Administration of data pertaining to students attending degree and non-degree programmes
In this document, the Johannes Kepler University Linz (hereinafter referred to as “JKU”) provides information about the processing of your personal data (more precisely: the personal data referring to you) as set out in Art. 4(1) General Data Protection Regulation (hereinafter “GDPR”). These data must be protected as described in the currently valid data privacy legislation[1]. Processing within the meaning of Art. 4(2) GDPR refers in particular to the collection, recording and storage of personal data, whether or not by automated (technical) means.
I. Data controller’s contact information:
The data controller responsible for the processing of personal data as defined in Art. 4(7) GDPR is the Johannes Kepler University Linz (JKU), Altenberger Straße 69, 4040 Linz, datenschutz(at)jku.at.
The data protection officer within the meaning of Art. 37 GDPR can be contacted at the Johannes Kepler University Linz (JKU), Stabstelle Datenschutz [Department of Data Protection], Altenberger Straße 69, 4040 Linz, datenschutz(at)jku.at.
II. Background to the processing / information on the purpose for which personal data are processed / legal basis of the processing / recipients of personal data:
1. On the occasion of the admission to degree and non-degree programmes and assessing / billing student contributions, tuition fees (including any tuition fee remissions/reimbursements requested) and/or course fees, the JKU processes personal data for the purpose of the administrative and organisational management of your studies at JKU, including any internships within the framework of your studies, in particular admitting students to their selected degree or non-degree course, collecting student contributions and/or any tuition or course fees due, keeping records of all content relating to examinations and assessments, awarding academic degrees / academic titles, conducting surveys and appraisals, and implementing quality assurance measures; in short, the JKU processes the data for the purpose of performing its statutory tasks and ensuring compliance with the applicable statutory obligations. These data encompass the following in particular:
-
- Contact data, including your name, home address, correspondence address, date of birth, gender, photograph, nationality, e-mail address, and any other data disclosed by you, e.g. your telephone number
- Social insurance data / alternative identification
- Data relating to your previous education, e.g. your CV, university entrance qualification, proofs of academic achievement, degree certificate etc.
- Study data, e.g. matriculation number, information about your general university entrance qualification, admission data (e.g. admission date and admission status), study programme code, mandatory requirements or supplementary examinations if applicable, evidence of language skills if applicable, registration system data relating to lectures/examinations, examination data and assessment documents (all content relating to examinations and assessments, data / information on academic theses), information and proof relating to academic leaves, information on disabilities if applicable, academic degrees awarded, data relating to your participation in international mobility and exchange programmes, any correspondence
- Information about the background and education paths of your parents
- Study fee data ([Bank)] data for the assessment and payment of student contributions or tuition fees or any course fees, requests for tuition fee remissions or reimbursements including a proof of reason given)
Furthermore your data may be used for the assertion, exercising or defence of possible legal claims and the investigation of violations of the law and legal disputes
1.1. The legal basis for the processing of these personal data is Art. 6(1)(c) and (e) and Art. 6(3) and Art. 9(2)(g) GDPR in conjunction with the relevant national provisions, in particular according to Universities Act 2002[2], the Federal Act on Documentation in Education 2020[3], the University and Higher Education Statistics and Education Documentation Regulation[4], the Tuition Fee Regulation[5] and the Statute of the JKU[6] in the respective applicable version, as well as Art 6(1)(f) and Art 9(2)(f) GDPR. The processing of the personal data specified above is lawful since it is necessary for compliance with a legal obligation to which the controller is subject, and for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In addition, the data processing is necessary for the assertion, exercising or defence of possible legal claims and the investigation of violations of the law and legal disputes.
Since the provision of personal data for these types of processing is required by law, any failure to provide these data may render the JKU unable to fulfil its obligations to you.
If the processing of your personal data is not permitted on the basis of the legislation mentioned above, the JKU may only process your data on the basis of your voluntary (explicit) consent as described in Art. 6(1)(a) GDPR and Art. 9(2)(a) GDPR.
