Data Protection Declaration

Data Protection Declaration

This is a translation of TU Braunschweig’s Datenschutzerklärung (Data Protection Declaration). Only the German version is legally valid. In case of any differences in wording, meaning, or interpretation between the German and English versions, the German version shall prevail.

I. Name and Address of the Controller

The controller as described in the General Data Protection Regulation (GDPR) and other national data protection acts as a member states as well as other data protection provisions is:

Technische Universität Braunschweig
Universitätsplatz 2
38106 Braunschweig
Tel.: +49 (531) 391- 0
E-Mail: praesidentin(at)tu-braunschweig.de

Represented by the President
Prof. Dr. Angela Ittel
https://www.tu-braunschweig.de/en/president

II. Name and Address of the Data Protection Officer

The data protection officer at Technische Universität Braunschweig is:

Dr. Bernd Nörtemann
Bienroder Weg 80
38106 Braunschweig
Tel.: +49 (531) 391 - 7654
E-Mail: datenschutz(at)tu-braunschweig.de
https://www.tu-braunschweig.de/datenschutz

III. General Information on Data Processing

1. Extent of personal data processing

TU Braunschweig only collects and processes its users’ personal data to the extent necessary to ensure the website functions and as required for its content and services as long as there is a legal basis permitting TU Braunschweig to do so.

2. Legal basis for personal data processing

If the data subjects must consent to their personal data being processed for certain procedures, point (a) of Article 6(1) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

When processing personal data required to fulfil a contract to which the data subject is a party, point (b) of Article 6(1) GDPR serves as the legal basis. This also applies to processes required for carrying out pre-contractual matters.

If it is necessary to process personal data to fulfil one of TU Braunschweig’s legal obligations, point (c) of Article 6(1) GDPR serves as the legal basis.

If vital interests of the data subject or another natural person require personal data to be processed, point (d) of Article 6(1) GDPR serves as the legal basis.

If the processing is required to fulfil a task that is in the public interest or that is a part of exercising official authority that was transferred to TU Braunschweig, point (e) of Article 6(1) GDPR in conjunction with § 3 NDSG serve as the legal basis for processing the data.

If it is necessary to process the data to preserve TU Braunschweig’s legitimate interests or those of the third-party, and if the interests, basic rights and freedoms of the data subject do not override the aforementioned interests, point (f) of Article 6(1) GDPR serves as the legal basis.

3. Period for which personal data is stored

TU Braunschweig saves the data subject's personal data only for as long as the reason for saving the data exists. If the data is processed based on the data subject's consent, the data is saved only until the consent is revoked unless there is another legal basis for processing the data.

4. Rights of the data subjects

4.1 Right of access

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed by TU Braunschweig. If that is the case, he or she has a right of access to the personal data and the following information:

a) the purposes of the processing;

b) the categories of personal data concerned;

c) the recipients or categories of recipient to whom the personal data have been or will be disclosed;

d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;

e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

f) the existence of the right to lodge a complaint with a supervisory authority.

4.2 Right to rectification

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The controller shall immediately rectify the data.

4.3 Right to restriction of processing

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

d) the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the data subject's consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

4.4 Right to erasure

A) Obligation to erase

The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;

c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);

d) the personal data have been unlawfully processed;

e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

B) Exceptions from the obligation to erase

The right to have data erased shall not apply to the extent that processing is necessary:

a) for exercising the right of freedom of expression and information;

b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);

d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or

e) for the establishment, exercise or defence of legal claims.

4.5 Right to notification

The controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort.

The controller shall inform the data subject about those recipients if the data subject requests it.

4.6 Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format. In addition, the data subjects have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(a) the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) or on a contract pursuant to point (b) of Article 6(1); and

(b) the processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. This right shall not adversely affect the rights and freedoms of others.

The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.7 Right to object

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1).

The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.

Data subjects have the right to withdraw their consent to their data being processed at any time. Withdrawing consent shall not affect the lawfulness of the processing done until the time consent was withdrawn.

4.8 Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.

