Our Handling of your Data and your Rights
Information in accordance with Articles 13, 14, and 21 of the General Data Protection Regulation (GDPR)
This is to inform you about your entitlements and rights under the data protection regulations and how we process your personal data. Which data are processed in particular and how they are used largely depends on the services you use, some of which require an application.
Derogations from the present provisions are specified explicitly in separate privacy policies of the areas responsible.
1. What is the name of the automated processing concerned?
Web presence of Helmut Schmidt University / Bundeswehr University, Hamburg
(also known as website or home page of the Helmut Schmidt University / Bundeswehr University, Hamburg)
Welcome site accessible via URL https://www.hsu-hh.de
2. Who is responsible for data processing and whom should I approach?
The President of
Helmut Schmidt University
Bundeswehr University, Hamburg
Statutory representative (overall responsibility):
Prof. Dr. Klaus Beckmann
Data processing center, Helmut Schmidt University / Bundeswehr University, Hamburg
For information about data privacy, please contact:
Data Protection Officer, Helmut Schmidt University / Bundeswehr University, Hamburg
Zentrale Verwaltung (Central Administration)
phone 040 6541 2131
3. Which sources and data do we use?
We process the personal data which are required to provide and render the services you use.
Relevant personal data are particulars (name, address and other contact details, user credentials). They can also include data related to your use of our offered telemedia (for instance, time of website request, apps, visited sites or entries) as well as other data comparable with the mentioned categories.
Category and quantity of the processed personal data depend on the location of access (internal / external) and the right of the user:
- You use either the publicly accessible web server with an invariable copy of the web presence of Helmut Schmidt University / Bundeswehr University, Hamburg, or the internal web server as a guest user.
- You use the variable web presence with a connected content management system as a logged-in user. This is only accessible within the campus network.
4. For which purpose do we process your data and on which legal basis?
We process personal data in accordance with the provisions of the General Data Protection Regulation of the European Parliament and of the Council and the Federal Data Protection Act.
On the occasion of every access to / download from the web presence of Helmut Schmidt University / Bundeswehr University, Hamburg, the following data are recorded and used:
- IP address
- site visited (from where the file was requested)
- name of downloaded file
- date and time of request
- data transmission volume
- access status, i.e. whether the access/download was successful
- description of the type of web browser used
All logging data are processed on the basis of the “Rahmendienstvereinbarung zur Protokollierung informationstechnischer Systeme” (Basic Works Agreement on IT Systems Logging) between the Federal Ministry of Defense and the Central Staff Council at the Federal Ministry of Defense dated 3 May 2006.
In accordance with this Basic Works Agreement (see Section 6 Subsection (2)), log data are exclusively used for:
- monitoring the legitimacy of processing and using personal data
- examining and safeguarding the requirements regarding data protection rules
- analyzing and correcting technical faults
- ensuring system safety
- optimizing the network
- conducting a statistical analysis of the overall efficiency (see also 12)
- conducting sample checks
- preventing and discovering criminal acts, and
- analyses as measures in case of infringement and abuse (in accordance with the above-mentioned Basic Works Agreement).
The purpose of “statistical analysis” is explained explicitly under 12 below. Furthermore, you have the possibility there to object and place an opt-out cookie.
For the purpose of identity management, authorization of users, modification logs and checking of access rights, personal data from a technical back-end system are used for access to the content management system of the website and to the services and applications offered; access thereto is only possible within the campus network. The following data are processed:
- central login data
- first name, last name
- functionary data (for example, the e-mail address)
- type, scope and time of content changes
- group membership (control of authorization)
In accordance with Article 30 GDPR, detailed procedural information is listed in the automated processing register of the Bundeswehr, which is the record of processing activities.
4.1 On the basis of your consent in accordance with Article 6 (1) a) GDPR
If you have given consent to the processing of your personal data for specific purposes, processing will be lawful on the basis of this consent. A given consent can be revoked at any time. This also applies to the revocation of declarations of consent which had been given before the GDPR entered into force, that means before 25 May 2018.
