Go to main menu, to content, to homepage, to myHSHL

Your location: HSHL » University of Applied Sciences » Data Protection

Data Protection

Information on Data Protection

This data protection policy applies to the central part of Hamm-Lippstadt University of Applied Sciences’s webpages. Decentralized sites sometimes have different data protection conditions; these are stated there separately.

I. Name and Address of the Data Controller

The data controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:
Hamm-Lippstadt University of Applied Sciences
represented by the President
Marker Allee 76-78
59063 Hamm
Germany
Tel .: +49 (0) 2381 8789-0
Email: info@hshl.de
Website: www.hshl.de

II. Name and Address of the Data Protection Officer

The data protection officer of the data controller is:

Ellen Kortenbach (lawyer)
ppc Data GmbH
Dycker Feld 53
42653 Solingen
Email: dsb@hshl.de

The web server for Hamm-Lippstadt University of Applied Sciences is operated by ahd GmbH & Co. KG on behalf of Hamm-Lippstadt University of Applied Sciences.

III. General Information on Data Processing

1. Scope of Personal Data Processing

We only process personal data of our users to the extent that this is necessary for providing a functional website as well as our content and services. Collection and utilization of our users’ personal data is undertaken periodically only with the user’s consent. An exception applies in those cases where prior consent cannot be obtained for legal or factual reasons and the processing of the data is permitted by law.

2. Legal Basis for Processing Personal Data

Insofar as we obtain your consent for the processing of your personal data, Art. 6 para. 1 lit. a of the EU General Data Protection Regulation (GDPR) serves as the legal basis. For the processing of personal data necessary for fulfillment of a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for carrying out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which Hamm-Lippstadt University of Applied Sciences is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.
If the processing is necessary for the performance of a task that is in the public interest or takes place in the exercise of official authority that has been assigned to Hamm-Lippstadt University of Applied Sciences, Art. 6 para. 1 lit. e GDPR serves as the legal basis.
If processing is necessary to safeguard a legitimate interest of Hamm-Lippstadt University of Applied Sciences or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former, Art. 6 para. 1 lit. f GDPR serves as the legal basis. This does not apply if, in the said processing, Hamm-Lippstadt University of Applied Sciences is acting in the exercise of official authority.

3. Data Deletion and Storage Duration

The personal data of the data subject will be deleted or blocked as soon as the storage purpose no longer applies, unless there is another legal basis for further processing. In addition, the data may be stored if this has been provided for by the European or national legislators in EU regulations, laws, or other provisions to which the data controller is subject. Data will also be blocked or deleted if a storage period prescribed by the aforementioned regulations has elapsed, unless further storage of the data is necessary for the conclusion or fulfillment of a contract. If the processing is based on the consent of the data subject, the data will only be stored until the data subject revokes their consent, unless there is another legal basis for the processing.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Every time our website is visited, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected: date and time of access.

The data will be stored in the log files of our system. Data that are not affected by this are the user’s IP addresses or other data that would allow the user of the data to be identified. This data is not stored together with any other personal data of the user.

2. Legal Basis for Data Processing

The legal basis for temporary storage of the data is Art. 6 para. 1 lit. f GDPR.

3 Purpose of the Processing

The temporary storage of the IP address by the system is necessary to enable the delivery of the website to your computer. To do this, the user’s IP address must be stored for the duration of the session.

The data is stored in log files in order to ensure the website’s functionality. The data is also used to optimize the website and to ensure the security of our information technology systems. No evaluation of the data for marketing purposes is undertaken in this context.

These purposes also encompass our legitimate interest in data processing in accordance with Art. 6 para. 1 lit. f GDPR.

Duration of the Storage of Personal Data
The data is deleted when the respective session is ended.

If the data is stored in log files, it will be deleted, at the latest, within seven days. It may, however, be retained for a longer period. In this case, the user’s IP addresses will be deleted or anonymized in such a way that they can no longer be attributed to the accessing client.

4. Objection and Removal Options

The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no option for you to object to its collection and retention.

V. Statistical Collection, Matomo

1. Scope of Data Processing

We use the open-source software tool Matomo on our website to analyze users' browsing behavior. Data are collected and stored solely for statistical and optimization purposes. To this end, the generated usage information is transmitted to and stored on Matomo servers in Frankfurt am Main. The software runs exclusively on Matomo's servers, located in Frankfurt am Main. User data are stored only there. There is no transfer of the data to third parties. We use so-called "cookieless tracking" on our site.

