Data protection policy
This English translation is offered as a service.
1. Name and address of the responsible party
The responsible party, as defined by the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, is:
University of Bonn
Institute of Language, Media and Music Studies
Department of Media Studies
Tel.: (+49) 0228/73-4746
E-mail: ogon@uni-bonn.de
Website: medienwissenschaft.uni-bonn.de
2. Name and address of the data protection officer
Official data protection officer:
Dr. Jörg Hartmann
Genscherallee 3 53113 Bonn
Email: joerg.hartmann@uni-bonn.de
Representative:
Eckhard Wesemann
Department 1, Section 1.0
Regina-Pacis-Weg 3 53113 Bonn
Email: wesemann@verwaltung.uni-bonn.de
3. General information on data processing
3.1. Scope of processing of personal data
We generally process personal data of our users only to the extent necessary to provide a functioning website as well as our content and services. The processing of personal data of our users is regularly only carried out with the consent of the user. An exception applies in those cases where obtaining prior consent is not possible for factual reasons and the processing of the data is permitted by legal regulations.
3.2. Legal basis for processing personal data
Where we obtain the consent of the data subject for processing of personal data, Art. 6 (1) lit. a) GDPR serves as the legal basis.
Where the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Where the processing of personal data is necessary for compliance with a legal obligation to which the University of Bonn is subject, Art. 6 (1) lit. c) GDPR serves as the legal basis.
Where the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1) lit. d) GDPR serves as the legal basis.
Where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University, Art. 6 (1) lit. e) GDPR serves as the legal basis for the processing.
3.3. Data erasure and storage duration
Personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage may also take place if this is provided for by the European or national legislator in Union regulations, laws or other provisions to which the controller is subject. Data will also be blocked or deleted when a storage period prescribed by the aforementioned standards expires, unless there is a necessity for further storage of the data for conclusion of a contract or fulfillment of a contract.
4. Provision of the Website and Creation of Log Files
4.1 Description and Scope of Data Processing
When our website is accessed, our system automatically collects data and information from the computer system of the calling computer. The following data is collected:
(1) Information about the type of browser and the version used
(2) The user's operating system
(3) The user's Internet service provider
(4) The user's IP address (pseudonymized, shortened IP address)
(5) Date and time of access
(6) Websites from which the user's system reaches our website
(7) Websites accessed by the user's system through our website (within aws.uni-bonn.de, referrers to external sites are not passed on)
The log files contain IP addresses or other data that enable attribution to a user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user switches contains personal data.
The data is also stored in the log files of our system. Storage of this data together with other personal data of the user does not take place.
4.2 Purpose of Data Processing
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. Storage in log files is also done to ensure the functionality of the website. In addition, we use the data to optimize the website and ensure the security of our information technology systems. Data analysis for marketing purposes does not take place in this context.
4.3 Duration of Storage
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of collecting data for providing the website, this is the case when the respective session is ended. In the case of storage of data in log files, this is the case after seven days at the latest. Further storage is possible. In this case, the IP addresses of the users are deleted or anonymized so that an allocation of the accessing client is no longer possible.
4.4 Right to Object and Removal Options
The collection of data for providing the website and the storage of data in log files is mandatory for the operation of the website. Therefore, there is no possibility of objection on the part of the user.
5. Use of Cookies
5.1 Description and Scope of Data Processing
Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that allows the browser to be uniquely identified when the website is accessed again. We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser can also be identified after a page change.
The following data is stored and transmitted in the cookies:
1) Language settings
(2) Log-in information
We also use cookies on our website that enable us to analyze users' surfing behavior.
The following data can be transmitted in this way:
(1) Search terms entered
(2) Frequency of page views
(3) Use of website functions
5.2 Purpose of Data Processing
The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary that the browser is recognized again after a page change. We require cookies for the following applications:
(1) Transfer of language settings
The user data collected through technically necessary cookies is not used to create user profiles. The use of analysis cookies is aimed at improving the quality of our website and its content. Through the analysis cookies, we learn how the website is used and can continuously optimize our offer.
5.3 Duration of Storage, Objection, and Removal Options
Cookies are stored on the user's computer and transmitted to our site. Therefore, you as a user have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Stored cookies can be deleted at any time, including through automated means. If cookies for our website are deactivated, it may no longer be possible to fully utilize all website functions.
6. Registration
6.1 Description and Scope of Data Processing
On our website, we offer users the possibility to register by providing personal data. The data is entered into an input mask and transmitted and stored by us. The data is not passed on to third parties. The following data is collected as part of the registration process:
(1) University ID
At the time of registration, the following data is also stored:
(1) The user's IP address
(2) Date and time of registration
As part of the registration process, the user's consent to the processing of this data is obtained.
