This data protection declaration informs you about the type, extent and purpose of the processing of personal data (in the following referred to as “data”) in the context of our online services and associated websites, functions and contents, including our online presence, such as our social media profile (in the following referred to generally as “online services”). To clarify the terms used, such as processing or responsible persons or bodies, please refer to the definitions in Art. 4 of the General Data Protection Regulation (Datenschutzgrundverordnung DSGVO).
Types of data:
- basic data (e.g. names, addresses)
- contact data (e.g. e-mail, telephone numbers)
- content data (e.g. texts, photos, videos)
- user data (e.g. websites visited, areas of interest, access times)
- meta/communication data (e.g. information about the device, IP addresses)
Categories of Affected Persons
Users of our online services (in the following referred to as “users”).
Purposes of the Processing
- to make our online services, functions and contents available
- to answer queries and to communicate with users
- to implement security measures
- to assess impact / marketing
“Personal data” means all the information related to an identified or identifiable natural person (in the following referred to as “affected person”); “identifiable” means that the natural person can be directly or indirectly identified by linking them to a marker such as a name, an identification number, location data, an online identification marker (such as a cookie), or to any other special features that are an expression of that natural person’s physical, physiological, genetic, psychological, economic, cultural or social identity.
“Processing” means any process or series of processes that are applied in connection with personal data, whether with or without automatic procedures. The term is wide-reaching and includes practically any handling of the data.
“Pseudonymisation” means processing the personal data in such a way that without the enlistment of additional information they can no longer be associated with a specific affected person insofar as this additional information is stored separately and is subject to technical and organisational measures that ensure that the personal data cannot be associated with any identified or identifiable natural person.
“Profiling” means any kind of automatized procedure that processes personal data in order to evaluate, analyse or predict certain personal aspects related to a natural person, in particular, aspects connected to the work performance, economic status, health, personal preferences, interests, reliability, behaviour, location or change of location of a natural person.
A “responsible person or body” denotes any natural or legal person, authority, institution or other facility that alone or with others makes decisions about the purposes and means of processing personal data.
A “processor” is a natural or legal person, authority, institution or other facility that processes personal data on behalf of the responsible person or body.
We hereby inform you about the legal basis for our data processing in accordance with Art. 13 of the General Data Protection Regulation (Datenschutzgrundverordnung DSGVO). Where the legal basis in the data protection declaration is not specified, the following applies: the legal basis for the acquisition of consent is DSGVO art. 6, para. 1 (a), and art. 7; the legal basis for processing in order to fulfil our services, carry out contractual measures and answer queries is DSGVO art. 6, para. 1 (b); the legal basis for processing in order to fulfil our legal obligations is DSGVO art. 6, para. 1 (c); and the legal basis for processing in order to protect our legitimate interests is DSGVO art. 6, para. 1 (f). In cases in which processing personal data is required to protect the vital interests of an affected person or another natural person, DSGVO art. 6, para. 1 (d) serves as the legal basis.
In accordance with DSGVO art. 32, and taking into account state-of-the-art technical standards, implementation costs, the type, extent, conditions and purposes of the processing, and in consideration of the different probabilities and severity of risks to the rights and liberty of natural persons, we use appropriate technical and organisational measures to provide a proper level of security to prevent the occurrence of such risks.
These measures particularly include guaranteeing the confidentiality, integrity and availability of data by controlling physical access to the data as well as access parameters, entering, sharing, protecting availability and splitting of the data. Furthermore, we have established procedures to ensure the perception of user rights, deletion of data and reactions to risk to data. In addition, we consider the security of personal data in the development and selection of hardware, software and other procedures in accordance with the principle of data protection through technological design and organisation and through data protection-friendly settings (DSGVO art. 25).
Collaboration with Processors and Third Parties
Insofar as we reveal, share or allow any other form of access to data with other persons or bodies (contracted processors or third parties) during processing, this takes place only on the basis of legal authorisation (e.g. when the sharing of data with a third party, such as a payment services provider, is required by DSGVO art. 6, para. 1 (b) in order to fulfil contractual obligations), with your consent, if legally required, or on the basis of our legitimate interests (e.g. use of commissioned agents, web service providers, etc.).
Insofar as we commission third parties to process data on the basis of a so-called data processing contract, this takes place in accordance with DSGVO art. 28.
Transmission to a Third Country
Insofar as we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or do so in the context of utilising services from a third party or revealing/sharing data with a third party, we do so only if it is required to fulfil our contractual obligations, is based on your consent, a legal obligation, or our legitimate interests.
