Data Protection Declaration
The protection of personal data is of particular concern to the University of Graz, which is why we treat all processed personal data confidentially and in compliance with the statutory provisions.
In this guide, we would like to inform you about how we process your personal data. This includes specific information on data processing as well as more general information on the topic in connection with the University of Graz.
Contact information
University of Graz | +43 316 380 - 0 Universitätsplatz 3 8010 Graz |
Legal and organizational department | Universitätsplatz 3, 8010 Graz |
Data protection officer at the University of Graz | +43 316 380 - 2134 Universitätsplatz 3 8010 Graz |
Rights of data subjects:
In connection with the processing of personal data by the University of Graz, data subjects generally have the following rights:
- Right of access by the data subject (Art 15 GDPR);
- Right to rectification (Art 16 GDPR) or to erasure (Art 17 GDPR) and to restriction of processing (Art 18 GDPR);
- Right to data portability (Art 20 GDPR);
- Right to object (Art 21 GDPR);
- and if processing of data requires consent: Right to withdrawal of consent (Art 7 (3) GDPR), which does not affect the lawfulness of processing based on consent before its withdrawal;
You can assert your rights in writing:
By post:
University of Graz
Attn: Legal Department ‒ Data Protection, Universitätsplatz 3
8010 Graz, Austria
E-mail: datenschutz(at)uni-graz.at
In addition, data subjects have the right to lodge a complaint with a supervisory authority (Art 77 GDPR), which in Austria is the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Vienna, phone: +43 1 52 152-0, e-mail: dsb(at)dsb.gv.at.
In addition, data subjects may consult the data protection officer on all questions relating to the processing of their personal data and to exercising their rights. These inquiries are of course treated with utmost confidentiality.
If you have any inquiries, please contact the data protection officer directly:
By post:
University of Graz, Universitätsplatz 3
Attn: Data Protection Officer, 8010 Graz, Austria
By e-mail:
E-mail: dsba(at)uni-graz.at
Recipients or categories of recipients:
In principle, your personal data will only be processed within the university. If data processing also takes place externally (e.g. transfer to third parties, use of processors, data exchange between joint controllers), you will be informed about this in the course of the respective processing activities.
Storing of personal data:
Unless the storing of personal data and possible restrictions of the right to erasure, the right to withdraw consent or the right to object are addressed separately for a specific processing activity, the University of Graz stores your personal data as follows:
If the data subject has given consent to the processing (Art 6 [1] [a] GDPR): Personal data processed on the basis of given consent is stored until consent is withdrawn, but at the longest until the purpose of storing the personal data has been achieved. In addition, only absolutely necessary personal data (name, date of consent, proof of consent, e.g., signature) is stored for the purpose of proving consent or withdrawal thereof for a period of 3 years from the date of withdrawal.
If processing is necessary for the performance of a contract (Art 6 [1] [b] GDPR): Personal data is stored for as long as necessary to fulfil the contract. In addition, personal data is only stored until any statutory storage periods or statute of limitations with regard to potential legal claims expire.
If processing is necessary for compliance with a legal obligation (Art 6 [1] [c] GDPR): Personal data is stored for as long as this is legally required. In addition, personal data is only stored until any statutory storage periods or statute of limitations with regard to potential legal claims expire.
If processing is necessary for the performance of a task carried out in the public interest (Art 6 [1] [e] GDPR): Personal data is stored for as long as this is necessary due to the public interest or until a (justified) objection is raised. In addition, personal data is only stored until any statutory storage periods or statute of limitations with regard to potential legal claims expire.
If processing is necessary for the purposes of the legitimate interests pursued by the controller (Art 6 [1] [f] GDPR): Personal data is stored for as long as this is necessary to protect legitimate interests or until a (justified) objection is raised. In addition, personal data is only stored until any statutory storage periods or statute of limitations with regard to potential legal claims expire.
We would also like to point out that the University of Graz may continue to process data for archiving purposes in the public interest and for scientific or historical research purposes (Art 5 [1] [b] GDPR) as part of the fulfilment of our tasks (including in the area of scientific research and teaching). You are informed separately about such further processing.
