Privacy notice / Datenschutzbestimmungen

Privacy notice for Saarland University websites

Saarland University regards the protection of personal data as an essential part of its digitalization strategy. Ensuring that individuals have the right to decide on the disclosure and processing of their personal data is of utmost priority to the university. This privacy notice refers to the websites that Saarland University is responsible for. If the scope of data processing on a Saarland University website goes beyond the procedures described here, this will be stated explicitly on the relevant website.

Name and address of the data controller

The data controller as defined by the General Data Protection Regulation, national data protection laws of member states and other data protection regulations is:

Saarland University
represented by the University President
Campus
66123 Saarbrücken
Tel.: +49 681 302-0
postzentrale(at)uni-saarland.de

Contact details for the data protection officer

Meerwiesertalweg 15
66123 Saarbrücken
Tel.: +49 681 302-2813
datenschutz(at)uni-saarland.de
www.uni-saarland.de/datenschutz

General information on data processing

Purpose and scope of processing personal data

Saarland University processes personal data only to the extent necessary to provide a functioning website, to deliver website content and to offer services. As a rule, personal data are only processed after the user gives their consent. An exception applies in those circumstances in which it is not possible to obtain the user’s prior consent and the processing of such data is permitted by law.

Legal basis for processing personal data

Art. 6(1)(a) of the EU General Data Protection Regulation (GDPR) forms the legal basis for Saarland University to obtain the consent of a data subject for their personal data to be processed.

Art. 6(1)(b) GDPR forms the legal basis for processing personal data required for the performance of a contract to which the data subject is party. This also applies if data have to be processed prior to entering into a contract.

Art. 6(1)(c) GDPR forms the legal basis if personal data have to be processed in order to fulfil a legal obligation on the part of Saarland University.

Art. 6(1)(d) GDPR forms the legal basis when processing of personal data is necessary to protect vital interests of the data subject or another natural person.

Insofar as Saarland University is acting to fulfil its legally assigned research and teaching duties, the legal basis for processing data is Section 3(13), Saarland Higher Education Institutions Act.

Art. 6(1)(f) GDPR forms the legal basis if data processing is necessary in order to protect the legitimate interests of Saarland University or of a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

Erasure of data and storage period

The personal data of the data subject are erased or blocked as soon as the reason for storing them ceases to exist. Storage beyond this time period may occur if provided for by European or national legislators in Union regulations or national legislation and rules to which the data controller is subject. Such data shall also be blocked or erased if a storage period prescribed by one of the aforementioned legal standards expires, unless further storage of the data is necessary for entering into or performing a contract.

Providing content and log files

Description and scope of data processing

Each time a Saarland University website is accessed, our system automatically collects data and information from the user’s computer system in order to deliver website content. The following data are collected:

  • The user’s IP address
  • Date and time of access
  • Referrer website
  • Data transfer size
  • HTTP error code (error log)

The data are stored in our system’s log files. We do not store the user’s IP addresses or other data that make it possible to assign the data to a specific user. The IP addresses are truncated by the last two octets (e.g. 192.168.xxx.xxx). These data are not stored together with the user’s personal data.

Legal basis for data processing

The legal basis for the temporary storage of data and log files is Art. 6(1)(f) GDPR.

Purpose of data processing

The temporary storage of the IP address by the system is necessary in order to deliver the website to the user’s computer. The user’s IP address is stored for the duration of the session.

Data are stored in log files to ensure the website’s functionality. These data also help us optimize the website and ensure that our IT systems are secure. Data evaluation for other purposes does not take place in this context.

The purposes stated above constitute our legitimate interests in processing data in accordance with Art. 6(1)(f) GDPR.

Storage period

Data are erased as soon as they are no longer required for the purpose for which they were collected. Data that have been collected for the purpose of providing the website are erased at the end of the respective session.

Data stored in log files are erased after no more than seven days. A longer storage period is possible. In this case, the users’ IP addresses will be erased or shortened by the last two octets (e.g. 192.168.xxx.xxx), so that they cannot be assigned to specific users.

Options for filing an objection or requesting removal

The collection of data for the purpose of providing the website and the storage of such data in log files is essential to the website’s operation and the user cannot therefore object to such use.