Subject to legal or contractual authorisation, we process data or have data processed in a third country only when the special conditions enumerated in DSGVO art. 44 ff. apply. I.e. the data is processed in accordance with particular guarantees such as the officially recognized data protection levels required by the EU (in the USA by the “Privacy Shield”) or in accordance with officially recognized special contractual obligations (so-called standard contractual clauses).
Rights of Affected Persons
You have the right to demand confirmation as to whether relevant data are being processed and to obtain information about these data and other information and a copy of these data in accordance with DSGVO art. 15.
In accordance with DSGVO art. 16, you have the right to demand that incomplete or incorrect data affecting you be completed or corrected.
In accordance with DSGVO art. 17, you have the right to demand that data affecting you be deleted immediately, alternatively, in accordance with DSGVO art. 18, that the data be processed in a limited way.
You have the right to demand that data affecting you and that you have provided to us in accordance with DSGVO art. 20 be shared with you and to demand that they be shared with other responsible persons or bodies.
Further, in accordance with DSGVO art. 77, you have the right to complain to the relevant regulatory authority.
Right of Revocation
You have the right to revoke consent given in accordance with DSGVO art. 7, para. 3 with effect in the future.
Right of Veto
You can veto future processing of data affecting you in accordance with DSGVO art. 21 at any time. The veto can apply in particular to processing for direct advertising.
Cookies and Right of Veto
“Cookies” are small files that are stored on users’ computers. Different tasks can be saved on them. Cookies are primarily used to store information about users (or about the device on which the cookie is saved) during or after access to an online service. Cookies that are deleted after users leave an online service and close their browser are known as “temporary”, “session” or “transient” cookies. Such cookies can save information such as the user’s login data. Cookies that remain after the browser has been closed are called “permanent” or “persistent”. For example, users’ login data can be saved if they log into a website again after several days. Similarly, cookies can save information about users’ interests for assessing impact or marketing purposes. Cookies that are offered by other service providers than the body responsible for the online service are called “third party” cookies (otherwise they are called “first party” cookies).
We can use temporary and permanent cookies and hereby provide information about them as part of our data protection declaration.
Saved cookies can be deleted in the system settings. Deleting cookies can lead to limited functioning of the online service.
You can prevent the installation of cookies by means of the appropriate setting in your browser’s software. However, please note that if you do this, you may not be able to use all the functions on the website to their full extent.
In addition, you can use the following method to prevent the collection, transmission and processing of data that was saved by a cookie and that gives information about your use of the website (incl. your IP address).
Deactivation of Matomo Tracking (Opt-Out)
If you do not consent to the storage and processing of data concerning your access to our website by Matomo, you can veto the storage and use of this data by mouse click at any time. If you do this, a so-called “opt out” cookie will be installed in your browser which prevents Matomo from collecting any session data.
Please note: if you delete cookies, this also causes the opt out cookie to be deleted; in this case, you may have to reactivate it.
Deletion of Data
Data processed by us will be deleted in accordance with DSGVO arts. 17 and 18 or their use will be limited. The stored data will be deleted as soon as they are no longer required for the purpose for which they were collected and deleting them does not contravene any legal requirements to store them unless expressly otherwise specified in this data protection declaration. If the data are not deleted because they are required for other purposes allowed by law, their processing will be limited. I.e. the data will be locked and not used for other purposes. This applies, for example, to data that are required by law to be stored for business or tax reasons.
According to German law, the following documents are required to be stored for the following number of years: 10 years in accordance with the Tax Code (AO) §§ 147 para. 1, Tax Code (AO), 257 para. 1 (1) & (4), and the Commercial Code (HGB) para. 4: books, records, annual reports, accounting records, account books, and other documents relevant for taxation purposes, etc.; and for 6 years in accordance with the Commercial Code (HGB) § 257, para.1 (2) & (3), para. 4: business letters.
According to Austrian law, the following documents are required to be stored for the following number of years: for 7 years in accordance with the Austrian Tax Code (BAO) § 132, para. 1: accounting records, receipts/invoices, accounts, records, business documents, income and expenditure accounts, etc.; for 22 years in connection with land and real estate; and for 10 years for documents in connection with electronically delivered services, telecommunications, radio and television services that are delivered to non-business recipients in EU member states and for mini-one-stop-shop (MOSS) services that are made use of.
