Data Protec­tion Statement

Connection to external media services

Status of your consent:

  • Mapbox:
  • Vimeo:
  • YouTube:

Content

Contact details of the Controller
Contact details of the data protec­tion officer
Terms
Infor­ma­tion on data proces­sing.
Auto­mated data proces­sing (log files etc.)
Use of cookies (general, func­tion­a­lity, opt-out links etc.) 

Consent Manage­ment Tool
Hosting
Hetzner

Web analysis and opti­mi­sa­tion.
Fathom Analy­tics.

Online marke­ting.
Face­book Pixel 

Presence on social media.
Insta­gram..
Face­book.
LinkedIn.
Snap Chat
Pinte­rest
Twitter
Vimeo.
Xing.
YouTube.

Plug-ins and inte­grated third-party content
Insta­gram
mapbox Plugins und ‑Schalt­flä­chen.
Vimeo.
YouTube.

Online confe­rences, meetings and webi­nars.
Wonder
Zoom

Blog and forum (Digital Exhibition) 

Single sign-on proce­dure for the intranet of the Univer­sity
Google Single-Sign-On.

Evalua­tion on the website with data transfer
evasys.
News­letter and mass commu­ni­ca­tion inclu­ding tracking.
Sendin­blue.

Cont­ac­ting us. 

Events and activities. 

Data transfer

Storage period.

Auto­mated decision-making. 

Legal bases.

Rights of the data subject 

With­drawal of consent 

External links.

Amend­ments

We, the Univer­sity of Applied Sciences of Design Schwä­bisch Gmünd, are respon­sible for this website and, as a provider of a tele­ser­vice, are obliged to inform you at the begin­ning of your visit to our website about the type, extent, and purposes of the coll­ec­tion and use of personal data in a precise, trans­pa­rent, under­stan­dable, and easily acces­sible form in clear and simple language. The content of the infor­ma­tion must be acces­sible to you at all times. We are ther­e­fore obliged to inform you which personal data are coll­ected or used. Personal data is defined as all infor­ma­tion rela­ting to an iden­ti­fied or iden­ti­fiable natural person.

We value the importance to secu­rity of your data and the compli­ance with data protec­tion regu­la­tions. Colle­ting, proces­sing and use of personal data are subject to the provi­sions of the curr­ently appli­cable Euro­pean and national laws.

The meanings of terms such as personal data” or proces­sing” are used in context as described in Art. 4 of the EU-GDPR

Contact details of the Controller

Univer­sity of Applied Sciences of Design Schwä­bisch Gmünd
Rektor-Klaus-Str. 100
73525 Schwä­bisch Gmünd
Germany
Tele­fone: 07171 602 – 600
email address: sekretariat@hfg-gmuend.de
Web :www.hfg-gmuend.de
Autho­rized to repre­sent: Maren Schmohl 

Contact details of the data protec­tion officer

Deut­sche Daten­schutz­kanzlei
External Data Protec­tion Officer
Mr. Maxi­mi­lian Musch
Richard-Wagner-Str. 2
88094 Ober­teu­ringen
Germany

email address: musch@ddsk.de

Web: www.ddsk.de

Reci­pi­ents of data 

Service provi­ders (data reci­pi­ents) involved in the provi­sion of our online services are named under the respec­tive cate­gory / heading.

The perti­nent legal basis is speci­fi­cally stated for each tool in question. 

Terms

The specia­list terms used in this Privacy Policy are to be unders­tood as legally defined in art. 4 GDPR.

Infor­ma­tion on data processing

Auto­mated data proces­sing (log files etc.)

It is possible for users to visit our website without provi­ding personal data. However, every time our website is accessed on, we auto­ma­ti­cally store access data (server log files), such as the name of the internet service provider, the opera­ting system in use, the website the user visited us from, the date and dura­tion of the visit and the name of the file accessed, as well as the IP address of the device used (for secu­rity reasons, such as to reco­g­nise attacks on our website) for a dura­tion of 7 days. This data is solely evaluated for the purpose of impro­ving our offe­ring and does not enable conclu­sions about the user in person. This data is not merged with other data sources. 

The legal basis for the proces­sing of data is Art. 6 (1) lit. c GDPR in conjunc­tion with Art. 32 GDPR and Artt. 24, 32 GDPR.

We process and use the data for the follo­wing purposes: 

  • provi­ding the website
  • impro­ving our websites 
  • for preven­tion and to iden­tify errors/​malfunctions and the abuse of the website

The proces­sing is neces­sary to ensure the func­tion­a­lity and error-free and secure opera­tion of the website and to adapt this website to the requi­re­ments of the users.

Use of cookies (general, func­tion­a­lity, opt-out links etc.)

