Data protection

Data protection information for data subjects as per Article 13 and Article 14 of the GDPR

Data protection is a matter of trust and your trust is important to us. We respect your privacy and personal sphere. The protection and lawful collection, processing and use of your personal data is therefore an important matter for us. In order to ensure that you feel secure when you visit our websites, we strictly adhere to the legal regulations when processing your personal data and would like to inform you here about how we collect and use your data.

Data protection guideline

General data protection guideline of the Musik und Kunst Privatuniversität der Stadt Wien GmbH (Music and Arts University of the City of Vienna)

Introduction

Musik und Kunst Privatuniversität der Stadt Wien GmbH (MUK) collects data in order to fulfil its statutory mandate of operating a private university.

To do this, it is necessary to collect information – particularly about course applicants, students, employees and other culture enthusiasts. Under the General Data Protection Regulation (GDPR), the collection of data must be strictly limited so that only the most necessary information is collected (data minimisation).

However, negligent or illegal use can lead to a loss of personal information and other confidential information. In turn, this can threaten IT security, endanger the reputation of the MUK and violate the rights of other people.
For this reason, we require all our employees to handle all our data and IT systems responsibly and carefully.
The aim of this guideline is to set minimum standards for usage and operation as well as to ensure that personal and confidential information is processed in compliance with the law.

Measures should be taken to ensure that

  • only authorised employees can view the data needed for their work,
  • data can be assigned to its source at all times and it can be ascertained who has used and processed which data and when, and
  • data is kept complete and current.


It must also be taken into account that the effort involved is reasonable in relation to the protective purpose.


Scope of the guideline

The guideline described here applies to all IT systems and applications (both analogue and digital) that use and process personal data and specific categories of personal data.

Personal data describes any information that relates to an identified or identifiable person. A natural person is identifiable as soon as they can be directly or indirectly identified, particularly through the classification of special characteristics (name, ID number, bank details, DOB, address, etc.).
One specific category of personal data is sensitive data. This includes all information from which racial and ethnic origin, political opinion, religious or ideological beliefs, union membership, health data and information about sexual orientation can be deduced.


Instructions on how to comply with data protection at the MUK

The following points must be complied with, without exception:

  • All workstations must be secured so that unauthorised persons cannot see or gain access to the data. This applies particularly to workstations at which sensitive data is being processed.
  • Monitors and printers must be set up in such a way that third parties cannot gain access.
  • Printouts containing sensitive data must be removed from the printer immediately.
  • If written documents are no longer needed, they must be destroyed so that their content is no longer legible (e.g. by using a shredder).
  • Mobile data carriers should not be accessible to third parties.
  • Data carriers with sensitive data that is no longer needed must be deleted so that the data is no longer accessible.
  • Sensitive data and data worthy of protection must not be forwarded to unauthorised persons under any circumstances, except for a specific legal use.
  • All employees with access to sensitive data must be bound by confidentiality.
  • Without exception, any requests for information must be handled via the data protection coordinator (datenschutz@muk.ac.at) and in written format.
  • Sensitive data must only be transmitted if confidentiality can be ensured.
  • Only authorised persons should be able to access sensitive data.


Inquiries or complaints about data protection must only be answered by the data protection officer or the data protection coordinator. All other employees should answer data protection inquiries or complaints as follows:

“Dear…,
Thank you for your inquiry about data protection at Musik und Kunst Privatuniversität der Stadt Wien GmbH. We adhere to the legal regulations concerning data protection and are happy to deal with your concern. Due to the General Data Protection Regulation (EU-GDPR) and the Data Protection Act of 2000 in its current version, the employees of the MUK are not permitted to deal directly with your inquiries. Please send your request by email, along with a copy of your ID, to the following address: datenschutz@muk.ac.at. We will then process your inquiry in line with the legal regulations.

For more information about data protection at the Music and Arts University of the City of Vienna, please see our website at www.muk.ac.at/datenschutz.

Yours sincerely,
Name
Signature”

Purpose of data processing

Legal basis for data processing

Student management:

  • Contract/contract initiation
  • Statutory/legal obligation


Personnel management:

  • Contract/contract initiation
  • Statutory/legal obligation


Use of university library:

  • Contract/contract initiation


Marketing activities:

  • Marketing (general): legitimate interest
    The legitimate interest is the interest of the company in making initial business contact and intensifying the business relationship with existing and potential customers
  • Newsletters, use of photos: consent
    This consent can be revoked at any time (see newsletter)


Communication to recipients in countries outside the Union:
The data from the aforementioned processing activities are not usually transmitted to recipients outside the Union.

Where photos are published on the homepage or on social networks, this data is also published and therefore made available to an undefined group of recipients.

