Privacy Policy

This privacy policy applies to the website and the following social media sites:

I. Name and address of the data controller and contact data protection officer


Kempten University of Applied Sciences
Corporation under public law
Kempten Business School
Bahnhofstraße 61
D – 87435 Kempten
PO Box 1680
D – 87406 Kempten
Phone: +49 (0) 831 2523-0
E-mail: [email protected]

Contact details of the data protection officer

Data Protection Officer of Kempten University of Applied Sciences
Bahnhofstraße 61
87435 Kempten
Fax: 0831 2523-9283
E-Mail: [email protected]

II. general

Data protection is our concern and our legal obligation.

Purposes and legal bases of ¬the processing

In accordance with Art. 2 Para. 6 BayHSchG, Art. 4 Para. 1 S. 1 and 2 BayEGovG, we offer our services and administrative services as well as information for the public about our activities on our websites.

Our social media presences are part of our public relations work. Our aim is to inform and exchange with you in a way that is appropriate to the target group, Art. 2 para. 6 BayHSchG. We enable you to make fast electronic contact and communicate directly via the media of your choice, § 5 para. 1 no. 2 TMG.

We disclose and block or delete content and posts, requests which violate the rights of third parties or which constitute a criminal offence or misdemeanour, or which do not comply with legal or contractual obligations of conduct, by transmitting them to the competent authority or social media service.

Insofar as other or more specific legal bases are relevant, we will provide separate information about this in this data protection declaration.

Recipients or categories of recipients of the personal data

If you use our social media channels and pages, their providers also process your personal data.

Our IT service providers may also be recipients of your personal data as part of the contract processing agreements we have entered into. However, to ensure the security of our data processing facilities, we do not disclose our service providers.

Hosting of the website

This website is hosted by the following provider:

domainfactory GmbH
Oskar-Messter-Str. 33
85737 Ismaning


We use the service “Cloudflare”. The provider is Cloudflare Inc., 101 Townsend St., San Francisco, CA 94107, USA (hereinafter “Cloudflare”) as a content delivery network and for encrypting our websites.

Cloudflare offers a globally distributed content delivery network with DNS. This technically routes the transfer of information between your browser and our website via Cloudflare’s network. This enables Cloudflare to analyse the traffic between your browser and our website and to act as a filter between our servers and potentially malicious traffic from the internet. In doing so, Cloudflare may also use cookies or other technologies to recognise internet users, but these are used solely for the purpose described here.

The use of Cloudflare is based on our legitimate interest in providing our website as error-free and secure as possible (Art. 6 para. 1 lit. f DSGVO).

The data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:

Further information on the topic of security and data protection at Cloudflare can be found here:

Third country transfer

Among other things, we use tools and services from companies based in the USA or other third countries that are not secure under data protection law. If these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that no level of data protection comparable to that in the EU can be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities. It can therefore not be ruled out that US authorities (e.g. intelligence services) process, evaluate and permanently store your data located on US servers for monitoring purposes. We have no influence on these processing activities.

