Privacy policy as per GDPR requirements
I. Name and address of the controller
Pursuant to the General Data Protection Regulation, national data protection laws of the various Member States, and other privacy regulations, the responsible entity (“Controller”) is:
Universität Hamburg
Mittelweg 177
20148 Hamburg
Tel.: +49 40 42838-0
Fax.: +49 40 42838-9586
Universität Hamburg is a corporate body organized in accordance with German public law. Prof. Dr. Dieter Lenzen, President of Universität Hamburg, Mittelweg 177, 20148 Hamburg, Germany is authorized to represent the University.
Name and address of the representative
Prof. Dr. Thorsten Logge
Universität Hamburg
Fakultät für Geisteswissenschaften
Arbeitsbereich Public History
Überseering 35 #5
22297 Hamburg
Tel.: +49 40 42838 9061
E-Mail: thorsten.logge@uni-hamburg.de
II. Name and address of the data protection officer
The data controller has appointed the following data protection officer:
Datenschutzbeauftragter der Universität Hamburg
Mittelweg 177
20148 Hamburg
Deutschland
E-Mail: datenschutz@uni-hamburg.de
III. General information on the processing of personal data
1. Scope of processing of personal data
We process personal data from our users only to the extent required to ensure the functionality, content, and service provision of the website. As a rule, processing of personal data occurs only with user consent. Exceptions to this rule are made for cases in which consent could not be obtained for reasons of fact, and the processing of data is permitted by law.
2. Legal basis for the processing of personal data
Processing of data based on consent granted by the data subject is lawful pursuant to Article 6 paragraph 1 letter a General Data Protection Regulation (GDPR).
Processing of personal data for the purpose of fulfilling contractual obligations to the data subject is lawful pursuant to Article 6 paragraph 1 letter b GDPR. This also applies to the preparatory processes required for pre-contractual measures.
Processing of personal data required by law is lawful pursuant to Article 6 paragraph 1 letter c GDPR. Processing of personal data required by the vital interests of the data subject or another natural person is lawful pursuant to Article 6 paragraph 1 letter d GDPR.
Processing of personal data to safeguard a legitimate interest of our organization or that of a third party which is not outweighed by the interests, constitutional rights, and basic freedoms of the data subject is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
3. Erasure of data and duration of storage
Personal data of the data subject will be deleted or blocked as soon as it is no longer required for the purpose for which it was collected. Further storage may occur when stipulated by European or national directives, laws, or other statutory instrument which so require. Blocking or erasure of data also occurs when the storage period stipulated by law expires, unless further storage of data is required to execute an agreement or fulfill a contractual obligation.
IV. Operation of the website and production of log files
1. Description and scope of the data processing
Whenever a user accesses our website, our system automatically captures data and information from the operating system of the accessing device.
The following data are collected:
- browser type and version
- operating system
- internet service provider
- IP address
- date and time the website was accessed
- referring website
- websites accessed by a user’s system through our website
These data are also saved in our system log files. They are not saved in conjunction with any other personal data.
2. Legal basis for the processing of personal data
The temporary storage of data and log files is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
3. Purpose of data processing
The IP address is temporarily stored in the system as it is necessary to provide website access to the user’s computer. The IP address is retained while that website is being accessed. The purpose of storage in log files is to facilitate the functioning of the website. We also use the data to optimize the website and ensure the safety of our IT systems. We do not process any data for marketing purposes. These purposes also constitute the basis for our legitimate interest in data processing pursuant to Article 6 paragraph 1 letter f GDPR.
4. Period of storage
The data will be deleted when they are no longer needed for the purpose for which they were collected. For data collected to provide access to the website, this will be at the end of every session. For log files, this will occur after seven days at the latest. Some data may be preserved for a longer period of time. In this case, user IP addresses are deleted or anonymized, rendering it impossible to link the data to any individual.
5. Right to object and right to withdraw consent
The collection of data and their storage in log files is necessary for operating the website. The user is not entitled to withdraw consent.