Website

Disclaimer

This website may contain references to property rights and information on copyrights, the compliance and observation of which are mandatory. This applies particularly to logos, images, sound files and videos. Downloading, printing and storing files from this website is only permitted for private use. Any use beyond this requires the explicit consent of the Musik und Kunst Privatuniversität der Stadt Wien GmbH. The Musik und Kunst Privatuniversität der Stadt Wien GmbH accepts no liability for data loss or other technical impairments, which can arise when viewing or downloading data from this website. The Musik und Kunst Privatuniversität der Stadt Wien GmbH accepts no liability for the content of any links to other websites.
The information provided on this website is carefully checked and regularly updated by the Musik und Kunst Privatuniversität der Stadt Wien GmbH. The university accepts no liability that the information provided as part of this website is complete, up-to-date and accurate. Subject to change and errors excepted. Furthermore, the Musik und Kunst Privatuniversität der Stadt Wien GmbH reserves the right to change the data and design of this website at any time without prior notification.


Use of the Google Analytics web analytics service

This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for the website operator and providing other services relating to website activity and internet usage to the website provider. Google may also transfer this information to third parties if required by law or where such third parties process the information on Google's behalf. Google will not associate your IP address with any other data held by Google. You may refuse the installation of cookies by selecting the appropriate settings on your browser; however, please note that if you do this, you may not be able to use the full functionality of this website. By using this website, you agree to the processing of data collected about you by Google in the aforementioned manner and for the aforementioned purpose.


Use of Google Remarketing

Due to our legitimate interest in analysis, optimisation and profitability, MUK also uses Google Remarketing Technology, a service of Google Inc., 1600 Amphitheatre Pkwy, Mountain View, CA 94043, United States of America. This feature allows you, as a website visitor, to be targeted with advertising by placing personalised, interest-based advertisements when you visit other web pages on the Google DoubleClick display network. Google uses cookies, which are stored on your computer, to evaluate your website usage, demographic characteristics and interests. Google uses cookies, which are stored on your computer, to analyse your use of the website, which then makes interest-based advertisements possible. The information generated by the cookie is transferred to a Google server and stored there and can be evaluated by MUK with the help of statistics and used to create interest-based advertisements. Google may transfer this information to third parties when required to do so by law, or when such third parties process the information on Google's behalf. You may cancel the collection and storage of data at any time with effect for the future.
You can disable Google’s use of cookies by visiting the http://www.google.com/policies/technologies/ads/ page to disable Google advertising. Alternatively, you can disable the use of cookies by third parties by visiting the Network Advertising Initiative disable page at http://www.networkadvertising.org/managing/opt_out.asp. You can find more information about Google's privacy policy at http://www.google.com/intl/de/privacy.


Use of Facebook like buttons

This website links to a like button on Facebook at the end of every news article and event. By clicking on this link you leave this website and establish a direct connection between your browser and Facebook’s servers. You can find information on the data that Facebook Inc subsequently collects here: https://www.facebook.com/privacy/explanation


Use of Facebook Pixels

Due to our legitimate interest in analysis, optimisation and profitability, MUK’s online offer also uses code known as the "Facebook pixel" provided by the Facebook social network, 1601 South California Avenue, Palo Alto, CA 94304, USA or, if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Using this Facebook pixel enables us to identify website visitors as the target audience for displaying Facebook advertisements.

Newsletter

Content of the newsletter
We only send newsletters with the consent of recipients. Our newsletter contains information about the classes and courses on offer at the MUK, events at the MUK and its partners (this can specifically include information on blog articles, lectures, workshops, concerts and online presence).

Legal basis of the General Data Protection Regulation
In accordance with the regulations of the General Data Protection Regulation (GDPR), we hereby inform you that consent is provided by sending email addresses on the basis of Article 6(1)(a) and Article 7 of the GDPR. We focus on using a user-friendly and secure newsletter system, which satisfies our business interests and corresponds to the expectations of our users.

Double opt-in and logging
A double opt-in method is used to register for our newsletter, i.e. after registering, you will receive an email in which you are asked to confirm your registration. This confirmation is required so that people cannot sign up with email addresses that do not belong to them.
Registrations to the newsletter are logged so that we can prove the registration process complies with legal requirements. This includes saving the time of registration and confirmation.

Newsletter delivery using TYPO3 extension
The MUK uses a function of its website www.muk.ac.at, the “direct_mail” TYPO3 extension, to deliver the newsletter. This ensures that the personal data of newsletter subscribers is only located on the hosted servers of the MUK. An order processing contract, which ensures the secure processing of data, has been concluded with the relevant partner.

Registration data
To register for the newsletter, we will need your email address and your first name and surname. Your names are only used to personalise the newsletter and are not used for any other purpose. You can also provide address details if you require postal delivery. This information is not passed on to third parties.

Statistical surveys and analyses
We do not intend to monitor individual users. In particular, no technical data is accessed (e.g. information about browser and your system, IP address, time of access). General statistical evaluations (e.g. click rates, etc.) are permitted by the newsletter system, but do not allow any inference to individual users.

