The Technical University of Munich (TUM), UnternehmerTUM GmbH and TUM Venture Labs Management gGmbH see themselves together as an "ecosystem" in the field of entrepreneurship, start-up support and start-up promotion, which offers the best possible conditions for start-ups, especially for students and employees of TUM, but also for related and other target groups. Within this ecosystem, the target groups are offered various programmes, formats and events that are intended to promote the entrepreneurial skills of the participants and support them on their way to founding a company. In order to be able to offer and implement these offers in the most target-oriented way possible, the parties operate a joint database with contact data of participants and information on their spin-off/start-up projects as well as relevant specifications and contents of the various programmes, formats and/or events.
I. Joint Controllership
The participants in the ecosystem have jointly determined the purposes and means of data processing and are therefore jointly responsible for the processing of personal data, Art. 26 (1) sentence 1 GDPR.
Jointly responsible are the:
Technical University of Munich
TUM Venture Labs Management gGmbH
- hereinafter also collectively referred to as "the parties involved in the ecosystem".
II. Contact details of the data protection officers
Data Protection Officer of the Technical University of Munich
Data Protection Officer of UnternehmerTUM GmbH
Data Protection Officer of TUM Venture Labs Management gGmbH
Within the scope of shared responsibility, we regularly process the following data:
- Contact data
- Account data of the related organization/institution (e.g., company/start-up, professorship/chair)
- Pitch decks and application documents relevant for inclusion in funding and incubation programs
- Image and video files
- Overview of contact points within the ecosystem journey
- Information from consulting interviews
- Information on company and team developments
- Documentation of mandatory dates and milestones in funding programs
IV. Common purposes and means of data processing
The purpose of the processing is to build a joint ecosystem in the area of start-up support around the Technical University of Munich, its associated institute UnternehmerTUM and the joint TUM Venture Labs Initiative. Those interested in founding, founders and alumni are to be guided through this ecosystem in a targeted and efficient manner so that they can be provided with the best possible support geared to their respective needs.
The basis of such a joint ecosystem and its customer and stakeholder orientation is a uniform, resilient database with regard to the offers of the parties and the individuals and founding teams participating in them. The collected and processed data shall be used for the implementation of programmes, formats and events including advisory meetings as well as for sending information (e.g. about competitions, support and qualification offers, teaching events, infrastructure, events and event invitations, feedback opportunities). Furthermore, the collected and processed data shall be used for analysis and evaluation as well as reporting purposes, for marketing activities, for transfer within the ecosystem for the mediation of offers, for sending personalised addresses (e.g. for experts, mentors, speakers) and for recruiting for vacant staff positions within the ecosystem.
The data stored on the basis of a consent will be processed for the above purpose. For this purpose, the data is stored in particular in the IT infrastructure of UnternehmerTUM GmbH and stored in shared databases. The data is collected and entered by the party responsible for the respective section of the ecosystem journey (e.g. a qualification offer, a consulting service, an event or the provision of infrastructure). A certain amount of data that is relevant for the entire ecosystem journey will be visible and usable for all parties involved (e.g. contact and account data, pitch decks, overview of contact points within the ecosystem journey, information from advisory meetings and on company and team developments). The data collected and processed will not be passed on to third parties outside the three contracting parties involved in the ecosystem.
V. Legal basis
Article 6 I lit. a GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures, for example in the case of enquiries about our products or services. If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. Individual processing operations may be based on Art. 6 I lit. f GDPR if none of the aforementioned legal bases apply and the processing is necessary to protect a legitimate interest, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.
We use Mailchimp by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) to send the newsletter and other information on the ecosystem. This allows us to contact customers and interested individuals directly. In addition, we analyse your usage behaviour in order to optimise our offer. For this purpose, we pass on the e-mail address provided to Mailchimp.
Mailchimp is the recipient of your personal data and acts as a processor for us as far as the sending of our newsletter is concerned. The processing of the data provided in this section is neither legally nor contractually required. Without your consent and the transmission of your personal data, we cannot send out a newsletter to you.
You can find further information on objection and removal options vis-à-vis Mailchimp at: https://mailchimp.com/legal/privacy/#3._Privacy_for_Contacts
The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. A corresponding link can be found in all mailings. In addition, the revocation can be made via the specified contact options. The declaration of revocation does not affect the lawfulness of the processing carried out to date.
Your data will be processed as long as a corresponding consent has been given. Apart from that, they will be deleted after the termination of the contract between us and Mailchimp, unless legal requirements make further storage necessary. Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Mailchimp processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit: https://mailchimp.com/legal/data-processing-addendum/
VII. Responsibilities for individual phases of data processing
1. Collection and storage of personal data
The personal data collected is stored in a shared database. We use the service provider Salesforce for this purpose. The operating company of Salesforce is
Salesforce.com Germany GmbH
Erika Mann Str. 31
We are supported by an agency in the administration and maintenance of the database. These are:
Rupert-Mayer-Straße 44, Building 64.07a
2. Disclosure of personal data
The data collected within the scope of joint responsibility will not be disclosed to third parties without expressed consent or the existence of another legal basis within the meaning of Art. 6 GDPR.
3. Use of personal data
The above-mentioned parties involved in the ecosystem may use the data for the purposes mentioned under point IV. insofar as the data subject has consented to the corresponding use or other legal bases within the meaning of Art. 6 GDPR apply.
4. Responsibility for data processing
The above-mentioned parties involved in the ecosystem are jointly responsible for the lawfulness of all data processing operations, notwithstanding the details of the joint responsibility agreement pursuant to Art. 26(1) GDPR.
Within the framework of joint responsibility, the parties involved have also agreed on the following responsibilities:
Process section: Provision and maintenance of the database management system (Salesforce), information to data subjects, deletion according to deletion deadlines or on request, statistics
Responsible: UnternehmerTUM GmbH
Process section: Exercise of the information obligations in the event of a personal data breach
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the infringement
Process section: Collecting and entering data
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the party responsible for collecting the data in each case
Process section: Use of the data in accordance with the General Consent for the primary use cases in accordance with the purpose of the data processing stated under point IV.
Responsible: Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the performance
The contact addresses of the parties for the purpose of notifying the respective responsible persons can be found in sections I. and II. of this privacy statement.
VIII. Data subjects' rights
The following obligations exist for the exercise of the rights of the data subjects:
1. Fulfilment of the information obligations
All parties involved in the ecosystem ensure compliance with the information obligations when collecting personal data pursuant to Art. 13 GDPR (collection from the data subject) and Art. 14 GDPR (collection not from the data subject).
For this purpose, we provide the information required in each case free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language.
2. Processing and responding to requests for the exercise of data subjects' rights
Data subjects may contact any party involved in the ecosystem to exercise their respective data subject rights. In such a case, the other parties involved in the ecosystem are obliged to forward the data subject's request to the other parties involved.
3. Security of data processing
The parties involved in the ecosystem shall ensure that all appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the requirements of applicable data protection regulations (in particular the GDPR) and ensures the protection of the rights of the data subject.
4. The use of processors
The parties involved in the ecosystem may use the services of third parties to process data on their behalf ("processors").
Currently, these are Salesforce.com Germany GmbH and cloudworx GmbH (cf. Section VII.1 of this data protection declaration).