Privacy Policy

Content of this Privacy Policy

I. Name and address of the controller
The controller in accordance with the EU General Data Protection Regulation (“GDPR”) and other national data protection laws of the Member States and other data protection provisions is:

Heinrich Heine University Düsseldorf
Universitätsstraße 1
40225 Düsseldorf
Tel. +49 211 81-11118
Website: www.hhu.de

II. Name and address of the Data Protection Officer
The Data Protection Officer of the controller is:

Datenschutzbeauftragter und Leiter der Stabsstelle Datenschutz
Kurt Finkbeiner
Universitätsstraße 1
Building: 16.11
Floor/Room: 01.81
40225 Düsseldorf
Tel.: +49 211 81-13214
Fax: +49 211 81-10549
E-mail: Datenschutzbeauftragter @ hhu.de
Website: www.hhu.de

III. General information on data processing
1. Scope of the processing of personal data
In principal, we only process our users’ personal data when it is necessary to do so in order to provide a functioning website and for our content and services. The processing of personal data is generally only carried out with the user’s consent. An exception applies in cases in which obtaining prior consent is not feasible for practical reasons and the processing of personal data is permitted by law.

2. Legal basis for the processing of personal data
Insofar as we obtain consent for processing operations for personal data from the data subject, the legal basis for the processing of personal data is Art. 6 (1) (a) GDPR.
In case of processing operations that are necessary for the performance of a contract to which the data subject is party, the legal basis for the processing of personal data is Art. 6 (1) (b) GDPR. This also applies to processing operations necessary in order to take steps at the request of the data subject prior to entering into a contract.
Insofar as a processing of personal data is necessary for compliance with a legal obligation to which the controller is subject, the legal basis for the processing of personal data is Art. 6 (1) (c) GDPR.
In the case that the processing is necessary for the vital interests of the data subject or of another natural person, the legal basis for the processing of personal data is Art. 6 (1) (d) GDPR.

Is the processing necessary for the purposes of the legitimate interests pursued by the controller or by a third party and such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, the legal basis for the processing of personal data is Art. 6 (1) (f) GDPR.

3. Data erasure and storage period
Personal data of the data subject will be erased or made unavailable as soon as the purpose of the storage of such data ceases to apply. Personal data may also be stored if this is provided for by European or national provisions in EU regulations, legislation or other rules to which the controller is subject. Personal data will also be erased or made unavailable if a storage period prescribed by the aforementioned rules expires, unless the continued storage of such data is necessary for the conclusion or performance of a contract.

IV. Operation of the website and creation of log files
1. Description and scope of data processing
With every visit of this website our system automatically records data and information on the device system used by the accessing device.

The following data is processed:
• Information on the browser type and its version used
• The operation system of the user’s device
• The user’s internet service provider
• The user’s IP address
• Date and time of access
• Websites, from which the user’s system enters our website
• Websites, that the user’s system enters via our website

This data is also stored in our system’s log files. It is not stored together with other personal data of the user.

2. Legal basis for the processing of personal data
The legal basis for the temporary storage of the data and log files is Art. 6 (1) (f) GDPR.

3. Purpose of the processing
The temporary storage of the user’s IP address is necessary for the system to provide for the display of the website to the user. For this purpose, the user’s IP address must be stored for the duration of the session.
The storage of the log files is necessary to ensure the functionality of the website. Additionally, this data serves us to optimise the website and to ensure the security of our IT systems. This data is not analysed for marketing purposes.
Our legitimate interest in the data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.

4. Storage period
The data will be erased as soon as the purpose of the storage of such data ceases to apply. Concerning data collected for the operation of the website, that is the case when the relevant session is terminated.
Concerning the storage of log files, that is the case after seven days at the latest. Extended storage is possible. Should that be the case, the user’s IP addresses will be erased or alienated so that an assignment to the accessing client is no longer possible.

5. Right to objection and erasure
The processing of data for the operation of the website and the storage of data in log files is strictly necessary for running the website. Therefore, the user does not have any right to object.

V. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are stored in the user’s internet browser or by the internet browser in the user’s computer system. If a user accesses the website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic character string which allows the browser to be clearly identified when the website is accessed again.
We use cookies to design our website to be more user-friendly. Some elements of our website require that the accessing browser can be re-identified after switching between websites.
In these cookies the following data is stored and transmitted:
• Session ID
• Time-zone and other information concerning the display of the website
• Information for the purposes of PDF creation

2. Legal basis for the processing of personal data
The legal basis for the processing of personal data via the use of cookies is Art. 6 (1) (f) GDPR.

