This data protection declaration informs you about the type, extent and purpose of the processing of personal data (in the following referred to as “data”) in the context of our online services and associated websites, functions and contents, including our online presence, such as our social media profile (in the following referred to generally as “online services”). To clarify the terms used, such as processing or responsible persons or bodies, please refer to the definitions in Art. 4 of the General Data Protection Regulation (Datenschutzgrundverordnung DSGVO).
Types of data:
- basic data (e.g. names, addresses)
- contact data (e.g. e-mail, telephone numbers)
- content data (e.g. texts, photos, videos)
- user data (e.g. websites visited, areas of interest, access times)
- meta/communication data (e.g. information about the device, IP addresses)
Categories of Affected Persons
Users of our online services (in the following referred to as “users”).
Purposes of the Processing
- to make our online services, functions and contents available
- to answer queries and to communicate with users
- to implement security measures
- to assess impact / marketing
“Personal data” means all the information related to an identified or identifiable natural person (in the following referred to as “affected person”); “identifiable” means that the natural person can be directly or indirectly identified by linking them to a marker such as a name, an identification number, location data, an online identification marker (such as a cookie), or to any other special features that are an expression of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
“Processing” means any process or series of processes that are applied in connection with personal data, whether with or without automatic procedures. The term is wide-reaching and includes practically any handling of the data.
“Pseudonymisation” means processing the personal data in such a way that without the enlistment of additional information they can no longer be associated with a specific affected person insofar as this additional information is stored separately and is subject to technical and organisational measures that ensure that the personal data cannot be associated with any identified or identifiable natural person.
“Profiling” means any kind of automatized procedure that processes personal data in order to evaluate, analyse or predict certain personal aspects related to a natural person, in particular, aspects connected to the work performance, economic status, health, personal preferences, interests, reliability, behaviour, location or change of location of a natural person.
A “responsible person or body” denotes any natural or legal person, authority, institution or other facility that alone or with others makes decisions about the purposes and means of processing personal data.
A “processor” is a natural or legal person, authority, institution or other facility that processes personal data on behalf of the responsible person or body.
We hereby inform you about the legal basis for our data processing in accordance with Art. 13 of the General Data Protection Regulation (Datenschutzgrundverordnung DSGVO). Where the legal basis in the data protection declaration is not specified, the following applies: the legal basis for the acquisition of consent is DSGVO art. 6, para. 1 (a), and art. 7; the legal basis for processing in order to fulfil our services, carry out contractual measures and answer queries is DSGVO art. 6, para. 1 (b); the legal basis for processing in order to fulfil our legal obligations is DSGVO art. 6. para. 1 (c); and the legal basis for processing in order to protect our legitimate interests is DSGVO art. 6. para. 1 (f). In cases in which processing personal data is required to protect the vital interests of an affected person or another natural person, DSGVO art. 6, para. 1 (d) serves as the legal basis.
In accordance with DSGVO art. 32, and taking into account state-of-the-art technical standards, implementation costs, the type, extent, conditions and purposes of the processing, and in consideration of the different probabilities and severity of risks to the rights and liberty of natural persons, we use appropriate technical and organisational measures to provide a proper level of security to prevent the occurrence of such risks.
These measures particularly include guaranteeing the confidentiality, integrity and availability of data by controlling physical access to the data as well as access parameters, entering, sharing, protecting availability and splitting of the data. Furthermore, we have established procedures to ensure the perception of user rights, deletion of data and reactions to risk to data. In addition, we consider the security of personal data in the development and selection of hardware, software and other procedures in accordance with the principle of data protection through technological design and organisation and through data protection-friendly settings (DSGVO art. 25).
Collaboration with Processors and Third Parties
Insofar as we reveal, share or allow any other form of access to data with other persons or bodies (contracted processors or third parties) during processing, this takes place only on the basis of legal authorisation (e.g. when the sharing of data with a third party, such as a payment services provider, is required by DSGVO art. 6, para. 1 (b) in order to fulfil contractual obligations), with your consent, if legally required, or on the basis of our legitimate interests (e.g. use of commissioned agents, web service providers, etc.).
Insofar as we commission third parties to process data on the basis of a so-called data processing contract, this takes place in accordance with DSGVO art. 28.
Transmission to a Third Country
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so in the context of utilising services from a third party or revealing/sharing data with a third party, we do so only if it is required to fulfil our contractual obligations, is based on your consent, a legal obligation, or our legitimate interests.
Subject to legal or contractual authorisation, we process data or have data processed in a third country only when the special conditions enumerated in DSGVO art. 44 ff. apply. I.e. the data is processed in accordance with particular guarantees such as the officially recognized data protection levels required by the EU (in the USA by the “Privacy Shield”) or in accordance with officially recognized special contractual obligations (so-called standard contractual clauses).
