Open

Privacy

Basic Information

Responsible entity for Processing Personal Data in relation to this webservice is Hochschule Musterstadt, Musterstrasse 1, 11111 Musterstadt Hochschule Musterstadt, Musterstrasse 1, 11111 Musterstadt, represented by its president.

Contact Details of the Controller:

      Hochschule Musterstadt       Rektorat/Praesidium       Postfach 1111       11111 Musterstadt       E-mail: rektorat@hochschule-musterstadt.de       Telefon: 0111-222-2222

Contact Details of the Controller’s Data Protection Officer:

      Hochschule Musterstadt       Die behoerdliche Datenschutzbeauftragte       Musterstrasse 1       11111 Musterstadt       E-mail: datenschutz@hochschule-musterstadt.de       Telefon: 0111-222-0007

 

Your Rights as a Data Subject

Article 15 of the EU General Data Protection Regulation (GDPR) provides the right of access to personal data for data subjects. Any natural person may request whether personal data related to him or her is being processed or not. If personal data is processed and no legal restriction to this right applies, the data subject may request a copy of personal data related to him or her. If personal data processed by a controller is incomplete or inaccurate, Art. 16 GDPR provides the data subject with the right to obtain rectification of this incorrect data from the controller (including the option for the data subject to provide a supplementary statement to be included) Further Data Subject Rights:

• Art. 17 GDPR: Right to erasure of personal data if requirements provided in Art. 17 para 1 lit a to f are fulfilled.
• Art. 18 GDPR: Right to restriction of data processing if the requirements Art. 18 para 1 lit. a to d are fulfilled.
• Art. 20 GDPR: Right to transfer personal data provided by the data subject to a controller chosen by the data subject on request and right to obtain the data in a structured, commonly used and machine-readable format, if the processing is based on consent or on a contract.
• Art. 21 GDPR: Based on particular personal circumstances the data subject has a right to object to an otherwise lawful processing of his or her personal data.
• Art. 22 GDPR: In cases of solely automated processing with legal effects, special rights are granted for data subjects.

 

Right to lodge a complaint

Any data subject has the right (stipulated in Art. 77 GDPR) to lodge a complaint with a data protection supervisory authority, including the supervisory authority in charge for the controller:

      Der Landesbeauftragte fuer Datenschutz Musterland       Musterstrasse 1       11111 Musterstadt

 

Information on selected processing activities affecting all users

Note for implementation: These are separate processing activities affecting all users of the webservice. If personal data is collected via a form, this information is to be placed above and close to the respective form and the basic information stated in the main privacy statement is to be linked to. This is more transparent than providing all information in an extended privacy statement.  

Processing of Logfiles (Access Data)

When using this webservice the following data set is processed to provide the service and to detect and resolve errors within the system:

• The requested URL
• A code number indicating whether access to resources was successful or the error code respectively
• Timestamp when the request was processed
• Amount of transmitted data
• IP address of the data subject in a condensed format

The IP address is stored in a shortened format, effectively making it impossible or at the very least requiring prohibitive and unreasonable amounts of effort to identify data subjects. All processing is carried out within the institution and is based on Art. 6 para. 1 lit. f GDPR, with the legitimate interest of the controller being the detection and resolution of system malfunctions and defence against attacks against its IT infrastructure. Logfile data is deleted after seven days.

 

User Account

For using non-public parts of this webservice (e.g. application or alumni management) a user account is required. The following data set is required for the account creation and organisation:

• Form of address, [The university needs to discuss, whether the form of address is required. The best solution would make this field optional.]
• Given name and surname,
• E-mail address,
• Password, chosen by the user.

Without providing this dataset a user account cannot be created and non-public parts of this webservice cannot be accessed. The processing is based on Art. 6 para. 1 lit. e GDPR, its purpose being limiting access to non-public parts of Hochschule Musterstadt’s webservice to registered users only. Account data will not be made available to third parties unless to obey a legal obligation. The user account will be deleted on explicit request by the user or after an inactivity period of XXX months or years.

