Data Protection Policy

I. Name and Address of the Data Controller

The data controller (hereinafter: 'Controller') as mandated by the General Data Protection Regulation and other national data protection laws from member states as well as other regulations relevant to data protection is:
University of Bonn
Institute for Microbiology and Biotechnology
Meckenheimer Allee 168, 53115 Bonn
Phone: +49 (0)228 73 7716
Fax: +49 (0)228 73 7576
E-Mail: ifmb@uni-bonn.de
Website: https://www.ifmb.uni-bonn.de/en

II. Name and Address of the Data Protection Officer 

The data protection officer of the Controller is:

N.N.
Genscherallee 3
53113 Bonn
E-Mail: datenschutz@uni-bonn.de
Tel: +49 (0)228 73 6758
https://www.datenschutz.uni-bonn.de

III. General Information on Data Processing

1. Scope of Processing of Personal Data

We process the personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Routine processing of our users’ personal data is performed solely with the consent of the user. An exception comes in cases where the prior acquisition of consent is not possible for practical reasons and stipulations allowing for such processing are included in the legal requirements.

2. Legal Basis for the Processing of Personal Data

Insofar as we have obtained the consent of the data subject for the processing of their data, Art. 6 para. 1(a) GDPR serves as the legal basis for such processing.
The legal basis for the processing of personal data required for the fulfillment of a contract to which the data subject is a party is Art. 6 para. 1(b) GDPR. This also applies to measures in preparation of said contract.
The legal basis for the processing of personal data to fulfill a legal obligation on the part of the University of Bonn is Art. 6 para. 1(c) GDPR.
The legal basis for the processing of personal data as necessary to protect the vital interests of the data subject or another natural person is Art. 6 para. 1(d) GDPR.
The legal basis for processing required for the execution of duties in the public interest or the exercise of public authority that has been transferred to the University is Art. 6 para. 1(e) GDPR.

3. Erasure of Data and Duration of Storage

The personal data of the data subject is to be erased or locked as soon as the purpose for storage no longer applies. Storage can potentially extend beyond this point where necessitated by European or national legislation reflecting EU-wide directives, laws or other rules to which the Controller is subject. The data must then be locked or erased upon expiration of the retention period stipulated by the aforementioned standards, unless it is necessary to continue storage of the data for reasons of entering into or completing a contract.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our internet pages are requested, our system automatically records data and information about the requesting computer's system.
The following data is recorded:

1. Information about the browser type and version
2. The user's operating system
3. The user's internet service provider
4. The user's IP address (pseudonymized, shortened IP address)
5. Date and time of access
6. Referrer website
7. Websites accessed by the user’s system via our website (within *.uni-bonn.de, details of referrers will not be communicated to third parties)

The log files contain IP addresses and other data that allows for identification of a user. This can for example be the case where a link from a referring website or from our pages to another website contains personal data.

The data is also stored in log files on our system. This data is not stored together with other personal data from the user.

2. Purpose of Data Processing

The temporary storage of the IP address by the system is required to allow for the website to be delivered to the user's computer. The IP address of the user must be stored for the duration of the session.
Log files are stored to ensure the functionality of the website. Beyond this, the data helps us optimize the website and ensure the security of our IT systems. No analysis of the data for marketing purposes is made in this context.

3. Duration of Storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. For data collected for the purpose of providing the website, this is the case once the respective session has ended.

For data stored in log files, this purpose expires seven days after it is collected. The data can potentially be stored beyond this point. In this case the user's IP address is erased or anonymized to prevent any further possibility of identifying the client that requested it.

4. Options for Objecting and Removal

The collection of data for the provision of the website and storage of data in log files is necessary for the operation of the internet site. As a result, the user has no option for objecting in this context.

V. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user requests a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that allows for the unambiguous identification of the browser if the website is requested again.

We use cookies to make our website more user friendly. Some elements of our internet site require that the requesting browser can be identified even when a new page is opened.

Cookies store and transmit the following data:

1. Language settings
2. Login information

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies for analytical purposes is the acquisition of the user's consent in accordance with Art. 6 para. 1(a) GDPR.

3. Purpose of Data Processing

Cookies related to a necessary technical function are used to make the website easier to use. Some functions on our internet site cannot be provided without the use of cookies. It is necessary for example that the browser be recognized again when navigating between pages.
We require cookies for the following applications:

(1) Adoption of language settings

User data collected through technically necessary cookies are not used to create a user profile.

The use of analytical cookies serves to improve the quality of our website and its content. The analytical cookies provide us with insights on how the website is used, allowing us to constantly optimize our offerings.

4. Duration of Storage, Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

XI. Rights of the Data Subject

If your personal data is processed, then you as data subject have the following rights against the Controller as established in the GDPR:

1. Right of Access

You can demand confirmation from the Controller whether your personal data is being processed.
If such processing exists, then you can demand the following information from the Controller:

(1) The purposes for which your personal data are processed;

(2) The categories of personal data processed;

(3) The recipients and/or category of recipients who have been or are still being provided with your personal data;

(4) The planned duration of storage of your personal data or, if concrete information cannot be provided here, the criteria for determining the duration of storage;

(5) The existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;

(6) The right to lodge a complaint with a supervisory authority;

(7) All available information on the source of the data if the personal data is not collected from the data subject;

(8) Information on the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to demand information about whether your personal data has been forwarded to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees as per Art. 46 GDPR related to such transfers.

