Information on data protection

Here you can find all information on data protection at Nuremberg University of Music:

Information on data protection concerning our website

Data Protection Declaration

 

This data protection declaration covers the processing of personal data on this website, including the services offered there as well as our social media channels and to the extent that no special information is provided.

 

For more information on the processing of your data, please use the contact details given below.

 

 
  1. General information
 

 

Contact details of the controller

The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:

 

University of Music Nuremberg

Veilhofstraße 34

90489 Nuremberg

Telephone: +49 (0)911 21522-102

Telefax: +49 (0)911 21522-104

Email: info@hfm-nuernberg.de

 

The University of Music Nuremberg is an organisation under public law and a state institution (article 11 (1) of the Bavarian Higher Education Act (BayHSchG)). It is represented by the president, Prof. Rainer Kotzian.

 

Contact details of the Data Protection Officer

Data Protection Officer of the University of Music Nuremberg

Mr Falk Hartwig

University of Music Nuremberg

Veilhofstraße 34

90489 Nürnberg

Telephone: +49 (0) 911 215 22-180

Email: falk.hartwig@hfm-nuernberg.de

 

Purpose of and legal basis for the processing of personal data

The purpose of our data processing is to perform public services delegated to us by law, especially those tasks of public information.

The legal basis for processing your personal data, unless indicated otherwise, is article 4 (1) of the Bavarian Data Protection Act (BayDSG) in combination with Article 6 (1) point e) of the General Data Protection Regulation (GDPR). Pursuant to this legislation, we are authorised to process data required for us to fulfil our responsibilities.

Where you have given consent for your data to be processed, processing is covered by article 6 (1) point a) of the GDPR.

 

Recipients of personal data

Technical operation of our data processing systems is conducted by

 

University of Music Nuremberg

Central IT

Kesslerplatz 12

90489 Nürnberg

Telephone: +49 911 5880 4848

Email: rz-hotline(x)th-nuernberg.de

 

 

Storage period for personal data

Your data is only stored as long as it is necessary to complete relevant tasks whilst observing legal retention requirements.

 

 
  1. Rights of the data subject
 

 

General regulations

Pursuant to article 15 of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data:

 
  • You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).
 
 
  • If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).
 
 
  • If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply, however, if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).
 
 
  • If you have consented to data processing or there is a contract concerning data processing and data is processed automatically, you may be entitled to data portability (article 20 of the GDPR).
 
 
  • If there is an international transfer of personal data without the basis of an adequacy decision of the EU Commission, you have the right to obtain a copy of the contractual safeguards from us upon request.
 
 
  • You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is:

Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München.

In addition to the right of appeal, you can also seek a judicial remedy.

 

Right of revocation

Insofar as processing is based on consent, you have the right to revoke your consent at any time. The revocation is only effective for the future; this means that the revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

 

Right to object

You may object to the processing of your personal data at any time due to reasons based on your personal circumstances (pursuant to article 21 of the GDPR). If the legal requirements are met, we will then not further process your personal data.

 

 
  1. Information about the website
 

 

Technical implementation

Our web server is operated by IT centre of the Nuremberg Institute of Technology (in the following: RZ). The personal data transmitted by you when you visit our website is therefore processed by

 

University of Music Nuremberg

Central IT

Kesslerplatz 12

90489 nuremberg

Telephone: +49 911 5880 4848

Email: rz-hotline(x)th-nuernberg.de

 

on our behalf.

 

Creation of log files

By using this or other web pages, you transmit data to our web server through your internet browser. The following data is recorded during any open connection for communication between your internet browser and our web server:

 
  • IP address of the requesting computer
 
 
  • Date and time of access
 
 
  • Name and URL of the accessed file and data volume transmitted
 
 
  • Access status (file transmitted, not found etc.)
 
 
  • Identifying data of browser and operating system used (if transmitted by the browser accessing the site)
 
 
  • The website from which our website is accessed (if transmitted by the browser accessing the site)
 

The data in this log file is processed as follows:

 
  • In some instances, for example if an error or security breach is reported, a manual analysis is performed.
 

The IP addresses contained in the log files are not combined with other data, so that the RZ cannot draw conclusions about individual users.

 

After the end of the connection, data is anonymised by shortening the IP address at domain level so that it is no longer possible to connect the data to individual users.

 

SSL encryption

We use state-of-the-art encryption processes (such as SSL) using HTTPS to protect your data while it is being transferred.