III. categories of data

  1. Log files
    When you access this or other Internet pages, you transmit data to our web server via your Internet browser. The following data is recorded during an ongoing connection for communication between your internet browser and our web server: –
    Date and time of the request
    – Name of the requested file – Page from which the file was requested
    – Access status (for example, file transferred, file not found)
    – Web browser and screen resolution used as well as the operating system used –
    – Complete IP address of the requesting computer –
    – Volume of data transferred
    For the operation of the website, it is absolutely necessary to record the above data and store it in server log files. No user profiles are created from this data.
    As a rule, log files are stored for a maximum of seven days.
  2. Administration and editing
    For administration and editing, function identifiers and personal identifiers with access protection mechanisms are created and changes made with these identifiers are logged. These identifiers are deactivated after the person concerned leaves.
  3. Communication
    If you communicate a concern or an opinion to us by e-mail, post, telephone or social media, the information provided will be processed for the purpose of dealing with the concern as well as for possible follow-up questions and for the exchange of opinions. We always use the same communication channel for this purpose, unless you request a change.
    Post, e-mails and social media contributions and messages are deleted no later than 6 years after the end of the year in which the respective transaction takes place.
  4. Forms: Data collection, storage and processing
    The website of Kempten University of Applied Sciences contains forms where users can voluntarily enter personal data (e.g. name, address, e-mail address, telephone number) for specific purposes (e.g. making contact). The data will only be used for the purpose stated in the form and will be deleted after the process has been completed. Personal data will not be passed on, sold or otherwise transferred to third parties. Personal data will only be used for marketing purposes (e.g. newsletters) with the express consent of the user. Users have the right to revoke their consent at any time with effect for the future. Unless there are legal reasons to the contrary, the data will be deleted immediately.
  5. Newsletter dispatch via Sendinblue
    If you would like to receive the newsletter offered on the website, we require an e-mail address from you as well as information that allows us to verify that you are the owner of the specified e-mail address and that you agree to receive the newsletter.
    This website uses Sendinblue to send newsletters. The provider is Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany. Sendinblue is a service with which, among other things, the sending of newsletters can be organised and analysed. The data you enter for the purpose of receiving the newsletter is stored on Sendinblue’s servers in Germany. With the help of Sendinblue, we are able to analyse our newsletter campaigns. For example, we can see whether a newsletter message has been opened and which links, if any, have been clicked on. In this way, we can determine, among other things, which links were clicked on particularly often. We can also see whether certain previously defined actions were carried out after opening/clicking (conversion rate). For example, we can see whether you have made a purchase after clicking on the newsletter. Sendinblue also enables us to subdivide (“cluster”) the newsletter recipients according to various categories. For example, newsletter recipients can be subdivided according to age, gender or place of residence. In this way, the newsletters can be better adapted to the respective target groups. Detailed information on the functions of Sendinblue can be found at the following link:
    The data processing is based on your consent (Art. 6 para. 1 lit. a DSGVO). You can revoke this consent at any time. The legality of the data processing operations already carried out remains unaffected by the revocation.
    You can unsubscribe from the newsletter at any time. For this purpose, we provide a corresponding link in every newsletter message.
    The data you provide for the purpose of receiving the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and will be deleted from the newsletter distribution list after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.
    For more details, please refer to the data protection provisions of Sendinblue at:
    We have concluded an order processing agreement (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that this service only processes the personal data of our website visitors in accordance with our instructions and in compliance with the DSGVO.
  6. Registration for info evening
    You can register for information evenings on our website. To do so, you must provide the mandatory information requested and will then receive an event link by e-mail. The e-mails are sent via Sendinblue (for details, see the passage above).
    Your registration data for the info evening will be deleted immediately, at the latest within 2 weeks after the end of the event.
    The data processing is based on Art. 6 para. 1 lit. b DSGVO and on our legitimate interest in holding info-events (Art. 6 para. 1lit. f DSGVO).
  7. Statistical analysis with Matomo
    This website uses Matomo, an open source software for statistical analysis of visitor access. Matomo uses “cookies”, which are text files placed on your computer, to help the website analyse how users use the site. The information generated by the cookie about your use of this website is stored on the provider’s server in Germany. The IP address is anonymised immediately after processing and before it is stored. The last two bytes of the visitor’s IP address are masked.
    When entering the website, the user himself can decide whether his visit is recorded (Art. 6 para. 1 p. 1 lit. a DSGVO and § 25 para. 1 TTDSG). This is done via the consent management tool. The user can change his or her decision at any time by clicking on the “Cookies” tab in the footer of the website.
  8. Integration of YouTube Videos
    YouTube videos are integrated on this website using framing technology in “extended data protection mode”. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.
    YouTube videos are loaded via the domain. YouTube videos are only displayed with the prior, explicit consent of the user (opt-in method). Simply calling up a page with YouTube videos does not set a cookie, nor does it initiate a data processing process.
    If the user watches the video, a connection to the Google advertising network is usually established.
    YouTube is only activated after the user has given his consent via the cookie consent tool (Art. 6 para. 1 p. 1 lit. a DSGVO and § 25 para. 1 TTDSG). The user can change his or her decision at any time by clicking on the “Cookies” tab in the footer of the website.
  9. Cookie consent via Borlabs Cookie
    Our website uses Borlabs Cookie Consent technology to obtain your consent to the storage of certain cookies in your browser or to the use of certain technologies and to document this in accordance with data protection law.
    The provider of this technology is Borlabs GmbH, Rübenkamp 32, 22305 Hamburg (hereinafter referred to as Borlabs).
    When you enter our website, a Borlabs cookie is stored in your browser, in which the consents you have given or the revocation of these consents are stored. This data is not shared with the Borlabs cookie provider.
    The data collected will be stored until you request us to delete it or until you delete the Borlabs cookie yourself or until the purpose for storing the data no longer applies. Mandatory legal retention periods remain unaffected. Details on the data processing of Borlabs Cookie can be found at
    Borlabs Cookie Consent Technology is used to obtain the legally required consent for the use of cookies. The legal basis for this is Art. 6 para. 1 lit. c DSGVO.
  10. Wordfence
    We have integrated Wordfence on this website. The provider is Defiant Inc, Defiant, Inc, 800 5th Ave Ste 4100, Seattle, WA 98104, USA (hereinafter “Wordfence”).
    Wordfence serves to protect our website from unwanted access or malicious cyberattacks. For this purpose, our website establishes a permanent connection to Wordfence’s servers so that Wordfence can compare its databases with the accesses made to our website and block them if necessary.

