HomePrivacy policy of the University of Liechtenstein

Privacy policy of the University of Liechtenstein

(Status May 27, 2024)

1. What is this privacy policy about?

"Personal data" is any information that can be associated with a specific person, and "process" means any handling of it, e.g. collection, use and disclosure. We therefore process personal data very often. We explain in this privacy statement how we do this in the context of our legal duties and in particular in relation to our website. If you would like more information about our data processing, please contact us (section 2).

2. Who is responsible for processing your data?

The University of Liechtenstein is the "data controller", i.e. the primary data protection authority (also "we") for data processing under this privacy policy. Our address is as follows:

Universität Liechtenstein (Foundation under public law)
9490 Vaduz Liechtenstein

E-Mail: info@uni.li
Tel.: 00423 265 11 11

If you have any questions about data protection, you can also contact our data protection officer by e-mail at datenschutz@uni.li or at the above postal address with the note "Data protection".

It may be that you provide us with data that also relates to other persons. If you do so, we will take this as confirmation that this data is correct. Since we often have no direct contact with these third parties, we ask you to inform them about our processing of their data (e.g. by referring to this privacy policy).

3. How do we process data within the scope of our legal duties?

3.1 Students, participants in continuing education and graduates

When we are in contact with you regarding your studies, we process personal data, e.g. if you have questions or would like to register. This mainly concerns data that you send us, e.g. name, contact details, date of birth, documents for the application for admission (certificates, passport copy, passport photo, etc.) and the date of contact.

During and after your studies, we process personal data in many different situations. This concerns e.g.:

- the handling of teaching and examination operations (data on grades and course achievements, etc.);

- Event and excursion handling within the scope of studies (data on participation, possibly travel data, etc.);

- Video and audio recordings if you are attending a conference or event that is being recorded. The camera is usually pointed at the speaker. Otherwise, the camera radius will be visible to you or you will be informed of this

- Invoicing and payment processing, e.g. for tuition fees (payment data, account data, possibly data on your entitlement to a reduction, etc.);

- Awarding of degrees and graduations and their publication (name, title, degree, predicate or other additions);

- Administration and support for activities abroad through programmes such as Erasmus+;

- Quality management and accreditations (e.g. sending evaluation surveys to your postal or e-mail address; evaluations for assurance of learning);

- Processing of discounts and other benefits that you claim (e.g. participation in an event with a discount for students).

- Organisation of residence permits

Study programmes and continuing education may be provided in cooperation with partners. In this case, certain personal data may also be made accessible to these partners, provided that this disclosure does not conflict with any confidential interests.

3.2 Alumni Club Membership

Alumni Club Membership

3.3 Applicants (staff / lecturers)

During the application process, in addition to salutation, surname, first name, and the usual correspondence data such as postal address, e-mail address, and telephone numbers, we also process application documents such as letters of motivation, curriculum vitae, picture data, professional, educational, and further training qualifications, references, and certificates of employments. We use software of the provider Haufe-umantis AG, Unterstrasse 11, 9001 St. Gallen (Switzerland) to organise the application process.

Application data of employees:

In rare cases, your documents are forwarded to us by recruitment agencies. In these cases, we understand this as confirmation that the data is correct, that you have consented to the forwarding of this data and that you have been informed about the data processing.

If you take up a job at the University of Liechtenstein, your personal data, or at most an extract thereof, will be placed in your personnel file. The application data will either be returned to you or destroyed after the employment relationship has ended.

If you have applied but no employment relationship is established, your documents will generally be deleted or made anonymous after 6 months (see also section 11). In the case of an existing consent for longer storage of application data, we keep this pending for 2 years.

Application data of internal and external lecturers:

If you start employment with the University of Liechtenstein as a lecturer or receive a teaching assignment, we are obliged to process documents from the application process (CV, certificates, degrees, etc.) as proof of professional qualifications within the framework of accreditation requirements based on contractual or legal obligations (Art. 38 para. 2 HSG). These data may be processed by an accreditation organisation for verification purposes. Currently, accreditations or accreditation processes exist with the AAQ, AACSB and RIBA organisations.

