the LMU together with other personal data.
The recorded data are saved for a maximum of seven days and then deleted. A longer retention period may occur in an individual case, provided a violation related to security was discovered. Irrespective thereof, retention for an even longer period is possible. In such a case, your IP address will be deleted or scrambled so that an allocation to the calling client is no longer possible.
Evaluation of the protocol:
Evaluation of the protocol occurs by the authorized employee of the IT department (Department VI), Geschwister-Scholl-Platz 1, 80539 München, E-Mail: firstname.lastname@example.org) under contract with the LMU and observing the provisions of data protection law.
If the data is urgently required for maintenance of the internet page and the saving of the data in logfiles is required for operation of the internet page, then you will not be entitled to a right of objection.
III.6 Contact Form and Use of Email
You can contact the LMU via the LMU internet pages. Please use the contact form found on the particular internet page, or the email address mentioned on the internet page.
a) Use of a contact form
In addition to the data you provide, the following data is also stored at the time the message is sent:
On the application server:
- Referrer (URL from which the form was called up)
- User’s email address provided in the form
- Receiver’s email address for the form
The personal data processed during the application process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.
By using a contact form you will be informed about the data collected and about your particular rights.
b) Use of an email address
In addition to the contact form, it is also possible to send an email to an LMU email address provided for use of the particular internet page. If you send us an email, then your email address and the other data provided by you will only be used for correspondence with you, and will be saved only as long as necessary for this purpose, unless some other legal grounds will justify its continuing retention.
Please note that the use of a non-encrypted email is fundamentally unsecure, that is, it may possibly be read, changed or captured by third parties along the transmission route. Please remember this when you send us information in an email. Therefore the sending of confidential messages should be by regular mail, until the LMU has its own S/Mime encryption.
In the event that you wish to send us an encrypted message, please use the public X509-certificate for encryption of your message.
In order that we may also send you confidential messages, please also give us your postal address, if requested. Otherwise there is the possibility that no information can be shared.
In the event that you want to send us a non-encrypted email, then please use preferably a function address at the LMU, provided such an address is provided on the internet page.
Please note that in the case of an email inquiry, we cannot verify your identity and do not know who is concealed behind the email address. A legally secure communication by means of a simple, unsigned email is not ensured, not even if it is encrypted.
At the LMU we sometimes use filters against unwanted advertising (spam filters) that can also sometimes wrongly classify and delete emails as advertising. Emails that can contain harmful programs, e.g. viruses, are deleted automatically.
If you want to receive an encrypted email from us, then please provide us with the necessary information.
III.7 Collection of Other Personal Data, e.g. Newsletter Subscription
It is possible to input your personal data on the LMU internet pages. Your data basically will not be encrypted along the transmission route, unless the particular offers specifically make reference thereto.
If personal data is collected for a newsletter subscription, then it will be processed only for the purpose of sending you the newsletter. The particular newsletter can be canceled at any time. To do so, please use the email address provided for the person responsible for sending the newsletter. Additional information will be provided together with your subscription to the newsletter.
The search field on this webpage (“Google Custom Search”) is provided by Google Inc. (“Google”). The use of this search field, where personal data is also transmitted to Google, is governed by the Google Data Protection Regulations (at www.google.de/privacy.html). Your data will be transmitted when you send the form. If you do not want to accept these foreign data protection regulations, then please refrain from using the search function.
IV. Your Data Protection Rights as an Affected Person
As a part of the LMU internet presence, personal data is processed within the scope stated above. To this extent you are an affected person within the meaning of the DSGVO and are entitled to the following rights with respect to the LMU:
IV.1 Right to information
You can ask the LMU to confirm whether we process personal data concerning you.
If such data is processed, you can request the following information from the LMU:
- The purposes of the processing for which the personal data are intended;
- The categories of personal data processed;
- The recipients or categories of recipients to whom personal data concerning you have been or will be disclosed;
- The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
- The right to request from the responsible officer to correct or delete your personal data, a right of restriction of processing or a right to object to processing as well as the right to data portability;
- A right to complain to an oversight authority, in the case of the LMU the directly cognizant data protection oversight authority is the Bavarian State Officer for Data Protection (https://www.datenschutz-bayern.de) (external link);
- All available information regarding the source of the data if personal data was not collected from you;
- The existence of automated decision-making, including profiling, referred to in Article 22 para. 1 and 4 DSGVO and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the affected person.
You have the right to request information concerning whether your personal data will be transferred to a third country or international organization. In such cases, you may request to be informed of the appropriate guarantees pursuant to Art. 46 DSGVO as related to this transfer.
Your right to information is subject to legal restrictions and is not absolute, rather, it is limited in particular in the following cases:
- If a large volume of information is saved for an affected person, then the responsible officer may request that the information be restricted to that information or processing which relates to the request for information.
- Obvious unfounded or excessive requests, or frequent repetitions may result in rejection or in compensation of costs.
- The granting of information must not affect the rights of the responsible officer or other persons (in this regard, professional secrets, business secrets, data with reference to other persons are exempted).
- The information may be withheld under the circumstances stated in Art. 10 BayDSG.
In the case of data processing for scientific or historical research purposes and for statistical purposes, your right to information may additionally be restricted if it is likely that the completion of the research or statistical work will be made impossible or seriously hampered, and the restriction is necessary to complete the research or statistical work.
IV.2 Right to Rectification
You have the right to rectify and/or to complete inaccurate and/or incomplete personal data saved by the LMU. The LMU will make the correction without delay.
In the case of data processing for scientific or historical research purposes and for statistical purposes, your right to rectification may be restricted if it is likely that the completion of the research or statistical work will be made impossible or seriously hampered, and the restriction is necessary to complete the research or statistical work.