Rights of Affected Persons
You have the right to demand confirmation as to whether relevant data are being processed and to obtain information about these data and other information and a copy of these data in accordance with DSGVO art. 15.
In accordance with DSGVO art. 16, you have the right to demand that incomplete or incorrect data affecting you be completed or corrected.
In accordance with DSGVO art. 17, you have the right to demand that data affecting you be deleted immediately, alternatively, in accordance with DSGVO art. 18, that the data be processed in a limited way.
You have the right to demand that data affecting you and that you have provided to us in accordance with DSGVO art. 20 be shared with you and to demand that they be shared with other responsible persons or bodies.
Further, in accordance with DSGVO art. 77, you have the right to complain to the relevant regulatory authority.
Right of Revocation
You have the right to revoke consent given in accordance with DSGVO art. 7, para. 3 with effect in the future.
Right of Veto
You can veto future processing of data affecting you in accordance with DSGVO art. 21 at any time. The veto can apply in particular to processing for direct advertising.
Cookies and Right of Veto
“Cookies” are small files that are stored on users’ computers. Different tasks can be saved on them. Cookies are primarily used to store information about users (or about the device on which the cookie is saved) during or after access to an online service. Cookies that are deleted after users leave an online service and close their browser are known as “temporary”, “session” or “transient” cookies. Such cookies can save information such as the user’s login data. Cookies that remain after the browser has been closed are called "permanent” or “persistent”. For example, users’ login data can be saved if they log into a website again after several days. Similarly, cookies can save information about users’ interests for assessing impact or marketing purposes. Cookies that are offered by other service providers than the body responsible for the online service are called “third party” cookies (otherwise they are called “first party” cookies).
We can use temporary and permanent cookies and hereby provide information about them as part of our data protection declaration.
Saved cookies can be deleted in the system settings. Deleting cookies can lead to limited functioning of the online service.
You can prevent the installation of cookies by means of the appropriate setting in your browser’s software. However, please note that if you do this, you may not be able to use all the functions on the website to their full extent.
In addition, you can use the following method to prevent the collection, transmission and processing of data that was saved by a cookie and that gives information about your use of the website (incl. your IP address).
Deactivation of Matomo Tracking (Opt-Out)
If you don not consent to the storage and processing of data concerning your access to our website by Matomo, you can veto the storage and use of this data by mouse click at any time. If you do this, a so-called “opt out” cookie will be installed in your browser which prevents Matomo from collecting any session data.
Please note. If you delete cookies, this also causes the opt out cookie to be deleted; in this case, you may have to reactivate it.
Deletion of Data
Data processed by us will be deleted in accordance with DSGVO arts. 17 and 18 or their use will be limited. The stored data will be deleted as soon as they are no longer required for the purpose for which they were collected and deleting them does not contravene any legal requirements to store them unless expressly otherwise specified in this data protection declaration. If the data are not deleted because they are required for other purposes allowed by law, their processing will be limited. I.e. the data will be locked and not used for other purposes. This applies, for example, to data that are required by law to be stored for business or tax reasons.
According to German law, the following documents are required to be stored for the following number of years: 10 years in accordance with the Tax Code (AO) §§ 147 para. 1, Tax Code (AO), 257 para. 1 (1) & (4), and the Commercial Code (HGB) para. 4: books, records, annual reports, accounting records, account books, and other documents relevant for taxation purposes, etc.; and for 6 years in accordance with the Commercial Code (HGB) § 257, para.1 (2) & (3), para. 4: business letters.
According to Austrian law, the following documents are required to be stored for the following number of years: for 7 years in accordance with the Austrian Tax Code (BAO) § 132, para. 1: accounting records, receipts/invoices, accounts, records, business documents, income and expenditure accounts, etc.; for 22 years in connection with land and real estate; and for 10 years for documents in connection with electronically delivered services, telecommunications, radio and television services that are delivered to non-business recipients in EU member states and for mini-one-stop-shop (MOSS) services that are made use of.
Administration, Accounting, Office Organisation, Contacts
We process data concerned with university administration, accounting, and in order to fulfil legal obligations, e.g. archiving. To do this, we process the same data that we process in order to fulfil our contractual obligations. The legal basis for this processing is DSGVO art. 6, para. 1(c) and DSGVO art. 6, para. 1 (f). Persons affected by this processing are clients, interested parties, business partners and visitors to our website. The purposes of our interest in such processing lie in administration, accounting, office organisation, and the archiving of data, that is, functions that serve our organisation’s activities, promote the perception of our responsibilities and perform our responsibilities. The deletion of data in the context of fulfilling our contractual obligations and contractual communications is carried out in accordance with the above-named processing activities. To do this, we reveal or transfer data to fiscal authorities and advisors, e.g. tax advisors or auditors, fee-collecting authorities and payment services providers.
