Data Processing and Privacy Policy
HM Hochschule München University of Applied Sciences
Data protection is a key priority for Hochschule München (HM) and a legal obligation. To ensure that personal data is adequately protected during transmission, HM uses state-of-the-art encryption methods (e.g. SSL/TLS) and secure technical systems.
Data controller
HM Hochschule München University of Applied Sciences
Lothstraße 34
D-80335 München
Tel.: +49 89 12 65 - 0
Fax: +49 89 12 65 - 3000
Email: kommunikation@hm.edu
Website: www.hm.edu
HM Hochschule München University of Applied Sciences is a public-law body. It is legally represented by its President, Prof. Dr Martin Leitner.
Government Data Protection Officer
The Data Protection Officer at Hochschule München can be contacted by email at datenschutzbeauftragter@hm.edu and by telephone on +49 9951 99990-500.
General information
Purposes and legal bases for processing
The purpose of the processing is to fulfil the public duties assigned to Hochschule München by the legislature.
Unless otherwise stated, the legal basis for the processing of personal data is set out in Article 4(1) of the Bavarian Data Protection Act (BayDSG) within the framework of the general authorisation clause in Article 6(2)─(3) in conjunction with paragraph 1, subparagraph 1, point (e) of the General Data Protection Regulation (GDPR). Accordingly, the University is permitted to process the data necessary to fulfil a task incumbent upon it.
Where consent has been given to the processing of data, the data processing is based on Article 6(1)(a) of the GDPR.
Recipients or categories of recipients of the personal data
IT service providers working for HM may act as recipients of personal data under the data processing agreements concluded with HM.
All content on HM’s central website is hosted, maintained and made available on servers belonging to Hochschule München and the Leibniz Computing Centre (LRZ), Boltzmannstraße 1, D-85748 Garching.
Where necessary, data will be transferred to the relevant supervisory and auditing authorities to enable them to exercise their respective supervisory powers.
Retention period for personal data
Data is only stored for as long as is necessary to fulfil our obligations, in accordance with statutory retention periods.
Personalised administrative and editorial access to the HM website will be restricted following the departure of the person concerned and deleted one year after the end of the financial year in which they left.
Log files, as personal data, are generally retained for a maximum of 7 days.
Hochschule München processes the personal data of its students, prospective students and alumni.
Information on data protection, in particular regarding the purpose and legal basis of data processing in the context of the application process, the students’ organisation and student administration, can be found in the Privacy Notice for Admission Candidates, Students and Alumni .
Further information on data protection in relation to online teaching and online examinations can be found in the Privacy Notice on Online Teaching and the Privacy Notice on Electronic Remote Examinations respectively.
Information on using the online Student Advice Centre and online appointment booking (https://online-studienberatung.hm.edu) is available here in the form of privacy notices for the online Student Advice Centre (instant chat and registration, chatbot) and online appointment booking.
Information on data processing for the purpose of paying the energy price allowance can be found here (Privacy notice on data processing for the purpose of paying the energy price allowance).
When applications are submitted for advertised vacancies at Hochschule München, the university processes the applicants’ data solely for this purpose. Further information on data processing, in particular regarding the purpose and legal basis, can be found in the privacy notice for applicants .
You will also find a link here to the privacy notice regarding personality assessments in the appointment procedure .
Hochschule München processes personal data for the purpose of conducting surveys for quality assurance and research purposes. Detailed information on data protection, in particular regarding the purpose and legal basis of this data processing, can be found in the data protection notice for survey participants .
Hochschule München processes personal data when the anny appointment booking system is used. It is used to book and organise reading room places, study rooms, online and face-to-face training sessions, advisory appointments and book collection appointments. Detailed information can be found in the privacy notice for the use of the anny appointment booking system .
Hochschule München processes personal data for the purpose of conducting course evaluations. Detailed information on data protection, in particular regarding the purpose and legal basis of this data processing, is set out in the data protection notice for lecturers in the context of course evaluations .
