NAME AND ADDRESS OF THE DATA CONTROLLER
Within the meaning of the General Data Protection Regulation (GDPR) and other German national data protection laws and regulations, the data controller is:
Gottfried Wilhelm Leibniz Universität Hannover
Tel. +49 511 762 – 0
Fax +49 511 762 – 3456
Leibniz University Hannover is a corporation under public law and is legally represented by its President, Prof. Dr. iur. Volker Epping.
GENERAL INFORMATION ON DATA PROCESSING
We process our users’ personal data only insofar as is necessary to provide a functioning website as well as our content and services. If individual web presences, websites or functions carry out processing in deviation from this data protection declaration, the corresponding information is provided in a separate data protection declaration.
PROVISION OF THE WEBSITE AND CREATION OF LOG FILES
Every time you visit our website, our system automatically collects data and information from the computer system of the accessingcomputer.
The following data is collected:
- information about the browser type and version used
- the user’s operating system
- the user’s Internet service provider
- the IP address of the user
- the date and time of access
- the website, from which the user’s system reaches our website
- websites accessed by the user’s system via our website
The data is also stored in the log files of our system. This data is not stored together with other personal data of the user.
The legal basis for temporary storage of data and log files is Article 6 (1) (e) (3) GDPR in conjunction with § 3 of the German Data Protection Act (NDSG) and § 3 of the Lower Saxony Higher Education Act (NHG).
Temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s computer. For this, the IP address of the user must remain stored for the duration of the session. The data is stored in the log files to ensure the functionality of the website. In addition, the data enables us to optimise the website and to ensure the security of our IT systems. Analysis of the data for marketing purposes does not take place in this context. The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. With respect to collection of data for the provision of the website, this is the case once the respective session has ended.
If the data is stored in log files, this is the case after seven days at the latest. Data may be stored for a longer period of time. In this case, the IP address of the user is deleted or anonymised, so that the accessing client can no longer be assigned to the user.
Collection of data for the provision of the website and storage of data in log files is – for technical reasons – essential for the operation of the website.
CONTACT FORM AND EMAIL CONTACT
There is a contact form on our website that can be used for electronic contact. If a user utilises this function, the data entered in the form will be transmitted to us and stored. Within the scope of the sending process, your consent will be obtained to process the data and reference is made to this privacy statement. Alternatively, you can contact us via the email address provided. In this case, the user’s personal data that is transmitted via email will be stored. In this context, the data will not be passed on to third parties. The data will be used exclusively for processing the conversation. The legal basis for processing data is Article 6 (1) (a) GDPR provided that the user has given consent. The legal basis for processing data transmitted in the course of sending an email is Article 6 (1) (e) (3) GDPR in conjunction with § 3 of the Lower Saxony Data Protecton Act (NDSG) and § 3 of the Lower Saxony Higher Education Act (NHG). If email contact is undertaken with the purpose of concluding a contract, the additional legal basis for processing is Article 6 (1) (b) GDPR.
Personal data that is entered in the input mask is processed solely for the purpose of establishing contact.
The other personal data that is processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data that was entered in the input mask of the contact form or sent via email, this is the case when the respective conversation with the user is finished. The conversation is terminated when it can be deduced from the circumstances that the facts in question have been conclusively clarified.
Additional personal data that is collected during the sending process will be deleted after a period of seven days at the latest.
The user can revoke consent to the processing of personal data at any time. If the user contacts us by email, he or she can object to the storage of personal data at any time. In such a case, the conversation cannot be continued and all personal data stored during the course of contacting us will be deleted.
On some Leibniz University Hannover websites it is possible to subscribe to a free newsletter using an online form. When registering for the newsletter, the data from the input mask is transmitted to us. In addition, the IP address of the accessing computer as well as the date and time of registration are collected and processed. In the course of the registration process, your consent will be obtained in order to process the data and reference is made to this privacy statement.
No data is disclosed to third parties in connection with data processing to deliver the newsletter. The data will be used solely for sending the newsletter.
The legal basis for processing data after the user has registered for the newsletter is Article 6 (1) (a) GDPR.
Collection of the user’s email address serves the purpose of sending the newsletter. Collection of other personal data as part of the registration process serves to provide proof of registration for the newsletter and, if necessary, to prevent misuse of the services or the email address used. The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. The user’s email address will therefore be stored for as long as subscription to the newsletter is active.
Consent to delivery of the newsletter can be revoked by the user at any time and the newsletter will be cancelled. For this purpose, there is a corresponding link in every newsletter.
