Data Privacy
Name and address of the controller
The controller within the meaning of the EU General Data Protection Regulation and other national data protection laws in the member states and other legal provisions related to data protection is:
Universität Duisburg-Essen (UDE)
Duisburg campus:
Forsthausweg 2
47057 Duisburg, Germany
Tel.: +49 203 379 – 0
Fax.: +49 203 379 – 3333
Essen campus:
Universitätsstraße 2
45141 Essen, Germany
Tel.: +49 201 183 – 0
Fax.: +49 201 183 – 3536
Website: www.uni-due.de
UDE is represented by its Rector:
Prof. Dr. Barbara Albert
rektorin (at) uni-duisburg-essen.de
Duisburg campus:
Tel.: +49 203 379 – 0
Essen campus:
Tel.: +49 201 183 – 0
Website: www.uni-due.de/en/university_board_rector.php
Name and address of the Data Protection Officer
The controller’s Data Protection Officer is:
Dr. Kai-Uwe Loser
(Data Protection Officer of Universität Duisburg-Essen)
Forsthausweg 2
47057 Duisburg
Tel.: +49 234 32 28720
kai-uwe.loser (at) uni-due.de
Website: www.uni-due.de/verwaltung/datenschutz
General information about data processing
1. Scope of processing of personal data
We generally process personal data of our users only to the extent that this is necessary to ensure the functioning of our websites and to provide our contents and services. As a rule, the processing of personal data of our users will always be subject to their prior consent. An exemption applies where it is not possible to obtain prior consent for factual reasons and the data processing is permitted by law.
2. Legal basis for the processing of personal data
Where we obtain the data subject’s consent to the processing of personal data, the legal basis is provided by Art. 6 (1) (a) General Data Protection Regulation (GDPR).
Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is provided by Art. 6 (1) (b) GDPR. This also applies to any processing required in order to take steps prior to entering into a contract.
Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis is provided by Art. 6 (1) (c) GDPR.
Where the vital interest of the data subject or another person requires the processing of personal data, the legal basis is provided by Art. 6 (1) (d) GDPR.
Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and where such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, the legal basis for the processing is provided by Art. 6 (1) (f) GDPR.
3. Data erasure and retention period
We will erase or block the personal data of a data subject as soon as the specific purpose of retention ceases to exist. A further retention may happen where this is required by European or national lawmakers in EU regulations, national laws or other provisions applying to the data controller. We will also block or erase the data upon expiry of a legal retention period stipulated in any of the rules referred to above, unless it is still necessary to retain the data for concluding or performing a contract.
Provision of websites and creation of log files
Each time you visit our websites our system will automatically collect data and information from the computer system you use.
This refers to the following data:
- Information about the type of browser and the specific version used
- Operating system of the user
- IP address of the user
- Resulting from this: Origin of the request (organisation, country, town)
- Internet service provider of the user
- Date and time of the request
- Length of stay
- Websites from which the user’s system was referred to our websites
Of this data only the following are saved in our system’s log files:
- Information about the type of browser and the specific version used
- Operating system of the user
- Date and time of the request
However, when storing these data they will not be linked with any other personal data of the user. Accordingly no personal Information is saved.
Use of cookies
1. Description and scope of data processing
Our websites use so-called session cookies. Session cookies are small text files that are stored in a user’s computer memory. Each session cookie contains a random unique identification number, called session ID. Moreover, cookies hold information about their origin and the retention period. These cookies can not save other data.
(There are also permanent cookies to be able to recognise visitors after a long time. This information is stored as a text file on the visitor’s computer hard disk. By contrast, the session cookies that we use are deleted as soon as your session ends.)
2. Legal basis for data processing
The legal basis for data processing by using cookies is provided by Art. 6 (1) (f) GDPR.
3. Purpose of data processing
The purpose of using technically necessary cookies is to make it easier for users to navigate the websites. Some functions of our websites cannot be offered without these cookies. They require that the browser is recognised after a page change.
User data collected by technically necessary cookies will not be used for the creation of user profiles.
4. Retention period, possibility of objection and elimination
The session cookies we use are essential for the functioning of our websites and are deleted as soon as you end your session.
Newsletter / Sending of press information
Not applicable for the websites we maintain. You can find Information about the data protection regrading the newsletter of the university in the central data protection information of the UDE.
Contact sheets and application forms
1. Description and scope of data processing
Sometimes the website may use contact forms, which can be used for electronic contact. Where a user uses this option the data entered into the corresponding input mask are submitted to us and stored by us. These data involves:
- Desired contact person
- name
- email address
- reference / message.
At the time of delivery we also store the following data:
- Date and time of the message.
- IP address of the user, resulting from this: Origin of the request (organisation, country, town), Internet service provider of the user
Consent to data processing is obtained in the context of the submission process, while reference is made to this privacy policy.
We do not disclose any data to third parties in this context.
2. Legal basis for data processing
The legal basis for processing data is provided by Art. 6 (1) (a) GDPR where the user has given consent.
The legal basis for processing data submitted by sending an email is provided by Art. 6 (1) (f) GDPR.
Where the email communication is aimed at concluding a contract, the additional legal basis for processing is Art. 6 (1) (b) GDPR.
3. Purpose of data processing
Personal data from the input mask are only processed for the purpose of processing the intention specified in the form.
All other personal data processed during the submission process serve the purpose of avoiding misuse of our contact form and ensuring the safety of our IT systems.
