Data Protection Statement
We appreciate your interest in our online presence. The protection of your personal data is very important to us. It is possible to use our websites without providing any personal data. When you make use of special services on our websites, however, it may be necessary for us to process your personal data. If this does prove necessary and there is no statuatory basis for this processing, we generally obtain your consent.
The processing of personal data, for example, of a person’s name, street address, email address or telephone number, is always performed in accordance with the EU General Data Protection Regulation (EU-GDPR) and in compliance with the Berlin Data Protection Act (BlnDSG). The following data protection statement is intended to inform you about the type, scope and purpose of the personal data we collect. Moreover this data protection statement also explains your rights.
The Data Protection Statement of Humboldt-Universität zu Berlin is based on the terms used by European legislators in issuing the General Data Protection Regulation. These terms are explained in a glossary at the end of this document.
1. Name and address of the data controller
The controller in the sense of the General Data Protection Regulation is:
Humboldt-Universität zu Berlin
Prof. Dr.-Ing. Dr. Sabine Kunst
Unter den Linden 6
Phone: +49 (30) 2093-2100
2. Name and address of the data protection officer
The Data Protection Officer of Humboldt-Universität zu Berlin is:
3. Data processing and processing purposes
For each visit to the website of Humboldt-Universität zu Berlin by a data subject or an automated system, the website collects a series of general data and information. These general data and information are stored on the log files of the server. The following are collected: (1) the type and version of the browser used, (2) the operating system used by the accessing system, (3) the website from which an accessing system reaches our website (HTTP referer), (4) the subsites that are accessed on our website via an accessing system, (5) the date and time of access to our website, (6) the Internet Protocol address (IP-address) with the final digits removed to make it anonymous and (7) other similar data and information that facilitate an emergency response in case of attacks on our information technology systems.
In using these general data and information, Humboldt-Universität zu Berlin makes no inferences about the data subject. This information is necessary in order (1) to correctly provide the contents of our website, (2) to optimize the contents of our website, (3) to ensure the continuous functionality of our IT system and the technology of our website and (4) to provide law enforcement authorities with the information necessary for criminal prosecution in the case of a cyber attack. These anonymously recorded data and information are evaluated by Humboldt-Universität zu Berlin statistically as well as with the goal of increasing data protection and data security at our institution in order to ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from all personal data provided by a data subject.
If a data subject contacts the data controller via email or contact form, the personal data of that data subject are automatically stored. These personal data, provided voluntarily by a data subject, are stored for the purpose of processing or of contacting the data subject. These personal data are not shared with a third party.
4. Erasing and blocking personal data
The personal data collected by us will be processed and saved only for as long as is necessary to achieve the storage purposes or as laws and regulations require. The log data mentioned in (3) will be erased after one week.
5. Rights of the data subject (withdrawal, access, rectification, erasure)
Every subject whose personal data is processed has, according to the law, the right to demand free of charge from the data controller access or confirmation regarding the personal data stored about them. Moreover there is a right to the rectification of inaccurate personal data without undue delay and a right to erasure; there is also a right to restriction of processing and a right to object to processing.
Consent to the processing of personal data can be withdrawn at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
There is a right to keep the personal data provided by the data subject in a structured, commonly used and machine-readable format, and to transmit it to another controller.
Furthermore without prejudice to any other administrative or judicial remedy, complaints can be submitted to a Member State supervisory authority if there are any doubts about the lawfulness of the processing of personal data.
7. Data protection provisions for the use and application of social media
Links to various social media platforms such as Facebook, Twitter, Instagram, etc. have been integrated into the HU websites. However, on the central HU websites there has not been an integration of data such as the ‘like’ button, but only of links to the respective external presentation of our institution on the corresponding platform. No data that are relevant to data protection are stored. There are web presences of HU facilities that deviate from this model.
8. Data protection provisions for the use and application of web analytics tools
The web analytics application ‘Matomo’ has been integrated into a number of HU websites. Web analytics is the measurement, collection and analysis of data about the behaviour of website visitors. Among other things, a web analytics tool collects data about which website a data subject used to reach a website (HTTP referer), the particular subpages of the website that have been accessed and how often and for what duration a specific subpage has been viewed. Web analytics are used primarily to optimize a website.
