Privacy Policy on the Joint Controllership of the Ecosystem

Information pursuant to Art. 13/14 GDPR on joint responsibility within the startup ecosystem of Technical University of Munich, UnternehmerTUM and TUM Venture Labs

The Technical University of Munich (TUM), UnternehmerTUM GmbH and TUM Venture Labs Management gGmbH see themselves together as an "ecosystem" in the field of entrepreneurship, start-up support and start-up promotion, which offers the best possible conditions for start-ups, especially for students and employees of TUM, but also for related and other target groups. Within this ecosystem, the target groups are offered various programmes, formats and events that are intended to promote the entrepreneurial skills of the participants and support them on their way to founding a company. In order to be able to offer and implement these offers in the most target-oriented way possible, the parties operate a joint database with contact data of participants and information on their spin-off/start-up projects as well as relevant specifications and contents of the various programmes, formats and/or events.

I. Joint Controllership

The participants in the ecosystem have jointly determined the purposes and means of data processing and are therefore jointly responsible for the processing of personal data, Art. 26 (1) sentence 1 GDPR.

Jointly responsible are the:

Technical University of Munich
Arcisstrasse 21
80333 Munich
gruendungsberatung@tum.de

UnternehmerTUM GmbH
Lichtenbergstraße 6
85748 Garching
info@unternehmertum.de

TUM Venture Labs Management gGmbH
Lichtenbergstraße 6
85748 Garching
contact@tum-venture-labs.de

- hereinafter also collectively referred to as "the parties involved in the ecosystem".

II. Contact details of the data protection officers

Data Protection Officer of the Technical University of Munich
Arcisstrasse 21
80333 Munich
beauftragter@datenschutz.tum.de

Data Protection Officer of UnternehmerTUM GmbH
Alexander Stolberg-Stolberg
SVF Lawyers
Oberanger 30
80331 Munich
stolberg@unternehmertum.de

Data Protection Officer of TUM Venture Labs Management gGmbH
Alexander Stolberg-Stolberg
SVF Lawyers
Oberanger 30
80331 Munich
stolberg@unternehmertum.de

III. Categories of data

Within the scope of shared responsibility, we regularly process the following data:

  • Contact data
  • Account data of the related organization/institution (e.g., company/start-up, professorship/chair)
  • Pitch decks and application documents relevant for inclusion in funding and incubation programs
  • Image and video files
  • Overview of contact points within the ecosystem journey
  • Information from consulting interviews
  • Information on company and team developments
  • Documentation of mandatory dates and milestones in funding programs

IV. Common purposes and means of data processing

The purpose of the processing is to build a joint ecosystem in the area of start-up support around the Technical University of Munich, its associated institute UnternehmerTUM and the joint TUM Venture Labs Initiative. Those interested in founding, founders and alumni are to be guided through this ecosystem in a targeted and efficient manner so that they can be provided with the best possible support geared to their respective needs.

The basis of such a joint ecosystem and its customer and stakeholder orientation is a uniform, resilient database with regard to the offers of the parties and the individuals and founding teams participating in them. The collected and processed data shall be used for the implementation of programmes, formats and events including advisory meetings as well as for sending information (e.g. about competitions, support and qualification offers, teaching events, infrastructure, events and event invitations, feedback opportunities). Furthermore, the collected and processed data shall be used for analysis and evaluation as well as reporting purposes, for marketing activities, for transfer within the ecosystem for the mediation of offers, for sending personalised addresses (e.g. for experts, mentors, speakers) and for recruiting for vacant staff positions within the ecosystem.

The data stored on the basis of a consent will be processed for the above purpose. For this purpose, the data is stored in particular in the IT infrastructure of UnternehmerTUM GmbH and stored in shared databases. The data is collected and entered by the party responsible for the respective section of the ecosystem journey (e.g. a qualification offer, a consulting service, an event or the provision of infrastructure). A certain amount of data that is relevant for the entire ecosystem journey will be visible and usable for all parties involved (e.g. contact and account data, pitch decks, overview of contact points within the ecosystem journey, information from advisory meetings and on company and team developments). The data collected and processed will not be passed on to third parties outside the three contracting parties involved in the ecosystem.

V. Legal basis

Article 6 I lit. a GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures, for example in the case of enquiries about our products or services. If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. Individual processing operations may be based on Art. 6 I lit. f GDPR if none of the aforementioned legal bases apply and the processing is necessary to protect a legitimate interest, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.

VI. Newsletter via Mailchimp

We use Mailchimp by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) to send the newsletter and other information on the ecosystem. This allows us to contact customers and interested individuals directly. In addition, we analyse your usage behaviour in order to optimise our offer. For this purpose, we pass on the e-mail address provided to Mailchimp.

Mailchimp is the recipient of your personal data and acts as a processor for us as far as the sending of our newsletter is concerned. The processing of the data provided in this section is neither legally nor contractually required. Without your consent and the transmission of your personal data, we cannot send out a newsletter to you.

