Select your language

Data protection

1. General information

(1) In the following we provide information in accordance with Art. 13 GDPR about the collection of personal data when using our website www.stwno.de. Personal data are all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour.

(2) The person responsible in accordance with Art. 4 para. 7 of the General Data Protection Regulation (GDPR):

Studentenwerk Niederbayern/Oberpfalz
legally represented by Doreen Steudte, managing director
Albertus-Magnus-Str. 4
93053 Regensburg
Tel: +49 (0)941/943-2200
E-Mail: This email address is being protected from spambots. You need JavaScript enabled to view it. (see our imprint).

You can reach our data protection officer at:
Studentenwerk Niederbayern/Oberpfalz
Nicolas Müller
Data protection officer of the Studentenwerk Ndb./Opf.
Albertus-Magnus-Str.4
93053 Regensburg
Phone: +49 (0)941/943-1836
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

(3) When you contact us by e-mail or via our contact form at https://www.stwno.de/de/feedback, the data you provide (voluntary information if you wish to receive a reply: your name, your first name, and your e-mail address) will be stored by us in order to answer your questions. The legal basis for the processing of the data is our legitimate interest in answering your request in accordance with Art. 6 para. 1 lit. f GDPR. If your contact is aimed at the conclusion of a contract, an additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR. We delete the data arising in this connection after storage is no longer required or restrict processing if there are legal obligations to retain data.

(4) If we use commissioned service providers for individual functions of our offer, we will inform you in detail about the respective processes below. In doing so, we will also state the specified criteria for the storage period.

2. Your rights

(1) You have the following rights in relation to the personal data concerning you:

  • Right to information,
  • Right of correction or deletion,
  • Right to restrict processing,
  • Right to object to the processing,
  • Right to data portability.


(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data by us:

The Bavarian State Commissioner for Data Protection
Dr. Thomas Petri
PO Box 22 12 19
80502 Munich
or:
Wagmüllerstrasse 18
80538 Munich
This email address is being protected from spambots. You need JavaScript enabled to view it.
https://www.datenschutz-bayern.de/

3. Hosting

(1) The hosting services used by us serve to provide the following services: Web hosting, web design, Joomla CMS administration and update, monthly backups of the website.

(2) In doing so, we or our hosting provider the sketch.media GmbH process IP addresses of the website visitors as well as e-mail addresses of the newsletter subscribers on the basis of our legitimate interests in an efficient and secure provision of this online offer in accordance with Art. 6 para. 1 lit. f GDPR in conjunction with Art. 28 GDPR (conclusion of contract processing agreement).

4. Accessing the website

(1) In the case of purely informational use of the website, i.e. if you do not register or otherwise provide us with information, we only collect the personal data that your browser sends to our server. If you wish to view our website, we collect the following data, which is technically necessary for us to display our website and to ensure its stability and security

  • IP address
  • Date and time of the request
  • Time zone difference to Greenwich Mean Time (GMT)
  • Content of the request (concrete page)
  • Access status/HTTP status code
  • Amount of data transmitted in each case
  • Website from which the request comes
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.


We collect and store this data for a limited period of time due to our legitimate interest, in order to initiate a derivation to personal data in case of unauthorized access or attempted access to local servers (Art. 6 para. 1 lit. f GDPR).

5. Use of cookies

(1) In addition to the data mentioned above, cookies are stored on your computer when you use our website. Cookies are small text files that are stored on your hard disk, assigned to the browser you are using, and through which certain information flows to the site that sets the cookie (here by us). They serve to make the Internet offer altogether more user-friendly and effective.

(2) When you use our website, a single type of cookie is stored on your computer: essential cookies, without which the functionality of our website would not be guaranteed and are therefore necessary. Optional cookies for the purposes of website analysis or for personalisation for which your consent would be required in accordance with Art. 6 para. 1 lit. a GDPR are not set.

(3) The legal basis for the processing of cookie data is Art. 6 para. 1 lit. f GDPR insofar as the technical functionality of the website depends on these cookies, as this is in the particular interest of our company.

(4) You can also change the use of cookies by adjusting your browser software accordingly.

6. Use of Matomo

(1) This website uses the web analysis service Matomo to analyse and regularly improve the use of our website. With the statistics obtained we can improve our offer and make it more interesting for you as user. The legal basis for the use of Matomo is Art. 6 para. 1 lit. a GDPR.

(2) This website uses Matomo with the extension "AnonymizeIP". This means that IP addresses are processed in a shortened form, a direct personal reference can be excluded. The IP address transmitted by your browser via Matomo is not merged with other data collected by us.