As part of its efforts to promote research and support early career researchers, Hochschule München processes personal data. Further information on data processing, in particular regarding the purpose and legal basis, can be found in the FORWIN department’s privacy notice .
You will also find a link here to the privacy policy for the HM Research Information System .
When you visit the Hochschule München website, personal data is processed. Further information on data processing, in particular regarding the purpose and legal basis, can be found in the privacy notice for website visitors .
In accordance with Article 2(2), sentences 3 and 5 of the Bavarian Higher Education Act (BayHIG) and Article 17(1) of the Bavarian Digital Information Act (BayDIG), Hochschule München provides services and administrative support on its website, as well as information for the public about its activities. Further information on data processing, in particular regarding the purpose and legal basis, can be found in the privacy notice for the use of social media .
Personal data is processed when taking part in competitions organised by Hochschule München. Further information on data processing, in particular regarding the purpose and legal basis, can be found in the privacy notice for competition entrants .
To deliver the statutory occupational health and safety training required under Section 12 of the Occupational Safety and Health Act (ArbSchG), Hochschule München currently utilises a procedure provided by TÜV Rheinland Akademie GmbH. An agreement on data processing, as required under data protection law pursuant to Article 28 of the GDPR, has been concluded between TÜV Rheinland Akademie GmbH, acting as an external service provider, and Hochschule München. In this agreement, the external service provider undertakes to protect the data of university staff and to process such data exclusively on our behalf and in accordance with our instructions, in compliance with the applicable data protection regulations.
For the purpose of delivering the training courses, and in fulfilment of our legal obligations and the tasks entrusted to us, we are entitled to have the Human Resources department compile a list of the university’s staff, forward it to the relevant recipients, and carry out regular updates. The training certificates are retained for two years and are then deleted by the Human Resources department.
Hochschule München makes HM-AI available to all members of the university community, thereby offering an opportunity to integrate artificial intelligence (AI) into their work processes. Further information can be found in the guidelines on the processing of personal data in connection with the use of HM-AI.
Personal data is processed as part of research projects carried out by the ‘Cooperative Autonomous Systems’ group. Further information can be found in the privacy notice for projects carried out by the IAMLIS ‘Cooperative Autonomous Systems’ research group."
Hochschule München responds to enquiries and any concerns or opinions raised, and sends circular emails to members of the university, project and cooperation partners, and other individuals to provide them with general information and details on specific topics, and to invite them to take part in surveys as part of research and quality assurance activities, or to attend events.
Further information can be found in the privacy policy in the Rundmailtool .
Hochschule München uses a CRM system to manage and maintain our relationships with project and cooperation partners, as well as with interested parties. The CRM system enables us to manage your contact details, respond to your enquiries, send you newsletters on general and specific topics, and invite you to events.
Further information can be found in the guidance on data processing when using a CRM system .
We, Hochschule München (hereinafter also referred to as ‘the University’, ‘we’ or ‘us’), set out below the purposes for which, and the legal basis on which, we process your personal data for the purposes specified here, and for how long, if you submit an application for a PhD position and/or your doctoral project has been accepted. You can find out what rights you have regarding data processing via the following link: https://hm.edu/datenschutz/
Please take the time to read our privacy policy, as it contains important information about how we handle your personal data.
Contents of these notes
Wherever we use the term ‘data’ in this text, we refer exclusively to personal data within the meaning of Article 4(1) of the GDPR.
Management of doctoral projects
When you apply for a doctorate at one of our doctoral centres, we process the data you provide to us as part of the application process via our doctoral candidate portal, ‘docDaten’. We process your data solely for the purpose of handling and administering your PhD application. We collect the information necessary to enable us to decide whether to accept your doctoral project. Essentially, this comprises the following categories of information:
- Personal details (personal information);
- Contact details;
- Details of qualifications, including certificates;
- Details of the doctorate, including the dissertation, reviews of the dissertation and publications.
