Data protection declaration in accordance with the GDPR

Provision of website and creation of log files

1. Description and scope of data processing
Any time our website is accessed, our system automatically records data and information concerning the accessing computer. The following data is recorded:

1. information on the browser type and version used
2. the user’s operating system
3. the user’s IP address
4. date and time of access
5. websites from which the user’s system was directed to our website
6. websites which the user’s system accesses via our website

The data is compiled in log files on our system, whereby the IP address is truncated immediately after collection, i.e. an IPv4 address is truncated to the first two bytes, an IPv6 address to the first 32 bits. Personal profiles cannot be generated based on truncated IP addresses. This data is not stored with other personal data of the user.

2. Legal basis for data processing
The legal basis for temporarily recording data and log files is Art. 6 (1 f) GDPR.

3. Purpose of data processing
The temporary storage of the IP address on our server is necessary for granting the user’s system access to our website. For this purpose, the user’s IP address must remain stored on our server for the duration of the session.

Data storage in log files is required to ensure the functionality of the website. Furthermore, the data enables us to optimise the website and guarantee the security of our IT systems. Data analysis for marketing-related purposes is not performed in this context.

The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.

4. Data storage period
The data is erased as soon as it is no longer required for the purpose it was requested. Data collected for website availability is deleted when the respective session has ended.

All data stored in log files is deleted within seven days. Data can be stored for longer. In such cases, the user’s IP address is truncated so that the querying client cannot be identified.

5. Right to object and options for avoidance
The website cannot be provided without recording the data, and the operation of the site on the Internet is impossible without storing the data in log files. There is correspondingly no option for the user to object.

Use of cookies

1. Description and scope of data processing
Our website uses cookies. Cookies are text files saved in or by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored in the user’s operating system. This cookie contains a unique character string that allows the website to identify the browser when it accesses the website again.

We use cookies to make our website more user-friendly. Some of our website’s elements need to be able to identify the accessing browser even after it has left the site.

When a user visits our website, he or she is notified that we use cookies for analysis purposes; the user’s permission to process personal data used in this context is obtained. This Data Protection Declaration is also referenced at this time.

2. Legal basis for data processing
The legal basis for processing personal data is Art. 6 (1 f) GDPR.

3. Purpose of data processing
Cookies are technically necessary to simplify using websites. Several of our website’s functions will not work without using cookies. These functions require the browser to be recognised again after leaving and returning to our website.

User data collected via technically required cookies is not used to create user profiles.

The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.

4. Data storage period, right to object, and options for avoidance
Cookies are stored on the user’s computer and transferred to our site. Consequently, you as the user have complete control over how cookies are used. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies to external websites. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser. If you disable cookies for our website, you may no longer be able to use the site’s full range of functions.

Matomo web analytics platform

1. Scope of processing personal data
Our website uses the open-source software tool Matomo (formerly PIWIK) for analysing the browsing behaviour of our users. Matomo uses cookies which are stored on your computer and allow for anonymised analysis of your session. Your IP address is immediately anonymised after processing and before storage to prevent its being attributed to a specific person.

2. Legal basis for processing personal data
The legal basis for processing personal data is Art. 6 (1 f) GDPR.

3. Purpose of data processing
We use Matomo to improve the quality of our website and its contents. It lets us know how our website is being used, allowing us to continually improve it.

4. Data storage period, right to object, and options for avoidance
Cookies used by Matomo are stored on the user’s computer and transferred to our site. Consequently, you as the user have complete control over how cookies are used. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser.

If you do not wish to have your data saved and analysed, you can withdraw your consent on cookie storage and usage at any time. In such cases, Matomo places an “opt-out cookie” onto your browser which prevents it from collecting any data during your visit to our website. If, however, you intentionally or unintentionally delete this cookie, your withdrawal of consent is cancelled and you will have to reactivate the opt-out cookie on your next visit.

Embedded videos via YouTube plugin

On some of our websites we embed videos via YouTube plugin. This video platform allows video publishers to post video clips free of charge and other users to view, rate and comment on them.

The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.