4. Retention period
We will delete the data as soon as they are no longer necessary in relation to the purposes for which they were collected. This is the case for general contact forms, if the respective user conversation has ended. The data of login forms will be deleted, if the registration period is over and the applicants are assigned. In case of an application to university, the data is saved for up to twelve month past the date of confirmation or rejection.
5. Possibility of objection and elimination
Users have the right to withdraw consent to the processing of their personal data at any time. Where users contact us per email, they may object to the storage of their personal data at any time. The conversation cannot be continued under these circumstances.
In such a case all personal data stored in the course of the communication will be deleted.
Third-party services
1. Social media activities
Our website services include links to our social media channels hosted with the following providers:
- Google+
- YouTube
- Flickr
- Wordpress.com
For accessing these channels it is necessary that the user’s IP address becomes visible to the providers, because without the IP address no content can be delivered to the browser of the specific user. This means that the IP address is necessary for displaying these contents. We cannot influence whether and how third-party providers save and use IP addresses.
Privacy at Facebook
The privacy policies of Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Irland:
https://www.facebook.com/privacy/explanation
Privacy at Twitter
The privacy policies of Twitter Inc., 795 Folsom Street, Suite 600, San Francisco, CA 94107, USA:
https://twitter.com/de/privacy
Privacy at Instagram
https://help.instagram.com/155833707900388
Privacy at Google+
The privacy policies of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA:
https://policies.google.com/privacy?hl=de&gl=de
Privacy at Youtube
The privacy policies of Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA:
https://policies.google.com/privacy?hl=de&gl=de
Privacy at Flickr
https://policies.oath.com/ie/de/oath/privacy/products/flickr/index.html
Privacy at XING
https://privacy.xing.com/de/datenschutzerklaerung
Privacy at LinkedIn
https://legal.linkedin.com/dpa
Privacy at Wordpress.com
https://automattic.com/privacy
2. Integration of GoogleMaps
Our websites use social plugins (“plugins”) of the social online network Google, operated by Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA.
Where you access a page of our websites containing such a plugin, your browser will establish a direct connection with Google’s servers. The content of the plugin is submitted directly to your browser by Google and thus integrated into the website services.
Through this integration of the plugin, Google+ receives the information that you have accessed the corresponding page of our websites. When you are logged in to Google+ at this moment, Google+ can link your visit to your Google+ account. As far as the purpose and scope of the data collection and further processing and use of the data by Google+ and your corresponding rights and privacy configuration options are concerned, please refer to Google’s privacy policy under: https://policies.google.com/privacy?hl=en&gl=en
3. Integration of YouTube videos
You may find YouTube videos integrated into the websites of University of Duisburg-Essen. As a rule, this requires that the user’s IP address becomes visible to the provider, because without the IP address no content can be delivered to the browser of the specific user. This means that the IP address is necessary for displaying these contents. We cannot influence whether and how third-party providers save and process IP addresses.
The privacy policy for the use of YouTube can be consulted under:
https://policies.google.com/privacy?hl=en&gl=en
Rights of the data subject
Where we process your personal data, you are a data subject within the meaning of the GDPR and have the following rights with regard to the controller:
1. Right of access
You may obtain from the controller confirmation as to whether or not we process any personal data concerning you.
Where this is the case, you may request the controller to provide you with the following information:
(1) The purposes of processing the personal data;
(2) The categories of personal data concerned;
(3) The recipients or categories of recipients to whom the personal data have been or will be disclosed;
(4) The envisaged period for which the personal data concerning you will be stored, or, if not possible, the criteria used to determine that period;
(5) The existence of the right to request from the controller rectification or erasure of the personal data or restriction of processing of personal data concerning you or to object to such processing;
(6) The right to lodge a complaint with a supervisory authority.
(7) Any available information as to the source of the data, where the personal data are not collected from the data subject;
(8) The existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information whether the personal data concerning you are disclosed to third countries or international organisations. In this context you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR with regard to the transfer.
This right to access may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.
2. Right to rectification
You have a right to obtain from the controller the rectification and/or completion, where the processed personal data concerning you are inaccurate or incomplete. The controller must undertake the rectification without delay.
Your right to rectification may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.
3. Right to restriction of processing
Under the following conditions you may demand a restriction of the processing of personal data concerning you:
(1) You contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
(2) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) The controller no longer needs the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims; or
(4) You have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your interest.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Where restriction of processing has been obtained under the conditions above, you will be informed by the controller before the restriction of processing is lifted.
Your right to restriction of processing may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.
4. Right to erasure
(a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) You withdraw consent on which the processing is based according to Art. 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing;
(3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
(4) The personal data concerning you have been unlawfully processed;
(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
(b) Information to third parties
Where the controller has made public the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
(c) Exceptions
The right to erasure does not exist to the extent that processing is necessary:
(1) For exercising the right of freedom of expression and information;
(2) For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) For reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
(4) For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in section (a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) For the establishment, exercise or defence of legal claims.
5. Right to be informed
Where you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to communicate any rectification or erasure of personal data concerning you or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.
You also have the right to be informed about these recipients by the controllers.
6. Right to data portability
You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR; and
(2) The processing is carried out by automated means.
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others may not be affected adversely hereby.
The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.
The controller will no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purposes of establishing, exercising or defending legal claims.
Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
You also have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, where these are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR.
Your right to object may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.
8. Right to withdraw consent given under data protection law
You have the right to withdraw consent given under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
(1) Is necessary for entering into, or performance of, a contract between you and the data controller;
(2) Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
(3) Is based on your explicit consent.
However these decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3) above, the data controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.