Logo of the University of Passau

Data privacy policy in accordance with GDPR

Data protection is an important concern for the University of Passau. We therefore attach great importance to data-efficient and user-friendly processing of personal data in connection with the fulfilment of our tasks.

This data privacy policy also applies to the processing of personal data and information within the meaning of § 25 TDDDG in the context of this website, including the services offered there.

1 Name and address of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and national data protection laws of the EU member states, as well as other data protection regulations is the:

University of Passau
Innstr. 41
94032 Passau
Germany
Phone: +49 851 5090
E-mail: president@uni-passau.de

2 Name and address of the data protection officer

Please contact our data protection officer directly if you have any questions relating to data privacy and data security:

insidas GmbH / actago GmbH
Weidenstr. 66
94405 Landau a. D. Isar
Phone: +49 9951 99990 500
E-Mail: datenschutz@uni-passau.de

3 General information

3.1 Purposes and legal basis for the processing of personal data

The purpose of the processing is to fulfil the public tasks assigned to us by law. Unless otherwise stated, the legal basis for the processing of your data results from Art. 4(1) Bavarian Data Protection Act (BayDSG) in conjunction with Art. 6(1)(e) GDPR. Accordingly, we are permitted to process the data required to fulfil a task incumbent upon us. Where you have consented to the processing of your data, such processing is based on Article 6(1)(a) GDPR.

3.2 Recipients of the personal data

If necessary, your data will be transmitted to the competent supervisory and auditing authorities to exercise the respective control rights.

Log data may be forwarded to the Landesamt für Sicherheit in der Informationstechnik (State Office for Information Security) on the basis of Art. 44 BayDiG in order to prevent threats to information security (for details, see "Logging").

3.3 Storage period for the personal data

Your data will be stored only as long as required for the fulfilment of responsibilities in compliance with the statutory retention periods.

3.4 Your rights

If we process your personal data, you have the following rights as a data subject:

  • You may request information as to whether we process your personal data. If this is the case, you have a right of access to this data and to further information related to the processing (Art. 15 GDPR). Please note that this right to information may be restricted or excluded in certain cases
    (cf. in particular Art. 10 BayDSG).
  • Where the personal data processed is inaccurate, you have the right to rectification (Art. 16 GDPR).
  • If the legal requirements are met, you have the right to erasure or restriction of processing (Art. 17 and 18 GDPR).
    However, the right to erasure pursuant to Art. 17(1) and (2) GDPR does not apply if the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Art. 17(3)(b) GDPR).
  • If you have consented to the processing of your personal data and processing is based on this consent, you have the right to withdraw your consent at any time.
    This does not affect the lawfulness of the data processing already carried out on the basis of the consent given until the date on which you withdraw your consent.
  • You have the right to object to the processing of your personal data at any time on grounds related to your specific situation (Article 21 GDPR). If the legal requirements are met, we will no longer process your personal data.

Further restrictions, modifications and, where applicable, exclusions of the aforementioned rights may result from GDPR or national legislation.

The data protection officer can provide more information on these rights.

3.5 Right of complaint to the supervisory authority

You have the right to lodge a complaint with the Bayerischer Landesbeauftragter für den Datenschutz (Bavarian state commissioner for data protection). The contact details are:

Postal address: Postfach 22 12 19, 80502 München, Germany

Street address: Wagmüllerstr. 18, 80502 München, Germany

Phone: +49 89 212672 0

Fax: +49 (0)89 212672 50

Online complaint form: https://www.datenschutz-bayern.de/service/complaint.html

4 Information about the website

4.1 Technical implementation

Our web server is operated by the University of Passau itself. The personal data you provide when visiting our website is primarily processed by the University of Passau itself.

4.2 Logging

When you access this or other pages, you transmit data to our web server via your web browser. The following data are recorded during an ongoing connection for communication between your web browser and our web server:

  • Date and time of the request
  • Name of the requested file
  • Page from which the file was requested
  • Access status (file transferred, file not found, etc.)
  • Web browser and operating system used
  • Complete IP address of the requesting computer
  • Amount of data transferred

We store this data for reasons of technical security, in particular to defend against attempted attacks on our web server. After seven days at the latest, the data is anonymised by shortening the IP address at domain level so that it is no longer possible to establish a reference to individual users.

This data is forwarded to the State Office for Information Security on the basis of Art. 44 BayDiG in order to prevent threats to information security.

