I. Name and address of the controller

The controller within the meaning of the EU General Data Protection Regulation and other national data protection laws in the member states and other legal provisions related to data protection is:

Universität Duisburg-Essen (UDE)

Duisburg campus:
Forsthausweg 2
47057 Duisburg, Germany
Tel.: +49 203 379 – 0
Fax: +49 203 379 – 3333

Essen campus:
Universitätsstraße 2
45141 Essen, Germany
Tel.: +49 201 183 – 0
Fax: +49 201 183 – 3536

Internet: www.uni-due.de

UDE is represented by its Rector:

Professor Dr. Ulrich Radtke
rektor@uni-duisburg-essen.de
Duisburg campus:
Tel.: +49 203 379 – 0
Essen campus:
Tel.: +49 201 183 – 0
Internet: www.uni-due.de/en/university_board_rector.php

II. Name and address of the Data Protection Officer

The controller’s Data Protection Officer is:

Dr. Kai-Uwe Loser
(Data Protection Officer of Universität Duisburg-Essen)
Forsthausweg 2
47057 Duisburg
Tel.: +49 234 32 28720
kai-uwe.loser@uni-due.de
Internet: www.uni-due.de/verwaltung/datenschutz

III. General information about data processing

1. Scope of processing of personal data

We generally process personal data of our users only to the extent that this is necessary to ensure the functioning of our websites and to provide our contents and services. As a rule, the processing of personal data of our users will always be subject to their prior consent. An exemption applies where it is not possible to obtain prior consent for factual reasons and the data processing is permitted by law.

2. Legal basis for the processing of personal data

Where we obtain the data subject’s consent to the processing of personal data, the legal basis is provided by Art. 6 (1) (a) General Data Protection Regulation (GDPR).

Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is provided by Art. 6 (1) (b) GDPR. This also applies to any processing required in order to take steps prior to entering into a contract.

Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis is provided by Art. 6 (1) (c) GDPR.

Where the vital interest of the data subject or another person requires the processing of personal data, the legal basis is provided by Art. 6 (1) (d) GDPR.

Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and where such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, the legal basis for the processing is provided by Art. 6 (1) (f) GDPR.

3. Data erasure and retention period

We will erase or block the personal data of a data subject as soon as the specific purpose of retention ceases to exist. A further retention may happen where this is required by European or national lawmakers in EU regulations, national laws or other provisions applying to the data controller. We will also block or erase the data upon expiry of a legal retention period stipulated in any of the rules referred to above, unless it is still necessary to retain the data for concluding or performing a contract.

IV. Provision of websites and creation of log files

1. Description and scope of data processing

Each time you visit our websites our system will automatically collect data and information from the computer system you use.

This refers to the following data:

  • Information about the type of browser and the specific version used
  • Operating system of the user
  • IP address of the user
  • Resulting from this: Origin of the request (organisation, country, town)
  • Internet service provider of the user
  • Pages viewed within our system
  • Date and time of the request
  • Length of stay
  • Websites from which the user’s system was referred to our websites

This information is saved in our system’s log files. However, when storing these data they will not be linked with any other personal data of the user.

2. Legal basis for data processing

The legal basis for a temporary storage of the data and log files is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is required to deliver a website to the user’s computer. For this purpose the user’s IP address must be stored for the length of the visit.

The information is stored in log files to ensure that the websites are functional. In addition, we use the data to optimise our websites and ensure the safety of our IT systems. We do not analyse the data for marketing purposes in this context.

These purposes also constitute our legitimate interest in the data processing pursuant to Art. 6 (1) (f) GDPR.

4. Retention period

We will delete the data as soon as they are no longer necessary in relation to the purposes for which they were collected. For data collected to provide the website service, this refers to the moment when the specific session is completed.

Where we store the data in log files, this is the case after seven days at the latest. The backups of our log files are erased after 100 days.

5. Possibility of objection and elimination

The collection of data for the provision of the websites and the storage of the data in log files are strictly required for the operation of the websites. Consequently, the user has no possibility to object.

