Data Protection Statement: Applicants and Students

WU (Vienna University of Economics and Business) is committed to protecting your personal data. Your personal data are kept confidential and processed in accordance with the provisions of the applicable data protection laws. In fulfillment of the regulations of the General Data Protection Regulation (GDPR), in particular Article 13 and 14, we would like to inform you about the types of personal data that are processed in connection with your degree program and also about the purposes for which these data are processed.

Contact Information

You can contact us at:

Controller:
Vienna University of Economics and Business (WU)
Welthandelsplatz 1, 1020 Vienna
Contact: Vice-Rectorate for Academic Programs and Student Affairs: wulehre@wu.ac.at
Welthandelsplatz 1, AR building, 1020 Vienna

Data Protection Officer:
Vienna University of Economics and Business (WU)
c/o Data Protection Officer p.A. Legal Affairs Office
Welthandelsplatz 1, AR building, 1020 Vienna

For any other matters related to data protection, please contact the WU data protection team at datenschutz@wu.ac.at.

1. What do we use your data for and to whom do we transfer the data?

The purposes and legal basis for data processing are listed below. For some of these purposes, it may be necessary to transfer the data to third parties. If data are transferred, the respective categories of recipients are also listed. If you do not provide us with the respective required data, we will unfortunately not be able to provide you with our services.

1.1. Online pre-registration

The processing is carried out for the implementation of the application/admission procedure and for the eventual admission to the degree program applied for.

The following categories of data are processed: Name; dates of birth; gender; nationality; mother tongue; academic titles awarded and any other academic titles; contact details; home and mailing address; degree program applied for; data and certificates proving university entrance qualification;

The legal basis for the processing is the fulfillment of legal obligations pursuant to Art 6 para 1 lit c GDPR, including the Universities Act 2002 (Universities Act), By-laws of WU, Person Group Ordinance 2018, University Entitlement Ordinance (UBVO), University Student Records Ordinance 2004, Education Documentation Act 2020 (BilDokG), University Statistics and Education Documentation Ordinance (UHSBV), Student Union Act 2014 (HSG), as well as the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR.

Recipients are the Data Network of the Universities, the Austrian Student Union (ÖH) and Statistics Austria.

1.2. Student Administration

The processing is carried out for the implementation and handling of your degree program, such as communication, issuing of the student ID card, room reservations and access authorizations, prescribing/payment of any tuition fees or waiver/reimbursement or repayment, awarding of a merit-based scholarship and conferral of an academic degree.

The following categories of data are processed: Name; dates of birth; gender; student ID number; social security number; nationality, in the case of foreigners the data of the travel document presented to establish identity; home and mailing address; academic titles awarded and any other academic titles, contact details; area-specific personal identifier (bPK); study application data; statistical marks for the census of persons and studies; bank details; contribution status according to §§ 91 and 92 of the Universities Act; amounts and value date of the tuition fee advance notice; amounts and value date of any subsequent claim; payment status and actual amount; last posting date; binding proof of waiver of tuition fees; number of semesters for which the proof is valid; university tuition fee account; education and qualification data; application, admission or start date of the degree program; form, date and issuance of the general university entrance qualification; Matura language and place; highest completed school education of parents (UHStat1); degree of any impairment; photograph for student ID card; admission status; any time limit on admission; notification of continuation of studies (re-registration); completion date and form of the respective education and the designation of the completed education; if available, data of previous university entrance examinations;

The legal basis for processing is the fulfillment of legal obligations pursuant to Art 6 para 1 lit c GDPR, including the Universities Act 2002 (Universities Act), By-laws of WU, Person Group Ordinance 2018 (PersGV), University Entitlement Ordinance (UBVO), University Student Records Ordinance 2004, Tuition Fees Ordinance (StubeiV), Education Documentation Act 2020 (BilDokG), University Statistics and Education Documentation Ordinance (UHSBV), Delivery Laws (ZustG), Student Support Act (Student Support Act), Student Union Act 2014 (HSG), General Administrative Procedure Act 1991 (AVG), as well as the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR.

Recipients are the Data Network of Universities, the Austrian Student Union (ÖH), banks, Statistics Austria.

1.3. Teaching and exam administration, learning and media platforms

The processing is carried out for the announcement, implementation, support and administration of courses and exams, such as registration and deregistration, attendance control via WU Check-in, provision of teaching and learning content as well as communication, documentation of courses as well as examination performance and academic work including plagiarism checks.

