Legal matter Data Protection Declaration
Data protection declaration in accordance with the GDPR
I. Name and address of the responsible controller
II. Name and address of the data protection officer
III. General information on data processing
IV. Provision of website and creation of log files
V. Use of cookies
VI. Fathom web analytics platform
VII. External services (Google, YouTube, etc.)
VIII. Rights of the data subject
I. Name and address of the responsible controller
The responsible controller as defined in the EU General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states as well as other data protection-related provisions is
Universität Heidelberg
Grabengasse 1
69117 Heidelberg
Germany
II. Name and address of the data protection officer
The data protection officer appointed by the responsible controller is:
Ass. jur. Christoph Wassermann
Seminarstr. 2
69117 Heidelberg
+49 6221 54-12070
datenschutz@uni-heidelberg.de
III. General information on data processing
1. Scope of processing personal data
We collect and use the personal data of our users insofar as necessary for operating a functional website and delivering our content and services. The personal data of our users is collected and used only after obtaining consent from the user. The only exception to this is where it is actually impossible for us to obtain prior consent and processing of the data is legally allowed.
2. Legal basis for processing personal data
Whenever we obtain consent from a data subject to process personal data, Art. 6 (1 a) GDPR serves as the legal basis.
For processing personal data required to fulfil a contract to which the data subject is a party, Art. 6 (1 b) GDPR serves as the legal basis. This also applies to the processing necessary to accommodate preparations for entering into a contract.
Where processing of personal data is necessary for compliance with a legal obligation to which our organisation is subject, Art. 6 (1 c) GDPR serves as the legal basis.
Where processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1 d) GDPR serves as the legal basis.
Where processing is necessary to protect the legitimate interests of Heidelberg University or of a third party, and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1 f) GDPR serves as the legal basis.
3. Deletion of data and data storage period
The data subject’s personal data will be deleted or locked as soon as the purpose for which it has been collected has been fulfilled. Data may remain on record beyond this period if such is specified in European or national legislation from European Union regulations, laws or other provisions to which the controller is subject. Data will also be locked or deleted if a storage period specified in the above standards expires unless conclusion or fulfilment of a contract requires the data to remain on record further.
IV. Provision of website and creation of log files
1. Description and scope of data processing
Any time our website is accessed, our system automatically records data and information concerning the accessing computer.
The following data is recorded:
- information on the browser type and version used
- the user's operating system
- the user's IP address
- date and time of access
- websites from which the user's system was directed to our website
- websites which the user's system accesses via our website.
The data is compiled in log files on our system, whereby the IP address is truncated immediately after collection, i.e. an IPv4 address is truncated to the first two bytes, an IPv6 address to the first 32 bits. Personal profiles cannot be generated based on truncated IP addresses. This data is not stored with other personal data of the user.
2. Legal basis for data processing
The legal basis for temporarily recording data and log files is Art. 6 (1 f) GDPR.
3. Purpose of data processing
The temporary storage of the IP address on our server is necessary for granting the user’s system access to our website. For this purpose, the user’s IP address must remain stored on our server for the duration of the session.
Data storage in log files is required to ensure the functionality of the website. Furthermore, the data enables us to optimise the website and guarantee the security of our IT systems. Data analysis for marketing-related purposes is not performed in this context.
The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.
4. Data storage period
The data is erased as soon as it is no longer required for the purpose for which it was requested. Data collected for website availability is deleted when the respective session has ended.
All data stored in log files is deleted within seven days. Data can be stored for longer. In such cases, the user's IP address is truncated so that the querying client cannot be identified.
5. Right to object and options for removal
The website cannot be provided without recording the data, and the operation of the site on the internet is impossible without storing the data in log files. There is consequently no option for the user to object.
V. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files saved in or by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored in the user’s operating system. This cookie contains a unique character string that allows the website to identify the browser when it accesses the website again.
We use cookies to provide basic functions of our website. Some of our website’s elements need to be able to identify the accessing browser even after it has left the site.
2. Legal basis for data processing
The legal basis for processing personal data is Art. 6 (1 f) GDPR.
3. Purpose of data processing
Cookies are technically necessary to enable users to access websites. Several of our website’s functions will not work without using cookies. These functions require the browser to be recognised again after leaving and returning to our website.
User data collected via technically required cookies is not used to create user profiles.
The above purposes also constitute our legitimate interests in data processing under Art. 6 (1 f) GDPR.
4. Data storage period, right to object, and options for removal
Cookies are stored on the user's computer and transferred to our site. Consequently, you as the user have complete control over how cookies are used. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies to external websites. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser. If you disable cookies for our website, you may no longer be able to use the site’s full range of functions.
VI. Fathom web analytics platform
1. Scope of processing personal data
Our website uses the software tool Fathom (www.usefathom.com; provided by Conva Ventures Inc. and hereinafter called “Fathom”), which has been optimised for data protection while analysing the browsing behaviour of our users. Fathom does not save any cookies on your computer. Person-related data required to operate our website is not transmitted to Fathom. You IP address is transmitted to Fathom’s server where it is anonymised, and not stored, before processing even starts.
