I. Name and Address of the Data Controller
The data controller (hereinafter: 'Controller') as mandated by the General Data Protection Regulation and other national data protection laws from member states as well as other regulations relevant to data protection is:
University of Bonn
Regina-Pacis-Weg 3
53113 Bonn
Germany
Phone: +49 228 73-0
Email: kommunikation@uni-bonn.de
Website: https://www.uni-bonn.de
II. Name and Address of the Data Protection Officer
The data protection officer of the Controller is:
Derya Kartal
Adenauerallee 72-74
53115 Bonn, Germany
Email: datenschutz@uni-bonn.de
Phone: +49 228 73 - 4096
III. General Information on Data Processing
1. Scope of Processing of Personal Data
We process the personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Routine processing of our users’ personal data is performed solely with the consent of the user. An exception comes in cases where the prior acquisition of consent is not possible for practical reasons and stipulations allowing for such processing are included in the legal requirements.
2. Legal Basis for the Processing of Personal Data
Insofar as we have obtained the consent of the data subject for the processing of their data, Art. 6 para. 1(a) GDPR serves as the legal basis for such processing. The legal basis for the processing of personal data required for the fulfillment of a contract to which the data subject is a party is Art. 6 para. 1(b) GDPR. This also applies to measures in preparation of said contract.
The legal basis for the processing of personal data to fulfill a legal obligation on the part of the University of Bonn is Art. 6 para. 1(c) GDPR.
The legal basis for the processing of personal data as necessary to protect the vital interests of the data subject or another natural person is Art. 6 para. 1(d) GDPR.
The legal basis for processing required for the execution of duties in the public interest or the exercise of public authority that has been transferred to the University is Art. 6 para. 1(e) GDPR.
The legal basis for the processing of personal data as necessary to provide a secure and optimized user experience is Art. 6 para. 1(f) GDPR.
3. Erasure of Data and Duration of Storage
The personal data of the data subject is to be erased or locked as soon as the purpose for storage no longer applies. Storage can potentially extend beyond this point where necessitated by European or national legislation reflecting EU-wide directives, laws or other rules to which the Controller is subject. The data must then be locked or erased upon expiration of the retention period stipulated by the aforementioned standards, unless it is necessary to continue storage of the data for reasons of entering into or completing a contract.
IV. Provision of the Website and Creation of Log Files
1. Description and Scope of Data Processing
Each time our internet pages are requested, our system automatically records data and information about the requesting computer's system.
The following data is recorded:
Information about the browser type and version
The user's operating system
The user's internet service provider
The user's IP address
Date and time of access
Referrer website Websites accessed by the user’s system via our website (within *.uni-bonn.de, details of referrers will not be communicated to third parties)
The log files contain IP addresses and other data that allows for identification of a user. This can for example be the case where a link from a referring website or from our pages to another website contains personal data. The data is also stored in log files on our system. This data is not stored together with other personal data from the user.
2. Legal Basis for Data Processing
The legal basis for the processing of personal data regarding the user's computer system is our own legitimate interest of operating this website and guarantee its secure functioning in accordance with Art. 6 para. 1(f) GDPR.
3. Purpose of Data Processing
The temporary storage of the IP address by the system is required to allow for the website to be delivered to the user's computer. The IP address of the user must be stored for the duration of the session. Log files are stored to ensure the functionality of the website. Beyond this, the data ensures the security of our IT systems. No analysis of the data for statistical or marketing purposes is made in this context.
4. Duration of Storage
The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. For data collected for the purpose of providing the website, this is the case once the respective session has ended. For data stored in log files, this purpose expires fourteen days after it is collected.
5. Options for Objecting and Removal
The collection of data for the provision of the website and storage of data in log files is necessary for the operating of the internet site. As a result, the user has no option for objecting in this context.
V. Use of Cookies
1. Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user requests the website, a cookie, referred to as session, is stored on the user's operating system. This cookie contains a characteristic string of characters that allows for the unambiguous identification of the browser if a resource hosted on the website is requested at a later point. Some elements of our internet site require that the requesting browser can be identified even when a new page is opened.
Beyond this, options effecting how elements of the website are displayed as well as time zone information is stored within the session.
2. Legal Basis for Data Processing
The legal basis for the processing of personal data using cookies is our own legitimate interest of providing a user friendly service in accordance with Art. 6 para. 1(f) GDPR.
3. Purpose of Data Processing
Cookies related to a necessary technical function make the website easier to use. Some functions on our internet site cannot be provided without the use of cookies. It is necessary for example that the browser be recognized again when navigating between pages. Specifically, once a person has submitted their personal login information, a cookie is used to authenticate any resource requested within the scope of the website in order to prevent the requirement of submitting an authentication for every request individually.
User data collected through technically necessary cookies are not used to create a user profile. No data related to or acquired through the use of cookies is processed for analytical or marketing purposes.
4. Duration of Storage, Options for Objecting and Removal
Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.
The maximum duration for which cookies are stored on our servers is thirty-one days.
VI. Contact by Email
1. Description and Scope of Data Processing
You may contact us at the email addresses provided. In this case, the user’s personal data transmitted with the email will be stored. The data will not be shared with third parties. The data is used exclusively for processing the conversation (i.e. email communication) with the user.