3.4 Employees / Workers

If you start an employment at the University of Liechtenstein as a staff member or lecturer, we process personal data in many different situations. This concerns, for example:

- Salary and wage accounting (data on the employment, time and performance records, identification data, residence or address data, data on bank details, salary, wage or fee data);

- Settlement of travel expenses (identification data, travel or meal data and data on bank details);

- Personnel requirements or budget planning (data on cost centres, name, function, employment, salary, wage or fee data);

- Accounting and reporting to domestic and foreign social insurance institutions (AHV, IV, unemployment insurance, etc.) or reporting of contributions for pension insurance. This includes, in particular, data concerning your identification, contact data, domicile or address data, employment relationship, salary, wage or fee data, etc.).

- Notifications in the event of accidents and illness regarding possible insurance claims (in particular identification data, contact data, domicile or address data, employment relationship, salary, wage or fee data, illness or accident data, medical certificates, etc.).

- Organisation and verification of residence or cross-border commuter permits (identification data, copies of identity documents, passport photo, proof of health insurance, residence or address data, employment contract data, etc.);

- Keeping the personnel file (personnel master data, data on bank accounts, health data, data on employment contracts or teaching assignments, picture data; in the case of employees also data on personnel development, data on secondary employment, etc.);

- Time and effort recording (identification data, e-mail address, proof of time and effort recording, holiday data, data on cost centres or projects, etc.);

- Quality management (processing with regard to quality improvements, e.g. evaluations and surveys, etc.).

3.5 Beneficiaries in general

- If you make use of our services, e.g. if you use the library of the University of Liechtenstein (see section 3.5.2), obtain a place in a student residence or attend one of our events, we process data for the preparation of the conclusion of the contract and for the performance of the corresponding contract:

- If we are in contact with you with regard to a contract, e.g. when you register for events, rent accommodation in the student residence or register for the use of the library. This applies in particular to data that you provide to us, e.g. name, contact details or date of birth, details of services requested and the date of contact.

- If we conclude a contract with you, we process the data from the run-up to the conclusion of the contract (see above) and the information on the conclusion of the contract itself (e.g. on the conclusion date and the subject matter of the contract).

- We also process personal data during and after the term of the contract. This concerns, for example, information on the purchase of services, but also on payments, contacts with our administration, complaints, photographs at events, in the case of services available online also access data and logins, data on the termination of the contract and - if disputes should arise in connection with the contract - also on these and corresponding procedures. We use this data because we cannot process contracts without it.

- Certain services that you obtain from us can be provided in cooperation with partners / processors. These include, for example, Switch as an authentication service provider, SLSP AG for media loans in the library, the private and public cooperation partners for joint events or the processor for our internal billing system regarding i.e. printing, 3D-printing or laser cutting. In this case, your data may also be made accessible to these partners, provided that there is a legal basis and that this disclosure does not conflict with any confidential interests. 

The data recipient and at the same time our contractually obligated processor for our internal billing system is KUARIO B.V. (Netherlands). For this purpose, user data (e-mail address, user account, location of the device), time stamp and the billing amount for the purchased product are processed for billing purposes. The legal basis for this is the contractual obligation for the purchase of the service. The account and billing data are deleted either until the membership is terminated or after 7 years of inactivity.  

3.5.1 Switch edu-ID / AAI (authentication and autorisation service provider)

The Switch edu-ID service provides end users with a personal digital identity (edu-ID) that enables access to services of the Switch edu-ID federation in Switzerland, and via the Inter-Federation, with other international identity federations.

The use of Switch edu-ID is open to all natural persons who are interested in creating an edu-ID account to access services of the Switch edu-ID federation. The purpose is therefore the authentication and authorisation service for services of this federation. If you create an account with Switch, their terms of use must be observed.

The following categories of personal data are processed when using a Switch account: Personal contact data (first name, surname, email address, profile photo (optional), technical identifiers, attribute specification (e.g. date of birth, address, telephone number, SSH key, group information), authentication means (e.g. email address and password), log data (e.g. IP addresses, time, action), support data (surname, first name, email address and edu-ID identifier of the support requester), log data (e.g. IP addresses, time, action), support data (surname, first name, email address and edu-ID identifier of the support requestor (swissEduPersonUniqueID and eduPersonTargetedID), time, subject, problem description, attachments provided by the user).

