Data protection is a matter of trust, and your trust is important to us. This is why we have published this privacy policy, to inform you how and for what purpose we collect, process and use your personal data.
Among other things, this privacy policy will tell you:

• what personal data we collect and process;
• the purposes for which we use your personal data;
• who has access to your personal data; 
• what benefits our data processing has for you;
• for how long we process your personal data;
• what rights you have in relation to your personal data; and 
• how you can contact us.

The University of Applied Sciences of the Grisons, Pulvermühlestrasse 57, 7000 Chur, Switzerland (“UAS Grisons”, “we” or “us”), is responsible for data processing in accordance with this privacy policy. 

• Personal data is an umbrella term for all information that refers to a specific or identifiable natural person. 
• A data subject is a person whose personal data is processed.
• Processing includes any handling of personal data, regardless of the means and procedures used, such as the retrieval, comparison, adaptation, archiving, storage, reading, disclosure, procurement, recording, collection, deletion, publication, ordering, organisation, saving, modification, dissemination, linking, destruction and use of personal data.
• Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person. In particular, this involves analysing or predicting aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or change of location of this natural person.
• Cookies are files that contain certain technical data and are stored and saved on a computer system via an Internet browser. The data subject can prevent cookies being stored by our website at any time by configuring their Internet browser accordingly and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs.
• The technical data includes, among other things:
  • the IP address of your device and other device IDs (e.g. MAC address);
  • identification numbers assigned to your device by cookies and similar technologies (e.g. pixel tags);
  • information about your device and its configuration, e.g. operating system or language settings;
  • details of the browser you are using to access the website and its configuration;
  • information about your movements and actions on our websites and in our apps;
  • information about your internet provider;
  • your approximate location and the time of use;
  • system-side records of instances of access and other processes (log data).
  • peripheral telecommunications data

We process data that is generated as part of the use of our websites, apps or Wi-Fi networks (technical data), that you provide to us (e.g. as part of newsletter registrations, registrations for events, filling out web forms or other orders) or that is generated as part of the contractual process. This can be in particular in connection with studies, further education, research or services.
We collect your personal data in particular when you contact us, for example via our websites, as an interested party, customer, applicant, person submitting a request, etc. We process personal data that we receive from our customers as part of our business relationship. In addition, we process – to the extent necessary for the provision of our services – personal data that we legitimately obtain from publicly accessible sources.
Relevant personal data are personal details (title/gender, name, address and other contact details, date and place of birth, nationality) and legitimisation data (e.g. ID card data). In addition, order data, data from the fulfilment of our contractual obligations, advertising and sales data, documentation data and other data comparable with the aforementioned categories may also be processed.
We may listen to or record telephone or video conferences for training, evidence and quality assurance purposes. In such cases, we will notify you separately (e.g. by means of a display or announcement) and you are free to inform us if you do not wish to be recorded or to terminate the communication (if you simply do not want your image to be recorded, please switch off your camera). We may also process personal data for organising, implementing and following up on events, in particular participant lists and the content of presentations and discussions, as well as image and audio recordings made during these events. 
If you use our website for purely informational purposes, i.e. if you do not fill out any web forms and do not register for an event or otherwise provide us with information, we collect technical data that your browser transmits. This data is not merged with other data sources. The sole purpose of this data collection is to optimise and improve the user-friendliness of our website. We reserve the right to check this data if we become aware of concrete evidence of unlawful use.

You may be able to log in to individual online services using the login of a third-party provider (e.g. Switch edu-ID). In this case, we receive access to certain data stored by the provider in question, such as your name and e-mail address. Information on this can be found in the privacy policy of the provider concerned.

Certain types of personal data are considered “particularly sensitive” under data protection law, e.g. information on health and biometric characteristics. Depending on the circumstances, personal data may also include such particularly sensitive personal data. However, we generally only process particularly sensitive personal data if this is necessary for the provision of a service, if you have provided us with this data yourself or if you have consented to the processing. We may also process particularly sensitive personal data if this is necessary to uphold rights or comply with domestic or foreign legal requirements, if the data in question has clearly been publicly disclosed by the data subject or if the applicable law permits its processing.

As an institution under public law, we process personal data on the legal basis of the Cantonal Act on Universities and Research (GHF, BR 427.200) in accordance with the provisions of the Cantonal Data Protection Act (KDSG, BR 171.100) of the Canton of Graubünden, the Swiss Federal Act on Data Protection (FADP, SR 235.1) and the European General Data Protection Regulation (GDPR, Regulation 2016/679), insofar as the corresponding regulations are applicable. As the GDPR requires us to list these individually, the legal bases for our processing, insofar as the GDPR applies, are listed below. When processing personal data in accordance with the KDSG or FADP, we rely on the comparable legal bases in these laws.

Within the UAS Grisons, those departments that need your data to fulfil our contractual and legal obligations will have access to it. Service providers employed by us may also receive data for these purposes. These include companies in the categories of personnel consulting, IT services, logistics, printing services, telecommunications, consulting and advisory services as well as sales and marketing.

All these categories of recipients may in turn involve third parties, meaning that your data may also become accessible to them. We can restrict processing by certain third parties (e.g. IT providers), but not by others (such as authorities and banks).

• Other recipients of personal data may include, for example
• Public bodies and institutions (e.g. authorities and courts) in the event of a legal or official obligation.
• Facilities within the UAS Grisons for risk management based on legal or official obligations.
• Those bodies for which you have given us your consent to transfer data or for which you have released us from the duty of confidentiality in accordance with the agreement or consent.

