Information on the processing of your personal data on our website:
1. Preliminary remark
We appreciate your interest in our University. The Catholic University of Eichstätt-Ingolstadt (KU) attaches particular importance to the protection of your personal data. In the following, we would like to inform you about how we treat your personal data in accordance with Section 15 Law on Data Protection in the Catholic Church in Germany (Gesetz über den Kirchlichen Datenschutz, KDG).
2. What is personal data?
All information concerning a specific or identifiable person. A person is deemed to be identifiable if such person can be identified directly or indirectly. This may be effected by allocating an identifier to such person, for example a name, an ID number, location data, online identification data or one or several distinctive characteristics.
3. Basic information
3.1 Who is responsible for processing my personal data?
Catholic University of Eichstätt-Ingolstadt (KU)
Ostenstraße 26, 85072 Eichstätt, Germany
Phone: +49 8421-93-0
3.2 How can I contact the University’s data protection officer?
SK-Consulting Group GmbH
Mr. Georg Möller
32549 Bad Oeynhausen, Germany
4. Further important information
4.1 Why does the KU process my personal data?
Our website provider generates anonymized data automatically in a standardized procedure that we are currently unable to deactivate.
Why is the KU allowed to process my personal data?
Section 6 para. 1 lit. b KDG serves as a legal basis for data processing operations for which we obtain an approval applicable to certain processing purposes. If the processing of personal data is necessary for the fulfillment of an agreement to which the data subject is a contractual party, as is the case, e.g. in processing operations which are necessary for the delivery of goods or other services or return services, such processing shall be governed by Section 6 para. 1 lit. c KDG. The same shall apply for processing operations necessary for the fulfillment of pre-contractual measures, e.g. in case of inquiries for our goods or services. If our University is governed by a legal obligation making the processing of personal data necessary, e.g. in order to fulfill tax obligations, such processing shall be governed by Section 6 para. 1 lit. d KDG. In exceptional cases, the processing of personal data may become necessary in order to protect vital interests of the data subject or another natural person. For example, this is the case when visitors are injured on our premises and their name, age, health insurance data or other vital information would have to be passed on to a doctor, hospital or other third parties as a consequence connected to the injury. In such a case, the processing of personal data would be governed by Section 6 para. 1 lit. e KDG. Ultimately, data processing operations can also be based on Section 6 para. 1 lit. g KDG. This serves as a legal basis for procession operations which are not covered by any of the aforementioned legal bases and if the processing of personal data becomes necessary in order to preserve a legitimate interest of our company or a third party, provided that no interests and fundamental rights and freedoms of the data subject prevail which would require protection of personal data.
4.3. Which of my data is collected?
By using cookies, the KU is able to provide more user-friendly services to website users, which would not be able without allowing cookies.
4.3.2 Collection of general data and information
The KU website collects a number of general data and information every time a data subject or an automated system accesses the web page. Such general data and information is stored in the server’s log files. The following data can be collected: (1) type and version of the used browser, (2) the operating system type used by the accessing system, (3) the website from which an accessing system is redirected to our web page (so-called ‘referrers’), (4) the sub-pages accessed on our web page via an accessing system, (5) the date and time when the website was accessed, (6) an internet protocol address (IP address), (7) the internet service provider of the accessing system and (8) other similar data and information used for the protection against attacks on our IT systems.
When processing such general data and information, the KU does not draw any conclusions to the data subjects. Rather, this information is necessary in order to (1) correctly display and provide the content on our website, (2) optimize the content on our website and advertisement for such content, (3) ensure stable functionality of our IT systems and technology of our web page and (4) be able to provide the necessary information for prosecution and law enforcement purposes in case of a cyberattack. Therefore, such anonymized data and information is analyzed both for statistical purposes and in order to improve data protection and data security in our company with the aim of being able to ensure the best possible level of protection for personal data processed by us. The anonymized data collected by the server log files are stored separately from any personal data entered by a data subject.
4.3.3. Registration on our website
You have the possibility to register on the KU website by entering personal data. Which kind of personal data is transferred for processing to the responsible department (data processor) is dependent on the respective input mask used for the registration. Any personal data you enter will exclusively be collected and stored for internal use and own purposes by the respectively responsible data processor. The KU is authorized to transfer such data to one or several processors, e.g. parcel services, who will equally use this personal data for internal purposes only which are connected to the department responsible for the processing.
When registering on the KU website, the IP address allocated by the data subject’s internet service provider (ISP) as well as the date and time of registration will be stored. This information is collected because this is the only way to prevent misuse of our services and because this data can support the investigation of crimes committed. This means that storage of this data is necessary for the protection of the responsible data processor. In general, this data is not transferred to third parties, unless there is a legal obligation to disclose or if disclosure becomes necessary in the context of criminal prosecution.
