# Privacy policy concerning the General Data Protection Regulation (GDPR)

# I. Name and address of the responsible persons

Regarding the GDPR, other national privacy policies of the Member States and any other data protection regulations those responsible are:

Universität zu Lübeck
Prof. Dr. med. Gabriele Gillessen-Kaesbach - President -
Ratzeburger Allee 160
23562 Lübeck
Germany
Tel.: +49 451 3101 1000
E-Mail: praesidentin[AT]uni-luebeck.de
Website: www.uni-luebeck.de

represented by

Univ.-Prof. Dr. rer. nat. Michael Herczeg
Institut für Multimediale und Interaktive Systeme (IMIS)
Ratzeburger Allee 160
23562 Lübeck
Germany
Tel.: +49 451 3101 5101
E-Mail: office[AT]imis.uni-luebeck.de
Website: www.imis.uni-luebeck.de

# II. Name and address of the data protection officer

The data protection officer being responsible is:

Dr. phil. Stefan Braun
Ratzeburger Allee 160
23562 Lübeck
Germany
Tel.: +49 451 3101 1000
E-Mail: datenschutz[AT]uni-luebeck.de
Website: www.uni-luebeck.de

# III. General Information about data processing

# 1. Scope of the personal data processing

Basically we process our users' personal data only in regards to providing a functioning website and in the scope of our contents and services. The periodical processing of our users' personal data is being conducted only after obtaining the users' consent. An exception is granted in cases where actual reasons prohibit the prior obtaining of consent and the data processing is permitted through legal regulations.

Insofar as we obtain the consent of the person concerned to process personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) is used as legal basis. In the processing of personal data necessary for the performance of a contract of which the data subject is a party, Art. 6 para. 1 lit. b GDPR is used as legal basis. This also applies to processing operations required to carry out pre-contractual measures. Insofar as processing of personal data is required to fulfill a legal obligation that is subject to our university, Art. 6 para. 1 lit. c GDPR is used as legal basis. In the event that vital interests of the person concerned or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR is used as legal basis.

# 3. Data erasure and storage duration

The personal data of the person concerned will be deleted or blocked as soon as the purpose of the storage is needless. In addition, data may be stored if provided for by the European or national legislator in EU regulations, laws or other regulations to which the controller is subject. A blocking or deletion of the data takes place even if a storage period prescribed by the mentioned standards expires, unless there is a need for further storage of the data for a conclusion of contract or a fulfillment of the contract.

# IV. Provision of the website and creation of log files

# 1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.

The following data is collected here:

  • Information about the browser type and version used
  • Operating system of the user
  • IP address of the user
  • HTTP status code
  • Base URL
  • Number of transmitted bits
  • Date and time of access
  • User names for authoritative services
  • Websites from which the system of the user came to our website (Matomo, formerly PIWIK)
  • Websites that are accessed by the user's system through our website (Matomo)

The data is also stored in the log files of our system. A storage of this data together with other personal data of the user does not take place.

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR.

# 3. Purpose of data processing

Storage in log files is done to ensure the functionality of the website. In addition, the data is used to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context.

For these purposes, our legitimate interest lies in the processing of data according to Art. 6 para. 1 lit. f GDPR.

# 4. Duration of storage

In the case of storing the data in log files, this is the case after no more than seven days. An additional storage is possible. In this case, the IP addresses of the users are deleted or alienated, so that an connection to the calling client is no longer possible.

# 5. Possibility of opposition and removal

The collection of the data for the provision of the website and the storage of the data in log files is essential for the operation of the website. There is consequently no possibility of contradiction on the part of the user.

# V. Usage of cookies

# 1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or the Internet browser on the user's computer system. When a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string that allows the browser to be uniquely identified when the website is reopened.

We use cookies to make our website more user-friendly. Some elements of our website require that the calling browser be identified even after a page break. LogIn information is stored and transmitted in the cookies.

In addition, we use cookies on our website that allow an analysis of users' browsing behavior. In this way, the following data can be transmitted:

  • Entered search terms
  • frequency of page views
  • Use of website functions

The data of the users collected in this way are pseudonymised by technical precautions. Therefore, an assignment of the data to the calling user is no longer possible. The data will not be stored together with other personal data of the users.