2. Legal basis for processing personal data
The legal basis for processing personal data is Art. 6 (1 f) GDPR.
3. Purpose of data processing
We use Fathom to improve the quality of our website and its contents. It lets us know how our website is being used, allowing us to continually improve it.
4. Data storage period, right to object, and options for removal
Fathom does not evaluate or save your personal data.
Most browsers also have a “Do not track” option which prevents websites from tracking your user activities. We have integrated Fathom in such a way that it respects this option and ignores your data.
VII. External services (Google, Youtube, etc.)
We use Google for queries. Google uses cookies, i.e. text files saved on your computer that allow for analysis of your use of our website. The information generated by the cookie on your usage of this website (including your non-anonymised IP address) is transferred to a Google server in the US, and saved there. Google can use this information to analyse your usage of the website, to compile reports on the website activities for the website operators, and to deliver additional services associated with website and Internet use. Google may also transfer this information to third parties if so specified by law or if the third parties process this data on behalf of Google. You can prevent cookies from being saved using the appropriate setting in your browser software; however, we must point out that it may keep you from using all the functions on this website. By using these search query fields, you agree that the data Google collects about you may be processed in the manner previously described and for the purpose stated above.
The university makes available content from external sources, which may be in the form of pictures, documents, scripts, etc. In the process, personal data such as IP address, date of access and the like are transferred to the external source. We have no influence on the storage duration or possible analysis of such data.
We also use Frame technology to incorporate videos, maps and other external content (such as YouTube, Vimeo.com, OpenStreetMap). Copyright reasons prevent us from realising this in any other way in many cases. Frame technology can trigger sending information such as the non-anonymised IP address or access date to the external provider when the page is accessed. It allows the external provider to save cookies on your computer which can be used for advertising purposes, etc. If you are logged into your YouTube or Google account, YouTube can associate your surfing behaviour with you personally. To avoid this, you should log off. Currently it is not technologically possible to implement an opt-out function in this case. If you want to avoid cookies, you can deactivate them in your browser.
VIII. Rights of the data subject
If your personal data is processed, you are a data subject as defined in the GDPR and consequently have the following rights:
1. Right of access
You are entitled to request information from the controller on whether we are processing any personal data related to yourself.
If we do, you can further request information from the controller on the following:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients to whom your personal data is or will be disclosed;
(4) the period for which your personal data is intended to remain on record or, if this cannot be specified, the criteria for defining the storage period;
(5) whether you are entitled to demand correction or deletion of your personal data , to demand limitation of processing by the controller, or to object to processing;
(6) whether you are entitled to file a complaint with a supervisory authority;
(7) everything available on the data’s source if the entity you are enquiring with did not obtain it themselves;
(8) whether there was any automated decision-making and profiling as per Art. 22 (1) and (4) GDPR and – at least where such was the case – useful information on the underlying logic and the impact and desired effects of this processing on the data subject.
You are entitled to request information on whether your personal data will be transmitted to a non-EU member state or international organisation. You are entitled in this context to request information on suitable safeguards according to Art. 46 GDPR related to the transmission.
Where data is processed for research or statistical purposes, the right of access can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
2. Right to rectification
You are entitled to request that the controller corrects and/or completes your personal data if this data is incorrect or incomplete. The controller is obliged to do so without delay.
Where data is processed for research or statistical purposes, the right of rectification can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
3. Right to restriction of processing
You can request limits to the processing of your personal data if the following applies:
(1) If you contest the correctness of your personal data for a period that allows the controller to check the data's correctness
(2) Processing of the data is illegal and you object to deletion of the data in favour of restricting the personal data’s use;
(3) The controller no longer requires the personal data for the purposes of processing, but you need it to assert, exercise, or defend a legal claim; or
(4) You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the controller’s legitimate interests outweigh your own.
If the processing of your personal data has been restricted, such data may be processed - apart from its storage - only with your consent, or for the purpose of asserting, exercising, or defending rights, or protecting the rights of another individual or legal entity, or on grounds of important public interest of the European Union or any Member State.
If processing has been restricted in accordance with the above conditions, you will be notified by the controller before the restriction is lifted.
Where data is processed for research or statistical purposes, the right to limitation of processing can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
4. Right to erasure
a. Obligation to delete
You can request that the controller delete your personal data immediately; the controller is then obliged to delete the data immediately, provided one of the following conditions applies:
(1) Your personal data is no longer required to achieve the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent under which processing became legitimate as per Art. 6 (1 a) or Art. 9 (2 a) GDPR, and there is no other legal basis for processing.
(3) You object to processing as per Art. 21 (1) GDPR and your objection is not overridden by legitimate reasons for processing, or you object to processing as per Art. 21 (2) GDPR.
