Data Privacy Regulation

Disclaimer

I. General Preliminary Remarks

The central web server www.uni-bremen.de together with the individual sites belonging to the University of Bremen present the University internally and externally, disseminate information and support the tasks of the university. The web presence has an independent, uniform design. However, the university institutes and faculties have a certain freedom when it comes to the individual design of their homepages and in this context also bear their own responsibility.

II. Responsibilities and Competences

No guarantee is given for the operation or for the correctness and topicality of the information contained in the web presence. The Center for Networks at the University of Bremen is responsible for the operation of the server. The respective editors are responsible for the organization in the individual faculties. The University Executive Board has general responsibility for content and decides in case of doubt about the admissibility of the data. The Content Management (Unit 03, University Communication and Marketing) maintains the landing pages of the central website at www.uni-bremen.de. Otherwise, the departments, units, Faculties and institutions of the University are responsible for the contents they present.

I. Name and address of the person legally responsible

University of Bremen
The University President, Prof. Dr. Jutta Günther
Bibliothekstrasse 1-3
28359 Bremen, Germany
Phone: +49 421 218-1
Email: webuni-bremen.de
Website: www.uni-bremen.de

II. Name and address of the data protection officer:

University of Bremen
Katja Losch-Kremer
Referat 06
Bibliothekstrasse 1-3
28359 Bremen, Germany
Email: datenschutzuni-bremen.de
Website: www.uni-bremen.de/infoportal-datenschutz

III. General Information about Data Processing

(1) The University of Bremen takes data privacy very seriously.
We process the personal data collected when visiting our websites in full compliance with the applicable data privacy regulations. These include, in particular, the EU General Data Protection Regulation (GDPR), the Bremen Implementation Act on the EU General Data Protection Regulation (BremDSGVOAG), the Higher Education Act of the State of Bremen (Section 11 BremHG), and the Telecommunications and Telemedia Data Protection Act (TTDSG).

(2) In principle, we process personal data of our users only insofar as this is necessary to provide a functioning website and present content and services (see points 6 and 7). The processing of our users’ personal data takes place only after obtaining their consent. An exception applies in cases where prior consent is de facto not possible and the subsequent processing is permitted by law. Any use of your personal data takes place solely for the stated purposes and to the extent necessary to serve these purposes.

(3) Your data will neither be published by us nor without authorization passed on to third parties. We point out, however, that we are entitled in individual cases and on the order of the competent bodies to provide information on collected data for law enforcement purposes, to aid the police forces of the Länder in the prevention of risks and the Federal Intelligence Service in fulfilling the statutory duties of the constitutional protection authorities of the Federal Government and the Länder (legal basis Article 6 section 1 item (c) GDPR).

In the following, we wish to inform you about the nature, scope, and purpose of the collection and use of personal data.

1. Data collection and processing when accessing from the Internet

(1) On our websites, we use a consent management platform (consent or cookie banner).
We process data in connection with the use of this consent management platform and the logging of your settings to play out our content according to your preferences and to be able to prove the consent(s) you have given. The legal basis for the temporary storage of data and log files is Article 6 section (1) item (f) GDPR. A cookie is used to store your individual settings, the consent you have given, and some of your usage data. This allows your settings and consent to be retained and stored for subsequent page requests. Further information on this is available under the “Cookies” section.

The following data is recorded:

- The IP address of the requesting computer
- Date and time of access
- Access method / function desired by the requesting computer
- Name and URL of the retrieved file
- Transmitted amount of data
- Access status of the web server (file transfer, file not found, command not executed, etc.)
- The URL from which access is acquired

(2) The login for access to protected areas is partially logged in order to detect attempts at abuse and password attacks. Thereby, no data is stored with the help of which personal profiles could be created about the user’s behavior.

(3) The collection of such data and the storage of the data in log files is essential for the provision and the operation of the website. There is consequently no possibility for users to object to such use.

2. Cookies

(1) We use necessary cookies on our websites. Cookies are small text files that are stored by the browser on your computer. A distinction is made between session cookies, which are deleted as soon as you close your browser, and persistent cookies, which are stored beyond individual sessions. We do not use these necessary cookies for analysis, tracking, or advertising purposes. Some of these cookies only contain information on certain settings and are not personally identifiable. They may also be necessary to enable user guidance, security, and running of the website.
The legal basis for the use of these cookies is Article 6 section (1) item (f) GDPR. You can set your browser to inform you when cookies are placed. Additionally, you can delete them at any time via the corresponding browser setting and prevent the setting of new cookies. Please note that our websites may then not be displayed in full and some functions may no longer be technically available.

The following cookies are set:

- session cookies (for session detection, duration: one session)
- TYPO3 session cookie (for session detection, duration: one session)
- JavaScript cookie for sound (for audio on / off, duration: one session)
- Matomo Cookies for web analytics (see “Web analytics” section)

(2) In your browser settings, you can specify whether cookies may be set or not.