Moreover, we store information on suppliers, event managers and other business partners on the basis of our organisation’s interests, e.g. for future contact. We store such data, which is generally company-related, permanently.
Economic Analyses and Market Research
In order to run our organisation viably and recognise market trends, the wishes of contract partners and users, we analyse our existing data on transactions, contracts, queries, etc. To do this, we process inventory, contract, payment, use and meta data in accordance with DSGVO art. 6, para. 1 (f); affected persons include contract partners, interested parties, clients, and visitors and users of our online services.
The purposes of the analyses are economic evaluation, marketing and market research. To do this, we look at the profiles of registered users with their information, such as services used by them. The analyses serve to improve user-friendliness, and to optimise our services and economic viability. The analyses serve us alone and are not revealed to an external body unless they are anonymised with summarized values.
Analyses that are related to a person or profile are deleted or anonymised when users require this, otherwise they are deleted two years after the termination of the contract. Other analyses that are concerned with general economic analysis and general trends are compiled anonymously as far as possible.
Fulfilment of our Statutory and Organisation-related Services
We process data concerning our members, sponsors, interested parties, clients or other persons in accordance with DSGVO art. 6, para. 1 (b) insofar as we offer them contractual services or in the context of an existing business relationship, e.g. members who are themselves active or are themselves recipients of services and benefits. Other data on affected persons is processed on the basis of our legitimate interests in accordance with DSGVO art. 6, para. 1 (f), e.g. data on administrative responsibilities or public relations work.
The data thus processed, their type, extent and the necessity of processing them are determined according to the contractual agreement which underlies them. Such data include basic, personal, demographic data (e.g.name, address, etc.), contact data (e.g. e-mail addresses, telephone numbers, etc.), contractual data (e.g. services used, shared contents and information and names of contact persons), and payment data where the data are related to services or products liable to payment (e.g. bank details, payment history, etc.).
We delete data that are no longer required to fulfil our statutory and organisation-related purposes. This is carried out depending on the specific function and contractual relationship. In the case of business-related processing, we store the data for the period of time relevant to the fulfilment of the business and also with respect to any guarantees or liabilities that may be relevant. The requirement to store such data is reviewed every three years; otherwise, legal data storage requirements apply.
Data Protection in Application Procedures
We process data on applications in accordance with legal requirements and only for the purposes and in the context of applications. Data on applications is processed to fulfil our contractual obligations in the context of application procedures in accordance with DSGVO art. 6, para. 1 (b) and DSGVO art. 6, para. 1 (f) and only insofar as the data processing is necessary to us in the context of lawful procedures (in Germany, § 26 of the Federal Data Protection Act (BDSG) also applies).
Application procedures presuppose that applicants share their application data with us. The data necessary for the application are indicated in online form insofar as one is available for this purpose, otherwise can be found in the job description. In principle, application data includes information about the person, their postal and contact addresses and any relevant documentation such as covering letters, CV’s and certificates. Applicants may voluntarily provide additional information.
In sending your application to us, you express your consent to the processing of your data for the purpose of the application procedure to the type and extent as described in this data protection declaration.
If certain categories of personal data as laid out in DSGVO art. 9, para. 1 are shared voluntarily with us, their processing is subject to additional measures in accordance with DSGVO art. 9, para. 2 (b) (e.g. health-related data, such as a severe disability, or ethnic origin). If certain types of data as laid out in DSGVO art. 9, para. 1 are required by the application procedure, their processing is subject to additional measures in accordance with DSGVO art. 9, para. 2 (a) (e.g. health-related data, if these are required to perform the work).
If an online form exists on our website, applicants can use it to send us their application. The data transmitted to us will be encrypted in line with state-of-the-art technology.
Applicant may also send their applications to us by e-mail. In this case, we request applicants to note that in principle e-mails are not encrypted and that applicants themselves are responsible for encryption. For this reason, we cannot accept responsibility for the transfer of the application between the applicant and our server and recommend that applicants use either an online form or send their applications by post. Applicants may send their applications by post instead of by online form or e-mail.
If an application is successful, the data provided by applicants may be further processed for the purposes of the employment. If the application for a post is not successful, the applicants’ data will be deleted. Similarly, applicants’ data will be deleted if an applicant withdraws their application; applicants may do this at any time.
Unless an applicant makes use of their legitimate right of veto, the data will be deleted after a period of six months in order to allow us to clarify any questions resulting from the application and to comply with our obligation to provide evidence as laid out in the laws on equal opportunities. Invoices covering the refunding of travelling expenses will be archived in accordance with tax regulations.