Your IP address is anonymized and therefore cannot be traced back to you. The software is configured so that IP addresses are not stored in full; instead, two bytes of the IP address are masked. In this way, linking the shortened IP address to the requesting device is no longer possible. When individual pages of our website are accessed, the following data are stored:

  • two bytes of the IP address of the requesting user’s system
  • the webpage accessed
  • information about the browser type and version used
  • the user's operating system
  • the webpage from which the user reached the accessed webpage (referrer)
  • date and time of access
  • the subpages accessed from the accessed webpage
  • the time spent on the webpage
  • the frequency of visits to the webpage
  • websites that are accessed from the user's system via our website

2. Legal Basis for the Processing

The legal basis for processing users' personal data is Article 6(1)(f) GDPR.

3. Purpose of the Processing

Processing users' personal data enables us to analyze users’ browsing behavior. By evaluating the data collected, we can compile information about the usage of the individual components of our website. This helps us continuously improve our website and its user-friendliness.

When a webpage is requested, data about this process are stored. Specifically, these are the following pieces of information: page title, search term (that brought visitors to the page), search engines, page URL, number of pages visited, visitor location (country), provider, browser, operating system, screen resolution, browser plugins, visit times, visit duration, entry pages, exit pages, downloads, and referring websites.

4. Retention Period for Personal Data

Data are deleted or anonymized as soon as they are no longer needed for our recording purposes.

In our case, this is after 26 months. We compare user data semiannually and make a year‑over‑year comparison; the data we consider then go back about 18 months.

Data are deleted as soon as they are no longer needed for our recording purposes. Cookies are stored on users' devices and transmitted from there to our site. Therefore, you as a user have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it may no longer be possible to use all the website's functions fully.

5. Objection and Removal Options

Cookies are stored on users’ devices and transmitted from there to our site. Therefore, you as a user also have full control over the use of cookies. By changing the settings in your web browser, you can disable or restrict the transmission of cookies. Cookies already stored can be deleted at any time. This can also be done automatically. If cookies for our website are disabled, it may no longer be possible to use all the website’s functions fully.

VI. Use of Cookies

On the central pages of Hochschule Hamm-Lippstadt (www.hshl.de), no cookies are currently used beyond those required for Matomo web analytics.

VII. Open Street Map

This site uses the open-source mapping tool "OpenStreetMap" (OSM) via an API. The provider is the OpenStreetMap Foundation. In order to use the features of OpenStreetMap it is necessary to save your IP address. This information is generally transmitted to an OpenStreetMap server and stored there. The provider of this site has no influence on this data transfer. The use of OpenStreetMap is in the interest of an appealing presentation of our website and facilitates the location of the places we specify on the website. This constitutes a legitimate interest in accordance with Art. 6 para. 1 lit. f GDPR. More information on the handling of user data can be found here: https://wiki.osmfoundation.org/wiki/Privacy_Policy

VIII. Use of YouTube Videos

We offer our website users the opportunity to watch selected videos from YouTube directly on the site. To protect user data, a connection to YouTube is only established once the link is clicked on and the video starts. Only then will data be sent to the provider. As long as the link is not clicked on, no data will be exchanged between the user and YouTube. Information about the collection and use of your data on YouTube can be found here: https://policies.google.com/privacy?hl=de&gl=de

IX. Use of Vimeo Videos

We offer our website users the opportunity to watch selected videos from Vimeo directly on the site. To protect user data, a connection to Vimeo is only established once the link is clicked on and the video starts. Only then will data be sent to the provider. As long as the link is not clicked on, no data will be exchanged between the user and Vimeo. Information about the collection and use of your data on Vimeo can be found here: https://vimeo.com/privacy

X. Job portal by IQB Career Services GmbH

On our job portal page we offer users the ability to filter jobs directly and view current job openings. To this end, the page includes an interface to IQB Career Service GmbH. Further information can be found here: https://iqb.de/datenschutz/

XI. Job Listings - BITE

On our job listings page we offer users the ability to view current job openings. To this end, the page includes an interface to BITE GmbH. Further information can be found here: https://www.b-ite.de/legal-notice.html

XII. Use of podcast content via Podigee

On our website we offer users the option to play selected podcasts from Podigee directly on the page. To protect users’ data, a connection to Podigee is only established and the podcast only starts after a link is clicked. Only then are data transmitted to the provider. If you do not click the link, no exchange takes place between users and Podigee. Information about the collection and use of your data by Podigee can be found here: https://www.podigee.com/de/ueber-uns/datenschutz/

XIII. Use of a chatbot via Userlike

HSHL uses chat software from Userlike UG (limited liability), Probsteigasse 44–46, 50670 Cologne, Germany. The chat can be used like a contact form to chat with our staff in near real time. The following personal data are collected when the chat is started:

date and time of the access
browser type / version
IP address
operating system used
URL of the previously visited webpage
amount of data transmitted
And, if provided: first name, last name, and e‑mail address.
Depending on the course of the conversation with our staff, further personal data may be entered in the chat by users. The nature of these data strongly depends on the inquiry or the problem described. The processing of all these data serves to provide a quick and efficient contact option and thus to improve our customer service.