3. Purpose of the processing
The purpose of the use of technically necessary cookies is to simplify the use of the website for the user. Some of our website’s functions cannot be used without enabling the necessary cookies. It is essential for these functions that the accessing browser can be re-identified after switching between websites.

The following applications require the use of cookies:

PDF Printer

The user data processed by technically necessary cookies is not used to create user profiles.
Our legitimate interest in the data processing pursuant to Art. 6 (1) (f) GDPR also lies in these purposes.

4. Storage period, right to objection and erasure
Cookies are stored on the user’s device and transmitted to our site. Therefore, you as a user are in full control over the use of cookies. By changing the settings of your web browser, you may deactivate or limit the transmission of cookies. Cookies already stored may be deleted at any time. This can also take place automatically. Should you deactivate cookies for our website, you might not be able to use all of the website’s functions in full.

VI. Newsletter (CIP)
1. Description and scope of data processing
On some of our websites you are given the opportunity to subscribe to a free newsletter. When registering for the newsletter, the data from the form is transmitted to us.

For the registration, the e-mail address of the subscriber and optionally the subscriber’s name are processed.

Additionally, the following data is processed during registration:

(1) IP address of the accessing device
(2) Date and time of the registration

In connection with data processing for sending newsletters, none of the data is distributed to third parties. The data is used exclusively for sending the newsletter.

2. Legal basis for the processing of personal data
The legal basis for the processing of personal data after the registration to the newsletter by the user is Art. 6 (1) (a) GDPR.

3. Purpose of the processing
The processing of the user’s e-mail address is used to send the newsletter.
The processing of other personal data during the registration process serves to prevent misuse of the services or the e-mail address used.

4. Storage period
The data is erased as soon as the purpose of the storage of such data ceases to apply. The e-mail address is stored as long as the newsletter subscription is active.
Other personal data processed during the registration process is generally erased after the expiration of a period of seven days.

5. Right to objection and erasure
The user can cancel the subscription at any time. For this purpose, there is a respective link in every newsletter.
Additionally, this enables the user to revoke the consent given for the storage of personal data processed during the registration process.

VII. Contact form and contact via e-mail
1. Description and scope of data processing
On our website there is a contact form that may be used for electronic contact. If a user makes use of the contact form, the data entered into the form are transmitted to and stored by us. This data includes:
• Name
• E-mail address
• Subject
• Message

At the time the message is sent, the following data is stored as well:
• The user’s IP address
• Date and time of the registration

Your consent is obtained for the processing of data and a reference to this Privacy Policy is made in the context of the sending process.
Alternatively, you may contact us via the given e-mail address. In this context, the user’s personal data transmitted via e-mail are processed and stored.
In connection with data processing in this context, none of the data is distributed to third parties. The data is used exclusively for processing conversations.

2. Legal basis for the processing of personal data
The legal basis for the processing of personal data is Art. 6 (1) (a) GDPR, if consent is obtained.
The legal basis for the processing of personal data transmitted when an e-mail is sent, is Art. 6 (1) (f) GDPR. If the e-mail contact aims at the conclusion of a contract, then additionally, the legal basis for the processing of personal data is Art. 6 (1) (b) GDPR.

3. Purpose of the processing
The processing of personal data from the form solely serves the initiation of conversations. In the case of a conversation via e-mail our legitimate interest in the data processing pursuant to Art. 6 (1) (f) GDPR also lies in that purpose.
The other personal data processed during the sending process serves to prevent misuse of the contact form and to ensure the security of our IT systems.

4. Storage period
The data is erased as soon as the purpose of the storage of such data ceases to apply. Concerning personal data processed when using the contact form and that sent via e-mail, that is the case as soon as the conversation with the user is terminated. A conversation is terminated when the circumstances give reason to believe that the issue in question has been resolved definitively.
Personal data processed additionally during the sending process will be erased after the expiration of a period of seven days at the latest.

5. Right to objection and erasure
The user has the right to withdraw his or her consent to the processing of personal data at any time. If the user contacts us via e-mail he or she may at any time object to the processing of his or her personal data. Should that be the case, the conversation cannot be continued.
The withdrawal or the objection, respectively, must be addressed to the contact person named in the imprint either via e-mail, by post or via telephone at the given address.
All personal data stored when initiating contact will be deleted in that case.