We use cookies’ on our website to make visi­ting our website more attrac­tive and to enable certain func­tions to be used. The use of cookies serves our legi­ti­mate inte­rest in making a visit to our website as plea­sant as possible and is based on art. 6 (1) (f) GDPRAs a stan­dard internet tech­no­logy, cookies are used to store and retrieve login details and other usage infor­ma­tion for all the users of a website. Cookies are small text files that are trans­ferred from the server to your end device. They enable us to store user settings, to ensure that our website can be shown in a format tail­ored to your device. Some of the cookies we use are deleted after the end of a browser session, i.e. when closing the browser (known as session cookies’). Other cookies remain on the user’s end device and enable us or our partner compa­nies to reco­g­nise the browser on the next visit (known as persis­tent cookies’).

The browser can be set so that the user is informed when cookies are to be stored and can decide whether to accept them in each indi­vi­dual situa­tion, to accept them under certain circum­s­tances, or to exclude them in general. In addi­tion, cookies can be retro­s­pec­tively deleted to remove data that the website stored on your computer. Deac­ti­vating cookies (known as opting out’) can limit our website’s func­tion­a­lity in some respects.

Cate­go­ries of data subjects: Website visi­tors, users of online services

Opt-out: Internet Explorer:

https://support.microsoft.com/de-de/help/17442

Firefox:

https://support.mozilla.org/de/kb/wie-verhindere-ich-dass-websites-mich-verfolgen

Google Chrome:

https://support.google.com/chrome/answer/95647?hl=de

Safari:

https://support.apple.com/de-de/HT201265

Legal bases: Consent (art. 6 (1) (a) GDPR), legi­ti­mate inte­rest (art. 6 (1) (f) GDPR) or the proces­sing is neces­sary for the perfor­mance of a task carried out in the public inte­rest or in the exer­cise of offi­cial autho­rity vested in the controller (art. (1) (e) GDPR)

Legi­ti­mate inte­rests: Storing of opt-in prefe­rences, presen­ta­tion of the website, assu­rance of the website’s func­tion­a­lity, provi­sion of user status across the entire website, reco­gni­tion for the next website visi­tors, user-friendly online offe­ring, assu­rance of the chat function

Consent Manage­ment Tool

We use a consent manage­ment tool on our website in order to be able to prove, store and manage the consent granted by our website visi­tors in accordance with the requi­re­ments of the GDPR. Visi­tors to our online offe­ring can also manage the consent and prefe­rences granted or with­draw consent via the service we have integrated. 

The consent status is stored on the server and/​or in a cookie (so-called opt-in cookie) or a compa­rable tech­no­logy in order to be able to assign the consent to a user or their device. In addi­tion, the time of the decla­ra­tion of consent is recorded.

Cate­go­ries of data subjects: Website visi­tors who use the Consent Manage­ment Tool 

Data cate­go­ries: Usage data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses)

Purposes of proces­sing: Fulfilment of accoun­ta­bi­lity obli­ga­tions, Consent management

Legal bases: Legal obli­ga­tion (art. 6 para 1 lit. c) GDPR, art. 7 GDPR)

Hosting

Our online offer is hosted by an external service provider. Personal data of the website visi­tors to our online offer, so-called log files, are stored on the servers of our service provider. This may also be data that is coll­ected during the active use of our website. By using a specia­lised service provider, we can provide our website secu­rely and effi­ci­ently. The hosting provider we use does not process the data for its own purposes. 

Cate­go­ries of data subjects: Website visitors

Data cate­go­ries: Usage data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses)

Purposes of proces­sing: Opti­mi­sa­tion and proper presen­ta­tion of the website

Legal bases: Consent (art. 6 (1) (a) GDPR), legi­ti­mate inte­rest (art. 6 (1) (f) GDPR) or the proces­sing is neces­sary for the perfor­mance of a task carried out in the public inte­rest or in the exer­cise of offi­cial autho­rity vested in the controller (art. (1) (e) GDPR)

Purpose & inte­rests: Opti­miza­tion and proper presen­ta­tion of the website, fast website acces­si­bi­lity, avoid­ance of down­times, high scalability

Hetzner

Reci­pient of Data: Hetzner Online GmbH, Indus­triestr. 25, 91710 Gunzen­hausen, Germany

Privacy: https://www.hetzner.com/legal/privacy-policy

Web analysis and optimisation

We use tools for web analysis and reach measu­re­ment so that we can evaluate user flows to our online offe­ring. To do so, we collect infor­ma­tion about the beha­viour, inte­rests, or demo­gra­phics of our users, such as their age, gender, and so on. This helps us to reco­g­nise the times at which our online offe­ring, its func­tions, and content are frequented the most or accessed more than once. In addi­tion, we can use the infor­ma­tion that has been coll­ected to deter­mine whether our online offe­ring requires opti­mi­sa­tion or adjustment. 

The infor­ma­tion coll­ected for this purpose is stored in cookies or deployed in similar proce­dures used for reach measu­re­ments and opti­mi­sa­tion. The data stored in the cookies could include the content viewed, webpages visited, settings, and the func­tions and systems used. However, plain data from users is not normally processed for the above purposes. In this case, the data is changed so that the actual iden­tity of the user is not known to us, nor the provider of the tool used. The changed data is often stored in user profiles.