Use of cookies

Description and scope of data processing

Saarland University websites may use cookies. Cookies are text files that are stored by the web browser on the user’s computer system. When a user accesses a website, a cookie may be stored in the user’s operating system. This cookie contains a character string that allows the unique identification of the browser when the website is accessed again.

We use cookies to make the browsing experience more user-friendly. Some elements of our websites require that the requesting browser can also be identified after changing pages or when using specific services. In such cases, the user is informed about the use of cookies for analysis purposes, and their consent to the processing of the personal data used in this context is obtained. The user will also be informed about this privacy notice.

Legal basis for data processing

The legal basis for the processing of personal data with the use of cookies is Art. 6(1)(f) GDPR.

Once the user has granted consent, the legal basis for data processing with the use of cookies for analysis purposes is Art. 6(1)(a) GDPR.

Purpose of data processing

Cookies that are required for technical reasons are used to enhance the user experience. Some functions on Saarland University websites cannot be offered without the use of cookies. In order for these functions to work correctly, it is necessary that the browser is recognized when the user accesses another page.

The user data collected by cookies that are required for technical reasons are not used to create user profiles.

Storage period, options for filing an objection or requesting removal

As cookies are stored on the user’s computer and are transmitted from it to our website, users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing the settings in their web browser. Cookies that are already stored can be erased at any time. This may also be done automatically. If you deactivate cookies on a Saarland University website, you may not be able to use some of the website’s functions in full.

Newsletters

Description and scope of data processing

Some Saarland University websites offer subscription to a free newsletter. If you register for a newsletter, the data from the input form will be transmitted to us.

  • Email address
  • Area of interest
  • Newsletter frequency
  • Regional or national edition

In addition, the following data are collected during registration:

  • User’s IP address
  • Date and time of registration

In the course of the registration process, we request the user’s consent for processing personal data and draw their attention to this privacy notice.

No data are disclosed to third parties in connection with data processing for the dispatch of newsletters. Such data are used exclusively for the purpose of sending the newsletter.

Legal basis for data processing

Once the user has granted consent, the legal basis for data processing following the user’s registration for a newsletter is Art. 6(1)(a) GDPR.

Purpose of data processing

The user’s email address is needed to deliver the newsletter.

Storage period

Data are erased as soon as they are no longer required for the purpose for which they were collected. Users’ email addresses are therefore stored for as long as they subscribe to the newsletter.

Options for filing an objection or requesting removal

Users may unsubscribe from a newsletter at any time. Each newsletter contains a link for this purpose. This also allows subscribers to revoke their consent to the storage of personal data collected during the registration process.

Contact form and contact by email

Description and scope of data processing

Contact forms are available on some Saarland University websites and may be used to contact us electronically. If a user contacts us in this way, the data they enter in the input form are transmitted to us and stored. As the data collected are specific to each contact form, please refer to the relevant contact form.

The following data are also stored when the message is transmitted:

  • The user’s IP address
  • Date and time of registration

Before the message is sent, we request the user’s consent for processing their personal data and draw their attention to this privacy notice.

Alternatively, users may contact us using the email address provided. In this case, the personal data of the user transmitted with the email will be stored.

No data are disclosed to third parties in connection with the data processing required for this purpose. The data are used exclusively for processing the conversation (i.e. email communication) with the user.

Legal basis for data processing

Once the user has granted consent, the legal basis for data processing is Art. 6(1)(a) GDPR.

The legal basis for the processing of data transmitted by email is Art. 6(1)(f) GDPR. If the purpose of the email contact is to enter into a contract, the additional legal basis for data processing is Art. 6(1)(b) GDPR.

Purpose of data processing

The personal data from the input form are processed solely for the purpose of contacting the user. If the user contacts us by email, this also constitutes our legitimate interest in processing the data.

All other personal data processed during the transmission of an email serve to prevent misuse of the contact form and to ensure that our IT systems are secure.

Storage period

Data are erased as soon as they are no longer required for the purpose for which they were collected. This is the case for the personal data from the contact form and those data sent by email when the respective conversation with the user has ended. The conversation will be deemed to have ended when it can be inferred from the circumstances that the subject matter in question has been conclusively settled.

