Information on Data Protection

This data protection policy applies to the central part of Hamm-Lippstadt University of Applied Sciences’s webpages. Decentralized sites sometimes have different data protection conditions; these are stated there separately.

I. Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Hamm-Lippstadt University of Applied Sciences
represented by the President
Marker Allee 76-78
59063 Hamm
Germany
Tel .: +49 (0) 2381 8789-0
Email: info@hshl.de
Website: www.hshl.de

II. Name and Address of the Data Protection Officer

The data protection officer of the data controller is:

Hamm-Lippstadt University of Applied Sciences
Data Protection Officer
Marker Allee 76-78
59063 Hamm, Germany
Tel .: +49 (0) 2381 8789-7213
Email: dsb@hshl.de

The web server for Hamm-Lippstadt University of Applied Sciences is operated by ahd GmbH & Co. KG on behalf of Hamm-Lippstadt University of Applied Sciences.

III. General Information on Data Processing

1. Scope of Personal Data Processing

We only process personal data of our users to the extent that this is necessary for providing a functional website as well as our content and services. Collection and utilization of our users’ personal data is undertaken periodically only with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for legal or factual reasons and the processing of the data is permitted by law.

2. Legal Basis for Processing Personal Data

Insofar as we obtain your consent for the processing of your personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. For the processing of personal data necessary for fulfillment of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which Hamm-Lippstadt University of Applied Sciences is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If the processing is necessary for the performance of a task that is in the public interest or takes place in the exercise of official authority that has been assigned to Hamm-Lippstadt University of Applied Sciences, Art. 6 para. 1 lit. e GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of Hamm-Lippstadt University of Applied Sciences or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former, Art. 6 para. 1 lit. f GDPR serves as the legal basis. This does not apply if, in the said processing, Hamm-Lippstadt University of Applied Sciences is acting in the exercise of official authority.

3. Data Deletion and Storage Duration

The personal data of the data subject will be deleted or blocked as soon as the storage purpose no longer applies, unless there is another legal basis for further processing. In addition, the data may be stored if this has been provided for by the European or national legislators in EU regulations, laws, or other provisions to which the data controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned regulations has elapsed, unless further storage of the data is necessary for the conclusion or fulfillment of a contract. If the processing is based on the consent of the data subject, the data will only be stored until the data subject revokes their consent, unless there is another legal basis for the processing.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Every time our website is visited, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected: date and time of access.

The data will be stored in the log files of our system. Data that are not affected by this are the user’s IP addresses or other data that would allow the user of the data to be identified. This data is not stored together with any other personal data of the user.

2. Legal Basis for Data Processing

The legal basis for temporary storage of the data is Art. 6 para. 1 lit. f GDPR.

3 Purpose of the Processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to your computer. To do this, the user’s IP address must be stored for the duration of the session.

The data is stored in log files in order to ensure the website’s functionality. The data is also used to optimize the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is undertaken in this context.

These purposes also encompass our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

Duration of the Storage of Personal Data
The data is deleted when the respective session is ended.

If the data is stored in log files, it will be deleted, at the latest, within seven days. It may, however, be retained for a longer period. In this case, the user’s IP addresses will be deleted or anonymized in such a way that they can no longer be attributed to the accessing client.

4. Objection and Removal Options

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no option for you to object to its collection and retention.

V. Web Analysis by Google Analytics

1. Scope of Personal Data Processing

We use Google Analytics, a web analysis service provided by Google LLC ("Google"), on our website to analyze the surfing behavior of our users. The software places a cookie on the user’s computer. Cookies are text files that are stored within or by the internet browser on the computer system of the user. If a user visits a website, a cookie may be stored on the user’s operating system. These cookies contain a distinctive character string that enables precise identification of the browser when the website is accessed again.