Online access and data management
There are times when we direct newsletter recipients to the MUK website. For example, our newsletters contain a link with which newsletter recipients can access the newsletter online (e.g. if there are problems viewing it in your email program). Newsletter recipients can also amend their data retroactively, e.g. email address. In individual cases, the newsletter may also contain links to external websites, i.e. the websites of third parties. However, the MUK has no influence on the content of these links and the data protection standards of such linked sites. For this reason, the MUK is not liable for external links.
In this context, we refer you to the fact that cookies are used on the MUK website, meaning personal data is processed by the MUK and the service providers it employs. You can find more information on this in the Data Protection Statement of the MUK.

Cancellation/retraction
You can stop receiving our newsletter at any time, i.e. revoke your consent. You will find a link to unsubscribe from the newsletter at the bottom of each newsletter.

Furthermore, we would like to inform you that you can revoke consent to the future processing of your personal data at any time, in accordance with the legal regulations as per Article 21 of the GDPR.

You can find more information, particularly relating to Article 13 and 14 of the GDPR, at Rights of Data Subjects.

Rights of data subjects

General information according to Article 13 of the GDPR

The data subject (this is the natural person, whose personal data is being processed) benefits from various – very extensive – rights against the controller (this is the organisation, i.e. in this specific case Musik und Kunst Privatuniversität der Stadt Wien GmbH).

These rights ensure that personal data is processed in a transparent manner. The data subject should be able to find out, and should also know, who is processing their data, in which way, and why.

The data subject has the following rights against the controller:

  • Right to confirmation
  • Right to information
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to object to processing (only for legitimate interest)
  • Right to data portability (only for contract relationship or consent)
  • If the processing is based on consent, the data subject has the right to revoke the consent at any time (marketing for own purposes); the revocation does not concern the lawfulness of any processing that has been carried out on the basis of consent up to the point of revocation.
  • Right to lodge a complaint with the supervisory authority


The data subject can exercise all rights by sending an email to datenschutz@muk.ac.at or using the contact form on the website.
The data subjects must identify themselves and provide identification in order to ensure that the actual data subject is addressed in the response to exercising the specific right.


General information according to Article 14 of the GDPR

Article 14 of the GDPR states that data subjects must also be informed about the use of personal data beyond the data categories and origin (source of data) if this data has not been obtained from the data subject (personally).
 
This occurs:

  • when developing and maintaining a contact database for personal purposes from public sources


Contact database:
Processing of the following data categories:

  • Master data (name, title, gender)
  • Contact details


Origin of data:

  • publicly accessible data (e.g. commercial register, telephone directory, homepages, social media).


Type of information provision according to Article 14 of the GDPR:
The provision of information within the meaning of Article 14 of the GDPR occurs as part of the initial use of the data, but no later than 1 month from the collection (disclosure of the data to third parties is not provided); the reference to data protection information is contained in the email signature so that the third party receives the information upon initial contact.

Contact persons

Data protection officer and data protection coordinator

Controller:
Musik und Kunst Privatuniversität der Stadt Wien GmbH
Johannesgasse 4a, A-1010 Vienna
Phone: +43 1 5127747
Email: office@muk.ac.at

Representative of the controller:
Vice-Chancellor Dr. Andreas Mailath-Pokorny
Johannesgasse 4a, A-1010 Vienna
Phone: +43 1 5127747 101
Email: rektor@muk.ac.at

Data protection officer:
Mag. Ing. Markus Oman, CSE (O.P.P.)
Email: datenschutz@muk.ac.at

As a public body, the MUK is obligated to appoint a data protection officer (Article 37(1)(a) under the GDPR in conjunction with Section 2 of the German Research Organisation Act (Forschungsorganisationsgesetz)).

The tasks of the data protection officer according to Art. 39 of the GDPR are primarily:

  • To inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
  • To monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
  • To provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
  • To cooperate with the supervisory authority;
  • To act as the point of contact for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

 

Data protection coordinator:
Mario Löchler, IT-Management MUK
Johannesgasse 4a, A-1010 Vienna
Phone: +43 1 5127747 270
Email: m.loechler@muk.ac.at

As well as the statutory tasks of a data protection officer according to Article 39 of the GDPR, other regular activities concerning the fulfilment of data protection compliance as per the GDPR are required after developing a data protection management system.

Tasks of the data protection coordinator:

  • Contact person for internal queries about data protection
  • Contact person for external queries about data protection
  • Point of contact for requests for erasure/information/rectification, etc.
  • Link to the data protection officer
  • Regular maintenance and updating of the process directory
  • Ongoing, structured collection of data uses and help in completing the process directory
  • Providing assistance in completing the data protection impact assessment
  • Regular documentation of technical and organisational measures (TOM) and identification of prioritised improvement measures
  • Regular updating, documentation and improvement of the data subject rights
  • Regular updating, documentation and improvement of the data breach process
  • Regular updating, documentation and improvement of the data protection guideline
  • Regular review of the processor framework
  • Support in complying with requirements relating to Privacy by Design and Privacy by Default