Datenschutzhinweise Meldung von Datenschutzvorfällen
This privacy information refers to the processing of personal data in the context of the provision of data protection breach notifications at the university.
1. Contact details of the controller
The controller, i.e. the organisation responsible for data processing as defined in data protection legislation, especially the General Data Protection Regulation (GDPR), is the:
Academy of Fine Arts Munich
Akademiestrasse 2-4, 80799 München
Telephone: +49 89 3852 -0
Fax: +49 89 3852 - 252
E-mail:
The Academy of Fine Arts Munich is an organisation under public law and a state institution. It is legally represented by its President, Professor Karen Pontoppidan.
2. Contact details of the Data Protection Officer
You can contact our official Data Protection Officer at:
Data Protection Officer of the Academy of Fine Arts Munich
Akademiestrasse 2-4
80799 München
E-Mail:
3. Purpose of and legal basis for the processing of personal data
When reporting data protection violations, personal data will be collected and processed for the following purposes:
• For internal processing and documentation purposes, the personal data provided by the notifying person will be collected.
• If the personal data breach leads to a risk to the rights and freedom of natural persons, a notification is made to the Bavarian Data Protection Commissioner.
Legal basis:
The legal basis for data processing is and 6 (1) point c) articles 33, 34 of the GDPR in conjunction with article 4 (1) of the Bavarian Data Protection Act (Bayerisches Datenschutzgesetz - BayDSG).
4. Categories of personal data
For internal processing and documentation, personal data provided by the reporting person is collected. This includes:
• Information about the reporting person: surname, first name, contact details (e-mail address, telephone no., facility).
• Time and general description of the incident
• Information on measures taken
• Information on the categories of personal data and scope (number of persons involved and number of data sets affected).
5. Categories of data subjects
The personal data of the person reporting the incident and, if applicable, of the persons affected by the data protection incident are processed.
6. Recipients of personal data
Information on data breaches is sent by email to the email address
Pursuant to article 33 (1) of the GDPR, the university is legally obliged to transmit the data recorded in the notification of a data protection breach to the Bavarian State Commissioner for Data Protection.
In individual cases, data may also be transferred to third parties on the basis of legal permission, for example to law enforcement agencies for the purpose of investigating criminal offences within the framework of the provisions of the Code of Criminal Procedure (Strafprozessordnung - StPO).
If technical service providers are given access to personal data, this is done on the basis of a contract in accordance with article 28 of the GDPR.
7. Transferring Personal Data to a non-EU Country
Not planned at present.
8. Storage period for personal data
The legal basis for the retention is article 33 (5) of the GDPR in conjunction with section 195 of the German Civil Code (Bürgerliches Gesetzbuch - BGB); the data is retained for 3 years.
9. Rights of the data subject
Pursuant to articles 15 et seq. of the GDPR, you, the data subject, are entitled to the following rights concerning the processing of your data:
• You can ask for information about whether data concerning you is being processed. If this is the case, you are entitled to information about which data is processed and other information relating to the processing (article 15 of the GDPR). Please note that this right to information can be restricted or excluded in certain cases (see in particular article 10 of the BayDSG).
• If the personal data concerning you is/has become inaccurate or incomplete, you can request that this data is rectified and/or completed (article 16 of the GDPR).
• If the legal requirements are met, you can request that your personal data be deleted (article 17 of the GDPR) or processing of your data be restricted (article 18 of the GDPR). The right to deletion pursuant to article 17 (1) and (2) of the GDPR does not apply in certain cases, however, such as if the processing of personal data is vital for the performance of a task that is in the public interest or is performed in the exercise of official authority (article 17 (3) point b) of the GDPR).
• You are entitled to file a complaint concerning the processing of your personal data with a supervisory authority as defined in article 51 of the GDPR. The pertinent supervisory authority for the Bavarian public service is the Bavarian Data Protection Commissioner, Wagmüllerstraße 18, 80538 München. In addition to the right of appeal, you can also seek a judicial remedy.
If you choose to exercise the rights stated above, the public office will check whether the legal requirements for doing so have been met.
10. Amendments to our data protection declaration
We reserve the right to change this data protection declaration to accommodate changes to legislation or changes in the services we provide (e.g., if we introduce new services).
If you have any further questions, please feel free to contact the Data Protection Officer.