
Data Protection Officer

The Data Protection Officer (DPO) supports and advises Schmalkalden University of Applied Sciences (SUAS) in ensuring data protection.


What are the tasks of the Data Protection Officer?

The tasks of the DPO at Schmalkalden University of Applied Sciences include in particular:

  • Processing of personal data: The Data Protection Officer assists the controller in implementing data protection measures for the processing of personal data.
  • Advice, information and monitoring: The Data Protection Officer advises the Authority on the implementation of and compliance with data protection laws (e.g. the EU General Data Protection Regulation, the German Federal Data Protection Act, the Thuringian Data Protection Act and the Thuringian Higher Education Act) and monitors compliance with data protection guidelines and procedures.
  • Contact person: The DPO is the contact person for all university members in matters of data protection.
  • Data protection impact assessment: The DPO carries out an impact assessment in order to identify and minimise risks to individuals' data protection rights.
  • Training: The DPO trains the Authority's staff on data protection laws and procedures.
  • Cooperation with supervisory authorities: The Data Protection Officer cooperates with supervisory authorities and informs them of breaches of data protection laws or procedures.
  • Data Breaches: The DPO is responsible for monitoring and reporting data breaches and assists the Authority in preparing reports on breaches.
  • Documentation: The DPO keeps a record of processing activities in which all processing of personal data is recorded.
  • Network: The DPO represents SUAS in the Working Group of Data Protection Officers of Thuringian Universities.
  • Teaching: The DPO teaches data protection in relevant (interdisciplinary) courses.


What is personal data?

Personal data is information relating to an identified or identifiable natural person. An identified person is one who can be identified, directly or indirectly, for example by a name, matriculation number, location data or online identifiers such as IP addresses or cookies. An identifiable individual is one who can be identified by combining information that is available either alone or in combination with other information.


What does the right to informational self-determination involve?

The fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data, are derived from the general right of personality, which is enshrined in Art. 2 (1) in conjunction with Art. 1 (1) of the German Basic Law. In its case law, the Federal Constitutional Court has repeatedly affirmed this right to informational self-determination and emphasized its importance. In the EU Charter of Fundamental Rights, the right to the protection of personal data is set out in Art. 8 (1). Although the term "informational self-determination" is not explicitly mentioned in the EU Charter of Fundamental Rights, it is often used as a synonym for the right to the protection of personal data.

Informational self-determination refers to the right of a person to decide for himself when, how and to what extent personal data is collected, processed, used and passed on.

The right to informational self-determination includes the following aspects:

  • Informational self-determination: The right of a person to decide for himself which personal data about him is collected, processed and used.
  • Transparency: The right to be informed about what personal data is stored about an individual and who has access to it.
  • Purpose limitation: The right to have personal data used only for the purpose for which it was collected.
  • Right to rectification and erasure: The right of an individual to have inaccurate or incomplete personal data corrected or deleted.
  • Data economy: The principle that personal data may only be collected and processed to the extent necessary for the respective purpose.
  • Data security: The obligation to adequately protect personal data to prevent its loss, misuse or unauthorized disclosure.

The right to informational self-determination is important to ensure the privacy and protection of individuals' personal data and to allow a balance to be struck between the interests of individuals and those of data processors and users.


What special features apply to Thuringian universities?

§ 11 Thuringian Higher Education Act (ThürHG)

'Processing and use of personal data

(1) The university may process and use personal data of its members and relatives, its applicants and examination candidates, insofar as this is necessary for

1. access to studies and the implementation of studies and further education as well as admission to examinations, doctoral studies or habilitation,

2. the evaluation of research and teaching and art according to § 9,

3. the higher education development planning of the Land, the framework agreements pursuant to § 12 (1) with the higher education institutions and the associated target and performance agreements pursuant to § 13 (1), the structural and development planning of the universities, the evaluation of the work of the universities in research and teaching and the promotion of young scientists,

4. performance evaluations for internal university funding allocation and management,

5. the fulfilment of assigned tasks or tasks of academic self-administration,

6. the implementation of the gender equality and diversity mandate,

7. the use of facilities of the university as well as

8. the fulfilment of tasks within the framework of higher education statistics and other statistical purposes.

(2) Members and affiliates of higher education institutions, applicants and examination candidates are obliged to provide their personal data insofar as this is necessary for the fulfilment of the tasks referred to in paragraph 1.

(3) Authorities which conduct state examinations pursuant to Section 54 (1) shall be obliged to transmit to the university the personal data required to fulfil its tasks pursuant to subsection (1) for task-related processing. The university may process data transmitted to it for the reasons stated in paragraph 1 nos. 1, 2 and 7, insofar as this is necessary to achieve the purpose of the transmission.

(4) The universities may process and use personal data of their former members and relatives insofar as this is necessary for the purpose of the survey within the framework of quality assurance and evaluations according to § 9 or for maintaining the relationship with these persons and these do not object. Respondents must be informed of the voluntary nature of their information and their possibility of objecting.

(5) Details of the processing and use of the data referred to in paragraphs 1 and 4, in particular of the facts to be recorded and the group of persons to be interviewed, shall be determined by the Ministry by ordinance.

(6) Higher education institutions may, by statute, establish an obligation for their members and affiliates to use mobile data carriers which are used for automated data processing, in particular for the purposes of access control, identity verification, time recording, billing or payment.'