Data Protection Officer
Public bodies that process or use personal data by means of automated procedures must appoint one of their employees as the official data protection officer. The data protection officer has the task of working towards compliance with the Bavarian Data Protection Act and other regulations on data protection in the public body.
Form for reporting a data security incident (data protection & information security)
You can find further information on reporting a data security incident in BayernCollab on the portal of the Bavarian universities of the arts for data protection and information security (internal).
Basic information on data protection law
Data protection is not just about protecting data as such, but also the fundamental rights of individuals.
The processing of personal data has become an integral part of our everyday lives. However, the more personal data third parties hold about a person, the more they know about them, the more predictable that person becomes and the more easily they can be influenced. Transparent, confidential, secure, conscientious and, above all, data protection-compliant handling of personal data is therefore a must!
The primary aim of data protection is therefore to protect the right to informational self-determination as part of the general personal rights of the persons concerned - because data protection is the protection of fundamental rights. At the same time, this protection should be reconciled in the best possible way with the interests of data processors (e.g. research, public relations, event planning, etc.).
Personal data is any information relating to an identified or identifiable person.
Examples of the type of information that enables the direct or indirect identification of an individual and can therefore be considered personal data are
- first name, surname, telephone numbers of customers, stakeholders, staff, vendors;
- identification numbers, such as a person's customer number or employee number;
- a booking reference;
- E-mail addresses, location data;
- A person's browser history;
- A person's purchase history and receipts;
- Photos, videos and audio recordings that contain images or sounds of individuals.
This personal data can be used to directly or indirectly identify an individual:
- For example, if your organization processes an individual's first or last name, this personal data allows that individual to be directly identified.
- For example, if your organization processes an individual's customer number or booking reference, this personal data may enable the indirect identification of that individual.
- Any type of information that is processed in relation to the directly or indirectly identified person (e.g. preferences, habits) is also considered personal data.
Personal data does not include
- anonymous data (data that cannot be traced back to an identifiable person)
- purely factual data that does not relate to an identifiable person (e.g. the list price or top speed of a car model).
Special categories of personal data
Some types of personal data, commonly referred to as sensitive data, belong to special categories that enjoy stronger protection. According to Art. 9 GDPR, sensitive data is information about
- the health of an individual;
- a person's sex life or sexual orientation;
- a person's racial or ethnic origin;
- a person's political opinions, religious or philosophical beliefs;
- a person's genetic data and biometric data (where processed to uniquely identify that person);
- trade union membership.
The processing of a person's sensitive data is generally prohibited (Art. 9 para. 1 GDPR), unless one of the exceptions in Art. 9 para. 2 GDPR applies (e.g. the explicit consent of the data subject).
The processing of personal data covers any operation carried out on or with personal data, whether or not by automated means (Art. 4 No. 2 GDPR).
Examples of processing operations are the collection, recording, organization, use, modification, storage and disclosure of personal data of natural persons.
Even though the GDPR is mainly concerned with the automated processing of personal data, manual processing is also subject to the GDPR as soon as the paper files form part of a filing system, e.g. are arranged alphabetically in a filing cabinet (Art. 2 para. 1 GDPR).
Data protection is a fundamental right that is regulated in more detail by the European General Data Protection Regulation (GDPR) and the Bavarian Data Protection Act (BayDSG).
Whenever personal data is to be processed, data protection regulations must be observed. Data protection regulations, i.e. regulations containing provisions on the processing of personal data, data subject rights and other "organizational" accompanying requirements, can be found "everywhere" (EU law, federal law, state/university law).
Data protection regulations are sometimes rather "hidden" in individual paragraphs (or individual sentences) in specialized laws, sometimes standardized in separate sections of a specialized law and sometimes in separate (data protection) laws.
Relevant regulations in data protection law in the university context are essentially
- the European General Data Protection Regulation (GDPR), which has been directly applicable throughout the EU since May 25, 2018
- in the Free State of Bavaria, the Bavarian Data Protection Act (BayDSG)
- other so-called sector-specific laws (e.g. Bavarian Higher Education Innovation Act (BayHIG), the German Social Code)
When processing the personal data of individuals, the university must comply with the following key principles of the GDPR.
Lawfulness (Art. 5 para. 1 lit. a GDPR)
Any processing of personal data requires a legal basis, i.e. a statutory permission or, where permissible, the consent of the data subject (Art. 6 GDPR; for special categories of data additionally Art. 9 GDPR).
Purpose limitation (Art. 5 para. 1 lit. b GDPR)
Personal data may only be collected for specified, explicit purposes and may not be further processed in a manner incompatible with those purposes.
Data minimization (Art. 5 para. 1 lit. c GDPR)
Data processing must be proportionate to the purpose and limited to what is necessary in terms of content and duration; on a form, for example, collect only the information actually required rather than additional "nice to have" details.
Fairness (Art. 5 para. 1 lit. a GDPR)
Personal data may only be processed in a "fair" manner. Typical cases of "unfair" processing are hidden data processing, such as hidden video cameras or software for spying on users.
Transparency (Art. 5 para. 1 lit. a GDPR)
Personal data must be processed in a way that is comprehensible to the data subject, i.e. the "W questions" must be answered: Who processes the data? What data? For what purpose? To whom is it disclosed? For how long is it kept?
Accuracy (Art. 5 para. 1 lit. d GDPR)
Personal data must be correct and up to date; inaccurate data must be corrected or erased.
Storage limitation (erasure/blocking) (Art. 5 para. 1 lit. e GDPR)
If personal data is no longer required, it must be erased, unless erasure conflicts with statutory retention obligations. For the duration of the retention period the data is not erased but blocked (restricted), i.e. withheld from any further use by the controller.
Integrity and confidentiality (Art. 5 para. 1 lit. f GDPR)
Personal data must be treated securely and confidentially. In particular, unauthorized persons must not be able to access the data or use the data or the devices on which it is processed. Appropriate technical and organizational measures must be taken for this purpose (Art. 32 GDPR).
Accountability (Art. 5 para. 2 GDPR)
The university must be able to demonstrate to the supervisory authority that it complies with all requirements of the GDPR. For this reason, you must document in detail the legal, technical and organizational measures you have taken to ensure data protection. Documentation means systematically storing and archiving the relevant documents, receipts and other materials in written or electronic form so that they are immediately to hand when needed, e.g. for an inquiry from the supervisory authority. These documentation obligations also include, for example, keeping a record of processing activities (Art. 30 GDPR).
The Data Protection Officer (DPO) is the point of contact for all questions relating to the handling of personal data within the respective university of the arts. Any employee can contact him or her directly, without following official channels.
The data protection officer performs the tasks in accordance with Art. 39 para. 1 GDPR. These include in particular
- Informing and advising the University Board and employees of the university who process personal data with regard to their obligations under the GDPR and other data protection regulations of the European Union and national law
- Monitoring compliance with data protection regulations, e.g. GDPR, BayDSG
- Advice in connection with the data protection impact assessment and monitoring its implementation in accordance with Art. 35 GDPR
- Cooperation with the supervisory authority, the Bavarian State Commissioner for Data Protection (BayLfD)
The Data Protection Officer has no authority to issue instructions either to the University Board or to individual employees/function holders. Advice or monitoring therefore ends in a recommendation on how to act in accordance with data protection regulations. The employees/function holders seeking advice and the University Board (the decision-makers) are free to follow or disregard this recommendation. Responsibility for compliance with data protection regulations lies with the persons authorized to make decisions in each individual case, not with the data protection officer, whose own responsibility is limited to the proper fulfillment of the tasks specified in Art. 39 para. 1 GDPR.