Privacy statement

IV. General information on data processing

Description and scope of the data processing

As a matter of principle, we only process our users' personal data to the extent necessary for providing a functional website and our contents and services. Our users' personal data are regularly only processed following consent from the users. An exception applies in cases in which prior consent is not possible for factual reasons and the processing of the data has been permitted by statutory directives.

Legal basis for the processing of personal data

To the extent that we obtain consent from the data subject for processing of personal data, Art. 6 subsection 1 lit. a EU General Data Protection Regulation (GDPR) acts as the legal basis. In the processing of personal data necessary for fulfilment of a contract to which the data subject is a party, Art. 6 subsection 1 lit. b GDPR acts as the legal basis. This also applies to processing necessary for the implementation of pre-contractual measures. To the extent that processing of personal data is necessary for fulfilment of a legal obligation to which our university is subject, Art. 6 subsection 1 lit. c GDPR acts as the legal basis. In the event of vital interests of the data subject or any other natural entity making processing of personal data necessary, Art. 6 subsection 1 lit. d GDPR acts as the legal basis. If the processing is necessary to safeguard a legitimate interest of our university or a third party and if the interests, basic rights and basic freedoms of the data subject do not override the first named interest, Art. 6 subsection 1 lit. f GDPR acts as the legal basis for the processing.

Data erasure and period of storage

The data subject's personal data are erased or blocked as soon as the purpose of the storage no longer applies. Storage can take place over and above this if this has been provided for by European or national legislation in Union law ordinances, acts or other directives to which the controller is subject. Blockage or erasure of the data is also done if an archiving period prescribed by the aforementioned norms expires, unless there is a necessity of further storage of the data for conclusion of a contract or fulfilment of a contract.

V. Provision of the website and production of logfiles

Description and scope of the data processing

Each time our internet site is accessed, our system automatically records data and information from the system of the accessing computer. The following data are recorded in this context:

• the user's IP address
• date and time of the access

The data are stored in our system's logfiles. These data are not stored together with other personal data of the user.

Legal basis for the data processing

The legal basis for the temporary storage of the data and the logfiles is Art. 6 subsection 1 lit. f GDPR

Purpose of the data processing

Temporary storage of the IP address by the system is necessary in order to make a supply of the website to the user's computer possible. For this, the user's IP address must remain stored for the duration of the session.

Storage in the logfiles is done in order to ensure the functionality of the website. In addition, the data help us to optimise the website and to ensure the security of our information technology systems. Evaluation of the data for marketing purposes is not done in this connection.

These purposes are also our legitimate interest in the data processing according to Art. 6 subsection 1 lit. f GDPR.

Duration of storage

The data are erased as soon as they are no longer necessary to reach the purpose of their collection. In the event of recording of the data to provide the website, this is the case when the session in question has ended.

In the case of storage of the data in the logfiles, this is the case after 14 days at the latest. Storage over and above this is possible. In this case, the users' IP addresses are erased or alienated, with the result that allocation of the accessing client is no longer possible.

Possibilities of objection and removal

Recording of data for provision of the website and storage of the data in logfiles is absolutely necessary for the operation of the internet site. As a result, the user has no possibility of objection.

VI. Use of cookies

Description and scope of the data processing

Our website uses cookies. Cookies are text files which are stored in the internet browser or by the internet browser on the user's computer system. If a user accesses a website, a cookie can be stored in the operating system. This cookie contains a characteristic series of characters, which makes unambiguous identification of the browser possible when the website is accessed again.

We use cookies in order to make this website more user-friendly. Some elements of our internet site require that the accessing browser can be identified even after a change of site.

The following data are stored and transmitted in the cookies:

• Log-in information

On our website, we additionally use cookies which make an analysis of the users' surfing conduct possible. In this way, the following data can be determined:

• frequency of page accesses
• use of website functions
• time spent on sites
• sites from which an access to the site has taken place
• sites which a user has surfed to after visiting our site

The users' data collected in this way are pseudonymised by technical measures. For this reason, allocation of the data to the accessing user is no longer possible. The data are not stored together with other personal data from the users.