V. Cookies
a) Description and scope of the data processing
Our website uses cookies. Cookies are small data files, created and stored by the Internet browser on the user’s computer’s hard drive. Accessing a website may result in a cookie being saved on the user’s operating system. This cookie contains a specific string of characters that allows the browser to be clearly recognized every time the website is accessed.
We use cookies to make our website more user-friendly. Some parts of our website require identification of the accessing browser even after it switches to another web page.
b) Legal basis for the processing of personal data
The processing of personal data based on the use of cookies is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
c) Purpose of data processing
The purpose of these technical cookies is to simplify website use. Without using cookies, we would be unable to provide certain functions of our website. These functions require identification of the accessing browser even after it switches to another web page.
These purposes also constitute the basis for our legitimate interest in the processing of personal data pursuant to Article 6 paragraph 1 letter f GDPR.
e) Duration of storage, right to object and right to withdraw consent
Cookies are stored on the user’s computer and transferred to our website. That is why you, as the user, have full control over cookie implementation. You can deactivate or restrict cookies by changing your browser settings. You can erase stored cookies at any time. This process may also be automated. Disabling cookies for our website may result in some functions not working correctly. To disable flash cookies, use the settings of the Flash Player rather than those of your browser.
VI. Web Analysis
1. Matomo
The Universität Hamburg website uses Matomo, an open source software for the analysis and statistical evaluation of user access.
Matomo uses “cookies,” text files that are saved on your computer hard drive to enable analysis of your use of the website. The information gathered through the use of cookies regarding your use of our Internet service is saved on a server at Universität Hamburg. The IP address is anonymized immediately after processing and before the data are stored.
This information is used to evaluate the use of our website, and to enable us to adapt our website to your needs. This data processing is lawful under Article 6 paragraph 1 lit. f GDPR.
You can block the installation of cookies by adjusting the settings of your browser software. Please note, however, that this may prevent you from using all the functions of the website.
VII. Registration
1. Description and scope of the data processing
Our website allows users to register by submitting certain personal data. The data are entered into a form, transferred to us and saved. This information will not be passed on to third parties. The registration process collects the following data: At the time of registration, the following data are also saved:
(1) IP address
(2) date and time of registration
You, as the user, will be asked to grant consent for the processing of this data as part of the registration process.
2. Legal basis for the processing of personal data
These data are processed subsequent to user consent pursuant to Article 6 paragraph 1 letter a GDPR.
3. Purpose of data processing
The user must register an account to access certain content and services on our website. The user must register an account for the performance of a contract to which the user is party and for the implementation of pre-contractual measures.
4. Period of storage
The data will be deleted when they are no longer needed for the purpose for which they were collected.
The data collected during the registration process are no longer needed once the user cancels or modifies their registration on our website.
5. Right to object and right to withdraw consent
You, as the user, may cancel your registration at any time. You may request that your stored personal data be modified at any time.
VIII. Contact form and email contact
1. Description and scope of the data processing
Our website contains a contact form that facilitates electronic communication with us. When a user avails themselves of this option, the data entered into the form are transferred to us and saved. These data are as follows:
At the time the message is submitted, the following data are also saved:
(1) IP address
(2) date and time of registration
Your consent is required for the processing of this data, and you will be referred to our Privacy Statement and asked to grant your consent when you send the form.
Alternatively, contact may be initiated using an email address provided by you. In this case, the personal data provided in the email will be stored.
These data are not shared with any third parties. They are only stored for the purposes of processing that communication.
2. Legal basis for the processing of personal data
These data are processed subsequent to user consent pursuant to Article 6 paragraph 1 letter a GDPR.
The processing of information received from the sending of an email is lawful under Article 6 paragraph 1 letter f GDPR. If the email communication takes place for the purpose of concluding a contract, the processing of information is further lawful pursuant to Article 6 paragraph 1 letter b GDPR.