Processing activities
Subscriptions
UNIZEIT
1. Description and scope of data processing
If you subscribe to the free magazine “UNIZEIT,” we process the following personal data for the
a) Print edition:
Form of address (optional), academic degree listed before the person's name (optional), first and last name, academic degree listed after the person's name (optional), address, e-mail address (optional)
b) Digital edition:
Name and e-mail address
Purpose of data processing
This personal data is processed for the purpose of registering the data subject for a subscription and sending the magazine “UNIZEIT” free of charge.
Legal basis for data processing
This personal data is processed for the performance of the subscription contract or in order to take the required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (delivery of the “UNIZEIT” magazine) cannot be provided.
Support of Alumni
Description and scope of data processing
According to the Austrian Universities Act (UG 2002), universities are responsible for maintaining contacts with graduates (§ 3 (10) UG 2002) and continuing education of graduates (§ 3 (5) UG 2002) as well as the advancement of science, research and teaching (§ 3 (1) UG 2002).
On the one hand, the University of Graz fulfils these tasks itself within its organisational structure (individual institutes, centres, departments, etc.) and on the other hand through the association “alumni UNI graz. das absolventInnen-netzwerk” (ZVR directory number 790183860) as a processor to fulfil these tasks.
These tasks are fulfilled in a variety of activities (e.g., organising various events, conducting study and educational trips, providing information [e.g., sending out newsletters], surveying graduates, making the fulfilment of these tasks visible through public relations work, etc.).
In particular, the following data categories are processed in connection with support of graduates:
Personal data, e.g.:
- First name
- Last name
- Highest qualification
- Academic degree
- Date of birth
- Field of study
- Registration number
- Date of graduation
Contact details, e.g.:
- Address
- Telephone number
- E-mail address
Other, e.g.:
- Communication content data
- Event registration information
Purpose of data processing
In the context of support for graduates, personal data is processed for the purpose of fulfilling the tasks assigned to us, in particular maintaining contacts with graduates (§ 3 (10) UG 2002), continuing education of graduates (§ 3 (11) UG 2002) and providing public information on the performance of the university’s tasks (§ 3 (11) UG 2002) and the advancement of science, research and teaching (§ 3 (1) UG 2002).
Legal basis for data processing
The above personal data is processed for the purpose of performing the tasks assigned to us and thus for compliance with a legal obligation to which the university is subject in accordance with Art 6 (1c) GDPR on the one hand, and for the performance of a task carried out in the public/legitimate interest (Art 6 (1e) and (1f) GDPR) of the University of Graz in public relations work and making university services visible to the public as well as on the basis of consent given (Art 6 (1a) GDPR) on the other. The personal data in the course of an event registration (e.g., further education events, educational trips) is processed for the performance of the contract with you or in order to take the required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR. If processing of personal data is necessary due to legal obligations or for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contract cannot be concluded or that the legal obligations cannot be met.
Recipient
The University of Graz fulfils certain task in relation to support for graduates through the association “alumni UNI graz. das absolventInnen-netzwerk” as a processor (see above section “Description and scope of data processing”).
University of Library Services
A) Library card, lending (order, reservation, overdue fees reminder)
Description and scope of data processing
The following personal data is processed when using the services of the University Library:
- E-mail address
- Company
- Form of address/gender
- First name
- Last name
- Postal address
- Payment reference (e.g., registration number, ...)
- Gender
- Date of birth
- Library card number
- Registration number
- UNIGRAZonline user name
Purpose of data processing
The personal data is processed by the University Library for the purpose of issuing a library card and administering the lending process (orders, reservations, overdue fee reminders).
Legal basis for data processing
This personal data is processed for the performance of the contract or in order to take required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (issuing of the library card, lending) cannot be provided.
B) Open Journal Systems OJS
Description and scope of data processing
For the purpose of administration and publication of scientific journals, we process the following personal data:
- Form of address
- Gender
- First name
- Last name
- Date of birth
- Nationality
- Postal/invoice address
- Telephone number
Purpose of data processing
This personal data is processed for the purpose of handling the publication process from submission to review to publication in a scientific journal.
Legal basis for data processing
This personal data is processed for the performance of the contract or in order to take required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (administration and publication of articles in scientific journals) cannot be provided.
Electronic payment
Description and scope of data processing
If you pay electronically for a service provided by the University of Graz (tuition fees, events, donations, cost sharing for admission procedures...), the following personal data is processed:
- E-mail address
- Company
- Form of address/gender
- First name
- Last name
- Postal address
- Date of birth
- Payment reference (e.g., registration number, ...)