6.2 Legal Basis for Data Processing
The legal basis for data processing is Art. 6 (1) lit. a GDPR, provided that the user has given consent.
If the registration serves the fulfillment of a contract to which the user is a party or the implementation of pre-contractual measures, the additional legal basis for data processing is Art. 6 (1) lit. b GDPR.
6.3 Purpose of Data Processing
Registration of the user is necessary for providing certain content and services on our website.
(1) Administrative and editorial functions and content
6.4 Duration of Storage
The data is deleted as soon as its storage is no longer necessary to achieve the purpose for which it was collected.
This is the case for the data collected during the registration process when registration on our website is canceled or modified.
6.5 Objection and Removal Options
As a user, you have the option to terminate the registration at any time. You can also have the data stored about you modified at any time.
7. Rights of the Data Subject
If your personal data is processed, you, as the data subject according to the GDPR, have the following rights vis-à-vis the controller:
7.1 Right to information
You can request confirmation from the controller as to whether personal data concerning you is being processed. If such processing exists, you can request information from the controller regarding the following:
(1) The purposes for which the personal data are processed;
(2) The categories of personal data being processed;
(3) The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) The planned duration of storage of the personal data concerning you or, if specific information about this is not possible, the criteria for determining the storage period;
(5) The existence of the right to rectification or erasure of personal data concerning you, the right to restriction of processing by the controller, or the right to object to such processing;
(6) The existence of a right to lodge a complaint with a supervisory authority;
(7) All available information about the origin of the data, if the personal data is not collected from the data subject;
(8) The existence of automated decision-making, including profiling, pursuant to Art. 22 (1) and (4) GDPR, and, at least in these cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you are being transferred to a third country or to an international organization. In this context, you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.
If the data processing is carried out for scientific, historical, or statistical research purposes, the right to information may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.
7.2 Right to rectification
You have the right to request the controller to correct and/or complete your data if the processed personal data concerning you is inaccurate or incomplete. The controller shall make the correction without undue delay.
In the case of data processing for scientific, historical or statistical research purposes, your right to rectification may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.
7.3. Right to restriction of processing
Under the following conditions, you have the right to request the restriction of processing of personal data concerning you:
(1) If you contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
(2) If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) If the controller no longer needs the personal data for the purposes of the processing, but you require them for the establishment, exercise, or defence of legal claims; or (4) If you have objected to processing pursuant to Article 21(1) of the GDPR, pending the verification whether the legitimate grounds of the controller override yours.
If the processing of personal data concerning you has been restricted under the aforementioned conditions, such personal data, with the exception of storage, shall only be processed with your consent or for the establishment, exercise, or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
The controller shall inform you before the restriction of processing is lifted, in case the processing has been restricted under the aforementioned conditions.
In case of data processing for scientific, historical or statistical research purposes, your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the limitation is necessary for the fulfilment of the research or statistical purposes.
7.4. Right to erasure
a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing is based according to Art. 6(1)(a) or Art. 9(2)(a) GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR.
(4) The personal data concerning you have been unlawfully processed.
(5) The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Information to third parties
If the controller has made your personal data public and is obligated to delete them in accordance with Art. 17 para. 1 GDPR, the controller shall take reasonable steps, including technical measures, taking into account available technology and implementation costs, to inform controllers processing the personal data that you, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure does not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9(2)(h) and (i) as well as Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes in accordance with Art. 89(1) GDPR in so far as the right referred to in Section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
(5) for the establishment, exercise or defense of legal claims.
7.5 Right to information
Where you have exercised your right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification or erasure of the data or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to be informed about these recipients by the controller.
7.6 Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
(1) the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1)(b) GDPR; and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. This must not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7.7. Right to object
You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you, which is carried out on the basis of Article 6(1)(e) GDPR, including profiling based on those provisions.
If you object, the controller shall no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for scientific, historical or statistical research purposes pursuant to Article 89(1) GDPR, you have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
7.8. Right to withdraw consent under data protection law
You have the right to withdraw your consent to data protection at any time. Revoking your consent does not affect the lawfulness of any processing carried out before the withdrawal.
7.9. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This does not apply if the decision:
(1) is necessary for entering into, or performance of, a contract between you and the controller,
(2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights, freedoms and legitimate interests or
(3) is based on your explicit consent.
However, these decisions must not be based on special categories of personal data referred to in Article 9(1) GDPR, unless Article 9(2)(a) or (g) GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests have been taken.
In cases (1) and (3), the controller shall implement suitable measures to safeguard your rights, freedoms and legitimate interests, which shall include at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
7.10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the EU General Data Protection Regulation.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 GDPR.
The competent supervisory authority is: Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen, Postfach 20 04 44, 40102 Düsseldorf.