Please refer to the form on the portal for details of the specific types of data we process in connection with PhD applications. The information requested in the form as mandatory fields (mandatory details) is marked as such with an asterisk (*). It is not possible to apply for a PhD without providing the mandatory details.
All other information requested is provided on a voluntary basis. We ask for this information so that we can offer you specific support services, such as childcare.
Once we have accepted your doctoral project, we will process the information provided as part of your application for the doctorate in your student file for the purposes of administering your doctorate programme.
Purpose and legal basis
We process your data in order to be able to effectively manage the submitted doctoral projects, both as part of the decision-making process regarding their acceptance and following their acceptance.
We process the mandatory data provided as part of applications for doctoral programmes in accordance with Article 6(1)(c), (2) and (3) of the GDPR in conjunction with (i.V.m.) Article 97(4) and Article 87(3) of the Bavarian Higher Education Act (BayHIG) in conjunction with Article 6(1)(e), (2) and (3) of the GDPR in conjunction with Article 4(1) of the Bavarian Data Protection Act (BayDSG) in conjunction with the Framework Doctoral Regulations of the University of Applied Sciences München. We process the information provided voluntarily on the basis of consent pursuant to Article 6(1)(a), Article 7 and Article 4(11) of the GDPR.
Recipient
Our PhD Student Portal is hosted on our own servers, which we operate ourselves. Your data will not be disclosed to any other recipients.
Management of user accounts
To use the PhD student portal we provide, you must register and create a user account.
In connection with the mere registration and provision of a user account, we process the username, email address and a password chosen by the user. We process the password exclusively in hashed form.
Registration is always linked to the intention to submit a doctoral project. This means that registration on our portal takes place in connection with your doctoral application.
Purpose and legal basis
Registration on our portal is voluntary and is based on your consent in accordance with Article 6(1)(a) and Article 4(11) in conjunction with Article 7(4) of the GDPR.
The processing of your data in connection with the provision of a user account on our portal is carried out in pursuit of our legitimate interest in managing the relevant information about individuals undertaking a PhD with us in an efficient, effective and data-minimising manner. The legal basis for this is Article 6(1)(e), (2) and (3) of the GDPR in conjunction with Article 4(1) of the Bavarian Data Protection Act (BayDSG), in conjunction with the relevant provisions in the applicable special laws, in particular the Act on Digitalisation in the Free State of Bavaria.
Recipient
Your data will be processed exclusively on our servers, as described above. Your data will not be disclosed to any other recipients or transferred to a third country – i.e. a country outside the scope of the GDPR – or to any International organisations.
Retention and deletion
If your application for a PhD place has been unsuccessful and we have not accepted your doctoral project, we will delete your PhD application documents once the period during which you may lodge an appeal against our decision has expired; this is usually one month after you have received the decision.
Provided that we have accepted your doctoral project, we will process your data after the completion of your doctorate only for as long as is necessary for the purposes for which it was collected or otherwise processed. This is usually the end of the winter semester following the calendar year in which the dissertation is published, including the deposit of statutory copies with the libraries.
Your user account on our portal will be deleted, provided you are staff at the Doctoral Research Center, upon your departure from your post, or at the latest upon your departure from the university. If you have set up a user account as part of a PhD application, we will delete it once we no longer require the data processed therein for the purposes for which it was collected. This means that we will delete user accounts once the aforementioned time limits have expired.
Compilation of promotional statistics
For the purposes of reporting to government departments and the public, we use some of the data processed on our portal exclusively in an anonymised form, without any personal references. In doing so, the data is handled in such a way that it is not possible to identify any specific individual.