When you visit a page with a YouTube plugin, a connection to YouTube servers is established – only after activation by a click. Within the scope of this technical procedure, YouTube (and Google) receive knowledge of which specific sub-page of our website is visited by you. This takes place regardless of whether you play a video using the YouTube plugin or not.

The privacy policy published by YouTube, which is available at https://www.google.de/intl/de/policies/privacy/, provides information about the collection, processing and use of personal data by YouTube and Google.

We prevent the unconscious and unintentional collection and transmission of data to YouTube (and Google) when simply calling up a web page in which a video is embedded by means of a click solution: to activate a desired video, it must first be activated by clicking on the video image. A note about the activation of the YouTube plugin when clicking is also located below the video. Only the activation of the YouTube plugin by click triggers the collection of information and its transmission to YouTube. We ourselves do not collect any personal data by means of the plugins or about their use.

External services

We use various commercial search engines for queries. Some of these search engines use cookies, i.e. text files saved on your computer that allow for analysis of your use of our website. The information generated by the cookie on your usage of this website (including your non-anonymised IP address) is transferred to a server of the search engine operator, such as Google in the US, and saved there. The search engine operator can use this information to analyse your usage of the website, to compile reports on the website activities for the website operators, and to deliver additional services associated with website and Internet use. The search engine operator may also transfer this information to third parties if so specified by law or if the third parties process this data on behalf of the search engine operator. You can prevent cookies from being installed using the appropriate setting in your browser software; however we must point out that it may keep you from using all the functions on this website. By using these search query fields, you agree that the data search engine operator collects about you may be processed in the manner previously described and for the purpose previously stated.

The university makes available content from external sources, which may be in the form of pictures, documents, scripts, etc. In the process, personal data such as IP address, date of access and the like are transferred to the external source. We have no influence on the storage duration or possible analysis of such data.

We also use Frame technology to incorporate videos (such as YouTube, OpenStreetMap). Copyright reasons prevent us from realising this in any other way in many cases. Frame technology can trigger sending information such as the non-anonymised IP address or access date to the external provider when the page is accessed. It allows the external provider to save cookies on your computer which can be used for advertising purposes, etc. If you are logged into your YouTube or Google account, YouTube can associate your surfing behaviour with you personally. To avoid this, you should log off. Currently it is not technologically possible to implement an opt-out function in this case. If you want to avoid cookies, you can deactivate them in your browser.

Rights of the data subject

If your personal data is processed, you are a data subject as defined in the GDPR and consequently have the following rights:

1. Right of access
You are entitled to request information from the controller on whether we are processing any personal data related to yourself.

If we do, you can further request information from the controller on the following:

(1) the purposes for which the personal data is being processed;

(2) the categories of personal data processed;

(3) the recipients or categories of recipients to whom your personal data is or will be disclosed;

(4) the period for which your personal data is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period;

(5) whether you are entitled to demand correction or deletion of your personal data , to demand limitation of processing by the controller, or to object to processing;

(6) whether you are entitled to file a complaint with a supervisory authority;

(7) everything available on the data’s source if the entity you are enquiring with did not obtain it themselves;

(8) whether there was any automated decision-making and profiling as per Art. 22 (1) and (4) GDPR and – at least where such was the case – useful information on the underlying logic and the impact and desired effects of this processing on the data subject.

You are entitled to request information on whether your personal data will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to Art. 46 GDPR related to the transmission.

Where data is processed for research or statistical purposes, the right of access can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

2. Right to rectification
You are entitled to request that the controller corrects and/or completes your personal data if this data is incorrect or incomplete. The controller is obliged to do so without delay.

Where data is processed for research or statistical purposes, the right of rectification can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

3. Right to restriction of processing
You can request limits to the processing of your personal data if the following applies:

(1) If you contest the correctness of your personal data for a period that allows the controller to check the data’s correctness

(2) Processing of the data is illegal and you object to deletion of the data in favour of restricting the personal data’s use;

(3) The controller no longer requires the personal data for the purposes of processing, but you need it to assert, exercise, or defend a legal claim; or

(4) You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the controller’s legitimate interests outweigh your own.