4.3 Secure data transmission

By accessing this service, we offer a connection encrypted with HTTPS and Perfect Forward Secrecy, which is secured, at minimum, with the TLS 1.2 encryption protocol, so that your data are protected against unauthorised access by third parties during data transmission. We recommend that you keep your web browser up to date in order to use this option.

5 Cookies

We use cookies to ensure the correct technical and functional provision of this information service. Cookies are small text files that are stored on the device you are using.

The legal basis for the storage of information and the processing of personal data by means of technically necessary cookies is § 25(2) TDDDG and Art. 6(1)(e) GDPR in conjunction with Art. 4 BayDSG.

Technically necessary cookies are only valid for the current session and are automatically deleted as soon as you close your browser.

The use of functional cookies is voluntary. If these cookies are blocked, the provision of certain functions may be impeded.

The legal basis for the use of cookies that are not technically necessary is the user's consent in accordance with § 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR.

When you access this website, we store cookies (small files) on your device. These have a validity of:

Name: Lastpageuid Storage duration: 24 hours

6 Contact by e-mail

6.1 Description and scope of data processing

Contact can be made via the e-mail address provided. Your personal data transmitted with the e-mail is stored. No data will be passed on to third parties in this context.

The data is used exclusively for handling your enquiry.

6.2 Legal basis for data processing

The legal basis for the processing of your personal data transmitted in the course of sending an e-mail is Art. 6(1)(e) GDPR in conjunction with Art. 4 BayDSG. If the purpose of contacting us by e-mail is to conclude a contract, the additional legal basis for the processing is Art. 6(1)(b) GDPR.

6.3 Purpose of data processing

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

6.4 Duration of storage

Your personal data will be deleted as soon as it is no longer needed to fulfil the purpose for which it was collected. For personal data sent by e-mail, this is the case when the conversation with you has concluded. The correspondence is deemed to have concluded when it can be inferred from the circumstances that the matter in question has been conclusively resolved.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

6.5 Right of objection and deletion

You have the option to object, at any time, to the processing of your personal data in the context of your e-mail enquiry. The conversation between you and us cannot then be continued. All personal data stored in the course of contacting us will be deleted in this case.

7 Electronic mail (e-mail)

Information that you send to us by unencrypted electronic mail (e-mail) can potentially be read by third parties during transmission. As a rule, we are unable to verify your identity and do not know who is behind an e-mail address. Legally compliant communication by simple e-mail is therefore not guaranteed. Like many e-mail providers, we use filters against unsolicited advertising ("spam filters"), which, in rare cases, automatically classify legitimate e-mails as unsolicited advertising and delete them. E-mails that contain harmful programmes ("computer viruses") are automatically deleted by us without exception.

If you have concerns about the transmission of personal or other sensitive data, please contact the intended recipient (our staff members) to agree on a suitable encryption method prior to transmission, or use letter post.

8 Active components

This service uses active components such as JavaScript, Java applets and ActiveX controls. You can switch this function off by changing the settings in your web browser.

9 Microsoft 365

We use Microsoft 365, a service that is provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland.

The processing of personal data is carried out for the purpose of fulfilling our statutory and official duties (under Art. 6(1)(e) GDPR, Art. 4 BayDSG in conjunction with other legal provisions, such as BayHIG, BayDiG, TDDDG, BayHO).

We have entered into a data processing agreement with Microsoft in accordance with Art. 28 GDPR for the use of the service.

Using this service may involve the transfer of data to a third country (the US). The provider is certified under the EU-US Data Privacy Framework and therefore offers an adequate level of data protection. In addition, data transfers are safeguarded by the EU Standard Contractual Clauses and supplementary technical and organisational measures.

Further information can be found in the provider’s privacy policy at the following URL: https://privacy.microsoft.com/de-de/privacystatement

10 Newsletters

10.1 Description and scope of data processing

Our website offers newsletters relating to university and student matters. To subscribe to the newsletter, you must provide a valid e-mail address. By subscribing to the newsletter, you agree to receive it and to the procedures described.

10.2 Legal basis for data processing

The legal basis for the processing of your personal data in connection with the sending of the newsletter is your consent, pursuant to Art. 6(1)(a) GDPR.

10.3 Purpose of data processing

We collect your personal data for the purpose of sending you the newsletter. The purpose of processing your personal data in connection with the newsletter is to keep you informed about the latest news and offers.

10.4 Duration of storage

Your personal data will be deleted as soon as it is no longer needed to fulfil the purpose for which it was collected. Your personal data will therefore be stored for as long as your newsletter subscription remains active.