 

Active Components

We use no active components such as JavaScript, Java-Applets or Active-X-Controls.

 

Cookies

We do not set or use cookies.

 

 
  1. Information on specific instances of data processing
 

 

Social Media

On our social media pages, we create content within the scope of our public relations activities and our freedom of research, teaching and art, and we see the contributions and interactions of the community there. We endeavour to inform our users according to the needs of our target audience and to engage in a dialogue with our target audience.

 

We will expose any content, contributions or enquiries that violate the rights of third parties or that constitute a criminal or regulatory offence by transmitting it to the responsible authority or the social media provider; we will also block or delete it.

 

The legal basis for data processing on our social media pages and elements is article 6 (1) point e) of the GDPR in connection with article 2 (6) of the Bavarian Higher Education Act (BayHSchG), article 3 of the BayHschG, article 4 (1) sentences 1 and 2 of the BayEGovG, section 5 (1) point 2) of the German Broadcast Media Act (TMG) and, if applicable, the contract between the respective service provider pursuant to article 6 (1) point b) of the GDPR.

 

Social media posts and messages that you transmit to us in non-public form are checked at regular intervals, as to whether storing these requests is still necessary for the purpose of dealing with possible follow-up questions. If it is no longer necessary to store them, their processing will be limited and they will still be stored in accordance with legal retention requirements and archiving regulations.

 

If you have publicly communicated with us via social media, you can decide yourself how long the data should remain public or ask us to delete it. We will then delete this data in accordance with archiving regulations within our area of responsibility. Should any copies of the data remain after deletion, their processing will be restricted and they will be stored in accordance with legal retention requirements and archiving regulations.

 

Additional data protection information on the service providers or services

Social media providers often create extensive profiles of their members and of those they are in contact with via tele-media services (for example by clicking a like button or accessing a website). These profiles are used for the purpose of selling advertisements, amongst other things. So if you use our services with these providers, they will know that there is a connection between you and us. As we are jointly responsible for some of this data processing, we provide further information on the processing by the social media providers.

 

You can limit the scope of data processing to some extent by adjusting your browser setting or installing browser add-ons. Useful information about this is available at https://www.privacy-handbuch.de/handbuch_21.htm (available only in German). The providers also offer individual settings to regulate advertising and tracking, for example. This may only be possible if you have an account with the respective provider. We have listed important information sources as well as terms of use for the most important ones here.

 

 

Facebook (including Instagram)

Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland and Facebook, Inc. 1601 Willow Road Menlo Park, California 94025, USA

  
  
  
  
  
  
  
  
  
  
  
  
  
  

 

Google YouTube

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

  
  
  
  
  

 

 

Events

For our events, we process the data necessary for registration and organisation in accordance with article 6 (1) point e) of the GDPR. Data is deleted in accordance with legal retention periods, i.e. after six years for business letters and after ten years for invoices, unless the data of the participants is required beyond these periods to be able to issue copies or confirmations.

 

 
  1. Amendments to our data protection declaration
 

We reserve the right to change our data protection declaration, to accommodate changes to legislation or changes in the services we provide, (e.g., if we introduce new services). The new data protection policy will then apply to your future visit to our website.

 

Do you have any questions?

If you have questions about data protection, please write us an email or contact the person responsible for data protection in our organisation directly:

 

Data Protection Officer of the University of Music Nuremberg

Mr Falk Hartwig

University of Music Nuremberg

Veilhofstraße 34

90489 Nürnberg

Telephone: +49 (0) 911 215 22-180

Email: falk.hartwig@hfm-nuernberg.de

Information on data protection for use of video conferencing systems

Information on data protection for use of video conferencing systems

 

This privacy information refers to the processing of personal data in the context of the provision and use of video conferencing systems as a collaboration and communication solution.

Since 1 December 2021, meeting and webinar solutions provided by external video conferencing providers are so-called telecommunications services within the meaning of the Telekommunikation-Telemedien-Datenschutz-Gesetz (Telecommunications Telemedia Data Protection Act - TTDSG) and are therefore subject to telecommunications secrecy pursuant to § 3 TTDSG.

Note: If you join using the “Zoom” website or the website of another provider we use, the provider is responsible for the data processing.

A visit to the website may be necessary for the use of the respective video conferencing system in order to download the software (app).

However, the respective tool can also be used without the application by clicking on the respective invitation and, if necessary, entering further access data for the respective online lesson directly in the browser version of the tool. The basic functions of the respective tool can be used via the browser version, which can be found on the website of the respective tool.

