Data Privacy

Name and Address of the Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection regulations of the Member States as well as other provisions on data protection is:

Clausthal University of Technology
Adolph-Roemer-Strasse 2a
D-38678 Clausthal-Zellerfeld
Phone: +49 5323 72-0
Fax: +49 5323 72-3500
www.tu-clausthal.de/en
Imprint: https://www.tu-clausthal.de/en/imprint

Clausthal University of Technology is a corporation under public law and is legally represented by the President (Link: https://www.tu-clausthal.de/en/university/management-administration/presidium).
The competent regulatory body is the

State Commissioner for Data Protection in Lower Saxony
Prinzenstrasse 5 
30159 Hannover
Telephone: +49 511 120-4500
Fax: +49 511 120-4599
E-mail: poststelle@lfd.niedersachsen.de

Data Protection Officer

Official Data Protection Officer of Clausthal University of Technology:

Clausthal University of Technology
- Data Protection Officer -

Mr. Jamie Crookes
Adolph-Roemer-Strasse 2A
D-38678 Clausthal-Zellerfeld
Phone: +49 151 44064125

E-mail: dsb@tu-clausthal.de
Website: https://www.tu-clausthal.de/en/data-privacy

 

General Information on Data Processing

Clausthal University of Technology (TU Clausthal) processes personal data of website users only as necessary for the operation of a functioning website, its contents and services. The processing of personal data is generally subject to the consent of the user. Exempt are cases in which the consent could not previously be obtained due to factual reasons and in which data processing is permitted by legal regulations.

Legal basis for the processing of personal data

Should the processing operations of personal data require consent of the data subject, art. 6 subpara. 1 lit. a EU General Data Protection Regulation (GDPR) serves as legal basis.

For the processing of personal data for the performance of a contract, with the data subject being an involved party, art. 6 subpara. 1 lit. b GDPR serves as legal basis. This includes data processing conducted for the implementation of pre-contractual measures.

Should the processing operations of personal data be required for TU Clausthal to comply with legal requirements, art. 6 subpara. 1 lit. c GDPR serves as legal basis.

Should the processing of personal data be required due to vital interests of the data subject or another natural person, art. 6 subpara. 1 lit. c GDPR serves as legal basis.

Should the processing be required to carry out a task in the public interest or in the exercise of official authority vested in the controller, art. 6 subpara. 1 lit. e GDPR in conjunction with art. 3 of the Lower Saxony Data Protection Act (NDSG, Niedersächsisches Datenschutzgesetz) serves as legal basis.

TU Clausthal Websites

Type and scope of the collected data

When accessing the websites of TU Clausthal, our systems automatically collect the following data:

  • IP-address of the user’s computer,
  • information on the browser type and version,
  • the user’s operating system (name and version),
  • date and time of access,
  • the previous website (referrer) from which the user’s system accessed the website,
  • documents retrieved by the user’s system.

This data will also be stored in the logfiles of our systems. This data is not stored in connection with other personal user data. The storage takes place on site of Clausthal University of Technology in Clausthal-Zellerfeld, only using internal infrastructure.

For the temporary storage of data and logfiles art. 6 subpara. 1 lit. e GDPR in conjunction with art. 3 of the Lower Saxony Data Protection Act (NDSG) serves as legal basis.

Data storage period

The temporary storage of the IP-address by the system is essential to provide the user’s computer with requested documents. Thus, the user’s IP-address needs to be saved for the session duration.

The storage in logfiles is necessary to ensure the website functionality. This data also serves to optimize the website and to ensure the IT-system security. The data will not be used for marketing purposes.

The data will be deleted once it is no longer required to fulfill the purpose of its collection. For data collection for website operation this is the case once the respective session was terminated.

Data stored in logfiles is generally deleted after seven days. Storage for a longer period is only intended for technical and legal purposes.

Opportunity to object

Collection of data and storage in logfiles is essential for the provision and operation of the website. Thus, the user shall not have an opportunity to object.