10.5 Right of objection and deletion

You can unsubscribe from the newsletter at any time. To do so, you must click on the link provided in every edition of the newsletter. Once you have cancelled your subscription, your personal data will be deleted. Cancelling the subscription also allows you to withdraw your consent.

11 Web analytics using Matomo (formerly PIWIK)

11.1 Scope of the processing of personal data

We use the open-source software Matomo (formerly PIWIK) on our website to analyse our users’ browsing behaviour. This software places a cookie on the user's computer (see above for more information on cookies). When individual pages of our website are accessed, the following data is stored:

  • Two bytes of the IP address of the user’s system
  • The webpage that has been opened
  • The website from which the user accessed the current webpage (referrer)
  • The subpages accessed from the current webpage
  • The length of time spent on the webpage
  • How often the webpage is visited

The software runs exclusively on our website’s servers. Users’ personal data is stored only there and is not made available to any third parties.

The software is configured so that IP addresses are not stored in full; instead, 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). This means that it is no longer possible to link the truncated IP address to the computer making the request.

11.2 Legal basis for the processing of personal data

The legal basis for the processing of your personal data is set out in Art. 6(1)(e) GDPR in conjunction with Art. 4(1) BayDSG and Art. 2 BayHIG.

11.3 Purpose of data processing

Processing your personal data enables us to analyse your browsing behaviour. By analysing the data collected, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. Anonymising the IP address ensures that your interest in protecting your personal data is properly respected.

11.4 Duration of storage

Your personal data will be deleted as soon as it is no longer required for our record-keeping purposes. In our case, this happens after 180 days.

11.5 Right of objection and deletion

You have the right to object to the processing of your personal data for analytical purposes at any time.

If you exercise this right to object (“opt-out”), a technically necessary cookie (mtm_consent_removed) with a duration of 400 days will be set in your browser. This cookie is used solely to inform our systems that your data should no longer be collected.

The cookies contain only anonymised data; as the IP address is stored in an anonymised form, it is not possible to link it to a specific individual.

For more information on the privacy settings for the Matomo software, please visit the following link: https://matomo.org/docs/privacy/

12 Using YouTube videos

Our website features videos from the external video platform YouTube. By default, only disabled images from the YouTube channel are embedded; these do not establish an automated connection to YouTube’s servers. This means that the platform provider does not receive any data from the user when the webpage is accessed.

You can decide for yourself whether to enable YouTube videos. Only when you enable video playback by clicking on “Permanent activation” do you consent to the necessary data (including the URL of the current page and the user’s IP address) being transmitted to the platform provider.

To save the settings chosen by the user, we set a cookie that stores these parameters. When these cookies are set, we do not store any personal data; they contain only anonymised data used to customise the browser. The videos are then active and can be played by the user. If you wish to disable the automatic loading of YouTube videos, you can uncheck the consent box under the privacy icon. This will also update the cookie settings.

YouTube is a service provided by YouTube LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, a subsidiary of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA. Further information on the purpose and scope of data processing (including processing outside the European Union and outside the USA), as well as information on privacy settings, can be found in the privacy policy:

https://policies.google.com/privacy?hl=de&gl=de

Google processes your personal data in the US and elswhere.

13 OpenStreetMap

This site uses the open-source mapping tool “OpenStreetMap” (OSM) via an API. The provider is the OpenStreetMap Foundation. In order to use the features of OpenStreetMap, we need to store your IP address. This information is usually transmitted to an OpenStreetMap server and stored there.

The provider of this website has no control over this data transfer. We use OpenStreetMap to ensure that our online content is presented in an appealing way and that the locations listed on our website are easy to find.

Personal data will only be disclosed following consent within the meaning of Art. 6(1)(a) GDPR.

You can find more information on how user data is handled on the OpenStreetMap data privacy page and at http://wiki.openstreetmap.org/wiki/Legal_FAQ

14 Vimeo

This website uses plugins from the video portal Vimeo. The provider is Vimeo Inc., 555 West 18th Street, New York, New York 10011, USA.

When you visit one of our pages that uses a Vimeo plugin, a connection is established with Vimeo’s servers. This tells the Vimeo server which of our pages you have visited. Vimeo also collects your IP address. This also applies if you are not logged in to Vimeo or do not have a Vimeo account. The information collected by Vimeo is transmitted to the Vimeo server in the USA.

When you are logged in to your Vimeo account, you allow Vimeo to link your browsing activity directly to your personal profile. You can prevent this by logging out of your Vimeo account.

The use of Vimeo is based on consent in accordance with Art. 6(1)(a) GDPR; consent may be withdrawn at any time.

