Data protection policy

This English translation is offered as a service.  I. Name and Address of the Data ControllerThe data controller (hereinafter: 'Controller') as mandated by the General Data Protection Regulation and other national data protection laws from member states as well as other regulations relevant to data protection is: 

Botanische Gärten der Rheinischen Friedrich-Wilhelms-Universität Bonn
Meckenheimer Allee 171
D-53115 Bonn
Germany

Telefon: 49-(0)228-735523
Telefax: 49-(0) 228-739058
E-Mail: botgart@uni-bonn.de
Internet: http://www.botgart.uni-bonn.de

II. Name and Address of the Data Protection Officer 

The data protection officer of the Controller is:
Dr. Jörg Hartmann
Genscherallee 3
53113 Bonn
Germany
Email: joerg.hartmann@uni-bonn.de
Phone: + 49 228 73-6758
https://www.datenschutz.uni-bonn.de

III. General Information on Data Processing

1. Scope of Processing of Personal Data

We process the personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Routine processing of our users’ personal data is performed solely with the consent of the user. An exception comes in cases where the prior acquisition of consent is not possible for practical reasons and stipulations allowing for such processing are included in the legal requirements.

2. Legal Basis for the Processing of Personal Data

Insofar as we have obtained the consent of the data subject for the processing of their data, Art. 6 para. 1(a) GDPR serves as the legal basis for such processing.
The legal basis for the processing of personal data required for the fulfillment of a contract to which the data subject is a party is Art. 6 para. 1(b) GDPR. This also applies to measures in preparation of said contract.
The legal basis for the processing of personal data to fulfill a legal obligation on the part of the University of Bonn is Art. 6 para. 1(c) GDPR.
The legal basis for the processing of personal data as necessary to protect the vital interests of the data subject or another natural person is Art. 6 para. 1(d) GDPR.
The legal basis for processing required for the execution of duties in the public interest or the exercise of public authority that has been transferred to the University is Art. 6 para. 1(e) GDPR.

3. Erasure of Data and Duration of Storage

The personal data of the data subject is to be erased or locked as soon as the purpose for storage no longer applies. Storage can potentially extend beyond this point where necessitated by European or national legislation reflecting EU-wide directives, laws or other rules to which the Controller is subject. The data must then be locked or erased upon expiration of the retention period stipulated by the aforementioned standards, unless it is necessary to continue storage of the data for reasons of entering into or completing a contract. 

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our internet pages are requested, our system automatically records data and information about the requesting computer's system. 
The following data is recorded:

1.    Information about the browser type and version

2.    The user's operating system

3.    The user's internet service provider

4.    The user's IP address (pseudonymized, shortened IP address)

5.    Date and time of access

6.    Referrer website 

7.    Websites accessed by the user’s system via our website (within *.uni-bonn.de, details of referrers will not be communicated to third parties)

The log files contain IP addresses and other data that allows for identification of a user. This can for example be the case where a link from a referring website or from our pages to another website contains personal data.

The data is also stored in log files on our system. This data is not stored together with other personal data from the user.

2. Purpose of Data Processing

The temporary storage of the IP address by the system is required to allow for the website to be delivered to the user's computer. The IP address of the user must be stored for the duration of the session. 
Log files are stored to ensure the functionality of the website. Beyond this, the data helps us optimize the website and ensure the security of our IT systems. No analysis of the data for marketing purposes is made in this context.

 3. Duration of Storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. For data collected for the purpose of providing the website, this is the case once the respective session has ended. 

For data stored in log files, this purpose expires seven days after it is collected. The data can potentially be stored beyond this point. In this case the user's IP address is erased or anonymized to prevent any further possibility of identifying the client that requested it.

4. Options for Objecting and Removal

The collection of data for the provision of the website and storage of data in log files is necessary for the operating of the internet site. As a result, the user has no option for objecting in this context.

V. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user requests a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that allows for the unambiguous identification of the browser if the website is requested again. 

We use cookies to make our website more user friendly. Some elements of our internet site require that the requesting browser can be identified even when a new page is opened. 

Cookies store and transmit the following data:

1.    Language settings

2.    Login information

Beyond this, our website uses cookies that allow for an analysis of the user's surfing habits.  A software tool called Matomo (formerly PIWIK) is used for this. More details can be found under point IX.

