Table of Contents
Data protection
Name and address of the data controller
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU) is responsible for this websites within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws as well as other data protection regulations. It is legally represented by its President. For contact details, please consult the legal notice on FAU’s central website.
The respective FAU institutions are responsible for any content they make available on the websites of Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU). For questions related to specific content, please contact the person responsible as named in the legal notice on the respective web page.
Name and address of the Data Protection Officer
Norbert Gärtner, RD
Postanschrift: Schloßplatz 4
91054 Erlangen
Phone number: +49 9131 85-25860
Email: norbert.gaertner@fau.de
E-mail: datenschutzbeauftragter@fau.de
General information on data processing
Scope of processing of personal data
We only process our users’ personal data to the extent necessary to provide services, content and a functional website. As a rule, personal data are only processed after the user gives their consent. An exception applies in those cases where it is impractical to obtain the user’s prior consent and the processing of such data is permitted by law.
Legal basis for the processing of personal data
Art. 6 (1) (a) of the EU General Data Protection Regulation (GDPR) forms the legal basis for us to obtain the consent of a data subject for their personal data to be processed. When processing personal data required for the performance of a contract in which the contractual party is the data subject, Art. 6 (1) (b) GDPR forms the legal basis. This also applies if data has to be processed in order to carry out pre-contractual activities. Art. 6 (1) © GDPR forms the legal basis if personal data has to be processed in order to fulfil a legal obligation on the part of our organisation. Art. 6 (1) (d) GDPR forms the legal basis in the case that vital interests of the data subject or another natural person make the processing of personal data necessary. If data processing is necessary in order to protect the legitimate interests of our organisation or of a third party and if the interests, basic rights and fundamental freedoms of the data subject do not outweigh the interests mentioned above, Art. 6 (1) (f) GDPR forms the legal basis for such data processing.
Deletion of data and storage period
The personal data of the data subject are deleted or blocked as soon as the reason for storing them ceases to exist. Storage beyond this time period may occur if provided for by European or national legislators in directives under Union legislation, laws or other regulations to which the data controller is subject. Such data are also blocked or deleted if a storage period prescribed by one of the above-named rules expires, unless further storage of the data is necessary for entering into or performing a contract.
Provision of the website and generation of log files
Description and scope of data processing
Each time our website is accessed, our system automatically collects data and information from the user’s computer system. In this context, the following data are collected:
- Address (URL) of the website from which the file was requested
- Name of the retrieved file
- Date and time of the request
- Data volume transmitted
- Access status (file transferred, file not found, etc.)
- Description of the type of web browser and/or operating system used
- Anonymised IP address of the requesting computer
The data stored are required exclusively for technical or statistical purposes; no comparison with other data or disclosure to third parties occurs, not even in part. The data are stored in our system’s log files. This is not the case for the user’s IP addresses or other data that make it possible to assign the data to a specific user: before data are stored, each dataset is anonymised by changing the IP address. These data are not stored together with other personal data .
Legal basis for data processing
The legal basis for the temporary storage of data and log files is Art. 6 (1) (f) GDPR.
Purpose of data processing
The temporary storage of the IP address by the system is necessary in order to deliver the website to the user’s computer. For this purpose, the user’s IP address must remain stored for the duration of the session. The storage of such data in log files takes place in order to ensure the website’s functionality. These data also serve to help us optimise the website and ensure that our IT systems are secure. They are not evaluated for marketing purposes in this respect. The purposes stated above constitute our legitimate interests in processing data in accordance with Art. 6 (1) (f) GDPR.
Storage period
Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected. If data have been collected for the purpose of providing the website, they are deleted at the end of the respective session. If data are stored in log files, they are deleted at the latest after seven days. A longer storage period is possible. In this case, the users’ IP addresses are deleted or masked so that they can no longer be assigned to the client accessing the website.
Options for filing an objection or requesting removal
The collection of data for the purpose of providing the website and the storage of such data in log files is essential to the website’s operation. As a consequence, the user has no possibility to object.
Use of cookies
Description and scope of data processing
Our website uses cookies. Cookies are text files that are saved in the user’s web browser or by the web browser on the user’s computer system. When a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a character string that allows the unique identification of the browser when the website is accessed again.
We use cookies to make our website more user-friendly. Some parts of our website require that the requesting browser can also be identified after changing pages. During this process, the following data are stored in the cookies and transmitted:
- Log-in information (only in the case of protected information that is made available exclusively to FAU members)
- Search preferences (from October 2018)
Technical measures are taken to pseudonymise user data collected in this way. This means that the data can no longer be assigned to the user. The data are not stored together with other personal data of the user. When accessing our website, a banner informs users that cookies are used for analysis purposes and makes reference to this data protection policy. In connection with this, users are also instructed how they can block the storage of cookies in their browser settings.
Legal basis for data processing
The legal basis for the processing of personal data with the use of cookies is Art. 6 (1) (f) GDPR.