For further information on how user data is handled, please refer to Vimeo’s privacy policy at: https://vimeo.com/privacy https://vimeo.com/privacy

15 BITE Recruitment Manager

15.1 Description and scope of data processing

There is a form on our website that can be used to submit online applications for job vacancies. If you choose this option, the data entered in the form will be sent to us and stored. This data is:

  • Salutation*
  • Title
  • Given name(s)*
  • Family name(s)*
  • Date of birth
  • E-mail address*
  • (Private) telephone number
  • Postcode*
  • Place of residence*
  • Street*
  • House number*
  • Country*
  • Highest level of school education attained*
  • Highest academic qualification attained*
  • Completed vocational training*
  • Current employer*
  • Are you, or have you previously been, employed by the Free State of Bavaria?*
  • Are you currently employed at the University of Passau*
  • Do you have a severe disability or a recognised equivalent status?
  • Earliest start date
  • Scope of employment
  • How did you find out about this vacancy?*
  • Other jobs boards
  • Attached files (cover letter, CV, employment and/or degree certificates, evidence of qualifications, and, where applicable, proof of severe disability)

*Required fields

When you submit the form, we will seek your consent to the processing of your data and refer you to this privacy policy.

The data will be used solely for the purpose of processing your application.

15.2 Legal basis for data processing

The legal basis for the processing of personal data in connection with the online application is the performance of a contract and the implementation of pre-contractual measures in accordance with Art. 6(1)(b) GDPR.

15.3 Purpose of data processing

We use the personal data you provide in the form solely for the purpose of processing your application.

The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

15.4 Duration of storage

Your personal data will be deleted as soon as it is no longer needed to fulfil the purpose for which it was collected. This applies to personal data provided in the online job application until the application process has been completed, any employment relationship that may have been established has ended and any applicable statutory retention periods have expired.

The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

15.5 Right of objection and deletion

You have the right to object to the processing of your personal data in connection with your online job application at any time. In such cases, the job application cannot be processed further. All personal data stored in connection with the job application will be deleted.

15.6 Handling the job application process

The job application process is managed using software provided by BITE GmbH, whose registered office is at Magirus-Deutz-Straße 12, D-89077 Ulm. This service provider is engaged on the basis of Art. 6(1)(a) and (b) GDPR and a data processing agreement in accordance with the first sentence of Art. 28(3) GDPR; the service provider does not use the personal data generated in this process itself or pass it on to third parties.

16 Social networks and platforms

As part of our public relations work, we maintain an online presence on social media networks and platforms; these form part of our public image and public relations activities in accordance with Art. 2(2) sentences 3 and 5 BayHIG and Art. 17(1) BayDIG. We strive to inform and communicate with interested parties and users in a manner appropriate to the target audience.

For our social media presence, we use the services of the following providers:

  • Facebook (Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland)
  • Instagram (Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland)
  • WhatsApp by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
  • X (formerly Twitter) (X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland)
  • YouTube, a Google service (Google Ireland Limited; registered office: Gordon House, Barrow Street, Dublin 4, Ireland)
  • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.
  • Xing (New Work SE, Dammtorstraße 30, 20354 Hamburg)
  • TikTok (TikTok Technology Limited, The Sorting Office, Ropemaker Place, Dublin 2, D02 HD23, Ireland)
  • BlueSky (Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland)

Any content, posts and enquiries that are held to be infringing upon the rights of others, constituting a regulatory or criminal offence or are held to be in breach of legal or contractual obligations will be divulged to the competent authorities and/or the social media service concerned. In addition, they will be blocked or deleted.

Please note that when using the services mentioned above, user data may be processed outside the European Union / European Economic Area. This can give rise to risks for users, such as potentially hindering the enforcement of users' rights. With regard to US providers who rely, among other things, on the European Commission's Standard Contractual Clauses, we wish to point out that they thereby commit to complying with EU data protection standards.

Furthermore, users’ data is generally processed for market research and advertising purposes. For example, user profiles can be created based on users’ browsing behaviour and the interests that arise from it. These usage profiles can in turn be used, e.g. to display adverts both on and off the platforms that are likely to match users’ interests. For these purposes, cookies are usually stored on users’ computers, in which their usage behaviour and interests are recorded. Furthermore, data may also be stored in user profiles irrespective of the devices used, particularly where the users are members of the relevant platforms and are logged in to them.

