Privacy Policy

This privacy policy offers information on the method, extent and purpose of processing personal data (subsequently 'data') within our online presence and its connected websites, functions and contents as well as external online presences as, for instance, our social media profiles (subsequently 'online presence'). Regarding the terms used in this Privacy Policy, for instance 'processing' or 'controller', we point out the definitions from Art. 4 of the General Data Protection Regulation (GDPR).

Controller

Prof. Dr. Kai-Christian Bruhn, University of Applied Sciences, Lucy-Hillebrand-Straße 2, 55128 Mainz, Germany

bruhn@hs-mainz.de

Impressum: mainzed.org/en/#imprint

Contact data protection officer:

The state representative for data protection and freedom of information Rhineland-Palatinate (LfDI), PO box 3040, 55020 Mainz, Germany

Types of processed data:

Categories of data subjects

Visitors and users of the online presence (subsequently data subjects are also referred to by 'user').

Purpose of processing

Definitions of terms used

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

‘processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Relevant legal framework

In accordance with Art. 13 GDPR we acquaint you with the legal framework of our data processing. In case the legal framework is not mentioned in this privacy policy, the following is valid: The legal framework for obtaining the consent is Art. 6 (1) lit. a and Art. 7 GDPR, the legal framework for processing in order to fulfil our performances and perform contractual measures as well as to answer requests is Art. 6 (1) lit. b GDPR, the legal framework for processing in order to fulfil our legal obligations is Art. 6 (1) lit. c GDPR and the legal framework for processing in order to maintain our legitimate interests is Art. 6 (1) lit. f GDPR. In case essential interests of the data subject or another natural person require processing of personal data, Art. 6 (1) lit. d GDPR is the legal framework.

Security measures

According to Art. 32 GDPR, we take suitable technical and organisational measures in consideration of the state of the art, implementation costs and the method, extent, circumstances and the purposes of processing as well as the different probabilities of occurrence and the severity of the risk for rights and liberties of natural persons in order to guarantee a level of protection that is appropriate for the risk.

Part of these measures are especially the protection of confidentiality, integrity and availability of data by controlling the physical access to data as well as the access concerning the data, input, transfer, protection of availability and separation of data. Furthermore, we established processes that guarantee a perception of the rights of individuals, the deletion of data and reaction to the exposure of data. Additionally, in the course of the development or choice of hardware, software as well as processes we already take the protection of personal data into account in accordance with the principle of data protection by design and by default (Art. 25 GDPR).

Cooperation with processors and third parties

Provided that in the course of our processing we disclose data towards other persons or companies (processors or third parties), transmit or allow access to the data, this only takes place on the basis of a legal permission (e.g. when the transmission of data to third parties as payment service providers is necessary for the performance of a contract according to Art. 6 (1) lit. b GDPR), if you agreed to it, if a legal obligation provides this or on the basis of our legitimate interests (e.g. the employment of representatives, webhosts etc.).

Provided that we instruct third parties to process data on the basis of a so-called ‘processor contract’, this takes place on the basis of Art. 28 GDPR.

Transmission to third countries

Provided that we process data in a third country (in other words, outside of the European Union (EU) or the European Economic Area (EEA)) or in the course of the utilisation of services by third parties or the disclosure or transmission of data to third parties, this only takes place if our (pre)contractual duties are carried out, on the basis of your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we process data ourselves or they are processed in a third country only in the presence of the special prerequisites of Art. 44 ff. GDPR. In other words, processing takes place, for instance, on the basis of special guarantees as the official assessment of a data protection level that corresponds to the one of the EU (e.g. the ‘Privacy Shield’ for the US) or the consideration of special contractual obligations that are officially recognised (so-called ‘standard contractual clauses’).

Rights of data subjects

You have the right to obtain confirmation as to whether or not personal data are being processed and further information on these data according to Art. 15 GDPR.

According to Art. 16 GDPR you have the right to have incomplete personal data completed or to obtain from the controller without undue delay the rectification of inaccurate personal data.

According to Art. 17 GDPR you have the right to obtain from the controller the erasure of personal data and, alternatively, the restriction of processing of data according to Art. 18 GDPR.