Web analysis by internal systems and external providers / use of cookies

The web analytics software Matomo (formerly: “PIWIK") of the provider InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand, is used on TU Clausthal websites. This open-source software analyzes the web presence of TU Clausthal. The program is operated on TU Clausthal servers and thus the collected analysis data is not disclosed or transmitted to third parties. The legitimate interests of TU Clausthal are the analysis and optimization of its web presence, and marketing purposes, for which art. 6 subpara. 1 lit. f GDPR in conjunction with art. 3 of the Lower Saxony Data Protection Act (NDSG) serves as legal basis. The software collects and evaluates the following data if not objected by the user:

Basic data:

  • IP-address, anonymized by shortening
  • Cookie to recognize different visitors
  • Previously visited URL (referrer) if transmitted by the browser
  • Name and version of the operating system
  • Name, version and language settings of the browser

Additionally, with activated JavaScript:

  • visited URLs on this website
  • times of website access           
  • monitor resolution and color depth
  • technologies and formats supported by the browser (e.g. cookies, Java, Flash, PDF, Windows Media)

Complying with data minimization, an automated anonymization function is run by the software Matomo which shortens the IP-address by two bytes leading to a pseudonymized analysis of user behavior. It is not possible for TU Clausthal to link your user profile to you or your internet connection. For data collection, Matomo stores a cookie on your terminal via your web browser. This cookie is valid for 6 months. These cookies, inter alia, enable the identification of the web browser so that the number of different users of the website can be monitored. Should you not consent to the processing, you can disable the storage of cookies in the settings of your web browser. In addition, you can always subsequently adapt the analysis of your user behavior by our cookie banner.

ReadSpeaker

ReadSpeaker is a text-to-speech software for web contents. If you click the button “Listen”, the selected text will be transmitted via your IP to the ReadSpeaker-server where the audio file will be generated during the streaming process and sent back to your IP. After transmitting the audio file, the process and the IP-address of the user will be deleted from the ReadSpeaker-server immediately. ReadSpeaker does not collect or store personal data. All services are operated from Europe (Sweden). When using ReadSpeaker-functions, technical cookies are stored on the terminal to save the user settings (highlighting of settings, font size etc.). After the session, or depending on the selected function, the cookies will be stored for a maximum period of 30 days. If the ReadSpeaker-function is not activated, no cookies will be stored on your terminal when visiting this website. Your consent to the use of ReadSpeaker as laid down in art. 6 subpara. 1 lit. a GDPR serves as legal basis. Please see the information on the withdrawal of consent in the data protection regulation.

Social media and external advertising

No code elements of social media providers are used which enable the direct sharing of TU Clausthal web contents. Consequently, no information related to accessing TU Clausthal websites is transmitted to social media providers.

There is no advertising on TU Clausthal websites. Consequently, no information related to accessing TU Clausthal websites is transmitted to external providers.

Our social media channels

We maintain public accounts in social networks. The individual social networks used by us can be found below. Social networks like Facebook, Twitter etc. can generally comprehensively analyze your user behavior  when you visit their website or a website with integrated social media contents (e.g. like-buttons or advertising banners). Visiting our social media triggers various data processing operations. In detail:

When being logged in to your social media account while visiting our social media, the operator of the social media portal can link this visit to your user account. Your personal data may also be collected without you being logged in or without having a user account with the respective social media portal. In such cases, the data is collected by the use of cookies which are stored on your terminal, or by the collection of your IP-address. The operators of the social media portals then use this data to create user profiles including your preferences and interests. Like this, interest-based advertising can be shown to you inside on the respective social media portal and on other websites. Should you have an account with the respective social network, interest-based advertising might be shown on all devices or terminals you are or were logged in. Please consider that we cannot track all data processing of the social media portals. Depending on the provider, the data might be further processed by the operators of the social media portals. For details please see the terms of use and privacy policy of the respective social media portal.

Legal basis:

Our social media is aimed at providing as extensive a web presence as possible. These tasks are carried out in the public interest within the meaning of art. 6 subpara. 1 lit. e GDPR in conjunction with art. 3 of the Lower Saxony Data Protection Act (NDSG). The analyzing processes initiated by the social networks  may be subject to other legal bases, which need to be indicated by the providers of the social networks (e.g. consent within the meaning of art. 6 subpara. 1 lit. a GDPR).

Controller and establishment of legal claims:

We and the operator of the social media platform share the responsibility for the data processing operations initiated by you visiting one of our social media profiles (e.g. Facebook). You may claim your rights (right of access, right to rectification, erasure, restriction of processing, data portability, and right to lodge a complaint) generally vis-à-vis us and the operator of the respective social media portal (e.g. vis-à-vis Facebook). Please take into account that we are not in complete control of the data processing of the social media portals despite joint responsibilities with the social media operators. Our possibilities follow the business policy of the respective provider.

Data storage period:

Data directly collected by us via social media will be erased from our systems immediately after you  request erasure, withdraw your consent to data retention or once the purpose for data retention does not exist anymore. Stored cookies stay on your terminal until deleted by you. Mandatory statutory regulations - particularly retention periods - remain unaffected. We do not control the data storage period of the data stored by the social network operators for their own purposes . More detailed information can be obtained directly from the respective operator of the social network (e.g. in their privacy policies, see below).