The following categories of data are processed: account data for courses/examinations; examination data in the scope of examination reports including university entrance examination; semester hours of examinations taken; semester hours of positively assessed examinations; ECTS credits earned and ECTS credits; examination recognition data; type and date of examinations successfully passed; additional examinations; data on academic papers; plagiarism case data; name; email; organizational affiliation; account data, course data; exam data; course information; calendar entries and synchronized appointments (e.g., LV appointments); metadata/log data (e.g., IP addresses, device/hardware information); text, audio, and video data; content data (e.g., file uploads, web recordings).

The legal basis for the processing is the fulfillment of legal obligations according to Art 6 para 1 lit c GDPR (among others § 78 Universities Act), the performance of a task in the public interest according to Art 6 para 1 lit e GDPR, Art 89 GDPR (scientific research purposes), the Universities Act 2002 (Universities Act), the Research Organization Act (FOG) as well as By-laws of WU, the WU Examination Regulations and the curriculum.

Recipients are the public (e.g. obligation to publish a list of courses according to § 59 Abs 5 Universities Act; obligation to publish positively evaluated academic work of students according to § 86 Universities Act), surveyors as well as data processors used by WU for digital teaching.

1.4. Use of video conferencing systems

The processing is carried out for the purpose of holding courses in hybrid form (partly distance and partly presence) or online using the videoconferencing systems MS Teams and Zoom, in order to ensure the proper operation of studies.

The following categories of data are processed: Metadata such as participant IP addresses; device/hardware information; connection data; text input when using the chat function; audio and video data when activating the camera and microphone; Microsoft Teams or Zoom account data; presentations provided.

The legal basis for the processing is the fulfillment of legal obligations pursuant to Art 6 para 1 lit c GDPR (§ 3 (1), (6) and (7) and § 76 ff Universities Act 2002) as well as the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR; in particular, to guarantee the right to education pursuant to Art 14 of the Charter of Fundamental Rights of the European Union (GRC), freedom of study pursuant to § 2 Universities Act and the right of students to attend the courses necessary for the achievement of their educational goal pursuant to § 59 Universities Act. With regard to communication with each other, WU invokes the legitimate interest pursuant to Art 6 para 1 lit f GDPR in easily accessible and location-independent communication.

The recipients are the video conferencing systems of Zoom Video Communications Inc. (Zoom) and Microsoft (Microsoft Teams) based in the USA. Virtually participating persons receive text, video and audio data of the other participating persons as part of the transmission. In addition, the names of the virtually participating persons are also visible to the other participants.

1.5. Online supervision for online exams

The processing is carried out for the purpose of conducting and ensuring the integrity of the online exam, in particular to ensure that the exam is processed exclusively by you, that there is no oral exchange with third parties and that no unauthorized resources (Internet, own computer) are accessed.

The following categories of data are processed: Name; student ID number; contact details; audio and video data when the camera and microphone are activated; uploaded photos/ID;

The legal basis for the processing is the performance of a task in the public interest pursuant to Art 6 para 1 lit e of the GDPR, in particular for the determination and assessment of academic performance pursuant to § 72 of the Universities Act. Pursuant to § 73 Universities Act, an assessment shall be declared void by notice if the assessment was obtained by cheating during an exam, in particular by using unauthorized aids. Further legal bases are Art 9 para 2 lit j GDPR in conjunction with Art 89 para 1 GDPR and § 2f para 5 Research Organization Act (FOG).

1.6. Evaluation and quality assurance in teaching

The data from the student and alumni surveys as well as the evaluation of the admission test are processed for the purpose of quality assurance and further development of the portfolio of courses. The WU Student Panel provides us with important information about the study situation from the students' perspective over the entire student lifecycle as a basis for the further development of study quality at WU.

