Photo credit: Staatliche Schlösser und Gärten Baden-Württemberg

Data protection declaration of the University of Mannheim

Facebook / Instagram / LinkedIn / XING / YouTube

I. Identity and contact details of the controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is:

University of Mannheim
L1,1
68131 Mannheim

Phone: 0621/-181-1001
E-mail: rektor@uni-mannheim.de

II. Contact details of the data protection officer

Data protection officer of the University of Mannheim
L1,1
68131 Mannheim

E-Mail: datenschutzbeauftragte(at)uni-mannheim.de
Phone: 0621/181-1126

III. General information on data processing

1. Personal data
As defined in the General Data Protection Regulation (GDPR), personal data refers to any information relating to an identified or identifiable natural person. This is data such as the first and last name, address, e-mail address, phone number and, as a rule, the IP address.

2. Extent of personal data processing
Principally, we process personal data only as far as it is necessary in order to provide a functional website and our content and services. We only process personal data of our users after they have given their consent. An exception is made if it is not possible to get consent due to factual reasons and the processing is permitted by law.

We do not deliberately collect personal data of minors. We advise parents and legal guardians to watch their children’s activities online.

3. Legal basis for the processing of personal data
Provided that we have got the users’ consent to process their personal data, art. 6 subsection 1 letter a of the GDPR is the legal basis for the processing.

When processing personal data is necessary for the performance of a contract to which the data subject is party, art. 6 subsection 1 letter b of the GDPR is the legal basis for the processing. This also applies to processing operations that are necessary in order to take steps prior to entering into a contract.

Provided that the processing of personal data is necessary for compliance with a legal obligation to which the University of Mannheim is subject, art. 6 subsection 1 letter c of the GDPR is the legal basis for the processing.

If the processing of personal data is necessary to protect the vital interests of the data subject, art. 6 subsection 1 letter d of the GDPR is the legal basis for the processing.

If the processing is necessary for the purpose of a legitimate interest pursued by the University of Mannheim or by a third party and this interest is not overridden by the interests, fundamental rights and freedoms of the data subject, art. 6 subsection 1 letter f of the GDPR is the legal basis for the processing.

Our fundamental goal is to implement data-protection principles, such as data minimization, and to limit the processing of personal data while you are visiting our websites to the necessary minimum.

4. Deletion of data and storage period
The personal data of the data subject will be deleted or locked once the purpose for which they have been stored ceases to apply. Personal data may be stored for a longer period if provided for by European or national legislators in EU regulations, laws or other rules to which the controller is subject. The data will also be locked or deleted once a storage period specified in the above-mentioned rules has expired, unless further retention of the data is necessary to enter into or fulfill a contract.

IV. Provision of the website and creation of log files

1. Description and extent of data processing
Every time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data are collected:

information on the browser type and the version used
the user’s operating system
the user’s Internet service provider
the user’s IP address
date and time of access
websites from which the user’s system accesses our website
websites accessed by the user’s system via our website.

The log files contain IP addresses or other data that can be assigned to a user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user switches contains personal data. The data are also stored in our system’s log files. These data are not stored together with other personal data of the user.

2. Legal basis for data processing
The legal basis for the temporary storage of data and log files is art. 6 subsection 1 letter f of the GDPR.

3. Purpose of data processing
The temporary storage of the IP address by the system is necessary to facilitate the delivery of the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

The data are stored in log files to ensure the functionality of the website. In addition, the data help us optimize our website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

These purposes also constitute our legitimate interest in data processing according to art. 6 subsection 1 letter f of the GDPR.

4. Storage period
The data will be deleted once the the purpose for which they have been collected ceases to apply. For the data collected in order to provide the website, this is the case when the respective session has ended.

If the data are stored in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or alienated so that the accessing client can no longer be identified.

5. Right to object and deletion of data
The collection of data for the provision of the website and the storage of data in log files is absolutely essential for the operation of the website. Consequently, the user has no possibility to object.

V. Use of cookies

1. Description and extent of data processing
Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a characteristic string that enables a clear identification of the browser when the website is accessed again.

We use cookies to improve your experience on our website. Some elements on our website require that the accessing browser can be identified after the user changed to another website.

The following data are stored and transmitted:

a randomly generated session key of the website
login information (if necessary)

In addition, we use cookies on our website which enable us to analyze the online behavior of our users. See section VI Web analytics with Matomo.

2. Legal basis for data processing
The legal basis for the processing of personal data using cookies is art. 6 subsection 1 letter f of the GDPR.