If the processing of your personal data has been restricted, such data may be processed – apart from its storage – only with your consent, or for the purpose of asserting, exercising, or defending rights, or protecting the rights of another individual or legal entity, or on grounds of important public interest of the European Union or any Member State.

If processing has been restricted in accordance with the above conditions, you will be notified by the controller before the restriction is lifted.

Where data is processed for research or statistical purposes, the right to limitation of processing can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

4. Right to erasure

a. Obligation to delete

You can request that the controller delete your personal data immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies:

(1) Your personal data is no longer required to achieve the purposes for which it was collected or otherwise processed.

(2) You withdraw your consent under which processing became legitimate as per Art. 6 (1 a) or Art. 9 (2 a) GDPR, and there is no other legal basis for processing.

(3) You object to processing as per Art. 21 (1) GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per Art. 21 (2) GDPR.

(4) Your personal data has been processed unlawfully.

(5) Deletion of your personal data is necessary for the controller to fulfil a legal obligation imposed by European Union law or the national laws of European Union member states.

(6) Your personal data has been collected in connection with the offer of information society services as per Art. 8 (1) GDPR.

b. Notification of third parties

If the controller has published your personal data and has become obliged to delete it as per Art. 17 (1) GDPR, the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.

c. Exceptions

The right to erasure becomes void if processing is necessary

(1) to exercise of the right to free expression and information;

(2) to fulfil a legal obligation requiring the controller to process the data imposed by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the controller;

(3) in the interests of public health and safety as per Art. 9 (2 h and i) and Art. 9 (3) GDPR;

(4) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per Art. 89 (1) GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes;

(5) to assert, exercise, or defend legal claims.

5. Notification obligation
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is under obligation to notify all recipients to whom your personal data has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The controller is exempted from this obligation where such notification proves impossible or unreasonable.

You have the right to be informed of who these recipients are.

6. Right to data portability
You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without the controller to whom you have provided the data hindering you from doing so and if

(1) you have consented to processing as per Art. 6 (1 a) GDPR or Art. 9 (2 a) GDPR or processing is governed by a contract as per Art. 6 (1 b) GDPR and

(2) processing occurs using automated methods.

When exercising this right, you can further request a controller to send your personal data directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others.

The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller.

7. Right to object
You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data where processing is legitimised by Art. 6 (1 e or f) GDPR; this applies in equal measure to profiling legitimised by these provisions.

The controller will cease to process your personal data unless the controller can prove compelling legitimate reasons for processing that override your interests, rights, and liberties, or processing pursues the assertion, exercise, or defence of legal claims.

If your personal data is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising.

If you object to processing for direct advertising, your personal data will no longer be processed for this purpose.

You may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications.

You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data collected for scientific or historical research or statistical purposes pursuant to Art. 89 (1) GDPR.

Where data is processed for research or statistical purposes, the right to object can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.

8. Right to withdraw your consent under data protection law
You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect the legitimacy of any processing that has occurred with your consent prior to withdrawal.

9. Automated individual decision-making, including profiling
You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision

(1) is necessary to allow conclusion or fulfilment of a contract between yourself and the controller,

(2) is legitimate under the legal provisions of the European Union or its member states to which the controller is subject and these legal provisions include appropriate measures safeguarding your rights, liberties, and legitimate personal interests, or

(3) is made with your express consent.

However, such decisions may have been made based on personal data of special categories as per Art. 9 (1) GDPR unless Art. 9 (2 a or g) GDPR also apply and appropriate measures have been taken to protect your rights, liberties, and legitimate personal interests.

With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties, and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the controller’s, to put forward your own opinion, and to contest the decision.

10. Right to complain to a supervisory authority
If you believe that processing of your personal data is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you, your place of work, or the locale of the alleged infringement are located. This does not affect your recourse to other administrative or judicial remedies.

The supervisory authority receiving the complaint will keep the appellant up to date on the status and results of the complaint, including on recourse to judicial remedies as per Art. 78 GDPR.