The following categories of data are processed: Study data; selection procedure and start of studies; socio-demographic data; study decision; activities prior to start of studies; study entitlements; planned course of studies; planned study-related stays abroad; plans after studies; workload during studies; career planning; satisfaction with studies; orientation during studies; attitudes towards studies; self-assessment in the course of studies; planned course of further studies; satisfaction with technical infrastructure; job search; occupational situation; duration of occupation; occupational title; occupational experience; possible suggestions for improvement; financial situation; information on bachelor's / master's thesis; special knowledge and qualifications; account data;

The legal basis for the processing is the fulfillment of legal obligations pursuant to Art 6 para 1 lit c GDPR as well as the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR (inter alia § 14 Universities Act; §§ 18ff Higher Education Quality Assurance Act; § 141 Universities Act; Education Documentation Act; By-laws of WU).

1.7. IT user management and support, ensuring IT functionality and IT security

The processing is carried out for the administration of accounts, authorizations, user IDs and self-services related to the WU account and associated services. For this purpose, WU also uses external IT service providers as data processors for the provision, support and/or maintenance of the IT applications and IT systems used by WU. Without this data processing, secure operation and data protection-compliant use of the IT systems is not possible.

The following categories of data are processed: WU login data; name; area-specific personal identifier (bPK); contact details; student ID card photo; content data; log data; access authorizations;

The legal basis for the processing is the legitimate interest pursuant to Art 6 para 1 lit f GDPR (interest in secure and functioning user administration) and the fulfillment of a legal obligation pursuant to Art 6 para 1 lit c GDPR (Art 24, Art 32 GDPR) to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

Recipients are Microsoft Austria for the student email account (Microsoft 365). The data are stored by Microsoft within the EU. For the physical storage of the data (backup data), we use the Federal Government Failure Computer Center (Ausfallsrechenzentrum des Bundes) as a data processor. In addition, we use other IT service providers as data processors for the provision, support and/or maintenance of the IT applications and IT systems used by WU.

1.8. Support services for first-semester students

The data are processed and stored for the purpose of conducting study-accompanying tutorials to support first-year students at bachelor level in their social and academic integration at WU, as well as to divide first-year students into groups and to assign them to tutors. Furthermore, we process the data of the tutors for the purposes of selection and, if applicable, for crediting the activity as a free elective.

Categories of data students: Name; gender; date of birth; citizenship; student ID number; contact details; degree program.

Categories of data tutors: Name; gender; date of birth; citizenship; student ID number; contact details; degree program; ECTS already completed; examination results.

The legal basis for the processing is the fulfillment of a legal obligation pursuant to Art 6 para 1 lit c GDPR (§ 60 para 1 c Universities Act - Establishment of Beginners' Tutorials). Virtually participating persons receive text, video and audio data of the other participating persons as part of the transmission. In addition, the names of the virtually participating persons are also visible to the other participants.

1.9. Student mobility

The processing is carried out for the purpose of the application procedure and subsequently for the organizing of the stay within the framework of a mobility program at WU.

The following categories of data are processed: Type of international mobility and host country of stay abroad; name; contact details; address; gender; nationality; emergency contact; degree program; start date; semesters completed at WU; collective certificate; grade point average; international experience; language skills; curriculum vitae; copy of passport; track record;

The legal basis for the processing is the fulfillment of a legal obligation pursuant to Art 6 para 1 lit c GDPR (§§ 2,3 Universities Act: obligation of the University to promote international mobility), consent pursuant to Art 6 para 1 lit a GDPR and the legitimate interest pursuant to Art 6 para 1 lit f GDPR.

Recipients are partner universities, insurance companies, funding agencies.

1.10. Graduate administration

Processing is done for maintaining contact with graduates, such as information on continuing education, events, field trips, surveys.

The following categories of data are processed: Name; contact details; date of birth; student ID number; graduation; degree program; title; salutation; gender; previous names; donations; event data.

The legal basis for the processing is the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR (§ 3 para 10 of the Universities Act: maintaining contact with graduates; § 3 para 5 of the Universities Act: continuing education of graduates), in the case of participation in paid events the performance of a contract pursuant to Art 6 para 1 lit b GDPR and the legitimate interest pursuant to Art 6 para 1 lit f GDPR (public relations).

Recipients are printers, postal services, banks, payment providers, tax consultants, auditors, tax authorities. Data Dialog EDV Systeme GmbH is used as data processor.

1.11. Library management

The processing is carried out for the purpose of using the University Library and the library services offered, including borrowing, and, if necessary, for dunning purposes and any related law enforcement.

The following categories of data are processed: Name; student ID number; gender; date of birth; contact details; library card data; user ID; borrowing data; billing and payment data; dunning data; log data.