The legal basis for the processing of your personal data is the performance of a contract pursuant to Art. 6 para. 1 lit. b GDPR. The transfer of your personal data to Switch is based on an adequacy decision pursuant to Art. 45 para. 1 GDPR.

As long as end users have an active affiliation with an organisation, Switch, as the organisation's contractor, is not authorised to delete the edu-ID account. The edu-ID account of all other end users can be deleted at any time via eduid-support@switch.ch. Deletion of the edu-ID account results in the loss of the rights to use the edu-ID account and the associated functionalities. When the edu-ID account is deleted, all personal data will be deleted. The deleted edu-ID account cannot be restored. The deletion of the edu-ID account does not automatically lead to the deletion of the data that the service operators process when using the services. Deletion of this data must be requested from the service operators.

The recipient of the personal data is Switch, Werdstrasse 2, 8004 Zürich, Switzerland.

3.5.2. Library System (Media Loans etc.)

To use our library services, such as borrowing media, you need to use swisscovery from SLSP AG (Swiss Library Service Platform). To log in to swisscovery (SLSP) and access library content, you need a Switch edu-ID account with which you register with SLSP (see section 3.5.1). Further information on data processing by the swisscovery service can be found in SLSP's privacy policy.

The purposes in relation to the processing of your data are as follows:
-   Processing of media loans and bookkeeping
-   Invoicing and processing of reminders (incl. processing of losses or damage)
-   Registration on the SLSP registration platform by the user, including verification with the Switch edu-ID
-   Organisation of access to/from affiliated libraries in the Institutional Zone (IZ)

In the course of lending media and the necessary platform registrations, the following personal data is processed by the University of Liechtenstein and SLSP (SLSP refers to this as ‘transaction data’): Information on orders for copies, reservations, acquisition proposals, interlibrary loans, bookings, fees, loan history over a defined period (completed loans, note fields in user data records), blocks, user groups. As registration via a Switch-edu-ID account is required to use swisscovery (SLSP), further personal data is required for processing. Beyond that, as an option the enduser can specify the following data: Barcodes from library cards, matriculation number, information on affiliation (assignment) to a university institution and preferred language. Further information on the authentication and authorisation service Switch can be found under section 3.5.1. The data processed by Switch will be transmitted to SLSP AG after registration of the account with your consent and synchronised on an ongoing basis. The transmission of this data is mandatory for the use of the service.

The legal basis for the processing of your personal data is the fulfilment of a contract pursuant to Art. 6 para. 1 lit. b GDPR. The transfer of your personal data to Switch and subsequently to SLSP AG (both Switzerland) is based on an adequacy decision pursuant to Art. 45 para. 1 GDPR.

The so-called SLSP transaction data (loans, fees, etc.) is anonymised after two years. The remaining SLSP account data (Swisscovery) is deleted after 10 years of inactivity. You can also request the deletion of your personal data from Switch at any time via your personal account with Switch or directly via SLSP AG (provided your data does not still need to be processed for an active transaction).

In addition to the University of Liechtenstein, the recipients of your personal data are
-   Switch, Werdstrasse 2, 8004 Zurich, Switzerland
-   SLSP AG, Kasernenstrasse 77A/B, CH-8004 Zurich, Switzerland, info@slsp.ch - www.slsp.ch
-   Libraries of the Institutional Zone (IZ) (see link) 

4. How do we process data in connection with our public relations work?

4.1 Newsletter

We also process personal data to promote our services, in particular with our newsletters. These contain information on events, invitations, information on further education offers and on developments at the university. The content of the newsletters is also aimed at the respective target group and may be based on our overriding legitimate interest, especially in the case of beneficiaries (contract fulfilment), e.g.:

- Prospective students: Information on info events, fairs and degree programmes;

- Students: Information about career services and campus life;

- Alumni / Alumnae: Information on portraits or events in which alumni / alumnae can participate;

- Those interested in further education and lectures: Information on events and further education.

If you register for one of our newsletters, we will immediately send an e-mail containing a hyperlink to the e-mail address you provided. By clicking on this link, you confirm your newsletter registration (double opt-in procedure). If this confirmation of registration is not received within 30 days, we will delete your data from our temporary list and registration will not have taken place. If you confirm the newsletter registration, you consent to the storage of your e-mail address including the date of registration.