 

Automated login using mobile devices

[Only if activated and with consent of the users] When using this webservice with a user account and with a mobile device (e.g. tablet computer or smartphone) you may request to stay logged in even after closing the web browser. A cookie with an encrypted string of username and password is stored on the particular device. A digital fingerprint of the device is stored on the server. The digital fingerprint comprises the following information:

• SCREEN_SIZE_AND_COLOR_DEPTH (screen size and colour depth)
• DEVICE_ATTRIBUTES: id, model, vendor, build, device_os_version (data of the device: model number [not IMEI], name of the model, manufacturer, type, version of the operating system)
• ACCEPT_LANGUAGE (preferred languages)
• TIME_ZONE (time zone)
• DEVICE_TYPE (type of device)
• BROWSER_TYPE (software used for access (i.e. web browser))

This data is used to identify and verify the device and is stored on a server owned and operated by the controller. The processing of this personal data is based on consent in line with Art. 6 para. 1 lit. a GDPR, which is granted by the user through activating the automated login for this device. No data is transmitted to a third-party and data is processed for the singular purpose of distinctively identifying the device in connection with the automated login token. An automated login will take place only if the digital fingerprint of the device matches the digital fingerprint stored on the server, if username and password can be decrypted from the login token and if username and password are valid and can be used for a login.

If the automated login has not been used for a period of four weeks, corresponding data is deleted from the servers. The user may also deactivate the automated login for any particular device (e.g. the device got lost) using the settings section of the user account for this webservice. By storing the dataset listed above on the university’s server the user can distinguish devices for which the automated login is activated and may deactivate the automated login for each device through the web interface. The processing of personal data is lawful until the person withdraws his or her consent. This withdrawal of the consent does not affect the lawfulness of the prior processing.

 

Cookies

Our web application uses cookies. Cookies are small text files (or files utilizing other storage technologies) stored by your computer’s browser to retain information. By deploying cookies, we process certain information about you, such as your browser, location data, or IP address.

If you prevent or restrict the installation of cookies, not all of the functions on our site may be fully usable.  

Name	Inhalt (Beispiel)	Zweck	Gueltig bis
JSESSIONID	R5E0F8CC126518A2FF92F4614XYZABC	This cookie is placed to authenticate the users login.	Zum Ende der Sitzung
oam.Flash.RENDERMAP.TOKEN	-z4rkkxnzp	This cookie is a security feature that provides a temporary backup of the user interface.	Zum Ende der Sitzung
lastRefresh	1406342235039	This cookie logs the time of the last refresh/last access to the application (timestamp).	Zum Ende der Sitzung
sessionRefresh	0	In case of an automatic logout due to inactivity, this cookie makes it possible to determine the time since login/the residual time until automatic logout of the current user session.	To the end of the session.
download-complete		When this cookie is set, it informs the browser that a file download has been completed.	To the end of the session.
cs.sys.hisinoneAutoLogin	abc1234___::___def5678	By enabling automatic login this cookie saves an access key which enables it to be recognized next time visiting this website until logging out of the device manually.	Zum Logout auf dem jeweiligen Geraet. Die serverseitigen Daten koennen in der Geraeteverwaltung auch fuer andere Geraete geloescht werden.
cs.sys.requestPerformance	a4d76e62-eb45-44df-ad7e-19b612f36956	An active performance analysis tool will distinguish between server-sided and client-sided handling of the browser request.	To the end of the session.
XSRF-TOKEN	sc45cb68-9e99-4a14-bb34-788ea2cck5f5	Serves as protection against Cross Site Request Forgery (Cyber-attack on a computer system).	To the end of the session.

 

Processing of Log Data to Analyse User Behaviour [If applicable; exemplifying Matomo]

This webservice uses the software Matomo to analyse user behaviour on this webservice. Through a cookie on the users’ device, data about the data subjects’ usage behaviour of this webservice including the condensed IP address is collected, transferred to and processed on the servers. Personal data is anonymised and then processed for the purpose of usage analysis. After anonymisation of the data, an identification of the requesting device and its user is with current technology not feasible. Data collected or processed by means of cookie usage is processed entirely on servers owned and operated by the controller. No personal data is transmitted or published to third parties. Processing of this personal data is based on Art. 6 para. 1 lit. f GDPR and the legitimate interest for the processing is the need for usage analysis to improve the webservice. [Please note that supervisory authorities argue that consent of the data subject is required for this type of processing. Precaution is needed!]