Pursuant to Art. 7(3) GDPR, the data subject may exercise their right of withdrawal without giving reasons and amend or totally withdraw the issued declaration of consent with future effect. This withdrawal must be communicated by postal mail using the contact data provided in section I or by sending an e-mail to datenschutz(at)jku.at. The withdrawal of your consent will not affect the lawfulness of the data processing carried out on the basis of your consent before it was withdrawn. Please note: if you withdraw your consent, it will no longer be possible to achieve the purpose for which your data are being processed.
1.2. The recipients of the personal data are the JKU organisational units involved in each type of processing (in particular the Department of Teaching and Studies Organisation and the Department of Information Management), the University Data Network at the Bundesrechenzentrum GmbH (BRZ), as well as all the other data recipients in accordance with the provisions of § 10 BilDokG 2020 and the Federal Institution under Public Law “Statistics Austria“ within the framework of federal statistics on the education system, any subcontractors engaged to provide technical support, hosting, maintenance and administration services insofar as their access to personal data cannot be ruled out by implementing suitable technical and organisation measures, any partner institutions involved in jointly offered study programmes or joint study programmes, any sponsors and cooperation partners of the JKU and any transfer recipients provided for in the respective funding conditions as well as our contract processor QENTA Payment CEE GmbH, Taborstr. 1-3/10, 1020 Wien in connection with payments, and any banking institution whose information you communicate to us.
If necessary, your data may also be forwarded to courts, authorities and legal representatives in order to assert, exercise or defend claims or to investigate legal violations and legal disputes; in this context, JKU must, for example, provide the administrative and penal authorities, the courts and other universities and university colleges, at their request, with the information necessary to establish the facts of the case and to forward the documents required for this purpose (Section 46 (6) UG). Apart from these cases, data transfer to third parties is only permitted if there is a legal basis (e.g. Auskunftspflichtgesetz) or another prevailing legitimate interest of JKU or a third party.
2. The application “myJKU” enables students to view the personal data being processed, e.g. their master data, study data and exam data, at any time using a mobile device. These personal data are retrieved from the JKU’s student administration system. When logging in to “myJKU”, personal data consisting of the user’s given name and surname, JKU user name and assignment are transmitted to the web application. Moreover, when using the web app “myJKU” through Shibboleth, technically necessary cookies are set and personal data are processed which is required in particular for authorisation and authentication purposes.
The processing of the above-mentioned data is mandatory for the provision of the “myJKU” app and its content since the application cannot be used unless these data are provided.
The mobile app “myJKU” also uses Firebase Cloud-Messaging (Android) or the Apple Push Notification Service (iOS) to send push notifications alerting “myJKU” users to data updates. When the push notification function is activated, personal data (Firebase installation ID or push token) may be processed by Google Ireland Limited, Google LLC or Apple Inc. respectively.
The user is not obliged to provide any personal data. However, the use of the push service requires the processing of personal data, i.e. no push notifications can be sent if these data are not provided.
Detailed information about data privacy and the processing of personal data can be accessed by clicking on the following links: https://firebase.google.com/terms/data-processing-terms, opens an external URL in a new window or https://firebase.google.com/support/privacy#international_data_transfers, opens an external URL in a new window, https://policies.google.com/privacy, opens an external URL in a new window and https://www.apple.com/legal/privacy/, opens an external URL in a new window
2.1 The legal basis for the processing and transfer of personal data in connection with the use of the push notification function is the data subject’s (explicit) consent (Art. 6(1)(a) GDPR and Art. 49(1)(a) GDPR). As the data subject, you can withdraw your consent to the receipt of push notifications at any time by changing your settings in the “myJKU” app, deactivating the service, or changing your browser settings. The withdrawal of your consent will not affect the lawfulness of the data processing carried out on the basis of your consent before it was withdrawn. Please note: if you withdraw your consent, it will no longer be possible to achieve the purpose for which your data are being processed.
Insofar as the processing of personal data is technically necessary to log in or to safeguard and improve the functioning of the web app “myJKU”, the legal basis for this processing is the legitimate interest of the JKU (Art. 6(1)(f) GDPR).
2.2 The recipients of the personal data are the JKU’s organisational units involved in the respective type of processing (in particular the Department of Information Management) and the company solvistas GmbH, Graben 18, 4020 Linz, as the JKU’s contract data processor.