Social networks in detail:

Facebook:

We have and use a Facebook profile. This service is provided by Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the collected data is also transmitted to the USA and other third countries.

 We entered into an agreement with Facebook regarding joint data processing (controller addendum). This agreement stipulates which data processing operations we or Facebook are responsible for when you visit our Facebook-page. Please see the following link for this agreement: www.facebook.com/legal/terms/page_controller_addendum

You can individually adjust your advertising preferences in your user account. Please click the following link and log in: https://www.facebook.com/settings?tab=ads.

The transmission of data to the USA is based on the Standard Contractual Clauses of the EU Commission. For details, please see: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. For details, please see the data policy of Facebook: https://www.facebook.com/about/privacy/.

Twitter

We use the short message service Twitter. Twitter is provided by the Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. You can individually adjust your privacy settings in your user account. Please click the following link and log in: https://twitter.com/personalization. The transmission of data to the USA is based on the Standard Contractual Clauses of the EU Commission. For details, please see: https://gdpr.twitter.com/en/controller-to-controller-transfers.html. For details, please see the data policy of Twitter: https://twitter.com/de/privacy.

Instagram

We have and use an Instagram account. Instagram is provided by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. The transmission of data to the USA is based on the Standard Contractual Clauses of the EU Commission. For details, please see: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875 and https://de-de.facebook.com/help/566994660333381. For details on the handling of your personal data by Instagram, please see their privacy policy: https://help.instagram.com/519522125107875.

XING

We have and use a XING account. XING is provided by New Work SE, Dammtorstrasse 30, 20354 Hamburg, Germany. For details on the handling of your personal data by XING, please see their privacy policy: https://privacy.xing.com/en/privacy-policy.

LinkedIn

We have and use a LinkedIn account. LinkedIn is provided by the LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. In order to disable LinkedIn advertising cookies, please see the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. The transmission of data to the USA is based on the Standard Contractual Clauses of the EU Commission. For details, please see: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. For details on the handling of your personal data by LinkedIn, please see their privacy policy: https://www.linkedin.com/legal/privacy-policy

YouTube

We have and use a YouTube account. YouTube is provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on the handling of your personal data by YouTube, please see their privacy policy: https://policies.google.com/privacy?hl=de.

E-mail contact and contact forms

Our website comprises a contact form which can be used for contacting us electronically. Should a user contact us via this from, the data entered into the form will be stored and transmitted to us. Alternatively, contact can be made via the provided e-mail address. In this case, the user’s personal data transmitted with the e-mail will be stored. This data is not disclosed or transmitted to third parties. The data is only used to process the conversation. Art. 6 subpara. 1 lit. a GDPR serves as legal basis for the consented data processing. Should the e-mail contact be directed at the conclusion of a contract, art. 6 subpara. 1 lit. b GDPR additionally serves as legal basis.

Processing the personal data from the form only serves to process the contacting. For contact via e-mail, this included the legitimate interest in processing the data.

The data will be deleted once it is no longer required to fulfill the purpose of its collection. For personal data from the form or sent via e-mail, this is the case once the respective conversation with the user was finished. A conversation is finished when it can be assumed by the circumstances that the matter was resolved.

The personal data collected additionally during the transmission process is handled as laid down in “Data storage period”.

Institutes and facilities

Should individual institutes and facilities of TU Clausthal enable the user to additionally give personal or professional data (e-mail addresses, names, addresses) on their websites, the user explicitly gives this information freely. Art. 6 subpara. 1 lit. a GDPR serves as legal basis for this processing. The data is only collected and processed for the purpose indicated in the respective online form. The data is not disclosed or passed on to third parties.

Opportunity to Object

Users can withdraw their consent to the processing of personal data at any time. The user can object the storage of personal data at any time by contacting us via e-mail. In this case the conversation cannot be continued. All personal data stored during the contacting process will be deleted in this case.

Events

By registering for an event of TU Clausthal, you consent to the collection, retention and usage of the aforementioned personal data for the purpose of the event. This includes the registration for the event, the creation of a list of participants and, if applicable, the creation of a certificate of attendance.

By registering I explicitly agree that TU Clausthal may pass on my personal data to third parties concerned with the event. TU Clausthal ensures that participants’ rights are respected.

I herewith consent that my surname, first name, company/institution and function are given in the list of participants.