In order for the payment to be assigned to you, the following data must be transmitted to the payment service provider:
- Payment reference (e.g., registration number, ...)
- First name
- Last name
On the part of the payment service provider, further personal data may be collected.
Purpose of data processing
This personal data is processed for the purpose of processing electronic payments and donations.
Legal basis for data processing
This personal data is processed for the performance of the contract or in order to take the required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR along with § 91 Universities Act (UG 2002) with regard to tuition fee payments.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (electronic payment) cannot be provided.
Research
As University we have the legal mandate to serve scientific research and through this also to contribute responsibly to the solution of human problems as well as to the prosperous development of society and the natural environment. In research and in research-led academic teaching, universities are oriented towards the production of new scientific knowledge (§§ 2 and 3 Z 1 UG - Austrian Universities Act). At the same time, research is also a fundamental right of scientists (pursuant to Art 17 StGG - Basic Law on the General Rights of Nationals in the Kingdoms and Länder represented in the Council of the Realm; Art 13 Charter of Fundamental Rights of the European Union).
The processing of personal data in the context of research projects is carried out in compliance with the principles and requirements resulting from the legal provisions (GDPR, DSG - Federal Act concerning the Protection of Personal Data and FOG - Research Organisation Act). While ensuring appropriate protection for the personal data, only those data are processed that are necessary to achieve the purpose.
The research projects carried out within the framework of our legal mandate are very individual, which is why the following can only provide general information about data processing within the framework of research at the University of Graz. Details on data processing in the context of specific research projects can be found in the data protection declaration of the respective research project.
Description, scope and purpose of data processing
In many disciplines and research projects, the human being is the reference object. In this context, the information on individual natural persons required for the successful achievement of the respective research project is processed.
The processing of personal data for scientific research purposes within the meaning of the General Data Protection Regulation (GDPR) is interpreted broadly to include processing for, for example, technological development and demonstration, fundamental research, applied research and privately funded research (cf. rec. 159 of the GDPR).
The GDPR contains numerous privileges of data processing for scientific research purposes.
In the context of research projects, all types of personal data can be processed in order to achieve the research objective (e.g. various contact data for contacting specific target groups, research data in the narrower sense for scientific analysis and possible publications, usage data and metadata in connection with various IT systems).
Legal basis for data processing
1. The processing of personal data in the context of research projects of the University of Graz is generally based (alternatively or cumulatively) on the following legal basis:
In the case of processing of non-sensitive personal data:
- Art 6 (1) (a) GDPR: Consent to the processing of non-sensitive data can also be given conclusively (implicitly), for example through documented actions that clearly indicate that you agree to the data processing.
- Art 6 (1) (f) resp (e) GDPR in conjunction with §§ 2 and 3 UG: legitimate interest or public interest in the fulfilment of a task vested in the university for scientific research on the basis of a balancing of interests, e.g. if consent as defined by the GDPR cannot be obtained or other reasons speak against obtaining consent
- Art 6 (1) (e) GDPR in conjunction with § 7 (1) (1 and 3) DSG: public interest in the fulfilment of the task of scientific research vested in the university, which does not objective at personal results, whereby the data are publicly accessible or pseudonymised for the University of Graz and the University of Graz cannot determine the identity of the person concerned by legally permissible methods
- Art 6 (1) (e) GDPR in conjunction with § 7 (2) and (3) GDPR: public interest in the fulfilment of the task vested in the university for scientific research with the approval of the data protection authority
In the case of processing special categories of personal data pursuant to Art 9 (1) of the GDPR (“sensitive data”):
- Art 9 (2) (a) GDPR: explicit consent for the processing of special categories of personal data pursuant to Art 9 (1) GDPR (“sensitive data”)
- Art 9 (2) (j) in conjunction with Art 89 GDPR in conjunction with § 2d FOG: public interest in the fulfilment of the tasks vested in the University for scientific research in compliance with the appropriate measures provided for in the FOG
- Art 9 (2) (j) in conjunction with Art 89 GDPR in conjunction with § 7 (1) (1 and 3) DSG: public interest in the fulfilment of the tasks vested in the university for scientific research which does not have personal results as its objective, whereby the data are publicly accessible or pseudonymised for the University of Graz and the University of Graz cannot determine the identity of the person concerned by legally permissible methods