 

 
  1. General information
 
 
  1. Contact details of the controller
 

The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:

 

University of Music Nuremberg

Veilhofstraße 34

90489 Nürnberg

Telephone: +49 (0)911/21522-102

Telefax: +49 (0)911/21522-104

Email: info(a)hfm-nuernberg.de

 

The University of Music Nuremberg is an organisation under public law and a state institution (article 11 (1) of the Bavarian Higher Education Act (BayHSchG)). It is represented by the president, Prof. Rainer Kotzian.

 

 
  1. Contact details of the Data Protection Officer
 

You can contact our official Data Protection Officer at:

Data Protection Officer of the University of Music Nuremberg

Mr Falk Hartwig

Hofstallstr. 6–8

97070 Würzburg

Telephone: +49 (0) 911 215 22-180

Email: falk.hartwig(a)hfm-nuernberg.de

 

 
  1. Purpose of and legal basis for the processing of personal data
 

Personal data is processed exclusively for the provision and use of the video conferencing systems as an aid for teaching, research and administration, including statistical evaluation. The purpose of the data processing is the use for cooperation within the scope of the official activities at the university for the fulfilment of the university tasks according to article 2 of the BayHSchG.

 

This covers the use of licensed products and services, the provision of updates, the guarantee of information security as well as technical and customer-related support in the following scenarios:

 

doozzoo:

For seminars, lectures, events, etc. with the need for music-specific additional functions. Not suitable for confidential meetings/conversations and exchange of sensitive data. This offer is a contractually bound service of a commercial provider (https://doozzoo.com/de/datenschutz/).

 

Jitsi Meet:

For ad hoc video conferences in smaller groups for the purpose of general agreements. Limited suitability for video conferences of a confidential nature, e.g. committee meetings, internal consultations, examinations, defence.  Data processing takes place exclusively on servers of the university.

The organiser can protect the video conference with a password. If this is done, conferences with a confidential character are also possible.

 

Microsoft Teams

For seminars, lectures, events, etc. with a focus on presentation or discussion via audio/video. Not suitable for confidential meetings/conversations and exchange of sensitive data. Microsoft Teams is a service of Microsoft Corporation (https://www.microsoft.com/de-DE/microsoft-365/microsoft-teams/group-chat-software).

 

Zoom:

For seminars, lectures, events, etc. with a focus on presentation or discussion via audio/video. Suitable for video conferences of a confidential nature such as committee meetings, internal consultations, examinations, defences, provided the conference is protected via end-to-end encryption.  This offer is a contracted service of the telecommunications provider Zoom Video Communications Inc.

For further information on the processing of personal data by the provider itself, please refer to Zoom's privacy policy: https://zoom.us/privacy

In principle, it is possible for all communication participants using Zoom to communicate with you. Support is provided by Zoom under its own responsibility. Please avoid disclosing personal data unless necessary for the resolution of the problem.

 

Data processing for purposes other than those specified or permitted by law (e.g., for internal security system checks and to ensure internal network and information security in accordance with article 6 (1) of the Bavarian Data Protection Act (BayDSG)) does not take place.

 

Any use for private purposes within the scope of the licenses provided is excluded.

 

There will be no performance or behavioural monitoring based on your use. Use for the creation of personal statistics is not permitted.

 

Automated decision-making or profiling in the legal sense does not take place. You cannot use the application without providing your personal data.

 

Legal basis:

 

Scope of application

Legal basis

Provision of the service and statistics:

article 6 (1) point e of the GDPR in connection with article 4 of the BayDSG (article 2, 10, 55 BayHSchG)

Provision as a working tool:

article 6 (1) point b of the GDPR in connection with article 4 of the BayDSG (section 106 of the Trade, Commerce and Industry Regulation Act (GewO))

article 6 (1) point c and e of the GDPR in connection with article 4 of the BayDSG (article 33 (5) Basic Law for the Federal Republic of Germany (Grundgesetz – GG))

article 6 (1) point c of the GDPR in connection with section 3a (1) of the Workplace Ordinance (ArbStättV)

For recordings of events

article 6 (1) point b of the GDPR in the case of contracts with record-ing obligations

Art. 6 para. 1 lit. a GDPR in the other cases

 

 

 
  1. Categories of personal data
 

Depending on the type and scope of use of the video conferencing systems, the following personal data may be processed.

 

doozzoo:

 

No.