Users can open a user’s account. In the context of the registration, any compulsory data will be communicated to the user and processed for the purpose of providing a user’s account in accordance with DSGVO art. 6, para. 1 (b). The processed data includes especially login information (name, password and e-mail address). Data which is entered in the context of a registration will be used for the purposes of utilising the user’s account and its purposes.
Users can be informed about information that is relevant for their user’s account by e-mail, e.g. technical changes. If users cancel their user’s account, any data relevant to the user’s account will be deleted subject to the provisions of any legal obligation to store them. After cancelling their account, users are responsible for saving their data before the end of the contractual period. We have the right to irrevocably delete any data that was stored during the contractual period.
If users take up our registration and enrolment services and use their user account, we store the IP address and time of the relevant user activity. Such storage takes place in order to safeguard our legitimate interests and to protect users from misuse and other unauthorised usage. These data are not transmitted to a third party in principle unless a transfer in required in order to comply with our requirements or with a legal obligation as laid out in DSGVO art. 6, para. 1 (c). IP addresses are anonymised or deleted at the latest after seven days.
If users enter into contact with us (e.g. by contact form, e-mail, telephone or over social media), their data will be processed by us in the context of dealing with the purpose of the contact in accordance with DSGVO art. 6, para. 1 (b) (in the context of contractual /precontractual relationships) and with DSGVO art. 6, para. 1 (f) (other queries). Users’ data may be stored in a customer relationship management system (CRM system) or similar system for the management of contacts.
We delete all inquiries provided that they are no longer needed. We review the necessity to store inquiries every two years; moreover, legal obligations to archive material also apply.
In the following notes, we inform you about the contents of our newsletter, registration, distribution and statistical evaluations, and your right of objection. By subscribing to our newsletter, you consent to receiving it and to the described procedures.
Newsletter contents: We send newsletters, e-mails and other electronic news with advertising information (in the following “newsletter”) only with the consent of recipients or with legal permission. If a user registers for the newsletter, the contents of which have been materially defined, these contents apply for the registration. Our newsletters contain information about our services and us.
Double opt-in and recording: registration to receive our newsletter follows a so-called double opt-in procedure. I.e. after registering, you receive an e-mail asking you to confirm your registration. This confirmation is necessary to prevent anyone with another e-mail address logging in. Registrations to the newsletter are recorded in order to be able to demonstrate the registration process in accordance with legal requirements. This includes storing the times at which registration and confirmation took place as well as the IP address. Similarly, any changes made to your data as stored by the distribution service are also recorded.
Registration data: To register for our newsletter, it is sufficient to give us your e-mail address. We request you to give us your name (optional) so that we can address you personally in the newsletter.
Newsletters and the impact assessment connected to them are sent on the basis of the recipient’s consent in accordance with DSGVO art. 6, para. 1 (a), and DSGVO art. 7 in conjunction with § 7, para. 2 (3) of the Federal Law on Unfair Competition (UWG) or, if consent is not required, on the basis of our legitimate interests in direct marketing in accordance with DSGVO art. 6, para. 1 (f) in conjunction with UWG § 7, para. 3.
The registration procedure is recorded on the basis of our legitimate interests in accordance with DSGVO art. 6, para. 1 (f). We are concerned to provide a user-friendly and secure newsletter system that serves our organisation’s purposes and fulfils the expectations of our users, and that also allows us to demonstrate consent.
Cancellation/ right to withdraw: you can cancel your subscription to our newsletter at any time, i.e. withdraw your consent to receive it. You can find a link to cancel your subscription at the end of every newsletter. We can store deleted e-mail addresses for up to three years before deleting them on the basis of our legitimate interests in order to be able to demonstrate that consent was given. The processing of these data is limited to providing a defence against possible claims. It is possible to apply for individual data to be deleted at any time, provided that confirmation that consent was given is made at the same time.
Newsletter – Distribution Service
The newsletter is distributed in part by the distribution service provider CAS Software AG, CAS-Weg 1 – 5, 76131 Karlsruhe, Germany. You can see the data protection declaration of the distribution service provider under: www.cas.de/en/customer-centricity/customer-centricity/datensicherheit/datensicherheit.html and under: www.cas.en/de/impressum/datenschutz.html The distribution service is used on the basis of our legitimate interests in accordance with DSGVO art. 6, para. 1 (f). and an order processing contract in accordance with DSGVO art. 28, para. 3 (1).
The distribution service provider can use recipients’ data in the form of a pseudonym, i.e. without a connection to a user, in order to optimise or improve its own services, e.g. to optimise the technical distribution and the presentation of the newsletter or for statistical purposes. However, the distribution service provider does not use the data of our newsletter recipients in order to write to them nor does it share the data with a third party.