We use the provider CleverReach (CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany) to organise the mailing of our newsletter. We have concluded a data processing agreement with CleverReach - you can find out more about the data protection policy at the following address: https://www.cleverreach.com/en-de/privacy-policy/. The newsletter can also be sent via the provider "The Rocket Science Group LLC d/b/a MailChimp, (675 Ponce De Leon Ave NE, Suite 5000, Atlanta, Georgia 30308 USA, privacy@mailchimp.com), in short "Mailchimp". Further information can be found at https://mailchimp.com/legal/. The data transfer takes place based on standard contractual clauses - an adequacy decision of the European Commission for the USA is existing.

In this context, in addition to your name and email address, we also process information about which services you have already used, whether you open our newsletter and which links you click on. For this purpose, our email delivery service provider provides a function that essentially works with invisible image data that is loaded from a server via a coded link and thereby transmits the corresponding information. This is a common method that helps us to assess the effect of newsletters and to optimise our newsletters. You can avoid this measurement by setting your email programme accordingly (e.g. by switching off the automatic loading of image files).

4.2. Photo and video recordings

In some cases, we take photos and videos of teaching and training events or of our staff for the purposes of public relations, marketing and documentation. The recordings are used on our website and for reporting in the press, print media and social media (see also section 9).

If you are the focus of these recordings, we usually ask for your consent. In other cases, especially in the case of photographs of larger groups of people, we base this processing on our legitimate interest in public relations (see also section 13 for the legal basis). You can object to the publication of your image or withdraw your consent at any time (see also section 14).

4.3 Audio recordings (Podcasts)

As part of our public relations work, we also offer audio content in the form of podcasts for listening and downloading. Based on your consent, usage data, audio content, contact or identification data and, if applicable, image data are processed for a contribution.

We use the podcast hosting service Anchor.fm of the provider Spotify USA, Inc, 150 Greenwich St, New York, NY 10007, USA. In the European Union or the European Economic Area, the data controller is Spotify AB, Regeringsgatan 19, 111 53 Stockholm, Sweden. The podcasts are loaded by or transmitted through Anchor.fm. Anchor.fm processes IP addresses and technical data in order to enable podcast playback and downloads and to determine statistical data, such as access figures. This data is anonymised or pseudonymised before being stored in the database unless it is necessary for the provision of the podcasts. Privacy policy: https://anchor.fm/privacy.

5. How do we cooperate with other authorities?

We are an independent foundation under public law (Art. 1 No. 1 LUG) and may be legally obliged to disclose personal data to other authorities or companies. For example, the University must disclose personal data to other authorities or commissioned research institutions for the purposes of educational controlling, statistics and research (Art. 34 LUG). In addition, the government or the education authority (‘Schulamt’) may process data of teaching staff or students (Art. 32 No. 2 and Art. 33 No. 2 in conjunction with Art. 33 No. 2 LUG).

Based on the IUV (‘Interkantonale Vereinbarung über die Beiträge an die Ausbildungskosten von universitären Hochschulen’), the University of Liechtenstein is obliged to transmit student data (e.g. identification data, residence data, study programme data and data on tuition fees) to the ‘Schweizerische Konferenz der kantonalen Erziehungsdirektoren’ (EDK) on the basis of legal obligations (Art. 25, IUV).

6. How do we cooperate with service providers?

6.1 IT service providers

We use various services from third parties, especially IT services (e.g. providers for hosting or data analysis services), shipping services and services from banks, the post office, consultants, etc.

- The University uses various Microsoft 365 applications. Information on the processing of personal data can be found separately under the following link
- One of the main IT service providers is the ‘Amt für Informatik’ (Landesverwaltung des Fürstentums Liechtenstein, Amt für Informatik, Heiligkreuz 8, 9490 Vaduz, Liechtenstein). This service provider performs central tasks to provide our IT infrastructure and guarantee our IT security. The majority of personal data in information systems that are operated via our IT infrastructure are therefore also processed by this office.

You will find information on service providers for our website under section 8. These service providers may also process personal data to the extent necessary.