Description of the data

1

Name of the students

2

Email address of the students

3

Login data (username=email address and password)

4

Video streams

5

All data provided by studentsin their online lessons in their user access or media library and chat

6

Usage data resulting from the use of the functionalities of doozzoo, such as anonymised access figures, anonymised application histories

7

browser type, device type, operating system, IP address, time zone

8

Data provided by the user to doozzoo through other means, such as a support ticket or email request.

 

 

Jitsi Meet:

 

No.

Description of the data

1

Meeting organisation (freely selectable user name, freely selectable meeting name and room, session and setting cookies)

2

Meeting participation (freely selectable user name, freely selectable screen, camera and sound transmission, session and setting cookies)

3

Chat history data

4

Traffic and control data (IP address with time and date, client information

 

 

Microsoft Teams:

 

No.

Description of the data

1

Account Information

2

Profile and participant information

3

Contacts and calendar integrations

4

Settings of services

5

Content and context of meetings, webinars and messages

6

Recordings of meetings or webinars

7

Data from the operation of the telecommunication service

 

 

Zoom:

 

No.

Description of the data

1

Account Information

2

Profile and participant information

3

Contacts and calendar integrations

4

Settings of services

5

Content and context of meetings, webinars and messages

6

Recordings of meetings or webinars

7

Data from the operation of the telecommunication service

 

 
  1. Categories of data subjects
 

doozzoo:

 

Category no.

Description of the data

1-8

Staff members (employees/officials) of the person responsible.

1-8

"Teachers" who have doozzoo teacher access as users of doozzoo.

1-8

"Learners" who have doozzoo student access as users of doozzoo

1-8

Users who operate doozzoo in test mode without registration

 

 

Jitsi Meet:

 

Category no.

Description of the data

1, 3, 4

Organisers

2, 3, 4

Participants

3, 4

Persons about whom the meeting is about

 

 

Microsoft Teams

 

Category no.

Description of the data

1-7

Users

5, 6

Other persons mentioned in the communication

 

 

Zoom:

 

Category no.

Description of the data

1-7

Users

5, 6

Other persons mentioned in the communication

 

 
  1. Recipients of personal data
 

doozzoo:

Personal data processed in connection with the use of doozzoo will in principle not be disclosed to third parties unless it is specifically intended to be disclosed.

The video conferencing provider doozzoo as well as any subcontractors necessarily receive knowledge of the processed data insofar as this is required or provided for in the context of the order processing contract or any contractual relationships with subcontractors.

For details, please refer to the following overview.

 

Category
no.

Recipient

Reason for Disclosure

Data Storage Location

1-7

Company C. Bechstein Digital GmbH

Data processing

EEA

1-7

Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland

Firebase" service:

  • Database with audio, video data, music notes, text messages.
  • Authentication.
 

Storage of persistent data: EEA

Anonymised, non-persistent, token-based processes: European Economic Area EEA (EEA),

partly USA

1-7

Vonage Holdings Corp., 23 Main St

Holmdel, NJ 07733, USA

Service "Tokbox" to:

  • Technical provision of the encrypted live stream
 

Video stream server: Edge network with the nearest node: EEA

1-8

Freshdesk, Neue Grünstraße

17, 10179 Berlin, Deutschland

Support Ticketing Service to:

  • Acceptance and handling of support requests via e-mail ticketing.
 

Server: EEA

 

 

Jitsi Meet:

Unless otherwise stipulated by law, no data is transferred to third parties. This may become necessary in the context of hardware and software maintenance.

 

Microsoft Teams

Personal data processed in connection with the use of Microsoft Teams will not be disclosed to third parties unless it is intended for disclosure.

The video conferencing provider Microsoft Teams as well as any subcontractors necessarily receive knowledge of the processed data insofar as this is required or provided for within the framework of the order processing contract or any contractual relationships with subcontractors.

For details, please refer to the following overview.

 

Category
no.

Recipient

Reason for Disclosure

Data Storage Location

7

Telecommunications Service Provider

Telecommunications

Worldwide

1-6

Microsoft Ireland Operations Limited

Data processing and contract fulfilment

1-7 Germany

1-6

Microsoft Corporation

Date processing, contract fulfilment and own purposes

8, 9 EEA, England, United States of America

5

Participants

Communications

Worldwide

1

User

Telecommunications

Publication

 

 

Zoom:

Personal data processed in connection with the use of Zoom will generally not be disclosed to third parties unless it is specifically intended for disclosure.