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies for analytical purposes is the acquisition of the user's consent in accordance with Art. 6 para. 1(a) GDPR.

3. Purpose of Data Processing

Cookies related to a necessary technical function are used to make the website easier to use. Some functions on our internet site cannot be provided without the use of cookies. It is necessary for example that the browser be recognized again when navigating between pages.
We require cookies for the following applications:

(1) Adoption of language settings

User data collected through technically necessary cookies are not used to create a user profile.

The use of analytical cookies serves to improve the quality of our website and its content. The analytical cookies provide us with insights on how the website is used, allowing us to constantly optimize our offerings.

4. Duration of Storage, Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

VII. YouTube

The website of the University of Bonn uses plugins from YouTube, which is operated by Google. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

If you visit one of our pages where the YouTube plugin has been integrated, then a connection is established with the YouTube servers. This informs YouTube about which of our pages you have visited.

If you are logged into your YouTube account, YouTube can potentially associate your surfing habits directly with your personal profile. You can prevent this by logging out of your YouTube account.

The YouTube plugin has been integrated so that we can present our online content in a more attractive way.

For more information about how YouTube manages user data, please refer to the YouTube privacy policy at:  https://www.google.de/intl/de/policies/privacy.

VIII. Newsletter

1. Description and Scope of Data Processing

Our website offers you the option of subscribing to our free newsletter. If you register for the newsletter, data from the data entry form will be transmitted to us.
In addition, the following data are collected during registration:

(1) IP address of the requesting computer
(2) Date and time of registration

In the course of the registration process, we will ask you to consent to the processing of your personal data and we will refer you to the privacy notice.
No data is disclosed to third parties in connection with data processing for the dispatch of newsletters. Such data is used exclusively for the purpose of sending the newsletter.

2. Legal Basis for Data Processing

The legal basis for the processing of data related to a newsletter subscription is the acquisition of the user's consent as per Art. 6 para. 1(a) GDPR.

3. Purpose of Data Processing

The user’s email address is needed to deliver the newsletter. 
Any other personal data collected during the registration process is required to prevent misuse of the services or the email address supplied.

4. Duration of Storage

The data is erased as soon as its retention is no longer required to achieve the purpose for which it was recorded. The user’s email address will be stored for as long as the user continues to subscribe to the newsletter.

5. Options for Objecting and Removal

The user may cancel their subscription to the newsletter at any time. Each newsletter contains a link for this purpose. 

This also allows subscribers to revoke their consent to the storage of personal data collected during the registration process.

IX. Contact Form and Contact by Email

1. Description and Scope of Data Processing

A contact form is available on our website and may be used to contact us electronically. If a user contacts us in this way, the data they enter in the input form is transmitted to us and stored. The data stored is:

The following data are also stored when the message is transmitted:

(1) The user’s IP address

(2) Date and time of registration

During the data collection process, we will ask you to consent to the processing of your personal data and we will refer you to the privacy notice.
Alternatively, you may contact us at the email address provided. In this case, the user’s personal data transmitted with the email will be stored. 

The data will not be shared with third parties. The data is used exclusively for processing the conversation (i.e. email communication) with the user.

2. Legal Basis for Data Processing

Once the user has granted consent, the legal basis for data processing is Art. 6 para.1(a) GDPR.
If the purpose of the email contact is to enter into a contract, the additional legal basis for data processing is Art. 6 para. 1(b) GDPR.

3. Purpose of Data Processing

The personal data from the input form is processed solely for the purpose of contacting the user. 
Any other recorded personal data is used to prevent misuse of the contact form and to secure the safety of our IT systems.

4. Duration of Storage

The data is erased as soon as its retention is no longer required to achieve the purpose for which it was recorded. This is the case for the personal data from the contact form and the data sent by email when the respective conversation with the user has ended. The conversation is deemed to have ended once the circumstances of the conversation indicate that the relative topic of discussion has been fully clarified.

5. Options for Objecting and Removal

Users may withdraw their consent for the processing of their personal data at any time. If the user has only engaged in contact with us via email, then objection to the storage of his or her personal data can be submitted at any time; in such a case, however, the conversation will not be continued.

If consent is revoked, all personal data stored when contact was made will be erased.

