IDENTITY AND CONTACT DETAILS OF THE CONTROLLER
University of Applied Sciences Erfurt,
represented by the President Prof. Dr. Frank Setzer
Altonaer Straße 25
Tel.: +49 361 6700-7011/-7012
Fax: +49 361 6700-7021
DATA PROTECTION OFFICER
Prof. Dr.-Ing. Kay Gürtzig
Tel.: +49 361 6700-5513
GENERAL FACTS ABOUT THE PROCESSING OF PERSONAL DATA
Scope of Processing
Generally, we only process the personal data of our users to the extent that it is necessary for the provision of a functional website as well as our contents and services. The processing of our users’ personal data is usually based on their explicit consent, with the exception of cases where factual reasons do not allow the prior request of consent or the processing of the data is allowed in compliance with legal obligations.
Lawfulness of Processing
Provided we request the consent of the individual for the processing of their personal data, our legal basis is point (a) of Article 6(1) General Data Protection Regulation of the EU (GDPR).
Regarding the processing of personal data required for the performance of a contract to which the data subject is party, the legal basis is point (b) of Article 6(1) GDPR. This also applies for processing activities in order to take preparatory steps before entering into a contract.
As far as the processing of personal data is required for compliance with legal obligations our institution is subject to, point (c) of Article 6(1) GDPR is the legal basis.
If the protection of vital interests of the data subject or another natural person require the processing of personal data, our legal basis shall be point (d) of Article 6(1) GDPR.
If processing is necessary to protect legitimate interests pursued by our institution or by a third party except where these are overridden by the interests or fundamental rights and freedoms of the data subject, our legal basis is point (f) of Article 6(1) GDPR.
Erasure of Data and Storage Period
The personal data of the data subject will be erased or their processing restricted as soon as the purpose for which they were collected no longer exists. Processing may continue, however, if a European Union or national law or other legal obligation to which our institution is subject so requires. An erasure or restriction of processing will also take place if the storage time limits envisaged by the named obligations expire, except where there is a necessity to further store or process the data in order to enter into a contract or to perform a contract.
COLLECTION OF INFORMATION
The University of Applied Sciences Erfurt collects and automatically stores in its server log files the following categories of information transmitted by your browser:
- browser type / version
- operating system in use
- website from which the access takes place (referrer)
- host name of the requesting computer (IP address)
- date and time of the server request
- name and URL of the requested content
- quantity of data transmitted
- flag whether the request was successful (HTTP status code)
These data cannot be assigned to specific persons by the University of Applied Sciences Erfurt. They are used to analyse system security and stability, to investigate abusive activities, and to ensure the comfortable performance of our website. These data will not be combined with other sources of data. Moreover, the data will be regularly erased after statistical analysis. They will not be transferred to third parties.
The legal basis for this processing is point (f) of Article 6(1) GDPR.
This site uses SSL encryption for security reasons and to protect the transmission of all contents.
An encrypted connection can be recognised by the address field of your browser changing from “http://” to “https://” and from the lock symbol in your browser line.
In order to facilitate the use of our website, so-called “cookies” are used. Cookies are small text files that are created by the web server and sent to your internet browser, which saves them or stores them locally on your computer.
If you configure your browser in such a way that it generally denies cookies, we would like to draw your attention to the fact that you might not be able to use the full range of functions and services of our website.
Two categories of cookies may be employed:
- Essential cookies
- Statistic cookies
The essential cookies apply to security-related functions and your privacy preferences. When you log in to an access-limited region of the web pages, a personalised database entry, consisting of a session ID, an anonymised IP address, a timestamp, a user ID, and session data, will be created. It will be removed again on logging out. In addition, a personalised cookie will be placed, which will be removed at the end of the browser session.
On our website, we use the open-source software Matomo for the analysis of the surfing behaviour of our users. This is to help us continuously improve our website and its usability. The legal basis of this processing is your freely given consent. The software will place a cookie on your computer, provided you have given your consent (for information regarding cookies, see above).
When certain pages of our website are accessed, then the following data, pseudonymised by technical measures, will be stored:
- two bytes of the IP address of your system;
- the website accessed;
- the website from which you accessed the website (referrer);
- the subpage links you followed from the website accessed;
- the period of time spent on the website;
- the access frequency of the website.