Please note that the revocation will take effect only in the future. Processing before the revocation is therefore not affected.
5. Who receives my data?
The respective bodies within Helmut Schmidt University / Bundeswehr University, Hamburg, receive those data from you which they require to fulfill their official and legal responsibilities.
Transfer of information to third parties will take place only on the basis of legal obligations and powers or your consent.
6. For how long will my data be saved?
If required, we process and save your personal data for the duration of your website visit. Maximum retention time for the logging data of the web server (see 4) will be 6 months.
Functionary data and other voluntary information (for example on a member site of a professorial chair) are collected from the respective person who can decide how long the data will be saved beyond the duration of the employment relationship (see 4.1 and 8.3).
7. Are data transferred to a third country or an international organization?
Data are not transferred to third countries (states outside the European Economic Area – EEA).
8. Which data protection rights do I have?
Each data subject has the right of access in accordance with Article 15 GDPR, the right to rectification in accordance with Article 16 GDPR, the right to erasure in accordance with Article 17 GDPR, and the right to restriction of processing in accordance with Article 18 GDPR. With regard to the right of access and the right to erasure, the restrictions in accordance with Sections 34 and 35 of the Federal Data Protection Act will apply. In addition, there is the right to lodge a complaint with a supervisory authority (in accordance with Article 77 GDPR in conjunction with Section 19 of the Federal Data Protection Act).
Information on processing (for instance file name and storage location) is included in the record of processing activities (see 4).
The following paragraphs inform you about your rights as a data subject.
8.1 Right of access
In accordance with Article 15 GDPR, the data subject has the right to obtain confirmation as to whether personal data concerning him or her are being processed. If this is the case, the data subject will be provided with the required information on the processing and will be informed about his or her rights.
Should you identify incorrect or incomplete data concerning you which you cannot correct yourself, please address the above-mentioned controller. Alternatively, you can address the responsible data protection officer of Helmut Schmidt University / Bundeswehr University, Hamburg.
8.2 Right to rectification
In accordance with Article 16 GDPR, the data subject has the right to obtain without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject will have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
8.3 Right to erasure
In accordance with Article 17 GDPR, the data subject has the right to obtain the erasure of personal data concerning him or her without undue delay. Under certain circumstances, the controller has the obligation to erase personal data without undue delay. This applies if
- the personal data are no longer necessary in relation to the purposes for which they were collected
- the data subject withdraws consent and there is no other legal ground for the processing
- the data subject makes a justified objection
- the personal data have been unlawfully processed
The consequence of erasing the user ID (see 4) is the subsequent exclusion from the content management system of the internet presence of Helmut Schmidt University / Bundeswehr University, Hamburg.
The logging data will be erased in accordance with the Basic Works Agreement between the Federal Ministry of Defense and the Central Staff Council at the Federal Ministry of Defense dated 8 March 2006 (see 4).
The erasure of your data will be made upon request. The application is to be submitted to the controller or the data protection officer of Helmut Schmidt University / Bundeswehr University, Hamburg.
8.4 Right to restriction of processing
In accordance with Article 18 GDPR, the data subject has the right to obtain restriction of processing under certain circumstances. The following cases are possible:
- The accuracy of the personal data is contested by the data subject.
- The processing is unlawful and the data subject opposes the erasure of the personal data.
- The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims:
Upon request, the data will be marked for restricted processing. Should marking not be possible, the data will be saved prior to processing (for example via screenshot). The application is to be submitted to the controller or the data protection officer of Helmut Schmidt University / Bundeswehr University, Hamburg.
- The data subject has objected to processing pursuant to Article 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.
In this case, too, your data will be marked for restricted processing upon request. Should marking not be possible, the data will be saved prior to processing (for example via screenshot). The application is to be submitted to the controller or the data protection officer of Helmut Schmidt University / Bundeswehr University, Hamburg.
