Data protection policy

I. Name and Address of the Data Controller

The data controller (hereinafter: 'Controller') as mandated by the General Data Protection Regulation and other national data protection laws from member states as well as other regulations relevant to data protection is:

Rheinische Friedrich-Wilhelms-Universität Bonn
Stabsstelle Chancengleichheit und Diversität
Poppelsdorfer Allee 15
53115 Bonn
email: chancengleichheit@uni-bonn.de
Phone: +49 (0)228 73-60321
Website: www.xxx.uni-bonn.de

II. Name and Address of the Data Protection Officer

The data protection officer of the Controller is:
Dr. Jörg Hartmann
Genscherallee 3
53113 Bonn
Email: joerg.hartmann@uni-bonn.de
Phone: +49 (0)228 73-6758
Website: www.datenschutz.uni-bonn.de

Deputy:
Eckhard Wesemann
Dezernat 1, Abt. 1.0
Regina-Pacis-Weg 3
53113 Bonn
E-Mail: wesemann@verwaltung.uni-bonn.de

III. General Information on Data Processing

1. Scope of Processing of Personal Data

We process the personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Routine processing of our users’ personal data is performed solely with the consent of the user. An exception comes in cases where the prior acquisition of consent is not possible for practical reasons and stipulations allowing for such processing are included in the legal requirements.

2. Legal Basis for the Processing of Personal Data

Insofar as we have obtained the consent of the data subject for the processing of their data, Art. 6 para. 1(a) GDPR serves as the legal basis for such processing.
The legal basis for the processing of personal data required for the fulfillment of a contract to which the data subject is a party is Art. 6 para. 1(b) GDPR. This also applies to measures in preparation of said contract.
The legal basis for the processing of personal data to fulfill a legal obligation on the part of the University of Bonn is Art. 6 para. 1(c) GDPR.
The legal basis for the processing of personal data as necessary to protect the vital interests of the data subject or another natural person is Art. 6 para. 1(d) GDPR.
The legal basis for processing required for the execution of duties in the public interest or the exercise of public authority that has been transferred to the University is Art. 6 para. 1(e) GDPR.

3. Deletion of Data and Duration of Storage

The personal data of the data subject is to be deleted or locked as soon as the purpose for storage no longer applies. Storage can potentially extend beyond this point where necessitated by European or national legislation reflecting EU-wide directives, laws or other rules to which the Controller is subject. The data must then be locked or deleted upon expiration of the retention period stipulated by the aforementioned standards, unless it is necessary to continue storage of the data for reasons of entering into or completing a contract.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our internet pages are requested, our system automatically records data and information about the requesting computer's system. The following data is recorded:

(1) Information about the browser type and version
(2) The user's operating system
(3) The user's internet service provider
(4) The user's IP address (partially anonymized and shortened IP address)
(5) Date and time of the request
(6) Websites from which the user's system navigated to our internet site
(7) Websites which are requested by the user's system via our website (within *.uni-bonn.de, referrals to external sites are not forwarded)

The log files contain IP addresses and other data that allows for identification of a user. This can for example be the case where a link from a referring website or from our pages to another website contains personal data. The data is also stored in log files on our system. This data is not stored together with other personal data from the user.

2. Purpose of Data Processing

The temporary storage of the IP address by the system is required to allow for the website to be delivered to the user's computer. The IP address of the user must be stored for the duration of the session.
Log files are stored to ensure the functionality of the website. Beyond this, the data helps us optimize the website and ensure the security of our IT systems. No analysis of the data for marketing purposes is made in this context.

3. Duration of Storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For data collected for the purpose of providing the website, this is the case once the respective session has ended.
For data stored in log files, this purpose expires seven days after it is collected. The data can potentially be stored beyond this point. In this case the user's IP address is deleted or anonymized to prevent any further possibility of identifying the client that requested it.

4. Options for Objecting and Removal

The collection of data for the provision of the website and storage of data in log files is necessary for the operating of the internet site. As a result, the user has no option for objecting in this context.

V. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user requests a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that allows for the unambiguous identification of the browser if the website is requested again.
We use cookies to make our website more user friendly. Some elements of our internet site require that the requesting browser can be identified even when a new page is opened.
Cookies store and transmit the following data:

(1) Language settings
(2) Log-In information

Beyond this, our website uses cookies that allow for an analysis of the user's surfing habits. A software tool called Matomo (formerly PIWIK) is used for this. More details can be found under point VIII.

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies for analytical purposes is the acquisition of the user's consent in accordance with Art. 6 para. 1(a) GDPR.