- Art 9 (2) (j) in conjunction with Art 89 GDPR in conjunction with § 7 (2) (3) DSG: public interest in the performance of scientific research tasks vested in the university with the approval of the data protection authority
The GDPR allows for the further processing of personal data for archiving purposes in the public interest and for scientific or historical research purposes according to Art 5 (1) (b). In this case, the processing of the data is based (alternatively or cumulatively) on the following legal basis:
- Art 6 (1) (e) GDPR in conjunction with § 7 (1) (2) DSG resp. Art 9 (2) (j) GDPR in conjunction with Art 89 GDPR in conjunction with § 7 (1) (2) DSG: in the case of purpose-changing processing of sensitive or non-sensitive data, if the processing does not have personal results as its objective and if it concerns data lawfully collected internally for another purpose
Storage period
Differences from the general criteria for the storage period stated under "Storing of personal data" arise in the area of research as a result of
- Art 5(1)(e) in conjunction with Art 89 GDPR: according to which the storage of data for the purpose of use for scientific research is possible for longer if appropriate technical and organisational measures (e.g. pseudonymisation, protected separate storage) are taken
- the need to retain primary data that were the basis of a publication for the purpose of demonstrating good scientific practice
Storage for the purpose of demonstrating good scientific practice is based on the following (alternative or cumulative) legal basis:
- Art 6 (1) (c) resp (e) resp Art 9 (2) (j) GDPR in conjunction with §§ 5 and 19 UG in conjunction with § 3 of the statutes "Principles to ensure good scientific practice and to prevent misconduct in science" as a legal obligation to or in the public interest in the storage of research data on which the publication was based for 7 years from the date of publication
- Art 6 (1) (f) resp (e) GDPR in conjunction with §§ 2 and 3 UG: storage of raw data for 10 years from publication in accordance with international research practice (e.g. DFG: Guidelines for Safeguarding Good Scientific Practice - Guideline 17)
- Art 6 (1) (e) resp Art 9 (2) (j) GDPR in conjunction with § 2f (3) (1) FOG: when the FOG is applied as the legal basis, in compliance with the appropriate measures pursuant to § 2d FOG: storage of raw data for at least 10 years
Transfer of your data/recipients
It is not unusual for data to be exchanged with other researchers/collaboration partners and service providers during the course of the research project. It is also conceivable that research data will be made available to other researchers afterwards.
Information on any data transfers (also to third countries) and cooperations as well as on any provision of research data in repositories is provided in the data protection declaration of the respective project.
Data subject rights – possible restrictions in research projects
In connection with the processing of your personal data, you always have the general "data subject rights" pursuant to Art 15 et seq. of the GDPR (see "Rights of data subjects"), whereby restrictions are possible in the area of research under certain conditions.
a) Restriction according to Art 11 GDPR
Restrictions on data subject rights are possible if the processing is carried out without directly identifiable parameters such as names and thus the direct identification of the participating person (without any additional knowledge) is not possible and the data subject does not provide any information that would enable his or her identification.
b) The GDPR restricts the following data subject rights in the research context:
- the right to erasure (Art 17 [3] [d] GDPR), if is likely to render impossible or seriously impair the achievement of the objective (research objective)
- the right to object (Art 21 [6] GDPR) if "processing is necessary for the performance of a task carried out for reasons of public interest"
c) Restrictions according to Art 89 (2) GDPR in conjunction with Art 2d (6) FOG:
Accordingly, if the achievement of the purpose (research objective) is likely to be rendered impossible or seriously impaired, restrictions may be imposed in conformity with the GDPR:
- Right of access (Art 15 GDPR)
- Right to rectification (Art 16 GDPR)
- Right to restriction of processing (Art 18 GDPR)
- Right to object (Art 21 GDPR)
International Relations - Mobilities
Further information on the processing of personal data in the context of mobility programmes is available here:
Competence Portfolio Portal
Description and scope of data processing
a) Profile
A personal profile is created for each user of the competence portfolio portal, which is then updated in the event of any changes. This profile includes the following personal data:
- User name
- E-mail address
- First name
- Last name
- Password (in encrypted form)
You can manage and change the information this profile yourself (with the exception of the user name). You can access the website for managing and changing your personal settings here:
https://portfolio.uni-graz.at/doku.php?do=profile
First you must log in with your username and password. If you have forgotten your password, it is possible to request a password reset (“Setze neues Passwort” (set new password) on the login page). Please note: The web portal administrators are able to view essentially all profile data as part of their administrative access.