8.5 Right to object
In accordance with Article 21 GDPR, a data subject has the right to object, on grounds relating to his or her particular situation, at any time to the processing of personal data concerning him or her which is based on point (e) or (f) of Article 6 (1). The controller will no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.
In accordance with Article 6 (1) point (e) GDPR, personal data are processed in this application which are necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Helmut Schmidt University / Bundeswehr University, Hamburg.
Helmut Schmidt University / Bundeswehr University, Hamburg, is a Bundeswehr agency and, in terms of its tasks, structures and rights, organized in accordance with Hamburg Land law.
If a data subject objects to the processing of his/her data, participation in services of Helmut Schmidt University / Bundeswehr University, Hamburg, by means of technical procedures is no longer possible.
The objection is to be submitted to the controller or the data protection officer of Helmut Schmidt University / Bundeswehr University, Hamburg.
8.6 Right to data portability
In accordance with Article 20 GDPR, the data subject is entitled to receive a copy of the personal data concerning him or her in a commonly used and machine-readable format.
That right will not apply to the performance of tasks carried out in the exercise of official authority vested in the controller. This applies to the automated processing of personal data by Helmut Schmidt University / Bundeswehr University, Hamburg (see 8.5).
Thus, the right to data portability will not apply there.
8.7 Right to revoke the consent
This right will take effect in the future in each individual case.
As the processing of personal data on the internet presence of Helmut Schmidt University / Bundeswehr University, Hamburg, is covered by a legal basis and not by consent, the right to revoke the consent does not apply there.
Voluntary information, for instance on a member site, can be removed independently at any time by persons authorized to do the web administration of the sites concerned.
8.8 Right to lodge a complaint with a supervisory authority
In accordance with Article 77 GDPR, every data subject has the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the GDPR.
Supervisory authorities in terms of the GDPR are the Federal Commissioner for Data Protection and Freedom of Information and the Data Protection Commissioners of the Länder. The Federal Commissioner for Data Protection and Freedom of Information is the competent supervisory authority for Helmut Schmidt University / Bundeswehr University, Hamburg, the latter being a Bundeswehr agency and a higher federal authority.
(Federal Commissioner for Data Protection and Freedom of Information)
Irrespective of the right to lodge a complaint with a supervisory authority, the complaint may also be lodged with the Bundeswehr Commissioner for Data Protection.
(Bundeswehr Commissioner for Data Protection)
9. Am I obliged to provide data?
For viewing the public internet presence of Helmut Schmidt University / Bundeswehr University, Hamburg, personal data in addition to log data will not be needed. The provision of personal data is necessary to use the content management system (see 4). Without these data, preparing and processing internet sites in the content management system is not possible.
Member sites require voluntary information (photo, contact details) which can be entered by the user himself/herself or a colleague who is entrusted with this task.
10. To what extent does an automated individual decision-making exist?
There is no automated decision-making in accordance with Article 22 GDPR.
11. To what extent are my data used for scoring?
Your personal data will be automatically processed. However, profiling or scoring will not take place.
If you disagree with this data being saved and analyzed, you can object to the saving and using at any time via mouse click. In this case, a so-called opt-out cookie is placed on your browser, which means that Matomo collects no session information at all. Important note: Clearing cookies means that the opt-out cookie is also deleted and you might have to enable it again.
We take the current discussion about data protection in the social media networks very seriously. At present, it is not legally resolved if and to what extent all networks are offering their services in accordance with European data protection provisions.
For this reason, we expressly point out the fact that the services also used by HSU/UniBw H, such as YouTube, Facebook, Instagram, Twitter and Snapchat, save their users’ data in accordance with their data usage policies and exploit these data for commercial purposes. HSU/UniBw H has no influence on the collection of data and their further use by social networks. We do not have any knowledge of the extent, location and duration of data storage, the extent to which networks comply with obligations to delete data, which evaluations and links are made with the data and to whom data are transferred.
Last modified: 26 June 2018