Any additional personal data collected during the transmission process will be erased after a period of no more than seven days.

Options for filing an objection or requesting removal

Users can withdraw their consent for the processing of their personal data at any time. If the user contacts us by email, they may withdraw their consent for the storage of their personal data at any time.

In such cases, the conversation cannot be continued and all personal data stored when contact was made will be erased.

Web analysis using Matomo (formerly PIWIK)

Scope of processing of personal data

Saarland University websites may use the Matomo open-source software tool (formerly PIWIK) to analyse our users’ browsing behaviour. The software places a cookie on the user’s computer (please see above for more information about cookies). If the user accesses individual pages on a Saarland University website, the following data are stored:

  • Two bytes of the user’s IP address
  • The accessed website
  • The referrer website
  • Other pages retrieved via the accessed website
  • Time on site
  • Access frequency
  • Number of actions on the website (page views, downloads, use of external links, internal search queries)

The software used for such analyses runs exclusively on our servers. Users’ personal data are stored on these servers only. Data are not disclosed to third parties.

The software is configured so that it does not store IP addresses in full, but instead masks two bytes of the IP address (e.g. 192.168.xxx.xxx). In this way, the truncated IP address can no longer be traced to the accessing computer.

Legal basis for processing personal data

The legal basis for the processing of users’ personal data is Art. 6(1)(f) GDPR.

Purpose of data processing

Processing our users’ personal data allows us to analyse their browsing behaviour. By evaluating the collected data we are able to collate information about the use of Saarland University websites. This helps us to continuously improve our content and user experience. The reasons stated above constitute our legitimate interests in processing data in accordance with Art. 6(1)(f) GDPR. Anonymizing the IP address takes appropriate account of users’ interests in the protection of their personal data.

Storage period

Data are erased as soon as we no longer need them for tracking purposes, which in our case means after six months.

Options for filing an objection or requesting removal

As cookies are stored on the user’s computer and are transmitted from it to a Saarland University website, users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing the settings in their web browser. Cookies that are already stored can be erased at any time. This may also be done automatically. If you deactivate cookies for a Saarland University website, you may not be able to use some of the website’s functions in full.

Our users can opt out of the analysis process. To do this, you must uncheck the corresponding check box. This places an additional cookie on the user’s system that signals to our system not to store the user’s data. If the user subsequently deletes this cookie from their own system, they must set the opt-out cookie again.

You can find further information about Matomo software and its privacy settings under the following link: https://matomo.org/docs/privacy/

Rights of the data subject

If any of your personal data are processed, you are considered a data subject within the meaning of the GDPR and have the following rights in relation to Saarland University:

Right of access

You have the right to obtain confirmation from the data controller as to whether or not we are processing your personal data.

If your data are being processed, you have the right to request the following from the data controller:

  • The purposes for which your personal data are processed
  • The categories of personal data processed
  • The recipients or categories of recipients to whom your personal data have been or will be disclosed
  • The planned storage period for your personal data or, if details cannot be provided, the criteria used to determine the storage period
  • The existence of the right to rectification or erasure of your personal data, a right to limitation of processing by the data controller or a right to object to such processing
  • The right to lodge a complaint with a supervisory authority
  • All available information on the source of the data if the personal data are not collected from the data subject
  • Information on the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information as to whether your personal data are transmitted to a third country or to an international organization. Where personal data are transferred to a third country or to an international organization, you may request that you are informed of the appropriate safeguards in accordance with Art. 46 GDPR.

This right of access may be restricted if it is likely to render impossible or seriously impair the research or statistical purposes for which the data are required and restricting the right of access is necessary to achieve the required research or statistical purposes.

Right to rectification

You have the right to obtain from the data controller the rectification and/or completion of your personal data if the data processed are inaccurate or incomplete. The data controller must rectify such data without delay.

Your right to rectification may be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data are required and restricting the right to rectification is necessary for achieving the required research or statistical purposes.

Right to restriction of processing

You may request that the processing of your personal data is restricted in the event that one of the following applies:

  • You contest the accuracy of the personal data for a period that enables the data controller to verify their accuracy.
  • The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use.
  • The data controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims.
  • You have objected to processing in accordance with Art. 21(1) GDPR pending verification whether the legitimate grounds of the controller override your reasons.