3. Purpose of data processing
The purpose of using cookies that are required for technical reasons is to simplify the use of website for users. Some features of our website cannot be offered without the use of cookies. For these features it is necessary that the browser is identified even after the user changed to another website.

We need cookies for the following applications:

forms
user login

The user data collected by cookies that are required for technical reasons are not used to generate user profiles.

The use of analysis cookies serves the purpose of improving the quality of our website and its content. Analysis cookies allow us to find out how the website is used in order to continuously optimize our services.

See section VI Web analytics with Matomo.
These purposes also constitute our legitimate interest in processing personal data according to art. 6 subsection 1 letter f of the GDPR.

4. Storage period, right to object and deletion of data
Cookies are stored on the user’s computer and transmitted to our website. Consequently, the user, has full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies which have been stored at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the site’s full range of features.

VI. Web analytics with Matomo

1. Extent of personal data processing
On our website, we use the open source software tool Matomo (formerly Piwik) to analyze the online behavior of our users. The software saves a cookie on the user’s computer (for cookies, see V). If individual pages on our website are accessed, the following data are stored:

two bytes of the IP address of the user’s accessing system
the web page accessed
the website from which the user accessed the website accessed (referrer)
the web pages accessed from the website accessed
the amount of time spent on the website
the frequency of accessing the website

The software runs exclusively on the servers of our website. The users’ personal data are only stored on our servers. The data are not passed on to third parties.

The software is configured in a way that the IP addresses are not stored completely.Two bytes of the IP address are masked (example: 192.168.xxx.xxx). This way, the shortened IP address can no longer be assigned to the accessing computer.

2. Legal basis for data processing
The legal basis for the processing of users’ personal data is art. 6 subsection 1 letter f of the GDPR.

3. Purpose of data processing
The processing of users’ personal data allows us to analyze the online behavior of our users. By evaluating the data obtained, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. These purposes also constitute our legitimate interest in processing personal data according to art. 6 subsection 1 letter f of the GDPR. By anonymizing the IP address, the users’ interest in protecting their personal data is sufficiently taken into account.

4. Storage period
The data will be deleted once the the purpose for which they have been collected ceases to apply, in our case after 7 days.

5. Right to object and deletion of data
Cookies are stored on the user’s computer and transmitted to our website. Consequently, the user, has full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies which have been stored at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the site’s full range of features.

We offer the users of our website the option to opt out of the analysis procedure. To do this, you need to click the corresponding link. This way, another cookie is saved to your system which signals our system not to store your data. If you intentionally or unintentionally delete the corresponding cookie from your system, you need to save the opt-out cookie again.

Objection

In addition, most modern browsers have a “Do Not Track” option which enables you to inform websites not to track your user activities.

More information on the privacy settings of the Matomo software can be found on: https://matomo.org/docs/privacy/.

VII. Newsletter

1. Description and extent of data processing
On our website, you have the option to subscribe to free newsletters. The newsletters' administration with regard to subscriptions, deliveries and the recipients administration requires a software. We use the newsletter delivery software provided by rapidmail GmbH (Augustinerplatz 2, 79098 Freiburg im Breisgau, www.rapidmail.de/), a German supplier who was carefully selected according to the requirements of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG) and the Data Protection Act of the Land of Baden-Württemberg (LDSG BW).

Subscription to a newsletter takes place with a double opt-in , i.e. the subscription is only completed when you click on the corresponding link in the e-mail you receive to confirm your subscription. The data stored during the newsletter subscription process (e-mail address, IP address, date and time of your registration) are transmitted to a server of rapidmail GmbH in Germany and stored there in line with the European data protection regulations. Rapidmail is forbidden to use your data for any other purposes than the delivery of the newsletter. Rapidmail is not permitted to disclose your personal data.

When delivering newsletters, the delivery status is recorded in order to sort out recipient addresses that are no longer in service.

2. Legal basis for data processing
The legal basis for the processing of personal data after subscription to the newsletter by the users, once their consent has been obtained, is art. 6 subsection 1 letter f of the GDPR.

3. Purpose of data processing
The user’s e-mail address is processed for the purpose of delivering the newsletter.

The purpose of collecting other personal data in the course of the subscription process is to prevent the misuse of the services or of the e-mail address used.

4. Storage period
The data will be deleted once the the purpose for which they have been collected ceases to apply. Therefore, the user’s e-mail address will be stored until the user unsubscribes from the newsletter or it has been established that the e-mail address is no longer in service.