3. Purpose of Data Processing

Cookies related to a necessary technical function are used to make the website easier to use. Some functions on our internet site cannot be provided without the use of cookies. It is necessary for example that the browser be recognized again when navigating between pages.
We require cookies for the following applications:

(1) Adoption of language settings

User data collected through technically necessary cookies are not used to create a user profile. The use of analytical cookies serves to improve the quality of our website and its content. The analytical cookies provide us with insights on how the website is used, allowing us to constantly optimize our offerings.

4. Duration of Storage, Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be deleted at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

VI. Web Analysis by Matomo (formerly PIWIK)

1. Scope of Processing of Personal Data

Our website uses an Open Source software tool called Matomo (formerly PIWIK) to analyze the surfing habits of our users. The software places a cookie on the user's computer (for more on cookies, see above). When individual pages of our website are requested, the following data is stored:
(1) Two bytes of the IP address of the user's requesting system
(2) The requested web page
(3) The website from which the user navigated to our website (referrer)
(4) The sub-page from which the visited web page was requested
(5) The duration of the visit to the web page
(6) The frequency of requests for the web page

Within this context, the software runs exclusively on our website's servers. The user's personal data is only stored there. The data is never forwarded to third parties.

The software has been configured to prevent full storage of the IP address, with two bytes of the IP address masked (such as: 192.168.xxx.xxx). In this way, the shortened IP address can no longer be identified with the requesting computer.

2. Purpose of Data Processing

The processing of the user's personal data allows us to analyze the surfing habits of our users. We use analyses of the collected data to deduce information about the use of individual components of our website. This helps us constantly improve our website and its user friendliness. The IP address is anonymized to promote the interest of the user in the protection of his or her personal data.

3. Duration of Storage

The data is deleted as soon as it is no longer required for our analytical purposes. In our case, this is after 3 months.

4. Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be deleted at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.
We offer users of our website the option to opt-out of the analysis process. To do so, you must click on the corresponding link. This then places an additional cookie on your system that signals to our computer not to store the user's data. If the user deletes that cookie at some point from their own system, then the opt-out cookie must then be re-set to be effective.
For more information about privacy settings on Matomo Software, please click on the following link: https://matomo.org/docs/privacy/.

VII. Rights of the Data Subject

If your personal data is processed, then you as data subject have the following rights against the Controller as established in the GDPR:

1. Right of Information

You can demand confirmation from the Controller whether your personal data is being processed.
If such processing exists, then you can demand the following information from the Data Controller:
(1) The purpose for which the personal data is being processed;
(2) The categories of personal data that are being processed;
(3) The recipients and/or category of recipients who have been or are still being provided with your personal data;
(4) The planned duration of storage of your personal data or, if concrete information cannot be provided here, the criteria for the determination of the duration of storage;
(5) The compliance with the right of rectification or erasure of your personal data, the right of restriction of processing by the Controller and the right of objection to such processing;
(6) Compliance with the right of complaint to an oversight authority;
(7) All available information about the source of the data if the personal data was not collected by the Controller;
(8) Any existence of an automatic decision-making mechanism, including profiling in accordance with Art. 22 Para. 1 and 4 of the GDPR and — at least in those cases — informative details on the logical algorithm and the extent and intended purpose of this type of processing for the Controller.

You have the right to demand information about whether your personal data has been forwarded to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees as per Art. 46 GDPR related to such transfers.

Insofar as the data processing serves for scientific, historic or statistical research purposes, the right of information can be limited to the extent that it would make the feasibility of the research or statistical purposes impossible or seriously limited and the restriction is necessary for the fulfillment of the research or statistical purposes.

2. Right of Rectification

You have the right to rectification and/or completion of your data from the Controller, insofar as your processed personal data are incorrect or incomplete. The Controller must undertake the corrections immediately.
For data processing involving scientific, historic or statistical research purposes, your Right of Correction can be limited to the extent that it would make the feasibility of the research or statistical purposes impossible or seriously limited and the restriction is necessary for the fulfillment of the research or statistical purposes.

3. Right to Restriction of Processing

Where the following pre-conditions are met, you can demand a restriction to the processing of your personal data:
(1) where you challenge the correctness of your personal data for a period that allows the controller to review the correctness of your personal data;
(2) where the processing is illegal and you refuse the erasure of your personal data and instead demand restriction to the use of your personal data;
(3) the Controller no longer requires the personal data for the purpose of processing, but still requires it for the assertion, exercise or defense of legal claims;
(4) if you file an objection to processing in accordance with Art. 21 para. 1 GDPR and have not yet established whether the justifiable reasons on the part of the Controller override your reasons.

If processing of your personal data has been restricted, then that data — other than storage — may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural person or legal entity or from reasons of important public interest to the European Union or one of its member states.

