Deutsch Intern
    Information Technology Centre

    Shibboleth privacy policy

    Information about data processing of our Shibboleth service

    Data protection is our legal responsibility and duty. We use appropriate means in line with current technological developments and legal regulations in order to protect your personal data. 

    Shibboleth implements Single-Sign-On for the login to internal services as well as to external services that are part of a federation, such as the DFN or eduGain.

    Julius-Maximilians-University Würzburg
    (public corporation)

    Legal representative is the president of the university.

    Sanderring 2, 97070 Würzburg

    Phone (09 31) 31-0
    Fax (09 31) 31-82600

    Information Technology Centre Würzburg University
    Am Hubland
    97074 Würzburg
    Phone: (0931) 31 - 85050


    Data Protection Officer of the Julius-Maximilians-University Würzburg
    Sanderring 2
    97070 Würzburg
    Phone (09 31) 31-0


    Data subject rights

    With regard to this processing of your personal data, you as a data subject are entitled to the following rights pursuant to Art. 15 et seq. of the German Data Protection Act. GDPR:


    • You can request information as to whether we process your personal data. If this is the case, you have the right to information about this personal data as well as further information in connection with the processing (Art. 15 GDPR). Please note that this right of access may be restricted or excluded in certain cases (cf. in particular Art. 10 BayDSG).
    • In the event that personal data about you is (no longer) accurate or incomplete, you may request that this data be corrected and, if necessary, completed (Art. 16 GDPR).
    • If the legal requirements are met, you can demand that your personal data be deleted (Art. 17 GDPR) or that the processing of this data be restricted (Art. 18 GDPR). However, the right to deletion pursuant to Art. 17 (1) and (2) DSGVO does not apply, inter alia, if the processing of personal data is necessary for the performance of a task. This is in the public interest or in the exercise of official authority (Art. 17 para. 3 letter b GDPR).
    • You have the right to complain to a supervisory authority within the meaning of Art. 51 GDPR about the processing of your personal data. The competent supervisory authority for Bavarian public bodies is the Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich.

    We will inform you separately about your right to object.

    Right to object

    For reasons arising from your particular situation, you may also object at any time to the processing of your personal data by us (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data.


    Data processing

    Shibbloeth serves to provide a SingleSignOn for login and use of services to fulfill university tasks with their help or to provide teaching and working materials.



    Art. 6 para. 1 lit. e GDPR in connection with Art. 2 BayHSchG or Art. 4 para. 1 BayDSG.


    The released attributes come from our central directory service.

    In addition, further data is generated within the scope of service performance.

    Inventory data, from our directory service for transfer to the requested service

    • eduPersonAffiliation: student, employee, member. Multiple nominations are possible, member and employee are mutually exclusive. The status is independent of the affiliated institution.
    • eduPersonPrimaryAffiliation: contains the affiliation with the highest priority.
    • eduPersonTargetedID: a unique characteristic per user that remains the same over time, but does not allow any conclusions to be drawn about the user's personal data.
    • eduPersonEntitlement: a unique value that is authorized for certain applications.
    • Surname
    • call sign
    • email address
    • username
    • group memberships

    data generated by the provision of services

    • Cookies
    • transaction data
    • meta data
    • log data


    Recipients International data transfer
    Intern No
    Service provider within the DFN-AAI Depending on service
    Service provider with other federations Depending on service


    Service providers, cooperation partners and contractual partners come from all over the world. Insofar as we disclose personal data to them, there is either an exception pursuant to Art. 49 GDPR, the recipient or the country of residence of the recipient has an adequate level of data protection or guarantees exist, currently in particular in the form of the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors in third countries pursuant to Directive 95/46/EC of the European Parliament and of the Council.

    Inventory data from our directory service for disclosure to the desired service, are held in Shibboleth only during the processing of the request.

    Cookies are deleted after ending the browser session.
    Log data from traffic data and control data are stored for a maximum of one year for disclosure monitoring purposes. Log data, that contains error messages, will be kept with the required data until the error has been clarified.

    There is no automated decision making including profiling. Our service is not an automated process as defined by law.



    Version status

    2019 January 22th