Data Protection Statement for the Johannes Gutenberg University Mainz (JGU) App
1. Name and contact information of the controller as well as of the data protection officer
1.1. Controller
Johannes Gutenberg University Mainz Phone: +49 6131 39-0
Represented by the president E-Mail: praesident@uni-mainz.de
Univ.-Prof. Dr. Georg Krausch
Saarstr. 21
55122 Mainz
1.2. Data protection officer
Data protection officer Phone: +49 6131 39-22109
Johannes Gutenberg University Mainz E-Mail: datenschutz@uni-mainz.de
Saarstr. 21
55122 Mainz
2. Processing purpose and data to be collected
Your personal data is processed for different reasons depending on which of JGU’s app’s functions you use:
a) Collection of contact details:
Name, address, phone number, user ID (Data Center account) and, if applicable, which account collects and sends someone else’s data (signing up third parties via personalized QR code), are relayed to JGU’s servers and stored there if you take part in an on-campus course in person. This occurs in order to allow contact tracing by the local health authority in case of a possible COVID-19 case in the context of official pandemic measures.
b) Identity card:
Your log-in information (username and the account transmitting data) is relayed to JGU’s servers in order to create an identity card for you. At the moment, this function only exists for the creation of a library card and an ID-card for RMU students. The created identity card is saved locally on your device and can be deleted at any time by signing off the app or deleting it in the “library” tab.
c) Map
You can use this function in order to search for rooms or buildings. These and your location (if you have allowed it) are displayed on your smartphone’s map system. JGU does not create a location profile, although the provider of your smartphone’s map system might.
d) Information on local public transport
In order to give you access to information regarding local transport timetables, we use information from the Rhein-Main-Verkehrsverbund. Your IP address is transferred when sending a query.
3. Legal basis for processing
The different processing purposes have different legal bases.:
a) Collection of contact details
We are legally obligated to collect your contact details in order to guarantee contact tracing in case of possible COVID-19 cases. The legal basis is Art. 6 Para. 1 lit. c) of the General Data Protection Regulation (GDPR) in connection with § 32 Sentence 1, 28 Para. 1 Sentence 1 and 2 IfSG and § 1 Para. 8 and § 2 Para. 3 11 CoBeLVO.
b) Identity card
The legal basis is Art. 6 Para. 1 lit. e) of the General Data Protection Regulation (GDPR) in connection with § 2 Para. 1 HochSchG RLP.
c) Map
The legal basis is the consent exercised by granting the necessary rights according to Art. 6 Para. 1 lit. a) of the General Data Protection Regulation (GDPR).
d) Information on local public transport
The legal basis is the consent resulting from use of the JGU app and specific functions according to Art. 6 Para. 1 lit. a) of the General Data Protection Regulation (GDPR).
4. Necessity of the provision of personal data
In view of the contact data processing procedure, we are legally obligated to collect your contact details. Therefore, you are not allowed to participate in on-campus courses if you do not submit your data.
In regard to the other processing procedures, you are free to indicate or refuse the necessary data. There is no legal obligation in this case. However, the functionality of the app will be limited if you do not allow your data to be processed.
5. Recipients of personal data: transfer to third parties
The data is transmitted to different recipients depending on the reason for processing:
a) Collection of contact details
If it is required for the fulfillment of their tasks, the contact data is transmitted to the local health authorities upon request.
b) Map
If you have granted the necessary rights, information could be exchanged with Apple via Apple API.
c) Information on local public transport
When using this function, your IP address is transmitted to the Rhein-Main-Verkehrsverbund.
6. Duration of storage
The collected contact details are saved for the period of one month and then irrevocably deleted if no other retention obligations exist.
The information on the identity card is regularly updated and calibrated with the Data Center’s servers and then re-saved on your smartphone. If you delete the identity card or are exmatriculated, the data is irrevocably deleted.
7. Rights
Every person affected by data processing has the following rights in particular:
- Right of access regarding the personal information stored relevant to them and its processing according to Art. 15 GDPR
- Right to rectification, if data concerning them is wrong or incomplete, according to Art. 16 GDPR
- Right to erasure, if one of the requirements according to Art. 17 GDPR is met
- Right to restriction of processing, if one of the requirements according to Art. 18 GDPR is met
- Right to data portability to a different responsible office and information regarding stored personal data in a machine-readable format, according to 20 GDPR
- Right to object to future processing of your personal data, according to Art. 21 GDPR
- Right to withdraw consent at any time according to Art. 7 subsection 3 GDPR. The withdrawal of consent can only apply to the future and does not have an effect on processes which took place before the withdrawal of consent was received by the office responsible for the data processing.
- Right to lodge a complaint with a supervisory authority according to Art. 13 subsection. 2 lit. d) GDPR, if the affected person is convinced their personal data was processed unlawfully:
State Commissioner for Data Protection and Freedom of Information Rhineland-Palatinate (Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz).
Hintere Bleiche 34
55116 Mainz
Phone: +49 6131 8920 0
Fax: +49 6131 8920 299
E-Mail: poststelle@datenschutz.rlp.de