V. Use of cookies

1. Description and scope of data processing

Our websites use so-called session cookies. Session cookies are small text files that are stored in a user’s computer memory. Each session cookie contains a random unique identification number, called session ID. Moreover, cookies hold information about their origin and the retention period.

(There are also permanent cookies to be able to recognise visitors after a long time. This information is stored as a text file on the visitor’s computer hard disk. By contrast, the session cookies that we use are deleted as soon as your session ends.)

Some of the university’s facilities produce websites with the CMS system WordPress (also with external hosting providers). To ensure the functionality of these websites WordPress also uses session cookies.

2. Legal basis for data processing

The legal basis for data processing by using cookies is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to make it easier for users to navigate the websites. Some functions of our websites cannot be offered without these cookies. They require that the browser is recognised after a page change.

User data collected by technically necessary cookies will not be used for the creation of user profiles.

4. Retention period, possibility of objection and elimination

The session cookies we use are essential for the functioning of our websites and are deleted as soon as you end your session.

VI. Newsletter / Sending of press information

1. Description and scope of data processing

On our websites you have the opportunity to subscribe to the free UDE newsletter “Campus:Aktuell” and to the university’s press information.

When you register for them, the information from the input screen is transmitted to us. Specifically, this refers to:

  • Your email address; name (optional)

In the course of the registration process you are requested to consent to the processing of your data.

Moreover, we collect the following data upon registration:

  • IP address of the computer sending the request (not in combination with the service offered, yet in the server log files for seven days); date and time of the registration

When processing data for the purpose of delivering the newsletter, we do not disclose any data to third parties. We use the data exclusively for delivering the newsletter.

2. Legal basis for data processing

The legal basis for processing data after a user has registered for the newsletter is Art. 6 (1) (a) GDPR provided that the user has given consent.

3. Purpose of data processing

The email address of the user is collected and used to be able to send the newsletter. The collection of other personal data in the context of the registration is meant to prevent an abuse of the service and/or of the email address used.

4. Retention period

We will delete the data as soon as they are no longer necessary in relation to the purposes for which they were collected. This means a user’s email address is stored as long as the subscription to the newsletter is active.

As a rule, we erase all the other personal data collected in the context of the registration after a seven-day period.

5. Possibility of objection and elimination

The newsletter is delivered following the user’s registration on the website: in the same way it is possible to withdraw consent to our storing the personal data entered during the registration process.

VII. Contact sheets, input masks and email contact

1. Description and scope of data processing

We use contact and other input forms on our websites. Where a user uses this option the data entered into the corresponding input mask are submitted to us and stored by us, for example:

  • Desired contact person, name, email address and reference / message.

At the time of delivery we also store the following data:

  • Date and time of the message.

Consent to data processing is obtained in the context of the submission process, while reference is made to this privacy policy.

Of course, contact can also be made via the displayed email addresses. In these cases we will store the user’s personal data submitted with the email.

We do not disclose any data to third parties in this context. The use of the data is only for processing the corresponding conversation.

2. Legal basis for data processing

The legal basis for processing data is provided by Art. 6 (1) (a) GDPR where the user has given consent.

The legal basis for processing data submitted by sending an email is provided by Art. 6 (1) (f) GDPR. Where the email communication is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.

3. Purpose of data processing

Personal data from the input mask are only processed for the purpose of processing the communication. In the case of communication via email this will also constitute the required legitimate interest for data processing.

All other personal data processed during the submission process serve the purpose of avoiding misuse of our contact form and ensuring the safety of our IT systems.

4. Retention period

We will delete the data as soon as they are no longer necessary in relation to the purposes for which they were collected.

We erase the additional personal data collected during the submission process after a seven-day period at the latest.

5. Possibility of objection and elimination

Users have the right to withdraw consent to the processing of their personal data at any time. Where users contact us per email, they may object to the storage of their personal data at any time. The conversation cannot be continued under these circumstances.

In such a case all personal data stored in the course of the communication will be deleted.