Your personal data will be deleted if your account is deleted or if the competence portfolio portal as a whole is deleted. Please note: Your profile (along with the portfolio data) will be deleted five years after your last access of portfolio support, but not before May 24, 2023, without any further notification! If you are interested in continuing to use your portfolio, we recommend that you attend a workshop on creating a competence portfolio in good time.
b) Portfolio data
The competence portfolio portal is a web application for storing and managing your personal data in order for you to be able to make this data accessible to third parties. Since this data gives a broad insight into your personal circumstances, we strongly recommend that you exercise caution and restraint when publishing your personal data online via this portal. Please think carefully about which personal data you want to make accessible and to whom. The personal data you enter will be stored on the competence portfolio portal web server. Please note: The web portal administrators are able to view essentially all profile data as part of their administrative access. For the purpose of data security, copies of this personal data are generated on a regular basis and stored as back-ups on a data carrier (external hard drive) located in controlled operating facilities. The back-up copies are kept for at least one month and are deleted at the latest three months after the creation of the respective back-up copy.
Furthermore, the competence portfolio supervisor has access to the non-private sections of the portfolio in order to give feedback on the texts ‒ if requested by you as the portfolio creator ‒ and to be able to create a certified version of your portfolio. While creating the certified version of your portfolio (PDF document), the personal data is not stored locally, but rather is deleted immediately after uploading it to the portfolio platform (where you have access to it). The supervisor is obliged to maintain data protection secrecy and has thus signed a corresponding non-disclosure agreement.
Please note: Your portfolio data (along with the profile) will be deleted five years after your last access of portfolio support, but not before May 24, 2023, without any further notification! If you are interested in continuing to use your portfolio, we recommend that you attend a workshop on creating a competence portfolio in good time.
Purpose of data processing
The competence portfolio portal is a web application for storing and managing your personal data in order for you to be able to make this data accessible to third parties. In order to provide these services ‒ in particular to provide the electronic competence portfolio functionality using the software Dokuwiki ‒ the University of Graz processes the specified data to the necessary extent specified.
Legal basis for data processing
This personal data is processed for the performance of the contract or in order to take required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (use of database, creation and provision of a profile) cannot be provided.
Contact/feedback forms
Description and scope of data processing
Contacting the University of Graz (by e-mail, telephone or contact form) generally requires processing of some personal data in order for us to be able to process and answer your request. Usually, this involves the following personal data:
- First and last name
- Address
- E-mail address
- Registration number
In addition to the data listed above, other personal data may be processed should you provide it, specifically:
- Gender
- Academic degree
- Telephone number
- Institution/organisation/field of study
- Content data (if you leave a message)
Purpose of data processing
This personal data is processed for the purpose of answering to your request/feedback. The data is stored by us for at least six months in case of follow-up questions or for the period required to provide the services you have requested.
Legal basis for data processing
The above data is processed in particular for the purposes of the legitimate interests (Art 6 (1f) GDPR) of the University of Graz in processing and answering your request/feedback, if necessary, in order to take steps at your request according to Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (answering your request) cannot be provided.
Learning platforms
Moodle
Description and scope of data processing
The online learning platform Moodle is used both to accompany/conduct courses, examinations and research and to facilitate collaborative group-working and general (internal) further education. The platform thus supports, among other things, the University of Graz in the fulfilment of its tasks in the areas of teaching, research and administration and is therefore necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university.
When using Moodle, the following personal data is processed:
a) Login or profile data: User name, password in encrypted form, e-mail address, first name, last name, registration number
b) Content data (e.g., uploaded files, forum posts, course entries)
c) Cookies
d) Connection and usage data (e.g., IP address, browser type, date and time of access)
Ad a) Access data
Mandatory information:
Your personal information will only be processed to facilitate your participation in Moodle courses. A personal profile is created for each user with the following personal data:
- First name
- Last name
- E-mail address
- User name
- Registration number
Voluntary information:
In addition, you can voluntarily provide further personal information (e.g., a photo, ...) in your “personal profile”. By actively entering or uploading your personal data, you are giving your (explicit) consent to the processing of this data.
Ad b) Content data
Moodle allows you to publish personal content in forums, wikis, blogs or assignments, thereby making them available and accessible for other participants. Uploading and posting of content serves the purpose of conducting research and teaching.