The data subject’s registration and voluntary disclosure of personal data enables the KU to provide the data subject with content or services that can only be offered to registered users due to the nature of the content or service. Registered persons have the possibility to have their personal data, which they entered upon registration, changed or deleted from the responsible department’s database at any time.
The KU will provide information on the nature of personal data stored for the respective data subject at any time upon request. Furthermore, the data subject can request that the responsible data processor corrects or deletes personal data, unless an opposing statutory storage obligation is in place.
4.3.4. Newsletter subscription
On the KU website, you have the possibility to subscribe to the University‘s newsletter. The relevant input mask provides information on which type of personal data must be disclosed to the responsible processor in order to be able to register for the newsletter. Newsletter forms from Cleverreach and Mailerlite are integrated on the KU website.
With its newsletter, the KU provides interested readers information on news and events at the University in a regular interval. Our University’s newsletter can generally only be received by a data subject if (1) the data subject has a valid e-mail address and (2) the data subject has subscribed to the newsletter. For legal reasons, a confirmation e-mail will be sent to the e-mail address provided for that purpose for the first time in a double opt in process as soon as a data subject has subscribed to the newsletter. This confirmation e-mail serves the purpose of verifying whether the holder of the e-mail address as the data subject has authorized receipt of the newsletter.
When a person subscribes to the newsletter, we further store the IP address provided by the internet service provider (ISP) of the computer system that was used by the data subject at the point in time of registration as well as the date and time of the subscription. It is necessary to collect this type of data in order to be able to retrace any (possible) misuse of the data subject’s e-mail address at a later point in time. Thus, it serves as legal protection for the responsible data processor.
The personal data collected upon subscription for the newsletter is solely used for the purpose of sending our newsletter. Furthermore, subscribers to the newsletter could be informed by e-mail if necessary for the operation of the newsletter service or a registration connected to it, as would be the case for changes to the newsletter service or to the technical conditions. Personal data collected in the context of the newsletter service will not be passed on to third parties. You can cancel your subscription to our newsletter at any time. You can also revoke your consent on the storage of personal data for the purpose of sending out the newsletter at any time. If you want to revoke your consent, please use the corresponding link that is included in every newsletter. You can also unsubscribe from the newsletter directly on the website of the responsible data processor or notify the responsible data processor that you no longer want to receive the newsletter in any other way.
4.3.5. Newsletter tracking
KU newsletters include so-called tracking pixels. A tracking pixel is a miniature graphic embedded into the e-mails which are sent in HTML format. They enable log file recording and analysis. This allows statistical evaluation of the success or failure of online marketing campaigns. The embedded tracking pixel enables the KU to see if and when an e-mail was opened by the recipient and which links contained in the e-mail were accessed by the person.
Any personal data collected by the tracking pixel used in newsletters is stored and analyzed by the responsible data processor in order to improve the newsletter service and to be able to tailor the content of future newsletters to the interests of the recipients. This personal data will not be passed on to third parties. Data subjects shall be entitled to revoke their consent, which they gave separately with regard to this in the double opt in process, at any time. After revocation, this personal data will be deleted by the responsible data processor. If a data subject unsubscribes from the newsletter, the KU deems this an automatic revocation.
4.3.5. Contact via the website
In accordance with statutory provisions, the KU website contains information offering the user a quick electronic way of contacting our University and enabling direct communication with us. This also includes a general e-mail address. If a person contacts the KU via e-mail or the contact form, any personal data transferred by the respective data subject is stored automatically. Such personal data which was passed on to the KU on a voluntary basis by the data subjects is stored for the purpose of processing their request or contacting the relevant data subject. This personal data will not be passed on to third parties.
4.4 How long will you store my personal data?
The KU only processes and stores personal data of the data subject for the period of time which is necessary for the storage purpose or if this is provided for by a European regulator or issuer of directives or another legislator or is stipulated in a law or regulation to which the responsible data processor is subject.
If the storage purpose lapses or a deadline stipulated by a European regulator or issuer of directives or another responsible legislator expires, such personal data will be deleted or blocked in a routine procedure in accordance with statutory provisions.
4.5 Do I have to provide my personal data?
In order to fulfill the reasons stipulated in 4.1, it is necessary that you provide us with your personal data.
It is mandatory and prescribed by law that you provide your personal data for the fulfillment of the agreement between you and the KU. If you deny provision of your data, we will not be able to conclude an agreement with you.