In addition, Mailchimp collects the following personal data using cookies and other tracking methods: information about your terminal device (IP address, device information, operating system, browser ID, information about the application you use to read your emails and other information about hardware and internet connection). In addition, usage data is collected, such as the date and time when you opened the email / campaign and browser activity (e.g. which emails / web pages were opened). Mailchimp needs this data to ensure the security and reliability of the systems, compliance with the terms of use and the prevention of misuse. This corresponds to the legitimate interest of Mailchimp (according to Art. 6 para. 1 lit. f GDPR) and serves the execution of the contract (according to Art. 6 para. 1 lit. b GDPR). Mailchimp also evaluates performance data, such as email delivery statistics and other communication data. This information is used to create usage and performance statistics for the services. Mailchimp also collects information about you from other sources. In an unspecified period and scope, personal data is collected via social media and other third-party data providers. We have no influence on this process.

You can find further information on objection and removal options vis-à-vis Mailchimp at: https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts

The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. A corresponding link can be found in all mailings. In addition, the revocation can be made via the specified contact options. The declaration of revocation does not affect the lawfulness of the processing carried out to date.

Your data will be processed as long as a corresponding consent has been given. Apart from that, they will be deleted after the termination of the contract between us and Mailchimp, unless legal requirements make further storage necessary. Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Mailchimp processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://mailchimp.com/legal/data-processing-addendum/

VII. Responsibilities for individual phases of data processing

1. Collection and storage of personal data

The personal data collected is stored in a shared database. We use the service provider Salesforce for this purpose. The operating company of Salesforce is

Salesforce.com Germany GmbH
Erika Mann Str. 31
80636 Munich
Germany.

Salesforce's privacy policy can be viewed here: https://www.salesforce.com/de/company/privacy/.

We are supported by an agency in the administration and maintenance of the database. This is:

cloudworx GmbH
Rupert-Mayer-Straße 44, Building 64.07a
81379 Munich

The privacy policy of cloudworx can be viewed here: https://www.cloudworx.agency/datenschutz

We also use the productivity tool Notion. The service provider is the American company Notion Labs Inc.

Notion Labs Inc
2300 Harrison Street
San Francisco, CA 94110
USA.

Notion also processes your data in the USA, among other places. Notion is an active participant in the EU-US Data Privacy Framework, which regulates the correct and secure transfer of personal data from EU citizens to the USA. You can find more information on this at https://commission.europa.eu/document/fa09cbad-dd7d-4684-ae60-be03fcb0fddf_en.

In addition, Notion uses so-called standard contractual clauses (= Art. 46 (2) and (3) GDPR). Standard Contractual Clauses (SCC) are templates provided by the EU Commission and are intended to ensure that your data complies with European data protection standards even if it is transferred to third countries (such as the USA) and stored there. Through the EU-US Data Privacy Framework and the Standard Contractual Clauses, Notion undertakes to comply with the European level of data protection when processing your relevant data, even if the data is stored, processed and managed in the USA. These clauses are based on an implementing decision of the EU Commission. You can find the decision and the corresponding standard contractual clauses here: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de.

You can find more information on the standard contractual clauses at Notion at https://www.notion.so/Data-Processing-Addendum-361b540101274b1fa7e16b90402b0d99.

We hope we have been able to provide you with the most important information about Notion's data processing. You can find out more about the data that is processed through the use of Notion in the privacy policy at https://www.notion.so/Privacy-Policy-3468d120cf614d4c9014c09f6adc9091.

2. Disclosure of personal data

The data collected within the scope of joint responsibility will not be disclosed to third parties without express consent or the existence of another legal basis within the meaning of Art. 6 GDPR.

3. Use of personal data

The above-mentioned parties involved in the ecosystem may use the data for the purposes mentioned under point IV. insofar as the data subject has consented to the corresponding use or other legal bases within the meaning of Art. 6 GDPR apply.

4. Responsibility for data processing

The above-mentioned parties involved in the ecosystem are jointly responsible for the lawfulness of all data processing operations, notwithstanding the details of the joint responsibility agreement pursuant to Art. 26(1) GDPR.

Within the framework of joint responsibility, the parties involved have also agreed on the following responsibilities:

Process section: Provision and maintenance of the database management system (Salesforce, Notion), information to data subjects, deletion according to deletion deadlines or on request, statistics
Responsible: UnternehmerTUM GmbH

Process section: Exercise of the information obligations in the event of a personal data breach
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the infringement

Process section: Collecting and entering data
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the party responsible for collecting the data in each case

Process section: Use of the data in accordance with the General Consent for the primary use cases in accordance with the purpose of the data processing stated under point IV.
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the performance

The contact addresses of the parties for the purpose of notifying the respective responsible persons can be found in sections I. and II. of this privacy statement.

VIII. Data subjects' rights

The following obligations exist for the exercise of the rights of the data subjects:

1. Fulfilment of the information obligations

All parties involved in the ecosystem ensure compliance with the information obligations when collecting personal data pursuant to Art. 13 GDPR (collection from the data subject) and Art. 14 GDPR (collection not from the data subject).

For this purpose, we provide the information required in each case free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language.

2. Processing and responding to requests for the exercise of data subjects' rights

Data subjects may contact any party involved in the ecosystem to exercise their respective data subject rights. In such a case, the other parties involved in the ecosystem are obliged to forward the data subject's request to the other parties involved.

3. Security of data processing

The parties involved in the ecosystem shall ensure that all appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the requirements of applicable data protection regulations (in particular the GDPR) and ensures the protection of the rights of the data subject.

4. The use of processors

The parties involved in the ecosystem may use the services of third parties to process data on their behalf ("processors").

Currently, these are Salesforce.com Germany GmbH, Notion Labs Inc (USA) and cloudworx GmbH (cf. Section VII.1 of this data protection declaration).