The ‘Matomo’ software runs on a server of the HU Computer and Media Service (CMS). The log data relevant for data protection are stored exclusively on this server. We use data about the usage of our website only in anonymised form.
If you do not consent to the storage and evaluation of these data about your visit, you can subsequently object to storage and evaluation per mouse click. An opt-out cookie will be set in your browser and as a result Matomo will not collect any session data. Please note: When you delete your cookies, you also delete your opt-out cookie and must reactivate it if you want to opt out again.
Further information and the current data protection provisions of Matomo can be found at http://matomo.org/docs/privacy/.
9. Data protection provisions for the use and application of ‘Mindbreeze’
At various places on our Internet pages you will find the option of subscribing to a free newsletter, for example, the student newsletter (https://www.hu-berlin.de/de/service/hu_newsletter/newsletter_studierende). If you register for a newsletter, the email address you provide on the form will be submitted to our list server. The list server also stores the date of list registration. In order to process the data, your consent is obtained in this registration process through a double opt-in procedure. It is not enough to simply enter your email address into the web form. You become a subscriber to the list only when you have clicked the confirmation link in the invitation email that has automatically been sent by the list server. A newsletter will be sent to your address only after this has occurred. The delivery of newsletters is carried out with the assistance of the SYMPA list server installed on the CMS. Your email address is NOT shared with third parties.
You can end your subscription to the newsletter at any time by unsubscribing from the same webpage you used to subscribe. Your data will then be removed automatically from the list. Every newsletter sent to you contains a link to the unsubscribe form.
The employee newsletter is a second type of newsletter. This newsletter is sent to the email addresses of all employees in the central HU employee database (ZIS). The legal basis for this is a valid HU employment contract. According to this contract, university management has the right to send information to its employees. However, at the bottom of every newsletter there is a reference to the possibility of unsubscribing to the newsletter. Removal from the list occurs either by unsubscribing or by deletion from the ZIS.
11. The legal basis of processing
The processing of personal data is always performed in accordance with the EU General Data Protection Regulation (EU-GDPR) and in compliance with the Berlin Data Protection Act (BlnDSG). If the data processing is based on your consent, the processing is lawful pursuant to Art. 6 para. 1 lit. a GDPR (e.g. newsletter subscriptions).
Data processing necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract is lawful pursuant to Art. 6 para. 1 lit. b GDPR (e.g. event registration). If the data processing is necessary for compliance with a legal obligation to which the Humboldt-Universität zu Berlin is subject, the processing is lawful according to Art. 6 para. 1 lit. c GDPR (e.g. statutory storage obligations).
If the data processing is necessary in order to protect the vital interests of the data subject or of another natural person, the processing is lawful according to Art. 6 para. 1 lit. d GDPR. As far as the data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Humboldt-Universität zu Berlin, the processing is lawful according to Art. 6 para. 1 lit. e GDPR (e.g. processing of examinations).
If the data processing is necessary for the purposes of the legitimate interests pursued by the Humboldt-Universität zu Berlin, the processing of data is lawful pursuant to Article 6 paragraph 1 lit. f GDPR, (e.g. the data processing as listed in 3.), unless interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, take precedence.
The Data Protection Statement of Humboldt-Universität zu Berlin is based on the terms used by European legislators in issuing the General Data Protection Regulation. Our Data Protection Statement is intended to be easily readable and comprehensible. To this end we would like to explain the terms that have been used here.
We have used the following terms in our data protection statement:
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject
Data subject means any identified or identifiable natural person whose personal data are processed by the data controller.
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaption or alteration, selection, retrieval, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting in the use personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or data controller
Controller or data controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or Member State law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Recipient means a natural or legal person, public authority, agency or other body, to whom personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with European Union or Member State law shall not be regarded as recipients.
j) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who are authorized to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.