Should you have any complaints, you can contact the relevant data protection supervision (responsible data protection officer of the diocese) at any time.
You are entitled to a judicial examination of the issue in accordance with Section 49 para. 1 KDG against a supervisory authority or in accordance with Section 49 para. 2 KDG against us.
4.6 Automated decision making/profiling
There will be no automated decision making/profiling.
5. What are my rights?
5.1 Information on your rights
As a data subject, you have amongst others the following rights in accordance with the KDG (in the following also referred to as “Data Subject Rights”):
5.2 Right to information in accordance with Section 17 KDG
You have the right to request information as to whether or not we process your personal data. If we process your personal data, you have the right to know
- the purposes of the processing
- the type of personal data which is processed
- the recipient or categories of recipients to which such personal data was disclosed or will be disclosed, in particular if the recipient is in a third country or an international organization
- if possible, the planned period for which your personal data will be stored or, if this is not possible, the criteria used to determine that period
- the right to notification or deletion of personal data concerning your person or the right to request restrictions of processing by the respective responsible processor or the right to object to the processing
- the right to appeal to the data protection supervision
- if the personal data was not collected from the data subject directly, all available information on the origin of your data
- the existence of an automated decision making process including profiling in accordance with Section 24 para. 1 and 4 KDG and – at least in those cases – relevant information about the logic involved as well as the significance and the envisaged consequences of such processing for the data subject
- that you are entitled to be informed whether, and if so, on the basis of which guarantees, your data is adequately protected by the data recipient in case of a transfer of your personal data to a country outside the European Union;
- about your right of requesting a copy of your personal data.
The first copy is issued free of charge; an appropriate fee may be charged for any further copies. A copy can only be provided if no rights of another person are affected thereby.
5.3 Right to rectification of personal data in accordance with Section 18 KDG
You have the right to request rectification of your personal data in case it is incorrect and/or incomplete. This right also includes the right to completion by additional statements or notifications. Any rectifications and/or additions must be made without undue delay.
5.4 Right to erasure of personal data in accordance with Section 19 KDG
You have the right to request erasure of your personal data if
- such personal data is no longer required for the purposes for which it was collected and processed;
- processing of your personal data is effected on the basis of your consent and you have withdrawn such consent; however, this shall not apply if such data processing is permitted by another statutory authorization;
- you have filed an objection to the processing of your personal data which is permitted by law on the basis of the so-called “legitimate interest”; however, an erasure must not be effected if legitimate reasons for a continued processing have priority;
- you have filed an objection to the processing of your personal data for the purposes of direct marketing
- your personal data has been unlawfully processed;
You shall not be entitled to a right of erasure of personal data if
- the right to freedom of expression and information is opposed to the deletion request;
- the processing of personal data is necessary
- for the fulfillment of a legal obligation (e.g. statutory storage obligations),
- for the purposes of public tasks or interests in accordance with applicable law (this also includes “public health”) or
- for archiving or research purposes;
- the personal data is required for asserting, exercising or defending legal claims.
Erasure must be effected immediately (without undue delay). If we have publicly disclosed personal data (e.g. on the internet), it is our responsibility to ensure, to the extent technically possible and reasonable, that other data processors are informed of the erasure request including the erasure of links, copies and/or other duplicates.
5.5 Right to restrictions of data processing in accordance with Section 20 KDG
You have the right to request restrictions in the processing of your personal data in the following cases:
- If you have contested the accuracy of your personal data, you can request that we do not use your data for other purposes during the period in which its accuracy is verified, thus request a restriction of processing of such data.
- In case of unlawful processing of your personal data, you can request restriction of processing instead of erasure of the data;
- If you require your personal data for the assertion, exercise or defense of legal claims, but we no longer require your personal data, you can request that we impose restrictions on the processing for prosecution purposes;
- If you have filed an objection against data processing and if it is still unclear whether our interests in a processing take precedence over your interests, you can request that your data is not used for other purposes for the duration of the verification and thus request a restriction of processing.
Any personal data, the processing of which was restricted upon your request, may, subject to storage, only be processed for
- asserting, exercising or defending legal claims
- the protection of the rights of other natural persons or legal entities or
- reasons of an important public interest,
provided that you give your consent.
You will be informed in advance if a processing restriction is to be lifted.
5.6 Right to data portability in accordance with Section 22 KDG
You have the right to request that we provide you with the data you have provided to us in a common electronic format (e.g. PDF or excel file).
You can also request that we directly transfer such data to another company (as named by you) as far as technically possible for us.
The prerequisite for your right to such request is that the processing is effected on the basis of a consent or for the implementation of an agreement and by using automated processes.