IV. Description of the Website and Creating Log Files

1. Description and scope of data processing

Each time TU Braunschweig’s website is accessed, the system automatically collects data and information from the system of the computer accessing the site.
The following data are collected:

  • Information about the browser type and version used
  • The user's operating system
  • The user's IP address
  • The date and time the website was accessed
  • Websites that were accessed by the user's system via TU Braunschweig’s website

The data are also saved in TU’s system log files. These data are not saved together with other personal data from the user.

2. Legal basis for data processing

The legal basis for temporarily saving the data is point (f) of Article 6(1) EU-GDPR.

3. Purpose of data processing

The system must save IP addresses temporarily to ensure services operate properly. For this purpose, the user's IP address must be saved for the duration of the session.

The data are saved in log files to ensure the website’s functionality. The data also serve to enable TU Braunschweig to optimise the website and ensure the security of the IT systems. The data are not analysed for marketing purposes.

The purposes listed above encompass the legitimate interest in data processing according to point (f) of Article 6(1) GDPR.

4. Period of storage

The data are erased when the respective session ends. For the data stored in log files, the data are erased at the latest after seven days.
It is possible to store the data for a longer period of time. In this case, the user’s IP address is erased or alienated so that it is no longer possible to determine which client accessed the site with that address.

V. Use of Cookies

1. Description and scope of data processing

TU Braunschweig’s website uses cookies to make its website more user-friendly. Some elements of its website require the browser being used to be able to be identified even after changing webpages.

In the cookies, a unique, randomly generated identification number of the website session is stored and transferred for the duration of the session.

2. Legal basis for data processing

The legal basis for processing personal data using technically necessary cookies is point (f) of Article 6(1) EU-GDPR.

3. Purpose of data processing

Technically necessary cookies are used to simplify the use of the website for users. Some functions of TU Braunschweig’s website cannot be offered without using cookies. For these, it is necessary for the browser to be recognised even after changing pages. The purposes listed above encompass the legitimate interest in personal data processing according to point (f) of Article 6(1) EU-GDPR.

Cookies are needed for the following applications:

a) providing the website

b) use/access to protected websites and content (only after login and only for members of the TU Braunschweig)

c) use/access to the content management system of the website to edit the website (only after login and only for authorised members of the TU Braunschweig)

The usage data collected by technically necessary cookies are not used to create usage profiles.

4. Period of storage, possibilities to object to and remove cookies

Cookies are saved on the user's computer by the internet browser and transferred to TU Braunschweig’s website from that computer. This means that users also have full control over the use of cookies. By changing the settings in their Internet browser, they can deactivate or restrict the transfer of cookies. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies for TU Braunschweig’s website are deactivated, it is possible that not all of the website’s functions will be able to be used to the full extent.

VI. Web Analysis with Matomo

1. Extent of personal data processing

On its website, TU Braunschweig uses the open source software tool Matomo to analyse users’ surfing behaviour. No cookie is stored on the end devices of users for the analysis. When individual pages of our website are accessed, the following data are saved:

  • The anonymised IP address of the user’s system
  • The website accessed
  • The website from which the user reached our website (referrer)
  • The sub-pages which were accessed using the accessed website
  • The length of time the user stayed on the website
  • The frequency with which the user accessed the website
  • The dates, time, and country of origin from which the site was accessed
  • The type of Internet browser and language settings
  • The monitor resolution used
  • Documents and files that were downloaded
  • Loading time of the accessed website

The mentioned data is not used to create usage profiles, but only to show in aggregated form how many visitors have accessed which web pages and when.

The software runs exclusively on TU Braunschweig’s servers, which are also situated in Braunschweig. The user's personal data are only stored there. The data are not transferred to third parties.

The software is set up such that the IP addresses are not completely saved. The final two octets of the IP address are masked (e.g. 192.168.xxx.xxx). This means it is not possible to assign the shortened IP address to the accessing computer.

If users do not want these data to be saved and analysed, they can object to the data being saved and used at any time by mouse click. They can also object to the data being saved on any TU Braunschweig site (other than the homepage) in the footer. Only in this case, an “opt-out cookie" is saved and Matomo then does not collect any data on the session. Please note: If the user deletes their cookies, then the opt-out cookie is also deleted and must be reactivated.

If the user has activated the "do not track" setting in their browser, no opt-out is necessary.