Purpose of data processing
Analysis cookies are used for the purpose of improving the quality of our website and its content. We learn through the analysis cookies how the website is used and in this way can continuously optimise our web presence. These purposes also constitute our legitimate interests in the processing of personal data in accordance with Art. 6 (1) (f) GDPR.
Storage period, options for filing an objection or requesting removal
As cookies are stored on the user’s computer and are transmitted from it to our website, users have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your web browser. Cookies that are already stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may be the case that not all of the website’s functions can be used in full.
Contact form and contact by e-mail
Description and scope of data processing
Contact forms are available on our website that can be used to contact us electronically. If a user makes use of this possibility, the data they enter in the input form are transmitted to us and stored. The contact forms list and explain which data is required. The contact forms indicate if there are any deviations from or additions to the principles, purpose and duration of storage as presented here.
Legal basis for data processing
Once the user has granted consent, the legal basis for data processing is Art. 6 (1) (a) GDPR.
The legal basis for the processing of data transmitted by e-mail is Art. 6 (1) (f) GDPR. If the purpose of the e-mail contact is to enter into a contract, the additional legal basis for data processing is Art. 6 (1) (b) GDPR.
Purpose of data processing
The personal data from the input form are processed solely for the purpose of contacting the user. If the user contacts us by e-mail, this also constitutes our legitimate interests in processing the data. All other personal data processed during the dispatch of an e-mail serve to prevent misuse of the contact form and to ensure that our IT systems are secure.
Storage period
Data are deleted as soon as they are no longer necessary for fulfilling the purpose for which they were collected. This is the case for the personal data from the input template of the contact form and those data sent by e-mail when the respective conversation with the user has ended. The conversation is regarded to have ended when it can be seen from the circumstances that the subject matter in question has been conclusively settled.
Options for filing an objection or requesting removal
Users can withdraw their consent for the processing of their personal data at any time. If the user contacts us by email, they may withdraw their consent for the storage of their personal data at any time. In such cases, the conversation cannot continue and all personal data which were stored when contact was made are deleted.
SSL encryption
Our website uses SSL encryption for security reasons and to protect the transmission of confidential information, for example enquiries you send to us as operators of the website. You can recognise an encrypted connection when the browser’s address line changes from ‘http://’ to ‘https://’ and a padlock appears in your web browser.
If SSL encryption is activated, the data you transmit to us cannot be read by third parties.
Rights of the data subject
If any of your personal data are processed, you are considered a data subject within the meaning of the GDPR and have the following rights:
Right to information
You have the right to obtain confirmation from the data controller as to whether or not we are processing personal data that concern you. If your data are being processed, you have the right to request the following from the data controller:
- The purposes for which your personal data are processed
- The categories of personal data processed
- The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
- The planned storage period for the personal data concerning you or, if details cannot be provided, the criteria used to determine the storage period
- The right to rectification or erasure of the personal data concerning you, a right to limitation of processing by the data controller or a right to object to such processing
- The right to lodge a complaint with a supervisory authority
- All available information on the source of the data if the personal data are not collected from the data subject
- Information on automated decision-making processes, including profiling, in accordance with Art. 22 (1) and (4) GDPR and – at least in these cases – authoritative information on the logic involved as well as the scope and intended effects of such processing for the data subject.
You have the right to request information as to whether the personal data concerning you are transmitted to a third country or to an international organisation. In this context, you can request that you are informed of the appropriate safeguards in accordance with Art. 46 GDPR in connection with the transmission of such data.
This right to information can be restricted if granting a right to information is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and restricting the right to information is necessary to achieve the required research or statistical purposes.
Right to restriction of processing
You may request that the processing of personal data concerning you is restricted in the event that one of the following applies:
- You contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of such personal data
- The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use.
- The data controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims.
- You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, whilst such data may be stored, they may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the restriction of processing has been restricted in accordance with the above conditions, the data controller will inform you before the restriction is lifted.
Your right to restriction of processing can be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and this restriction is necessary for achieving the required research or statistical purposes.
Right to rectification
You have the right to obtain from the data controller the rectification and/or completion of personal data concerning you if the data processed are inaccurate or incomplete. The data controller must rectify such data without delay.
Your right to rectification can be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and restricting the right to rectification is necessary for achieving the required research or statistical purposes.
Right to restriction of processing
You may request that the processing of personal data concerning you is restricted in the event that one of the following applies:
- You contest the accuracy of the personal data concerning you for a period that enables the data controller to verify the accuracy of such personal data - The processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of their use. - The data controller no longer requires the personal data for the purposes of processing, but you need them in order to assert, exercise or defend legal claims. - You have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been established whether the legitimate reasons of the data controller outweigh your reasons.
If the processing of personal data concerning you has been restricted, whilst such data may be stored, they may only be processed with your consent or for the purpose of asserting, exercising or defending legal claims or for protecting the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State. If the restriction of processing has been restricted in accordance with the above conditions, the data controller will inform you before the restriction is lifted.