Collection of Access Data and Logfiles
We, or our hosting supplier, collect data on every access to the server which provides this service (so-called server logfiles); this data is collected on the basis of our legitimate interests in accordance with DSGVO art. 6, para. 1 (f). The access data include the name of the website visited, files, date and time of the access, the amount of data transferred, notification of a successful call, browser type and version, the operating system of the user, referrer URL (the last site visited), IP address and the inquiring provider.
For security reasons (e.g. to investigate misuse or fraud), logfile information is stored for a maximum of four weeks and then deleted. Data that are required for the purpose of providing proof are excluded from being deleted until the case being investigated has been clarified.
Google AdWords and conversion measurement
We use the services of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, (“Google”) on the basis of our legitimate interests (i. e. our interest in the analysis, optimisation and economic viability of our online service pursuant to Art. 6 (1)(f) GDPR).
Google is certified under the Privacy Shield Framework and thereby provides a guarantee that it adheres to European data protection legislation (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
We use the Google “AdWords” online marketing system to place advertisements in the Google advertising network (e. g., in search results, in videos, on websites, etc.) so that they are shown to users who are presumed to have an interest in the advertisements. This allows us to enhance the targeting of our advertisements for and within our online service so users are only shown advertisements which potentially correspond to their interests. When a user is shown advertisements for products in which they have shown an interest on other online websites, this is known as “remarketing”. To this end, Google itself executes a Google code when our or other websites on which the Google advertisement network is active are called up, and so-called (re)marketing tags (invisible graphics or code, also called “Web Beacons”) are embedded into the website. They are used to save an individual cookie, i. e. a small file, on the user’s electronic device (comparable technologies can be used instead of cookies). This file stores information about which websites the user visits, the content in which they have shown an interest and the services the user has clicked on; it also stores technical information on the browser and the operating system, referrer websites, time spent on a website, and further information on the use of the online service.
In addition, we obtain an individual “conversion cookie”. The information obtained with the aid of the cookie allows Google to compile conversion statistics for us. We are only told about the pseudonymised total number of users who have clicked on our advertisement and were forwarded on to a page equipped with a conversion tracking tag. We do not receive any information whereby users can be personally identified, however.
The user data are processed using pseudonyms within the Google advertisement network. This means Google does not save and process the names or email addresses of the users, for example, but processes the relevant data on the basis of cookies as part of pseudonymised user profiles. This means that, from Google’s point of view, the advertisements are not administered and displayed for a specific, identifiable person, but for the cookie owner, regardless of who this cookie owner is. This does not apply when a user has expressly allowed Google to process the data without this pseudonymisation. The information collected about the users is forwarded to Google and stored on Google’s servers in the USA.
Impact Assessment with Matomo
In the context of carrying out impact analyses with Matomo and on the basis of our legitimate interests (i.e. interests in analysis, optimisation and the economic viability of our organisation in line with DSGVO art. 6, para. 1 (f)) the following data are processed: your browser type and version, your operating system, your country of origin, the date and time of the access to the server, the number of visits, the length of time spent on the website and any external links clicked by you. IP addresses are anonymised before being stored.
Users can veto future anonymised data collection through the Matomo programme at any time by clicking on the link shown above. In such cases, a so-called opt-out cookie will be installed in your browser which prevents Matomo from collecting any session data. However, if users delete their cookies, the opt-out cookie will also be deleted and users will therefore have to reactivate it.
The records with user data will be deleted at the latest after six months.
Online Presence in Social Media
We maintain an online presence in social media networks and platforms in order to communicate with clients, interested parties and users and to inform them about our services.
We advise that user data may be processed outside the European Union area. This may involve risk to users because, e.g. the application of users’ rights may be more difficult. With respect to US providers that are certified under the Privacy Shield, we point out that they are thus legally bound to comply with EU data protection standards.
Furthermore, users’ data will generally be used for market research and advertising purposes. In this way, user profiles can be generated, e.g. from users’ behaviour and the interests that are implied by it. User profiles can further be used, e.g. to switch on advertising within and outside the platform that is assumed to address users’ interests. For these purposes, cookies are generally stored on users’ computers on which the users’ usage patterns and interests are stored. Furthermore, data may be stored in user profiles independently of the devices used by the users (especially if users are members of a relevant platform and are logged into it).
Personal user data is processed on the basis of our legitimate interests in effective communication to and with users in accordance with DSGVO art. 6, para. 1 l (f). In cases where users are requested by providers to give consent to the processing of their data (i.e. users give their consent by ticking a check box or clicking a button) the legal basis is DSGVO art. 6, para. 1 (a) and art. 7.
A detailed description of the processing and possibilities for vetoing it (opting-out) can be found under the link to the provider’s information given below.