5. Right to object and deletion of data
You can withdraw your consent to receiving the newsletter at any time and without having to state any reasons and unsubscribe from the newsletter free of charge. To that end, each newsletter contains a corresponding link.

VIII. HERE map services

Our website uses map services of the provider HERE to visually display geographical information. When using the map services, HERE also processes data relating to the visitors’ use of the map functions.

We are not being informed of the kind of data transmitted and their use by HERE. Information on the purpose, extent, further processing and use of data collected by HERE as well as your rights in relation to such processing can be found in the HERE Privacy Policy (https://legal.here.com/de-de/privacy/policy). The University of Mannheim does not assume responsibility for these contents or the privacy policy.

IX. Social networks

We are not being informed about the content of the data transmitted and their use by social networks (e.g. Facebook, Google+, Instagram, LinkedIn, Twitter, YouTube). Information on the purposes, extent, further processing and use of data collected by each social network as well as your rights in relation to such processing can be found in the respective privacy policies. The University of Mannheim does not assume responsibility for these contents or the privacy policy.

We do not know what kind of data are collected and how they are used by the respective social network. It is very likely that at least the following data are collected even if you are not signed in:

IP address
time when the website was accessed
URL of the website that uses the plugin
location-based information (on mobile devices)
device-related information (e.g. the operating system used and browser information)
websites which were visited previously for advertising purposes
data of uninvolved third parties (e.g. e-mail addresses (in case of recommendations)).

Unless otherwise specified, it can be assumed that the following technologies are used for data processing:

cookies (e.g. permanent storage of your login data), this can also happen via third party providers such as advertising customers
log files (storage of the cookie data on the service’s servers)
analysis scripts (e.g. tracking of the clicking behavior on a website)
forwarding of posted links
local data storage (e.g. permanent storage of pictures)

1. Facebook
Our website uses plugins of the social network Facebook provided by Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. You can recognize Facebook plugins by the Facebook logo or the “Like” button. An overview of the Facebook plugins can be found here: http://developers.facebook.com/docs/plugins/.

If you visit a page on our website that uses such a plugin, your browser sets up a direct connection with the Facebook server. This way, Facebook receives information that you have visited our website with your IP address. If you are logged in to your Facebook account, Facebook can link your visit to our website to your user account. If you do not wish Facebook to link the data collected via our website to your Facebook account, please log out of your Facebook account before visiting our website.

We are not being informed of the kind of data transmitted and their use by Facebook. Information on the purpose, extent, further processing and use of data collected by Facebook as well as your rights regarding such processing can be found in the Facebook Privacy Policy (https://facebook.com/policy.php). The University of Mannheim does not assume responsibility for these contents or the privacy policy.

2. Instagram
Our website uses features of the Instagram service provided by Instagram LLC, 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged in to your Instagram account, you can link the contents of our website to your Instagram profile by clicking on the Instagram button. This way, Instagram can link your visit to our website to your user account. We are not being informed of the kind of data transmitted and their use by Instagram. Information on the purpose, extent, further processing and use of data collected by Instagram as well as your rights in regarding such processing can be found in the Instagram Privacy Policy (https://help.instagram.com/155833707900388). The University of Mannheim does not assume responsibility for these contents or the privacy policy.

3. LinkedIn
Our website uses features of the LinkedIn network provided by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. If you visit a page on our website that uses LinkedIn features, your browser sets up a direct connection with the LinkedIn server. This way, LinkedIn receives information that you have visited our website. If you click on the LinkedIn “Recommend” button while you are logged in to your LinkedIn account, LinkedIn can link your visit to our website to your user account. We are not being informed of the kind of data transmitted and their use by LinkedIn. Information on the purpose, extent, further processing and use of data collected by LinkedIn as well as your rights regarding such processing can be found in the LinkedIn Privacy Policy (https://www.linkedin.com/legal/privacy-policy). The University of Mannheim does not assume responsibility for these contents or the privacy policy.

4. Twitter
Our website uses features of the Twitter service provided by Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107, USA. By using Twitter and the “Retweet” feature, the websites visited by you are linked to your Twitter account and disclosed to other users. This way, Twitter can link your visit to our website to your user account. We are not being informed of the kind of data transmitted and their use by Twitter. Information on the purpose, extent, further processing and use of data collected by Twitter as well as your rights regarding such processing can be found in the Twitter Privacy Policy https://twitter.com/privacy. The University of Mannheim does not assume responsibility for these contents or the privacy policy.

