Current navigation level
Previous navigation level
Next navigation level
Current navigation level

Data Protection Declaration University of St.Gallen (HSG)

The purpose of this Privacy Policy is to inform you regarding data security, the processing of data in connection with the use of our websites and your rights with regard to the processing of data.

Overview using Privacy Icons

Type of personal data

General Data

General Data

We process general personal data about you, such as your name and contact details.

No Financial Data

No Financial Data

We do not process your financial data.

No Health Data

No Health Data

We do not process your health data.

No Location Data

No Location Data

We do not process your location data.

No Biometric Data

No Biometric Data

We do not process your biometric data.

No Intimate Data

No Intimate Data

We do not process intimate data about you.

Source of personal data

Provided Data

Provided Data

We process personal data that you provide to us.

Collected Data

Collected Data

We process personal data that we collect about you.

No received Data

No Received Data

We do not process personal data about you that we receive from third parties.

Purpose of processing



We use your personal data for marketing and advertising.

Product Development

Product Development

We use your personal data for the development and improvement of products and services.

No other Purposes

No Other Purposes

We do not use your personal data for other purposes without direct connection with the core service.

Special processes

No automated decision making

No Automated Decision-Making

We do not make significant decisions based on fully automated processing.

No Profiling

No Profiling

We do not analyze your behaviour and do not make assumptions about your interests and preferences.

Passing on to third parties

No Data Transfers

No Data Transfers

We do not transfer your personal data to other companies that decide themselves how to use the data.

No Data Sale

No Data Sale

We do not sell your personal data.

Place of processing



We also process your personal data outside of Switzerland and the EU.


This Data Protection Declaration of the University of St.Gallen (hereinafter «HSG») applies exclusively to the processing and protection of your personal data in connection with this online presence, not including the processing of personal data for example in the context of study or further education at the University. It is governed by Swiss Law as well as, where applicable, by the provisions of the European Union (EU), in particular the General Data Protection Regulation (GDPR).

This published Data Protection Declaration is current and applies to all websites accessible under and its accessable subdomains. The German version (accessible here) is authoritative.
Some websites of the HSG may have their own Privacy Policies. If they do, this Data Protection Declaration shall apply on a subsidiary basis. Under certain circumstances, as part of this online presence, one is referred to websites from third-parties. The University of St.Gallen accepts no liability for any legal deficiencies (regarding data protection) on such websites.

1. Responsible parties and contact

Unless otherwise specified individually, the party responsible for the data processing described here is:

University of St.Gallen
Dufourstrasse 50
CH-9000 St.Gallen
Phone: +41 71 224 21 11

Data Protection Officer of the University of St.Gallen:

University of St.Gallen
Legal Office
Dufourstrasse 50
CH-9000 St.Gallen

Data protection representative in the EU:

Attorney Frank E.R. Diem
Hölderlinplatz 5
D-70193 Stuttgart
contact information

2. Type, collection and processing of personal data

Personal data includes all information relating to a specific or identifiable person. When collecting and processing personal data, we comply with the legal requirements of the applicable data protection laws. The legal basis of the HSG on how personal data is treated is provided by art. 4 of the DSG-SG and art. 13 par. 1 of the DSG or, where applicable, art. 6 par. 1 of the GDPR.
With regard to the provisions of the GDPR in particular, data processing by the University is fundamentally based on a statutory legal basis. Therefore, we only process personal data in the following cases:

  • If legal regulations require us to;
  • If the processing is in the public interest;
  • If we have the consent of the person concerned. Once consent is granted, it can be revoked at any time, but this has no effect on data already processed;
  • If this is necessary to fulfil a contractual obligation with the person concerned or to initiate and conclude a contract with the person concerned;
  • If this is essential to protect the vital interests of the person concerned or another natural person;
  • If this serves to safeguard the legitimate interests of the University or third parties.

There are (essentially) two ways in which data is processed on this website:

Automatic collection of technically necessary data

This data is intended to make our website (cookies) more convenient for you to use or to enable reliable operation and to protect against misuse (log files).

Collection of data through your active voluntary consent / participation

In particular, this collection of personal data in particular is done by voluntarily filling out online forms e.g. registration for studies, ordering of documents, or registration for newsletters. The data will be processed for the respective purpose apparent or declared in the context of the data collection.

3. Duration of storage of personal data
As soon as the legal reason for processing specific data ceases or the collected data no longer serves the specific purpose, the data is deleted, provided that the deletion does not conflict with legal or contractual obligations.

Web-related personal data is stored as follows:

  • Data in team pages: As long as the person is employed by the University.
  • Data in galleries created by the CMS author: As long as the person is not actively deleted.
  • Data in web forms: As long as the CMS author does not actively delete the list of sent forms.
  • Data from Google Analytics: As long as the Analytics account exists or an admin does not actively delete all the data.
  • Data for specially closed areas with login (very few): As long as the CMS admin does not delete the created users.
  • Data in log files for statistics: anonymous unlimited;
  • Data in log files for provability of events: pseudonymized six [6] months;
  • Data in log files for troubleshooting: thirty [30] days.

Information about the duration of storage of personal data of third parties mentioned in this Data Protection Declaration aren’t part of the present Data Protection Declaration.

4. Rights of persons affected by data processing

Right to information
in particular, whether your personal data is processed by us and, if so, what kind of data is involved and what data is stored.

Right to correction and, if necessary, completion of your personal data.

Right to deletion of your personal data.

Right to restriction of data processing.

Right to withdrawal of previously granted content.

Right to objection to data processing.

To exercise the rights listed above you are generally required to unequivocally prove your identity. To assert your rights, you can contact us using the contact details provided in section 1.