For anonymised statistical purposes, in particular in fulfilment of our obligations under the Higher Education Statistics Act, only the data required by law are processed. At present, this comprises the following information: gender; month and year of birth; nationality, additional nationalities; country, district and year of acquisition, as well as the type of higher education entrance qualification; if the higher education entrance qualification was acquired outside the Federal Republic of Germany, the country of acquisition; name of the higher education institution, as well as the semester and year of initial enrolment for studies; if initially enrolled at a higher education institution outside the Federal Republic of Germany, the country in which the institution is located; type, subject, semester, month and year of the degree already obtained, as well as examination results and overall marks for examinations taken; the higher education institution at which the previous degree was obtained; if the previous degree was obtained outside the Federal Republic of Germany, the country in which the previous degree was obtained; the name of the higher education institution at which the doctorate is being pursued; type of doctorate; doctorate subject; Type of registration as a doctoral candidate; enrolment as a doctoral student; month and year of commencement and completion of the doctoral procedure; participation in a structured doctoral programme; employment status at the higher education institution; type of dissertation.
The legal basis for this is Article 6(1)(c), (2) and (3) of the GDPR, in conjunction with the relevant provisions of the Higher Education Statistics Act (HStatG) and the Act on Statistics for Federal Purposes (BStatG). The university’s obligation to provide information arises from Section 10(1) of the Higher Education Statistics Act (HStatG) in conjunction with Section 15 of the Act on Statistics for Federal Purposes (BStatG). Under Section 10(2) of the HStatG, the management of the institutions referred to in Section 2(1) of the HStatG are obliged to provide information. Under Section 10(4) of the HStatG, the information must be provided on the basis of the records held by these institutions. The data to be processed is currently set out in Section 5(2) of the HStatG.
Further information
If you have any questions regarding the processing of your data, please feel free to contact the Data Protection Officer at datenschutzbeauftragter@hm.edu. If you have any questions regarding the administration of doctoral projects, please contact promotionszentren@hm.edu.
Last updated: 23 April 2024
The University of Applied Sciences München uses Microsoft 365 as a cloud-based solution, particularly for email communication, document management and Office applications. Microsoft 365 comprises the Office 365 online service, the Office web applications and, optionally, local Office programmes as part of a software subscription. Use of the service is based on an existing framework agreement, which ensures the provision of licences and access to central services for staff and students.
1. Data controller or data processor
Microsoft Ireland Operations Limited
One Microsoft Place, South County Business Park, Leopardstown Dublin 18, Ireland
Microsoft Corporation
One Microsoft Way Redmond, Washington 98052, United States of America
Microsoftprivacy
information page with FAQs and contact details Microsoft
Privacy Statement
2. General information
a. Purpose
The purpose of processing personal data is to provide and use the ‘Microsoft 365’ service made available by the University of Applied Sciences München. The processing serves to fulfil tasks in teaching, research, administration, knowledge transfer and innovation, as well as organisational and administrative communication. Microsoft 365 serves, in particular, to facilitate comprehensive collaboration and communication as a tool for modern teaching, research, administration and external collaboration; to organise online events; to enable collaborative work on internal and external projects; to provide and share documents and other files; to facilitate communication with other universities and government bodies, as well as other external users from the business sector, politics and civil society; ensuring and continuously improving IT Security; defending against and/or identifying attacks on accounts or functions within the system environment; and implementing and optimising digital processes, including within the context of workflows.
This includes, in particular, the use of the licensed products and services, the provision of updates, ensuring information security, and technical and customer support.
In addition, as part of Microsoft 365, Microsoft processes certain diagnostic, service and usage data to ensure the functionality, security and further development of the services.
Personal data may be disclosed to Microsoft for the following purposes:
1. Billing and account management, in particular in connection with the management of user accounts and payment processes
2. Remuneration and related accounting and settlement processes
3. Internal reporting and business modelling, including for the management, analysis and further development of business processes
4. Combating fraud and other measures to prevent misuse
5. Prevention, detection and defence against cybercrime or cyber-attacks, as well as similar threats
6. Improvement and further development of core functionality, particularly with regard to accessibility, data protection, security and energy efficiency
7. Financial reporting and associated documentation and evidence requirements
8. Compliance with statutory obligations and other regulatory and legal requirements
b. Legal basis
The legal basis for the processing of personal data for the aforementioned purposes is Article 6(1)(e) of the GDPR in conjunction with Article 4 of the Bavarian Data Protection Act (BayDSG) and other relevant statutory provisions (including Articles 2, 3, 7 and 59 of the Bavarian Hospital Act (BayHIG), Article 103 of the Bavarian Building Code (BayBG) and Section 106 of the Trade Regulation Act (GewO)).