Administration, Accounting, Office Organisation, Contacts
Economic Analyses and Market Research
Fulfilment of our Statutory and Organisation-related Services
Data Protection in Application Procedures
Newsletter – Distribution Service
Collection of Access Data and Logfiles
Impact Assessment with Matomo
Online Presence in Social Media
Integration of Services and Contents from Third Parties
We integrate maps from “Google Maps” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. In particular, the processed data can include users’ IP addresses and locations which, nevertheless, may not be gathered without their consent (generally obtained from the settings on mobile devices). These data may be processed in the USA. Data protection declaration: https://www.google.com/policies/privacy/, opt-out: https://adssettings.google.com/authenticated.
Generated by Data protection generator.de from RA Dr Thomas Schwenke
Esslingen University of Applied Sciences, Kanalstrasse 33, 73728 Esslingen, uses the news service provided by Facebook (in the following, “service”) through the technical platform and services of Facebook Inc., 1601 Willow Road Menlo Park, CA 94025 (in the following, “provider”): www.facebook.com/hochschule.es
The body responsible for processing data of persons living outside the USA is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland.
We advise that you use these services and functions at your own risk. This especially applies to the use of interactive Facebook functions, such as sharing, commenting or liking.
It is not necessary to use these services in order to contact us or to receive information from us. Any information that is published through this service is also available in the same or a similar form on Esslingen University’s Internet sites or in our various print publications.
If you visit our Facebook site, Facebook collects your IP address and other information that is available on your PC in the form of cookies. This information is used to provide us, as a Facebook site operator, statistical information about the use of our Facebook site. Further information on this topic is provided by Facebook under the following link.
Data collected about you in this context are processed by Facebook Ltd. and may be transferred to countries outside the European Union. Which data Facebook obtains and how they are used is described in a general way in Facebook’s regulations on data use. There, you can also find information about ways to contact Facebook as well as on setting options for advertising. These regulations on data use are available under the following link.
You can find the complete data regulations of Facebook here.
In what way Facebook uses the data resulting from visits to Facebook pages for its own purposes, to which extent activities on Facebook pages can be connected to individual users, how long Facebook stores these data and whether Facebook shares these data with third parties have not been definitively and clearly designated and are not known to us.
When you access a Facebook page, the IP address of your end device is transmitted to Facebook. According to Facebook, these IP addresses are anonymised (for “German” addresses) and deleted after 90 days. Furthermore, Facebook stores information about the end devices of its users (e.g. in the context of the function “log in information”); as the case may be, it is possible for Facebook to identify individual users from their IP addresses with this function.
When you are currently logged in to Facebook as a user, there is a cookie on your end device with your Facebook identification. This enables Facebook to see that you have visited a particular site and how you have used it. This applies to all Facebook sites. By means of a Facebook button embedded in websites, Facebook is able to record your visits to these websites and to connect them to your Facebook profile. This information can be used to tailor contents or advertising sent to you.
If you want to avoid all this, you should deregister from Facebook or deactivate the function “remain online”, delete existing cookies from your device, and end and restart your browser. In this way, Facebook information that could be directly used to identify you will be deleted. You can still use our Facebook site without revealing your Facebook identification. If you use an interactive function (like, comment, share, news, etc.), a log in screen is shown. After registering, you are again recognisable to Facebook as a user.
You can find out how to manage or delete existing information about yourself on the following Facebook support pages:
Data which is collected about you when you use the service, such as your IP address, are processed by the provider and may be transmitted to countries outside the European Union.
Esslingen University of Applied Sciences has no influence on the type and extent of the data processed by the provider, nor on the type of processing, use or transfer of these data to third parties, especially in countries outside the European Union.
Information about which data are processed by the provider and to what purpose they are used can be found in the data protection declaration of the provider. You can also find contact information here.
As provider of this information service, we do not collect or process any data resulting from your use of this service.
You can find the relevant version of this data protection declaration on our Facebook site.
If you have any questions about our information service, you can contact us under the following e-mail address. You can contact the data protection representative of Esslingen University under the following e-mail address: Prof. Dr Dominik Schoop
The rationale for our information service can be found here.
This data protection declaration was generated with the help of the model data protection declaration provided by the Federal State Data Protection and Freedom of Information Representative for Rheinland-Pfalz.
Esslingen University of Applied Sciences provides academic education in the areas of technology, management and social sciences. A combination of excellent teaching with a high level of practical relevance has the highest priority at the University. Applied research is also a strong feature of the University which has its own doctoral programme, offering graduates a comprehensive scientific career.