Exercising the right to data portability must not adversely affect the rights and freedoms of other persons.
If you make use of your right to data portability, your right to erasure of data shall remain unaffected.
5.7 Right to object to certain data processing in accordance with Section 23 KDG
If your data is processed for the performance of tasks in the public interest or for the performance of legitimate interests, you can object to this processing. In doing so, you must state the reasons for your objection arising from your particular situation, such as e.g. special family circumstances or interests in confidentiality worthy of protection.
In case of an objection, we shall be obliged to refrain from processing your personal data, unless
- there are compelling and legitimate grounds for a processing which take precedence over your interests, rights and freedoms, or
- the processing is necessary for asserting, exercising or defending legal claims.
You have the right to object to a use of your personal data for direct marketing purposes at any time; this shall also apply to profiling, insofar as such profiling is connected to direct marketing. In case of an objection, we will no longer be authorized to use your personal data for direct marketing purposes.
Direct marketing and/or profiling is not arranged for or effected by us in any case.
5.8 Prohibition of automated decisions/profiling in accordance with Section 24 KDG
We are not allowed to base decisions taken by us, which have legal consequences or a significant adverse effect for you, exclusively on automated processing of personal data. The same shall apply to profiling. This prohibition shall not apply insofar as the automated decision making
- is necessary for the conclusion or implementation of an agreement with you,
- is permissible in accordance with legal provisions, if such legal provisions include appropriate measures for the protection of your rights and freedoms as well as your legitimate interests, or
- is effected with your explicit consent.
Decisions which are exclusively based on automated processing of special types of personal data (=sensitive data), are only permissible in cases when
- they are taken on the basis of your explicit consent or
- there is considerable public interest in the processing
and if appropriate measures were taken for the protection of your rights and freedoms as well as your legitimate interests.
5.9 Exercise of Data Subject Rights
Please contact us if you would like to exert your Data Subject Rights. Requests which are submitted electronically are generally answered electronically. In general, all information which is to be provided in accordance with the KDG as well as all notifications and measures including exercise of the Data Subject Rights are provided free of charge. We are entitled to request a reasonable fee for further copies in order to cover administrative costs
If there is reasonable doubt about your identity, we shall be entitled to request additional information from you for identification purposes.
In general, any requests for information are processed immediately within one month from receipt of the request. This deadline can be extended by a further two months if an extension is necessary in view of the complexity and/or number of requests; in case of a deadline extension, we shall inform you within one month after receipt of your request and state reasons for the delay. If we do not get active with regard to a request, we shall inform you immediately within one month after receipt of the request and state reasons for this. We shall also inform you of your possibility to file a complaint with a supervisory authority or seek judicial remedy before a court.
6. Data protection notice on integrated components on this website
6.1. Data protection regulations for the application and use of Facebook.
Furthermore, we have a company profile on Facebook. In connection to this company page, we would like to notify as follows:
- Within the meaning of the EU General Data Protection Regulation (GDPR) and any other data protection regulations, the following parties are collectively responsible for the operation of this Facebook page:
Facebook Ireland Ltd. (Hereinafter referred to as „Facebook“)
4 Grand Canal Square
Grand Canal Harbour
Catholic University of Eichstätt-Ingolstadt (KU)
85072 Eichstätt, Germany
- As soon as you access our company page, your browser establishes a connection with Facebook and transfers information. This transferred data includes, amongst others:
For users who are not registered with or logged onto Facebook:
IP address: When a Facebook company page is accessed, Facebook automatically identifies the accessing user’s IP address.
Cookies: If you access our company page, Facebook will automatically place cookies. According to information provided by Facebook, the so-called datr cookie enables Facebook to identify the web browser with which the connection to the Facebook page is established. This cookie plays a key role when it comes to protecting the social network from “malicious activity”. The datr cookie is valid for two years, but can be deleted by changing the browser settings.
For users who are registered with and logged onto Facebook:
IP address: Facebook also collects the IP address of users who are logged in (see above).
Cookies: In this case as well, Facebook places a datr cookie (see above).
If you are a member of Facebook and are logged on to Facebook while visiting our company profile, the c_user cookie will be additionally activated. Facebook will then connect the fact that you access the company page to your personal user account. This allows Facebook to draw conclusions on your user behavior.
- Facebook processes user data for the following purposes:
- Advertising, analysis, creation of personalized advertising
- Creation of user profiles
- Market research
When the company page is accessed, Facebook automatically stores information transferred by your browser to Facebook in a log file. We explicitly state that we neither have any knowledge of the extent and content of the data collected by Facebook nor of its processing and use or possible transfer to third parties by Facebook.