The information generated by the cookie about the user’s use of the website is generally transmitted to and stored on a Google server in the USA.
Google is certified under the Privacy Shield agreement, thereby offering a guarantee of compliance with European data protection law: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active

We use Google Analytics only with activated IP anonymization. This means that the IP address of the user is truncated by Google within the member states of the European Union or in other countries that are party to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and truncated there. The IP address sent by the user’s browser will not be connected with other data from Google. Users can prevent the storage of cookies by selecting the appropriate browser settings; you can also deactivate the use of your data by Google Analytics on this website via the link at the bottom of this page.
Source: Website of RA Dr. Thomas Schwenke

2. Legal Basis for Processing Personal Data

The legal basis for processing users’ personal data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of Data Processing

The processing of users’ personal data enables us to analyze the surfing behavior of our users. We are in a position to compile information about the use of the individual components of our website by evaluating the data obtained. This helps us to continuously improve our website and its user-friendliness. For these purposes, our legitimate interest also lies in the processing of data pursuant to Art. 6 para. 1 lit. f GDPR. By anonymizing the IP addresses, users’ interest in protecting their personal data is sufficiently taken into account.

4. Duration of Storage

The data will be deleted or anonymized as soon as it is no longer required for our recording purposes.

In our case, this is the case after 26 months. We compare user data every six months and make a comparison with the same period of the previous year, the data we examine is then approx. 18 months old. Google offers a storage period of 14 months, 26 months or more. Since 14 months would be too short for our evaluation period, we save your data for 26 months.

5. Objection and Removal Options

Cookies are stored on the user’s computer and transmitted to our site. You therefore have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies for our website are deactivated, it is possible that you will no longer be able to use all of its features.

We offer our users the possibility to opt out of the analysis procedure on our website. To do this, you must follow the corresponding link (link, see above). This places another cookie on your system, which signals to our system not to store the user’s data. If the user deletes the corresponding cookie from his or her system in the meantime, the opt-out cookie must be set again.

Additional information on the use of data by Google, as well as options for settings and objections, can be found in Google’s privacy policy ( https://policies.google.com/technologies/ads) as well as in the settings for the display of ads by Google

VI. Use of Cookies

On the central pages of Hamm-Lippstadt University of Applied Sciences (www.hshl.de), no cookies are currently used beyond the web analysis of Google Analytics.

VII. Open Street Map

This site uses the open-source mapping tool "OpenStreetMap" (OSM) via an API. The provider is the OpenStreetMap Foundation. In order to use the features of OpenStreetMap it is necessary to save your IP address. This information is generally transmitted to an OpenStreetMap server and stored there. The provider of this site has no influence on this data transfer. The use of OpenStreetMap is in the interest of an appealing presentation of our website and facilitates the location of the places we specify on the website. This constitutes a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. More information on the handling of user data can be found here: https://wiki.osmfoundation.org/wiki/Privacy_Policy

VIII. Use of YouTube Videos

We offer our website users the opportunity to watch selected videos from YouTube directly on the site. To protect user data, a connection to YouTube is only established once the link is clicked on and the video starts. Only then will data be sent to the provider. As long as the link is not clicked on, no data will be exchanged between the user and YouTube. Information about the collection and use of your data on YouTube can be found here: https://policies.google.com/privacy?hl=de&gl=de

IX. Use of Vimeo Videos

We offer our website users the opportunity to watch selected videos from Vimeo directly on the site. To protect user data, a connection to Vimeo is only established once the link is clicked on and the video starts. Only then will data be sent to the provider. As long as the link is not clicked on, no data will be exchanged between the user and Vimeo. Information about the collection and use of your data on Vimeo can be found here: https://vimeo.com/privacy

Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to us as the data controller:

1. Right to Information

You can request that we confirm whether we are processing or have processed personal data concerning you.If this is the case, you can request the following information from the data controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
(4) the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
(5) the existence of a right to correction or deletion of your personal data, a right to restrict processing by the data controller or a right to object to this processing;
(6) the right to file a complaint with a supervisory authority;
(7) all available information about the origin of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information regarding whether your personal information will be transmitted to a non-EU country or an international organization. In this respect, you can request the appropriate guarantees in connection with the transmission in accordance with Art. 46 GDPR.

