Privacy policy

§ 1 Information on collecting personal data

(1) In the following, we inform you about collecting personal data in the context of applying and enrolling to Hannover Medical School (MHH). Personal data are any data that can identify you as an individual, such as name, address, email addresses.

(2) The MHH Registrar’s office is responsible for collecting data in the context of application, enrolment and re-registration procedure as well as withdrawel from the university in accordance with Art. 4 Para. 7 of the EU General Data Protection Regulation (GDPR). The respective dean of studies is responsible for collecting data in the context of organising studies and examinations. You can contact our data protection officer at or at our postal address with the addition "Die Datenschutzbeauftragte, OE 0007”.

(3) MHH follows the legal requirements when processing student and applicant’s data. These are among others:

  • Collegiate Law of Lower Saxony (NHG)
  • Law on Higher Education Statistics (HStatG)
  • Regulations for the Licensing of Medical Doctors (ÄApprO)
  • Regulations for the Licensing of Dentists (ZÄPro)
  • Higher Education Admissions Regulation of Lower Saxony (NHZVO)
  • Part five of the German Social Security Code (SGB V).
  • MHH’s regulations for enrolment (ImmaO)
  • MHH’s selection regulations for the degree courses human medicine and dentistry (AuswahlO)
  • MHH’s selection regulations for international applications (AuswahlInt)


§ 2 Your rights

(1) Applicants and students have the following rights with regard to personal data concerning them:

  • Right of access by the data subject (Art. 15 EU GDPR),
  • Right to rectification (Art. 16 EU GDPR) or erasure* (Art. 17 EU GDPR),
  • Right to restriction of processing* (Art. 18 EU GDPR),
  • Right to notification regarding rectification or erasure of personal data or restriction of processing (Art. 19 EU GDPR),
  • Right to object to processing (Art. 19 EU GDPR),

           *unless the processing is mandatory on the basis of other legal bases

(2) You also have the right to complain to a data protection supervisory authority about the processing of your personal data by MHH.


§ 3 Collection of personal data during application, enrolment and the course of studies

(1) We only collect the personal data that we are obliged to collect in accordance with the legal basis stated in § 1 Para. 3 during the process of application, enrolment and the course of your studies. This includes:

  • Personal data (name, date of birth, place of birth, etc.)
  • Contact details
  • Details of your university entrance qualification
  • Details of your health insurance status
  • Information on study progress and performance
  • Proof of applications submitted
  • Photo for your student/guest student ID card, for the legally required record keeping in the Registrar’s office and, if applicable, for the purpose of study organisation.

(2) In return, you are obliged to provide us with the required data for the application, enrolment and further study organisation. If you do not provide us with the required data, it will not be possible to process your application, enrolment and organise your studies.

(3) The purpose of processing data is primarily to fulfil the tasks of the MHH in its function as a higher education institution in accordance with § 3 NHG. This includes, among other things, qualifying students for a profession, training young scientists, compiling statistics as well as evaluating and developing studies and teaching. In this context, the data is passed on to the IT services for creating your student email address, to the company’s medical service for regular examinations on infection protection as well as to the staff of the study deanery in order to organize courses and examinations. In the course of enrolment, names and email addresses are also passed on to the student representatives group “Gruppe für Erstsemesterarbeit (GEA)” exclusively for organising and realising an introductory event.

(4) Those authorised to access the collected data are the employees of the Registrar's office and Dean's office as well as the programme coordinators of the respective programmes, if they require the data to perform their duties. The data is stored exclusively on servers of the MHH or stored and destroyed as an analogue file on the premises of the MHH by the processing employees. An exchange of data with persons outside the MHH can take place in the context of procedures for administrative assistance with other authorities. Data is not transferred to third countries.


§ 4 Duration of storing data

(1) Storing, retaining and processing personal data takes place exclusively on the premises and servers of the MHH.

(2) The duration of storing your data in digital or analogue form is based on the relevant statutory storage obligations and the necessity of data retention/storage for the MHH, unless there are overriding interests. This also includes processing for research purposes (e.g. analyses of student’s progress and academic development) as well as for maintaining contacts of the MHH-Alumni e.V. association after completing your studies.

(3) The personal data will be processed until the purpose of the processing has been fulfilled and, after a subsequent retention period of 5 years, will be destroyed or anonymised in accordance with the provisions of the Lower Saxony Record Act (Nds. AktO).

(4) Notwithstanding the above, in connection with payment transactions your personal data will be kept for 10 years in accordance with the provisions of budgetary/tax law and will then be destroyed.

(5) Personal data that are necessary in connection with recreating a certificate (according to the circular of the MWK of 30.04.2013) or for preparing a proof of study time in order to apply for benefits from the German pension insurance are kept for 50 years.


§ 5 University portal/MHH Online Campus

Information on individual processing operations

Processing of Logfiles (Access Data)

When using this webservice the following data set is processed to provide the service and to detect and resolve errors within the system:

  • The requested URL
  • A code number indicating whether access to resources was successful or the error code respectively
  • Timestamp when the request was processed
  • Amount of transmitted data
  • IP address of the data subject in a condensed format

The IP address is stored in a shortened format, effectively making it impossible or at the very least requiring prohibitive and unreasonable amounts of effort to identify data subjects. All processing is carried out within the institution and is based on Art. 6 para. 1 lit. f GDPR, with the legitimate interest of the controller being the detection and resolution of system malfunctions and defence against attacks against its IT infrastructure. Logfile data is deleted after seven days.


User Account

For using non-public parts of this webservice (e.g. application or alumni management) a user account is required. The following data set is mandatory for the account creation and organisation:

  • Form of address
  • Given name and surname,
  • Email address,
  • Password, chosen by the user.

Without providing this dataset a user account cannot be created and non-public parts of this webservice cannot be accessed. The processing is based on Art. 6 para. 1 lit. e GDPR, its purpose being limiting access to non-public parts of Hannover Medical School‘s webservice to registered users only. Account data will not be made available to third parties unless to obey a legal obligation. The user account will be deleted 5 years after withdrawel from university at the end of the respective semester.