No illegal content may be posted and the rights of third parties must not be violated. In this regard, all users are responsible for compliance with applicable data protection and copyright regulations.
Ad c) Cookies
Moodle saves two types of cookies on your device. The first cookie is called “MoodleSession” and saves the login data of the currently ongoing Moodle session. This cookie must agree to the use of this cookie so that the login data and thus the access rights within Moodle are retained throughout the session. This cookie is automatically deleted if you log out of Moodle or if you close the web browser. The second cookie is called “MoodleID” and, on request, saves the user name in the web browser so that it can be pre-entered for your next login. It aims to simplify the login process and can be activated at login if desired.
Ad d) Connection and usage data
Storage of connection data, in particular the IP address, by the system is necessary to ensure the usability of the service, system security and the technical administration of the network infrastructure.
In addition, your content contributions and activities are saved when using Moodle exclusively to conduct the respective course and for technical and user-friendly optimisation.
Only site administrators have access to connection and usage data.
Storage period
The usage data stored as part of accessing Moodle courses is automatically deleted after 180 days. Posts you have published in forums, chats, blogs, wikis, tasks etc. or files made available for retrieval are excluded from this automatic deletion process. These content contributions remain available until the respective Moodle course is deleted. Unless otherwise agreed, Moodle courses are deleted after 3 semesters + 2 months.
You are able to change or delete the personal data you have voluntarily provided (personal profile) yourself at any time.
Purpose of data processing
Purpose 1: Personal access, profile and usage data is processed for the purpose of supporting/conducting courses, examinations, research activities and further education events in teaching, research and administration. Processing is thus necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University of Graz on the one hand and for the purposes of the legitimate interests pursued by the University of Graz in the implementation of (internal) further education measures on the other.
Purpose 2: Connection and usage data as well as cookies are processed for the purpose of ensuring the usability of the platform, system security and the technical administration of the platform.
Legal basis for data processing
The above personal data is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University of Graz (Art 6 (1e) GDPR) in conjunction with § 1, § 2, § 3 and § 19 (2)-(4) Universities Act (UG 2002) as well as Art 20 Excerpt of Statutes: Provisions under Study Law as amended along with the relevant sections on e-learning and virtual teaching in the respective curricula of the University of Graz. Furthermore, the personal data is processed for the purposes of the legitimate interests pursued by the University of Graz in the implementation of further education measures (Art 6 (1f) GDPR).
If you actively enter or upload personal data (personal profile), your personal data is processed on the basis of your (explicit) consent to the processing for one or more specific purposes in accordance with Art 6 (1a) or Art 9 (2a) GDPR.
Newsletter and sharing of specific information
A) Newsletter
Description and scope of data processing
If you have signed up for one of our newsletters, the following personal data is processed:
- Form of address
- First and last name
- E-mail address
Purpose of data processing
This personal data is processed for the purpose of sending you the desired news and information.
Legal basis for data processing
The above personal data is processed on the basis of given consent to the processing (Art 6 (1a) GDPR), which you can withdraw at any time.
B) Sending specific information to university member
Description and scope of data processing
Processing of personal data is necessary for sending university members specific information (in the sense of § 94 Universities Act (UG 2002) to their university e-mail addresses. This involves the processing of the following personal data:
- Form of address
- First and last name
- University e-mail address
- If applicable, faculty, institute or department affiliation
- If applicable, field of study
Purpose of data processing
The above personal data is processed to pass on university information (e.g., relevant news, events, etc.) so that the university members are kept up to date and the University of Graz can fulfil its tasks according to § 3 UG 2002 in particular.
Legal basis for data processing
The above personal data is processed for the performance of a task carried out in the public/legitimate interest of the University of Graz in passing on essential university information to the university members (Art 6 (1e) and (1f) GDPR in conjunction with § 3 UG 2002).
Qualified electronic signature
Validation
Description and scope of data processing
If you want to use the qualified electronic signature as a form of signature equivalent to your handwritten signature in business transactions with the University of Graz (e.g., employment contract, travel expenses, guest lecture, etc.), it is always necessary to validate the qualified electronic signature issued. When using the validation service, the following personal data is processed:
- Time of signature/seal creation
- Data of the document to be checked
- Time of the validation process
- Information related to the validation report
Purpose of data processing
Within the validation framework for qualified electronic signatures, personal data is processed for the purpose of creating legal certainty with regard to the validity of qualified electronic signatures or for the possible assertion, exercise or defence of legal claims.