3. Web analytics by Matomo (formerly PIWIK)

We use the “Matomo” web analytics tool to customize our websites. Matomo creates user profiles using pseudonyms. For this purpose, we store persistent cookies on your end device and retrieve information from them. This enables us to recognize returning visitors and count them as such. Data processing only takes place on the basis of your consent, provided that you have given your consent via our banner. You may revoke your consent at any time by following the link below and selecting the appropriate settings via our banner. The legal basis for the use of Matomo is Article 6 (1) item (a) GDPR.

Cookie settings

4. Data security

(1) Our technical-organizational security measures, with which we protect all data from the access of unauthorized persons, are always kept up-to-date. As far as your data is collected and recorded by us, it is stored on specially protected servers. These are protected by technical and organizational measures against loss, destruction, access, modification or distribution by unauthorized persons. Access to your data is only possible for a limited number of authorized persons. All our employees are sworn to confidentiality.
Personal information is always transmitted in encrypted form. The transmitted data is stored in a database that is only accessible to administrators.

(2) We point out, however, that data transmission via the Internet (for example, when communicating by email) may have security vulnerabilities. There is no complete protection from the data being accessed by third parties.

5. Links to websites of other providers

Our Internet pages contain links (references) to external websites of third parties. Our websites may also contain links to external social networks; however, no plug-ins belonging to these networks are used. These websites are subject to the liability of the respective operator. Therefore, we cannot assume any liability for these external contents. At the time the links are included, there is no evidence of illegal contents on the respective pages. However, we have no influence on the current and future design and content of the linked sites. A permanent control of these third party sites would be unreasonable. If we become aware of a violation, we will remove the link immediately. When you leave this site, it is recommended that you carefully read the privacy policy of each website first.

6. YouTube

Our websites use an iFrame of the Google Inc. powered YouTube site. The operator of these pages is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. When you visit one of our YouTube iFrame-equipped sites, you will be connected to the servers of YouTube. This tells the YouTube server which of our pages you’ve visited. If you’re logged into your YouTube account, you allow YouTube to associate your browsing behavior directly with your personal profile. You can prevent this by logging out of your YouTube account. Legal basis is Article 6 section 1 item (f). For more information on how user data is handled, please refer to the YouTube Privacy Policy at https://www.google.de/intl/depolicies/privacy

7. Integrated Maps from Google Maps

The website contains embedded maps from Google Maps to illustrate the university’s locations. The maps from Google Maps are a product of Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. When you visit a page with an embedded map, your browser usually connects directly to Google’s servers. By doing so, Google receives the information that your computer has called up the corresponding page of our website. This will also give Google your computer’s IP address and information about your browser. Google will receive this information even if you do not have a Google account. If you are logged in to your Google account when you visit the site, it is possible that Google may associate this directly with your account. If you use certain services of Google on the device used for retrieval and have not objected to access to your location data, processing of your location data may also occur in connection with accessing the page with the map. It is to be assumed that Google will use your data mentioned for commercial purposes in addition to enabling use, optimization, and prevention of misuse. For more information on data protection at Google, please visit policies.google.com/privacy. There you will also find information on how you can restrict the processing of your data at Google. The university has no influence on the processing of data at Google.

8. Contact form

You can contact us via our contact form. To use our contact form, you must first complete the mandatory fields. We use this data on the basis of Article 6 (1) item (a) GDPR in order to respond to your inquiry. Your data will only be stored to answer your request. We will delete your data as soon as it is no longer required and if there are no legal obligations to retain it. This is usually the case 90 days after processing your request. You have the right to object to the storing of your data at any time in accordance with Article 6 (1) item (f) GDPR.
To do so, please contact the email address provided in the legal notice below.

9. Newsletter data

You can subscribe to our newsletter via our website. When registering for the newsletter, please note that we require certain data (at least your email address). The newsletter will only be sent if you have given us your explicit consent. Once you have subscribed, you will receive a confirmation email to the email address you have provided (known as double opt-in). You may revoke your consent at any time. An easy way to withdraw your consent is, for example, via the “unsubscribe” link in every newsletter. When you sign up for our newsletter, we store further data in addition to the above mentioned data in order to prove that you have subscribed to our newsletter. This may include storing your full IP address at the time of ordering or confirmation of the newsletter, as well as a copy of the confirmation email sent by us. Legal basis for the processing of data is Article 6 (1) item (f) GDPR. Our legitimate interest here is to account for the user’s consent to the newsletter delivery.

10. SSL encryption

This site uses SSL encryption for security reasons and to protect the transmission of sensitive content, such as the requests you send to us as the site operator. You can recognize an encrypted connection when the address line of the browser changes from “http://” to “https://” and the lock symbol appears in your browser line. When SSL encryption is enabled, it is virtually impossible for third parties to read the data you transmit to us.