5. YouTube
Our website uses plugins of the Google-operated website YouTube provided by YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

If you visit a page on our website that uses such a plugin, your browser sets up a direct connection with the YouTube server. This way, YouTube receives information that you have visited our website. If you are logged in to your YouTube account, YouTube can link your visit to our website to your user acount. If you do not wish YouTube to link the data collected via our website to your YouTube account, please log out of your YouTube account before visiting our website.

We are not being informed of the kind of data transmitted and their use by YouTube. Information on the purpose, extent, further processing and use of data collected by YouTube as well as your rights regarding such processing can be found in the YouTube Privacy Policy (https://www.google.de/intl/de/policies/privacy). The University of Mannheim does not assume responsibility for these contents or the privacy policy.

X. Rights of the data subject

If your personal data are being processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

1. Right of access
You have the right to obtain confirmation as to whether or not we are processing your personal data.

Where this is the case, you have the right to obtain the following information from the controller:
(1) the purpose for the which your personal data are being processed;

(2) the categories of personal data which are being processed;

(3) the recipients or categories of recipients to whom your personal data have been or will be disclosed;

(4) the projected period for which your personal datawill be stored or, if not possible, the criteria used to determine that period;

(5) the existence of the right to request from the controller rectification or erasure of your personal data or restriction of processing of personal data concerning you or to object to such processing;

(6) the right to lodge a complaint with a supervisory authority;

(7) where personal data are not collected from the data subject themselves, any available information as to their source;

(8) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to obtain information as to whether or not your personal data are being transmitted to a third country or an international organization. In this context, you have the right to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR relating to the transfer.

Your right of access may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

2. Right to rectification
You have the right to obtain the rectification and/or completion of inaccurate or incomplete personal data concerning you from the controller. The controller must rectify the data immediately.

Your right to rectification may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

3. Right to restriction of processing
You have the right to demand the restriction of the processing of personal data concerning you where one of the following conditions applies:
(1) you contest the accuracy of personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;

(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;

(3) the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; or

(4) if you have objected to processing pursuant to Article 21(1) of the GDPR and the verification whether the legitimate grounds of the controller override your grounds is pending.

Where processing of personal data concerning you has been restricted, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where processing has been restricted under one of the above conditions, you will be informed by the controller before the restriction of processing is lifted.

Your right to restriction of processing may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

4. Right to erasure
a) Obligation to erase data
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay. The controller is obliged to erase these data without undue delay where one of the following grounds applies:

(1) the personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

(2) you withdraw consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2) of the GDPR, and where there is no other legal ground for the processing;

(3) you object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 2(2) of the GDPR;

(4) the personal data concerning you have been unlawfully processed;

(5) the personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;

(6) the personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) of the GDPR.

b) Notification of third parties
Where the controller has made personal data concerning you public and is obliged pursuant to Article 17(1) of the GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you, the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) Exceptions
The right to erasure does not apply where the processing is necessary
: (1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) of the GDPR in so far as the right referred to in subsection (a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

5. Right to be informed
Where you have asserted your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to inform each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right to be informed by the controller about who these recipients are.

6. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit those data to another controller without hindrance from the controller to whom the personal data have been provided, unless
(1) the processing is based on consent pursuant to point (a) of Article 6(1) or Article 9(2) of the GDPR or on a contract pursuant to point (b) Article 6(1) of the GDPR; and

(2) the processing is carried out by automated means.

Furthermore, in exercising the right to data portability, you have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons may not be affected by such transmission.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right to object
On grounds relating to your particular situation, you have the right to object to the processing of your personal data according to point (e) or (f) of Article 6(1) of the GDPR at any time, including profiling based on those provisions.

The controller may no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

Where your personal data are processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, your personal data may no longer be processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89(1) of the GDPR, you have the right to object to processing of personal data concerning you on grounds relating to your particular situation.

Your right to object may be restricted in so far as the right is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

8. Withdrawal of consent
You have the right to withdraw your consent at any time.The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
: (1) is necessary for entering into, or performance of, a contract between you and a data controller;

(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, these decisions may not be based on special categories of personal data referred to in Article 9(1) of the GDPR, unless point (a) or (g) of Article 9(2) of the GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

Regarding the cases referred to in (1) and (3), the data controller must implement suitable measures to safeguard your data rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged informs the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.