Cate­go­ries of data subjects: Website visi­tors, users of online services

Data cate­go­ries: Usage data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses), contact data (e. g. email address, tele­phone number), content data (e. g. text inputs, photo­graphs, videos)

Purposes of proces­sing: Website analyses, reach measu­re­ment, utili­sa­tion and assess­ment of website inter­ac­tion, lead evaluation

Legal bases: Consent (art. 6 (1) (a) GDPR), legi­ti­mate inte­rest (art. 6 (1) (f) GDPR) or the proces­sing is neces­sary for the perfor­mance of a task carried out in the public inte­rest or in the exer­cise of offi­cial autho­rity vested in the controller (art. (1) (e) GDPR)

Purpose & inte­rests: Opti­mi­sa­tion and further deve­lo­p­ment of the website, increase in profits 

Fathom Analy­tics

Reci­pient of data: Conva Ventures Inc., BOX 37058 Mill­stream PO, Victoria, BC, V9B0E8, Canada

Privacy: https://usefathom.com/privacy

Online marke­ting

We process personal data within the frame­work of online marke­ting, parti­cu­larly regar­ding poten­tial inte­rests and to measure the effec­ti­ve­ness of our marke­ting measures, with the aim of conti­nu­ally boos­ting our reach and the promi­nence of our online offering.

We store the rele­vant infor­ma­tion in cookies or use similar proce­dures for the purpose of measu­ring the effec­ti­ve­ness of our marke­ting measures and iden­ti­fying poten­tial inte­rests. The data stored in the cookies could include the content viewed, webpages visited, settings, and the func­tions and systems used. However, plain data from users is not normally processed for the above purposes. If so, the data is changed so that the actual iden­tity of the user is not known to us, nor the provider of the tool used. The changed data is often stored in user profiles.

In the event that user profiles are stored, the data can be used, read, supple­mented, and expanded on the server of the online marke­ting proce­dure when other online offe­rings are visited that use the same online marke­ting procedure. 

We can calcu­late the success of our adverts using summa­rised data that is made available to us by the provider of the online marke­ting proce­dure (known as conver­sion measu­re­ment’). As part of these conver­sion measu­re­ments, we can trace whether a marke­ting measure caused a visitor to our online offe­ring to decide to make a purchase. This evalua­tion serves to analyse the success of our online marketing.

Cate­go­ries of data subjects: Website visi­tors, users of online services, commu­ni­ca­tion partners

Data cate­go­ries: Usage data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses), loca­tion data, contact data (e. g. email address, tele­phone number), content data (e. g. text inputs)

Purposes of proces­sing: Marke­ting (some­times inte­rest-based and beha­vioural, as well), conver­sion measu­re­ment, target group forma­tion, click tracking, deve­lo­p­ment of marke­ting stra­te­gies and increase in the effi­ci­ency of campaigns

Legal bases: Consent (art. 6 (1) (a) GDPR)

Legi­ti­mate inte­rests: Opti­mi­sa­tion and further deve­lo­p­ment of the website, increase in profits, customer loyalty and acquisition

Face­book Pixel

Reci­pient of data: Meta Plat­forms, 4 Grand Canal Square, Dublin 2, Irland 

Privacy: https://www.facebook.com/privacy/explanation

Opt-out-link: https://www.facebook.com/settings?tab=ads

Legal base: Consent (art. 6 (1) (a) GDPR)

Face­book (META Insights addi­tional addendum): 

https://de-de.facebook.com/legal/terms/page_controller_addendum

Presence on social media

The Univer­sity provides online offers (e. g. fan pages) on various social media plat­forms that contain infor­ma­tion about it. 

Social media chan­nels are used to increase visi­bi­lity among poten­tial students and to make the univer­sity visible to the public. Social networks have proven to be effec­tive in incre­asing outreach and actively promo­ting inter­ac­tion and commu­ni­ca­tion with students. 

Higher educa­tion commu­ni­ca­tion, press and public rela­tions work is the original respon­si­bi­lity of the state’s higher educa­tion insti­tu­tions. Social media acti­vity and commu­ni­ca­tion has a high value in attrac­ting new students. Social media and the website can be used to share rele­vant infor­ma­tion about the degree programmes, publi­cise events and commu­ni­cate important short-term news and job advertisements. 

User profiles can be created and used to adapt adver­ti­se­ments to the inte­rests of target groups via the usage beha­viour of the users of the social network, for example the indi­ca­tion of inte­rests. For this purpose, cookies are regu­larly stored on the end devices of the users, partly regard­less of whether they are regis­tered users of the social network. 

In connec­tion with the use of social media, we use the asso­ciated messen­gers to contact users in an uncom­pli­cated manner. Commu­ni­ca­tion via social media chan­nels is an important and essen­tial part of public rela­tions for the university. 