IV. Rights of the Data Subject

Insofar as the University of Bremen processes the personal data you provide, you, as the person affected, are entitled in accordance with GDPR to the following rights:

1. Right of access by the data subject (Article 15 GDPR)

You have the right to obtain confirmation as to whether or not personal data concerning you is being processed; if that is the case, you have a right to access this personal data and the information listed in detail in Article 15 GDPR.

2. Right to rectification (Article 16 GDPR)

You have a right to rectification and / or completion vis-à-vis the controller if the personal data processed is incorrect or incomplete. The controller must make the correction without delay.

3. Right to restriction of processing (Article 18 GDPR)

You have the right to request the restriction of processing of your personal data if one of the conditions listed in Article 18 GDPR is met, for example, if you have lodged an objection to the processing, for a period of time that enables the controller to verify your personal information.

4. Right to erasure (“right to be forgotten”) (Article 17 GDPR)

You have the right to obtain that personal data concerning you be erased immediately if one of the grounds listed in Article 17 GDPR applies.

5. Notification obligation (Article 19 GDPR)

If you have declared your right of rectification, erasure or restriction of processing to the controller, he/she is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort. You shall have a right vis-à-vis the controller to be informed about these recipients.

6. Right to data portability (Article 20 GDPR)

In certain cases, which are listed in detail in Article 20 GDPR, you have the right to receive the personal data concerning you in a structured, commonly used, and machine-readable format and to request the transmission of this data to another controller.

7. Right to object (Article 21 GDPR)

If data is collected on the basis of Article 1 (1) item (f) GDPR (data processing for the purposes of legitimate interests) or on the basis of Article 6 (1) item (e) GDPR (data processing to protect the public interest or in the exercise of official authority), you have the right to object to the processing at any time on grounds relating to your particular situation. We will then no longer process the personal data unless there are demonstrably compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purpose of establishing, exercising, and defending legal claims.

8. Right to withdrawal of consent (Article 7 (3) GDPR)

If the processing of data is based on your consent, you have the right to withdraw your consent to the use of your personal data at any time in accordance with Article 7 (3) GDPR. Please note that the withdrawal of consent only takes effect for the future. It shall not affect the lawfulness of processing based on consent before its withdrawal. For this purpose and for further questions on the subject of personal data, you can contact us at the above addresses or by email at the following address: contentuni-bremen.de.

9. Automated individual decision-making, including profiling (Article 22 GDPR)

You shall have the right not to be subject to any decision based solely on automated processing, including profiling, which will have legal effect or affect you in a similar manner. This does not apply if the decision (1) is required for the conclusion or performance of a contract between you and the controller, (2) is permitted by European Union or Member State legislation to which the controller is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and legitimate interests, or (3) with your express consent.
However, these decisions must not be based on special categories of personal data pursuant to Article 9 (1) GDPR, unless Article 9 (2) item (a) or (g) GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests. With regard to the cases referred to in (1) and (3), the controller shall take appropriate measures to uphold your rights and freedoms and your legitimate interests, including at least the right to obtain the intervention of a person by the controller, to explain his/her own position and be heard.

10. Right to lodge a complaint with a supervisory authority (Article 77 GDPR)

In accordance with Article 77 GDPR, you have the right to lodge a complaint with a supervisory authority if you consider that the processing of personal data relating to you infringes data protection regulations. The right to lodge a complaint can be exercised in particular with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement.

11. Assertion of your rights

Unless otherwise described above, please contact the body named in the legal notice to assert your rights as a data subject.

V. Processing of Personal Data on Internal Access Protected Websites

(1) In the case of access-protected internal websites of the University of Bremen, which only concern information platforms accessible to university members, the logged-in and registered users (students, employees, university members with user account) have the following personal data collected during their stay on these pages: (a) name of the user, (b) the email address associated with the account, (c) if applicable, the membership of the user to a specific user group.

(2) Legal basis for the processing of the personal data is the consent of the user in accordance with Article 6 section (1) item (a) GDPR.
The collection of data serves to enable the use of restricted Internet sites (establishing connection), as well as for purposes of system security, technical administration, the network infrastructure and to optimize the offers. The data shall be deleted as soon as it is no longer necessary for achieving the purpose of its collection. This is deemed to be the case after logging off or closing the web browser.

VI. Validity and Timeliness of the Privacy Policy (as of July 2018)

By using our website, you consent to the use of the data as described above. This privacy policy is immediately valid and supersedes all prior statements. This statement will be updated as necessary to bring it into line with the content of the website as well as more generally with legislative changes.

The English version of this text is for informational purposes only. Only the German version is legally binding.