This data protection information refers to the processing of personal data in connection with the internal reporting office in accordance with the Whistleblower Protection Act (Hinweisgeberschutzgesetz - HinSchG).

1. Contact details of the controller

Responsible for the processing within the meaning of the data protection laws, in particular the General Data Protection Regulation (GDPR), is the

University of Music Würzburg
Hofstallstr. 6-8
97070 Würzburg
Phone: +49 (0)931-32187-0
Fax: +49 (0)931-32187-2800

The University of Music Würzburg is a corporation under public law and a state institution (Art. 4 para. 1 BayHIG). It is represented by the President of the University of Music Würzburg Prof. Dr. Christoph Wünsch.

Internal reporting office

If you have any questions regarding content, please get in touch with the relevant contact person directly:

Zentraler Dienst der Bayerischen Staatstheater
Internal Reporting Office
Alter Hof 3
80803 Munich
Email: hinweisgeberschutz@staatstheater.bayern.de
Phone: +49 (0)89 - 2185-1866

2. Contact details of the data protection officer

You can reach the data protection officer as follows

Data Protection Officer of the University of Music Würzburg
Daniel Bachmeier
Hofstallstr. 6–8
97070 Würzburg
E-mail: datenschutz@hfm-wuerzburg.de

3. Purposes and legal bases for the processing of personal data

The Whistleblower Directive Directive (EU) 2019/1937 and its transposition into national law by the Whistleblower Protection Act are intended to protect persons working for a public or private organization when they report violations of Union law that affect the public interest. The university ensures compliance with these requirements by introducing an internal reporting office for whistleblowers.

The purpose of the internal reporting office is to receive and process reports of (suspected) violations of the law in a secure and confidential manner. The purpose of processing personal data is to detect and prevent abuses and the associated risk of damage and liability to the university.

At the university, the internal reporting office is operated externally by the Central Service of the Bavarian State Theatre. This unit is responsible for receiving and processing incoming reports, i.e. it operates the reporting channels (email inbox and (remote) oral reporting), carries out the reporting procedure and takes follow-up measures in accordance with the HinSchG.

Legal basis:

The legal basis for the processing of personal data is Art. 6 para. 1 lit. c) GDPR in conjunction with § 10 HinSchG.

4. Categories of personal data

As part of the submission of reports to and the processing of reports by the internal reporting office, your personal data is collected and processed for the following purposes:

For reporting information

• Name and contact details, if applicable
• Personal data that is the content of your report

To initiate follow-up actions

• Personal data required for taking follow-up measures.

For documenting the report

• Contents of the report
• Verbatim or content log of the (remote) verbal report
• Audio recording of the report or meeting, if applicable

5. Categories of data subjects

• Reporting office contact
• People who provide information
• Employees and employers
• Others mentioned in the report

6. Recipients of personal data

• Reporting office contact
• Persons in charge of follow-up actions

7. Transferring Personal Data to a non-EU Country

Not planned at present.

8. Storage period for personal data

Inventory data from our directory service for transmission to the requested service, are kept in Shibboleth only during the processing of the request.

1. General regulations

Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data:

• You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).

• If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).

• If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply in certain cases, however, such as if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).

• If you have consented to data processing or there is a contract concerning data processing and data is processed automatically, you may be entitled to data portability (article 20 of the GDPR).

• If there is an international transfer of personal data without the basis of an adequacy decision of the EU Commission, you have the right to obtain a copy of the contractual safeguards from us upon request.

• You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is the Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München. In addition to the right of appeal, you can also seek a judicial remedy.

2. Right of revocation

Insofar as processing is based on consent, you have the right to revoke your consent at any time. The revocation is only effective for the future; this means that the revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

3. Right to object

You may object to the processing of your personal data at any time due to reasons based on your personal circumstances (pursuant to article 21 of the GDPR).
If the legal requirements are met, we will then not further process your personal data.

If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.

We reserve the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).

If you have any further questions, please feel free to contact the Data Protection Officer.