For information on Facebook’s data protection policy, please click here (https://www.facebook.com/policy.php) to access Facebook’s privacy statement.
Furthermore, Facebook provides operators of company pages with a tool for measuring statistical information (=non-personal data) on how their pages are accessed and used. This includes, for example, the total number of page views, “Likes”,
page activity, interactions on posts, video views, reach of posts, shared contents, replies, share of men and women and the origin of users (country and city) as well as their language.
- What you can do to prevent this
If you are a member of Facebook and you do not want Facebook to collect your data via our company page and connect such data to your member data stored on Facebook, you have to:
- log off from Facebook before you access our company profile
- in a next step delete any and all cookies stored on your computer
- and quit and restart your browser.
Like this, according to Facebook’s own statement, any and all Facebook information by which you could be identified is being deleted.
can be activated here https://www.facebook.com/settings?tab=ads and here http://www.youronlinechoices.com/. Facebook Inc., the US-American parent company of Facebook Ireland Ltd. is certified under the EU-U.S. Privacy Shield and thus commits to adhere to European data protection guidelines.
- Additional information on Facebook’s Privacy Shield status is available here: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active. We, as operators of the company page, cannot rule out the transfer and further processing of personal user data to third countries, such as for example the USA, as well as any connected risks for users.
- In accordance with the GDPR, you can exert your data subject rights primarily towards Facebook Ireland or towards us,
- In accordance with the judgment of the European Court of Justice (ECJ), the company page is jointly controlled by Facebook and us within the meaning of Art. 26 GDPR; in this context, please see Page Controller Addendum.
- In accordance with the GDPR, the primary responsibility for the processing of insights data lies with Facebook and Facebook fulfills any and all obligations arising from the GDPR in connection with the processing of insights data,
- Facebook Ireland shall provide the data subject with main information regarding the Page Insights Addendum,
- Only Facebook Ireland shall make decisions on the processing of insights data and carry out such processing.
- We do not make any decisions on the processing of insights data and all other information arising from Art. 13 GDPR, including the legal basis, identity of the controller and the period for which cookies are stored on the users’ devices.
- The legal basis for the processing of insights data arises from Art. 6 para. 1 sentence 1 lit. f GDPR (overriding legitimate interest). Our aim is to make the page more attractive for our users.
6.2. Data protection regulations for the application and use of Matomo (previously Piwik)
If you do not agree to the storage and evaluation of this data regarding your visit, you can object to the storage and use of this data at any time with a simple mouse click. In this case, a so-called opt-out cookie is stored in your browser, which means that Matomo does not collect any session data. Please note: If you delete your cookies, this also results in deletion of the opt-out cookie, which might then have to be reactivated. The legal basis for use is provided by Section 6 para. 1 lit. g) KDG. Our legitimate interest lies in the optimization and economic operation of our online presence.
6.3. Data protection regulations for the application and use of YouTube
We use YouTube in our online presence. This is a video portal of YouTube LLC., 901 Cherry Ave., 94066 San Bruno, CA, USA, hereinafter only referred to as "YouTube". YouTube is a subsidiary of Google LLC., 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter only referred to as "Google".
We use YouTube in connection with the "Privacy-Enhanced Mode" feature to be able to display videos to you. The legal basis is provided in Section 6 para. 1 lit. g) KDG. Our legitimate interest lies in the quality improvement of our online presence.
According to YouTube, the function "Privacy-Enhanced Mode" has the effect that the data described in more detail below is only transmitted to the YouTube server when you actually start a video. Without this "Privacy-Enhanced Mode", a connection to the YouTube server in the USA is established as soon as you access one of our websites on which a YouTube video is embedded. This connection is necessary to display the respective video on our website via your web browser. In the course of this, YouTube will at least record and process your IP address, the date and time as well as the website you visit. Furthermore, a connection to Google’s advertising network "DoubleClick" will be established. If you are also logged on to YouTube, YouTube will assign the connection information to your YouTube account. If you want to prevent this, you must either log out of YouTube before visiting our website or make the appropriate settings in your YouTube user account.
For the purpose of functionality as well as for the analysis of usage behavior, YouTube permanently stores cookies via your web browser on your device. If you do not agree to this processing, you have the possibility to prevent the storage of cookies by adjusting your web browser settings. You will find more information on this under "Cookies" above. Google provides further information on the collection and use of data and your rights and protection options in this regard in the data protection information available at https://policies.google.com/privacy. Through certification in accordance with the EU-US Privacy Shield https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active, Google and its subsidiary YouTube guarantees that the EU's data protection regulations are also observed when processing data in the USA.