3. Purpose of data processing
We process the personal data entered into the contact form for the sole purpose of facilitating the intended communication. When a user contacts us by email, this also constitutes the basis for our legitimate interest in processing the data.
Any other personal data processed during the submission of a contact inquiry serve the purpose of preventing abuse of the contact form and safeguarding our IT systems.
4. Period of storage
The data will be deleted when they are no longer needed for the purpose for which they were collected. Personal data derived from the online data entry form and any data transmitted via email will be deleted once the communication with the user has been concluded. The conversation is deemed concluded when it becomes apparent that the relevant issue has been resolved in full.
Any further personal data collected during the submission process will be erased within no more than seven days.
5. Right to object and right to withdraw consent
The user may withdraw their consent to our processing of their personal data at any time. If the user contacts us by email, they may object to the storage of their personal data at any time. If that is the case, the conversation cannot be continued.
If this is the case, all personal data stored during the contact process will be erased.
VIII. Rights of the data subject
Under the GDPR, where your data is processed, you are the data subject, and as such, have the following rights:
1. Right to information
You have the right to ask for confirmation as to whether we are processing your personal data and the extent of that processing.
In the case of a processing of your data, you have the right to the following information:
- the purpose for which your personal data are being processed;
- the categories of personal data being processed;
- the recipients or categories of recipients who have seen or who may see your personal data;
- the intended duration of storage for your personal data, or where a specific duration is not known, the criteria by which this duration will be determined;
- the existence of a right to rectification or deletion of personal data, a right to restriction of processing or to object to processing of personal data by the Controller;
- the right to lodge a complaint with a supervisory authority;
- all available information regarding the data source when not collected directly from you;
- the existence of a decision-making process based solely on automated processing, including profiling in accordance with Article 22 paragraph 1 and paragraph 4 GDPR, and at least in such cases, to obtain meaningful, relevant information regarding the logical processes involved and the scope and intended effects of such processing for the data subject.
You have the right to demand information on whether your personal data will be transferred to another country or international organization. In this context, you may demand to be informed of the appropriate safeguards pursuant to Article 46 GDPR to which the transfer is subject.
2. Right to rectification
You have the right to obtain from the Controller the rectification and/or completion of any incorrect or incomplete data. The Controller must provide this without undue delay.
3. Right to restriction of processing
You have the right to restrict the processing of your personal data where one of the following applies:
- if you are contesting the accuracy of your personal data, you have the right to restrict processing for a period of time which enables the controller to verify the accuracy of the personal data;
- if processing is unlawful and you have rejected the erasure of your personal data and instead demand that the processing be restricted;
- the Controller no longer requires the data for the purposes for which it was collected, but you require it for establishing, exercising, or defending a legal claim; or
- if you have objected to the processing pursuant to Article 21 paragraph 1 GDPR and it has not yet been established if the legitimate interests of the controller override your interests.
Where processing of your personal data has been restricted, with the exception of its storage, such data may only be processed with your consent, or for the purpose of establishing, exercising, or defending a legal claim or to protect the rights of other natural or legal persons or for reasons of an important public interest of the Union or of a Member State.
Where the right to restriction of processing has been exercised pursuant to the above, you will be informed by the Controller prior to that restriction being lifted.
4. Right to erasure (“right to be forgotten”)
a) Obligation to erase
You may oblige the Controller to erase all personal data pertaining to you without undue delay, and the Controller is obliged to erase such data without undue delay where one of the following applies:
1) the personal data are no longer required for the purpose for which they were collected;
2) you withdraw your consent which constitutes the basis for the processing of your data pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a GDPR, and there is no other legal basis for said processing;
3) you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Article 21 paragraph 2 GDPR;
4) the processing of your personal data is unlawful;
5) your personal data must be erased to comply with a legal obligation under Union or Member State law to which the Controller is subject;
6) your personal data have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
b) Information to third parties
Where the Controller has made the personal data public and is obliged to erase it pursuant to Article 17 paragraph 1 GDPR, the Controller shall take reasonable steps, including technical measures, in light of available technology and the cost of implementation, to inform controllers who may be processing the personal data that the data subject has requested erasure of copies or reproductions of such data and any links to it.