Around 6,000 students are enrolled at Esslingen University of Applied Sciences on 28 Bachelor’s and 13 Master’s degree courses. The University has three campuses – Esslingen City Centre Campus, Esslingen Hilltop Campus, Flandernstrasse, and in Goeppingen with 55 laboratories.
Esslingen University of Applied Sciences regularly informs the public about its teaching and research as well as its varied university life. To make this information available, the University uses a variety of information channels – among them, Facebook.
With this rationale, we are informing you about our objectives and responsibilities regarding this information channel. Please see the data protection declaration for our Facebook site.
Facebook is a social network, enabling users to remain in contact with friends, partners, business partners and companies. It allows users to create private profiles to present their own person, companies to establish a business presence, and groups to discuss shared interests privately. Profiles can be shared via friendship queries; the number of subscribers is unlimited.
Registered users can use this service to publish photos, videos and information free of charge. Such posts are visible to users who register in the portal. Users can register as “followers” on other users’ sites in order to receive their texts, photos and videos.
The advantages of Facebook are its great reach as well as its simple and free distribution of information.
2. Objectives of our Use of Facebook
In setting up a Facebook channel, Esslingen University of Applied Sciences can meaningfully extend its existing communication channels, such as Internet, press releases, printed media, presence at trade fairs, and other events. Our Facebook channel primarily informs users about University news, teaching and research and life at the University.
Other existing communication instruments are no longer adequate for a number of target groups. We have especially noticed that reaching the target groups of young people, students, potential students and also former students is much more direct, faster and more up-to-date over Facebook. Interested recipients can subscribe to our Facebook site and obtain information directly from it.
Our Facebook channel allows us an extensive reach as well as providing better networking with other universities, companies, institutions and sources of information, and makes it possible to react directly to events.
Furthermore, we can obtain valuable, direct feedback and opinions from our “fans”, enabling us to fulfil our responsibilities optimally.
In addition, by providing information and advertising for our Bachelor’s and Master’s degree courses, Esslingen University of Applied Sciences is in competition with other universities and universities of applied sciences. This competition is bound to increase as numbers of school-leavers decrease due to demographic change. To remain competitive and to directly reach this important, young target group, our Facebook channel will also be used for marketing targeted at schools.
3. Type and Extent of our Use of Facebook
Our Facebook channel informs users about current topics from Esslingen University of Applied Sciences.
Regular contributions include:
- news about our Bachelor’s and Master’s degree courses
- important information from teaching and research at Esslingen University
- news of University life
- reactions/ interactions with potential students, students, former students, citizens, companies, institutions and other public bodies
In contrast, concrete administrative services, such as individual advice, are not offered over this communication pathway.
4. Responsibility for Editing /Technical Services
The responsibility for editing lies with the Office for Public Relations, Marketing and Fundraising at Esslingen University of Applied Sciences: e-mail.
5. Alternative Contacts
We remind users that our Facebook channel is merely one option among many to get in contact with Esslingen University of Applied Sciences, or to obtain information from us. All information available on this site can alternatively be obtained over our Internet services.
- In principle, you can contact our central post inbox with all your questions.
- Telephone queries: 0711 / 397-49
- Postal address: Kanalstrasse 33, 73728 Esslingen
6. Our Commitment
This rationale for use will be reviewed once per semester with respect to the whys and wherefores of our Facebook use.
Valid from: 23rd July, 2018
In accordance with the general rule laid down in the European Data Protection Regulations (DSGVO) art. 35, para 1, a data protection impact assessment must be made if a form of dissemination, especially one involving the use of new technologies, and due to its type, extent and objectives of processing, could potentially result in a high risk to the rights and liberties of natural persons.
The Federal State Representative for Data Protection and Freedom of Information (LfDI) has issued regulations on the use of social networks by public bodies which make it an obligatory requirement to carry out an assessment of the consequences of the planned processing for the protection of personal data, in anticipation of and in accordance with DSGVO that first came into effect on 25 May 2018.
Esslingen University’s use of its Facebook channel is associated with high risk due to its wide-ranging impact, especially arising from the evaluation of data by Facebook Inc. for advertising purposes, thus making a data protection impact assessment necessary.
In using their Facebook account, users expose themselves to systematic observation through Facebook Inc. In so doing, data of a sensitive nature, such as political opinions, sexual orientation or health issues may also be revealed and may be linked to each other and used to create a personal profile. Groups that are especially in need of protection, such as minors, can also be Facebook users and thus become affected. Even passive reading of Facebook without active sharing, posting or commenting can lead to the collection of sensitive data through the collection of log data, such as previously visited websites or the user’s location.