(3) The program Matomo is an open source project. Information of the third party provider on data protection can be found at https://matomo.org/privacy-policy/.

(4) The information about your visitor behaviour is not transferred to third parties. No cookies are used and the IP address is only stored anonymously. Nevertheless, we would like to offer you the possibility to decide against this tracking:

7. Integration of YouTube videos

(1) We have integrated YouTube videos into our online offer, which are stored at http://www.YouTube.com and can be played directly from our website. These are all integrated in "extended data protection mode", i.e. no data about you as a user is transferred to YouTube if you do not play the videos. Only when you give your consent and play the videos will the data mentioned in paragraph 2 be transferred. We have no influence on this data transfer.

(2) By visiting the website, YouTube receives the information that you have called up the corresponding subpage of our website. In addition, the data mentioned in paragraph 3 of this declaration will be transmitted. This occurs regardless of whether YouTube provides a user account through which you are logged in or whether no user account exists. If you are logged in at Google, your data will be assigned directly to your account. If you don't want your profile to be associated with YouTube, you must log out before activating the button. YouTube stores your data as user profiles and uses them for purposes of advertising, market research and/or demand-oriented design of its website. Such evaluation is carried out in particular (even for users who are not logged in) for the purpose of providing needs-based advertising and to inform other users of the social network about your activities on our website. You have a right of objection to the creation of these user profiles, whereby you must contact YouTube in order to exercise this right. The legal basis for the use of YouTube is Art. 6 para. 1 lit. a GDPR.

(3) Information from the third party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

(4) You may also change the use of cookies by changing the settings of your browser software or in the cookie settings.

(5) Further information on the purpose and scope of data collection and its processing by the Provider can be found in the Provider's data protection declarations. There you will also find further information on your rights in this regard and setting options for protecting your privacy: http://www.google.de/intl/de/policies/privacy.

8. Integration of OpenStreetMaps

(1) On this website we use the services of OpenStreetMaps. Provider is the OpenStreetMap Foundation. This allows us to display interactive maps directly on the website and enables you to use the map function conveniently. Only when you give your consent and click on the maps will the data mentioned in paragraph 2 be transferred. We have no influence on this data transfer.

(2) The use of OpenStreetMap is in the interest of an attractive presentation of our online offers and easy findability of the locations we indicate on the website. The legal basis for the use of OpenStreetMaps is Art. 6 para. 1 lit. a GDPR.

(3) Information from the third party provider: OpenStreetMap Foundation, St John's Innovation Center, Cowley Road, Cambridge, CB4 0WS, United Kingdom.

(4) Further information on the purpose and scope of data collection and its processing by the Provider can be found in the Provider's data protection declarations. There you will also find further information on your rights in this regard and setting options for protecting your privacy: https://wiki.osmfoundation.org/wiki/Privacy_Policy.

9. Newsletter

(1) With your consent, you can subscribe to our newsletter, with which we will inform you about our menu and any other current offers.

(2) For the registration to our newsletter we use the so-called double opt-in procedure. This means that after your registration, we will send you an e-mail to the e-mail address provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration within 24 hours, your information will be blocked and automatically deleted after one month. In addition, we store your IP address and the time of registration and confirmation. The purpose of this procedure is to be able to prove your registration and, if necessary, to clarify any possible misuse of your personal data.

(3) Your e-mail address is the only mandatory information for sending the newsletter. The provision of further, separately marked data is voluntary. After your confirmation we will save your e-mail address for the purpose of sending the newsletter. The legal basis is Art. 6 para. 1 lit. a GDPR.

(4) You can revoke your consent to receive the newsletter at any time and unsubscribe from the newsletter. You can revoke your consent by clicking on the link provided in each newsletter e-mail, or by clicking on "unsubscribe" at the end of the registration form at https://www.stwno.de/de/home/newsletter.

10. Online presence in social media

We maintain online presences within social networks in order to inform the users active there about our services and, if interested, to communicate directly via the platforms.

All our social media channels can only be accessed by visitors to the website via an external link. We do not use any plug-ins or other interfaces on our website that offer the respective networks for embedding the offers on websites.

We have no influence on the data collection and its further use by the social networks. For example, we have no knowledge of the extent to which, where and for how long the data is stored, the extent to which the networks comply with existing deletion obligations, which evaluations and links are made with the data and to whom the data is passed on. We therefore expressly draw attention to the fact that user data (e.g. personal information, IP address) is stored and used for business purposes by the operators of the networks in accordance with their data use guidelines.