Legal basis for data processing
Within the validation framework for qualified electronic signatures, the personal data is processed for the purposes of the legitimate interests pursued by the University of Graz (Art 6 (1f) GDPR) in establishing legal certainty with regard to the validity of qualified electronic signatures or for the possible assertion, exercise or defence of legal claims.
Recipient
In the course of validating the qualified electronic signature, the signed document, together with the personal data contained in the document to be validated, is transmitted to an external qualified validation service, RTR GmbH, in accordance with § 14 (2) Signature and Trust Services Act (SVG) to carry out the validation in accordance with Art 32 eIDAS Regulation.
Social media
Description and scope of data processing
The University of Graz is active online on a number of social media networks and platforms in order to communicate with the users represented there and to inform them about the goings-on at the university (partly also by means of campaigns).
The University of Graz has no influence on the type and scope of personal data processed by the operator of the respective network/platform or on the type of processing, use or possible transmission of this personal data to third parties. The University of Graz also has no effective control options in this respect. We would like to point out that users use the social media networks/platforms and their functions voluntarily and on their own responsibility. The terms of service and privacy policies of the respective operators apply when deciding to use the respective service.
Please note: The social media networks are only an additional way of getting in touch with the University of Graz or to receive information from us. All relevant university information ‒ from study opportunities and access to research to contact information to relevant press releases ‒ is always also available on the university communication channels (website, newsletter, etc.).
Purpose of data processing
An online presence in social media networks and platforms complements the existing university communication channels, such as websites, press releases, newsletters, print media and events, in a meaningful and necessary way.
Legal basis for data processing
The University of Graz makes use of social media networks and platforms for the performance of a task carried out in the public/legitimate interest in accordance with Art 6 (1e) and (1f) GDPR in conjunction with § 3 (4)-(5), (7)-(8) and (10)-(11) Universities Act (UG 2002) within the framework of effective and target group-specific public relations.
Currently, the University of Graz has an online presence on:
-
Facebook Ltd.: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Privacy policy: https://de-de.facebook.com/policy.ph
-
Instagram (Facebook Ltd.): Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Privacy policy: https://help.instagram.com/519522125107875
-
Twitter Inc.: 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Privacy policy: https://twitter.com/de/privacy
-
YouTube (Google LLC): 1600 Amphitheatre Parkway, Mountain View, California 94103, USA: Privacy policy: https://policies.google.com/privacy/partners
-
LinkedIn Inc.: LinkedIn Ireland Unlimited Company, Gardner House, 2 Wilton Pl, Dublin 2, D02 CA30, Ireland; Privacy policy: https://de.linkedin.com/legal/privacy-policy?trk=homepage-basic_footer-privacy-policy
-
Kununu: New Work SE, Am Standkai 1, 20457 Hamburg, Germany; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung
-
XING: New Work SE, Am Strandkai 1, 20457 Hamburg, Germany; Privacy policy: https://privacy.xing.com/de/datenschutzerklaerung
-
whatchado: whatchado GmbH, Mariahilfer Strasse 103/4/66, 1060 Vienna, Austria; Privacy policy: https://www.whatchado.com/en/terms/users
-
Snapchat (Snap Group Limited): 77 Shaftesbury Avenue, London, W1D 5DU, Vereinigtes Königreich; Datenschutzerklärung: https://values.snap.com/de-DE/privacy/privacy-policy?_ga=2.78899356.940919398.1684746329-703276488.1684746328
-
TikTok (TikTok Technology Limited): 10 Earlsfort Terrace, Dublin, D02 T380, Irland; Datenschutzerklärung: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE
Events
A) Organisation of events using the university event tool (esraSoft)
Description and scope of data processing
For the administration, announcement/advertising and payment for events, we process the following personal data:
- Gender
- Academic degree
- First name
- Last name
- E-mail address
- Date of birth
- Nationality
- Graduated from [school type]
- Postal address
- Telephone number
- Relationship category (staff, student, external)
- Field of study
Purpose of data processing
This personal data is processed for the purpose of event administration and implementation as well as to announce/advertise the event.
Legal basis for data processing
This personal data is processed for the performance of the contract or in order to take required steps prior to entering into the contract in accordance with Art 6 (1b) GDPR.