The legal basis for the processing of civil servants’ personal data is Article 6(1)(c) of the GDPR in conjunction with Article 4 of the Bavarian Data Protection Act (BayDSG) and the relevant provisions of civil service law (including Article 33(5) of the Basic Law (GG)). For all other staff, processing is carried out on the basis of Article 6(1)(b) of the GDPR.
The legal basis for the processing of students’ data is primarily Article 6(1)(e) of the GDPR in conjunction with Article 4 of the Bavarian Data Protection Act (BayDSG) and Article 2 of the Bavarian Higher Education Act (BayHIG) for the purposes of carrying out the studies; where, in addition, processing is carried out on the basis of consent, this is governed by Article 6(1)(a) of the GDPR in conjunction with Article 7 of the GDPR.
c. Categories of data
The following categories of data are processed:
1. Basic personal data and contact details
2. Authentication details
3. Unique identification numbers and signatures
4. Pseudonymised identifiers
5. Location data
6. Content data
7. Device information (including information about the service used)
8. Human Resources and recruitment data
d. Categories of data subjects
The following categories of people are affected:
- Individuals who use or administer Microsoft 365, including university staff, students and external users (data categories 1–8)
- Individuals who can be identified in communications and documents (data categories 1 and 6)
e. Recipients or categories of recipients of personal data
The Microsoft 365 providers and their sub-processors are made aware of the necessary data under the data processing agreement in accordance with Article 28 of the GDPR. Should data also be transferred to the aforementioned providers, the following legal bases apply: Article 6(1)(b) of the GDPR, Article 49(1)(c) of the GDPR or, where beyond the contractual requirements, Article 5(1), first sentence, point 2 of the Bavarian Data Protection Act (BayDSG) and Article 49(1)(d) of the GDPR.
Further information on data processing in Microsoft 365 can be found here: Microsoft Privacy Statement – Microsoft Privacy
Personal data will be disclosed to the following organisations:
- People with whom you communicate or work
- IT staff members at the University of Applied Sciences in Munich
- Microsoft Ireland Operations Limited (data processing and contract fulfilment)
- Microsoft Corporation (data processing on behalf of others, fulfilment of contractual obligations and for its own purposes)
- As well as theirsubcontractors and support service providers
f. Retention period for personal data
Your personal data will be erased as soon as it is no longer necessary for the purpose for which it was collected. Such a requirement may exist, in particular, where data is needed to fulfil contractual obligations, to assert or defend claims, or to comply with statutory retention obligations; in the case of processing based on consent, until such consent is withdrawn, provided there is no other legal basis.
Further information on data retention, deletion and destruction in Microsoft 365 can be found via this link.
g. Your rights
Under the General Data Protection Regulation, you have the following rights:
- If your personal data is being processed, you have the right to obtain information about the data held about you (Article 15 of the GDPR).
- Should any inaccurate personal data be processed, you have the right to have it rectified (Article 16 of the GDPR).
- If the legal conditions are met, you may request the erasure or restriction of processing, and you may object to the processing (Articles 17, 18 and 21 of the GDPR).
- If you have consented to the processing of your data or if a data processing agreement is in place and the data processing is carried out using automated means, you may have a right to data portability (Article 20 of the GDPR).
Should you wish to exercise the rights set out above, Hochschule München will check whether the legal requirements for doing so have been met.
If you have given your consent to the data collection carried out by the data controller mentioned above by means of a corresponding declaration, you may withdraw that consent at any time with effect for the future in accordance with Article 7(3) of the GDPR. The lawfulness of any data processing carried out on the basis of that consent up until the time of withdrawal remains unaffected by this withdrawal.
