Shibboleth privacy policy
Basic information
Controller
Julius-Maximilians-University Würzburg
(Statutory body under public law)
Its president represents the university.
Sanderring 2, 97070 Würzburg
Phone: +49(0)931-31-0
Fax: +49(0)931-31-82600
Contact details of the data protection officer
Data Protection Officer of the Julius-Maximilians-University Würzburg
Sanderring 2
97070 Würzburg
Phone: +49(0)931-31-0
E-Mail: datenschutz@uni-wuerzburg.de
General
With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:
- You can request information about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
- In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction and, if necessary, completion of such data (Art. 16 GDPR).
- If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not exist, among other things, if the processing of personal data is necessary for the performance of a task. This is in the public interest or is in the exercise of official authority (Art. 17 sec. 3(3) (b GDPR).
- If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability (Art. 20 GDPR).
- If there is an international transfer of personal data without the basis of an adequacy decision of the EU Commission, you have the right to obtain a copy of the contractual guarantees upon request to us.
- You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities. In addition to the right of complain, you may also seek for a judicial remedy.
Withdrawal of consent
Insofar as the processing is carried out on the basis of consent, you have the right to withdraw your consent at any time. The revocation only works for the future; that is, the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Right to object (article 21 GDPR)
For reasons arising from your particular situation, you can also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data.
The obligation to archive with its precedence over the deletion remains unaffected in the context of limits for the deletion of data.
Purposes of the processing
Shibbloeth serves to provide a SingleSignOn for login and use of services to fulfill university tasks with their help or to provide teaching and working materials.
Legal bases of the processing
Art. 6 para. 1 lit. e GDPR in connection with Art. 2 BayHSchG or Art. 4 para. 1 BayDSG.
Provision obligation
The provision of master data is required for use. In addition, usage data is generated during use.
Source of data
The released attributes come from our central directory service.
In addition, further data is generated within the scope of service performance.
Categories of personal data
Inventory data, from our directory service for transfer to the requested service
- eduPersonAffiliation: student, employee, member. Multiple nominations are possible, member and employee are mutually exclusive. The status is independent of the affiliated institution.
- eduPersonPrimaryAffiliation: contains the affiliation with the highest priority.
- eduPersonTargetedID: a unique characteristic per user that remains the same over time, but does not allow any conclusions to be drawn about the user's personal data.
- eduPersonEntitlement: a unique value that is authorized for certain applications.
- Surname
- call sign
- email address
- username
- group memberships
data generated by the provision of services
- Cookies
- transaction data
- meta data
- log data
Recipients and
| Recipients | Jurisdiction |
|---|---|
| Intern | German, Bavaria |
| Service provider within the DFN-AAI | Depending on service |
| Service provider with other federations | Depending on service |
| Centre National de Oeuvres Univeristaires et Scolaries (CNOUS) | France |
International data transfer
In the legal meaning of the term, the data is collected by the service provider directly from the persons using the service, so that there is no transfer within the meaning of Art. 44 et seq. of the GDPR. However, since the service is also offered in the European Economic Area, the providers are directly subject to the provisions of the GDPR.
Limits for the deletion of the different categories of data
Inventory data from our directory service for disclosure to the desired service, are held in Shibboleth only during the processing of the request.
Cookies are deleted after ending the browser session.
Log data from traffic data and control data are stored for a maximum of one year for disclosure monitoring purposes. Log data, that contains error messages, will be kept with the required data until the error has been clarified.
Other
There is no automated decision making including profiling. Our service is not an automated process as defined by law.