Insofar as the data processing serves scientific, historical or statistical research purposes, the right of access can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

2. Right of Rectification

You have the right to rectification and/or completion of your data from the Controller, insofar as your processed personal data are incorrect or incomplete. The Controller must undertake the corrections immediately.
Where the data processing serves scientific, historical or statistical research purposes, the right of rectification can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

3. Right to Restriction of Processing

Where the following conditions are met, you have the right to restrict processing of your personal data:

(1) You contest the accuracy of the personal data for a period that enables the Controller to verify their accuracy;

(2) The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use;

(3) The Controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims, or

(4) You have objected to processing in accordance with Art. 21 para. 1 GDPR pending verification whether the legitimate grounds of the Controller override your reasons.

If processing of your personal data has been restricted, then that data — other than storage — may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural person or legal entity or from reasons of important public interest to the European Union or one of its member states.
If processing is restricted based on the aforementioned conditions, then you will be informed by the Controller before the restrictions are lifted.

Where data processing serves scientific, historical or statistical research purposes, your right to limit processing can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

4. Right to Erasure

a) Right of Erasure

You can demand that the Controller immediately erase your personal data. The Controller is obligated to erase this data immediately, insofar as one of the following reasons applies:

(1) Your personal data is no longer needed for the purpose for which it was collected or otherwise processed.

(2) You revoke your consent that allowed for processing in accordance with Art. 6 para. 1(a) or Art. 9 para. 2(a) GDPR, and no other legal basis for processing applies.

(3) You file an official objection to processing in accordance with Art. 21 para. (1) GDPR and no overriding justification for the processing applies, or you file an official objection to processing in accordance with Art. 21 para. (2) GDPR.

(4) Your personal data were processed in an illegal manner.

(5) The erasure of your personal data is required to fulfil a legal obligation based on EU law or the law of the Controller’s member state.

(6) Your personal data was collected in the context of services provided by the IT company in accordance with Art. 8 para. (1) GDPR.

b) Information to Third Parties

If the Controller has made your personal data public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers who are processing your personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, the personal data.

c) Exceptions

The right of erasure does not apply where data processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to fulfill a legal obligation which requires processing in accordance with Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2(h) and 9 para. 2(i) and Art. 9 para. 3 GDPR;

(4) for archiving purposes in the public interest or for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. (1) GDPR, insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) for the assertion, exercise or defense of legal claims

5. Right of Information

If you have exercised your right of notification, erasure and restriction of processing against the Controller, then the Controller is obligated to inform all recipients who received your personal data about that notification, erasure or restriction of processing, unless this is impossible or involves an unreasonable amount of cost and complexity.

You have the right to demand of the Controller information about those recipients.

6. Right to Data Portability

You have the right to receive your personal data that you have provided the Controller in a structured, commonly used machine-readable format. Furthermore you have the right to transfer that data to a different Controller, without impediment by the Controller who received the personal data, insofar as
(1) the processing is based on consent provided according to Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR or on a contract pursuant to Art. 6 para. 1(b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you furthermore have the right to demand that your personal data be transferred directly from one controller to another controller, insofar as this is technically feasible. Freedoms and rights of other persons may not be violated in this process.

The right to data portability does not apply in cases of processing of personal data required for execution of duties in the public interest or the execution of public authority that has been transferred to the controller.

7. Right to object

You have the right to object at any time for reasons related to your specific situation to the processing of your personal data on the basis of Art. 6 para. 1(e) GDPR, including profiling based on that provision.

In the event of an objection, the Controller will no longer process your personal data, unless he or she can provide urgent defensible reasons for processing that outweigh your interests, rights and freedoms, or where the processing serves the assertion, exercise or defense of legal claims.

Where data processing is for scientific, historical or statistical research purposes as per Art. 89 para. (1) GDPR, you shall have the additional right to object to the processing of your personal data on grounds relating to your particular situation, unless the processing is necessary for the fulfillment of tasks in the public interest.

8. Right of Revocation of Declaration of Consent to Processing

You have the right to revoke your declaration of consent to data processing at any time. Revoking consent does not affect the legality of the data processing performed before the point of rescission on the basis of the consent provided.

9. Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects for you or that has a similarly significant impact on you.

This shall not apply if the decision

(1) is necessary for entering into a contract between you and the Controller or for the performance of such a contract;

(2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2(a) or Art. 9 para. 2(g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3) above, the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10. Right of Complaint to a Supervisory Authority

Irrespective of any other available administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the member state of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the EU’s GDPR.
The supervisory authority receiving the complaint will inform the complainant about the status and results of the complaint, including the option for legal remedy in accordance with Art. 78 GDPR.

The competent supervisory authority for the University of Bonn is the:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
[State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia]
Postfach 20 04 44
40102 Düsseldorf
Germany
Phone: +49 211 38424-0
Fax: +49 211 38424-10
Email: poststelle(at)ldi.nrw.de