VIII. Web analysis via AWStats

1. Scope of the processing of personal data

Our websites use the open-source software tool AWStats (http://www.awstats.org/) to analyse our users’ browsing patterns. Among other things, this software reads what is called the HTTP user agent string. When subpages of our websites are accessed we collect the following data:

  • Information about the type of browser and the specific version used
  • Operating system of the user
  • IP address of the user
  • Resulting from this: Origin of the request (organisation, country, town)
  • Internet service provider of the user
  • Date and time of the request
  • Pages viewed within our system.
  • Length of stay
  • Websites from which the user’s system was referred to our websites

The software runs exclusively on our own servers.

2. Legal basis for data processing

The legal basis for the processing of the users’ personal data is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The processing of our users’ personal data gives us the opportunity to analyse their browsing patterns. By analysing the collected data we are able to understand how individual components of our websites are used. This helps us continuously improve our websites and their user-friendliness. These purposes constitute our legitimate interest in the data processing under Art. 6 (1) (f) GDPR. By anonymising the IP addresses the users’ interest in the protection of their personal data is sufficiently taken into account.

4. Retention period

AWStats only saves data in an anonymised way and for statistical purposes. A person-related analysis is not possible.

IX. Third-party services

1. Social media activities

Our website services include links to our social media channels hosted with the following providers:

  • Facebook, Twitter, Instagram, Google+, YouTube, Flickr, XING, LinkedIn, Wordpress.com

For accessing these channels it is necessary that the user’s IP address becomes visible to the providers, because without the IP address no content can be delivered to the browser of the specific user. This means that the IP address is necessary for displaying these contents. We cannot influence whether and how third-party providers save and use IP addresses.

2. UDE’s WhatsApp service

(https://www.uni-due.de/de/socialmedia/whatsapp.php)

If you contact us via the instant messaging service WhatsApp you will automatically send the university your phone number. We will also be able to see your WhatsApp nick name.

Please take into account that instant messaging services do not guarantee confidentiality and privacy. By installing and using WhatsApp on your smart phone and/or mobile device, you agree to the General Terms and Conditions of WhatsApp which we cannot influence. Among other things, these include that you permit WhatsApp Inc. to access your phone number and the contacts stored on your mobile device. Data are also stored on the servers of WhatsApp Inc. which are not subject to European data protection laws. We shall not be liable for any damage caused by using the corresponding platforms.

By actively registering you agree to the usage and storage of your phone number. The phone number will exclusively be used to make available the described/subscribed WhatsApp service of Universität Duisburg-Essen. We will not disclose your data to anyone else.

We retain the data for the period that you use the WhatsApp service of Universität Duisburg-Essen. You may cancel UDE’s WhatsApp service at any time. In this case, please send us a WhatsApp message with the corresponding message – as a rule, we will erase your data within the next 48 hours at the latest – or simply remove the university from your list of contacts.

Privacy at WhatsApp
You find the privacy policies and terms and conditions of use for WhatsApp under:
https://www.whatsapp.com/legal?eea=0&lang=en

3. Integration of GoogleMaps

Our websites use social plugins (“plugins”) of the social online network Google, operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA.

Where you access a page of our websites containing such a plugin, your browser will establish a direct connection with Google’s servers. The content of the plugin is submitted directly to your browser by Google and thus integrated into the website services.

Through this integration of the plugin, Google+ receives the information that you have accessed the corresponding page of our websites. When you are logged in to Google+ at this moment, Google+ can link your visit to your Google+ account. As far as the purpose and scope of the data collection and further processing and use of the data by Google+ and your corresponding rights and privacy configuration options are concerned, please refer to Google’s privacy policy under:
https://policies.google.com/privacy?hl=en&gl=en

4. Integration of YouTube videos

You may find YouTube videos integrated into the websites of Universität Duisburg-Essen. As a rule, this requires that the user’s IP address becomes visible to the provider, because without the IP address no content can be delivered to the browser of the specific user. This means that the IP address is necessary for displaying these contents. We cannot influence whether and how third-party providers save and process IP addresses.