Please note that we reserve the right, for our part, to enforce the statutory restrictions, for example, if we are required to retain or process certain data, have an overriding interest in doing so (insofar as we are entitled to invoke it) or require it for the assertion of claims. If you incur costs, we will inform you in advance.

You are able to report data protection violations to the following authority:

Data Protection Department of the Canton of St.Gallen
Government Building
9001 St.Gallen, Switzerland

If the GDPR is applicable, you have the right to appeal to the relevant data protection supervisory authority.

5. Personal data in log files, in the event of approach and information


CMS and web server (

Our websites collect the following data with each query:

  • IP address,
  • Date and time of the query,
  • Time zone difference to GMT,
  • Contents of the request,
  • Access status / http status code,
  • Amount of data transferred,
  • Web page from which the request originates,
  • Browser (including language and version),
  • Operating system.

The data is stored in the log files on our servers. Collection of this data is necessary for technical reasons in order to display our website to you and to ensure its stability and security.

If you contact us using the specified email address and/or the contact form provided, we will always comply with the applicable data protection regulations when handling the data from your inquiry. The data you provide is used solely to process your request.
Please note that the data you enter via our contact form is transmitted unencrypted.

IIT application at HSG (for example Compass, Atlas, Personenprofilmanager)

During their use, application specific log files are continuously created and updated. The following data will be stored:

  • Browser (including language and version),
  • Operating system,
  • date of the protocolled events,
  • Information about the URL (path inside the IT application)
  • Information about errors
  • Information about users


By granting your consent, you can subscribe to our newsletter, which contains information about our latest interesting offers. We use what is known as the ‘double opt-in process’ when subscribing users to our newsletter. This means that after you subscribe we send an email to the specified email address asking you to confirm that you want to receive the newsletter. The only information you have to enter to receive the newsletter is your email address, which we save after you subscribe.
Furthermore, we can send you our newsletter as part of your user or contractual relationship.
You can revoke your consent to the sending of the newsletter at any time and unsubscribe from the newsletter. This revocation or cancellation can be declared by clicking the link provided in every newsletter or via all the contact information declared in this Data Protection Declaration.


In some cases, we offer blogs on our websites where we publish various articles on topics related to our activities. Certain blogs allow you to leave public comments, which can be published with your username. We encourage you to use a pseudonym rather than your real name as a username. You are required to enter your username and email address; all other entries are voluntary. When you submit a comment, we store your IP address so that we can defend against liability claims in the event that unlawful content is published.
Comments are not reviewed prior to publication. However, we reserve the right to remove comments after publication at our sole discretion if we consider them to contain offensive or unlawful content.

6. Cookies, web tracking and other technologies in connection with the use of our website

Cookies: CMS and web server (

Only for the current session

Name: .ASPXAUTH, ASP.NET_SessionId, persistedCtx, sharedCtx_unisg


  • Check if the user is logged in
  • SessionsID to ensure the same web server is used
  • Display language of the user for transferring it to the intranet
  • Information about the display of login information oft he authenticated user

Permanently valid
Name: website#lang

Description: Display language selected by user

Cookies: Google

Only for the current session

Name: _dc_gtm_UA-36273831-1, _gat_UA-36273831-1

Description: Google Tag Manager Cookie, Google Analytics Cookie

Permanently valid or at least for a few days

Name: _ga, _gid

Description: Google Analytics Cookie

Cookies: Pinterest

Permanently valid

Name: _pinterest_cm

Description: Pinterest Cookie (possibly via Google Tag Manager)

Cookies: Google Maps
No Cookies
When you use Google Maps on our website, information about the use of the website (including IP address) is transmitted to Google in the United States. For more information, visit this page.


No Cookies
Targeting/marketing cookies: When videos are embedded, YouTube stores data about user behaviour. For more information, visit this page.

Cookies: Facebook, Twitter, LinkedIn, Flickr

No Cookies
Twitter messages and sharing options are only available as bouncing hyperlinks.

Web tracking: Google Analytics

Our website uses Google Analytics, a web analytics service provided by Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland («Google»).

Google Analytics uses cookies that enable analysis of website usage. The information generated by the cookie about your use of the website is transferred in anonymised form to a Google server in the United States and stored there. Thanks to anonymisation, this data cannot be linked to a specific person. Google processes this information in order to evaluate your use of the website, to compile reports on user activities and to provide other services related to website and internet usage. Google may transfer this information to third parties.

You can prevent the data generated by the cookie about your use of the website (including your IP address) from being sent to and processed by Google by downloading and installing the browser plug-in available at the following link.

For more information about data processing by Google, please refer to Google's Data Protection Declaration.

Web tracking: Social media plug-ins

Our website uses social media plug-ins and tools and therefore personal data can be transmitted to the respective plug-in provider. The plug-in provider stores the data collected about you as usage profiles and uses it for purposes of advertising, market research and/or to customise the design of its website. We have no control over the collected data or the data processing operations of the plug-in providers. For more information on the purpose and scope of the data collection and the processing of the data by the plug-in provider, please refer to the providers’ privacy statements listed below.


7. Automated decisions and profiling

In connection with this online presence, no personal data is collected or even brought together centrally to build up a profile and make this data available to certain individuals for evaluation nor using it to conduct behaviour control.
Automated decisions does not take place.

8. Countries in which data is stored

CMS and web server (

All the data for the operation of the CMS and the delivery of the websites is held by the Swiss hosting provider ‘Aspectra’. Data is therefore exclusively stored in Switzerland and there is no data transferred abroad.
Log files aren’t shared with third parties.

Third parties:

Third parties appointed in this Data Protection Declaration can transfer and store personal data abroad, especially in the United States of America.
With regards to the guarantee of compliance with Swiss Data Protection Laws as well as compliance with the GDPR based on the effectiveness of specific agreements and possibly applicable additional guarantees, these third parties provide information in their designated Privacy Policies.