You have the right to receive the personal data that you have provided to us according to Art. 20 GDPR and to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

Further, you have the right to lodge a complaint with a supervisory authority according to Art. 77 GDPR.

Right of revocation

You have the right to withdraw your consent according to Art. 7 (3) GDPR.

Right of objection

You have the right to object to the future processing of your personal data according to Art. 21 GDPR. Objections can be especially made where personal data are processed for direct marketing purposes.

Cookies and right of objection in the case of direct marketing purposes

‘Cookies’ are small files that are saved on the computers of users. Within cookies different information can be saved. A cookie primarily serves to save information on a user (or the device on which the cookie is saved) during or after visiting online presences. Temporary cookies or ‘session cookies’ or ‘transient cookies’ are cookies that are deleted after a user has left an online presence and closed their browser. In such a cookie the content of a cart within an online shop or login data can be saved. ‘Permanent’ or ‘persistent’ cookies are saved even after the browser has been closed. That way, for instance, login data can be saved when users find them after some days. In such a cookie, interests of users that are used for range measurement or marketing purposes can be saved as well. ‘Third-party cookies’ are cookies that are offered by a different provider than the controller of the online presence (otherwise, we speak of ‘first-party cookies’).

We can use temporary and permanent cookies and explain this further in our privacy policy.

If users do not want their cookies to be saved on their computer, they are asked to deactivate the relevant option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The exclusion of cookies can lead to functional restrictions of this online presence.

A general objection to the use of cookies that are used for purposes of online marketing can be made towards a lot of services, especially in the case of tracking, via the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com/. Furthermore, the storage of cookies can be prevented by deactivating them in the settings of the browser. Please note that in this case possibly not all functions of this online presence can be used.

Deletion of data

Data that are processed by us are deleted according to Art. 17 and 18 GDPR or limited in their processing. Provided that in the course of this privacy policy this is not explicitly indicated, saved data will be deleted as soon as they are not necessary for their intended purpose anymore and no legal retention obligations hinder the deletion. Provided the data are not deleted because they are necessary for other and legally permitted purposes, their processing will be limited. In other words, data will be blocked and not processed for other purposes. This applies to data that have to be stored for commercial and fiscal reasons.

Hosting

Hosting services that are made use of by us serve the provision of the following services: services of infrastructure and platform, computing capacity, storage space and services of database, security services as well as services of technical support that we employ in order to operate this online presence. Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online presence on the basis of our legitimate interests in an efficient and safe provision of this online presence according to Art. 6 (1) lit. f GDPR in connection with Art. 28 GDPR (processor contract).

Collection of access data and logfiles

We and our hosting provider collect data on the basis of our legitimate interests according to Art. 6 (1) lit. f GDPR via every access to our server, on which this service is located (so called server logfiles). Part of the access data are names of the accessed website, file, date and time of the access, transmitted data volume, notification on successful access, browser type together with version, operating system of the user, referrer URL (the website visited before), IP-address and the requesting provider.

Logfile information will be saved for a maximum period of 7 days for reasons of security (e.g. information on acts of misuse and fraud) and afterwards deleted. Data whose collection is necessary for purposes of proof are excepted from deletion until the complete clarification of the particular incident.

Contact

If users want to contact us (e.g. via contact form, e-mail, telephone or social media), their data are processed in order to execute their contact request according to Art. 6 (1) lit. b GDPR. User information can be saved in a customer relationship management system (‘CRM System’) or in similar contact organisations.

We delete contact requests provided they are no longer required. Every other year, we check the requirement; furthermore, the legal archiving obligations apply.

Newsflash

In the following, we inform you about the contents of our newsletter and the application procedure, mailing procedure and the statistical evaluation procedure as well as your right of objection. By subscribing to our newsletter, you agree to the receipt and procedure described here.

Content of the newsletter: We only send newsletters, e-mails and further electronic messages with advertising information (in the following: ‘newsletter’) with the consent of the recipient or a legal permission. Provided that in the course of the application to our newsletter its contents are specifically outlined, they are essential for the consent of the users. Moreover, our newsletters contain information on our services and ourselves.