This is all the more pertinent as Facebook Inc. cannot be monitored or can be only monitored to a limited extent. As the data are not processed in Germany, but in Ireland, there are more significant obstacles to obtaining access to (judiciary) rights of protection than in companies with their seat in Germany.
Esslingen University of Applied Sciences therefore presumes that public bodies that use social networks for their public relations work and to provide general information also have a joint responsibility. For this reason, it has taken upon itself the task of carrying out an impact assessment of planned processing procedures, comparable with the data protection impact assessment required by DSGVO art. 35 (c.f. the LfDI regulations on the use of social networks by public bodies).
Joint responsibility does not mean that Esslingen University of Applied Sciences confirms or guarantees that Facebook Inc. products conform to data protection regulations (c.f. the University’s data protection declaration). Under the circumstances, this is not possible. Instead, joint responsibility means being aware and making others aware of the risks of social networks. The University’s presence on Facebook ensures that a large group of users is reached, helped and advised in a way that is not possible by other means, e.g. through our homepage or brochures, etc. At the same time, Facebook users are advised of alternative, data-protection-friendlier communication pathways, such as the University’s homepage.
Users are informed about the risks that are associated with the use of social media in general not only in our data protection declaration for Esslingen University’s Facebook account, but also through regular postings on our homepage and on our Facebook account with education and awareness materials.
Esslingen University of Applied Sciences has committed itself to these measures in its rationale for use. The advantages and disadvantages of using Facebook will be regularly evaluated, taking the user conditions of Facebook Inc. into consideration.
Our use of Facebook is thus embedded in a package of measures. Against this background, our assessment of the consequences of Esslingen University’s use of Facebook is as follows:
1) Risk Identification
In principle, the risks associated with Facebook usage exist independently of the University’s own Facebook usage. In addition, in the majority of cases, the posts made by Esslingen University do not contain personal data but rather make factual content available.
Finally, the data that are processed through interaction with the University’s Facebook or other accounts – namely, posts and the account name of Facebook fans – are already publicly/generally available on the Internet.
Nevertheless, through appearing on our Facebook site, and through being made available to a broader and more specific public, the University can achieve greater publicity and dissemination than without this interaction.
Furthermore, as users “like” or follow Esslingen University’s Facebook or other accounts, additional connections and information about Facebook users are generated; this allows the University to assess the interest in University-related topics through “likes” or participation in events.
Finally, users’ log data are also collected by Facebook, even if they only passively read Facebook pages.
The University’s usage of Facebook thus increases the amount of data that are used and evaluated by Facebook Inc.
2) Risk Analysis
The enlargement of the circle of recipients and increase in contact possibilities makes it easier for Facebook Inc. to process data for other purposes and generate secret profiles. Additionally, the channel’s openness can lead to disadvantageous social consequences such as inappropriate or discriminating comments or the dissemination of sensitive data in users’ contributions.
Even if such risks were intrinsic to Facebook, they would be increased by Esslingen University’s Facebook profile to a very limited extent. This is because, to a large extent, the data are already available to Facebook Inc. Through the University’s Facebook services, there is no compulsion to open a Facebook account as there are enough alternative options to contact the University and obtain information.
Moreover, University topics of degree courses and education are only suitable to provoke hateful debates to a very circumscribed extent, so that the probability of such damage occurring is very limited.
3) Risk Assessment
Overall, the additional risk caused by the University’s Facebook account is therefore assessed as being low to medium (c.f. the Short paper no. 5 of the data protection conference on the data protection impact assessment).
Moreover, it is possible to implement corrective measures to reduce the risk further. Nevertheless, the majority of the measures have to be implemented by users themselves: users can protect themselves to a certain extent by various settings, such as by deleting their browser history, deactivating cookies, or by disabling location when using photos.
In addition, our continuous editing and monitoring allows us to intervene and even close an account where comments are malicious, dishonourable or offensive. To this end, Esslingen University has formulated a netiquette for the use of its accounts and adheres to it in its supervision of the website.
In view of the described risks and intended, binding measures for reducing them, Esslingen University’s Facebook usage is acceptable. Esslingen University is committed to observing further developments and to reviewing the situation regularly – at least once per semester – and to revising procedures if necessary.
Valid from: 25th July, 2018