The e-mail address may only be used to send out invitations and information material of TU Clausthal. The electronic sending of invitations equals the sending via post.

I can withdraw my consent at any time with effect for the future.

Rights of Data Subjects

If your personal data is processed, you are a data subject in the sense of the GDPR and thus you can exercise the following rights vis-à-vis the controller:

Right of access by the data subject as laid down in art. 15 GDPR

You can demand a confirmation of the controller stating which of your personal data was processed by us.
Should your personal data be processed, you can demand the following information of the controller:
(1) the processing purposes;
(2) the categories of personal data processed;
(3) the recipients or categories of recipients the personal data was or will be disclosed to;
(4) the period for which the personal datawill be stored, or if that is not possible, the criteria used to determine that period;
(5) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing;
(6) the right to lodge a complaint with a supervisory authority;
(7) where the personal data is not collected from the data subject, any available information as to their source;
(8) the existence of automated decision-making, including profiling, referred to in art. 22 subpara. 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to demand information stating whether your personal data is transmitted to a third country or an international organization. In this context, you can demand information on the appropriate safeguards as laid down in art. 46 GDPR regarding the transmission.

Right to rectification as laid down in art. 16 GDPR

You have the right to obtain from the controller the rectification and/or completion, should the processed personal data concerning you be inaccurate or incomplete. The controller shall rectify the data immediately.

Right to restriction of processing as laid down in art. 18 GDPR

You can demand restriction of processing of your personal data on the following conditions:
(1) you contest the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data;
(2) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
(3) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims;
(4) you have objected to processing pursuant to art. 21 subpara 1 GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing of personal data has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Should you have obtained restriction of processing pursuant to the aforementioned conditions, you shall be informed by the controller before the restriction of processing is lifted.

Right to erasure as laid down in art. 17 GDPR

a) Obligation to data erasure
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) The personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed.
(2) You withdraw your consent on which the processing was as laid down in art. 6 subpara. 1 lit. a or art. 9 subpara. 2 lit. a GDPR, and where there is no other legal ground for the processing.
(3) You object to the processing pursuant to art. 21 subpara. 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to art. 21 subpara. 2 GDPR.
(4) Your personal data has been unlawfully processed.
(5) Your personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
(6) Your personal data has been collected in relation to the offer of information society services referred to in art. 8 subpara. 1 GDPR.

b) Disclosing information to third parties
Should a controller have made your personal data public and pursuant to art. 17 subpara. 1 GDPR be obliged to data erasure, the controller should take reasonable steps, taking into account available technology and the means available to the controller, including technical measures, to inform the controllers which are processing the personal data of your request to erase any links to, or copies or replications of those personal data.

c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary.
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health in accordance with lit. h and i of art. 9 subpara. 2 as well as art. 9 subpara. 3 GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with art. 89 subpara. 1 in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defense of legal claims.

Right to information as laid down in art. 19 GDPR

Should you exercise your right to rectification, erasure or restriction of processing against the controller, the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with art. 16, art. 17 subpara. 1 and art. 18 to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort.
The controller shall inform you about those recipients if requested.

Right to data portability as laid down in art. 20 GDPR

You have the right to receive the personal data concerning you which you have provided to the controller in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit that data to another controller without hindrance from the controller to which the personal data has been provided, if
(1) the processing is based on consent pursuant to art. 6 subpara. 1 lit. a GDPR or art. 9 subpara. 2 lit. a GDPR or on a contract pursuant to art. 6 subpara. 1 lit. b GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you shall also have the right to have your personal data transmitted directly from one controller to another, where technically feasible. This shall not adversely affect the rights and freedoms of others.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right to object as laid down in art. 21 GDPR

You shall have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data which is based on art. 6 subpara. 1 lit. e or f GDPR, including profiling based on those provisions.
The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.
Where personal data is processed for direct marketing purposes, you shall have the right to object at any time to processing of your personal data for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, your personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

Right to withdraw consent under data protection law pursuant to art. 7 subpara. 3 GDPR
You shall have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Automated individual decision-making, including profiling as laid down in art. 22 GDPR
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply where and insofar as (1) the decision is necessary for entering into or performing a contract between you and the controller,
(2) the decision is expressly laid down by Union or Member State law to which the controller is subject and which provide appropriate measures to protect your legitimate interests and rights and freedoms or
(3) if you freely and explicitly give consent.
However, these decisions shall not be based on special categories of personal data referred to in art. 9 subpara 1 GDPR, unless art. 9 subpara. 2 lit. a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to art. 78 GDPR.