It should be noted that the secu­rity of indi­vi­dual services may depend on the user’s account settings. Even in the case of end-to-end encryp­tion, the plat­form provider can draw conclu­sions about the fact that and when users commu­ni­cate with the univer­sity as well as collect loca­tion data if necessary.

Depen­ding on where the social network is operated, user data may be processed outside the Euro­pean Union or the Euro­pean Economic Area. This may result in risks for users, for example because it makes it more diffi­cult to enforce their rights. 

We inform users that the univer­sity has no further influence on the proces­sing of personal data on these plat­forms. Only the respec­tive plat­form provider has full know­ledge of the content of the trans­mitted data and its use.

Cate­go­ries of data subjects: Regis­tered users and non-regis­tered users of the social network

Data cate­go­ries: User data (e. g. name, address), contact data (e. g. email address, tele­phone number), content data (e. g. text inputs, photo­graphs, videos), usage and inter­ac­tion data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses)

Purposes of proces­sing: Increase in the reach, Networ­king with students, promo­ting inter­ac­tion and commu­ni­ca­tion, press and public rela­tions work

Legal bases: The use of the presences and the asso­ciated proces­sing of personal data on the plat­form is based on art. 6 para. 1 lit. e) GDPR in conjunc­tion with art. 6 para. 3 GDPR in conjunc­tion with § 4 LDSG-Baden-Würt­tem­berg, § 2 LHG-Baden-Würt­tem­berg. Consent to data proces­sing pursuant to art. 6 para. 1 lit. a) GDPR can also be a legal basis if the users have given this to the plat­form provider.

Purpose & inte­rests: Ensu­ring the univer­si­ty’s visi­bi­lity in society, impro­ving, and disse­mi­na­ting its external image, Inter­ac­tion and commu­ni­ca­tion on social media pages, findings regar­ding target groups, press and public rela­tions work.

Alter­na­tive infor­ma­tion and commu­ni­ca­tion options:

As an alter­na­tive means of infor­ma­tion and commu­ni­ca­tion, please feel free to use our above postal address or our e‑mail address:

Insta­gram

Reci­pient of data: Meta Plat­forms, 4 Grand Canal Square, Dublin 2, Ireland

Privacy: https://help.instagram.com/519522125107875

and https://www.facebook.com/about/privacy

Opt-Out-Link: https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/

Face­book

Reci­pient of data: Meta Plat­forms, 4 Grand Canal Square, Dublin 2, Ireland 

Privacy: https://www.facebook.com/privacy/explanation

and https://www.facebook.com/legal/terms/page_controller_addendum

Opt-Out-Link: https://www.facebook.com/settings?tab=ads

LinkedIn

Reci­pient of data: LinkedIn Corpo­ra­tion, 1000 West Maude Avenue, Sunny­vale, CA 94085, USA

Privacy: https://www.linkedin.com/legal/privacy-policy

Opt-Out-Link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out

Snap Chat

Reci­pient of data: Snap Inc. LinkedIn, 2772 Donald Douglas Loop N, Santa Monica, CA 90405, USA

Privacy: https://www.snap.com/de-DE/privacy/privacy-policy

Opt-Out-Link: https://www.snapchat.com/l/de-de/cookie-settings/

Pinte­rest

Reci­pient of data: Pinte­rest Inc., 651 Brannan Street, San Fran­cisco, CA 94103, USA

Privacy: https://policy.pinterest.com/de/privacy-policy

Opt-Out-Link: https://policy.pinterest.com/de/cookies

Twitter

Reci­pient of data: Twitter Inter­na­tional Company, One Cumber­land Place, Fenian Street Dublin 2, D02 AX07 Ireland 

Privacy: https://twitter.com/de/privacy

Opt-Out-Link: https://help.twitter.com/de/rules-and-policies/twitter-cookies#privacy-options

Vimeo

Reci­pient of data: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA

Privacy: https://vimeo.com/privacy

Opt-Out-Link: https://vimeo.com/cookie_policy

Xing

Reci­pient of data: New Work SE, Damm­tor­straße 30, 20354 Hamburg, Germany

Privacy: https://privacy.xing.com/de/datenschutzerklaerung

Opt-Out-Link: https://nats.xing.com/optout.html?popup=1

YouTube

Reci­pient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy: https://policies.google.com/privacy?hl=de&gl=de

Opt-Out-Link: https://tools.google.com/dlpage/gaoptout?hl=de or https://myaccount.google.com/

Plug-ins and inte­grated third-party content

We have inte­grated func­tions and content obtained from third-party provi­ders into our online offe­ring. For example, videos, depic­tions, buttons, or contri­bu­tions (herein­after termed content’) can be integrated. 

To enable visi­tors of our website to see certain content, the third-party provider in ques­tion processes the user’s IP address, inter alia, to transmit the content to the browser and display it. It is not possible to inte­grate third-party content without this proces­sing taking place. 

Some­times, addi­tional infor­ma­tion is coll­ected via pixel tags’ or web beacons through which the third-party provider receives infor­ma­tion about the use of the content or visitor traffic to our online offe­ring, tech­nical infor­ma­tion about the user’s browser or opera­ting system, the visit time or refer­ring websites. The data coll­ected in this manner is stored in cookies on the user’s end device. 