The privacy policy for the use of YouTube can be consulted under:
https://policies.google.com/privacy?hl=en&gl=en

5. Integration of Twitter streams

Our websites use social plugins (“plugins”) of the social network twitter.com (“Twitter”), operated by Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA.

Where you access a page of our websites containing such a plugin, your browser will establish a direct connection with Twitter’s servers. The content of the plugin is submitted directly to your browser by Twitter and thus integrated into the website services.

Through the integration of the plugin, Twitter receives the information that you have accessed the corresponding page of our websites. When you are logged in to Twitter at this moment, Twitter can link your visit to your Twitter account. As far as the purpose and scope of the data collection and the further processing and use of the data by Twitter and your corresponding rights and privacy configuration options are concerned, please refer to Twitter’s privacy policy under:
https://twitter.com/en/privacy

6. Integration of Flickr albums

Our websites use social plugins (“plugins”) of Flickr, operated by Oath (EMEA) Limited (formerly Yahoo! EMEA Limited), 5-7 Point Square, North Wall Quay, Dublin 1, Ireland.

Where you access a page of our websites containing such a plugin, your browser will establish a direct connection with the servers of Flickr. The content of the plugin is submitted directly to your browser by Flickr and thus integrated into the website services.

Through the integration of the plugin, Flickr receives the information that you have accessed the corresponding page of our websites. When you are logged in to Flickr at this moment, Flickr can link your visit to your Flickr account. As far as the purpose and scope of the data collection and further processing and use of the data by Flickr and your corresponding rights and privacy configuration options are concerned, please refer to Flickr’s privacy policy under:
https://policies.oath.com/ie/en/oath/privacy/products/flickr/index.html

X. Rights of the data subject

Where we process your personal data, you are a data subject within the meaning of the GDPR and have the following rights with regard to the controller:

1. Right of access

You may obtain from the controller confirmation as to whether or not we process any personal data concerning you.

Where this is the case, you may request the controller to provide you with the following information:

  1. The purposes of processing the personal data;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. The envisaged period for which the personal data concerning you will be stored, or, if not possible, the criteria used to determine that period;
  5. The existence of the right to request from the controller rectification or erasure of the personal data or restriction of processing of personal data concerning you or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority.
  7. Any available information as to the source of the data, where the personal data are not collected from the data subject;
  8. The existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to obtain information whether the personal data concerning you are disclosed to third countries or international organisations. In this context you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR with regard to the transfer.

This right to access may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

2. Right to rectification

You have a right to obtain from the controller the rectification and/or completion, where the processed personal data concerning you are inaccurate or incomplete. The controller must undertake the rectification without delay.

Your right to rectification may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

3. Right to restriction of processing

Under the following conditions you may demand a restriction of the processing of personal data concerning you:

  1. You contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
  2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. The controller no longer needs the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims; or
  4. You have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your interest.

Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where restriction of processing has been obtained under the conditions above, you will be informed by the controller before the restriction of processing is lifted.

Your right to restriction of processing may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

4. Right to erasure

(a) Obligation to erase

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. You withdraw consent on which the processing is based according to Art. 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing;
  3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
  4. The personal data concerning you have been unlawfully processed;
  5. The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.

(b) Information to third parties

Where the controller has made public the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(c) Exceptions

The right to erasure does not exist to the extent that processing is necessary:

  1. For exercising the right of freedom of expression and information;
  2. For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. For reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
  4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in section (a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. For the establishment, exercise or defence of legal claims.

5. Right to be informed

Where you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to communicate any rectification or erasure of personal data concerning you or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to be informed about these recipients by the controllers.

6. Right to data portability

You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR; and
  2. The processing is carried out by automated means.

In exercising this right you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others may not be affected adversely hereby.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The controller will no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purposes of establishing, exercising or defending legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You also have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, where these are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR.

Your right to object may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

8. Right to withdraw consent given under data protection law

You have the right to withdraw consent given under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:

  1. Is necessary for entering into, or performance of, a contract between you and the data controller;
  2. Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. Is based on your explicit consent.

However these decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3) above, the data controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.