We process the data of the users in the social media presences insofar as they contact and communicate with us via comments or direct messages, for example.
The legal basis for the processing of user data is Art. 6 para. 1 lit. b and f GDPR.

a) Twitter

Within our online offer no functions and contents of the service Twitter, offered by Twitter Inc., 795 Folsom Street, Suite600, San Francisco, CA 94107 or 1355 Market Street, Suite 900, San Francisco, CA 94103, USA, are integrated. The Twitter channels are only accessible via an external link.

If visitors to the website are members of the Twitter platform, Twitter can assign the access to the social media channel to the user's profile if the user visits our Twitter profile while logged in. Twitter is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.

We would like to point out that we have no influence on the content, extent of use, of the data collected by Twitter Inc. For further information in this regard we refer to the pages of Twitter Inc. at: http://twitter.com/privacy. Furthermore, we would like to point out that you can make appropriate changes to your Twitter account to protect your privacy.

b) LinkedIn

No functions and contents of the service LinkedIn, offered by 1000 W Maude, Sunnyvale, CA 94085, USA, are integrated within our online offer. The LinkedIn channels are only accessible via an external link.

If visitors to our website are members of the LinkedIn platform, LinkedIn can assign the call to the social media channel to the user's profile there if the user visits the LinkedIn profile while logged in.

We would like to point out that we have no influence on the content, scope of use of the data collected by LinkedIn. For further information in this regard, please refer to LinkedIn's privacy policy.

c) Facebook

You can access the social media network Facebook via external links on our website. All functions in the social media network are offered by Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA. The Facebook channels are only accessible via an external link.

If you are logged in to Facebook with your own profile and access our social media channel, Facebook can assign your visit to your logged in profile. If you do not want your account to be assigned to your IP address, please log out of your Facebook account prior to using our website.

For further information on the processing of your data, we refer you to the Facebook privacy policy: https://facebook.com/privacy/explanation.

d) Instagram

You can access the Instagram social media network via external links on our website. All social media network features are provided by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The Instagram channels are only accessible via an external link.

If you are logged in to Instagram with your own profile and access our social media channel, Instagram can associate your visit with your logged in profile. If you do not wish to have your account associated with your IP address, please log out of your Instagram account prior to using our site.

For more information on how your data is processed, please refer to Instagram's Privacy Policy: https://help.instagram.com/155833707900388.

11. Privacy policy Facebook/Instagram Fanpage

The Studentenwerk Niederbayern/Oberpfalz operates online presences on Facebook and Instagram, so-called Facebook or Instagram Fanpages. The following additional information on data processing applies to visits to our fan pages. Information on data protection on Facebook and Instagram in general can be found here.

Note: Facebook and Instagram fan pages are referred to in the following only as "Facebook fan pages". The information for Facebook applies analogously to Instagram.

11.1 Joint responsibility, contact data, company data protection officer

We are jointly responsible with Facebook for the operation of our Facebook fan page in accordance with Art. 26 GDPR. To this end, we have concluded an agreement with Facebook to determine who fulfils which obligations with regard to data protection. This agreement can be viewed here. According to this agreement, Facebook is primarily responsible for providing the person concerned with information on joint processing and enabling him or her to exercise their data protection rights. Regardless of this, we hereby inform you about your visit to our fan page.

The contact details of the Studentenwerk Niederbayern/Oberpfalz and the contact details of the data protection officer can be found above.

You can reach Facebook at
Facebook Ireland Ltd.
4 Grand Canal Square,
Grand Canal Harbour,
Dublin 2, Ireland
Online you can reach Facebook here.

You can reach the data protection officer of Facebook at
https://www.facebook.com/help/contact/540977946302970.

11.2 Collection and storage of personal data as well as type and purpose and their use

a. Data collected by Facebook:

If you are a Facebook user, Facebook collects the information described in the Facebook Data Policy under "What kinds of information do we collect?” If you are not a Facebook user, cookies, small text files with identifiers, may still be stored in your browser, which allow tracking of your user behavior.

As a rule, when you visit Facebook, the user data is also processed by Facebook for market research and advertising purposes. On the basis of user behavior (also when visiting our fan page) complex user profiles are created, which Facebook can use to display personalized advertisements to the visitor inside and outside of Facebook. You can also find more detailed information on this in the Facebook data policy.

If you do not agree with this, you can object here (opt-out).

b. Data used by us ("Page Insights") and legal basis:

Facebook provides us with statistics and usage data that we can use to analyze the use of our fan page (so-called "Page-Insights"). This enables us to continuously improve our Facebook offer. We as operators do not make any decisions regarding the processing of Insights data and all other information resulting from Art. 13 GDPR, such as the storage period of cookies on user terminals. The primary responsibility in accordance with the GDPR for the processing of Insights data lies with Facebook and Facebook fulfils all obligations under the GDPR with regard to the processing of Insights data.