2. Legal Basis for Data Processing
Once the user has granted consent, the legal basis for data processing is Art. 6 para.1(a) GDPR.
If the purpose of the email contact is to enter into a contract, the additional legal basis for data processing is Art. 6 para. 1(b) GDPR.
If the processed data includes financial information, the Controller may be subject to additional legal obligations. In these cases, the additional legal basis for data processing is Art. 6 para. 1(c) GDPR.
3. Purpose of Data Processing
The personal data obtained through any contact form is processed solely for the purpose of contacting the user.
4. Duration of Storage
The data is erased as soon as its retention is no longer required to achieve the purpose for which it was recorded. For data sent by email this is the case when the respective conversation with the user has ended. The conversation is deemed to have ended once the circumstances of the conversation indicate that the relative topic of discussion has been fully clarified.
For information sent by email which is required to fulfill a contract between the user and the Controller the storage may extent until the contract is either fulfilled or terminated. In cases where data is processed relating to financial transactions, such as bank information or receipts, the mandatory storage period for such data is either six, eight or ten years depending on the nature of the data.
5. Options for Objecting and Removal
Users may withdraw their consent for the processing of their personal data at any time. If the user has only engaged in contact with us via email, then objection to the storage of their personal data can be submitted at any time; in such a case, however, the conversation will not be continued beyond a confirmation of carrying out the deletion of their personal data.
If consent is revoked, all personal data stored when contact was made will be erased. Please note that for personal data processed in order to fulfill a contract additional terms of storage may apply. Especially financial data is subject to regulations that require a storage of six, eight or ten years depending on the nature of the data. If data has to be retained for such purposes, the user is informed accordingly.
VII. Application and Registration Forms
1. Description and Scope of Data Processing
Some of the events listed on the website require users to submit personal data in order to participate. This data may be processed to support users with their travel arrangements, provide financial support or evaluate their suitability as participants. The user has full control over what personal data is submitted. However, certain data may be required to fulfill the request.
Before this data is shared with third parties for example in order to book an accommodation, the user is asked their consent. Furthermore, we may be compelled by law to share the entered data with government authorities in whole or in part.
The data entered by users into application and registration forms may also be subject to statistical evaluations that is shared with third parties in order to apply for funding. Data processed for this purpose is de-personalized i.e., all personal information is removed from the data set.
2. Legal Basis for Data Processing
Once the user has granted consent, the legal basis for data processing is Art. 6 para.1(a) GDPR.
Some of the data may be used to fulfill a contract which may include third parties e.g., if the user is provided an accommodation as part of their participation in one of our events or if funding is obtained from a third party. In such cases, the additional legal basis for data processing is Art. 6 para. 1(b) GDPR.
Insofar personal data is processed in order to satisfy legal obligations, the additional legal basis for data processing is Art. 6 para. 1(c) GDPR.
3. Purpose of Data Processing
The personal data obtained through application and registration forms is processed for the following purposes:
(1) Evaluating users' suitability as a participant of the respective event to which a given form is linked;
(2) Evaluating users' eligibility for financial support provided by the Controller;
(3) Supporting users' with their travel arrangements;
(4) Keeping statistical records which may be shared with third parties in order to apply for funding.
4. Duration of Storage
The data is erased as soon as its retention is no longer required to achieve the purpose for which it was recorded. For data entered into application and registration forms this is the case once the respective event linked to a given form has concluded.
Any data necessary to fulfill a contract between the user and the Controller is retained until the contract is either fulfilled or terminated. If this contract includes a third party, this party may process the data in accordance to its own data policy. In such cases, the Controller informs the user about any such policy prior to entering into a contract.
Data retained in order to satisfy legal obligations placed upon the Controller is retained as long as the relevant legal obligation stipulates. The Controller is obligated to retain Financial data for a period of six, eight or ten years depending on the nature of the data.
5. Options for Objecting and Removal
Users may withdraw their consent for the processing of their personal data at any time and we will delete any personal data as requested by the user. Insofar as the personal data is processed in order to fulfill a contract the relevant data is only deleted after the contract has been fulfilled or terminated. Insofar as the personal data is processed in order to comply with any legal obligations, the relevant data is only deleted after this obligation no longer applies.
Users are informed about the particular limitations which apply to their objections and requests for removal by the Controller upon receiving such an objection or request.
VIII. Rights of the Data Subject
If your personal data is processed, then you as data subject have the following rights against the Controller as established in the GDPR:
1. Right of Access
You can demand confirmation from the Controller whether your personal data is being processed. If such processing exists, then you can demand the following information from the Controller:
(1) The purposes for which your personal data are processed;
(2) The categories of personal data processed;
(3) The recipients and/or category of recipients who have been or are still being provided with your personal data;
(4) The planned duration of storage of your personal data or, if concrete information cannot be provided here, the criteria for determining the duration of storage;
(5) The existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
(6) The right to lodge a complaint with a supervisory authority;
(7) All available information on the source of the data if the personal data is not collected from the data subject;
(8) Information on the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to demand information about whether your personal data has been forwarded to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees as per Art. 46 GDPR related to such transfers. Insofar as the data processing serves scientific, historical or statistical research purposes, the right of access can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.