When they access our website, the users are informed about the use of cookies for analysis purposes and reference is made to this privacy statement by an info banner. In this context, there is also reference to how the storage of cookies can be suppressed in the browser settings.

Legal basis for the data processing

The legal basis for the processing of personal data making use of cookies is Art. 6 subsection 1 lit. f GDPR.

Purpose of the data processing

The purpose of the use of technically necessary cookies is simplifying the use of websites for the user. Some functions of our internet site cannot be offered without the use of cookies. For them, it is necessary that the browser is recognised again even after a change of sites.

We need cookies for the following applications:

• provision of areas protected by a log-in
• views with a number of tabs use a cookie to note which tab was active last

The user data collected by technically necessary cookies are not used for the production of user profiles.

Analysis cookies are used for the purpose of improving the quality of our website and its contents. With the analysis cookies, we find out how the website is used and can thus permanently improve our offer.

These purposes are also our legitimate interest in the data processing according to Art. 6 subsection 1 lit. f GDPR.

Duration of storage, possibilities of objection and removal

Cookies are stored on the user's computer and transmitted to our site by it. Therefore, you as the user have complete control over the use of cookies. By changing the settings in your internet browser, you can deactivate or limit the transmission of cookies. Cookies which have already been stored can be deleted again at any time. This can also be done in an automated way. If cookies are deactivated for our website, it is possible that not all the functions of the website can be used to the complete extent any more.

VII. Contact forms and e-mail contact

Description and scope of the data processing

Our internet site contains contact forms, which can be used for making electronic contact. If a user makes use of this possibility, the data input into the mask are transmitted to us and stored.

For the processing of the data, your consent is obtained in the course of the transmission process and reference is made to this privacy statement.

As an alternative, contact via a provided e-mail address can be possible. In this case, the user's personal data transmitted with the e-mail are stored.

In this context, no data are forwarded to third parties. The data are exclusively used for the processing of the conversation.

Legal basis for the data processing

The legal basis for the processing of the data if the user has consented is Art. 6 subsection 1 lit. a GDPR.

The legal basis for the processing of the data transmitted in the course of transmission of an e-mail is Art. 6 subsection 1 lit f GDPR. If the e-mail contact aims at the conclusion of a contract, an additional legal basis for the processing is Art. 6 subsection 1 lit b GDPR.

Purpose of the data processing

The processing of the personal data from the input mask only serves us for attending to the contact. In the event of a contact by e-mail, this is also the necessary legitimate interest in the processing of the data. The other personal data processed during the transmission process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

Duration of storage

The data are erased as soon as they are no longer necessary to reach the purpose of their collection. For the personal data from the input mask of the contact form and those transmitted by e-mail, this is the case when the conversation in question with the user has been ended. The conversation has ended when it can be seen from the circumstances that the facts of the matter in question have finally been clarified.

The personal data additionally collected during the transmission process are erased after a period of seven days at the latest.

Possibilities of objection and removal

The user has the possibility at any time of withdrawing his/her consent to the processing of the personal data. If the user gets into contact with us via e-mail, he/she can object to the storage of his/her personal data at any time. In such a case, the conversation cannot be continued.

All personal data stored in the course of the contact shall be deleted in such a case.

VIII. Web analysis by Matomo

Scope of the processing of personal data

We use the Matomo open source software tool (formerly Piwik) on our website for analysis of our users' surfing conduct. The software places a cookie on the user's computer (see above, Cookies). If individual pages of our website are accessed, the following data are stored:

• two bytes of the IP address of the user's accessing system
• information about the browser type and the version used
• the user's operating system
• date and time of the access
• websites from which the user's system came to our internet site
• websites accessed by the user's system via our website
• the frequency of page accesses
• the duration spent on the website

The software runs exclusively on the servers of our website. Storage of the users' data is only done there. There is no forwarding of the data to third parties.