In cases where users have queries or wish to claim user rights, we advise that this can be achieved most effectively by contacting the provider in question. Only providers have access to their user data and are able to take direct steps and give information. Nevertheless, if you still need help, you can contact us.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) – Data protection declaration: https://www.facebook.com/about/privacy/, opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
- Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) – Data protection declaration: https://policies.google.com/privacy, opt-out: https://adssettings.google.com/authenticated, Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Integration of Services and Contents from Third Parties
On the basis of our legitimate interests (i.e. interests in analysis, optimisation and the economic viability of our organisation in line with DSGVO art. 6, para. 1 (f)), we place contents or service offers from third party providers on our online services in order to integrate them in our online services, e.g. videos or texts (in the following referred to as “contents”).
This makes it necessary for third party providers of these contents to know users’ IP addresses as without an IP address, they cannot send contents to their browsers. Thus, IP addresses are required to present such contents. We make efforts to only use contents whose providers use IP addresses solely for the purpose of delivering contents. Third parties can, moreover, use so-called “pixel tags” (invisible graphic images also known as “web beacons”) for statistical or marketing purposes. Pixel tags enable information to be evaluated, such as visitor traffic to the website pages. This pseudonymised information can moreover be stored in cookies on users’ devices and contain, among other things, technical information about the browser, operating system, referring website, length of time of visit, as well as other information about the use of our online services; the information may also be connected to information from other sources.
We integrate videos from the “YouTube” platform, provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
We integrate Google Fonts provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
We integrate maps from “Google Maps” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, the processed data can include users’ IP addresses and locations which, nevertheless, may not be gathered without their consent (generally obtained from the settings on mobile devices). These data may be processed in the USA. Data protection declaration: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Generated by Data protection generator.de from RA Dr Thomas Schwenke
Esslingen University of Applied Sciences, Kanalstrasse 33, 73728 Esslingen, uses the news service provided by Facebook (in the following, “service”) through the technical platform and services of Facebook Inc., 1601 Willow Road Menlo Park, CA 94025 (in the following, “provider”): www.facebook.com/hochschule.es
The body responsible for processing data of persons living outside the USA is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
We advise that you use these services and functions at your own risk. This especially applies to the use of interactive Facebook functions, such as sharing, commenting or liking.
It is not necessary to use these services in order to contact us or to receive information from us. Any information that is published through this service is also available in the same or a similar form on Esslingen University’s Internet sites or in our various print publications.
If you visit our Facebook site, Facebook collects your IP address and other information that is available on your PC in the form of cookies. This information is used to provide us, as a Facebook site operator, statistical information about the use of our Facebook site. Further information on this topic is provided by Facebook under the following link.
Data collected about you in this context are processed by Facebook Ltd. and may be transferred to countries outside the European Union. Which data Facebook obtains and how they are used is described in a general way in Facebook’s regulations on data use. There, you can also find information about ways to contact Facebook as well as on setting options for advertising. These regulations on data use are available under the following link.
You can find the complete data regulations of Facebook here.
In what way Facebook uses the data resulting from visits to Facebook pages for its own purposes, to which extent activities on Facebook pages can be connected to individual users, how long Facebook stores these data and whether Facebook shares these data with third parties have not been definitively and clearly designated and are not known to us.
When you access a Facebook page, the IP address of your end device is transmitted to Facebook. According to Facebook, these IP addresses are anonymised (for “German” addresses) and deleted after 90 days. Furthermore, Facebook stores information about the end devices of its users (e.g. in the context of the function “log in information”); as the case may be, it is possible for Facebook to identify individual users from their IP addresses with this function.
When you are currently logged in to Facebook as a user, there is a cookie on your end device with your Facebook identification. This enables Facebook to see that you have visited a particular site and how you have used it. This applies to all Facebook sites. By means of a Facebook button embedded in websites, Facebook is able to record your visits to these websites and to connect them to your Facebook profile. This information can be used to tailor contents or advertising sent to you.
If you want to avoid all this, you should deregister from Facebook or deactivate the function “remain online”, delete existing cookies from your device, and end and restart your browser. In this way, Facebook information that could be directly used to identify you will be deleted. You can still use our Facebook site without revealing your Facebook identification. If you use an interactive function (like, comment, share, news, etc.), a log in screen is shown. After registering, you are again recognisable to Facebook as a user.
You can find out how to manage or delete existing information about yourself on the following Facebook support pages:
Data which is collected about you when you use the service, such as your IP address, are processed by the provider and may be transmitted to countries outside the European Union.
Esslingen University of Applied Sciences has no influence on the type and extent of the data processed by the provider, nor on the type of processing, use or transfer of these data to third parties, especially in countries outside the European Union.
Information about which data are processed by the provider and to what purpose they are used can be found in the data protection declaration of the provider. You can also find contact information here.
As provider of this information service, we do not collect or process any data resulting from your use of this service.
You can find the relevant version of this data protection declaration on our Facebook site.
