Privacy Policy on the Joint Controllership of the Ecosystem

As of: 04.07.2023

The Technical University of Munich (TUM), UnternehmerTUM GmbH and TUM Venture Labs Management gGmbH see themselves together as an "ecosystem" in the field of entrepreneurship, start-up support and start-up promotion, which offers the best possible conditions for start-ups, especially for students and employees of TUM, but also for related and other target groups. Within this ecosystem, the target groups are offered various programmes, formats and events that are intended to promote the entrepreneurial skills of the participants and support them on their way to founding a company. In order to be able to offer and implement these offers in the most target-oriented way possible, the parties operate a joint database with contact data of participants and information on their spin-off/ start-up projects as well as relevant specifications and contents of the various programmes, formats and/or events.

1. Joint Controllership

The participants in the ecosystem have jointly determined the purposes and means of data processing and are therefore jointly responsible for the processing of personal data, Art. 26 (1) sentence 1 GDPR.

Jointly responsible are the:

Technical University of Munich
Arcisstrasse 21
80333 Munich

UnternehmerTUM GmbH

Lichtenbergstraße 6

85748 Garching

TUM Venture Labs Management gGmbH

Lichtenbergstraße 6

85748 Garching

  • hereinafter also collectively referred to as "the parties involved in the ecosystem".

2. Contact details of the data protection officers

Data Protection Officer of the Technical University of Munich

Arcisstrasse 21
80333 Munich

Data Protection Officer of UnternehmerTUM GmbH

Alexander Stolberg-Stolberg
SVF Lawyers
Oberanger 30
80331 Munich

Data Protection Officer of TUM Venture Labs Management gGmbH

Alexander Stolberg-Stolberg
SVF Lawyers
Oberanger 30
80331 Munich

3. Categories of data

Within the scope of shared responsibility, we regularly process the following data:

  • Contact data

  • Account data of the related organization/institution (e.g., company/start-up, professorship/chair)

  • Pitch decks and application documents relevant for inclusion in funding and incubation programs

  • Image and video files

  • Overview of contact points within the ecosystem journey

  • Information from consulting interviews

  • Information on company and team developments

  • Documentation of mandatory dates and milestones in funding programs

4. Common purposes and means of data processing

The purpose of the processing is to build a joint ecosystem in the area of start-up support around the Technical University of Munich, its associated institute UnternehmerTUM and the joint TUM Venture Labs Initiative. Those interested in founding, founders and alumni are to be guided through this ecosystem in a targeted and efficient manner so that they can be provided with the best possible support geared to their respective needs.

The basis of such a joint ecosystem and its customer and stakeholder orientation is a uniform, resilient database with regards to the offers of the parties and the individuals and founding teams participating in them. The collected and processed data shall be used for the implementation of programmes, formats and events including advisory meetings as well as for sending information (e.g. about competitions, support and qualification offers, teaching events, infrastructure, events and event invitations, feedback opportunities). Furthermore, the collected and processed data shall be used for analysis and evaluation as well as reporting purposes, for marketing activities, for transfer within the ecosystem for the mediation of offers, for sending personalised addresses (e.g. for experts, mentors, speakers) and for recruiting for vacant staff positions within the ecosystem.

The data stored on the basis of consent will be processed for the above purpose. For this purpose, the data is stored in particular in the IT infrastructure of UnternehmerTUM GmbH and stored in shared databases. The data is collected and entered by the party responsible for the respective section of the ecosystem journey (e.g. a qualification offer, a consulting service, an event or the provision of infrastructure). A certain amount of data that is relevant for the entire ecosystem journey will be visible and usable for all parties involved (e.g. contact and account data, pitch decks, overview of contact points within the ecosystem journey, information from advisory meetings and on company and team developments). The data collected and processed will not be passed on to third parties outside the three contracting parties involved in the ecosystem.

5. Legal basis

Article 6 I lit. a GDPR serves as the legal basis for processing operations in which we obtain consent for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I lit. b GDPR. The same applies to processing operations that are necessary for the performance of pre-contractual measures, for example in the case of enquiries about our products or services. If our company is subject to a legal obligation by which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR. Individual processing operations may be based on Art. 6 I lit. f GDPR if none of the aforementioned legal bases apply and the processing is necessary to protect a legitimate interest, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.

6. Newsletter via Mailchimp

We use Mailchimp by The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE Suite 5000, Atlanta, GA 30308 USA (Mailchimp) to send the newsletter and other information on the ecosystem. This allows us to contact customers and interested individuals directly. In addition, we analyse your usage behaviour in order to optimise our offer. For this purpose, we pass on the e-mail address provided to Mailchimp.

Mailchimp is the recipient of your personal data and acts as a processor for us as far as the sending of our newsletter is concerned. The processing of the data provided in this section is neither legally nor contractually required. Without your consent and the transmission of your personal data, we cannot send out a newsletter to you.

