Your data which are processed in WebUntis and/or Untis Mobile are safe with us (Untis GmbH)! We are obliged to protect your personal data processed in the course of our mutual business relation, and we take this very seriously. We would like to ask you to please take your time to thoroughly read this data protection information so that you can understand why we collect your data and how we are processing them.
- We process personal data for the operation of the systems we provide our products with. Therefore, we are (depending on the specific functionality and the service we owe to our contract partner) responsible and data processor within the meaning of GDPR.
See item 3
- We process personal data in WebUntis and Untis Mobile on behalf of and on the instruction of our contract partners (data processor within the meaning of GDPR).
See item 4
2. What is personal data?
Personal data is information relating to natural persons (students, students’ parents or teachers) whose identity has been identified or is identifiable (e.g.: name, contact details, billing data, IP address).
3. Operation of systems we provide our products with
The following information, which in general is related to the specific user, is processed in order to be able to offer our products:
- User name
- User ID
- Date and time of access
- URL accessed
- Referrer URL
- Educational institution
- IP address
- Browser used
- Operating system used
Data is transmitted by TLS encryption.
The aforementioned data is processed for the reliable and safe availability of our products, and are deleted after six months from the data collection date. Saving the data for six months is necessary in order to be able to identify, attribute and resolve any technical problems which might occur. Additionally, it can be used to support investigating authorities in detecting crimes.
4. Data processing in WebUntis and Untis Mobile
Both WebUntis and Untis Mobile are platforms for the same database, and contain the same data sets. The functionalities available are mostly the same.
When you use WebUntis or Untis Mobile, processing of personal data is based on the order processing agreement according to Article 28 of the GDPR concluded with the respective responsible party (this is the educational institution you or your child attends or at which you teach).
Regardless of the respective user role and the rights that go with it, the school defines which data are necessary and who will have access to them. We provide the platform to realise the requirements of the specific institution. The platforms comprise the following features depending on the respective user rights:
- Room bookings
- Timetable and substitution planning
- Electronic class register
- Parent-teacher day planning
- Course registering
Click here for a comprehensive description of currently available features.
As part of our contractual relationship with you, we will in general save your data for seven years (starting with the end of the respective fiscal year) due to our corporate and fiscal documentation requirement according to para. 212 UGB (Austrian Commercial Code) and para. 132 BAO (Austrian Federal Fiscal Code). In justified individual cases, e.g. in the assertion of or defence against specific rights, we can save your data for up to 30 years after terminating our business relationship.
Regarding all the processing operations for which we are not data processor within the meaning of GDPR but rather a commissioned data processor, we refer to the privacy policies of the responsible educational institute.
Untis Mobile uses services provided by Firebase (a Google product):
- Firebase Cloud Messaging, for sending push notifications,
- Firebase Crashlyrics, for analysis of automatically created error messages (e.g. in the event of a computer crash),
- Firebase Remote Config, for configuration adjustments in the app, without having to release a new app version in the store.
When installing the app, the following rights are requested:
- Camera: Access to the camera is necessary in order to be able to recognise and process QR codes. QR codes are used to assist you when you register. The rights can be deleted afterwards in the application settings.
- Photos and videos: Access to photos and videos are required for the data transfer to WebUntis.
- Push notifications: The user gets relevant information via push notifications, e.g. on changes in the timetable. This right can be deleted afterwards in the application settings.
If you do not grant the aforementioned rights or if you deactivate them after installation, you can only use Untis Mobile to a limited extent.
Furthermore, we would like to point out that Untis Mobile does not contain any advertisements (the note about this from the Google Play Store is made due to Untis Mobile being linked to Untis Messenger).
5. Automation-supported decision taking
We will not carry out processing of your data that results in a decision based solely on automated processing (including profiling) which results in legal effects for you or significantly disadvantages you in a similar way (Article 22 GDPR). Any decision having the respective effect is taken by a natural person.
6. Collecting data from other sources (information according to Art. 14 GDPR)
No data is collected from other sources. We only use the information that you enter or provide during use (e.g. saved homework or absence messages).
Depending on the respective function, further processing of collected and processed data takes place (e.g.: registration for office hours based on the assignment of information to students and teachers).
No additional information is transmitted to us when used. All data generated that goes beyond that of WebUntis is stored exclusively on the user's device; this data is NOT synchronized with the Untis systems.
7. Which rights do you have regarding data processing?
We would like to inform you that you have the right to
- request information about which of your data we process. The right of access also includes the right to obtain a copy of the data as long as this does not adversely affect the rights and freedoms of others (see in detail Article 15 GDPR);
- obtain the rectification of inaccurate personal data (see in detail Article 16 GDPR);
- obtain erasure of personal data (see in detail Article 17 GDPR). The right to erasure does not apply to the extent that processing is necessary, e.g. for compliance with legal or contractual obligations;
- obtain restriction of the processing of your data under certain circumstances (see in detail Article 18 GDPR);
- object to the processing of personal data which are necessary to respect our rights or the rights of a third party. In the case of objection, we will not process your data any longer, unless processing your data serves the establishment, exercise or defence of legal claims or we demonstrate compelling legitimate grounds which override your interests. When objecting to the processing for direct marketing purposes, we shall not process your personal data for this purpose any more (see in detail Article 21 GDPR);
- receive the personal data that you have provided in a structured, commonly used and machine-readable format. However, the right of data portability is only given if it is based on your consent or on a contract (see in detail Article 20 GDPR).
To exercise the aforementioned rights, please contact the respective educational institution.
If your request concerns data processing beyond the extent provided by your educational institution, please send an e-mail to datenschutz(at)untis.at or send a letter to Untis GmbH, Belvederegasse 11, A2000 Stockerau referring to your educational institution. We would like to inform you that processing your request can only be done in cooperation with your educational institution.
If, however, your right to the lawful processing of your data is – against expectation - violated despite our obligation to process your data lawfully, please contact us via mail or e-mail (see contact details below), informing us about your concerns so that we can address them. However, you also have the right to lodge a complaint at the Austrian Data Protection Authority or at another EU data protection supervisory authority, in particular at your place of residence or work.
We hope we have made clear in which form and for which purpose your data are processed. If, however, you still have any questions regarding the processing of your personal data, do not hesitate to contact us.
A-2000 Stockerau, Belvederegasse 11
VAT No (UID): ATU69811938, Commercial Register No (FNr) 437283p, Regional Court of Korneuburg
phone: +43 (0)2266/62241/0
fax: +43 (0)2266/62241/6