If you have any questions about our information service, you can contact us under the followinge-mail address. You can contact the data protection representative of Esslingen University under the following e-mail address:Prof. Dr Dominik Schoop
The rationale for our information service can be found here.
This data protection declaration was generated with the help of the model data protection declaration provided by the Federal State Data Protection and Freedom of Information Representative for Rheinland-Pfalz.
Esslingen University of Applied Sciences provides academic education in the areas of technology, management and social sciences. A combination of excellent teaching with a high level of practical relevance has the highest priority at the University. Applied research is also a strong feature of the University which has its own doctoral programme, offering graduates a comprehensive scientific career.
Around 6,000 students are enrolled Esslingen University of Applied Sciences on 28 Bachelor’s and 13 Master’s degree courses. The University has three campuses – Esslingen City Centre Campus, Esslingen Hilltop Campus, Flandernstrasse, and in Goeppingen with 55 laboratories.
Esslingen University of Applied Sciences regularly informs the public about its teaching and research as well as its varied university life. To make this information available, the University uses a variety of information channels – among them, Facebook.
With this rationale, we are informing you about our objectives and responsibilities regarding this information channel. Please see the data protection declaration for our Facebook site.
Facebook is a social network, enabling users to remain in contact with friends, partners, business partners and companies. It allows users to create private profiles to present their own person, companies to establish a business presence, and groups to discuss shared interests privately. Profiles can be shared via friendship queries; the number of subscribers is unlimited.
Registered users can use this service to publish photos, videos and information free of charge. Such posts are visible to users who register in the portal. Users can register as “followers” on other users’ sites in order to receive their texts, photos and videos.
The advantages of Facebook are its great reach as well as its simple and free distribution of information.
2. Objectives of our Use of Facebook
In setting up a Facebook channel, Esslingen University of Applied Sciences can meaningfully extend its existing communication channels, such as Internet, press releases, printed media, presence at trade fairs, and other events. Our Facebook channel primarily informs users about University news, teaching and research and life at the University.
Other existing communication instruments are no longer adequate for a number of target groups. We have especially noticed that reaching the target groups of young people, students, potential students and also former students is much more direct, faster and more up-to-date over Facebook. Interested recipients can subscribe to our Facebook site and obtain information directly from it.
Our Facebook channel allows us an extensive reach as well as providing better networking with other universities, companies, institutions and sources of information, and makes it possible to react directly to events.
Furthermore, we can obtain valuable, direct feedback and opinions from our “fans”, enabling us to fulfil our responsibilities optimally.
In addition, by providing information and advertising for our Bachelor’s and Master’s degree courses, Esslingen University of Applied Sciences is in competition with other universities and universities of applied sciences. This competition is bound to increase as numbers of school-leavers decrease due to demographic change. To remain competitive and to directly reach this important, young target group, our Facebook channel will also be used for marketing targeted at schools.
3. Type and Extent of our Use of Facebook
Our Facebook channel informs users about current topics from Esslingen University of Applied Sciences.
Regular contributions include:
- news about our Bachelor’s and Master’s degree courses
- important information from teaching and research at Esslingen University
- news of University life
- reactions/ interactions with potential students, students, former students, citizens, companies, institutions and other public bodies
In contrast, concrete administrative services, such as individual advice, are not offered over this communication pathway.
4. Responsibility for Editing /Technical Services
The responsibility for editing lies with the Office for Public Relations, Marketing and Fundraising at Esslingen University of Applied Sciences:e-mail.
5. Alternative Contacts
We remind users that our Facebook channel is merely one option among many to get in contact with Esslingen University of Applied Sciences, or to obtain information from us. All information available on this site can alternatively be obtained over our Internet services.
- In principle, you can contact ourcentral post inbox with all your questions.
- Telephone queries: 0711 / 397-49
- Postal address: Kanalstrasse 33, 73728 Esslingen
6. Our Commitment
This rationale for use will be reviewed once per semester with respect to the whys and wherefores of our Facebook use.
Valid from: 27th February, 2019
In accordance with the general rule laid down in the European Data Protection Regulations (DSGVO) art. 35, para 1, a data protection impact assessment must be made if a form of dissemination, especially one involving the use new technologies, and due to its type, extent and objectives of processing, could potentially result in a high risk to the rights and liberties of natural persons.
The Federal State Representative for Data Protection and Freedom of Information (LfDI) has issued regulations on the use of social networks by public bodies which make it an obligatory requirement to carry out an assessment of the consequences of the planned processing for the protection of personal data, in anticipation of and in accordance with DSGVO that first came into effect on 25. Mai 2018.
Esslingen University’s use of its Facebook channel is associated with high risk due to its wide-ranging impact, especially arising from the evaluation of data by Facebook Inc. for advertising purposes, thus making a data protection impact assessment necessary.