The software has been set such that the IP addresses are not completely stored, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, allocation of the curtailed IP address to the accessing computer is no longer possible.

Legal basis for the processing of personal data

The legal basis for the processing of personal data making use of cookies is Art. 6 subsection 1 lit. f GDPR.

Purpose of the data processing

Processing of the users' personal data enables us to analyse our users' surfing conduct. By evaluating the data obtained, we are in a position to collate information about the use of the individual components of our website. This helps us permanently to improve our website and its user-friendliness. These purposes are also our legitimate interest in the processing of the data according to Art. 6 subsection 1 lit. f GDPR. By anonymisation of the IP address, the users' interest in protection of their personal data is sufficiently taken into account.

Duration of storage

The data are erased as soon as they are no longer needed for our recording purposes. In our case, this happens after 90 days.

Possibilities of objection and removal

Cookies are stored on the user's computer and transmitted to our site by it. Therefore, you as the user have complete control over the use of cookies. By changing the settings in your internet browser, you can deactivate or limit the transmission of cookies. Cookies which have already been stored can be deleted again at any time. This can also be done in an automated way. If cookies are deactivated for our website, it is possible that not all the functions of the website can be used to the complete extent any more.

On our website, we offer our users the possibility of an opt-out from the analysis procedure. For this, you must click on the pertinent link. In this way, a further cookie is set in your systems, signalising to our system not to store the user's data. If the user deletes the cookie in question from his/her own system in the meantime, the opt-out cookie must be set again.

You will find more information on the private sphere settings of the Matomo software under the following link: matomo.org/docs/privacy.

IX. Data subject's rights

If personal data of yours are processed, you are the data subject within the meaning of the GDPR and the following rights accrue to you against the controller:

Right to information

You can demand a confirmation from the controller whether personal data concerning you are processed by us.

If such a processing exists, you can demand information from the controller about the following matters:

1. the purposes for which the personal data are being processed;
2. the categories of personal data which are being processed;
3. the recipients or categories of recipients towards whom the personal data concerning you have been disclosed or will be disclosed;
4. the planned duration of storage of the personal data concerning you or, if specific statements are not possible on this, criteria for the stipulation of the duration of storage;
5. the existence of a right to rectification or erasure of the personal data concerning you, of a right to restriction of the processing by the controller or of a right of objection against this processing;
6. the existence of a right to complain to a supervisory authority;
7. all available information about the origin of the data if the personal data have not been collected from the data subject;
8. the existence of automated decision-making including profiling according to Art. 22 subsection 1 and 4 GDPR and – at least in these cases – meaningful information about the logic involved and the implications and the intended effects of such a processing for the data subject.

You have the right to demand information about whether the personal data concerning you are transmitted to a third country or to an international organisation. In this context, you can demand being informed about the appropriate safeguards according to Art. 46 GDPR in connection with the transmission.

Right to rectification

You have a right to rectification and/or completion against the controller to the extent that the processed personal data concerning you are incorrect or complete. The controller must make the rectification without delay.

Right to restriction of the processing

Under the following preconditions, you can demand restriction of the processing of the personal data concerning you:

1. if you dispute the correctness of the personal data concerning you for a duration enabling the controller to verify the correctness of the personal data;
2. the processing is unlawful and you reject the erasure of the personal data and instead demand restriction of the use of the personal data;
3. the controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercising or defence of legal claims, or
4. if you have made an objection against the processing according to Art. 21 subsection 1 GDPR and it is not yet clear whether the controller's legitimate reasons override your reasons.

If the processing of the personal data concerning you has been restricted, these data may only be processed – apart from their storage – with your consent or for the establishment, exercising or defence of legal claims or to protect the rights of another natural or legal entity or for reasons of an important public interest of the Union or of a member state.

If the processing has been restricted according to the aforementioned preconditions[KL1] , you will be notified by the controller before the restriction is rescinded.