2. Right of Rectification
You have the right to rectification and/or completion of your data from the Controller, insofar as your processed personal data are incorrect or incomplete. The Controller must undertake the corrections immediately. Where the data processing serves scientific, historical or statistical research purposes, the right of rectification can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.
3. Right to Restriction of Processing
Where the following conditions are met, you have the right to restrict processing of your personal data:
(1) You contest the accuracy of the personal data for a period that enables the Controller to verify their accuracy;
(2) The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use;
(3) The Controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims, or
(4) You have objected to processing in accordance with Art. 21 para. 1 GDPR pending verification whether the legitimate grounds of the Controller override your reasons.
If processing of your personal data has been restricted, then that data — other than storage — may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural person or legal entity or from reasons of important public interest to the European Union or one of its member states. If processing is restricted based on the aforementioned conditions, then you will be informed by the Controller before the restrictions are lifted. Where data processing serves scientific, historical or statistical research purposes, your right to limit processing can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.
4. Right to Erasure
a) Right of Erasure
You can demand that the Controller immediately erase your personal data. The Controller is obligated to erase this data immediately, insofar as one of the following reasons applies:
(1) Your personal data is no longer needed for the purpose for which it was collected or otherwise processed.
(2) You revoke your consent that allowed for processing in accordance with Art. 6 para. 1(a) or Art. 9 para. 2(a) GDPR, and no other legal basis for processing applies.
(3) You file an official objection to processing in accordance with Art. 21 para. (1) GDPR and no overriding justification for the processing applies, or you file an official objection to processing in accordance with Art. 21 para. (2) GDPR.
(4) Your personal data were processed in an illegal manner.
(5) The erasure of your personal data is required to fulfill a legal obligation based on EU law or the law of the Controller’s member state.
(6) Your personal data was collected in the context of services provided by the IT company in accordance with Art. 8 para. (1) GDPR.
b) Information to Third Parties
If the Controller has made your personal data public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers who are processing your personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, the personal data.
c) Exceptions
The right of erasure does not apply where data processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation which requires processing in accordance with Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2(h) and 9 para. 2(i) and Art. 9 para. 3 GDPR;
(4) for archiving purposes in the public interest or for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. (1) GDPR, insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the assertion, exercise or defense of legal claims
5. Right of Information
If you have exercised your right of notification, erasure and restriction of processing against the Controller, then the Controller is obligated to inform all recipients who received your personal data about that notification, erasure or restriction of processing, unless this is impossible or involves an unreasonable amount of cost and complexity. You have the right to demand of the Controller information about those recipients.
6. Right to Data Portability
You have the right to receive your personal data that you have provided the Controller in a structured, commonly used machine-readable format. Furthermore you have the right to transfer that data to a different Controller, without impediment by the Controller who received the personal data, insofar as
(1) the processing is based on consent provided according to Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR or on a contract pursuant to Art. 6 para. 1(b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you furthermore have the right to demand that your personal data be transferred directly from one controller to another controller, insofar this is technically feasible. Freedoms and rights of other persons may not be violated in this process. The right to data portability does not apply in cases of processing of personal data required for execution of duties in the public interest or the execution of public authority that has been transferred to the Controller.
7. Right to object
You have the right to object at any time for reasons related to your specific situation to the processing of your personal data on the basis of Art. 6 para. 1(e) GDPR, including profiling based on that provision. In the event of an objection, the Controller will no longer process your personal data, unless he or she can provide urgent defensible reasons for processing that outweigh your interests, rights and freedoms, or where the processing serves the assertion, exercise or defense of legal claims. Where data processing is for scientific, historical or statistical research purposes as per Art. 89 para. (1) GDPR, you shall have the additional right to object to the processing of your personal data on grounds relating to your particular situation, unless the processing is necessary for the fulfillment of tasks in the public interest.
8. Right of Revocation of Declaration of Consent to Processing
You have the right to revoke your declaration of consent to data processing at any time. Revoking consent does not affect the legality of the data processing performed before the point of rescission on the basis of the consent provided.
9. Automated Individual Decision-Making, Including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects for you or that has a similarly significantly impact on you. This shall not apply if the decision
(1) is necessary for entering into a contract between you and the Controller or for the performance of such a contract;
(2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms
and legitimate interests; or(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2(a) or Art. 9 para. 2(g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place. In the cases referred to in (1) and (3) above, the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.
10. Right of Complaint to a Supervisory Authority
Irrespective of any other available administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the member state of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the EU’s GDPR. The supervisory authority receiving the complaint will inform the complainant about the status and results of the complaint, including the option for legal remedy in accordance with Art. 78 GDPR.
The competent supervisory authority for the University of Bonn is the:
Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
[State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia]
Postfach 20 04 44
40102 Düsseldorf
Germany
Phone: +49 211 38424-0
Fax: +49 211 38424-10
Email: poststelle(at)ldi.nrw.de