Where internet services allow personal or business data (e. g. email addresses, names, addresses) to be entered, disclosure of such data by the user shall take place on an explicitly voluntary basis. The legal basis for such processing is unless otherwise stated Article 6 (1) (a) GDPR. The collection and processing of data serves only the purpose stated in the respective online form. Divulgence or disclosure to third parties shall not occur. It is possible to use and pay for all offered services – insofar as this is technically possible and reasonable – without disclosure of such data or through the use of anonymised data or a pseudonym. The use of contact data provided in the legal notice or similar, such as postal addresses, telephone and fax numbers or email addresses by third parties to send information that was not explicitly requested is not permitted. We reserve the right to take legal action against the senders of spam mails that violate this clause.
We create anonymous statistics and analysis of the access to our website.
When saving the user IP address, the last two octets are not processed. The collection of the user ID is deactivated. For the analysis, the following data is collected in addition to the access to the site and the anonymized IP address: Date and time of the request, page title of the requested page, URL of the previously requested page (referrer URL), screen resolution of the client system, local time zone, URL of clicked and downloaded files, URL of clicked external domains, geolocation of the client (country, region, city), main language of the used browser, user agent of the used browser.
EMBEDDING YOUTUBE VIDEOS
SHARING VIA SOCIAL MEDIA SUCH AS FACEBOOK AND TWITTER
In some instances on the Leibniz University Hannover website, the option is given to share individual pages on social networks by means of share buttons. Via these plugins, data (including personal data) can reach external providers such as Facebook, Google and Twitter and can be used by them. The legal basis for the use of plugins is Article 6 (1) (a) GDPR.
Leibniz University Hannover itself does not use social media plugins to collect personal data or information about the use thereof. To prevent data reaching network providers without the deliberate action of the user, Leibniz University Hannover uses “Shariff”, a data-protection-friendly solution, on its website (for further information visit: http://m.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html).
Using this technology, a direct link between the user and external social media will only occur when the user actively clicks on one of these buttons. Only then can data be transferred to the external provider and stored there.
The external provider will then receive information that the corresponding subpage of our website has been accessed. For this, the user needs neither to have an account with the external provider nor to be logged in there. If the user is logged in with the external provider, this data is directly assigned to their user account with the external provider. If one of our pages is shared, the external provider will also generally store this information in the user account.
Leibniz University Hannover has no influence on whether, to what extent, for how long and for what purpose external providers collect personal data. However, it can be assumed that at least the IP address and device-related information are collected and used. Further information on the data protection policies of external social media platforms can be found on their respective websites:
a) Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA
b) Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA
c) Twitter Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA
d) Instagram, Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland
e) WhatsApp Inc, 650 Castro Street, Suite 120-219, Mountain View, California, 94041, USA
EMBEDDING ADVERTISING BANNERS
In cooperation with VariFast GmbH and using the ad server of Adition AG, advertising banners are displayed on some pages of the university’s website. The legal basis for the use of advertising banners is Article 6 (1) (f) GDPR.
Cookies are also used for this. Only session cookies and temporary cookies are used that statistically measure the number of readers/visitors and limit the numerically determined delivery of advertising media. For technical reasons, the visitor’s IP address is also forwarded to these two companies. Only technical data is collected, the visitor cannot be personally identified. All data, including the IP address, is analysed anonymously and purely statistically. The traffic data of the transmission is only stored on the web server of Adition AG temporarily; this data may be recorded in this respect without the express consent of the user.
All relevant data protection regulations, in particular those governed in the German Telemedia Act (TMG), the Federal Data Protection Act (BDSG) and the Lower Saxony Data Protection Act (NDSG), are observed by Leibniz University Hannover, VariFast GmbH and Adition AG.
Revocation of data collection by ADITION AG
By clicking the following link, collection of anonymised data will be stopped. In this case, ADITION will replace the current cookie with a new opt-out cookie. This opt-out cookie will delete the previously stored information, including the IP address, and will prevent further collection of anonymous information. If this opt-out cookie is deleted, ADITION can no longer determine that an opt-out has taken place. In this case, the opt-out process must be repeated.
RIGHTS OF THE DATA SUBJECT
If your personal data is processed, you are a data subject in the context of the GDPR and you have the following rights towards the data controller:
Right of access to information according to Article 15 GDPR
You can ask the data controller to confirm whether personal data concerning you is processed by us.
If such processing has taken place, you can request the following information from the data controller:
(1) the purposes for which the personal data is processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage period;
(5) the existence of the right to rectification or erasure of personal data concerning you, the right to limitation of processing by the data controller or the right to object to such processing;
(6) the existence of the right to lodge a complaint with a supervisory authority;
(7) any available information on the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, in accordance with Article 22 (1) and (4) GDPR and – at least in those cases – meaningful information on the logic involved, as well as the significance and envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards according to Article 46 GDPR relating to the transfer.