Your right to restriction of processing can be restricted insofar as it is likely to render impossible or seriously impair the research or statistical purposes for which the data is required and this restriction is necessary for achieving the required research or statistical purposes.
Right to erasure
Duty to erase
You may request that the data controller erase without delay personal data concerning you and the data controller is obliged to erase these data without delay in the event that one of the following applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You withdraw your consent on which the processing was based in accordance with Art. 6 (1) (a) or Art. 9 (2) (a) GDPR and there is no other legal basis for the processing.
- You object to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate reasons for the processing or you object to the processing in accordance with Art. 21 (2) GDPR.
- The personal data concerning you have been processed unlawfully.
- The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union or Member State law to which the data controller is subject.
- The personal data concerning you have been collected in relation to information society services in accordance with Art. 8 (1) GDPR.
Obligation to inform third parties
If the data controller has made the personal data concerning you public and is obliged to erase them in accordance with Art. 17 (1) GDPR, he or she will take reasonable steps, including technical measures and taking into account the available technology and the cost of implementation, to inform data controllers responsible for processing such personal data that you as data subject have requested the erasure by such controllers of any links to, or copy or replication of, these personal data.
Exceptions
The right to erasure does not apply insofar as the processing is necessary:
- To exercise the right to freedom of expression and information
- To fulfil a legal obligation which requires processing in accordance with Union or Member State law to which the data controller is subject or for the performance of a task in the public interest or in the exercise of official authority vested in the data controller
- For reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) and Art. 9 (3) GDPR
- For archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes in accordance with Article 89 (1) GDPR insofar as the right referred to in the section on ‘Duty to erase’ is likely to render impossible or seriously impair the achievement of the objectives of such processing.
- For asserting, exercising or defending legal claims
Right to notification
If you have exercised your right to have the data controller rectify, erase or restrict the processing of personal data concerning you, he or she is obliged to inform all recipients to whom such data have been disclosed of their rectification or erasure or of the restriction of processing, unless this proves impossible or involves disproportionate effort. You have the right to be informed of these recipients.
Right to data portability
You have the right to receive the personal data concerning you that you have made available to the data controller in a structured, common and machine-readable format. You also have the right to pass these data to another data controller without hindrance from the data controller to whom they were made available provided that:
- The processing is based on consent in accordance with Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract in accordance with Art. 6 (1) (b) GDPR.
- The processing takes place with the help of automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one data controller to another insofar as this is technically feasible. This must not compromise the freedoms and rights of other persons. The right to data portability does not apply for the processing of personal data necessary for the performance of a task in the public interest or in the exercise of official authority vested in the data controller.
Right to object
You have the right, on grounds arising out of your particular situation, to object at any time to the processing of personal data concerning you that occurs on the basis of Art. 6 (1) (e) or (f) GDPR; this also applies for profiling activities undertaken on the basis of these provisions. The data controller shall no longer process the personal data concerning you, unless he or she produces compelling and legitimate reasons for such processing which outweigh your interests, rights and freedoms or such processing is necessary for asserting, exercising or defending legal claims. If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing; this also applies to profiling insofar as it is undertaken in connection with such direct marketing activities. If you object to data processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes. In connection with the use of information society services and notwithstanding Directive 2002/58/EG, you may exercise your right to object by automated means using technical specifications.
You also have the right, on grounds arising out of your particular situation, to object to the processing of personal data concerning you that occurs for scientific or historical research purposes or for statistical purposes in accordance with Art. 89 (1) GDPR. Your right to object can be restricted insofar as it is likely to render the achievement of research and statistical purposes impossible or seriously impair such purposes and this restriction is necessary for achieving such research or statistical purposes.
Right to withdraw a declaration of consent concerning data protection
You have the right to withdraw your declaration of consent concerning data protection at any time. Withdrawing your consent does not affect the lawfulness of data processing based on your consent before its withdrawal. Automated decisions in individual cases, including profiling
You have the right not to be made subject to a decision based exclusively on automated data processing, including profiling, which produces legal effects concerning you or significantly affects you in a similar way. This does not apply if the decision is:
- Necessary for entering into or performing a contract between you and the data controller
- Authorised by Union or Member State law to which the data controller is subject and which contains suitable measures to safeguard your rights and freedoms as well as your legitimate interests
- Based on your explicit consent
However, such decisions may not be based on special categories of personal data in accordance with Art. 9 (1) GDPR unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms as well as your legitimate interests have been taken. With regard to the circumstances referred to in (1) and (3), the data controller shall take suitable measures to safeguard your rights and freedoms as well as your legitimate interests, which include at least the right to obtain human intervention on the part of the data controller, to express your point of view and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR. The supervisory authority with which the complaint has been lodged shall inform the complainant of the progress and the outcome of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.