We as site administrators have no other option, not even via user tracking, to evaluate user behaviour on our fan page. It is also generally not possible for us to identify the visitor of the fan page by means of the page Insights. In particular, according to the agreement, we have no right to require Facebook to disclose individual visitor data. We can only identify a visitor if we can assign individual profile pictures to "I like” information for the Page, but only if our fan page has been marked "I like”" by the respective visitor and the "I like”" information is set to "public".

You can find out what information Facebook uses to create the Page Insights here.

The operation of the Faceboook fan page and the use of the Page-Insights serve our legitimate interest in an effective external presentation and efficient communication with our customers and interested parties. This interest justifies the operation of the page both against the legitimate interests of Facebook users, as well as against visitors to our fan page who do not have a Facebook account. The legal basis is accordingly Art. 6 para. 1 sentence 1 lit. f) GDPR.

11.3 Transfer of data to third parties

Data collected by Facebook is exchanged and processed within the entire Facebook group. For example, the Facebook group also includes Instagram, WhatsApp and Oculus. For example, information collected through Facebook is used to display personalized advertising to users on Instagram, or information from WhatsApp is used to take action against accounts that send spam through WhatsApp on Facebook. This information can be found in the Facebook Data Policy under "How does the Facebook Companies work together?”

When Facebook processes data, user data may be transferred outside the European Economic Area (EEA), particularly the United States. Facebook has therefore submitted to the EU-US privacy shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.

11.4 Right of objection

If your personal data are processed on the basis of legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, you have the right to object to the processing of your personal data pursuant to Art. 21 GDPR, if there are reasons for doing so that arise from your particular situation or if the objection is directed against direct advertising. In the latter case, you have a general right of objection, which will be implemented by us without indicating a special situation. If you wish to exercise your right of revocation or objection, simply send an e-mail to This email address is being protected from spambots. You need JavaScript enabled to view it..

11.5 Rights of data subjects

You have the right to revoke your consent to us at any time. As a result, we may not continue the data processing based on this consent in the future. In addition, you have the right to information in accordance with Art. 15 GDPR, the right to correction in accordance with Art. 16 GDPR, the right to deletion in accordance with Art. 17 GDPR, the right to restriction of processing in accordance with Art. 18 GDPR, and the right to data transferability in accordance with Art. 21 GDPR. There is also a right of appeal to a competent data protection supervisory authority (Art. 77 GDPR).

In principle, you can assert your rights as a data subject both against Facebook and against us. Since only Facebook has direct access to your user data, you can most effectively assert your rights of data subjects against Facebook.

12. Agreement on the processing of personal data of international tenants in joint responsibility with the International Offices of the universities and universities of applied sciences

The Studentenwerk Niederbayern/Oberpfalz together with the International Offices of the Universität Regensburg (U), the Ostbayerische Technische Hochschule Regensburg (OTH Regensburg), the Hochschule für angewandte Wissenschaften Landshut (Hochschule Landshut) and the Technische Hochschule Deggendorf (TH Deggendorf) –  hereinafter only referred to as "Universities" – have concluded an agreement on the processing of personal data in joint responsibility according to Art. 26 GDPR. In the following we will inform you about the essential contents of this agreement:

12.1 Joint responsibility, contact details, data protection officer:

The contact details of the Studentenwerk Niederbayern/Oberpfalz as well as the contact details of the data protection officer can be found above.

You can reach the Universität Regensburg at
Universität Regensburg
Universitätsstraße 31
93053 Regensburg

You can reach the data protection officer of the Universität Regensburg at:
Susanne Stingl
Data protection officer of Universität Regensburg
Landshuter Straße 4
93047 Regensburg
Tel: +49 (0)941/943 5376
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

You can reach the OTH Regensburg at
Ostbayerische Technische Hochschule Regensburg
Prüfeninger Straße 58
93049 Regensburg

You can reach the data protection officer of the OTH Regensburg at
Hans Buberger
Data protection officer of OTH Regensburg
Prüfeninger Straße 58
93049 Regensburg
Tel: + 49 (0)941/943 02
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

You can reach the Hochschule Landshut at
Hochschule für angewandte Wissenschaften Landshut
Am Lurzenhof 1
84036 Landshut

You can reach the data protection officer of the Hochschule Landshut at
Dr. Ulrich Möncke
Data protection Officer of Hochschule Landshut
Am Lurzenhof 1
84036 Landshut
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

You can reach the TH Deggendorf at
Technische Hochschule Deggendorf
Dieter-Görlitz-Platz 1
94469 Deggendorf

You can reach the data protection officer of TH Deggendorf at
Prof. Dr. Sascha Kreiskott
Data protection officer of TH Deggendorf
Dieter-Görlitz-Platz 1
94469 Deggendorf
E-mail: This email address is being protected from spambots. You need JavaScript enabled to view it.

