The University of St.Gallen (hereinafter ‘University’, as well as ‘we’ and ‘us’) feels exceptionally committed to the protection of personal data.
In some cases, the university refers to third-party websites as part of its online presence. The University of St.Gallen accepts no liability for any legal deficiencies (regarding data protection) on such websites.
2. Responsible parties and contact persons
Unless otherwise specified individually, the party responsible for the data processing described here is:
University of St.Gallen
Phone +41 71 224 21 11
Data Protection Officer of the University of St.Gallen:
University of St.Gallen
9000 St.Gallen, Switzerland
Data protection representative in the EU as per art. 27 of the GDPR is Atty. Frank E.R. Diem, Hölderlinplatz 5, 70193 Stuttgart, Germany. You can find his contact information here.
3. Type, collection and processing of personal data
Personal data means all information relating to a specific or identifiable person.
Within the scope of its online presence, the University collects data via various online forms, e.g. for enrolment in a degree course, for ordering documents or for registering to receive newsletters. In addition, your use of our website causes our system to generate data that may enable you to be identified (log files and cookies).
In particular, the collection and processing of personal data is carried out by yourself by voluntarily filling out online forms. The log files and cookies are generated without your active involvement.
4. Purpose and legal basis of data processing
When collecting and processing personal data, we comply with the legal requirements of the applicable data protection laws. The legal basis is provided by art. 4 of the DSG-SG and art. 13 par. 1 of the DSG or, where applicable, art. 6 par. 1 of the GDPR.
The data you voluntarily disclose is made available for the evident or declared purpose for which it was collected. The data generated without your involvement is intended to make our website (cookies) more convenient for you to use or to enable reliable operation and to protect against misuse (log files).
With regard to the provisions of the GDPR in particular, data processing by the University is fundamentally based on a statutory legal basis. Therefore, we only process personal data in the following cases:
- If legal regulations require us to;
- If the processing is in the public interest;
- If we have the consent of the person concerned. Once consent is granted, it can be revoked at any time, but this has no effect on data already processed;
- If this is necessary to fulfil a contractual obligation with the person concerned or to initiate and conclude a contract with the person concerned;
- If this is essential to protect the vital interests of the person concerned or another natural person;
- If this serves to safeguard the legitimate interests of the University or third parties.
5. Duration of storage of personal data
As soon as the legal reason for processing specific data ceases or the collected data no longer serve the specific purpose, the data is deleted, provided that the deletion does not conflict with legal or contractual obligations. (cf. section 6).
Web-related personal data is stored as follows:
- Data in teampages: As long as the person is employed at the University.
- Data in galleries created by the CMS author: As long as the person is not actively deleted.
- Data in web forms: As long as the CMS author does not actively delete the list of sent forms.
- Data from Google Analytics: As long as the Analytics account exists or an admin does not delete all the data.
- Data for specially closed areas with login (very few): As long as the CMS admin does not delete the created users.
6. Rights of persons affected by data processing
You have certain rights with regard to your personal data in the context of the applicable data protection law and insofar as provided therein. Namely, you have a right to
- Information, in particular whether your personal data is processed by us and, if so, what kind of data is involved and what data is stored.
- Correction and, if necessary, completion of your personal data.
- Deletion of your personal data.
- Restriction of data processing.
- Objection to data processing.
- Withdrawal of previously granted consent.
Please note that we reserve the right, for our part, to enforce the statutory restrictions, for example, if we are required to retain or process certain data, have an overriding interest in doing so (insofar as we are entitled to invoke it) or require it for the assertion of claims. If you incur costs, we will inform you in advance.
To exercise the rights listed above you are generally required to unequivocally prove your identity (for example, by providing a copy of your ID in cases where your identity is otherwise unclear or cannot be verified). To assert your rights, you can contact us using the contact details provided in section 2.
Each data subject also has the right to enforce their claims in court. You have the right to report any privacy breaches to the Data Protection Department of the Canton of St.Gallen, Government Building, 9001 St.Gallen, Switzerland (www.datenschutz.sg.ch). If the GDPR is applicable, you have the right to appeal to the relevant data protection supervisory authority.
7. Obligation to provide personal information
You generally have no legal obligation to provide us with data when visiting our website. However, we wish to point out that the website cannot be used unless certain information (such as IP address) is disclosed in order to safeguard the data traffic.
8. General data collection (log files)
Our websites collect a series of data with each query. This general data and information is stored in the log files. The following data is collected:
- IP address,
- Date and time of the query,
- Time zone difference to GMT,
- Contents of the request,
- Access status/http status code,
- Amount of data transferred,
- Web page from which the request originates,
- Browser (including language and version),
- Operating system.
This general data is not assigned to a specific person when used. Collection of this data is necessary for technical reasons in order to display our website to you and to ensure its stability and security.
