Information on data protection for use of messenger systems

This privacy information refers to the processing of personal data in the context of the provision of data protection breach notifications at the university.

General information

Contact details of the controller

The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:

University of Music Würzburg
Hofstallstr. 6-8
97070 Würzburg

Phone: +49 (0)931-32187-0
Fax: +49 (0)931-32187-2800

The University of Music Würzburg is an organisation under public law and a state institution (article 4 (1) of the Bavarian Higher Education Innovation Act (BayHIG)).
It is represented by the president, Professor Dr. Christoph Wünsch.

Contact details of the data protection officer

You can contact the official data protection officer at:

Data Protection Officer
Hofstallstr. 6-8
97070 Würzburg

E-mail: datenschutz@hfm-wuerzburg.de

Purpose of and legal basis for the processing of personal data

When reporting data protection violations, personal data will be collected and processed for the following purposes:

  • For internal processing and documentation purposes, the personal data provided by the notifying person will be collected.
  • If the personal data breach leads to a risk to the rights and freedoms of natural persons, a notification is made to the Bavarian Data Protection Commissioner.

Categories of personal data

The personal data provided by the reporting person is recorded for internal processing and documentation. This includes:

  • Information about the reporting person: surname, first name, contact details (e-mail address, telephone number, institution)
  • Time and general description of the incident
  • Information on measures taken
  • Information on the categories of personal data and scope (number of persons affected and number of data records affected).

Legal basis:

The legal basis for data processing is article 6 (1) point c) and articles 33, 34 of the GDPR in conjunction with article 4 (1) of the Bavarian Data Protection Act (Bayerisches Datenschutzgesetz - BayDSG).

Categories of data subjects

The personal data of the person reporting the incident and, if applicable, of the persons affected by the data protection incident are processed.

Recipients of the personal data

Information on data breaches is sent by e-mail to the address datenschutzvorfall@hfm-wuerzburg.de. This address serves as a permanent, person-independent contact point for reports of data protection violations. The incoming e-mails are processed and evaluated by an incident team.

Pursuant to article 33 (1) of the GDPR, the university is legally obliged to transmit the data recorded in the notification of a data protection breach to the Bavarian State Commissioner for Data Protection.

In individual cases, data may also be transferred to third parties on the basis of legal permission, for example to law enforcement agencies for the purpose of investigating criminal offences within the framework of the provisions of the Code of Criminal Procedure (Strafprozessordnung - StPO).

If technical service providers are given access to personal data, this is done on the basis of a contract in accordance with article 28 of the GDPR.

Transferring personal data to a non-EU country

Not planned at present.

Duration of storage of personal data

The legal basis for the retention is article 33 (5) of the GDPR in conjunction with section 195 of the German Civil Code (Bürgerliches Gesetzbuch - BGB); the data is retained for 3 years.

Rights of the data subject

Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data:

  • You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).
  • If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).
  • If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply in certain cases, however, such as if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).
  • You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is the Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München. In addition to the right of appeal, you can also seek a judicial remedy.

If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.

Amendments to our data protection declaration

We reserve the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).

If you have any further questions, please feel free to contact the Data Protection Officer.