When accessing our website, users will be informed by an information banner about the use of cookies for analysis purposes and referred to this privacy policy. In this context, there is also an indication of how the storage of cookies in the browser settings can be prevented.

The legal basis for the processing of personal data using cookies is Article 6 (1) lit. f GDPR

# 3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some features of our website can not be offered without the use of cookies. For these, it is necessary that the browser is recognized even after a page break. To log in to the Content Management System we need cookies.

The user data collected by technically necessary cookies will not be used to create user profiles. The use of the analysis cookies is for the purpose of improving the quality of our website and its contents. Through the cookies for analysis we learn how the website is used and so we can constantly optimize our offer. We are particularly interested in this:

  • The geographic reach of our website
  • How often our website is referenced by external websites
  • Popular content on our website

For these purposes lies our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f GDPR.

# 4. Duration of storage, objection and disposal options

Cookies are stored on the computer of the user and transmitted by this on our side. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.

# VI. Newsletter

# 1. Description and scope of data processing

On our website you can subscribe to a free newsletter. At the registration for the newsletter, the data from the input mask are transmitted to us. In addition, the following data will be collected upon registration:

  • Date and time of registration
  • Salutation
  • Title
  • First and Last Name
  • E-mail address

In connection with the processing of data for the sending of newsletters, there is no disclosure of the data to third parties. The data will be used exclusively for sending the newsletter.

After the user has registered for the newsletter and given that the user's consent is granted legal basis for the data processing is pursuant to Art. 6 para. 1 lit. a GDPR.

# 3. Purpose of data processing

The collection of the user's e-mail address serves to deliver the newsletter. The collection of other personal data as part of the registration process is intended to prevent misuse of the services or the e-mail address used.

# 4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. The user's e-mail address will be saved as long as the subscription to the newsletter is active.

# 5. Possibility of opposition and removal

Subscription to the newsletter may be terminated at any time by the user concerned. For this purpose, there is a corresponding link in each newsletter.

# VII. Contact form and e-mail contact

# 1. Description and scope of data processing

On our website a contact form is available, which can be used for electronic contact. If a user realizes this possibility, the data entered in the input mask is transmitted to us and stored. At the time the message is sent, the date and time are also saved.

For the processing of the data, your consent is obtained during the sending process and reference is made to this privacy policy.

Alternatively, contact via the provided e-mail address is possible. In this case, the user's personal data transmitted by e-mail will be stored.

There is no disclosure of data to third parties in this context. The data is used exclusively for processing the conversation.

In the presence of the user's consent Art. 6 para. 1 lit. a GDPR suits as legal basis for the data processing.

The legal basis for the processing of the data transmitted in the course of sending an e-mail is Art. 6 para. 1 lit. f GDPR. If the e-mail contact aims to conclude a contract, then additional legal basis for the processing is Art. 6 para. 1 lit. b GDPR.

# 3. Purpose of data processing

The processing of the personal data from the input mask only serves us to process the contact. In the case of contact via e-mail, this also includes the necessary legitimate interest in the processing of the data. The other personal data processed during the sending process serve to prevent misuse of the contact form and to ensure the security of our information technology systems.

# 4. Duration of storage

The data will be deleted as soon as it is no longer necessary to achieve the purpose of its collection. For the personal data from the input form of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation ends when it can be inferred from the circumstances that the facts are finally clarified.

The additional personal data collected during the sending process will at the latest be deleted after a period of seven days.

# 5. Possibility of opposition and removal

The user has the opportunity to revoke his consent to the processing of personal data at any time. If the user contacts us by e-mail, he may object to the storage of his personal data at any time. In such a case, the conversation can not continue.

All personal data stored in the course of contacting will be deleted in this case.