We have taken secu­rity precau­tions to prevent this data from being auto­ma­ti­cally trans­ferred, with the aim of protec­ting the personal data of visi­tors to our online offe­ring. This data is only trans­ferred if the visitor uses the buttons or click on the third-party content. 

Cate­go­ries of data subjects: Users of plug-ins or third-party content

Data cate­go­ries: Usage data (e. g. websites visited, inte­rest in content, access times), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses) contact data (e. g. email address, tele­phone number), Master data (e. g. name, address)

Purposes of proces­sing: Design of our online offe­ring, increase in the reach of adverts on social media, sharing of contri­bu­tions and content, inte­rest-based and beha­vioural marke­ting, cross-device tracking

Legal bases: Consent (art. 6 (1) (a) GDPR)

Insta­gram

Reci­pient of data: Meta Plat­forms, 4 Grand Canal Square, Dublin 2, Ireland

Privacy: https://help.instagram.com/519522125107875

and https://www.facebook.com/about/privacy

Opt-Out-Link: https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/

mapbox Plugins und ‑Schalt­flä­chen

Reci­pient of data: mapbox 50 Beale St floor 9, San Fran­cisco, CA 94105, USA

Privacy: https://www.mapbox.com/legal/privacy/

Opt-Out-Link: https://www.mapbox.com/legal/cookies

Vimeo

Reci­pient of data: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA

Privacy: https://vimeo.com/privacy

Opt-Out-Link: https://vimeo.com/cookie_policy

YouTube

Reci­pient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy: https://policies.google.com/privacy?hl=de&gl=de

Opt-Out-Link: https://tools.google.com/dlpage/gaoptout?hl=de or https://myaccount.google.com/

Online confe­rences, meetings and webinars 

We make use of the oppor­tu­nity to hold online confe­rences, meetings and webi­nars. To do so, we use offe­rings provided by other carefully selected providers. 

When actively using offe­rings of this nature, data regar­ding the parti­ci­pants in the commu­ni­ca­tion is processed and stored on the servers of the third-party services used, provided this data is neces­sary for the commu­ni­ca­tion process. In addi­tion, usage data and meta­data can also be processed. 

Cate­go­ries of data subjects: Parti­ci­pants in the online offe­ring in ques­tion (confe­rence, meeting, webinar)

Data cate­go­ries: Master data (e. g. name, address), contact data (e. g. email address, tele­phone number), Content data (e. g. text inputs, photo­graphs, videos), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses) 

Purposes of proces­sing: Proces­sing of enqui­ries, increase in effi­ci­ency, promo­tion of cross-company or cross-loca­tion collaboration

Legal bases: Consent (art. 6 (1) (a) GDPR)

Wonder

Reci­pient of data: Yotribe GmbH, Komman­dan­ten­straße 77, 10117 Berlin, Germany

Privacy: https://www.wonder.me/gdpr

Zoom

Reci­pient of data: Zoom Video Commu­ni­ca­tions, Inc., San Jose 55 Almaden Boule­vard, 6th Floor, 

San Jose, CA 95113, USA

Privacy: https://zoom.us/de-de/privacy.html#_Toc44414849

Blog and forum (Digital Exhi­bi­tion[GB1] )

We have provided a blog or compa­rable oppor­tu­ni­ties for publi­ca­tion on our webpage. We want to give visi­tors to our online offe­ring the option of cont­ac­ting us or sharing their thoughts and sugges­tions with us in this manner. 

If users of our online offe­ring publish comm­ents and contri­bu­tions on our website, we are obliged to prevent unlawful content, or the publi­ca­tion of the same, from appearing on our website. We collect the IP addresses of the users in ques­tion so that we can adhere to this obli­ga­tion and protect our inte­rests in being indem­ni­fied in the event that we are used for third-party content. This also helps us to iden­tify spam.

Beyond this, users of the func­tion provided are not obliged to make details available that could lead to conclu­sions being drawn about the iden­tity of the user in ques­tion. A contri­bu­tion can even be published under a pseud­onym, meaning that the user can then decide them­selves what data and content we process.