When the website www.hshl.de is accessed, the chat widget is loaded as a JavaScript file from AWS CloudFront. The chat widget technically constitutes the source code that is executed on users’ computers and enables the chat.

In addition, HSHL stores chat histories for a period of three months. This serves to spare users from having to repeatedly provide extensive explanations of the history of an inquiry and for ongoing quality control of our chat offering. The processing is therefore permitted under Article 6(1)(f) GDPR. If this is not desired, you may notify us using the contact details given above. Stored chats will then be deleted immediately.

The storage of chat data also serves to ensure the security of our information technology systems. This constitutes our legitimate interest, which is why the processing is permissible under Article 6(1)(f) GDPR.

Further information can be found in the privacy policy of Userlike UG (haftungsbeschränkt): http://www.userlike.com/terms#privacy-policy.

XIV. Instagram

On our website we offer users the option to view selected Instagram posts directly on the page. To protect users’ data, a connection to Instagram is only established and data are only transmitted to the provider after a link is clicked. If you do not click the link, no exchange takes place between users and Instagram. Information about the collection and use of your data by Instagram can be found here: https://help.instagram.com/155833707900388

XVI. TikTok

On our website we offer users the option to view selected TikTok posts directly on the page. To protect users’ data, a connection to TikTok’s servers is established only after actively clicking a preview image or link.

Only through this deliberate action are data (including your IP address and information about the page visited) transmitted to the provider TikTok (TikTok Technology Limited, Ireland / TikTok Inc., USA). If you do not click the link or activate the video preview, no data exchange takes place between users and TikTok.

Information about the collection and use of your data by TikTok and your related rights can be found in TikTok’s privacy policy: https://www.tiktok.com/legal/page/eea/privacy-policy/de

XV. WhatsApp Channel

For the operation of our WhatsApp channel we use the services of WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland (“WhatsApp”). Please note that you use the interactive features of the WhatsApp channel at your own responsibility. This applies in particular to using interactive functions (e.g., commenting, liking). Alternatively, you can also access the information directly on our website under International Office » Hochschule Hamm‑Lippstadt.

According to WhatsApp, other subscribers cannot see whether you have subscribed to a channel or interact with it. This applies to both the name and the phone number and the profile picture. Further information on data protection can be found in WhatsApp’s help section.

The legal basis for this processing is Article 6(1)(a) GDPR. You gave your consent by “subscribing” to the WhatsApp channel. You can withdraw your consent at any time by unsubscribing.

Which user data WhatsApp collects, to what extent WhatsApp stores data, and how it subsequently uses data for its own purposes is not clearly traceable. We also do not have access to the data collected or to your profile data. Information about data collection and further processing by WhatsApp can also be found in:

WhatsApp Privacy Policy.

WhatsApp Channels Privacy Policy.

When using this platform, WhatsApp also collects, among other things, the following data: the computer system used, browser type and version, IP address, processor type. It is possible that WhatsApp processes the obtained data outside the scope of the GDPR. Details about which data WhatsApp processes and for what purposes can be found in the options to limit the processing of your data available in the general settings of your WhatsApp account under “Privacy and Security.” In addition, on mobile devices (smartphones, tablets) you can restrict WhatsApp’s access to contacts and calendar data, photos, location data, etc., via the device’s settings; this depends on the operating system used.

Rights of the Data Subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and you have the following rights with respect to us as the data controller:

1. Right to Information

You can request that we confirm whether we are processing or have processed personal data concerning you.If this is the case, you can request the following information from the data controller:
(1) the purposes for which the personal data are processed;
(2) the categories of personal data that are processed;
(3) the recipients or the categories of recipients to whom the personal data relating to you have been disclosed or are still being disclosed;
(4) the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
(5) the existence of a right to correction or deletion of your personal data, a right to restrict processing by the data controller or a right to object to this processing;
(6) the right to file a complaint with a supervisory authority;
(7) all available information about the origin of the data if the personal data are not collected from the data subject;
(8) the existence of automated decision-making including profiling in accordance with Art. 22 para. 1 and 4 GDPR and – at least in these cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject.

You have the right to request information regarding whether your personal information will be transmitted to a non-EU country or an international organization. In this respect, you can request the appropriate guarantees in connection with the transmission in accordance with Art. 46 GDPR.

2. Right to Correction

You have a right to correct and/or add to the personal data concerning you held by the data controller if it is incorrect or incomplete. The data controller is required to make the correction immediately.