12.2 Collection and storage of personal data as well as type and purpose and their use

Personal data is processed for the purpose of renting out the accommodation. The legal basis for the processing of personal data by the universities and the Studentenwerk Niederbayern/Oberpfalz is Art. 6 para. 1 letter b GDPR, namely the initiation and execution of a rental contract for housing. Processing of this personal data is the joint responsibility of the universities and the Studentenwerk Niederbayern/Oberpfalz in accordance with Art. 26 GDPR.

Your personal data will be collected directly from you by the university and passed on to the Studentenwerk Niederbayern/Oberpfalz for the common purpose of renting accommodation. The universities comply with the obligation to inform when personal data is collected from the person concerned in accordance with Art. 13 GDPR.

Furthermore, the Studentenwerk Niederbayern/Oberpfalz and the universities are responsible for the following processing:

Studentenwerk Niederbayern/Oberpfalz

a. Processing of personal data for the preparation of rental contracts
b. Storage of personal data for the duration of the tenancy and beyond, as far as legal regulations require it
c. Communication with tenants in the form of tenant information
d. Communication of processed data with the universities during and until complete settlement of the tenancy (information exchange)

The following personal data are processed for the purpose of concluding a rental agreement:

  • Name and first name
  • Postcode, town, street and house number in the home country
  • E-mail address
  • Date of birth
  • Gender
  • Nationality
  • Rental start and end (period of stay)
  • Program (these can be indicated during the online application)


Universität Regensburg


a. Collection of personal data from the tenant

  • First and last name(s), maiden name (if applicable)
  • Date of birth
  • Place of birth
  • Gender
  • Nationality(-ies)
  • Home address
  • Course of studies
  • E-mail address
  • Phone number(s)
  • Period of stay at UR
  • Amount of financial resources available each month for living expenses
  • special needs placed on the living space (if applicable)


b. Passing on personal data to the Studentenwerk Niederbayern/Oberpfalz, insofar as it is necessary for the preparation of tenancy agreements and the administration of the tenancy
c. Communication of processed data with the Studentenwerk Niederbayern/Oberpfalz during and until complete settlement of the tenancy (exchange of information)

Data that is forwarded to the Studentenwerk Niederbayern/Oberpfalz for the rental contract:

  • First and last name(s), maiden name (if applicable)
  • Date of birth
  • Gender
  • marital status (if applicable), moving spouse, number of children
  • Nationality(-ies)
  • Home address
  • Course of studies
  • E-mail address
  • physical impairment (if applicable)
  • Period of stay (rental period)


OTH Regensburg


a. Collection of personal data from the tenant

  • Name and first name
  • Date of birth
  • Place of birth
  • Gender
  • Nationality
  • Home address
  • Course of studies
  • E-mail address
  • Phone number
  • Period of stay
  • Amount of financial resources available each month for living expenses.


b. Passing on personal data to the Studentenwerk Niederbayern/Oberpfalz, insofar as it is necessary for the preparation of tenancy agreements and the administration of the tenancy
c. Communication of processed data with the Studentenwerk Niederbayern/Oberpfalz during and until complete settlement of the tenancy (exchange of information)

Data that is forwarded to the Studentenwerk Niederbayern/Oberpfalz for the rental contract:

  • First and last name
  • Date of birth
  • Place of birth
  • Gender
  • Nationality
  • Home address
  • Course of studies
  • E-mail address
  • Phone number
  • Period of stay


Hochschule Landshut


a. Collection of personal data by filling in the application form
b. Passing on personal data to the Studentenwerk Niederbayern/Oberpfalz, insofar as it is necessary for the preparation of tenancy agreements and the administration of the tenancy
c. Communication of processed data with the Studentenwerk Niederbayern/Oberpfalz during and until complete settlement of the tenancy (exchange of information)

Data that is forwarded to the Studentenwerk Niederbayern/Oberpfalz for the rental contract:

  • First and last name
  • Postcode, town, street and house number in the home country
  • E-mail address
  • Date of birth
  • Gender
  • Nationality
  • Rental start and end (period of stay)
  • Program
  • Accommodation request (street name of the student residence)