c) Exceptions
There is no right to erasure where the processing is necessary:
- for the exercise of the right of freedom of expression and information;
- for compliance with a legal obligation which requires processing under the law of the Union or a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
- for reasons of public interest in the area of public health pursuant to Article 9 paragraph 2 letters h and i, and Article 9 paragraph 3 GDPR;
- for archiving purposes in the public interest, for academic or historical research purposes, or statistical purposes in accordance with Article 89 paragraph 1 GDPR insofar as the right referred in a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for establishing, exercising, or defending legal claims.
5. Right to notification
If you have exercised your right to rectification, erasure, or restriction of processing, the controller is obliged to inform all recipients to whom your personal data has been disclosed of this rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to request information from the Controller about any such recipients.
6. Right to data portability
You have the right to receive in a structured, commonly used, and machine-readable format any personal data concerning you which you have provided to the Controller. You also have the right to transmit this data to another Controller without hindrance from the Controller to whom the data was provided as long as:
- the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a GDPR or in a contract pursuant to Article 6 paragraph 1 letter b GDPR and
- the processing is carried out by automated means.
In the exercise of this right, you also have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. The rights and freedoms of others may not be adversely affected by this.
The right to data portability does not apply to the processing of personal data required for the performance of a task in the public interest or in the exercise of official authority vested in the Controller.
7. The right to object
You have the right to object, on grounds related to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 paragraph 1 letters e or f GDPR. This also applies to profiling based on these provisions.
The Controller will no longer process your personal data unless able to demonstrate compelling reasons that override your interests, rights, and freedoms or the processing is required for establishing, exercising, or defending a legal claim.
Where your personal data are processed for direct marketing purposes, you have the right to object to the processing of your data for such purposes at any time; this also applies to profiling to the extent related to such direct marketing.
If you object to the processing of your data for direct marketing purposes, the personal data will no longer be processed for such purposes.
For data used by information society services, you may exercise your right to object notwithstanding Directive 2002/58/EC, by automated means using technical specifications.
You have the right to object, on grounds related to your particular situation, to the processing of personal data concerning you for academic or historical research purposes or statistical purposes based on Article 89 paragraph 1 GDPR.
Your right to object may be limited in cases where it would likely render the achievement of the research or statistical objectives impossible or pose a considerable obstacle to them and where the limitation of your right to object is necessary to ensure that the research or statistical purposes are achieved.
8. Right to withdraw data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. This does not affect the lawfulness of processing carried out based on your consent prior to its withdrawal.
9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which precludes legal effects that otherwise significantly affect you. This does not apply if the decision
- is necessary for entering into or performance of a contract between you and the Controller;
- is authorized by Union or Member State law to which the Controller is subject and these legal provisions also lay down appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
- is based on your explicit consent.
These decisions may not be based on special categories of personal data referred to in Article 9 paragraph 1 GDPR, as long as Article 9 paragraph 2 letters a or g apply and appropriate measures to safeguard your rights, freedoms, and legitimate interests are in place.
In the cases listed in (1) and (3), the Controller must implement appropriate measures to safeguard your rights, freedoms, and legitimate interests, which include at the least the right to human intervention on the part of the controller to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State in which you are habitually resident, where you work, or the location in which the alleged infringement took place if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority with whom you lodge your complaint will inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
IX. Vimeo
Our website uses components of Vimeo, a service of Vimeo LLC, 555 West 18th Street, New York 10011, USA.