7. Can we disclose data abroad?

The recipients of data are not only located in Liechtenstein. This applies in particular to IT service providers. These have locations both within the EU or the EEA (e.g. in Germany, but also in other countries worldwide, e.g. Switzerland or the USA). We may also transfer data to authorities and other persons abroad if we are legally obliged to do so or, for example, in the context of judicial proceedings (see section 9). Not all of these countries have adequate data protection. We compensate for the lower level of protection through appropriate contracts, in particular the so-called standard contractual clauses of the European Commission, which can be accessed here. In certain cases, we can also transfer data without such contracts in accordance with data protection requirements, e.g. if you have consented to the corresponding disclosure or if the disclosure is necessary for the performance of the contract, for the establishment, exercise or enforcement of legal claims or for overriding public interests.

8. How do we process data in connection with our website?

Every time you use our website, certain data is collected for technical reasons and temporarily stored in log files (log data), in particular the IP address of the end device, information about the Internet service provider and the operating system of your end device, information about the referring URL, information about the browser used, the date and time of access and the content accessed when visiting the website. We use this data so that our website can be used, to ensure system security and stability, to optimise our website and for statistical purposes.

Our website also uses cookies, i.e. files that your browser automatically saves on your terminal device. This allows us to distinguish individual visitors, but usually without identifying them. Cookies may also contain information about pages accessed and the duration of the visit. Certain cookies ("session cookies") are deleted when the browser is closed. Others ("persistent cookies") remain stored for a certain duration so that we can recognise visitors on a subsequent visit.

When accessing our websites, you usually have the option of activating or deactivating certain categories of cookies via a button displayed in the browser. We will also inform you about further details on the cookies, e.g. how long they are stored. Furthermore, you can configure your browser in the settings so that it blocks certain cookies or similar technologies or deletes cookies and other stored data. You can find more information on this in the help pages of your browser (usually under the keyword "data protection").

These cookies and other technologies may also come from third party companies that provide us with certain functions. These may also be located outside the EEA or Switzerland (see section 7 for details). For example, we use analysis services so that we can optimise our website. Cookies and similar technologies from third-party providers also enable them to target you with individualised advertising on our websites or on other websites and social networks that also work with this third party, and to measure how effective advertisements are (e.g. whether you arrived at our website via an advertisement and what actions you then take on our website). The relevant third parties may record website usage and combine their recordings with other information from other websites. In this way, they can record user behaviour across several websites and end devices in order to provide us with statistical evaluations on this basis. The providers may also use this information for their own purposes, e.g. for personalised advertising on their own website or other websites. If a user is registered with the provider, the provider can assign the usage data to the relevant person.

A key third party provider is Matomo, an analytics service provided by InnoCraft (7 Waterloo Quay P0625, 6140 Wellington, New Zealand). Matomo collects certain information about the behaviour of users on the website and about the terminal device used. The IP address is anonymised before it is stored by Matomo. Matomo provides us with analyses based on the recorded data. Information on Matomo's data protection can be found here, and if you no longer wish to be recorded by this service, you can unsubscribe as follows:

To integrate social networks on our website, we use so-called social plug-ins from various social networks (e.g. Facebook, Twitter, Instagram, YouTube, LinkedIn, Pinterest or Xing; "plug-in providers"). When you click on a social plug-in, a connection is automatically established between your browser and the servers of a plug-in provider. In the process, data (log files such as IP addresses) are transmitted to the servers of the respective plug-in provider. These servers may also be outside the EU or the EEA (e.g. in the USA). If you have an account on the respective social network, this data can also be linked to it. Furthermore, interactions, in particular the use of a comment function, the clicking of a "Like", "Share" or "Re-Tweet" button are also passed on to the plug-in providers.

If you do not want this data to be assigned to your account, please do not click on any plug-ins. It also helps if you deactivate or restrict cookies in your browser via your browser settings. Finally, you can completely prevent the loading of plug-ins by installing so-called script blockers on your browser.

We use the service "reCAPTCHA" (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) on our website so that we can recognise whether, for example, online forms are filled out by humans and not by so-called "bots" (machine-controlled entries). This may include processing of device information (IP addresses, operating system, devices, etc.) as well as data on location, language, mouse movements, website activity and results of recognition processes. We use this service on the basis of legitimate interest. Privacy policy: https://policies.google.com/privacy?hl=en; Settings for advertising: https://adssettings.google.com/authenticated.