Right to erasure

Erasure duty

You can demand from the controller that the personal data concerning you are erased without delay and the controller is obliged to erase these data insofar as one of the following reasons applies:

1. the personal data concerning you are no longer necessary for the purposes for which they were collected or processed in any other way.
2. you withdraw your consent on which the processing was based according to Art. 6 subsection 1 lit. a or Art. 9 subsection 2 lit. a GDPR and there is no other legal basis for the processing.
3. you object to the processing according to Art. 21 subsection 1 GDPR and there are no overriding legitimate reasons for processing or you object to the processing according to Art. 21 subsection 2 GDPR.
4. the personal data concerning you have been processed unlawfully.
5. the erasure of the personal data concerning you is necessary to fulfil a legal obligation according to Union law or the law of the member states to which the controller is subject.
6. the personal data concerning you have been collected in relation to information society services according to Art. 8 subsection 1 GDPR.

Information to third parties

If the controller has made the personal data concerning you public and if it is obliged to erasure pursuant to Art. 17 subsection 1 GDPR, it shall take suitable measures, also of a technical nature, taking the available technology and the costs of implementation into due account, in order to inform controllers for the data processing of personal data about the fact that you as a data subject have demanded erasure of all links to these personal data or copies or replications of these personal data from them.

Exceptions

The right to erasure does not exist to the extent that processing is necessary

1. for exercising the right to a free expression of an opinion and information;
2. to fulfil a legal obligation which requires processing according to Union law or the law of the member states to which the controller is subject or for attending to a task which is in the public interest or is carried out in the public interest or in the exercise of official authority which has been vested in the controller;
3. for reasons of public safety in the area of public health pursuant to Art. 9 subsection 2 lit. h and i and also Art. 9 subsection 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes according to Art. 89 subsection 1 GDPR, to the extent that the right stated under Section a) is likely to render impossible or seriously impair the achievement of the specific purposes;
5. to establish, to exercise or to defend legal claims.

Right to notification

If you have claimed the right to rectification, erasure or restriction of the processing against the controller, the latter is obliged to notify this rectification or erasure of the data or restriction of the processing to all recipients to whom the personal data concerning you have been disclosed, unless this proves to be impossible or to be connected with disproportionate efforts.

You have the right against the controller to be informed about these recipients.

Right to data portability

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit these data to another controller without hindrance from the controller to whom the personal data were provided, insofar as

1. the processing is based on consent pursuant to Art. 6 subsection 1 lit. a GDPR or Art. 9 subsection 2 lit. a GDPR or on a contract pursuant to Art. 6 subsection 1 lit. b GDPR and
2. the processing is carried out by automatic means.

In exercising this right, you further have the right to have the personal data concerning you transmitted directly from one controller to another controller to the extent that this is technically feasible. Freedoms and rights of other persons may not be impaired by this.

The right to data portability does not apply to a processing of personal data which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object

You have the right to object at any time, on grounds relating to your particular situation, to processing of personal data concerning you which is based on Art. 6 subsection 1 lit. e or f GDPR, including profiling based on these provisions.

The controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves establishment, exercising or defence of legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the right to object to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling to the extent that it is connected with such direct advertising.

If you object to processing for the purpose of direct advertising, the personal data concerning you will no longer be processed for these purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you have the opportunity of exercising your right to object by automated means using technical specifications.

Right to withdraw the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of the consent does not affect the lawfulness of the processing done on the basis of the consent until its withdrawal.

Automated individual decision-making including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

1. is necessary for entering into, or performance of, a contract between you and a data controller,
2. is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
3. is based on your explicit consent.

However, these decisions may not be based on specific categories of personal data according to Art. 9 subsection 1 GDPR, insofar as Art. 9 subsection 2 lit. a or g GDPR does not apply and suitable measures have been taken to protect rights and freedoms and your legitimate interests.

In the cases referred to in (1) and (3), the controller shall take suitable measures in order to safeguard rights and freedoms and your legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

Right to complain to a supervisory authority

Without prejudice to any other administrative law or judicial remedy, you have the right to complain to a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78, GDPR.