We enable certain third parties to collect personal data from you on our website and at our events, including on their own responsibility (e.g. media photographers, providers of tools that we have integrated into our website (see section 13.4), etc.). Insofar as we are not decisively involved in this data collection, the responsibility for this lies solely with these third parties. If you have any concerns and wish to assert your data protection rights, please contact these third parties directly.

We generally process personal data in Switzerland and the European Economic Area (EEA). However, it is possible for personal data to be exported or transferred to other countries, in particular in order to process it or have it processed there, provided that

• this is required by law, or
• the third countries are on the list of countries with adequate data protection, or
• we have provided suitable guarantees through appropriate mechanisms (e.g. contracts), or
• you have given us your consent.
   

We take appropriate technical and organisational measures to protect your data from unauthorised access and misuse. 
Our employees and the service providers we commission are pledged by us to uphold data security and comply with the data protection regulations. Furthermore, they are only granted access to personal data to the extent necessary.

We generally process your data for as long as required by our purposes for the processing and by the statutory retention periods, in particular for documentation and evidence purposes, or for as long as storage is necessary from a technical standpoint (e.g. for backups). Provided there are no legal, contractual or technical reasons to the contrary, we generally delete or anonymise your data after the retention period has expired as part of our usual processes.

As an institution under public law, we are obliged under the Act on Record Keeping and Archiving (GAA, BR 490.200) of the Canton of Graubünden to offer all documents to the State Archives after the retention period has expired. The documents managed by the State Archives are subject to a protection period of 30 years, or 50 years in the case of particularly sensitive personal data and are only accessible after this period has expired.

You have the right to object to data processing, especially if we process your personal data on the basis of a legitimate interest and the other applicable requirements are met. You can also object to data processing in connection with direct marketing (e.g. advertising e-mails) at any time. This also applies to profiling, insofar as this is associated with such direct marketing.

As long as the applicable requirements are met and no statutory exceptions apply, you also have the following rights:

• the right to request information about your personal data stored by us;
• the right to have incorrect or incomplete personal data rectified;
• the right to request the erasure or anonymisation of your personal data;
• the right to request the restriction of the processing of your personal data;
• the right to receive certain personal data in a structured, commonly used and machine-readable format;
• the right to revoke consent with effect for the future, insofar as processing is based on consent. Processing that took place before the revocation is not affected by this.

Please note that these rights may be restricted or excluded in individual cases, e.g. if there are doubts about your identity or if this is necessary to protect other persons, to safeguard legitimate interests or to comply with legal obligations. In any case, the processing of your claim according to your rights will only begin after a successful identity check.
If the GDPR is applicable, the following applies: Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR. In addition, you have the right to lodge a complaint with a competent data protection supervisory authority (Art. 77 GDPR).

Please submit any requests to exercise your rights in writing to the contact indicated under point 13.

You are also free to lodge a complaint with a competent supervisory authority if you have concerns as to whether the processing of your personal data complies with the law.

• Competent supervisory authorities in Switzerland:
  • Data Protection Officer of the Canton of Graubünden;
  • Federal Data Protection and Information Commissioner (FDPIC).

As part of our business relationship, you must provide the personal data that is necessary for the establishment and implementation of a business relationship and the fulfilment of the associated contractual obligations or that we are legally obliged to collect. Without this data, we will generally not be able to conclude or fulfil a contract with you.

Generally speaking, the technical data and cookies collected by us do not contain any personal data. However, personal data about you that is stored by us or by third-party providers commissioned by us (e.g. if you have a user account with us or these providers) may be linked to the technical data or to the information stored in and obtained from cookies and thus possibly to your person. 

We use special audio and video conferencing services to communicate online. These services enable us, for example, to hold virtual meetings or organise online courses and webinars. Such meetings, courses or webinars may be recorded for teaching, training or evidence purposes. Before we start recording, we will obtain your consent. The legal texts of the individual services also apply to participation in audio and video conferences. These include, for example, privacy policies and terms of use. We use the following in particular: 

• Webex: Provider: Cisco Systems Inc. (USA)
• Teams: Provider: Microsoft Ireland Operations Limited (Ireland)
• Zoom: Provider: Zoom Video Communications Inc. (USA)

The following data protection information provides an overview of the collection and processing of your data in the Learning Management System (https://moodle.fhgr.ch) of the UAS Grisons (hereinafter referred to as “Moodle”). Moodle is an open-source learning management system (LMS) and is used at the UAS Grisons as a central learning platform. The courses serve as an information and learning resource for students, and Moodle is also used for performance assessments. This data protection information is aimed at all users of Moodle, in particular students and teachers.

The following data protection information provides an overview of the collection and processing of your data on the application platform (https://jobs.fhgr.ch/) of the UAS Grisons. The application platform is based on a solution from Abacus Umantis AG (Switzerland) and is used at the UAS Grisons as a central application platform. The data is stored and processed on the systems of Abacus Umantis AG. The legal texts of Abacus Umantis AG also apply to the use of the application platform. These include, for example, privacy policies and terms of use. This data protection information is aimed at all users of the application platform. 

If you have any questions about this privacy policy or the processing of your personal data, you can contact us at the following address.

UAS Grisons
Martin Berger
Data Protection Officer 
Pulvermühlestrasse 57
7000 Chur, Switzerland
datenschutz@clutterfhgr.ch

This privacy policy is not part of a contract with you. We can amend this privacy policy at any time. The version published on this website is the current version. We reserve the right to actively inform persons whose contact details are registered with us in the event of significant changes. The version of the privacy policy that is valid at the start of the relevant data processing applies to said processing.