Data protection

Data subjects at the Med Uni Graz are

• Applicants (Data Protection Declaration of the Medical University of Graz for the Handling of Applicant Data)
• Employees (Information sheet: (future) employees, civil servants/contract staff, information sheet for employees IT-applications)
• Former employees
• Proper students
• Students (Information Sheet for: (proper and non-degree) Students, University Course (ULG) participants (non-degree students))
• External teachers
• Alumni
• Test subjects
• Patients

Research: Privacy Policy of the Medical University of Graz on the handling of personal data for research purposes

As per the GDPR, the data subjects have a right to information (Art. 15), a right to rectification (Art. 16), a right to deletion (Art. 17), a right to restriction on processing (Art. 18), a right to data portability (Art. 20) and a right to opt-out (Art. 21).

Requests are generally to be made in written form incl. more detailed information by e-mail or by mail to the specified contact details. 

At the Medical University of Graz, these rights of data subjects can be exercised as follows: We point out your obligation to cooperate in the application for a request for information. Therefore, we kindly ask you to tell us in what context (e.g. employees, students, applicants, etc.) or which processed data or what information your request for information relates to.

Employees and students can use the e-mail address of Med. Uni. Graz (no information about special categories of personal data, such as health data, faith, etc.) to make their request. In all other cases, proof of identity in the form of an official photo identification is necessary.

Duties of the Data Protection Officer  (governed in the data protection rules of the Med Uni Graz)

The Data Protection Officer is bound to observe secrecy or confidentiality in the performance of his duties (Art. 37 para. 4 and 5).

• Contact point for data subjects for the processing of their personal data and the exercise of their rights;

• Monitoring compliance with the GDPR, other European Union or Member State data protection legislation, and the policies of the responsible parties or processors for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of employees involved in the processing operations, and checks thereof;

• Consultation on request - in the context of the data protection impact assessment and monitoring of its implementation as per Art. 35;

• Cooperation with the supervisory authority;

• Acting as a focal point for the supervisory authority in processing-related matters, including prior consultation as per Art. 36, and, if appropriate, advice on all other issues.

Data breach as per Art. 4, no. 12 of the GDPR, is the “breach of the protection of personal data”, a breach of security that, whether inadvertently or unlawfully, leads to the destruction, loss, alteration or unauthorised disclosure, or unauthorised access to personal data, which has been transmitted, retained or otherwise processed.

Examples of the loss of personal data of Med. Uni. Graz:

• Loss of cellphone, tablet, laptop, etc.
• E-mail to wrong recipients,
• Malicious software
• Blackmailer malware
• etc.

The notification of a data breach must be made immediately to the Data Protection Officer of Med Uni Graz. On the one hand, this is necessary to protect personal data or to protect the integrity of the IT structure and, on the other hand, to be able to comply with the reporting obligation to the supervisory authority.