Since processing of the personal data is necessary for the conclusion of the contract or prior to entering the contract, failure to provide the personal data automatically means that the contractual service (administration of the event, registration, payment) cannot be provided.
Recipient
The personal data is processed using esraSoft in connection with the processor Kaindl Informatics GmbH.
B) Event registration via the homepage form
Description and scope of data processing
Generally speaking, when registering for an event, the following personal data is processed:
- First and last name
- Address
- E-mail address
In addition to the data listed above, other personal data may be processed should you provide it, specifically:
- Gender
- Academic degree
- Telephone number
- Institution/organisation/field of study
- Content data (if you leave a message)
Purpose of data processing
The above personal data is processed as part of the registration, organisation and implementation of the event.
Legal basis for data processing
This personal data is processed in particular for the performance of a contract or in order to take required steps prior to entering into a contract in accordance with Art 6 (1b) GDPR.
Processing of this personal data is absolutely necessary for the administration of the event. If you do not provide us with this personal data, participation in the event is unfortunately not possible.
C) Event documentation
Description and scope of data processing
The University of Graz, its administrative and organisational units or individual institutes or centres take photos or short videos of visitors during events. These photos/short videos are published for public relations purposes and to showcase our activities on core university media channels (e.g., university website, institute or centre websites, university magazine “UNIZEIT”, etc.) as needed.
Purpose of data processing
The image data is processed for the purpose of public relations, to highlight university activities and to inform the public about the fulfilment of the university's tasks.
Legal basis for data processing
The data is processed in particular for the purposes of the legitimate interests (Art 6 (1f) GDPR) of the University of Graz.
D) Sending electronic event invitations to similar events to existing, potentially interested contacts
Description and scope of data processing
If you provide your contact details (e-mail address) to the University of Graz, its administrative and organisational units or individual institutes or centres as part of registrations for university events, the University of Graz may process these contact details by sending invitations to similar university events.
Purpose of data processing
The contact details are processed for the purpose of fulfilling the university’s tasks, specifically for the purpose of providing information about and actively promoting further education, for supporting the use and implementation of research results in practical application and for supporting the social integration of such research results.
Legal basis for data processing
The personal data is (further) processed in particular for the purposes of the legitimate/public interest of the University of Graz (Art 6 (1e) and (1f) GDPR in conjunction with § 3 (5) and (8) Universities Act (UG 2002) ‒ depending on the specific individual case possibly in conjunction with Art 6 (4) GDPR.
In addition, your contact details are processed exclusively in compliance with the legal provisions of § 174 (4) Telecommunications Act (TKG 2021).
Degree programmes with restricted admission
Description and scope of data processing
If you have registered for a degree programme with restricted admission, the following personal data is processed:
- Gender
- First name
- Last name
- Date of birth
- Nationality
- Graduated from [school type]
- Postal address
- Telephone number
- German language skills
- Registration number
- Copy of passport/valid identity card
- Proof of qualifications to study (e.g., graduation certificate, qualifying examination)
- Passport photo
- Examination result
- Disability or other impairments (if you need an alternative examination method due to a disability, chronic or mental illness. Impairments must be verified in a specialist medical report ‒ we will contact you in such cases.)
Purpose of data processing
The above personal data is processed for the purpose of allowing you to participate in the admissions process for degree programmes with restricted admission.
In addition, for statistical and evaluation purposes, aggregated data (e.g., registration and admission numbers, distribution of registrations/admissions according to certain criteria, etc.) is processed without identifiers (e.g. name, e-mail address) that directly relate to an individual, aiming for complete anonymisation.
If, in the case of a smaller group size, it cannot be ruled out that certain data may relate to an individual, processing is nevertheless necessary for the performance of a task carried out in the public/legitimate interest (Art 6 (1e) and (1f) GDPR) of the University of Graz in conjunction with fulfilment of the legal requirements according to § 71b (7) Universities Act (UG 2002) and the corresponding statutory reporting obligations and internal quality management.
Legal basis for data processing
The above data is processed in particular for the purposes of the legitimate interests (Art 6 (1f) GDPR) of the University of Graz.
Furthermore, personal data is processed for the purpose of providing alternative examination methods for those suffering from a disability or impairment which makes it impossible to take an examination in the prescribed manner in accordance with § 59 (1)-(12) UG 2002.
The privacy policy is also available as a PDF document.