VIII. Rights of the data subject
If your personal data is processed, you are the data subject in accordance with the GDPR and you have the following rights vis-à-vis the controller:

1. Right of access
You can request confirmation from the controller of whether we process personal data concerning you. If such processing is carried out, you can request details of the following information from the controller:
1. the purposes for which the personal data is processed
2. the categories of personal data which are processed
3. the recipients or categories of recipients to whom personal data concerning you has been or will be disclosed
4. the planned length of storage of the personal data concerning you or, if it is not possible to provide specific details of this, the criteria for determining the storage period
5. the existence of a right to the rectification or deletion of the personal data concerning you, a right to restrict the processing by the controller or a right to object to such processing
6. the existence of a right of appeal to a supervisory authority
7. all available information on the origin of the data, if the personal data is not obtained from the data subject;
8. the existence of automated decision-making, including profiling, in accordance with Art. 22 (1) and (4) GDPR and, – in these cases at least, – meaningful information on the logic involved as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information on whether personal data concerning you will be transferred to a third country or to an international organisation. In this regard, you can request information on the appropriate safeguards in accordance with Art. 46 GDPR related to transfer.

2. Right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification immediately.

3. Right to restriction of processing
Under the following circumstances, you can request the processing of personal data concerning you to be restricted:
1. for a period enabling the controller to verify the accuracy of the personal data, if you are contesting the accuracy of the personal data concerning you
2. when the processing is unlawful and you oppose the erasure of the personal data and request the restriction of use of the personal data instead
3. when the controller no longer needs the personal data for processing purposes, but you need it to establish, exercise or defend your legal rights, or
4. when you have objected to the processing in accordance with Art. 21 (1) GDPR and verification of whether the controller’s legitimate grounds override your grounds is still pending.
Where the processing of personal data concerning you has been restricted, this data may, – with the exception of storage, – only be processed with your consent or to establish, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State. Where processing has been restricted under the aforementioned conditions, you will be informed by the controller before the restriction is lifted.

4. Right to erasure
a) Duty to erase
You can ask the controller to erase personal data concerning you immediately and the controller is obliged to erase this data immediately where one of the following grounds applies:
1. The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You withdraw your consent on which the processing is based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) and there are no other legal grounds for the processing.
3. You submit an objection to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you submit an objection to the processing in accordance with Art. 21 (2) GDPR.
4. The personal data concerning you was processed unlawfully.
5. The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of a Member State to which the controller is subject.
6. The personal data concerning you was collected in relation to information society services offered in accordance with Art. 8 (1) GDPR.

b) Disclosing information to third parties
If the controller has made personal data concerning you public and is obliged to erase it in accordance with Art. 17 (1) GDPR, it shall take reasonable steps, taking into account available technology and implementation costs, including technical measures, for the data processing to inform controllers processing the personal data that you, the data subject, have requested the erasure of all links to this personal data or of copies or replications of this personal data.

c) Derogations
The right to erasure is not granted if the processing is necessary
1. to exercise the right of freedom of expression and information;
2. to fulfil a legal obligation which requires processing in accordance with the law of the Union or the Member States to which the controller is subject or to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons in the public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR, if the right provided in (a) is likely to render impossible or seriously impair the achievement of the objectives of this processing, or
5. to establish, exercise or defend legal claims.

5. Right to information
If you have asserted the right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform all recipients to whom the personal data
concerning you was disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or would involve a disproportionate effort.
You have the right vis-à-vis the controller to information on these recipients.

6. Right to data portability
You have the right to receive personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, if
1. the processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR and
2. the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, where this is technically feasible. The freedom and rights of others may not be adversely affected by this.
The right to data portability does not apply for the processing of personal data that is necessary to perform a task that is carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection
You have the right, for reasons of your own particular situation, to object at any time to the processing of personal data concerning you that is performed in accordance with Art. 6 (1) (e) or (f) GDPR; this also applies to any profiling based on these provisions.
The controller will no longer process the personal data concerning you, unless it can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or the processing facilitates the establishment, exercise or defence of legal claims.
Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct advertising purposes, the personal data concerning you will no longer be processed for these purposes.
Notwithstanding – Directive 2002/58/EC, – you are also entitled in the context of the use of information society services to exercise your right of objection by means of automated procedures for which technical specifications are used.

8. Right to withdraw declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent will not affect the lawfulness of processing carried out based on the consent prior to withdrawal.

9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, – including profiling, – which has legal effects for you or similar significant adverse effects for you. This does not apply if the decision
1. is necessary for the conclusion or performance of a contract between you and the controller,
2. is permissible under the law of the Union or the Member States to which the controller is subject, and this law provides adequate measures to safeguard your rights and freedoms and your legitimate interests, or
3. is made with your express consent.
However, these decisions may not be based on special categories of personal data in accordance with Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) applies and suitable steps to protect rights and freedoms and your legitimate interests have been taken.
In the cases stated in (1) and (3), the controller will take suitable steps to safeguard rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to express your own point of view and to contest
the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you believe that the processing of the personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint was lodged will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.