If the processing of your personal data has been restricted, the data may, with the exception of storage, only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.

If processing has been restricted in accordance with the above conditions, the data controller shall inform you before the restriction is lifted.

Your right to restriction of processing may be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data are required and this restriction is necessary for achieving the required research or statistical purposes.

Right to erasure

Duty to erase

You may request that the data controller erase your personal data without delay. The data controller is obliged to erase these data without delay in the event that one of the following applies:

  • Your personal data are no longer required for the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing was based in accordance with Art. 6(1)(a) or Art. 9(2)(a) GDPR and there is no other legal basis for the processing.
  • You object to the processing in accordance with Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing in accordance with Art. 21(2) GDPR.
  • Your personal data have been processed unlawfully.
  • The erasure of your personal data is necessary to fulfil a legal obligation under Union or Member State law to which the data controller is subject.
  • Your personal data have been collected in relation to information society services in accordance with Art. 8(1) GDPR.

Obligation to inform third parties

If the data controller has made your personal data public and is obliged to erase them in accordance with Art. 17(1) GDPR, the controller shall, taking account of available technology and the cost of implementation, take reasonable steps to inform data controllers responsible for processing such personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, these personal data.

Exceptions

The right to erasure does not apply insofar as the processing is necessary:

  • To exercise the right to freedom of expression and information
  • To fulfil a legal obligation that requires processing in accordance with Union or Member State law to which the data controller is subject or to perform a task in the public interest or in the exercise of official authority vested in the data controller
  • For reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) and Art. 9(3) GDPR
  • For archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89(1) GDPR insofar as the right referred to in Art. 89(1)(a) is likely to render impossible or seriously impair the achievement of the objectives of such processing.
  • To assert, exercise or defend legal claims.

Right to notification

If you have exercised your right to have the data controller rectify, erase or restrict the processing of your personal data, the controller is obliged to inform all recipients to whom such data have been disclosed of their rectification or erasure or of the restriction of processing, unless this proves impossible or involves disproportionate effort.

You have the right to be informed of these recipients by the controller.

Right to data portability

You have the right to receive the personal data you made available to the data controller in a structured, common and machine-readable format. You also have the right to transmit these data to another data controller without hindrance from the data controller to whom they were made available, provided that:

  • The processing is based on consent in accordance with Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract in accordance with Art. 6(1)(b) GDPR.
  • The processing is carried out by automated means.

In exercising this right, you also have the right to have your personal data transmitted directly from one data controller to another insofar as this is technically feasible. This must not compromise the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the data controller.

Right to object

You have the right, on grounds relating to your particular situation, to object at any time to the processing of your personal data that occurs on the basis of Art. 6(1)(e) or (f) GDPR; this also applies to profiling activities undertaken on the basis of these provisions.

Saarland University shall no longer process your personal data, unless it produces compelling legitimate reasons for such processing that outweigh your interests, rights and freedoms or such processing is necessary for asserting, exercising or defending legal claims.

In connection with the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You also have the right, on grounds relating to your particular situation, to object to the processing of your personal data that occurs for scientific or historical research purposes or for statistical purposes in accordance with Art. 89(1) GDPR.

Your right to object may be restricted insofar as it is likely to render impossible or seriously impair the achievement of research or statistical purposes, and this restriction is necessary for achieving such research or statistical purposes.

Right to withdraw a declaration of consent concerning data protection

You have the right to withdraw your declaration of consent concerning data protection at any time. Withdrawing your consent does not affect the lawfulness of data processing based on your consent before its withdrawal.

Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.

The regulatory authority responsible for Saarland University is:

Unabhängiges Datenschutzzentrum Saarland
Die Landesbeauftragte für Datenschutz und Informationsfreiheit
Fritz-Dobisch-Straße 12
66111 Saarbrücken
Tel.: +49 681 94781-0
poststelle(at)datenschutz.saarland.de

Updates to this privacy notice

Please note that Saarland University’s online services are subject to constant change and development and this privacy notice will be updated accordingly. You should therefore read this privacy notice regularly to keep informed about changes with regard to the processing of your personal data. We will notify you if these changes require your consent.