# VIII. Web analysis by Matomo (formerly PIWIK)

# 1. Extent of processing of personal data

To analyze the surfing behavior of the users on our website we use the open-source software tool Matomo (formerly PIWIK). The software sets a cookie on the computer of the users (for cookies see above). If individual pages of our website are called, the following data is stored:

  • Two bytes of the IP address of the user's calling system
  • The website called
  • The website from which the user came to the accessed website (referrer)
  • The subpages that are called from the called web page
  • The length of stay on the website
  • The frequency of calling the webpage

The software runs exclusively on the servers of our website. A storage of the personal data of the users takes place only there. A transfer of the data to third parties does not take place. The software is set so that the IP addresses are not completely stored but 2 bytes of the IP address are masked (eg 192.168.xxx.xxx). In this way, an assignment of the shortened IP address to the calling computer is no longer possible

The legal basis for the processing of users' personal data is Article 6 (1) lit. f GDPR

# 3. Purpose of data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. By analyzing the obtained data, we are able to compile information about our website's usage of the individual components. This helps us to constantly improve our website and its user-friendliness. For these purposes, our legitimate interest lies in the processing of data according to Art. 6 para. 1 lit. f GDPR. The anonymisation of the IP address sufficiently takes into account the interest of users in their protection of personal data.

# 4. Duration of storage

The data will be deleted as soon as it is no longer needed for our recording purposes. This is the case with us after one month.

# 5. Possibility of opposition and removal

Cookies are stored on the user's computer and transmitted by this on our side. Therefore, as a user, you have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the transmission of cookies. Already saved cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, it may not be possible to use all the functions of the website to the full.

We offer our users the option of opting out of the analysis process on our website. For this you must follow the given link. In this way, another cookie is set on your system signaling our system not to store the user's data. If the user in the meantime deletes the corresponding cookie from his own system, he must set the opt-out cookie again.

For more information on Matomo Software's privacy settings, please visit https://matomo.org/docs/privacy/.

# IX. Rights of the data subject

If personal data is processed by you, you are data subject regarding the GDPR and you have the following rights to the responsible person:

# 1. Right to information

You may ask the person in charge to confirm if personal data concerning you is processed by us. If such processing is available, you can request information from the person responsible about the following issues:

  • the purposes for which the personal data is being processed;
  • the categories of personal data that is being processed;
  • the recipients or the categories of recipients to whom the personal data relating to you have been or will be disclosed;
  • the planned duration of the storage of your personal data or, if specific information is not available, criteria for determining the duration of storage;
  • the right of rectification or erasure of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to such processing;
  • the existence of a right of appeal to a supervisory authority;
  • all available information on the source of the data if the personal data are not collected from the data subject;
  • the existence of automated decision-making including profiling under Article 22 (1) and (4) GDPR and
  • at least in these cases, meaningful information about the logic involved and the scope and intended impact of such processing on the data subject.

You have the right to request information about whether the personal data relating to you are transferred to a third country or an international organization. In this regard, you can request the appropriate warranties in accordance with. Art. 46 GDPR to be informed in connection with the transfer.

In the case of data processing for scientific, historical or statistical research purposes, this right of access may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes

# 2. Right to rectification

You have a right to rectification and / or completion to the person in charge, if the personal data you process is incorrect or incomplete. The person in charge must make the correction without delay.

In the event of data processing for scientific, historical or statistical research purposes, your right of rectification may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

# 3. Right to restriction of processing

Under the following conditions you may request the restriction of the processing of your personal data:

  • if you contest the accuracy of your personal information for a period of time that enables the controller to verify the accuracy of your personal information;
  • the processing is unlawful and you refuse to delete the personal data and instead request the restriction of the use of personal data;
  • the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
  • if you have filed an objection against the processing under Art. 21 (1) GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data may only be used with your consent or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for reasons of important public interest Union or a Member State.

If the restriction on processing has been restricted in accordance with the above conditions, you will be notified by the person responsible before the restriction is lifted.