TU Braunschweig uses the software Matomo for anonymised web analysis. The data serve to optimise the web offer.
You can find more information in our data protection declaration.

2. Legal basis for data processing

The legal basis for processing users’ personal data is point (f) of Article 6(1) GDPR.

3. Purpose of data processing

Processing the user's personal data enables to TU Braunschweig to analyse users’ surfing behaviour. By analysing the data obtained, TU Braunschweig is able to compile information about the use of individual components of its website. This helps it to continually improve its website and the website’s user-friendliness. The purposes listed above encompass the legitimate interest in data processing according to point (f) of Article 6(1) GDPR. By anonymising the IP addresses and the possibility of objecting to the use of the visit data at any time, the users’ interest in protecting their personal data is sufficiently considered.

4. Period of storage, possibilities to object to and remove cookies

The data are deleted as soon as they are no longer needed for the purposes for which we gathered them. At TU Braunschweig, this means that they are deleted after two years.

On its website, TU Braunschweig offers its users the possibility of opting out of the analysis process. To do so, they can object to the data being saved here in the data protection declaration or in the footer of every page. This leads to a cookie being sent to the user’s system that signals to TU Braunschweig’s system that it should not save the user’s data. If the user deletes the opt-out cookie from their own system, then they must reactivate this cookie.

VII. Newsletter

1. Description and scope of data processing

On TU Braunschweig’s website, it is possible to subscribe to a free newsletter. When signing up for the newsletter, the data from the form is sent to TU Braunschweig’s system. The data entered by the recipients for the purpose of receiving the newsletter is transmitted to the service provider responsible for the processing, rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg im Breisgau, Germany, and stored on rapidmail servers in Germany. Rapidmail is used to organise and analyse the dispatch of newsletters.

For the purpose of analysis, the newsletters sent with rapidmail contain a so-called tracking pixel, which connects to the servers of rapidmail when the email is opened. In this way, it can be determined whether a newsletter message has been opened. Furthermore, it can be determined whether and which links in the newsletter message are clicked on. All links in the email are so-called tracking links, with which the number of clicks of all recipients can be counted anonymously. A profiling does not take place.

When registering for the newsletter, the IP address of the recipients and the date and time of registration are stored.

To process the personal data collected while signing up for the newsletter, during the registration process the user is informed about this data protection declaration and must give their consent.

The newsletter registration is carried out in a so-called double opt-in procedure. This means that the recipients receive an e-mail after registration in which they are asked to confirm their registration. This confirmation is necessary so that no one can register with other people's email addresses.

The data is used exclusively for sending the newsletter. The data will not be transferred to third countries.

You can find more information on the data protection information of rapidmail at: https://www.rapidmail.de/datenschutz

2. Legal basis for data processing

The legal basis for processing data after the user signs up for the newsletter is point (a) of Article 6(1) EGDPR if the user's consent has been given.

3. Purpose of data processing

The user's email address is collected in order to send the newsletter.

The other personal data collected as part of the registration procedure serve to prevent the services or email address used from being abused.

4. Period of storage, possibilities to object to and remove cookies

The user's email address is stored as long as the subscription to the newsletter is active. The user may cancel their subscription to the newsletter at any time. There is a link to cancel the subscription in every newsletter. This also makes it possible to withdraw consent to saving the personal data collected during the registration process.

VIII. Contact

1. Description and scope of data processing

On TU Braunschweig’s website, it is possible to contact the University using forms or email addresses that are provided. In this case, the personal data transferred by the user are stored.

The data are not transferred to third parties. The data are used exclusively for processing for the purpose stated above.

2. Legal basis for data processing

The legal basis for processing the data transferred when making contact with the University is Article 6(1) GDPR.

3. Purpose of data processing

TU Braunschweig only processes the personal data for the purpose of making contact. This purpose makes up the legitimate interest in data processing.

4. Period of storage, possibilities to object to and remove cookies

The personal data that were transferred shall be deleted when the respective purpose has been fulfilled.

If the user makes contact with TU Braunschweig, he or she can object to his or her personal data being saved at any time. In this case, communication cannot be continued or restarted. All personal data that were saved as part of the communication process will then be deleted.