9. Contact and the contact form
If you contact us using the specified email address and/or the contact form provided, we will always comply with the applicable data protection regulations when handling the data you send us. The data you provide is used solely to process your request. Please note that the data you enter via our contact form is transmitted unencrypted.
10. Cookies and other technologies in connection with the use of our website
Functional cookies: To recognise login information or personal settings.
Performance cookies: To determine anonymous information on website usage.
Targeting/marketing cookies: When integrating cookies used by third parties.
Specifically, the following cookies are used on the University’s websites:
Functional cookies: Checking the user’s login; checking the user’s display language.
Performance cookies: Checking which of the two web servers for displaying the websites is less busy and redirecting the user to that one.
Targeting/marketing cookies: Google Tag Manager stores anonymised data about the behaviour of users on the University’s websites. For more information, visit this page.
Google Maps: When you use Google Maps on our website, information about the use of the website (including IP address) is transmitted to Google in the United States. For more information, visit this page.
Youtube.com: Targeting/marketing cookies: When videos are embedded, YouTube stores data about user behaviour. For more information, visit this page.
Pinterest: No cookies.
Instagram: No cookies.
Facebook: No cookies.
Twitter: No cookies.
11. Web tracking
You can prevent the data generated by the cookie about your use of the website (including your IP address) from being sent to and processed by Google by downloading and installing the browser plug-in available at the following link.
Google is certified under the Privacy Shield Agreement and therefore guarantees a level of data protection equivalent to Swiss and European data protection law.
12. Social media plug-ins and tools
We currently use the social media plug-ins and tools listed in the following table. When visiting our websites, the data listed in section 8 of this Policy can be transmitted to the plug-in provider without confirmation. The plug-in provider stores the data collected about you as usage profiles and uses it for purposes of advertising, market research and/or to customise the design of its website.
We have no control over the collected data or the data processing operations of the plug-in providers. These are subject to the privacy policies of the third parties. For more information on the purpose and scope of the data collection and the processing of the data by the plug-in provider, please refer to the providers’ privacy statements listed below.
By granting your consent you can subscribe to our newsletter, which contains information about our latest interesting offers. We use what is known as the ‘double opt-in process’ when subscribing users to our newsletter. This means that after you subscribe we send an email to the specified email address asking you to confirm that you want to receive the newsletter. The only information you have to enter to receive the newsletter is your email address, which we save after you subscribe.
You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. This revocation or cancellation can be declared by clicking the link provided in every newsletter or via the contact information in section 2 of this Policy.
Furthermore, we can send you our newsletter as part of your user or contractual relationship. You can unsubscribe from the newsletter at any time by clicking the link provided in every newsletter or via the contact information in section 2 of this Policy.
In some cases, we offer blogs on our websites where we publish various articles on topics related to our activities. Certain blogs allow you to leave public comments, which can be published with your username. We encourage you to use a pseudonym rather than your real name as a username. You are required to enter your username and email address; all other entries are voluntary. When you submit a comment, we store your IP address so that we can defend against liability claims in the event that unlawful content is published. Comments are not reviewed prior to publication. However, we reserve the right to remove comments after publication at our sole discretion if we consider them to contain offensive or unlawful content.
We publish open job offers on our websites regularly. If you send us your application electronically or by post, we will treat your application documents as strictly confidential. We will not disclose them to third parties and will use them solely for the purpose of filling the position you have applied for.
Application documents from applicants who are not being considered will be deleted six months after the position is filled, because we have to comply with legal requirements pertaining to this period (e.g. compliance with SECO guidelines).
16. Profiling and automated decisions
When users visit the University’s websites, no personal data is collected or even brought together centrally to build up a profile and make this data available to certain individuals for evaluation. The Intranet and StudentWeb require every user to log in with a personal account, but this is only for authentication purposes; the Sitecore CMS does not store this or any other data associated with the person in a linked manner. The integrated Google Analytics only stores anonymous clicks, without linking to or passing on user data (e.g. account name or the like).
Personal data such as first name, last name and address are stored in a user account, which is required for logging on to the Intranet/StudentWeb. This data is captured and stored in the University’s User Management System. The profile is only accessible to the authenticated user themselves. This data is not stored on the websites; it is only output (including in the Intranet/StudentWeb).
17. Data transfer and data transmission abroad
All the data for the operation of the CMS and the delivery of the websites is held by the Swiss hosting provider ‘Aspectra’ and is therefore stored in Switzerland. In addition, services provided by the University on its systems are queried and integrated. No data is transferred abroad, except in the cases indicated.
18. Data security
We employ reasonable technical and organizational security measures to protect your personal data from unauthorized access and misuse. For example, we use SSL encryption when transmitting University website data from the server to the visitor's browser. In addition, Intranet and StudentWeb pages are protected by ADFS (Active Directory Federation Service) and are therefore only accessible to authenticated users from the University.