We process your data to fulfill our mutual obligations in connection with your studies (including prospective studies), your pursuit of a doctoral degree, and/or to comply with legal requirements, such as those set forth in the Higher Education Act and the Higher Education Statistics Act.

Data protection law permits us, pursuant to Section 6(1)(c), to process personal data that is necessary for the performance of a contract or for the implementation of pre-contractual measures. If you voluntarily provide us with information about yourself beyond what is necessary, data protection law permits us to do so on the basis of your consent (pursuant to Section 6(1)(b) of the KDG). Data protection law permits us, under Section 6(1), first sentence, letter a of the KDG, to process your data if there is a legal obligation to do so (e.g., the Bavarian Higher Education Innovation Act (BayHIG)).

As part of data processing, your data may be transferred to:

• Service providers who are contractually bound and obligated to maintain confidentiality.
• Government agencies, where necessary.

We do not plan to do this. The only exception would be if you requested it or if it were necessary for your studies.

We store your data for as long as we need it to fulfill the purposes described in section 4.1 above. However, there are legal requirements (e.g. Section 147 of the German Fiscal Code) that require us to retain certain documents for six or ten years. Once the retention period has expired, we delete any data that is no longer needed.

In order to achieve the objectives outlined in Section 4.1, it is necessary for you to provide us with your personal data. For enrollment, the collection of the data specified in Section 87(2) of the Bavarian Higher Education Act (BayHIG) is required. For doctoral candidates, the collection of such data is required under Section 97(4) of the Bavarian Higher Education Innovation Act (BayHIG).

There will be no automated decision-making/profiling.

As a data subject, you have the following rights under the Church Data Protection Act (KDG) (hereinafter also referred to as “data subject rights”):

You have the right to request information regarding whether or not we process personal data about you. If we process personal data about you, you have the right to know:

• why we process your data (see also Section 4.1);
• what types of data we process about you;
• what types of recipients receive or are intended to receive your data (see also Section 4.3);
• how long we will store your data; if it is not possible to specify the storage period, we must explain how the storage period is determined (e.g., after the expiration of statutory retention periods) (see also Section 4.5);
• that you have the right to rectification and erasure of the data concerning you, including the right to restrict processing and/or the right to object (see also sections 5.2, 5.3, and following);
• that you have the right to lodge a complaint with the data protection supervisory authority;
• where your data comes from, if we did not collect it directly from you;
• whether your data is used for automated decision-making and, if so, to learn the logic underlying the decision and the potential effects and implications of the automated decision for you;
• that, if data about you is transferred to a country outside the European Union, you have the right to know whether—and if so, on the basis of which safeguards—an adequate level of protection is ensured by the data recipient;
• that you have the right to request a copy of your personal data. Data copies are generally provided in electronic form. The first copy is free of charge; a reasonable fee may be charged for additional copies. A copy can only be provided to the extent that this does not infringe upon the rights of other individuals.

You have the right to request that we correct your data if it is inaccurate and/or incomplete. This right also includes the right to have the data completed through supplementary statements or notifications. Any correction and/or supplementation must be made without undue delay.

You have the right to request that we delete your personal data if

• the personal data is no longer necessary for the purposes for which it was collected and processed;
• the data processing is based on your consent and you have withdrawn that consent; however, this does not apply if there is another legal basis for the data processing;
• You have objected to data processing based on a legal basis of “legitimate interest”; however, erasure is not required if there are overriding legitimate grounds for further processing;
• Your personal data has been processed unlawfully.

Erasure is necessary to comply with a legal obligation under state or church law to which the controller is subject.

There is no right to erasure of personal data if

• the law on freedom of expression and information conflicts with the request for erasure;
• the processing of personal data
  • is necessary to fulfill a legal obligation (e.g., statutory retention obligations),
  • to perform public tasks and serve public interests under applicable law (this also includes “public health”), or
  • for archiving and/or research purposes;
• the personal data is necessary for the establishment, exercise, or defense of legal claims.

The erasure must take place without undue delay (without culpable delay). If personal data has been made public by us (e.g., on the Internet), we must ensure, to the extent technically feasible and reasonable, that other data processors are also informed of the request for erasure, including the removal of links, copies, and/or replicas.

You have the right to have the processing of your personal data restricted in the following cases:

If you have contested the accuracy of your personal data, you may request that we not use your data for any other purpose while we verify its accuracy, thereby restricting its processing.

In the event of unlawful data processing, you may request the restriction of data use instead of data erasure.

If you need your personal data to assert, exercise, or defend legal claims, but we no longer need your personal data, you may request that we restrict processing to the purposes of legal proceedings.

If you have objected to data processing (see also Section 5.7) and it has not yet been determined whether our interests in processing outweigh your interests, you may request that your data not be used for other purposes for the duration of the review, thereby restricting its processing.

Personal data whose processing has been restricted at your request may—subject to storage—only be processed with your consent,

• to assert, exercise, or defend legal claims,
• to protect the rights of other natural or legal persons, or
• for reasons of substantial public interest.

If a restriction on processing is lifted, you will be notified in advance.

You have the right to request that we provide you with the data you have provided to us in a commonly used electronic format (e.g., as a PDF or Excel document).

You may also request that we transfer this data directly to another company (of your choosing), provided that this is technically feasible for us.

The prerequisite for you to have this right is that the processing is based on consent or for the performance of a contract and is carried out using automated means.

Exercising the right to data portability must not infringe upon the rights and freedoms of others.

If you exercise the right to data portability, you retain the right to data erasure.

If your data is processed for the performance of tasks carried out in the public interest or to safeguard legitimate interests, you may object to such processing. To do so, you must provide us with the reasons for your objection, which must be based on your specific circumstances. These may include, for example, special family circumstances or legitimate interests in confidentiality.

In the event of an objection, we must cease any further processing of your data for the stated purposes, unless there are compelling legitimate grounds for processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.

You may object at any time to the use of your data for direct marketing purposes; this also applies to profiling, insofar as it is related to direct marketing. In the event of an objection, we may no longer use your data for direct marketing purposes.

Decisions made by us that have legal consequences for you or significantly affect you may not be based solely on the automated processing of personal data. This includes profiling. This prohibition does not apply if the automated decision is necessary for the conclusion or performance of a contract with you, is permitted by law provided that such laws include appropriate measures to protect your rights and freedoms as well as your legitimate interests, or is made with your explicit consent.

Decisions based solely on the automated processing of special categories of personal data (=sensitive data) are only permissible if they are based on your explicit consent or if there is a substantial public interest in the processing and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.

To exercise your data subject rights, please contact the entity listed in Section 3.1. Requests submitted electronically will generally be answered electronically. The information, notifications, and measures required to be provided under the KDG, including “the exercise of data subject rights,” are generally provided free of charge. Only in the case of manifestly unfounded or excessive applications are we entitled to charge a reasonable fee for processing or to refrain from taking action
If there are reasonable doubts regarding your identity, we may request additional information from you for identification purposes. 

If we are unable to identify you, we are entitled to refuse to process your application. We will notify you separately—to the extent possible—if we are unable to verify your identity.

Requests for information are generally processed without delay, within one month of receipt of the request. The deadline may be extended by an additional two months if necessary, taking into account the complexity and/or the number of requests; In the event of an extension, we will inform you of the reasons for the delay within one month of receiving your application. If we do not act on an application, we will inform you of the reasons for this without delay within one month of receiving the application and inform you of the possibility of filing a complaint with a supervisory authority or seeking judicial remedy.

Please note that you may exercise your data subject rights only within the limits and restrictions provided for by the Union or the Member States.