3. Right to Restriction of Processing

You can request that the processing of your personal data be restricted under the following conditions:
(1) if you dispute the accuracy of the personal data concerning you for a time period that enables the data controller to check the accuracy of the personal data;
(2) the processing is unlawful and you refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
(3) the data controller no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
(4) if you have filed an objection to the processing in accordance with Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate reasons of the data controller to process your data outweigh your reasons. If the processing of personal data concerning you has been restricted, such data may be processed – with the exception of their storage – only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the data processing has been restricted in accordance with the conditions listed above, you will be informed by the data controller before the restriction is lifted.

4. Right to Deletion

a) Obligation to Delete
You can request that the data controller delete the personal data relating to you immediately, and the data controller is obliged to delete this data immediately if one of the following reasons applies:
(1) The personal data relating to you are no longer necessary for the purposes for which they were collected or otherwise processed.
(2) You revoke your consent upon which its processing was based in accordance with Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for its continued processing.
(3) You object to its processing in accordance with Art. 21 para. 1 GDPR and there are no overriding legitimate grounds for its continued processing; or you submit an objection to its processing according to Art. 21 para. 2 GDPR.
(4) Your personal data has been processed unlawfully.
(5) The deletion of personal data concerning you is required in order to comply with legal obligations according to EU law or national law of the Member States to which the data controller is subject.
(6) The personal data concerning you was provided in connection with services offered by an information company per Art. 8 para. 1 GDPR.

b) Information to Third Parties
If the data controller has made the personal data concerning you public and is obligated to delete it according to Art. 17 para. 1 GDPR, the data controller will take appropriate measures, including those of a technical nature, while taking into account available technology and implementation costs, to inform the data controllers who are processing the personal data that you as the data subject have requested that they delete all links to this personal data or copies or replications of this personal data.

c) Exceptions
The right to deletion does not exist if the processing is necessary
(1) to exercise the right to freedom of expression and information;
(2) to fulfill a legal obligation that requires processing under the law of the Union or of the Member States to which the data controller is subject, or to perform a task that is in the public interest or in the exercise of official authority that has been transferred to the data controller;
(3) for reasons of public interest in the area of public health in accordance with Art. 9 para. 2 lit. h and i, as well as Art. 9 para. 3 GDPR;
(4) for archiving, scientific or historical research purposes in the public interest or for statistical purposes in accordance with Art. 89 para. 1 GDPR, to the extent that the law referred to in section a) is likely to render impossible or seriously compromise the attainment of the objectives of such processing, or
5) to assert, exercise or defend legal claims.

5. Right to Be Informed

If you have asserted to the data controller the right to have your data corrected, deleted or to restrict its further processing, they are obliged to inform all recipients to whom the personal data concerning you has been disclosed of this correction or deletion of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed about these recipients by the data controller.

6. Right to Data Portability

You have the right to obtain a copy of the personal data that the data controller has on file about you in a structured, commonly used, machine-readable format. In addition, you have the right to transfer this data to another data controller without hindrance from the data controller to whom the personal data was provided, provided that
(1) the processing is based on consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on the basis of a contract in accordance with Art. 6 para. 1 lit. b GDPR and
(2) the processing is carried out using automated procedures.

In exercising this right, you also have the right to have the data controller transfer the personal data they have on file about you directly to another data controller if this is technically feasible. This action must not affect the freedoms and rights of other persons.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority which was conferred on the data controller.

7. Right to Objection

You have the right, for reasons arising from your specific situation, to object to the processing of personal data concerning you at any time, which is carried out in accordance with Art. 6 para. 1 lit. e or f GDPR; the same applies to profiling based on these provisions.The data controller will no longer process the personal data relating to you unless they can prove a compelling, legitimate reason for this which outweighs your interests, rights, and freedoms or the processing serves to assert, exercise, or defend legal claims.

In the context of the use of information company services  – notwithstanding Directive 2002/58/EC – you may exercise your right to object using an automated process involving the use of technical specifications.

8. Right to Revoke the Declaration of Consent Under Data Protection Law

You have the right to revoke your declaration of consent under data protection law at any time. This revocation will not affect the lawfulness of any processing done beforehand.

9. Right to File a Legal Complaint with a Supervisory Authority

Irrespective of any other administrative or judicial remedy, you have the right to file a complaint with a supervisory authority, in particular in the Member State where you reside, work or where the infringement is suspected, if you believe that the processing of personal data concerning you violates the GDPR.
The supervisory authority with which the complaint has been filed shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.

The supervisory authority responsible for Hamm-Lippstadt University of Applied Sciences is the State Commissioner for Data Protection and Freedom of Information (NRW).

Top