The legal basis for the processing is the performance of a task in the public interest pursuant to Art 6 para 1 lit e GDPR and the legitimate interest in the provision of services by the library pursuant to Art 6 para 1 lit f GDPR and Art 9 para 2 lit f GDPR for the assertion or defense of legal claims.

Recipients are external service providers (Ex Libris GmbH, Discoverysystem Primo, Smartfreq Ltd. and k42-Gregor Dorfbauer), Austrian Library Network, Financial Procurator's Office, Mensa cafeteria.

1.12. Locker management

The processing is carried out for the purpose of using electronic lockers.

The following categories of data are processed: Name; student ID number; gender; date of birth; contact details; locker number; library card data; period of use; log data.

The legal basis for the processing is the performance of the contract pursuant to Art 6 para 1 lit b GDPR and the legitimate interest in the protection of the property pursuant to Art 6 para 1 lit f GDPR.

The recipient is the company Gantner Electronic GmbH, which WU uses as a data processor.

1.13. Legal disputes

The processing is carried out for the assertion, exercise or defense of legal claims.

The following categories of data are processed: Name, contact details, student ID number, file contents;

The legal basis for the processing is WU's legitimate interest in asserting, exercising or defending legal claims pursuant to Art 6 para 1 lit f GDPR.

Recipients are involved persons, such as courts and legal representatives, public prosecutor's office.

2. Will your data be passed on to recipients outside the EU / EEA?

In the context of student administration, no data is usually transferred to recipients outside the EU / EEA. However, in connection with the use of cloud providers, data may be transferred to third countries. In this case, the regulations according to Art 44 ff GDPR may apply. The transfer takes place either on the basis of an adequacy decision pursuant to Art 45 GDPR or with the express consent of the data subjects pursuant to Art 49 para 1 lit a GDPR or for the performance of a contract concluded with the data subjects or in their interest pursuant to Art 49 para 1 lit b GDPR or for important reasons of public interest pursuant to Art 49 para 1 lit d GDPR.

If it is possible by reasonable means, we avoid the use of data processors from third countries. If the use of data processors from a third country cannot be avoided, we ensure the conclusion of appropriate contractual agreements (in particular the conclusion of standard contractual clauses pursuant to Art. 46 para 2 lit c GDPR) and the promise of appropriate guarantees in order to guarantee an equivalent level of data protection.

3. How long do we store your data?

WU is required by various legal provisions, including the Universities Act 2002, the Education Documentation Act, and the University Student Records Ordinance 2004, to keep a variety of data on its students, including, for example, name, date of birth, gender, nationality, address, start and end dates of education, student ID number and examination data.

The home address and mailing address shall be stored for 10 years. With regard to ensuring the proper allocation of student ID numbers, the student ID number, last name and first name(s), date of birth, gender, nationality, date of general university entrance qualification, identification as invalid student ID number, area-specific personal identifier (BF) must be stored for 99 years. Examination data must be stored for at least 80 years in accordance with § 53 Universities Act. Examination reports, corrections of written exams, assessment sheets and examination forms must be kept for 6 months after the announcement of the assessment (§§ 79, 84 Universities Act). The students' social security number or substitute identification number contained in their records are deleted by the educational institution no later than 2 years after their departure. Data related to bank payments are kept for 7 years in accordance with § 132 BAO and deleted thereafter.

Student and alumni survey data are deleted after six years. Online supervision data is stored during the 4-week assessment period and beyond that during the 2-week appeal period, after which it is deleted. In the event of an appeal, the data will be stored until the conclusion of the relevant proceedings and then deleted. Locker management data will be deleted from the system 14 days after use. In the event of legal disputes, data is generally retained at least as long as claims can be asserted against WU and until the conclusion of any legal disputes in which the data is needed as evidence. Statutory limitation periods are usually 3 years and 30 years at the longest.

4. What rights do you have as a data subject?

As a data subject in the context of these data processing operations, you have the following rights vis-a-vis WU as the controller: information and access, rectification, deletion, restriction of data processing, data portability, and objection. As a data subject, you also have the right to file a complaint with the Austrian Data Protection Authority. Further information on your rights as a data subject is available on our website at www.wu.ac.at/betroffenenrechte

To exercise any of these rights, please contact the WU data protection team at datenschutz@wu.ac.at.