IV. Data subject rights

You have the following rights under the General Data Protection Regulation:

If your personal data is processed, you have the right to obtain information about the data stored about you (Art. 15 DSGVO).

If inaccurate personal data is processed, you have the right to rectification (Art. 16 GDPR).
If the legal requirements are met, you may request the erasure or restriction of processing as well as object to processing (Art. 17, 18 and 21 DSGVO).

If you have consented to the data processing or if there is a contract for data processing and the data processing is carried out with the help of automated procedures, you may have a right to data portability (Art. 20 DSGVO).

Should you make use of your above-mentioned rights, the public body will check whether the legal requirements for this are met.

If you have given your consent to data processing, you can revoke this consent at any time for the future. If you have given consent on our website via our cookie consent tool, you can revoke or change this consent by clicking on the “Cookies” tab in the footer of this website.

Furthermore, there is a right of appeal to the Bavarian State Commissioner for Data Protection.

V. Our social media presence

We maintain publicly accessible profiles on social networks. The individual social networks we use can be found below.

Social networks such as Facebook, Twitter, etc. can usually comprehensively analyse your user behaviour when you visit their website or a website with integrated social media content (e.g. like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered. In detail:

If you are logged into your social media account and visit our social media presence, the operator of the social media portal can assign this visit to your user account. However, your personal data may also be collected under certain circumstances if you are not logged in or do not have an account with the respective social media portal. In this case, this data collection takes place, for example, via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this way, the operators of the social media portals can create user profiles in which your preferences and interests are stored. In this way, interest-based advertising can be displayed to you inside and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are or were logged in.
Please also note that we cannot track all processing operations on the social media portals. Depending on the provider, further processing procedures may therefore be carried out by the operators of the social media portals. For details, please refer to the terms of use and data protection provisions of the respective social media portals.

Legal basis

The legal basis for the use of social media in general can be found above under II.

Responsible person and assertion of rights

If you visit one of our social media sites (e.g. Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. In principle, you can assert your rights (information, correction, deletion, restriction of processing, data portability and complaint) both adressing us and adressing the operator of the respective social media portal (e.g. Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are largely determined by the corporate policy of the respective provider.

Storage period

The data collected directly by us via the social media presence will be deleted from our systems as soon as you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies. Stored cookies remain on your end device until you delete them. Mandatory legal provisions – in particular retention periods – remain unaffected.

We have no influence on the storage period of your data, which is stored by the operators of the social networks for their own purposes. For details, please contact the operators of the social networks directly (e.g. in their privacy policy, see below).

Social networks in detail

We have a profile on Facebook. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (hereinafter Meta). According to Meta, the data collected is also transferred to the USA and other third countries.

We have entered into a Joint Processing Agreement (Controller Addendum) with Meta. This agreement specifies the data processing operations for which we or Meta are responsible when you visit our Facebook page. You can view this agreement at the following link:

You can adjust your advertising settings independently in your user account. To do so, click on the following link and log in:
For details, please refer to Facebook’s privacy policy:


We have a profile on Instagram. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
For details on how they handle your personal data, please refer to Instagram’s privacy policy:


We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. Details on how they handle your personal data can be found in the XING privacy policy:


We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies.
If you would like to deactivate LinkedIn advertising cookies, please use the following link: For
details on how they handle your personal data, please refer to LinkedIn’s privacy policy:


We have a profile on YouTube. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Details on how they handle your personal data can be found in YouTube’s privacy policy:

VI. Other information on our privacy policy

We reserve the right to amend this data protection declaration from time to time so that it always complies with the current legal requirements or in order to implement changes to our services in the data protection declaration, e.g. when introducing new services. The new data protection statement will then apply to your next visit.