Elections of the Clausthal University of Technology

This supplementary declaration contains information on how, to what extent and for what purpose personal data is processed in the context of elections by the Electoral Office of Clausthal University of Technology. The additional general data protection declaration for the websites of Clausthal University of Technology can be viewed at www.tu-clausthal.de/datenschutz/. There you will find information on connection data that is also transmitted by your end device as soon as you visit a web instance of Clausthal University of Technology. This data is collected and processed separately from the election data in the case of an online election.

The purpose of the processing is to conduct elections in accordance with the applicable election regulations at Clausthal University of Technology.

The legal basis for the creation of electoral registers is Art. 6 para. 1 lit. c) GDPR in conjunction with § 16 NHG. Participation in the election is voluntary and takes place with your consent; Art. 6 para. 1 lit. a GDPR serves as the legal basis for data collection. You will not suffer any direct disadvantages if you do not vote.

Software is used to create electoral lists, which is available to the electoral office on a decentralized basis. To prepare for the elections, current electoral lists must be generated from the upstream systems such as SAP HR (employees) or HIS-SOS (students) and imported into the electoral system. The electoral lists then define the group of eligible voters in accordance with the election regulations.

The following categories of personal data are processed for this purpose:

First name, last name, form of address, title, address, personnel number, matriculation number (for students) faculty affiliation, institute, date of birth, degree program (for students), group affiliation (wiss. MA, MTV, professors, students).

If a postal vote is requested by an eligible voter, this is also noted in the electoral list. Address data is processed for the transmission of postal voting documents.

Eligible voters who apply for postal voting documents will be removed from the electoral list for the online election. If no postal voting documents are requested by the voter by the specified deadline, the following categories of personal data are processed:

RZ abbreviation, associated faculty, student/employee status

This data is encrypted using a hash function and transmitted to an external provider of online elections (Polyas GmbH). The external provider does not draw any conclusions about the eligible voters from the anonymized hash values. The electoral list ensures that eligibility to vote can be established.

During the registration process on the TU's own web instance for online voting, the user account of the TU Computing Center is processed.

The following categories of personal data are processed for this purpose:

RZ abbreviation RZ password

After the registration process has been completed, the computer center code is also transmitted in encrypted form to the external provider for online elections (Polyas GmbH) using a hash function and compared with the stored electoral list. The system then displays one or more possible ballot papers depending on the authorization status. Eligible voters can cast a fixed number of votes in accordance with the election regulations. Voting is anonymous, i.e. TU Clausthal does not draw any conclusions between the personal data of the voters and the votes cast. A vote cast is noted in the encrypted voting list to prevent multiple votes being cast.

This is a certified "zero trust procedure" in which the external provider of the digital ballot box (Polyas GmbH) cannot draw any conclusions about the eligible voters and the TUC cannot draw any conclusions about the vote cast by an eligible voter. The election result of the online election is transmitted in aggregated form.

The postal voting documents consist of a ballot paper and the ballot papers. The ballot paper guarantees eligibility to vote and serves to prevent multiple voting. The individual ballot papers are securely stored in a sealed ballot paper envelope with the ballot paper in a sealed ballot box until the votes are counted manually, thus ensuring anonymized voting.

The data is stored until the end of the election period (3 years, or 1 year for students or 2 years for doctoral student representatives).

Pseudo-anonymized data will be transmitted to the external provider of the online election: POLYAS GmbH, Marie-Calm Str. 1-5, 34131 Kassel.

Data is not transferred to third countries.

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights vis-à-vis the controller:

You can request confirmation from the controller as to whether personal data concerning you is being processed by Clausthal University of Technology.

If such processing is taking place, you can request information from the controller. Please contact the electoral office within the specified deadlines to inspect the electoral

to inspect the electoral lists. In the event of incorrect entries, you have the right to have your personal data corrected or deleted if the processed personal data concerning you is incorrect or incomplete. The controller must make the correction without delay.

Assignment to an electoral list is based on automated decision-making in accordance with Art. 22 (1) and (4) GDPR. You can request information about the logic involved and the scope and intended effects of such processing.

You may request the restriction of the processing of your personal data under the following conditions:

1. if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
2. the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
3. the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
4. if you have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your grounds.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (1) The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed. (2) You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing. (3) You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR. (4) The personal data concerning you has been processed unlawfully. (5) The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the controller is subject. (6) The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Article 17(1) GDPR, it shall take reasonable steps, including technical measures, taking into account the available technology and the cost of implementation, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

The right to erasure does not exist if the processing is necessary (1) for exercising the right of freedom of expression and information; (2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; (3) for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h and i and Art. 9 para. 3 GDPR; (4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or (5) for the establishment, exercise or defense of legal claims.

If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right vis-à-vis the controller to be informed about these recipients.

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format.

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, and the controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

You can only withdraw your consent to the processing of your personal data with effect for the future. Since a deletion request can only be fulfilled for data that can be clearly assigned to your person, it is not possible to withdraw your vote.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision (1) is necessary for entering into, or performance of, a contract between you and the controller, (2) is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or (3) is based on your explicit consent. With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.