In addition, Mailchimp collects the following personal data using cookies and other tracking methods: Information about your terminal device (IP address, device information, operating system, browser ID, information about the application you use to read your emails and other information about hardware and internet connection. In addition, usage data is collected such as date and time, when you opened the email / campaign and browser activity (e.g. which emails / web pages were opened). Mailchimp needs this data to ensure the security and reliability of the systems, compliance with the terms of use and the prevention of misuse. This corresponds to the legitimate interest of Mailchimp (according to Art. 6 para. 1 lit. f GDPR) and serves the execution of the contract (according to Art. 6 para. 1 lit. b GDPR). Mailchimp also evaluates performance data, such as email delivery statistics and other communication data. This information is used to create usage and performance statistics for the services. Mailchimp also collects information about you from other sources. In an unspecified period and scope, personal data is collected via social media and other third party data providers. We have no influence on this process.

You can find further information on objection and removal options vis-à-vis Mailchimp at:

The legal basis for this processing is your consent in accordance with Art. 6 para. 1 lit. a GDPR. You can revoke your consent to the processing of your personal data at any time. A corresponding link can be found in all mailings. In addition, the revocation can be made via the specified contact options. The declaration of revocation does not affect the lawfulness of the processing carried out to date.

Your data will be processed as long as a corresponding consent has been given. Apart from that, they will be deleted after the termination of the contract between us and Mailchimp, unless legal requirements make further storage necessary. Mailchimp has implemented compliance measures for international data transfers. These apply to all global activities where Mailchimp processes personal data of individuals in the EU. These measures are based on the EU Standard Contractual Clauses (SCCs). For more information, please visit:

7. Responsibilities for individual phases of data processing

7.1. Collection and storage of personal data

The personal data collected is stored in a shared database. We use the service provider Salesforce for this purpose. The operating company of Salesforce is Germany GmbH

Erika Mann Str. 31

80636 Munich


Salesforce's privacy policy can be viewed here:

We are supported by an agency in the administration and maintenance of the database. These are:

cloudworx GmbH

Rupert-Mayer-Straße 44, Building 64.07a

81379 Munich

The privacy policy of cloudworx can be viewed here:

7.2. Collection and storage of personal data

The data collected within the scope of joint responsibility will not be disclosed to third parties without expressed consent or the existence of another legal basis within the meaning of Art. 6 GDPR.

7.3. Use of personal data

The above-mentioned parties involved in the ecosystem may use the data for the purposes mentioned under point 4 insofar as the data subject has consented to the corresponding use or other legal bases within the meaning of Art. 6 GDPR apply.

7.4. Responsibility for data processing

The above-mentioned parties involved in the ecosystem are jointly responsible for the lawfulness of all data processing operations, notwithstanding the details of the joint responsibility agreement pursuant to Art. 26(1) GDPR.

Within the framework of joint responsibility, the parties involved have also agreed on the following responsibilities:

Process section


Provision and maintenance of the database management system (Salesforce), information to data subjects, deletion according to deletion deadlines or on request, statistics

UnternehmerTUM GmbH

Exercise of the information obligations in the event of a personal data breach

Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the infringement

Collecting and entering data

Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the party responsible for collecting the data in each case

Use of the data in accordance with the General Consent for the primary use cases in accordance with the purpose of the data processing stated under point 4

Technical University of Munich, UnternehmerTUM GmbH, TUM Venture Labs Management gGmbH - the respective party responsible for the performance

The contact addresses of the parties for the purpose of notifying the respective responsible persons can be found in sections 1 and 2 of this privacy statement.

8. Data subjects' rights

The following obligations exist for the exercise of the rights of the data subjects:

8.1. Fulfilment of the information obligations

All parties involved in the ecosystem ensure compliance with the information obligations when collecting personal data pursuant to Art. 13 GDPR (collection from the data subject) and Art. 14 GDPR (collection not from the data subject).

For this purpose, we provide the information required in each case free of charge in a precise, transparent, comprehensible and easily accessible form in clear and simple language.

8.2. Processing and responding to requests for the exercise of data subjects' rights

Data subjects may contact any party involved in the ecosystem to exercise their respective data subject rights. In such a case, the other parties involved in the ecosystem are obliged to forward the data subject's request to the other parties involved.

8.3. Security of data processing

The parties involved in the ecosystem shall ensure that all appropriate technical and organisational measures are implemented in such a way that the data processing is carried out in accordance with the requirements of applicable data protection regulations (in particular the GDPR) and ensures the protection of the rights of the data subject.

8.4. The use of processors

The parties involved in the ecosystem may use the services of third parties to process data on their behalf ("processors").

Currently, these are Germany GmbH and cloudworx GmbH (cf. Section 7.1 of this data protection declaration).