When using the above-named Google service (Firebase) or Apple service, personal data is transmitted to Google LLC or Apple Inc., which are both based in the USA. Due to the adequacy decision for the EU-US Privacy Framework, personal data can be transferred to US companies participating in the framework without the need to take any GDPR safeguards. If the transfer does not fall in the frame of the adequacy decision and no appropriate safeguards (such as standard contractual clauses - EU SCC) are provided, the transfer is based on the data subject´s explicit consent pursuant to Art. 49(1)(a) GDPR. In this case, compliance with the European data protection requirements cannot be guaranteed, which entails various risks with regard to the lawfulness and security of data processing.
3. When submitting written paper during the course of your chosen degree or non-degree programme, particularly final thesis/dissertations, take-home assignments, seminar papers and Bachelor’s theses, your personal data – particularly your given name and surname, title, matriculation number, and the entire content of the written work you have submitted – will be processed for the purpose of reviewing your compliance with ethical principles and the rules of good scientific practice, and preventing breaches of third-party intellectual property rights by using the plagiarism detection software provided by the company Turnitin LLC.
3.1. The legal basis for the processing of these personal data is Art. 6(1)(c) and (e) and Art. 6(3) GDPR in conjunction with §§ 2, 3 and 19 UG and § 38(4) Study Law Statute[7]. The processing of the personal data specified above is lawful since it is necessary for compliance with a legal obligation to which the JKU is subject, and for the performance of a task carried out in the public interest or in the exercise of official authority vested in the JKU.
There is no obligation to provide these personal data; however, if the data is not provided, it will not be possible to achieve the purposes specified in section 3.
3.2. The recipients of the personal data are the JKU organisational units involved in each type of processing, particularly the university library, the Department of Teaching and Studies Organisation and the Department of Information Management.
The plagiarism detection software provider Turnitin LLC, head office 2101 Webster Street, Suite 1800, Oakland CA 94612 USA, is a contract processor engaged by the JKU. Pursuant to Art. 28(7) in conjunction with Art. 46(2)(c) GDPR, the JKU and Turnitin LLC have agreed to the standard contractual clauses issued by the European Commission on 4 June 2021 and set out in Commission Implementing Decision (EU) 2021/914, which can be viewed in the JKU’s Department of Legal Affairs. These guarantee an appropriate level of data protection as understood in the GDPR.
Turnitin LLC subcontracts the provision of various technical and administrative support services and the task of comparing submitted texts against data sources in the internet and databases in the USA to Turnitin UK Ltd., 6th Floor, Wellbar Central, 36 Gallowgate, Newcastle upon Tyne, NE1 4TD, UK, Turnitin India Pvt. Ltd., Suite #1603, Floor 16, Max Towers, Sector - 16B Noida, Uttar Pradesh 201301, India, Turnitin Netherlands B.V., Stadsplateau 7, 3521 AZ Utrecht, Netherlands, UKU Group Ltd., SP Hall 28-A Stepana Bandery Avenue Office 302, Kyiv, Ukraine 04073, ExamSoft Worldwide LLC., 5001 LBJ Freeway, Suite 700, Dallas, TX 75244 USA, Microsoft Corporation, One Microsoft Way, Redmond, Washington 98052-6399, USA, and SDL Limited, New Globe House, Vanwall Business Park, Vanwall Road, Maidenhead SL6 4UB, UK. In accordance with clause 9 of the above-mentioned standard contractual clauses, Turnitin LLC also ensures that their subcontractors fulfil the obligations to which Turnitin LLC as the contract processor is subject.
4. As part of the digital attendance monitoring performed on Med Campus I, the JKU processes access data, lecture data (in particular lecture dates, types of course, topics, lecturers, registrations, cancellations and participation), student data, exam data and correspondence using the “Cardea” system. These personal data are processed for the purpose of monitoring student attendance at lectures, creating digital attendance lists, and managing lectures and lecture participation.
4.1. The legal basis for the processing of the personal data is Art. 6(1)(c) and (e) and Art. 6(3) GDPR in conjunction with §§ 51 to 93a UG, § 19(2) line 4 UG and the Study Law Statute (ST-StR). The processing of the personal data specified above is lawful since it is necessary for compliance with a legal obligation to which the JKU is subject, and for the performance of a task carried out in the public interest or in the exercise of official authority vested in JKU.