The video conferencing provider Zoom as well as any subcontractors necessarily obtain knowledge of the processed data to the extent that this is required or provided for in the context of the order processing agreement or any contractual relationships with subcontractors.

For details, please refer to the following overview.

 

Category
no.

Recipient

Reason for Disclosure

Data Storage Location

7

Telecommunications Service Provider

Telecommunications

Worldwide

1-6

Zoom Video Communications, Inc. and subprocessors

Data Processing

EU, Japan, Canada, USA

5

Participants

Communications

Worldwide

1

User

Telecommunications

Publication

 

 

 
  1. Transferring Personal Data to a non-EU Country
 

doozzoo:

Data processing outside the European Union (EU) does not take place as a matter of principle, as we have limited our storage location to data centres in the European Union (currently: Frankfurt and Amsterdam). However, we cannot exclude the possibility that data is routed via internet servers located outside the EU. This may be the case in particular if participants in video conferences are located in a third country. However, the data is encrypted during transport over the internet and thus protected against unauthorised access by third parties. For more information, please refer to the following links of the provider and its sub-processors:

 

Jitsi Meet:

Unless otherwise stipulated by law, no data is transferred to a third country. This may become necessary in the context of hardware and software maintenance.

 

Microsoft Teams:

Data processing outside the European Union (EU) does not take place as a matter of principle, as we have restricted our storage location to data centres in the European Union. However, we cannot exclude the possibility that data is routed via internet servers located outside the EU. This can be the case in particular if participants in video conferences are in a third country. However, the data is encrypted during transport via the internet and thus protected against unauthorised access by third parties.

 

Category
no.

Third country or international organisation

Appropriate safeguards in case of transfer pursuant to Art. 49 (1) subparagraph 2 GDPR

1-6

Worldwide

Standard contractual clauses

7

Worldwide

Confidentiality of telecommunications

5

Worldwide

Outside the scope of application according to Art. 85 GDPR

 

 

Zoom:

We use a software solution from the provider Zoom, headquartered in San Jose, California/USA, for the provision and execution of video conferences. Thus, data processing takes place in a third country. An adequate level of data protection is guaranteed by the conclusion of so-called EU standard data protection clauses, which Zoom has concluded with the subcontractors (see article 46 of the GDPR).

 

Category
no.

Third country or international organisation

Appropriate safeguards in case of transfer pursuant to Art. 49 (1) subparagraph 2 GDPR

1-6

Worldwide

Standard contractual clauses

7

Worldwide

Confidentiality of telecommunications

5

Worldwide

Outside the scope of application according to Art. 85 GDPR

 

 

 
  1. Storage period for personal data
 

We will delete your data pursuant to article 17 (1) point a of the GDPR if we no longer need it for the purposes for which it was collected or otherwise processed. In the event that your data is processed on the basis of a declaration of consent or if you have submitted a justified objection to processing, we will delete your data immediately. Something else applies in the event that we are obligated to retain the data due to legal retention obligations or if the data is transferred to the state archives (Landesarchiv).

 

Zoom: Time limits for the deletion of the different categories of data

Category
no.

Deletion period

1, 3, 4

30 days after deletion of the account or end of the contract

2

30 days after the end of the event.

In aggregated form also 12 months. There is no cloud-based storage.

5

If no recording was made, chat messages will be deleted after 12 months.

6

After revocation of consent required for publication and storage of the recording or after discontinuation of the need for publication and storage of the recording. Cloud-based storage does not take place.

7

Under the responsibility of the telecommunication service provider

 

 

 

 
  1. Rights of the data subject
 
 
  1. General regulations
 

Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data: 

 
  • You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).
 
 
  • If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).
 
 
  • If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply in certain cases, however, such as if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).
 
 
  • If you have consented to data processing or there is a contract concerning data processing and data is processed automatically, you may be entitled to data portability (article 20 of the GDPR).
 
 
  • You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is the Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München. 
 

 

 
  1. Right of revocation
 

Insofar as processing is based on consent, you have the right to revoke your consent at any time. The revocation is only effective for the future; this means that the revocation does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

 

 
  1. Right to object
 

You may object to the processing of your personal data at any time due to reasons based on your personal circumstances (pursuant to article 21 of the GDPR).

If the legal requirements are met, we will then not further process your personal data.

 

If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.

 

 
  1. Amendments to our data protection declaration
 

We reserve the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).

 

If you have any further questions, please feel free to contact the Data Protection Officer.