Med Uni Graz data protection management

The responsibly party for the processing is

• The legal entity (e.g. Med Uni Graz) in whose interest the processing is carried out and who can dispose of it (data controller),

• The legal entity (KAGES, external firms, etc.) performing processing activities on behalf of the responsible person (processor),

• Natural persons (such as employees) who process data as the responsible parties or processors or for such personal data.



Through the implementation of internal guidelines (guidelines, etc.), strategic and operational processes, as well as an ongoing monitoring and improvement process, the following requirements (rights and obligations) or goals for a data protection management are ensured:

  • Compliance with regulatory compliance (responsibility for the admissibility of data use (Purpose limitation: Collection and processing for specified, explicit and legitimate purposes only), selection of appropriate processors, maintenance of data secrecy, data minimisation, notification, information and disclosure requirements, provision for appropriate data security measures (e.g. retention limit: as soon as possible or pseudonymisation or final removal of the personal reference, etc.)
  • Compliance with rights of the data subjects
  • Obligation to report data breach
  • Duty of proof and accountability (verifiability or documentation of compliance with obligations)
  • Ensuring transparency


General information on personal data

EU General Data Protection Regulation (EU GDPR) and Data Protection Amendment Act of 2018 (DSG): Data protection applies to all processing activities with personal data.

Processing activities are:

  • Electronic processing of personal data (such as Excel spreadsheets, etc.) 
  • Non-electronic file systems (organised according to personal information, such as lists of names, etc.)

Personal data is:

  • Direct personal data (name, location data, online identification, etc.) 
  • Indirectly personal data, if the data can be assigned to a person with the help of further information or technical aids (pseudonymous data, IP address, genetic data, etc.)

Pseudonymous data is:

Personal data that can no longer be attributed to a specific data subject without the need for additional information, provided that such additional information is kept separate and subject to technical and organisational measures to ensure that the personal data is not assigned to an identified or identifiable natural person. Caution: Pseudonymous data is subject to data protection!

Anonymous data is:

Data that cannot be assigned to a person. Anonymous or anonymised data is excluded from data protection.

Affected rights

Data subjects at the Med Uni Graz are

Research: Privacy Policy of the Medical University of Graz on the handling of personal data for research purposes

As per the GDPR, the data subjects have a right to information (Art. 15), a right to rectification (Art. 16), a right to deletion (Art. 17), a right to restriction on processing (Art. 18), a right to data portability (Art. 20) and a right to opt-out (Art. 21).

Requests are generally to be made in written form incl. more detailed information by e-mail or by mail to the specified contact details. 

At the Medical University of Graz, these rights of data subjects can be exercised as follows: We point out your obligation to cooperate in the application for a request for information. Therefore, we kindly ask you to tell us in what context (e.g. employees, students, applicants, etc.) or which processed data or what information your request for information relates to.

Employees and students can use the e-mail address of Med. Uni. Graz (no information about special categories of personal data, such as health data, faith, etc.) to make their request. In all other cases, proof of identity in the form of an official photo identification is necessary.

Contact Affected rights

OE Recht und Risikomanagement
Co-ordination office Data protection 
Medical University of Graz
Neue Stiftingtalstraße 6, 8010 Graz
T: +43 316 385 74032

Data protection officer

Duties of the Data Protection Officer  (governed in the data protection rules of the Med Uni Graz)

The Data Protection Officer is bound to observe secrecy or confidentiality in the performance of his duties (Art. 37 para. 4 and 5).

• Contact point for data subjects for the processing of their personal data and the exercise of their rights;

• Monitoring compliance with the GDPR, other European Union or Member State data protection legislation, and the policies of the responsible parties or processors for the protection of personal data, including the allocation of responsibilities, awareness-raising and training of employees involved in the processing operations, and checks thereof;

• Consultation on request - in the context of the data protection impact assessment and monitoring of its implementation as per Art. 35;

• Cooperation with the supervisory authority;

• Acting as a focal point for the supervisory authority in processing-related matters, including prior consultation as per Art. 36, and, if appropriate, advice on all other issues.


Data breach as per Art. 4, no. 12 of the GDPR, is the “breach of the protection of personal data”, a breach of security that, whether inadvertently or unlawfully, leads to the destruction, loss, alteration or unauthorised disclosure, or unauthorised access to personal data, which has been transmitted, retained or otherwise processed.

Examples of the loss of personal data of Med. Uni. Graz:

  • Loss of cellphone, tablet, laptop, etc.
  • E-mail to wrong recipients,
  • Malicious software
  • Blackmailer malware
  • etc.

The notification of a data breach must be made immediately to the Data Protection Officer of Med Uni Graz. On the one hand, this is necessary to protect personal data or to protect the integrity of the IT structure and, on the other hand, to be able to comply with the reporting obligation to the supervisory authority.

For confidential enquiries about personal data protection and notification of a (possible) data breach, please contact us by e-mail (see contact details "Data Protection Officer").
Requests from data subjects and general enquiries about personal data protection and data security should also be sent to the Data Protection Coordination Office by e-mail (

Contact Data protection officer

Co-ordination office Data protection 
T: +43 664 88961748