The processing of users’ personal data is carried out on the basis of our legitimate interests in providing users with effective information and communicating with them in accordance with Art. 6(1)(e) GDPR, Art. 4 BayDSG in conjunction with Art. 2(2) sentences 3 and 5 BayHIG and Art. 17(1) BayDIG. If users are asked by the respective platform providers to consent to the data processing described above, the legal basis for the processing is Art. 6(1)(a) and Art. 7 GDPR.

A detailed explanation of the specific processing activities and the options for opting out is available directly from the respective providers.

We should like to point out that requests for information and the exercise of user rights are most effectively dealt with by the service providers themselves. Only the service providers have access to users’ data and are able to take appropriate action and provide information directly. Details of the services used can be found as follows:

  • Facebook (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

Privacy policy: https://www.facebook.com/about/privacy/

Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com

  • Google/YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland)

Privacy policy: https://policies.google.com/privacy

Opt-out: https://adssettings.google.com/authenticated

  • Instagram (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)

Privacy Policy / Opt-out: http://instagram.com/about/legal/privacy/.

  • LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland.

Privacy Policy: https://www.linkedin.com/legal/privacy-policy

Opt-out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

  • X (X Internet Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland)

Privacy policy: https://x.com/de/privacy

Opt-out: https://x.com/settings/account/personalization

  • Xing (XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany)

Privacy Policy / Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.

  • TikTok (TikTok Technology Limited, The Sorting Office, Ropemaker Place, Dublin 2, D02 HD23, Ireland)

Privacy Policy / Opt-out: https://www.tiktok.com/legal/page/eea/privacy-policy/de

  • BlueSky (Ametros Ltd, Unit 3D, North Point House, North Point Business Park, New Mallow Road, Cork, Ireland)

Privacy Policy / Opt-out: https://bsky.social/about/support/privacy-policy

  • WhatsApp by WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.

Privacy Policy / Opt-out: https://www.whatsapp.com/privacy

17 StudyCheck

We use StudyCheck on our website. The service is provided by OAK – Online Akademie GmbH, whose registered office is at Zollstockgürtel 63, 50969 Cologne. The service allows users to submit reviews and ratings of higher education institutions, which are subsequently used to compile rankings.

The legal basis for this processing is consent pursuant to Art. 6(1)(a) GDPR.

The purpose of the processing is to allow users to participate in and complete the study evaluation.

The University of Passau has no control over the storage of personal data by StudyCheck.

You have the right to object to the processing of your data by StudyCheck at any time. In that case, all data collected in connection with the service will be deleted.

For further information on how StudyCheck handles personal data, please visit:
https://www.studycheck.de/datenschutz

18 Spotify

Our website uses plugins from Spotify, an audio streaming platform operated by Spotify AB, Birger Jarlsgatan 61, 113 56 Stockholm, Sweden.

You can find an overview of the Spotify plugins at: https://developer.spotify.com/. We use Spotify by embedding individual audio files, albums, playlists or podcasts from the platform on our website as so-called iFrames, so that they can be played directly on our website as a stream.

When you visit a page on our website that contains an embedded Spotify plugin, a connection is established with the Spotify servers and the plugin is displayed on our website. This sends information to Spotify about which website you have visited. Your IP address may also be transmitted to Spotify. When you play an embedded audio file, an album or a playlist, this information is also shared with Spotify. If you are logged in as a Spotify user, Spotify will associate this data with your user account.

If you do not want Spotify to be able to link your visit to our website to your Spotify account, please log out of your Spotify account. For further information on data protection at Spotify, please visit www.spotify.com/de/legal/privacy-policy

19 Note on the privacy policy

Unless otherwise regulated, the use of all information we have about you is subject to this data privacy policy.

The controller reserves the right to continuously adapt this data privacy policy to the necessary security measures in line with technological developments and will announce any changes here.

Last revised in April 2026

20 Additional notes

20.1 Technical and organisational measures

The controller has put in place technical and organisational measures to protect your data from loss, destruction and unauthorised access.

In addition, the controller’s staff and any service providers are obliged to maintain confidentiality and to comply with data privacy regulations.

20.2 SSL or TLS encryption

For security reasons and to protect the transmission of confidential content that you send to us, the website owner, our website uses SSL or TLS encryption. This means that any data that you transmit via this website cannot be read by third parties. You can recognise an encrypted connection by the address starting with "https://" and the padlock symbol in the URL line.

I agree that a connection to the Vimeo server will be established when the video is played and that personal data (e.g. your IP address) will be transmitted.
I agree that a connection to the YouTube server will be established when the video is played and that personal data (e.g. your IP address) will be transmitted.
Show video