X. Web Analysis by Matomo (formerly PIWIK)

1. Scope of Processing of Personal Data

Our website uses an Open Source software tool called Matomo (formerly PIWIK) to analyze the surfing habits of our users. The software places a cookie on the user's computer (for more on cookies, see above). When individual pages of our website are requested, the following data is stored:

(1) Two bytes of the user’s IP address

(2) The requested web page

(3) The referrer website

(4) Subpages retrieved from the accessed website

(5) The duration of the visit to the web page

(6) Access frequency
The software used for such analyses runs exclusively on our servers. The personal data of users is stored on these servers only. The data is never forwarded to third parties.

The software has been configured to prevent full storage of the IP address, with two bytes of the IP address masked (such as: 192.168.xxx.xxx). In this way, the shortened IP address can no longer be identified with the requesting computer.

2. Purpose of Data Processing

The processing of the user's personal data allows us the analyze the surfing habits of our users. We use analyses of the collected data to deduce information about the use of individual components of our website. This helps us constantly improve our website and its user friendliness. The IP address is anonymized to promote the interest of the user in the protection of his or her personal data.

3. Duration of Storage

The data is erased as soon as it is no longer required for our analytical purposes. 
In our case, this is the case after 3 months.

4. Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

We offer users of our website the option to opt-out of the analysis process. To do so, you must click on the corresponding link. This then places an additional cookie on your system that signals to our computer not to store the user's data. If the user erases that cookie at some point from their own system, then the opt-out cookie must then be re-set to be effective.

For more information about privacy settings on Matomo Software, please click on the following link:  https://matomo.org/docs/privacy/.

XI. Rights of the Data Subject

If your personal data is processed, then you as data subject have the following rights against the Controller as established in the GDPR:

1. Right of Access

You can demand confirmation from the Controller whether your personal data is being processed. 
If such processing exists, then you can demand the following information from the Controller:

(1) The purposes for which your personal data are processed;

(2) The categories of personal data processed;

(3) The recipients and/or category of recipients who have been or are still being provided with your personal data;

(4) The planned duration of storage of your personal data or, if concrete information cannot be provided here, the criteria for determining the duration of storage;

(5) The existence of the right to request from the Controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; 

(6) The right to lodge a complaint with a supervisory authority;

(7) All available information on the source of the data if the personal data is not collected from the data subject;

(8) Information on the existence of automated decision-making, including profiling, referred to in Art. 22 para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to demand information about whether your personal data has been forwarded to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees as per Art. 46 GDPR related to such transfers.

Insofar as the data processing serves scientific, historical or statistical research purposes, the right of access can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

2. Right of Rectification 

You have the right to rectification and/or completion of your data from the Controller, insofar as your processed personal data are incorrect or incomplete. The Controller must undertake the corrections immediately.
Where the data processing serves scientific, historical or statistical research purposes, the right of rectification can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

3. Right to Restriction of Processing

Where the following conditions are met, you have the right to restrict processing of your personal data:

(1) You contest the accuracy of the personal data for a period that enables the Controller to verify their accuracy;

(2) The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use;

(3) The Controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims, or

(4) You have objected to processing in accordance with Art. 21 para. 1 GDPR pending verification whether the legitimate grounds of the Controller override your reasons.

If processing of your personal data has been restricted, then that data — other than storage — may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural person or legal entity or from reasons of important public interest to the European Union or one of its member states.
If processing is restricted based on the aforementioned conditions, then you will be informed by the Controller before the restrictions are lifted.

Where data processing serves scientific, historical or statistical research purposes, your right to limit processing can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

4. Right to Erasure

a) Right of Erasure

Right of Erasure
You can demand that the Controller immediately erase your personal data. The Controller is obligated to erase this data immediately, insofar as one of the following reasons applies:

(1) Your personal data is no longer needed for the purpose for which it was collected or otherwise processed.

(2) You revoke your consent that allowed for processing in accordance with Art. 6 para. 1(a) or Art. 9 para. 2(a) GDPR, and no other legal basis for processing applies. 

(3) You file an official objection to processing in accordance with Art. 21 para. (1) GDPR and no overriding justification for the processing applies, or you file an official objection to processing in accordance with Art. 21 para. (2) GDPR. 