TH Deggendorf


a. Collection of personal data from Mobility Online (online application platform) or personally from the tenant
b. Passing on personal data to the Studentenwerk Niederbayern/Oberpfalz, insofar as it is necessary for the preparation of tenancy agreements and the administration of the tenancy
c. Communication of processed data with the Studentenwerk Niederbayern/Oberpfalz during and until complete settlement of the tenancy (exchange of information)

Data that is forwarded to the Studentenwerk Niederbayern/Oberpfalz for the rental contract:

  • First and last name
  • Gender
  • Date of birth
  • Nationality
  • E-mail address
  • Address in home country


With the termination of the rental agreement, the following data will also be forwarded to the Studentenwerk Niederbayern/Oberpfalz:

  • Phone number
  • New address
  • E-mail address for deposit refund with PayPal
  • Bank details


12.3 Rights of international tenants


Both the Studentenwerk Niederbayern/Oberpfalz and the universities take the technical and organisational measures to ensure that the rights of the persons concerned according to Chapter III of the GDPR (information, disclosure, correction and deletion, data transferability, objection, as well as automated decision-making in individual cases) can be fulfilled at any time within the legal deadlines.

The Studentenwerk Niederbayern/Oberpfalz and the universities commit themselves to fulfilling the rights of the data subjects for their respective processing operations. In order to exercise their rights as data subjects, the international tenants may contact both the Studentenwerk Niederbayern/Oberpfalz and the universities.

13. Data Protection Declaration for the Bridging Assistance of the Federal Ministry of Education and Research (BMBF) for Students in Pandemic Emergency Situations

The Federal Ministry of Education and Research (BMBF) provides a bridging aid for students in pandemic-related emergencies (bridging aid). The Studentenwerke are responsible for examining applications and allocating funds. The Deutsches Studentenwerk (DSW) provides support and project coordination measures to ensure rapid project implementation throughout Germany. The Studentenwerke have concluded a framework agreement with the DSW that regulates the data protection aspect of the processing of personal data. You can find the detailed data protection statement for the "Überbrückungshilfe" project here: https://www.studierenden-nothilfe.de/ppde.php

13.1 Responsibility, contact details, data protection officer

Responsible for processing personal data is the Studentenwerk/Studierendenwerk responsible for the student(s), in this case the Studentenwerk Niederbayern/Oberpfalz.

You can find the contact information of the Studentenwerk Niederbayern/Oberpfalz and the contact details of the data protection officer above.

13.2 Purpose of processing

The purpose of the processing is the implementation of bridging assistance for students in pandemic emergency situations (collection, processing of applications, payment, verification, statistical analysis).

13.3 Legal basis

The legal basis for this processing is the consent of the applicant pursuant to Art. 6 para. 1 letter a GDPR. The processing is also carried out on the basis of Art. 6 para. 1 letter e GDPR in connection with the legally assigned task of the Studentenwerk/Studierendenwerk for the social advancement of students. A further legal basis for the processing may be a contract pursuant to Art. 6 Para. 1 lit. b GDPR. Processing for the fulfilment of legal obligations (e.g. bookkeeping obligations, obligations to provide evidence) is also carried out on the basis of Art. 6 Para. 1 lit. c GDPR.

The transfer of data to the German Centre for Research on Higher Education and Science (DZHW) for the purpose of conducting the survey of applicants is based on their consent.

Finally, we also process data to protect our legitimate interests or those of a third party in accordance with Art. 6 para. 1 lit. f GDPR. These consist, for example, in optimising our administrative activities by external hosting and in safeguarding IT security.

13.4 Recipient of personal data

Within the Studentenwerk/Studierendenwerk, the clerks responsible for processing applications receive the necessary data. In addition, employees of the accounting, auditing, and IT departments have access to this data in the course of their duties.

The external recipients of data are the offices that are called in for the payment of emergency aid, usually banks.

Another external recipient is the Deutsches Studentenwerk e.V., which commissions and centrally coordinates the programming and hosting.

In addition, the Federal Ministry of Education and Research is also a recipient, insofar as sovereign tasks have to be fulfilled. Recipients can also be the federal and state audit offices.

If consent is given to participate in the DZHW survey, the DZHW will receive the e-mail address and name of the applicant.

Other external recipients of the data are software developers, hosters and other IT service providers within the narrow scope of their contractual duties. Contractual arrangements have been made with these recipients which serve to protect personal data. In the case of recipients in third countries, there are guarantees to protect the rights and freedoms in accordance with Art. 44 ff GDPR.