Their right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

# 4. Right to delete

a) Deletion obligations

You may require the controller to delete your personal information without delay, and the controller is required to delete that information immediately if one of the following is true:

  • Your personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You revoke your consent, to which the processing acc. Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR and there is no other legal basis for the processing.
  • In accordance with Article 21 (1) of the GDPR, you object to the processing and there are no prior justifiable grounds for processing, or you object to the processing in accordance with Article 21 (2) GDPR.
  • Your personal data has been processed unlawfully.
  • The deletion of personal data concerning you is required to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
  • The personal data concerning you were collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.

b) Information to third parties

If the person responsible has made public the personal data relating to you and is obliged to delete them in accordance with Art. 17 (1) GDPR, taking due account of the available technology and the implementation costs, he shall take appropriate measures, including technical ones, for data controllers, who are processing the personal data, informing you, as the data subject, that you have requested the deletion of all links to such personal data or copies or replications of such personal data. c) Exceptions

The right to erasure does not exist if the processing is necessary

  • to exercise the right to freedom of expression and information;
  • to fulfill a legal obligation required by the law of the Union or of the Member States to which the controller is subject, or to carry out a task which is in the public interest or in the exercise of official authority conferred on the controller;
  • for reasons of public interest in the field of public health pursuant to Art. 9 (2) lit. h and i and Art. 9 (3) GDPR;
  • for archival purposes of public interest, for scientific or historical research purposes or for statistical purposes acc. Article 89 (1) GDPR, to the extent that the law referred to in subparagraph (a) is likely to render impossible or seriously affect the achievement of the objectives of that processing, or
  • to assert, exercise or defend legal claims.

# 5. Right to information

If you have asserted the right of rectification, erasure or restriction of processing to the controller, the latter is obliged to notify all recipients to whom your personal data have been disclosed of this correction or deletion of the data or restriction of processing except this proves to be impossible or is associated with a disproportionate effort.

You have the right to be informed about these recipients.

# 6. Right to data portability

ou provided to the controller in a structured, common and machine-readable format. You also have the right to transfer this data to another person without hindrance by the person responsible for providing the personal data, provided that

  • the processing is based on a consent in accordance with Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract pursuant to Art. 6 para. 1 lit. b GDPR and
  • the processing is done using automated procedures.

In exercising this right, you also have the right to obtain that personal data relating to you be transmitted directly from one controller to another, as far as technically feasible. Freedoms and rights of other persons may not be affected.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority delegated to the controller.

# 7. Right of objection

You have the right at any time, for reasons that arise from your particular situation, to prevent the processing of your personal data, which, pursuant to Art. 6 para. 1 lit. e or f GDPR takes an objection; this also applies to profiling based on these provisions.

The controller will no longer process the personal data concerning you unless he can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights and freedoms, or the processing is for the purposes of asserting, exercising or defending legal claims.

If the personal data relating to you are processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct mail.

If you object to the processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

In connection with the use of Information Society Services you have the option - notwithstanding Directive 2002/58 / EC - to exercise your right of objection by means of automated procedures that use technical specifications.

You also have the right, for reasons arising from your particular situation, to contradict the processing of personal data relating to you for scientific or historical research purposes or for statistical purposes according to Art. 89 para. 1 GDPR.

Their right of objection may be limited to the extent that it is likely to render impossible or seriously affect the realization of the research or statistical purposes and the restriction is necessary for the performance of the research or statistical purposes.

You have the right to revoke your data protection consent declaration at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent, until revocation.

# 9. Automated decision on a case-by-case basis, including profiling

You have the right not to be subjected to a decision based solely on automated processing - including profiling - that will have legal effect or affect you in a similar manner. This does not apply if the decision

  • is required for the conclusion or performance of a contract between you and the person responsible,
  • is permitted by Union or Member State legislation to which the Responsible Party is subject, and where such legislation contains appropriate measures to safeguard your rights and freedoms and your legitimate interests, or
  • with your express consent.

However, these decisions may not be based on special categories of personal data under Art. 9 (1) GDPR, unless Art. 9 (2) lit. a or g GDPR applies and reasonable measures have been taken to protect the rights and freedoms as well as your legitimate interests.

With regard to the cases mentioned in (1) and (3), the person responsible shall take appropriate measures to uphold the rights and freedoms and their legitimate interests, including at least the right to obtain the intervention of a person by the controller, to express his / her own position and heard on challenge of the decision.

# 10. Right to complain to a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to complain to a supervisory authority, in particular in the Member State of its place of residence, place of work or place of alleged infringement, if you believe that the processing of your personal data relates to you violates the GDPR. The supervisory authority to which the complaint has been submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

date: 05/29/2018