(4) Your personal data has been processed unlawfully.
(5) Deletion of your personal data is necessary for the controller to fulfil a legal obligation imposed by European Union law or the national laws of European Union member states.
(6) Your personal data has been collected in connection with the offer of information society services as per Art. 8 (1) GDPR.
b. Notification of third parties
If the controller has published your personal data and has become obliged to delete it as per Art. 17 (1) GDPR, the controller will take action, including technical measures, using the available technology and at appropriate expense with the aim of notifying any controllers processing your personal data that you as the data subject have requested deletion of all links to said personal data or to copies or reproductions thereof.
c. Exceptions
The right to erasure becomes void if processing is necessary
(1) to exercise of the right to free expression and information;
(2) to fulfil a legal obligation requiring the controller to process the data imposed by European Union law or the national laws of a European Union member state, or to complete a duty in the public interest or to perform executive duties appointed to the controller;
(3) in the interests of public health and safety as per Art. 9 (2 h and i) and Art. 9 (3) GDPR;
(4) for archiving purposes in the public interest, for scientific or historical research or for statistical purposes as per Art. 89 (1) GDPR, provided that the right described in section a) can be reasonably assumed to prevent or seriously impede achievement of the processing purposes;
(5) to assert, exercise, or defend legal claims.
5. Notification obligation
If you have asserted your right to rectification, erasure or restriction of processing against the controller, the controller is under obligation to notify all recipients to whom your personal data has been disclosed of the corresponding rectification or erasure of data or of the restriction of their processing. The controller is exempted from this obligation where such notification proves impossible or unreasonable.
You have the right to be informed of who these recipients are.
6. Right to data portability
You have the right to receive the personal data concerning yourself that you have provided to a controller in a structured, commonly used and machine-readable format. You are also entitled to transmit this data to another controller without the controller to whom you have provided the data hindering you from doing so and if
(1) you have consented to processing as per Art. 6 (1 a) GDPR or Art. 9 (2 a) GDPR or processing is governed by a contract as per Art. 6 (1 b) GDPR and
(2) processing occurs using automated methods.
When exercising this right, you can further request a controller to send your personal data directly to another controller, provided this is technically feasible. This must not adversely affect the liberties and rights of others.
The right to data portability does not extend to the processing of personal data where such processing is necessary for fulfilling a duty in the public interest or for exercising executive duties appointed to the controller.
7. Right to object
You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data where processing is legitimised by Art. 6 (1 e or f) GDPR; this applies in equal measure to profiling legitimised by these provisions.
The controller will cease to process your personal data unless the controller can prove compelling legitimate reasons for processing that override your interests, rights, and liberties, or processing pursues the assertion, exercise, or defence of legal claims.
If your personal data is processed for the purpose of direct advertising, you are entitled to object at any time to the processing of your personal data for this purpose; this applies equally to profiling where it occurs in connection with such direct advertising.
If you object to processing for direct advertising, your personal data will no longer be processed for this purpose.
You may, in connection with the use of information society services – Directive 2002/58/EC notwithstanding – exercise your right to object by means of automated methods that are subject to technical specifications.
You are entitled to object for reasons arising from your own personal situation at any time against processing of your personal data collected for scientific or historical research or statistical purposes pursuant to Art. 89 (1) GDPR.
Where data is processed for research or statistical purposes, the right to object can be restricted if it may prevent or seriously impede the achievement of the specific purposes and if the restriction is required to fulfil the research and statistical purposes.
8. Right to withdraw your consent under data protection law
You are entitled to withdraw your consent under data protection law at any time. Your withdrawing consent does not affect the legitimacy of any processing that has occurred with your consent prior to withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to any decision that entails legal implications for yourself or has similar, substantially adverse effects on yourself if said decision is based solely on automated processing; this includes profiling. You do not have this right if the decision
(1) is necessary to allow conclusion or fulfilment of a contract between yourself and the controller,
(2) is legitimate under the legal provisions of the European Union or its member states to which the controller is subject and these legal provisions include appropriate measures safeguarding your rights, liberties, and legitimate personal interests, or
(3) is made with your express consent.
However, such decisions may have been made based on personal data of special categories as per Art. 9 (1) GDPR unless Art. 9 (2 a or g) GDPR also apply and appropriate measures have been taken to protect your rights, liberties, and legitimate personal interests.
With respect to cases (1) and (3), the controller shall take appropriate precautions to protect your rights, liberties, and legitimate personal interests; such precautions will include at least the right to enforce intervention by a human individual at the controller’s, to put forward your own opinion, and to contest the decision.
10. Right to complain to a supervisory authority
If you believe that processing of your personal data is in breach of the GDPR, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state where you, your place of work, or the locale of the alleged infringement are located. This does not affect your recourse to other administrative or judicial remedies.
The supervisory authority receiving the complaint will keep the appellant up to date on the status and results of the complaint, including on recourse to judicial remedies as per Art. 78 GDPR.