These include:

NETQUES . daten und diagnostik GmbH, Wuppertal (software development and hosting)
and their subcontractors:

Digital Ocean
We use the cloud provider "Digital Ocean", 101 Ave of the Americas 10th Floor New York 10013, USA. The server location is Frankfurt am Main, Germany. A contract processing agreement was concluded with Digital Ocean. Digital Ocean is also subject to the EU-US Privacy Shield Agreement. For more information about Digital Ocean's data security, please visit https://www.digitalocean.com/security/.

Google reCAPTCHA
On this website we use the reCAPTCHA feature of Google Ireland Limited, Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland ("Google"). This function is mainly used to distinguish whether an entry is made by a natural person or abusively by machine and automated processing. The service includes the sending of the IP address and any other data required for the reCAPTCHA service to Google and is carried out in accordance with Art. 6 para. 1 lit. f GDPR on the basis of our legitimate interest in avoiding misuse and spam. The use of Google reCAPTCHA may also involve the transmission of personal data to the servers of Google LLC. in the USA.

In the event that personal data is transferred to Google LLC. based in the USA, Google LLC. has certified itself for the us-European data protection agreement "Privacy Shield", which guarantees compliance with the level of data protection applicable in the EU. A current certificate can be viewed here: https://www.privacyshield.gov/. Further information about Google reCAPTCHA and Google's privacy policy can be found at: https://www.google.com/intl/de/policies/privacy/.

Mailgun
The e-mails for the sign-up on the application form are sent via "Mailgun", an e-mail dispatch platform of the US provider Mailgun Technologies, Inc., 535 Mission St., San Francisco, CA 94105. The provider is certified as Privacy-Shield certified (https://www.privacyshield.gov/participant?id=a2zt0000000PCbmAAG&status=Active), which covers compliance with the DS- GMO as well as all other data protection laws or regulations of a data protection nature applicable in the member states of the EU. Further information on data processing by the provider can be found at https://www.mailgun.com/privacy-policy.

Clicksend
This website uses Clicksend [PO Box 867, Canning Bridge, Applecross WA 6151 Australia 8/34 Charles St, South Perth, WA 6151] to send personal tokens for final submission of the application form via SMS services of the provider Clicksend [PO Box 867, Canning Bridge, Applecross WA 6151 Australia 8/34 Charles St, South Perth, WA 6151]. Further information on data protection can be found at: https://www.clicksend.com/de/legal/gdpr-dps/. The data exchange is based on a standard contract.

Google Fonts
In our internet presence we use Google Fonts to display external fonts. This is a service of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, hereinafter referred to as "Google" only. Through the certification according to the EU-US Privacy Shield, Google commits itself to comply with the data protection requirements of the EU also when processing data in the USA. To enable the display of certain fonts on our website, a connection to the Google server in the USA is established when our website is called up. The integration of these web fonts is done by a server call, usually a Google server in the USA. This transfers to the server which of our Internet pages you have visited. The IP address of the browser of the end device of the visitor to this website is also saved by Google. You will find more detailed information in the Google data protection information, which you can download here: www.google.com/fonts#AboutPlace:about www.google.com/fonts#AboutPlace:about, www.google.com/policies/privacy/Google.

13.5 Data storage and minimization

The personal data will only be stored for as long as they are needed for the purpose of the processing and the retention periods have not yet expired. In the case of contracts, the statutory retention period is six years; in the case of tax-relevant documents, the retention period can be ten years.

If a given consent is revoked in whole or in part, the data covered by it will be deleted immediately, unless it may or must continue to be stored for another legal reason.

13.6 Rights of affected persons

Data subjects have the following rights in relation to data concerning them:

  • The right of access to their data in accordance with Art. 15 GDPR,
  • the right of rectification under Art. 16 GDPR,
  • the right to deletion in accordance with Art. 17 GDPR and to restriction of processing in accordance with Art. 18 GDPR, provided that the legal requirements for this are met,
  • the right to data transferability according to Art. 20 GDPR,
  • the right to object to the processing pursuant to Art. 21 GDPR,
  • the right to appeal to a data protection supervisory authority under Art. 77 GDPR.


In addition, pursuant to Art. 7 para. 3 GDPR, data subjects have the right to revoke any consent given at any time with effect for the future. Revocation of consent does not affect the lawfulness of the processing that has taken place on the basis of the consent until revocation.

14. Booking of rehearsal rooms, workshop and projects for cultural promotion

The Studentenwerk Niederbayern/Oberpfalz provides booking systems on its website for the allocation of rehearsal times and rehearsal rooms, for the registration of workshops and for cultural projects. The processing of personal data is necessary for the receipt of cultural promotion services from the Studentenwerk Niederbayern/Oberpfalz (= purpose of processing).

