Deutsch Intern
  • 50-jähriges Jubiläum des Rechenzentrums
Information Technology Centre

Shibboleth privacy policy

Basic information

Controller

Julius-Maximilians-University Würzburg
(Statutory body under public law)

Its president represents the university.

Sanderring 2, 97070 Würzburg

Phone: +49(0)931-31-0
Fax: +49(0)931-31-82600

Contact details of the data protection officer

Data Protection Officer of the Julius-Maximilians-University Würzburg
Sanderring 2
97070 Würzburg
Phone: +49(0)931-31-0
E-Mail: datenschutz@uni-wuerzburg.de

General

With regard to the processing of your personal data, you, as a data subject, have the following rights under Art. 15 e.g. GDPR to:

  • You can request information  about whether we process personal data from you. If this is the case, you have the right to information about these personal data as well as to other information related to the processing (Art. 15 GDPR). Please note that in certain cases this right of access may be limited or excluded (see in particular Art. 10 BayDSG).
  • In the event that personal data about you is no longer (no longer) accurate or incomplete, you may request a correction  and, if necessary,  completion of such data (Art. 16 GDPR).
  • If the legal requirements are met, you can request the deletion of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR). However, the right to erasure under Art. 17 sec. 1 and 2 GDPR does not exist, among other things, if the processing of personal data is necessary for the performance of a task. This is in the public interest or is in the exercise of official authority (Art. 17 sec. 3(3) (b GDPR).
  • If you have consented to the processing or if there is a contract for data processing and the data processing is carried out by means of automated procedures, you may have the right to data portability  (Art. 20 GDPR).
  • If there is an international transfer of personal data without the basis of an adequacy decision of the EU Commission, you have the right to obtain a copy of the contractual guarantees upon request to us.
  • You have the right to complain to a supervisory authority within the meaning of Article 51 GDPR about the processing of your personal data. The Bavarian State Commissioner for Data Protection, Wagmüllerstraße 18, 80538 Munich, is responsible for the supervisory authority for Bavarian public authorities. In addition to the right of complain, you may also seek for a judicial remedy.

Withdrawal of consent

Insofar as the processing is carried out on the basis of consent, you have the right to withdraw your consent at any time. The revocation only works for the future; that is, the revocation does not affect the legality of the processing carried out on the basis of the consent until the revocation.

Right to object (article 21 GDPR)

For reasons arising from your particular situation, you can also object to the processing of personal data concerning you by us at any time (Art. 21 GDPR). If the legal requirements are met, we will no longer process your personal data.

The obligation to archive with its precedence over the deletion remains  unaffected in the context of limits for the deletion of data.

Purposes of the processing

Shibbloeth serves to provide a SingleSignOn for login and use of services to fulfill university tasks with their help or to provide teaching and working materials.

Legal bases of the processing

 

Art. 6 para. 1 lit. e GDPR in connection with Art. 2 BayHSchG or Art. 4 para. 1 BayDSG.

Provision obligation

The provision of master data is required for use. In addition, usage data is generated during use.

Source of data

The released attributes come from our central directory service.

In addition, further data is generated within the scope of service performance.

Categories of personal data

Inventory data, from our directory service for transfer to the requested service

  • eduPersonAffiliation: student, employee, member. Multiple nominations are possible, member and employee are mutually exclusive. The status is independent of the affiliated institution.
  • eduPersonPrimaryAffiliation: contains the affiliation with the highest priority.
  • eduPersonTargetedID: a unique characteristic per user that remains the same over time, but does not allow any conclusions to be drawn about the user's personal data.
  • eduPersonEntitlement: a unique value that is authorized for certain applications.
  • Surname
  • call sign
  • email address
  • username
  • group memberships

data generated by the provision of services

  • Cookies
  • transaction data
  • meta data
  • log data

 

Recipients and

Overview

Recipients Jurisdiction
Intern German, Bavaria
Service provider within the DFN-AAI Depending on service
Service provider with other federations Depending on service
Centre National de Oeuvres Univeristaires et Scolaries (CNOUS) France

 

International data transfer

In the legal meaning of the term, the data is collected by the service provider directly from the persons using the service, so that there is no transfer within the meaning of Art. 44 et seq. of the GDPR. However, since the service is also offered in the European Economic Area, the providers are directly subject to the provisions of the GDPR.

Limits for the deletion of the different categories of data

Inventory data from our directory service for disclosure to the desired service, are held in Shibboleth only during the processing of the request.

Cookies are deleted after ending the browser session.
Log data from traffic data and control data are stored for a maximum of one year for disclosure monitoring purposes. Log data, that contains error messages, will be kept with the required data until the error has been clarified.

Other

There is no automated decision making including profiling. Our service is not an automated process as defined by law.