It is possible to object to this particular processing. Using the following link, you may opt-out from this processing: $LINK

Further details regarding objection: After clicking on the link, a cookie will be stored on the device, preventing any further data collection in regard to usage analysis for this webservice. You will have to opt-out on any device you are using for a comprehensive objection to the usage analysis. As the cookie is stored with the particular web browser you will have to object with all web browsers on each device used for this webservice. If cookies on the device are deleted, please be aware that you will have to object again by clicking on the link.  

Contact form [If applicable; exemplifying Matomo]

If you get in touch with us via the contact form, your personal data (salutation, surname, first name and e-mail address) will be processed. The processing of this personal data is based on Art. 6 (1)(e) GDPR and your personal data will only be used to handle and reply to your request . A transfer of personal data to a third-party does not take place. Data is transmitted to Hochschule using an SSL-encrypted connection, which makes it significantly more difficult for unauthorised persons to intercept it. Enquiries to the university via e-mail or the contact form are deleted after the retention period of ... months/years.

 

Plugins zu Sozialen Medien [Nur falls zutreffend, kein Muster nur Hinweise]

Von der Verwendung solcher Plugins wird aus Sicht des Datenschutzes ausdrücklich abgeraten. Sollten diese dennoch eingesetzt werden, so muss den Nutzern gegenüber z.B. transparent gemacht werden, dass unabhängig von einer Mitgliedschaft in dem betreffenden Sozialen Netzwerk personenbezogene Daten an die Server des Anbieters übermittelt werden, wobei die Anbieter häufig in einem Land außerhalb der EU sitzen. Auch ist es - insbesondere bei einem Anbieter im EU Ausland – zum rechtssicheren Einsatz solcher Plugins notwendig, vor einer Datenübermittlung von den Nutzern eine individuelle und insbesondere informierte Einwilligung nach Art. 6 (1) a) DSGVO zur Datenerhebung bei dem jeweiligen Anbieter einzuholen. Webseitenbetreiber müssen beim Einsatz solcher Plugins (Art. 7 (1) DSGVO folgend) nachweisen können, dass Nutzer in die Datenübermittlung/-erhebung eingewilligt haben, was ggf. weiteren organisatorischen Aufwand (insofern eingesetzte 2-Klick Buttons dies nicht schon unterstützen) bedeutet. Im Allgemeinen kommen auf den Webseiten Betreiber durch den Einsatz von Social Plugins eine Reihe von Informationspflichten nach den Artikeln 12 fortfolgende DSGVO zu, welche die Nutzerinnen und Nutzer noch vor der Datenübermittlung z.B. über die Empfängerin oder den Empfänger der Daten, deren Nutzung und weiterer für die Entscheidung relevanten Informationen aufklären soll. Bei vielen Plugins ist zudem für den Webseitenbetreiber meist selbst nicht transparent, welche Daten genau übermittelt werden und ob dort eine Verknüpfung mit anderen Daten erfolgt. Eine von der DSGVO geforderte informierte Einwilligung vor der Datenübermittlung ist somit nur schwer für Webseitenbetreiber durchführbar. In jedem Falle ist der Einsatz einer 2-Klick-Lösung vorzuziehen, da der direkte Einsatz von Social-Plugins, insbesondere dann, wenn diese schon beim Seitenaufruf Daten an die Anbieterinnen und Anbieter übermitteln, nicht als rechtskonform betrachtet werden kann. 2-Klick-Lösungen verlagern und vereinfachen so die von der DSGVO geforderte Einwilligung in die Datenübermittlung, machen es aber immer noch notwendig, dass Nutzerinnen und Nutzer des Buttons ausreichend über die Datenübermittlung informiert werden.