Data Privacy

Introduction

SAP UCC applies the new EU General Data Protection Regulation to your data and the data processing. Careful handling of your data is of utmost importance to us. After the entry into force of the EU General Data Protection Regulation, new requirements for transparency within the data processing and the obligation to provide information to data subjects have occurred.

We are happy to meet these extended liabilities. The following text contains essential information concerning data processing within the SAP UCC. We describe your rights and explain who has access to your personal data.

Should questions or ambiguities occur, please do not hesitate to contact us at the following e-mail address:

datenschutz@ucc.ovgu.de

Name and address of the person responsible

The body responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection laws is:

Otto-von-Guericke-Universität
Universitätsplatz 2
D-39106 Magdeburg
Germany
Tel.: 49-(0)391-6701
E-Mail: rektor@ovgu.de
Website: www.ovgu.de

Name and address of the controller

Der Datenschutzbeauftragte des Verantwortlichen ist:

Rita Freudenberg
Universitätsplatz 2
D-39106 Magdeburg
Germany
Tel.: 49-(0)391-6752499
E-Mail: datenschutz@ovgu.de
Website: www.ovgu.de/Universität/Organisation/Beauftragte/Datenschutzbeauftragte.html

General information concerning data processing

Scope of the processing of personal data

We only store and use personal data of our users if this is necessary to provide for a functional website, applications provided through it or to provide other services within the framework of the provision of learning environments and associated services.

Collection and use of personal data of our users base on the user’s consent. An exception shall apply in those cases, in which prior consent cannot be obtained for factual reasons and data processing is permitted by law.

Legal basis for the processing of personal data

Should we obtain the consent of the person subject to the processing of personal data, Article 6 para.1a of the General Data Protection Regulation shall serve as the legal basis for processing of personal data.

In the processing of personal data required for the performance of a contract which the data subject is a party of, Article 6 para.1b of the General Data Protection Regulation shall serve as the legal basis. It also applies to processing operations necessary to carry out pre-contractual measures.

Should processing of personal data be required to fulfil a legal obligation which our company is subject to, Article 6 para.1c of the General Data Protection Regulation shall serve as the legal basis.

In the case that the vital interests of the data subject or another natural person require processing of the personal data, Article 6 para.1d of the General Data Protection Regulation shall serve as the legal basis.

If processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Article 6 para.1f of the General Data Protection Regulation shall serve as the legal basis.

Data deletion and storage period

Personal data of the individuals concerned shall be deleted or locked as soon as the purpose of storage ceases. Moreover, the data can be also stored if it is allowed and foreseen through the European or national legal body within the European law or other provisions concerning data storage and processing. The data shall also be locked or deleted if a storage period prescribed by the aforementioned regulations expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

Provision of the website, internet applications and creation of log files

Cookies on our websites

Our websites use the so-called cookies. Cookies are small text files placed by on your computer your browser. They enable us to recognise your computer the next time you visit the website with the purpose of making our service more user-friendly, effective and safe.

Most of the cookies we use are the so-called “session cookies” and “authentication cookies”. Some of these are automatically deleted at the end of your session. Other cookies remain stored on your device until you delete them. This can vary depending on your browser settings.

You can set your browser to be informed about the setting of cookies and to only allow cookies in individual cases as well as to exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser.

Cookies do not damage your computer but upon cookies deactivation, the functionality of websites may be limited.

Description and scope of data processing

Upon every visit to our website, our system automatically collects data and information from the system of the end device.

Folgende Daten werden hierbei in Log-Dateien gespeichert:

  • User’s IP address
  • OS
  • Web browser
  • Date and time of the access

Objection and deletion possibility

Collection of data necessary for the provision of the website and storage of data in log files are necessary for the correct operation of the website. Consequently, there is no objection possibility on the part of the user.

Contact form and e-mail contact

Description and scope of data processing

Our website contains a contact form which can be used for electronic contact. If the option is used, the data entered in the input mask is forwarded to and stored by the SAP UCC Magdeburg and SAP UCC Munich. The following data is concerned:

  • Name
  • E-Mail address
  • Institution / your organisation
  • your message

Upon sending the message, the following data is stored:

  • Date and time of the data transmission
  • User’s IP address

Upon sending the message, your consent is obtained, and a reference is made to this data protection declaration.

In this context, no data is disclosed to third parties. The data shall be used exclusively for processing of the communication.

Legal basis of the data processing

The legal basis for the data processing is the user’s consent according to the Article. 6 para. 1 a. DSGVO [GDPR].

The legal basis for the processing of the data forwarded upon sending an e-mail is Article 6, para. 1 f. DSGVO [GDPR]. If a conclusion of a contract is the aim of an e-mail communication, the Article 6, para. 1 b. DSGVO [GDPR] is the additional legal basis.

Purpose of the data processing

The processing of the personal data originating from the input mask is only used to handle the communication. E-mail contact also constitutes the necessary legitimate interest in data processing.

The aim of further personal data processed during the sending process is to prevent misuse of the contact form and to ensure the security of our information technology systems.

Storage period

The data shall be deleted as soon as no longer needed for the purpose it was collected for. This is the case when the respective communication with a user is completed and concerns the data originating from the input mask of the contact form and the data sent by e-mail. The conversation is closed when the circumstances infer that the facts in question have been clarified.