9. How do we process data via social media?

We operate our own websites on social networks and other platforms (e.g. Facebook fan pages). If you communicate with us there or comment on or disseminate content, we collect information that we use primarily for communication with you, for marketing purposes and for statistical evaluations (see sections 4 and 10). This mainly includes contact and content data. Please note that the provider of the platform also collects and uses data itself (e.g. user behaviour, meta and communication data, device information, IP addresses), possibly together with other data known to it (e.g. for marketing purposes or to personalise the platform content). Insofar as we are jointly responsible with the provider, we enter into a corresponding agreement, about which you can obtain information from the provider.

We use the services of the following social service providers on the basis of legitimate interests:

- Facebook (Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Irland): we are jointly responsible with Meta Platforms Ireland Limited for the collection of data from visitors to our Facebook page. Privacy policy: https://www.facebook.com/policy; Contract addendum for the transfer of European data:  https://www.facebook.com/legal/EU_data_transfer_addendum; Arrangement for joint controllers: https://www.facebook.com/legal/terms/information_about_page_insights_data;

- LinkedIn (LinkedIn Irland Unlimited Company, Wilton Plaza Wilton Place, Dublin 2, Irland): Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://www.linkedin.com/legal/l/dpa; Standard Contractual Clauses (Ensuring the level of data protection in third countries): https://legal.linkedin.com/dpa; Option for objection (Opt-Out): https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out;

- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA): Privacy policy: https://privacycenter.instagram.com/policy/;

- Twitter (Parent company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA or for data processing of persons living outside the U.S.: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Irland): Privacy policy: https://twitter.com/privacy; Settings: https://twitter.com/personalization;

- Youtube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland): Privacy policy: https://policies.google.com/privacy?hl=en; Opt-Out: https://adssettings.google.com/authenticated.

- TikTok
(TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland bzw. Beijing Bytedance Technology Ltd., Peking, China): the social media platform TikTok is an "app" on which short videos or short video segments are created and distributed. The operator of the platform is the Chinese company ByteDance, which is why personal data is transmitted to or disclosed to the People's Republic of China when using TikTok. This country is considered a third country from the perspective of data protection - there is therefore no adequacy decision of the European Commission that guarantees an equivalent level of data protection with the EU/EEA area. Companies in China are obliged to disclose data to Chinese authorities under the Chinese Multi-Level Protection Scheme 2.0. This ensures unrestricted access to all data from Chinese companies. For this reason, European data protection requirements cannot be guaranteed when using the TikTok application. The transfer of this data to a third country for a specific purpose therefore takes place under the exceptional provision of Art. 49 Para. 1 lit. a GDPR, which presupposes your consent after clarification of the existing risks. We would like to point out that the University of Liechtenstein has no influence on the further processing of your personal data by TikTok. Privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/en; Standard Contractual Clauses: https://ads.tiktok.com/i18n/official/policy/controller-to-controller.

10. Is there any further processing?

Yes, because very many operations are not possible without processing personal data, including common and even unavoidable internal operations. This cannot always be precisely determined in advance, nor the amount of data processed in the process, but you will find details of typical (though not necessarily frequent) cases below:

- Communication: When we are in contact with you (e.g. when you call the welcome desk or communicate with us on a social media platform), we process communication content information about the nature, time and place of the communication. For your identification, we may also process information for proof of identity.

- Compliance with legal requirements: We may disclose data to authorities as part of legal obligations or powers and to comply with internal regulations (see also section 5).

- Prevention: We process data to prevent criminal data and other violations, e.g. as part of the fight against fraud or internal investigations. In the course of epidemics or pandemics, we also process data to implement a protection concept.

- Legal proceedings: Insofar as we are involved in legal proceedings (e.g. court or administrative proceedings), we process data e.g. about parties to the proceedings and other persons involved such as witnesses or respondents and disclose data to such parties, courts and authorities, possibly also abroad.

- Risk management, ICS and process management: Within the framework of legal obligations, the University of Liechtenstein also carries out processing in the area of risk management and ICS or process management (see Art. 16 para. 1 ÖUSG and No. 4.3 Owner's Strategy of 4 July 2019 for the University of Liechtenstein).