Right to rectification according to Article 16 GDPR
You have the right to rectification and/or completion of personal data by the data controller if the processed personal data concerning you is incorrect or incomplete. The data controller shall promptly correct such data.
Right to restrict processing according to Article 18 GDPR
Under the following conditions, you may request that the processing of personal data concerning you is restricted:
(1) if you dispute the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the deletion of the personal data and instead request that the use of the personal data be restricted;
(3) the data controller no longer needs the personal data for the purposes of the processing, but you need it to assert, exercise or defend legal rights, or
(4) if you have filed an objection to the processing according to Article 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the data controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, such data may only be processed – with the exception of storage – with your consent, or for the purpose of asserting, exercising or defending legal rights, or for the purpose of protecting the rights of another natural or legal person, or on the grounds of important public interest of the Union or a Member State.
If processing has been restricted according to the above conditions, you will be informed by the data controller before the restriction is lifted.
Right to erasure according to Article 17 GDPR
a) Obligation to delete
You may request the data controller to promptly delete the personal data concerning you. The data controller is then obliged to promptly delete this data if one of the following reasons applies:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You revoke your consent, upon which the processing was based as per Article 6 (1) (a) or Article 9 (2) (a) GDPR, and there is no other legal basis for such processing.
(3) You file an objection against the processing as per Article 21 (1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing as per Article 21 (2) GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) Deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the data controller is subject.
(6) The personal data concerning you was collected in relation to information society services offered as per Article 8 (1) GDPR.
b) Information to third parties
If the data controller has made personal data concerning you public and is obliged to delete it as per Article 17 (1) GDPR, he or she shall take the appropriate measures, including technical measures (taking into account the available technology and implementation costs) to inform data processors who process the personal data that you, the data subject, have requested the deletion of all links to this personal data and copies or replications thereof.
The right to erasure does not exist insofar as processing is necessary
(1) to exercise freedom of expression and information;
(2) for compliance with a legal obligation required for processing under Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority assigned to the controller;
(3) for reasons of public interest in the field of public health as per points (h) and (i) of Article 9 (2) as well as Article 9 (3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes as per Article 89 (1) GDPR, insofar as the law referred to under a) is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or
(5) to assert, exercise or defend legal claims.
Right to be informed according to Article 19 GDPR
If you have exercised your right to have personal data concerning you corrected, deleted or processing thereof limited, the data controller is obliged to inform all recipients to whom such data has been disclosed of this correction, deletion or restriction on processing, unless this proves impossible or involves a disproportionate effort.
Upon request, the data controller shall inform the data subject about these recipients.
Right to data portability according to Article 20 GDPR
You have the right to receive the personal data concerning you that you provided to the data controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another data controller without obstruction by the data controller to whom the personal data was disclosed, provided that
(1) processing is based on consent as per Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, or based on a contract according to Article 6 (1) (b) GDPR and
(2) processing is carried out by automated means.
In exercising this right, you also have the right to request that the personal data concerning you be transferred directly from one data controller to another data controller, insofar as this is technically feasible. The freedom and rights of others shall not be affected by this.
The right to data portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority assigned to the controller.
Right to object according to Article 21 GDPR
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you according to point (e) or (f) of Article 6(1) GDPR; this shall also apply to profiling based on these provisions.
The data controller shall no longer processes the personal data concerning you, unless he or she can demonstrate compelling legitimate reasons for the processing, which outweigh your interests, rights and freedom, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such advertising; this also applies to profiling, insofar as it is associated with such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes. You may exercise your right to object in connection with the use of information society services by automated means using technical specifications, notwithstanding Directive 2002/58/EC.
Right to revoke the data protection declaration of consent as per Article 7 (3) GDPR
You have the right not to be subject to a decision based exclusively on automated processing – including profiling – that has a legal effect on you or significantly affects you in a similar manner. This shall not apply if the decision is
(1) necessary for the conclusion or fulfilment of a contract between you and the data controller,
(2) admissible according to Union or Member State legislation to which the data controller is subject and the legislation contains appropriate measures to safeguard your rights, freedom and legitimate interests; or
(3) is based on your express consent. However, these decisions may not be based on special categories of personal data as per Article 9 (1) GDPR, unless point (a) or (g) of Article 9 (2) GDPR applies and appropriate measures have been taken to protect your rights, freedom and your legitimate interests.
In the cases referred to in (1) and (3), the data controller shall take reasonable measures to safeguard your rights, freedom and legitimate interests, including at least the right to obtain human intervention on the part of the data controller, to state his or her own position and to challenge the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State where you reside, your place of work, or the place of the alleged infringement, if you believe that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the progress and outcome of the complaint, including the possibility of a judicial remedy as per Article 78 GDPR.