14.1 Type of personal data

The following personal data are required to fulfill this purpose: surname, first name, email address, street and house number, zip code, place of residence, country, telephone number, matriculation number.

14.2 Legal Basis

The processing of personal data takes place on a voluntary basis. Legal basis: Art. 6 Para. 1 lit. a GDPR / Bayerisches Hochschulgesetz Art. 88.

14.3 Recipients of the personal data

Internally, only those persons who are involved in the intended processing have access to the data, in this case the employees of the cultural promotion department of the Studentenwerk Niederbayern/Oberpfalz. The data will not be passed on to a third country or to international organizations.

14.4 Duration of storage of personal data

The Studentenwerk deletes all personal data after the necessary reasons for use or the legal proof purposes for storage have ceased to exist (Art. 1 Para. 3 lit. b GDPR). In the case of payment transactions, the storage period can be up to ten years.

14.5 Automated decision-making including profiling

There is no automated decision-making including profiling.

14.6 Data Subject Rights

Consenters have the right to withdraw their consent at any time without affecting the legality of the processing carried out on the basis of the consent up to the point of withdrawal. In this case, data is no longer used again.

In addition, data subjects have the right to information about their data as well as to correction, deletion and restriction of processing; There is also a right to object to processing, the right to data portability and the right to lodge a complaint with a supervisory authority.

The data subject's rights, including the right of withdrawal, can be asserted with the data protection officer by e-mail or by letter (contact see above).

15. establishment of an internal reporting office and reporting of violations under the Whistleblower Protection Act (Hinweisgeberschutzgesetz)

15.1 Purposes of the processing of personal data

The Whistleblower Protection Act (HinSchG for short), which came into force on 02.07.2023, regulates the process for reporting violations that have far-reaching consequences for other persons and the Studentenwerk Niederbayern/Oberpfalz. Persons who have observed a violation of a law or an internal regulation (= whistleblower) have the opportunity to report this in an uncomplicated and confidential manner by setting up an internal reporting office. The internal reporting office receives, checks and processes reports of such violations. With reference to the statutory purposes, the following purposes can be stated for processing

These purposes can be named:

  • Establishment & operation of reporting channels (Section 16 HinSchG)
  • Documentation of reports from whistleblowers (Section 11 HinSchG)
  • Confirmation of receipt to whistleblowers (Section 17 para. 1 no. 1 HinSchG)
  • Examination of reports from whistleblowers with regard to the material scope of application (Section 17 para. 1 no. 2 HinSchG)
  • Checking the validity of reports (Section 17 para. 1 no. 4 HinSchG)
  • Communication with whistleblowers (Section 17 para. 1 no. 3 HinSchG)
  • Implementation of follow-up measures (Section 18 HinSchG)
  • Feedback to whistleblowers (Section 17 (2) HinSchG)


15.2 Type of personal data

Reports to the internal reporting office can generally be made anonymously. In this case, no personal data will be collected. If the whistleblower reports a violation by letter or telephone and wishes to receive feedback on the processing of a reported violation, contact details, e.g. first name, surname, (business) e-mail address or (business) telephone number of the internal reporting office must be provided. Via the whistleblower portal set up on the website of the Studentenwerk Niederbayern/Oberpfalz, feedback can be provided by the internal reporting office entirely without the collection of contact details, i.e. anonymously.

15.3 Legal basis

The processing of personal data is based on the fulfillment of a legal obligation to which the controller is subject (HinSchG, Art. 6 para. 1 lit. c GDPR).

15.4 Recipients of the personal data

Internally, only those persons have access to the data who are involved in the intended processing, in this case the employees of the internal reporting office of the Studentenwerk Niederbayern/Oberpfalz: the Head of Internal Audit/Risk Management/IT Security and the Data Protection Officer.

15.5 Storage period of personal data

The documentation of the reported violations will be deleted by the data protection officer three years after completion of the procedure. The documentation may be retained for longer in order to comply with the requirements of this Act or other legislation, as long as this is necessary and proportionate (Section 11 (5) HinSchG).

15.6 Automated decision-making including profiling

There is no automated decision-making including profiling.

15.7 Rights of data subjects

Data subjects have the right to withdraw their consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. In this case, data will no longer be reused.

In addition, data subjects have the right to information about their data and to rectification, erasure and restriction of processing; they also have the right to object to processing, the right to data portability and the right to lodge a complaint with a supervisory authority.

The rights of data subjects, including the right of revocation, can be asserted with the data protection officer by e-mail or letter (see above for contact details).


Privacy Policy Studentenwerk Niederbayern/Oberpfalz, Version 2.5 from November 29th 2023.