IV.3 Right to Restriction of Processing
Under the following circumstances you may request a restriction of processing of your personal data:
- If you contest the accuracy of the personal data, the restriction will extend for a period enabling the responsible officer to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- The responsible officer no longer needs the personal data for the purposes of the processing, but it is required by you for the establishment, exercise or defense of legal claims;
- If you have objected to processing pursuant to Article 21 para. 1 DSGVO pending the verification whether the legitimate grounds of the responsible officer override those asserted by you.
Where processing personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where processing personal data concerning you has been restricted, you will be informed by the LMU before the restriction of processing is lifted.
In the case of data processing for scientific or historical research purposes and for statistical purposes, your right to restriction of processing may be restricted if it is likely that the completion of the research or statistical work will be made impossible or seriously hampered, and the restriction is necessary to complete the research or statistical work.
IV.4 Right to Deletion
a) Deletion requirement
You can request the LMU to delete your personal data without delay. The LMU is required to delete this data without delay, provided one of the following reasons applies:
- The personal data concerning you is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- You withdraw consent on which the processing is based according to Art. 6 para. 1 (a) or Art. 9 para. 2 (a) DSGVO, and where there is no other legal grounds for the processing.
- You object to the processing pursuant to Art. 21 para. 1 DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 para. 2 DSGVO.
- Personal data concerning you have been unlawfully processed.
- The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the responsible person is subject.
- The personal data concerning you have been collected in relation to an offer of services of the information company referred to in Art. 8 para. 1 DSGVO.
b) Notification to third parties
Where the LMU has made the personal data public and is obliged pursuant to Art. 17 para. 1 DSGVO to erase the personal data, the responsible officer, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform officers who are processing the personal data, that you have requested the deletion by such officers of any links to, or copy or replication of, that personal data.
The right to erasure does not apply to the extent processing is necessary
- For exercising the right of freedom of expression and information;
- For completion of a legal obligation which requires the processing according to the laws of the EU or of member states to which the LMU is subject, or to complete a task in the public interest or in exercise of official authority which has been conferred upon the LMU;
- For reasons of public interest in the area of public health in accordance with Art. 9 para. 2 (h) and (i) as well as Art. 9 para. 3 DSGVO;
- For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 DSGVO in so far as the right referred to in letter a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- For the establishment, exercise or defense of legal claims.
IV. 5 Right to notification
If you have asserted your right to rectification, erasure or restriction of processing vis-a-vis the LMU, then we are obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed by the LMU about such recipients.
IV. 6 Right to data portability
You have the right to receive the personal data concerning you which you provided to the LMU, in a structured, commonly used and machine-readable format. In addition, you have the right to transfer this data to one or another responsible officer without hindrance by the LMU, provided
- The processing is based on consent pursuant to Art. 6 para. 1 DSGVO or Art. 9 para. 2 DSGVO or on a contract pursuant to Article 6 para. 1 (b) DSGVO; and
- The processing is carried out by automated means.
In exercising your right to data portability, you have the right to have the personal data transmitted directly from the LMU to another responsible officer, where technically feasible. The exercise of this right cannot adversely affect the rights and freedoms of others.
The right to data portability does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the LMU.
IV. 7 Right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Article 6 para.1 (e) or (f) DSGVO.
In such cases, the LMU shall no longer process the personal data concerning you unless the LMU can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
In the context of the use of information company services, and notwithstanding Directive 2002/58/EC, you are entitled to exercise your right to object by using automated means, in which technical specifications are applied.
In the case of processing of your personal data for scientific or historical research purposes and for statistical purposes pursuant to Art. 89 para. 1 DSGVO, you have the right to object to this data processing for reasons relating to your particular situation.
Your right to objection may be restricted if it is likely that the completion of the research or statistical work will be made impossible or seriously hampered, and the restriction is necessary to complete the research or statistical work.
IV. 8 Right to revoke consent to data processing
You have the right to revoke your consent to data processing with future effect; however, this revocation shall not affect the legitimacy of the data processing already occurred based on your consent given until the time of revocation. This revocation must always be submitted to the agency within the LMU which has received the consent.
IV. 9 Right to lodge a complaint with an Oversight Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection oversight authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the DSGVO. In the case of the LMU the directly cognizant data protection oversight authority is the Bavarian State Officer for Data Protection (https://www.datenschutz-bayern.de) (external link); The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 DSGVO.
If you believe that the processing of your personal data is in violation of the DSGVO, then we request that you first turn to the officer responsible for the content of the particular internet page, who is named in the copyright statement, and/or to the official data protection officer at the LMU, since this will allow a rapid examination or remedy, if necessary, of your concerns. It is our goal and responsibility to examine all arriving questions of data protection immediately and to solve potential problems under data protection law.
V. Applicability of the General Data Protection Policy and Scope of the Supplemental Data Protection Policy of the Person Responsible for the Content of the Internet Page
The general data protection policy applies to those internet pages of the LMU for which the LMU bears responsibility. A supplemental data protection policy may also apply to a particular internet page of the LMU, provided the person responsible for the content of the internet page is performing additional processing of personal data and gives notice of such processing. This applies in particular when specific services are offered by individual departments. The supplemental data protection policy can expand, but not replace, the general data protection policy. The general data protection policy is a part of any supplemental data protection policy.
VI. Status, Revisions and Applicability of the LMU General Data Protection Policy
This general data protection policy was created on 05/2018. We reserve the right to update this data protection policy on a regular basis in order to take proper account of current legal requirements and technical changes, and also to implement our services and offers in compliance with data protection. The most recent version of this policy applies to your visit to an LMU web page.