There is no obligation to provide these personal data; however, if the data is not provided, it will not be possible to achieve the purposes specified in section 4.
4.2. The recipients of the personal data are the JKU organisational units involved in each type of processing (in particular the Center for Medical Education, the Department of Teaching and Studies Organisation, the Department of Information Management, and the lecturers, who are responsible for their own lectures) and the company X-Net Services GmbH, Spittelwiese 15, 4020 Linz, as the JKU’s contract data processor.
III. Information on storage periods:
The JKU will store these data for the following periods of time:
-
- According to § 53 UG, the titles of examinations, the topics of scientific theses or artistic submissions, the number of ECTS credits awarded, the grade, the names of the examiners or assessors, the date of the examination / assessment and the student’s name and matriculation number must be stored in a suitable (e.g. electronic) form for at least 80 years.
- §79(3) UG stipulates that if the assessment documents (particularly examiners’ reports, corrected written examinations and assessment papers) are not surrendered to the student, steps must be taken to ensure that they are held in safekeeping for at least six months after the announcement of the result. According to §79(4) UG, records of examinations must be held in safekeeping for at least six months after the announcement of the result.
- With regard to academic dissertations and theses, i.e. Bachelor’s theses, graduate diploma’s and Master’s theses, artistic graduate diploma’s and Master’s theses and (scientific and artistic) dissertations, any assessment documents (in particular examiners’ reports and corrected papers) not surrendered to the student must be held according to § 84(1) UG in safekeeping for at least six months after the results are announced.
- According to § 4(7) BilDokG 2020, the social insurance numbers or alternative identification stored in student records must be erased no later than two years after the student leaves the educational institution.
- Proofs relating to the remission of tuition fees must be retained for at least three years as set out in §4(6) StubeiV.
- Unlimited storage period: data classified as archival material pursuant to the Austrian Federal Archives Act[8]
Moreover, the personal data are stored in accordance with the criteria established for the storage period, such as their current validity and relevance in terms of the purposes specified in section II, and if they constitute proof required for the correct performance of procedures relating to disputes, they will be stored for up to three years following the submission of the respective proof.
IV. Rights of the data subject pursuant to Art. 15 to 21 GDPR:
- Right of access
- Right to rectification and erasure
- Right to restriction of processing
- Right to data portability
- Right to object
V. Information on the data protection supervisory authority and the data subject’s right to complain:
The data subject may also submit complaints about any data processing they consider inadmissible to the Austrian Data Protection Authority, Barichgasse 40-42, 1030 Wien, phone: + 43 1 52 152-0, e-mail: dsb(at)dsb.gv.at.
Last updated: November 2023
[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR); Federal Act Concerning the Protection of Personal Data (DSG), Federal Law Gazette I no. 165/1999, last amended by Federal Law Gazette I no. 14/2019; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (the data protection regulation for the areas of justice and home affairs), implemented in §§ 36 - 61 DSG.
[2] Austrian Federal Act on the Organisation of Universities and Their Studies [Universitätsgesetz] 2002, hereinafter referred to as UG.
[3] Austrian Federal Act on Documentation in Education [Bildungsdokumentationsgesetz] 2020, hereinafter referred to as BilDokG 2020
[4] Regulation by the Austrian Federal Minister of Education, Science and Research on data transfer, record-keeping, coding and the statistical evaluation and processing activities performed by universities, colleges of education, providers of study programmes at universities of applied science and private universities (University and Higher Education Statistics and Education Documentation Regulation [Universitäts- und Hochschulstatistik- und Bildungsdokumentationsverordnung]), hereinafter referred to as UHSBV
[5] Regulation by the Austrian Federal Minister of Education, Science and Research on tuition fees at universities and colleges of education (Tuition Fee Regulation [Studienbeitragsverordnung]), hereinafter referred to as StubeiV
[6]
www.jku.at/rechtsabteilung/mtb-satzung-co/, opens an external URL in a new window
[7] Section on Study Regulations of the Johannes Kepler University Linz (ST-StR).
[8] Federal Act on the Safekeeping, Storage and Use of Archival Holdings of the Federal Government [Bundesarchivgesetz]