2. Right to Correction

You have a right to correct and/or add to the personal data concerning you held by the data controller if it is incorrect or incomplete. The data controller is required to make the correction immediately.

3. Right to Restriction of Processing

You can request that the processing of your personal data be restricted under the following conditions:
(1) if you dispute the accuracy of the personal data concerning you for a time period that enables the data controller to check the accuracy of the personal data;
(2) the processing is unlawful and you refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
(3) the data controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
(4) if you have filed an objection to the processing in accordance with Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons of the data controller to process your data outweigh your reasons. If the processing of personal data concerning you has been restricted, such data may be processed – with the exception of their storage – only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the data processing has been restricted in accordance with the conditions listed above, you will be informed by the data controller before the restriction is lifted.

4. Right to Deletion

a) Obligation to Delete
You can request that the data controller delete the personal data relating to you immediately, and the data controller is obliged to delete this data immediately if one of the following reasons applies:
(1) The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent upon which its processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for its continued processing.
(3) You object to its processing in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for its continued processing; or you submit an objection to its processing according to Art. 21 para. 2 GDPR.
(4) Your personal data has been processed unlawfully.
(5) The deletion of personal data concerning you is required in order to comply with legal obligations according to EU law or national law of the Member States to which the data controller is subject.
(6) The personal data concerning you was provided in connection with services offered by an information company per Art. 8 para. 1 GDPR.

b) Information to Third Parties
If the data controller has made the personal data concerning you public and is obligated to delete it according to Art. 17 para. 1 GDPR, the data controller will take appropriate measures, including those of a technical nature, while taking into account available technology and implementation costs, to inform the data controllers who are processing the personal data that you as the data subject have requested that they delete all links to this personal data or copies or replications of this personal data.

c) Exceptions
The right to deletion does not exist if the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation that requires processing under the law of the Union or of the Member States to which the data controller is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been transferred to the data controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i, as well as Art. 9 para. 3 GDPR;
(4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, to the extent that the law referred to in section a) is likely to render impossible or seriously compromise the attainment of the objectives of such processing, or
5) to assert, exercise or defend legal claims.

5. Right to Be Informed

If you have asserted to the data controller the right to have your data corrected, deleted or to restrict its further processing, they are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the data controller.

6. Right to Data Portability

You have the right to obtain a copy of the personal data that the data controller has on file about you in a structured, commonly used, machine-readable format. In addition, you have the right to transfer this data to another data controller without hindrance from the data controller to whom the personal data was provided, provided that
(1) the processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on the basis of a contract in accordance with Art. 6 para. 1 lit. b GDPR and
(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the data controller transfer the personal data they have on file about you directly to another data controller if this is technically feasible. This action must not affect the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority which was conferred on the data controller.

7. Right to Objection

You have the right, for reasons arising from your specific situation, to object to the processing of personal data concerning you at any time, which is carried out in accordance with Art. 6 para. 1 lit. e or f GDPR; the same applies to profiling based on these provisions.The data controller will no longer process the personal data relating to you unless they can prove a compelling, legitimate reason for this which outweighs your interests, rights, and freedoms or the processing serves to assert, exercise, or defend legal claims.

In the context of the use of information company services  – notwithstanding Directive 2002/58/EC – you may exercise your right to object using an automated process involving the use of technical specifications.

8. Right to Revoke the Declaration of Consent Under Data Protection Law

You have the right to revoke your declaration of consent under data protection law at any time. This revocation will not affect the lawfulness of any processing done beforehand.

9. Right to File a Legal Complaint with a Supervisory Authority

Irrespective of any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data concerning you violates the GDPR.
The supervisory authority with which the complaint has been filed shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

The supervisory authority responsible for Hamm-Lippstadt University of Applied Sciences is the State Commissioner for Data Protection and Freedom of Information (NRW).