(4) Your personal data were processed in an illegal manner. 

(5) The erasure of your personal data is required to fulfil a legal obligation based on EU law or the law of the Controller’s member state. 

(6) Your personal data was collected in the context of services provided by the IT company in accordance with Art. 8 para. (1) GDPR.

b) Information to Third Parties

If the Controller has made your personal data public and is obliged pursuant to Art. 17 para. 1 GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other data controllers who are processing your personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, the personal data. 

c) Exceptions

The right of erasure does not apply where data processing is necessary

(1) to exercise the right to freedom of expression and information;

(2) to fulfill a legal obligation which requires processing in accordance with Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;

(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2(h) and 9 para. 2(i) and Art. 9 para. 3 GDPR;

(4) for archiving purposes in the public interest or for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 para. (1) GDPR, insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or

(5) for the assertion, exercise or defense of legal claims

5. Right of Information

If you have exercised your right of notification, erasure and restriction of processing against the Controller, then the Controller is obligated to inform all recipients who received your personal data about that notification, erasure or restriction of processing, unless this is impossible or involves an unreasonable amount of cost and complexity.

You have the right to demand of the Controller information about those recipients.

6. Right to Data Portability

You have the right to receive your personal data that you have provided the Controller in a structured, commonly used machine-readable format. Furthermore you have the right to transfer that data to a different Controller, without impediment by the Controller who received the personal data, insofar as
(1) the processing is based on consent provided according to Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR or on a contract pursuant to Art. 6 para. 1(b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you furthermore have the right to demand that your personal data be transferred directly from one controller to another controller, insofar this is technically feasible. Freedoms and rights of other persons may not be violated in this process.

The right to data portability does not apply in cases of processing of personal data required for execution of duties in the public interest or the execution of public authority that has been transferred to the controller.

7. Right to object

You have the right to object at any time for reasons related to your specific situation to the processing of your personal data on the basis of Art. 6 para. 1(e) GDPR, including profiling based on that provision. 

In the event of an objection, the Controller will no longer process your personal data, unless he or she can provide urgent defensible reasons for processing that outweigh your interests, rights and freedoms, or where the processing serves the assertion, exercise or defense of legal claims.

Where data processing is for scientific, historical or statistical research purposes as per Art. 89 para. (1) GDPR, you shall have the additional right to object to the processing of your personal data on grounds relating to your particular situation, unless the processing is necessary for the fulfillment of tasks in the public interest.

8. Right of Revocation of Declaration of Consent to Processing

You have the right to revoke your declaration of consent to data processing at any time. Revoking consent does not affect the legality of the data processing performed before the point of rescission on the basis of the consent provided.

9. Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects for you or that has a similarly significantly impact on you. 

This shall not apply if the decision 

(1) is necessary for entering into a contract between you and the Controller or for the performance of such a contract;

(2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or

(3) is based on your explicit consent.

However, these decisions shall not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2(a) or Art. 9 para. 2(g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in (1) and (3) above, the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express his or her point of view and to contest the decision.

10. Right of Complaint to a Supervisory Authority

Irrespective of any other available administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the member state of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the EU’s GDPR. 
The supervisory authority receiving the complaint will inform the complainant about the status and results of the complaint, including the option for legal remedy in accordance with Art. 78 GDPR.

The competent supervisory authority for the University of Bonn is the:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
[State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia]
Postfach 20 04 44
40102 Düsseldorf
Germany
Phone: +49 211 38424-0
Fax: +49 211 38424-10
Email: poststelle(at)ldi.nrw.de

I. Name and Address of the Data Controller

The data controller (hereinafter: 'Controller') as mandated by the General Data Protection Regulation and other national data protection laws from member states as well as other regulations relevant to data protection is:

University of Bonn

Regina-Pacis-Weg 3
53113 Bonn[PA3] 
Germany

Phone: +49 228 73-0
Email: kommunikation@uni-bonn.de
Website: https://www.uni-bonn.de


II. Name and Address of the Data Protection Officer 

The data protection officer of the Controller is:

Dr. Jörg Hartmann

Genscherallee 3
53113 Bonn
Germany

Email: joerg.hartmann@uni-bonn.de
Phone: +49 228 73-6758
https://www.datenschutz.uni-bonn.de

Wird geladen