If processing is restricted based on the aforementioned conditions, then you will be informed by the Controller before the restrictions are lifted. For data processing involving scientific, historic or statistical research purposes, your right to limit processing can be limited to the extent that it would make the feasibility of the research or statistical purposes impossible or seriously limited and the restriction is necessary for the fulfillment of the research or statistical purposes.

4. Right to Erasure

a) Right of Erasure
You can demand that the Controller immediately deletes your personal data. The Controller is obligated to delete this data immediately, insofar as one of the following reasons applies:
(1) Your personal data is no longer needed for the purpose for which it was collected or otherwise processed.
(2) You revoke your consent that allowed for processing in accordance with Art. 6 Para. 1(a) or Art. 9 Para. 2(a) GDPR, and no other legal basis for processing applies.
(3) You file an official objection to processing in accordance with Art. 21 Para. 1 GDPR and no overriding justification for the processing applies, or you file an official objection to processing in accordance with Art. 21 Para. 2 GDPR.
(4) Your personal data were processed in an illegal manner.
(5) The deletion of your personal data is required to fulfil a legal obligation based on EU law or the law of the Controller’s member state.
(6) Your personal data was collected in the context of services provided by the IT company in accordance with Art. 8 Para. 1 GDPR.

b) Information to Third Parties
If the Controller has shared your personal data and is obligated under Art. 17 para. 1 GDPR to delete that data, then measures, technical or otherwise, must be undertaken, accounting for the available technology, to inform the processor of the personal data that you as data subject demand the deletion of all links to that personal data or demand all copies and facsimiles of that personal data.

c) Exceptions
The right of erasure does not apply where processing is necessary
(1) for the exercise of rights of free speech and information;
(2) to fulfill a legal obligation to processing related to the laws of the European Union or its member states to which the Controller is subject, or for the fulfillment of a task in the public interest or in the execution of public authority that has been transferred to the Controller;
(3) for reasons of public interest related to public health as per Art. 9 para. 2(h) and (i) and Art. 9 para. 3 GDPR;
(4) for archival, scientific or historical research purposes in the public interest or for statistical purposes as per Art. 89 para. 1 GDPR and the law mentioned in a), insofar as the right potentially severely limits or makes impossible the realization of these;
(5) for the assertion, exercise or defense of legal claims.

5. Right of Information

If you have exercised your right of notification, erasure and restriction of processing against the Controller, then the Controller is obligated to inform all recipients who received your personal data about that notification, erasure or restriction of processing, unless this is impossible or involves an unreasonable amount of cost and complexity.
You have the right to demand of the Controller information about those recipients.

6. Right to Data Portability

You have the right to receive your personal data that you have provided the Controller in a structured, commonly used machine-readable format. Furthermore you have the right to transfer that data to a different controller, without impediment by the controller who received the personal data, insofar as
(1) the processing is based on consent provided according to Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR, or on a contract according to Art. 6 para. 1(b) GDPR, and
(2) processing is made using an automated process.

In exercising this right, you furthermore have the right to demand that your personal data be transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons may not be violated in this process.
The right to data portability does not apply in cases of processing of personal data required for execution of duties in the public interest or the execution of public authority that has been transferred to the controller.

7. Right of Objection

You have the right to object for reasons related to your specific situation to the processing of your personal data on the basis of Art. 6 para. 1(e) GDPR; this also applies to any profiling undertaken for this purpose.
In the event of an objection, the Controller will no longer process your personal data, unless he or she can provide urgent defensible reasons for processing that outweigh your interests, rights and freedoms, or where the processing serves the assertion, exercise or defense of legal claims.
For data processing related to scientific, historical or statistical research purposes as per Art. 89 para. 1 GDPR, you have the additional right to object to the processing of your personal data for personal reasons, unless the processing is necessary for the fulfillment of tasks in the public interest.

8. Right of Revocation of Declaration of Consent to Processing

You have the right to revoke your declaration of consent to data processing at any time. Revoking consent does not affect the legality of the data processing performed before the point of rescission on the basis of the consent provided.

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the data controller;
(2) is authorized by European Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or
(3) is based on your explicit consent.

With that said, these decisions may not be based on special categories of personal data referred to in Article 9 para. 1 GDPR, unless Art. 9 para 2(a) or (g) applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points (1) and (3), the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right of Complaint to a Supervisory Authority

Irrespective of any other available administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the member state of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the EU’s GDPR.
The supervisory authority receiving the complaint will inform the complainant about the status and results of the complaint, including the option for legal remedy in accordance with Art. 78 GDPR.

The competent supervisory authority for the University of Bonn is the:

Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen
Postfach 20 04 44
40102 Düsseldorf, Germany
email: poststelle@ldi.nrw.de
Phone: +49 (0)211 38424-0
Fax: +49 (0)211 38424-10