Please note: We may need to request further information in order to verify your identity.
h. Obligation to provide the data
Where processing is based on consent, the provision of your data is voluntary. In cases where a different legal basis applies, such as for civil servants and other staff, there is an obligation to provide the necessary information. Where processing is necessary for the performance of a task carried out in the public interest, the provision of the data required for this purpose may be mandatory, in particular for the use of centralised systems in the context of studies or employment. Without this data, the system cannot be used.
i. Right to lodge a complaint with the supervisory authority
Furthermore, in accordance with Article 77 of the GDPR, you have the right to lodge a complaint with the Bavarian State Commissioner for Data Protection. You can contact the Commissioner using the following contact details:
Postal address: PO Box 22 12 19, 80502 Munich
Address: Wagmüllerstraße 18, 80538 Munich
Telephone: 089 212672-0
Fax: 089 212672-50
Online report: https://www.datenschutz-bayern.de/service/complaint.html
Photography
As part of our press and public relations work, photographs are taken at events and appointments in which guests may be recognisable. The legal basis for taking photographs of individuals is the authorising provision in Section 4(1) of the Bavarian Data Protection Act (BayDSG), and for the publication of such images, the authorising provision in Section 5(1), first sentence, No. 1 of the BayDSG. In this context, Hochschule München balances its interest in publication for public relations purposes against the fundamental right of the persons depicted to informational self-determination. If, in Hochschule München’s discretion, there is a legitimate interest worthy of protection in preventing publication, the photographs in question will not be published. Consent to the taking and/or publication of photographs may be withdrawn at any time.
If you wish to lodge an objection, please use the contact details provided below.
Communication
Any enquiries or opinions submitted via email, post, telephone, fax or social media, and the information provided therein, will be processed for the purpose of dealing with the enquiry, as well as for any follow-up questions and for the exchange of views.
Rights of those affected
Under the General Data Protection Regulation, you have the following rights:
- Where personal data is processed, data subjects have the right to obtain information about the data held about them (Article 15 of the GDPR).
- If inaccurate personal data is processed, you have the right to have it rectified (Article 16 of the GDPR).
- Where the legal conditions are met, data subjects may request the erasure or restriction of processing (Articles 17 and 18 of the GDPR).
- Where consent has been given for data processing, or where a contract for data processing exists and the data processing is carried out using automated means, data subjects may have a right to data portability (Article 20 of the GDPR).
- Data subjects have the right to withdraw their consent under data protection law at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of that consent prior to its withdrawal (Article 7 of the GDPR).
- Data subjects have the right to request information as to whether automated decision-making, including profiling, is taking place (Article 22 of the GDPR).
- Data subjects have the right to object at any time to the processing of their data on grounds relating to their particular situation, where the processing is carried out solely on the basis of Article 6(1)(e) or (f) of the GDPR (Article 21(1), first sentence, of the GDPR).
Should the rights set out above be exercised, the public authority will check whether the legal requirements for doing so have been met.
Furthermore, you have the right to lodge a complaint with a supervisory authority. The authority responsible for Hochschule München is the Bavarian State Commissioner for Data Protection.
You can contact them using the following contact details:
Postal address:
Postfach 22 12 19
80502 München
Address:
18 Wagmüllerstraße
80538 München
Tel.: +49 89 212672 - 0
Fax: +49 89 212672 - 50
Email: poststelle@datenschutz-bayern.de
Website: https://www.datenschutz-bayern.de/
Further information regarding our Privacy Policy
Hochschule München reserves the right to amend the Privacy Policy from time to time to ensure that it always complies with the latest legal requirements or to reflect changes to the services described in the Privacy Policy, for example when new services are introduced. The new Privacy Policy will then apply to any subsequent visits to the website.
If you have any questions, please feel free to contact the Data Protection Officer (datenschutzbeauftragter@hm.edu) or send an email to: kommunikation@hm.edu.
Last updated: 28 March 2024
The information on this page was translated into English for your convenience. In case of any discrepancies between the English and German versions, the German version shall prevail.