Cate­go­ries of data subjects: Users of the func­tion in question

Data cate­go­ries: Master data (e. g. name, address), contact data (e. g. email address, tele­phone number), content data (e. g. text inputs, photo­graphs, videos), usage data (e. g. websites visited, inte­rest in content, access times), contract data (e. g. subject of the contract, term, customer cate­gory), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses)

Purposes of proces­sing: Networ­king of users/​students

Legal bases: Proces­sing is neces­sary for the perfor­mance of a task carried out in the public inte­rest or in the exer­cise of offi­cial autho­rity vested in the controller (art. (1) (e) GDPR), Consent (art. 6 (1) (a) GDPR)

Purpose & inte­rests: Preven­tion, secu­rity of the webpage, dupli­ca­tion of commu­ni­ca­tion chan­nels with visi­tors to the online offe­ring, opti­miza­tion and further deve­lo­p­ment of online offering

Single sign-on proce­dure for the intranet of the University

To make our online offe­ring even easier to use, we deploy a single sign-on proce­dure’. This enables users to log on to our online offe­ring with log-in details from a single sign-on provider, meaning that they do not need to have any addi­tional log-in details as a result. The use of a single sign-on proce­dure requires users to already have an exis­ting user account with a provider of the proce­dure in ques­tion, such as a social network. To log on with the single sign-on proce­dure, the user must provide their log-in details for the single sign-on proce­dure in the log-in window of our online offe­ring, or if the user is already logged in on the provi­der’s website, confirm regis­tra­tion via single sign-on by clicking the appro­priate button. 

We use user handles’ to carry out authen­ti­ca­tion. Inter alia, this includes a user ID plus infor­ma­tion that the user has used the ID to log on with the proce­dure provider in ques­tion. We only receive this ID for the purposes of authen­ti­ca­tion, i. e. we are not permitted to process it for any purposes beyond authen­ti­ca­tion. Whether data beyond this is trans­ferred to us, and if yes, what data, depends on the provider of the proce­dure in ques­tion, the user’s account settings with this provider and any data appr­ovals selected within the frame­work of authen­ti­ca­tion. The data we receive from the provider of the proce­dure in ques­tion can vary. However, it usually encom­passes an email address and a user­name. We cannot see the pass­word entered, nor can we store it. 

To change or delete connec­tions between user accounts and the single sign-on proce­dure, the appro­priate settings must be changed within the user account with the provider of the proce­dure in question. 

Cate­go­ries of data subjects: Users of the func­tion in question

Data cate­go­ries: User handles (e. g. user­name, authen­ti­ca­tion confirmation)

Purposes of proces­sing: Authen­ti­ca­tion of users

Legal bases: Consent (art. 6 (1) (a) GDPR)

Google Single-Sign-On

Reci­pient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Privacy: https://policies.google.com/privacy

Evalua­tion on the website with data transfer

We carry out ques­ti­on­n­aires and surveys (herein­after surveys’) on our online offe­ring. This helps us to improve our offe­ring and better meet our custo­mers’ needs. To this end, it is not neces­sary to be able to trace whether we can asso­ciate feed­back with a parti­cular person. Before your survey is evaluated, the data we process to provide and execute our surveys on a tech­nical level is anony­mised. Parti­ci­pa­tion in the survey is voluntary. 

Cate­go­ries of data subjects: Parti­ci­pants in the online surveys

Data cate­go­ries: Feed­back on the survey matter, meta­data (e. g. device infor­ma­tion, IP address), usage data (e. g. websites visited, inte­rest in content, access times)

Purposes of proces­sing: Impro­ve­ment and opti­mi­sa­tion of the univer­si­ty’s offer, evaluation 

Legal bases: Proces­sing is neces­sary for the perfor­mance of a task carried out in the public inte­rest or in the exer­cise of offi­cial autho­rity vested in the controller (art. (1) (e) GDPR), Consent (art. 6 (1) (a) GDPR) (Art. 6 (3) GDPR, In conjunc­tion with the rele­vant state data protec­tion laws of Baden-Würt­tem­berg. Further special legal regu­la­tions can be found in the indi­vi­dual exami­na­tion regu­la­tions of the univer­sity. The legal basis for optional surveys can also be consent (art. 6 (1) (a) GDPR)

evasys

Reci­pient of data: evasys GmbH, Konrad-Zuse-Allee 13, 21337 Lüne­burg, Germany 

Privacy: https://evasys.de/datenschutz/

News­letter and mass commu­ni­ca­tion inclu­ding tracking 

On our online offe­ring, users have the option of subscribing to our news­letter or to noti­fi­ca­tions on various chan­nels (herein­after referred to overall as news­let­ters’).

In addi­tion, we may send specific infor­ma­tion about events or about the study programme or the univer­sity itself. 

We only send our news­let­ters and other infor­ma­tion to reci­pi­ents who have consented to receive the news­letter, in accordance with legal requirements. 

We occa­sio­nally use selected service provi­ders to send our newsletter.

An email address must be provided to subscribe to our news­letter. If appli­cable, we collect extra data, such as your name to include a personal gree­ting in our newsletter. 

Our news­letter is only sent after the double opt-in proce­dure’ has been fully completed. If visi­tors to our online offe­ring decide to receive our news­letter, they will receive a confir­ma­tion email that serves to prevent the frau­du­lent input of wrong email addresses and preclude a single, possibly acci­dental, click from causing the news­letter to be sent. The subscrip­tion to our news­letter can be ended at any time with future effect. An unsub­scrip­tion (opt-out) link is given at the end of every newsletter.

In addi­tion, we are obliged to provide proof that our subscri­bers actually want to receive the news­letter. To this end, we collect and store their IP address, along with the time of subscrip­tion and unsubscription. 