In using their Facebook account, users expose themselves to systematic observation through Facebook Inc. In so doing, data of a sensitive nature, such as political opinions, sexual orientation or health issues may also be revealed and may be linked to each other and used to create a personal profile. Groups that are especially in need of protection, such as minors, can also be Facebook users and thus become affected. Even passive reading of Facebook without active sharing, posting or commenting can lead to the collection of sensitive data through the collection of log data, such as previously visited websites or the user’s location.
This is all the more pertinent as Facebook Inc. cannot be monitored or can be only monitored to a limited extent. As the data are not processed in Germany, but in Ireland, there are more significant obstacles to obtaining access to (judiciary) rights of protection than in companies with their seat in Germany.
Esslingen University of Applied Sciences therefore presumes that public bodies that use social networks for their public relations work and to provide general information also have a joint responsibility. For this reason, it has taken upon itself the task of carrying out an impact assessment of planned processing procedures, comparable with the data protection impact assessment required by DSGVO art. 35 (c.f. the LfDI regulations on the use of social networks by public bodies).
Joint responsibility does not mean that Esslingen University of Applied Sciences confirms or guarantees that Facebook Inc. products conform to data protection regulations (c.f. the University’s data protection declaration). Under the circumstances, this is not possible. Instead, joint responsibility means being aware and making others aware of the risks of social networks. The University’s presence on Facebook ensures that a large group of users is reached, helped and advised in a way that is not possible by other means, e.g. through our homepage or brochures, etc. At the same time, Facebook users are advised of alternative, data-protection-friendlier communication pathways, such as the University’s homepage.
Users are informed about the risks that are associated with the use of social media in general not only in our data protection declaration for Esslingen University’s Facebook account, but also through regular postings on our homepage and on our Facebook account with education and awareness materials.
Esslingen University of Applied Sciences has committed itself to these measures in its rationale for use. The advantages and disadvantages of using Facebook will be regularly evaluated, taking the user conditions of Facebook Inc. into consideration.
Our use of Facebook is thus embedded in a package of measures. Against this background, our assessment of the consequences of Esslingen University’s use of Facebook are as follows:
1) Risk Identification
In principle, the risks associated with Facebook usage exist independently of the University’s own Facebook usage. In addition, in the majority of cases, the posts made by Esslingen University do not contain personal data but rather make factual content available.
Finally, the data that are processed through interaction with the University’s Facebook or other accounts – namely, posts and the account name of Facebook fans – are already publicly/generally available on the Internet.
Nevertheless, through appearing on our Facebook site, and through being made available to a broader and more specific public, the University can achieve greater publicity and dissemination than without this interaction.
Furthermore, as users “like” or follow Esslingen University’s Facebook or other accounts, additional connections and information about Facebook users are generated; this allows the University to assess the interest in University-related topics through “likes” or participation in events.
Finally, users’ log data are also collected by Facebook, even if they only passively read Facebook pages.
The University’s usage of Facebook thus increases the amount of data that are used and evaluated by Facebook Inc.
2) Risk Analysis
The enlargement of the circle of recipients and increase in contact possibilities makes it easier for Facebook Inc. to process data for other purposes and generate secret profiles. Additionally, the channel’s openness can lead to disadvantageous social consequences such as inappropriate or discriminating comments or the dissemination of sensitive data in users’ contributions.
Even if such risks were intrinsic to Facebook, they would be increased by Esslingen University’s Facebook profile to a very limited extent. This is because, to a large extent, the data are already available to Facebook Inc. Through the University’s Facebook services, there is no compulsion to open a Facebook account as there are enough alternative options to contact the University and obtain information.
Moreover, University topics of degree courses and education are only suitable to provoke hateful debates to a very circumscribed extent, so that the probability of such damage occurring is very limited.
3) Risk Assessment
Overall, the additional risk caused by the University’s Facebook account is therefore assessed as being low to medium (c.f. theShort paper no. 5 of the data protection conference on the data protection impact assessment).
Moreover, it is possible to implement corrective measures to reduce the risk further. Nevertheless, the majority of the measures have to be implemented by users themselves: users can protect themselves to a certain extent by various settings, such as by deleting their browser history, deactivating cookies, or by disabling location when using photos.
In addition, our continuous editing and monitoring allows us to intervene and even close an account where comments are malicious, dishonourable or offensive. To this end, Esslingen University has formulated a netiquette for the use of its accounts and adheres to it in its supervision of the website.
In view of the described risks and intended, binding measures for reducing them, Esslingen University’s Facebook usage is acceptable. Esslingen University is committed to observe further developments and to review the situation regularly - at least once per semester – and to revise procedures if necessary.
Valid from: 27th February, 2019