The analytical software exclusively runs on dedicated servers within the University of Applied Sciences Erfurt. The analytical data are only stored there, separate from any other personal data. None of these data are transmitted to third parties.
If personal data (e.g. name, address, or e-mail address) are collected on certain forms on our website (e.g. a contact form), this will always be on a voluntary basis. In the forms, only those fields will be mandatory that are inevitably needed for using our service.
If you communicate a request via a contact form, then the values of the completed form fields, including your contained contact data, will be stored in order to respond to your application and for the case of potential follow-ups. Your transmitted data will not be disclosed or transferred to third parties without your explicit consent.
On this occasion we emphasise that data transfer through the internet (e.g. communication via e-mail) may be vulnerable to security leaks. A seamless protection of data against unauthorized access by third parties is not possible.
More specific information about purposes, legal basis, period of storage, and responsibilities may be found on or with the respective forms.
VIDEO EMBEDDING VIA YOUTUBE
On our web pages, videos are usually embedded in such a way that, upon accessing the page, no connection to YouTube is established (no-cookie preference). Not before the preview image is explicitly clicked on will a connection to the YouTube server be started.
RIGHTS OF DATA SUBJECTS
If we process your personal data, you are the “data subject” as defined in the GDPR and are thus entitled to the following rights in relation to us as the “controller”:
Right of Access
You may obtain from the controller confirmation as to whether or not personal data concerning you are being processed.
If such processing is performed then you are entitled to obtain from the controller access to the following information:
- the purposes of the processing;
- the categories of personal data concerned;
- the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
- the right to lodge a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source.
You have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to any transfer of your personal data to a third country or to an international organisation.
With regard to data processing for purposes of scientific, historical or statistical research, the right of access may be limited if it would render impossible or seriously impede the achievement of these research purposes and if its restriction is necessary for the achievement of the research or statistical purposes.
Right to Rectification
You have the right to rectification and/or completion without undue delay from the controller if the processed personal data concerning you are inaccurate or incomplete.
With regard to data processing for purposes of scientific, historical or statistical research, your right to rectification may be limited if it would render impossible or seriously impede the achievement of these research purposes and if its restriction is necessary for the achievement of the research or statistical purposes.
Right to Restriction of Processing
You have the right to obtain from the controller restriction of processing of personal data concerning you where one of the following applies:
- if you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
- we (the controller) no longer need the personal data for the purposes of the processing, but you require the data for the establishment, exercise or defence of legal claims;
- you have objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override yours.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If restriction of processing according to the above indications has been obtained then you shall be informed by the controller before the restriction is lifted.
With regard to data processing for purposes of scientific, historical or statistical research, derogations from the right to restriction of processing may be provided if it would render impossible or seriously impede the achievement of these research purposes and if the derogation is necessary for the achievement of the research or statistical purposes.
Right to Erasure
a) Obligation to erasure
You may obtain from the controller the erasure of your personal data without undue delay where one of the following grounds applies:
- The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
- You withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing.
- You object to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2).
- The personal data have been unlawfully processed.
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
- The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).
b) Informing third parties
Where the controller has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
The right to erasure shall not apply to the extent that processing is necessary
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in compliance with your right to rectification, erasure of data or restriction of processing to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about those recipients if you so request.
Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where
- the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) GDPR or on a contract pursuant to point (b) of Article 6(1) GDPR; and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data transmitted directly from us to another controller, where technically feasible. The rights and freedoms of others shall not be adversely affected.
The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to Object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
We will no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where you object to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) GDPR, on grounds relating to your particular situation, you have the right to object to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
With regard to data processing for purposes of scientific, historical or statistical research, your right to object may be limited if it would render impossible or seriously impede the achievement of these research purposes and if its restriction is necessary for the achievement of the research or statistical purposes.
Right to Withdrawal of Consent
You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform you on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
The responsible supervisory authority for the University of Applied Sciences Erfurt pursuant to Article 51(1) GDPR is the “Thüringer Landesbeauftragte für Datenschutz und Informationsfreiheit” (www.tlfdi.de/tlfdi/kontakt).