Our news­let­ters are desi­gned so that we can obtain findings about impro­ve­ments, target groups or the reading beha­viour of our subscri­bers. We are able to do this thanks to a web beacon’ or tracking pixel that reacts to inter­ac­tions with the news­letter, such as looking at whether links are clicked on, whether the news­letter is opened at all, or at what time the news­letter is read. For tech­nical reasons, we can asso­ciate this infor­ma­tion with indi­vi­dual subscribers. 

Cate­go­ries of data subjects: News­letter subscri­bers, students

Data cate­go­ries: Master data (e. g. name, address), contact data (e. g. email address, tele­phone number), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses), usage and inter­ac­tion data (e. g. websites visited, inte­rest in content, access times)

Purposes of proces­sing: Provi­ding infor­ma­tion, answe­ring requests, analysis, and evalua­tion of the campaigns’ success

Legal bases: Consent (art. 6 (1) (a) GDPR)

Sendin­blue

Reci­pient of data: Sendin­blue GmbH, Köpe­nicke Straße 126, 10179 Berlin, Germany 

Privacy: https://de.sendinblue.com/datenschutz-uebersicht/

Cont­ac­ting us

On our online offe­ring, we offer the option of cont­ac­ting us directly or reques­ting infor­ma­tion via various contact options. 

In the event of contact being made, we process the data of the person making the enquiry to the extent neces­sary for answe­ring or hand­ling their enquiry. The data processed can vary depen­ding on the method via which contact is made with us.

Cate­go­ries of data subjects: Indi­vi­duals submit­ting an enquiry

Data cate­go­ries: Master data (e. g. name, address), contact data (e. g. email address, tele­phone number), content data (e. g. text inputs, photo­graphs, videos), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses), usage data (e. g. websites visited, inte­rest in content, access times)

Purposes of proces­sing: Proces­sing requests

Legal bases: Fulfilment of tasks accor­ding to Art. 6 para. 1 lit. e) GDPR, para. 3 GDPR in conjunc­tion with § 4 LDSG Baden-Würt­tem­berg in the version of 21.06.2018, in conjunc­tion with § 2 para. 9 LHG Baden-Würt­tem­berg in the version of 17.12.2020; If appli­cable, consent (Art. 6 para. 1 lit. a) GDPR) or fulfilment or initia­tion of a contract (Art. 6 para. 1 lit. b) GDPR)

Events and activities

On our online offe­ring, visi­tors have the oppor­tu­nity to register for events and acti­vi­ties. The details coll­ected by us that are neces­sary to initiate and perform the contract are marked as manda­tory fields. The provi­sion of data in excess of this is voluntary.

Cate­go­ries of data subjects: Indi­vi­duals submit­ting an enquiry

Data cate­go­ries: Master data (e. g. name, address), contact data (e. g. email address, tele­phone number), content data (e. g. text inputs, photo­graphs, videos), meta­data and commu­ni­ca­tion data (e. g. device infor­ma­tion, IP addresses), usage data (e. g. websites visited, inte­rest in content, access times)

Purposes of proces­sing: Data proces­sing is carried out for parti­ci­pa­tion in events

Legal bases: Consent (art. 6 para. 1 lit. a) GDPR) or fulfilment or initia­tion of a contract (art. 6 para. 1 lit. b) GDPR)

Data transfer

We transfer the personal data of visi­tors to our online offe­ring for internal purposes (e. g. for internal admi­nis­tra­tion or to the HR depart­ment so we can meet statu­tory or contrac­tual obli­ga­tions). Internal data transfer or the disclo­sure of data only occurs to the extent neces­sary, under the perti­nent data protec­tion provisions.

It may be neces­sary for us to disc­lose personal data for the perfor­mance of contracts or to comply with legal obli­ga­tions. If the data neces­sary in this regard is not provided to us, it may be the case that the contract cannot be concluded with the data subject. 

Your data is processed outside the EU/EEA, in so-called third count­ries (e.g. USA), when using or acces­sing certain services, e.g. Google services (e.g. YouTube). The Euro­pean Commis­sion has not issued an adequacy decision for the transfer of data to the USA, which is considered an unsafe third country. Adequacy refers to the level of protec­tion of data in that third country or inter­na­tional orga­ni­sa­tion. There is a risk that data may be processed by US autho­ri­ties for control and moni­to­ring purposes without any possible redress for data subjects.

We conclude a data protec­tion agree­ment with the provi­ders (Data Proces­sing Agree­ments) inclu­ding stan­dard contrac­tual clauses pursuant to Art. 44 et seq. DSGVO and define addi­tional measures to ensure the highest possible level of protec­tion for the personal data of data subjects.