- IT and facility security: We also process data for monitoring, controlling, analysing, securing and checking our IT infrastructure (e.g. access and entry authorisations by means of logins and badges), but also for backups and archiving data.

- Academic exchange: We process data about other universities and colleges. We may also process data about staff, lecturers, students or alumni/alumnae who have a specific exchange with us (in particular name, contact details, role or function and public statements).

- Mobility: If e-bikes or parking spaces of the University of Liechtenstein are used, the following data may be processed: Name, registration number, date, parking fine if applicable. If you have purchased a reduced parking permit, we require data on your name, place of residence, length of journey, registration number and vehicle type.

- Research: in the course of research projects, we may also process personal data of research participants. As a rule, you as the participant will be informed separately about the specific data processing, which takes place on the basis of your consent.

- Other purposes: We process data to the extent necessary for other purposes such as administration (e.g. contract management or accounting), enforcing and defending claims, evaluating and improving internal processes, compiling statistics and evaluations; acquiring or selling receivables and ensuring other legitimate interests.

11. How long do we process personal data?

We process your personal data as long as it is necessary for the purpose of processing (in the case of contracts, usually for the duration of the contractual relationship), as long as we have a legitimate interest in storing it (e.g. to enforce legal claims, for archiving or to ensure IT security) and as long as data is subject to a statutory retention obligation (for certain data, for example, a ten-year retention period applies). After these periods have expired, we delete or anonymise your personal data.

12. How do we protect personal data?

We take appropriate security measures of a technical and organisational nature to maintain the security of your personal data, to protect it against unauthorised or unlawful processing and to protect it against the risk of loss, accidental alteration, unauthorised disclosure or access. However, we cannot exclude data security breaches with absolute certainty; certain residual risks are unavoidable.

Security measures on a technical basis include, for example, the encryption and pseudonymisation of data, logging, access or entry restrictions and the storage of backup copies. Security measures of an organisational basis include, for example, instructions to our employees, confidentiality agreements and controls. We also oblige our processors to take appropriate technical and organisational security measures.

13. Legal basis

Data processing is only permitted if the applicable law specifically allows it. As a public university, we base the processing of your personal data primarily on the fact that it is required or permitted by law. The relevant legal provisions can be found, for example, in Art. 50a of the ‘Hochschulgesetz’ (HSG) and Art. 32 et seq. of the ‘Gesetz über die Universität Liechtenstein’ (LUG).

However, we may also base the processing on your separate consent, e.g. if you ask us to pass on your data to third parties (e.g. in the context of a reference or because you wish to take advantage of third-party offers, e.g. a student housing exchange, or participate in student associations).

Furthermore, we may base the processing on the fact that it is necessary for the preparation and execution of contracts, that it is necessary for the legitimate interests of us or third parties, e.g. for statistical evaluations or for marketing purposes. You will find the relevant provisions on the legal basis in Art. 6 and 9 of the GDPR.

Incidentally, you are not always obliged to disclose data to us, with the exception of individual cases (e.g. if you have to fulfil a contractual obligation and this involves disclosing data to us). However, for legal and other reasons, we must process data when you use our services. The use of our website is also not possible without data processing (see section 8).

14. What are your rights?

You have certain rights under applicable data protection law so that you can obtain further information about and act on our data processing:

- You can request further information about our data processing. We are at your disposal for this purpose. You can also submit a request for access if you would like further information and a copy of your data;

- You can object to our data processing, especially in connection with direct marketing;

- You can have inaccurate or incomplete personal data corrected or completed or supplemented by a note of objection;

- You also have the right to receive the personal data you have provided to us in a structured, commonly used and machine-readable format, insofar as the corresponding data processing is based on your consent or is necessary for the performance of the contract;

- If we process data on the basis of your consent, you can withdraw your consent at any time. The withdrawal is only valid for the future and we reserve the right to continue to process data on a different basis in the event of a withdrawal.

If you wish to make use of such a right, please contact us (section 2). As a rule, we will have to verify your identity (e.g. by means of a copy of your ID card). You are also free to file a complaint against our processing of your data at the responsible supervisory authority - in Liechtenstein at the ‘Datenschutzstelle’ (DSS), Städtle 38, P.O. Box 684, FL-9490 Vaduz (T +423 236 60 90, e-mail: info.dss@llv.li).