Double-opt-in and logging: The application to our newsletter is part of a so-called double-opt-in procedure. In other words, you will receive an e-mail after your application, that requests the confirmation of your application. This confirmation is necessary to guarantee that nobody can apply with someone else’s e-mail address. The applications to our newsletter are logged in order to attest the application process according to the legal requirements. Part of this is the storage of the date and time of the application. Changes of your data that are stored with the shipping provider are also logged.

Application data: In order to apply to the newsletter, it is sufficient if you provide your e-mail address.

The mailing of the newsletter and its connected performance measurement take place on the basis of the consent of the recipients according to Art. 6 (1) lit. a, Art. 7 GDPR in conjunction with § 7 (2) lit. 3 UWG (law against unfair competition) or on the basis of legal allowance according to § 7 (3) UWG.

The application procedure is logged on the basis of our legitimate interests according to Art. 6 (1) lit. f GDPR. Our interest focusses on the employment of a user-friendly and safe newsletter system that serves our commercial interests as well as matches the expectations of the user and further allows us to verify the consent.

Withdrawal: You can cancel the receipt of the newsletter anytime or in other words, withdraw your consent. You can find a link leading to the withdrawal of the newsletter at the bottom of every newsletter. We can save the e-mail addresses that were cancelled up to three years on the basis of our legitimate interests before we delete them in order to attest a former consent. The processing of these data will be restricted to the purpose of a possible resistance to claims. An individual request of deletion is possible anytime provided that a former consent is simultaneously confirmed.

Newsletter - mailing service provider

The newsletter is dispatched by the mailing service provider [lists.hs-mainz.de of Hochschule Mainz]. You can take a look at the privacy policy of the mailing service provider here: [Privacy policy of Hochschule Mainz]. The mailing service provider is employed on the basis of our legitimate interests according to Art. 6 (1) lit. f GDPR and on the basis of a processor contract according to Art. 28 (3) GDPR. The mailing service provider can use the data of the recipients as pseudonyms or in other words without an allocation to a user in order to optimise or improve the services, e.g. using them for the technical optimisation of mailing and displaying the newsletter or for statistical purposes. However, the mailing service provider does not use the data of our newsletter recipients in order to write to them directly or to transmit data to third parties.

Online presence in social media

We have online presences in social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When retrieving the networks and platforms, terms and conditions and guidelines of data processing of the respective providers apply.

Provided that it is not stated differently in the course of our privacy policy, we process data of users if they communicate with us within social networks and platforms, e.g. if they post something on our online presences or send us messages.

Incorporation of services and contents of third parties

Within our online presence we employ content and service offerings of third parties on the basis of our legitimate interests (in other words, interest in the analysis, optimisation and economic operation of our online presence according to Art. 6 (1) lit. f GDPR) in order to incorporate their contents and services like videos or fonts (in the following consistently referred to as ‘contents’).

This always implies that third-party suppliers of these contents perceive the IP address of the users because they cannot send the contents to their browsers without the IP address. Hence, the IP address is required for the display of these contents. We attempt to use only contents of those providers who use the IP address merely to deliver contents. Third-party suppliers can also use so-called pixel tags (invisible graphics, also called ‘web beacons’) for statistical or marketing purposes. With ‘pixel tags’, information like the visitor traffic on the pages of this website can be evaluated. Pseudonymous information can also be saved as cookies on the device of the user and contain among others technical information on the browser, operating system, referencing websites, visiting time as well as further information on the usage of our online presence and be connected with such information from other sources.

Google Fonts

We incorporate the fonts (‘Google Fonts’) of the provider Google LLC, 1160 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy policy: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.

Twitter

Within our online presence functions and contents of the service Twitter (provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA) can be incorporated. These can include contents like pictures, videos or texts and buttons with which users declare their appreciation regarding the contents, subscribe to the authors of the contents or our posts. Provided that the users are members of the platform Twitter, Twitter is able to match the retrieval of the contents and functions mentioned above with the profiles of the users there. Twitter is certified to the Privacy Shield arrangement and thus guarantees to adhere to the European privacy policy (https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active). Privacy policy: https://twitter.com/de/privacy, Opt-Out: https://twitter.com/personalization.