Guaran­tees applied in the case of third country trans­fers (if applicable):

Trans­fers on the basis of Stan­dard data protec­tion clauses (Art. 46 para 1, 2 lit. c) GDPR):

Google-Services:

https://privacy.google.com/businesses/processorterms/

https://privacy.google.com/businesses/processorterms/mccs/

Vimeo:

https://de-1bbeae2b241b298db.getsmartling.com/data-processing

Zoom:

zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf
zoom.us/docs/doc/Zoom_Pre-Signed_Standard_Contractual_Clauses_with_DocuSign_Fields.pdf

Trans­fers on the basis of an adequacy decision (Euro­pean Commis­sion) (Art. 45 GDPR):

Fathom (based in Canada):

https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002

Storage period

In prin­ciple, we store the data of visi­tors to our online offe­ring for as long as needed to render our service or to the extent that the Euro­pean body issuing direc­tives and regu­la­tions, or another legis­lator stipu­lates in laws and regu­la­tions to which we are subject. In all other cases, we delete personal data once the purpose has been fulfilled, with the excep­tion of data that we need to continue to store to comply with legal obli­ga­tions (e. g. if reten­tion periods under tax law and trade law require us to keep docu­ments such as contracts and invoices for a certain period of time).

Auto­mated decision-making

We do not use auto­mated decision-making or profiling.

Legal bases

The decisive legal bases prima­rily arise from the GDPR. They are supple­mented by national laws from member states and can, if appli­cable, be applied along­side or in addi­tion to the GDPR. 

Consent: Art. 6 (1) (a) GDPR serves as the legal basis for proces­sing proce­dures regar­ding which we have sought consent for a parti­cular purpose of processing. 

Perfor­mance of a contract: Art. 6 (1) (b) serves as the legal basis for proces­sing required to perform a contract to which the data subject is a contrac­tual party or for taking steps prior to ente­ring into a contract, at the request of the data subject.

Legal obli­ga­tion: Art. 6 (1) © GDPR is the legal basis for proces­sing that is required to comply with a legal obligation. 

Vital inte­rests: Art. 6 (1) (d) GDPR serves as the legal basis if the proces­sing is neces­sary to protect the vital inte­rests of the data subject or another natural person.

Public inte­rest: Art. 6 (1) (e) GDPR serves as the legal basis for proces­sing that is neces­sary to perform a task in the public inte­rest or to exer­cise public force that is trans­ferred to the controller.

Legi­ti­mate inte­rest: Art. 6 (1) (f) GDPR serves as the legal basis for proces­sing that is neces­sary to protect the legi­ti­mate inte­rests of the controller or a third party, provided this is not outweighed by the inte­rests or funda­mental rights and funda­mental free­doms of the data subject that require personal data to be protected, parti­cu­larly if the data subject is a child.

Rights of the data subject

Right of access: Pursuant to art. 15 GDPR, data subjects have the right to request confir­ma­tion as to whether we process data rela­ting to them. They can request access to their data, along with the addi­tional infor­ma­tion listed in art. 15 (1) GDPR and a copy of their data.

Right to recti­fi­ca­tion: Pursuant to art. 16 GDPR, data subjects have the right to request that data rela­ting to them, and that we process, be recti­fied or completed.

Right to erasure: Pursuant to art. 17 GDPR, data subjects have the right to request that data rela­ting to them be erased without delay. Alter­na­tively, they can request that we rest­rict the proces­sing of their data, pursuant to art. 18 GDPR. 

Right to data porta­bi­lity: Pursuant to art. 20 GDPR, data subjects have the right to request that data made available to us by them be provided and trans­ferred to another controller.

Right to lodge a complaint: In addi­tion, data subjects have the right to lodge a complaint with the super­vi­sory autho­rity respon­sible for them, under art. 77 GDPR.

Right to object: If personal data is processed on the basis of legi­ti­mate inte­rests pursuant to art. 6 (1) (1) (f) GDPR, under art. 21 GDPR data subjects have the right to object to the proces­sing of their personal data, provided there are reasons for this that arise from their parti­cular situa­tion, or the objec­tion relates to direct adver­ti­sing. In the latter case, data subjects have a general right to object that is to be put into effect by us without a parti­cular situa­tion being stated.

With­drawal of consent

Some data proces­sing proce­dures can only be carried out with the express consent of the data subject. Once granted, you are able to with­draw consent at any time. To do so, sending an informal note or email to info@hfg-gmuend.de is suffi­cient. The consent of data proces­sing opera­tions on our online offer can be directly adjusted in our Consent Manager-Tool.

The lega­lity of the data proces­sing carried out up to the point of with­drawal shall remain unaf­fected by the withdrawal.

External links

Our website includes links to online offe­rings from other provi­ders. We note that we have no influence over the content of the online offe­rings linked to and over whether their provi­ders comply with data protec­tion provisions.

Amend­ments

We reserve the right to amend this infor­ma­tion on data protec­tion, in compli­ance with the appli­cable data protec­tion provi­sions, if changes are made to our online offe­ring so that it complies with the legal requirements.

This Privacy Policy was drawn up by 

Deut­sche Datenschutzkanzlei 

- Maxi­mi­lian Musch -