Vimeo is a video portal that allows its users to watch videos free of charge. Vimeo offers website operators the option of integrating its videos on their own website. It provides a code segment that incorporates the video into the website using an inline frame. When a user accesses our website or one of its subpages containing such an embedded element, their internet browser starts downloading video components of the embedded video or video clip. This process requires Vimeo to read your IP address. Otherwise, it cannot transfer the video to your browser. If you are logged into Vimeo, it will be able to detect that you have visited one of our pages with an embedded Vimeo video. This information is transferred to Vimeo even if you do not click the video. Vimeo collects this information and associates it with your Vimeo account.
Purpose: We use Vimeo components on our website in order to show you and allow you to interact with videos and video clips from the Vimeo website.
Legal basis: Our use of Vimeo components is based on our legitimate interest in optimizing and designing our website; it is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
Opt-out: You can prevent the described transfer of information at any time by logging out of your Vimeo account.
Information about the third-party provider: Privacy policy: https://vimeo.com/privacy
X. Our online presences in social networks
We operate online presences in the social networks listed below. When you visit one of our social media presences, the network provider collects and processes your usage data. Normally, this is done by saving cookies on your device. For an explanation of cookies, consult the corresponding section above. The cookies contain information about your use of the website and your interests; they are used to create usage profiles. These profiles may also contain other data in addition to information about your device. In particular, this is the case if you are a member of the social media platform in question and signed into your account.
We have embedded plug-ins (social media buttons) for the networks we use on our website. You can identify the plug-ins by the logos they use. When you access one of our web pages that contains such a plug-in, your browser automatically establishes a connection with the servers of the corresponding network provider, and a cookie is stored on your device. Data may be transferred even if you do not have an account with the social network or if you do have an account but are not signed into it while visiting our website. Any further interaction with the social media plug-in causes a transfer of data to the provider (e.g. clicking the ‘Like’ button on Facebook or the ‘re-tweet’ button on Twitter).
Generally, social media providers use the collected data for advertising and market research purposes by creating usage profiles. They may use those profiles to show you advertisements that are relevant to your interests. You have the right to object to the creation of usage profiles. Contact the social media provider in question directly to exercise that right. If you have an account with the provider, your usage data can be linked to that account. To prevent that, sign out of your social media accounts before visiting our website.
Consult the following privacy policies of the social media providers to learn the purpose and extent of their data collection processes. We do not have any influence on which data are collected and how the providers use them. If you wish to request information or exercise your rights as the data subject, we recommend that you contact the providers directly, as only they have access to your data.
Please note that your user data may be transferred and processed outside the European Union. If this is the case, you may encounter difficulties in exercising your rights as the data subject. US providers that are certified under the Privacy Shield framework have committed to upholding EU privacy standards. To find out whether a provider holds a Privacy Shield certificate, consult information about the providers listed below.
Legal basis: If any of the following providers have asked you to consent to the processing of your data, that processing will be lawful pursuant to Article 6 paragraph 1 letter a GDPR. In all other cases, your data are processed on the basis of our legitimate interest in contacting you and communicating with you pursuant to Article 6 paragraph 1 letter f GDPR.
Opt-out: Please consult the following links about the individual providers to learn about your opt-out options.
We operate online presences in the following social networks:
a) Twitter
Twitter is a service of Twitter Inc., 795 Folsom St., Suite 600, San Francisco, CA 94107 – USA
EU headquarters: Twitter Inc., 26 Fernian St, Dublin – Ireland
- Privacy policy at: https://twitter.com/de/privacy
- Opt-out: https://twitter.com/personalization
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active
b) Instagram
Instagram is a service of Instagram LLC, 1601 Willow Rd, Menlo Park CA 94025 – USA
- Privacy policy at: https://help.instagram.com/155833707900388
- Opt-out: http://instagram.com/about/legal/privacy
c) Facebook
Facebook is a service of Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304 – USA.
EU headquarters: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 – Ireland
- Privacy policy at: https://www.facebook.com/about/privacy/
- Opt-out: https://www.facebook.com/settings?tab=ads and http://www.youronlinechoices.com
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active
XII. Security measures
We have also implemented state-of-the-art technical and organizational security measures to comply with all privacy regulations and protect your data from accidental or intention