Objection and deletion possibility

The user is entitled to revoke their consent to process their personal data at all times. If the user contacts us per e-mail, they are entitled to object to storing their personal data at all times. In such cases it is not possible to continue the communication.

In order to delete their personal data, the user is to contact the SAP UCC Magdeburg at the following e-mail address:

datenschutz@ucc.ovgu.de

In such cases, all personal data stored within the course of the communication process shall be deleted.

Rights of data subjects - your rights: Information, correction, locking, deletion and objection

Right to information

Upon your request we shall provide you with information concerning your data stored by the SAP UCC. We try to keep this data up-to-date.´

You can request the person responsible to confirm whether your personal data is processed by us.

If such processing has taken or takes place, you can request the following information from the person responsible:

  1. purposes which the personal data is processed for;
  2. categories of personal data processed;
  3. recipients or categories of recipients to whom the personal data concerning you have been or are being disclosed;
  4. planned duration of the storage of the personal data concerning you or, if specific information is possible, criteria for determining the storage period;
  5. existence of the right to correction or deletion of personal data concerning you, the right to limitation of the processing by the responsible body or the right to object to such processing;
  6. existence of the right to appeal to a regulatory authority;
  7. any available information on the origin of the data if the personal data is not collected from the data subject concerned;
  8. existence of an automated decision-making, including profiling in accordance with Article 22 para. 1 and para.4 of the General Data Protection Regulation and – at least in such cases – meaningful information on the logic involved and the scope and intended effects of such processing for the data subject concerned.

You have the right to request information as to whether the personal data concerning you is disclosed to a third country or to an international organisation. In this context, you are entitled to request to be informed about the appropriate guarantees in accordance with Article 46 General Data Protection Regulation in connection with the disclosure.

Right to correction

You have the right to correct and/or complete your data by the responsible body if the processed personal data concerning you is incorrect or incomplete. The person responsible shall make the correction immediately.

Right to processing restriction

Considering the following conditions, you are entitled to request that the processing of personal data concerning you be restricted:

  1. if you contest the accuracy of the personal data concerning you for a period which enables the data controller to verify the accuracy of the personal data;
  2. the processing is unlawful and you object to deleting the personal data and request that the use of the personal data be restricted instead;
  3. the controller no longer needs the personal data for the purposes of the processing, but you do need them to assert, exercise or defend legal claims, or
  4. if you have filed an objection against the processing pursuant to Article 21 para. 1 General Data Protection Regulation and it has not yet been determined whether legitimate reasons of the person responsible outweigh your reasons.

If the processing of your personal data has been restricted, such data may only be processed – apart from being stored – with your consent or to assert, exercise or defend legal claims of another natural or legal person or on grounds of an important public interest of the European Union or a member state.

If the processing restriction has been restricted according to the above conditions, you shall be informed by the person responsible.

Right to data deletion

a) Deletion obligation

You are entitled to request the data controller to delete the personal data concerning you immediately and they are obliged to delete this data immediately if one of the following reasons applies:

  1. The personal data concerning you is no longer necessary for the purposes which it had been collected for or is no longer otherwise processed.
  2. You revoke your consent which the processing was based on pursuant to Article 6 para. 1a or Article 9 para. 2a of the General Data Protection Regulation, and there is no other legal basis for the processing.
  3. You object to the data processing pursuant to Article 21 para.1 of the General Data Protection Regulation and there are no priority legitimate grounds for processing, or you file an objection to the processing pursuant to Article 21 para. 2 of the General Data Protection Regulation.
  4. The personal data concerning you has been processed illegally.
  5. The deletion of the personal data concerning you is necessary to fulfil a legal obligation pursuant to the EU law or the law of the member states which the data controller is subject to.
  6. The personal data concerning you had been collected in relation to information society services offered pursuant to Article 8 para. 1 of the General Data Protection Regulation.

b) Disclosure to third parties

If the data controller has made your personal data public and is obliged to delete it pursuant to Article 17 para.1 of the General Data Protection Regulation, they shall take appropriate measures, including technical ones, taking into account the available technology and the implementation costs, to inform subjects processing the personal data that you have had all links to this personal data or copies or replications of this personal data deleted.

c) Exceptions

The right to have the data deleted does not exist insofar as the processing is necessary

  1. to exercise the right of freedom of expression and information;
  2. to perform a legal obligation required for processing pursuant to the law of the European Union or the member states which the controller is subject to or to perform a task in the public interest or in the exercise of official authority conferred on the controller;
  3. for reasons of public interest within the field of public health pursuant to Article 9 para. 2 h and i and Article 9 para. 3 General Data Protection Regulation;
  4. for archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes pursuant to Article 89 para.1 of the General Data Protection Regulation, insofar as the right referred to in para.1 is likely to make it impossible or seriously impair the attainment of the objectives of such processing, or
  5. to assert, exercise or defend legal claims.

Right to information

If you have exercised your right to correction, deletion and restriction of processing towards the controller, the controller is obliged to inform all recipients who your personal data had been disclosed to about this correction or deletion of the data or restriction of processing, unless it proves impossible or involves disproportionate effort.

You are entitled to be informed about such recipients by the person responsible.

Right to data portability

You are entitled to receive the personal data concerning you, which you have provided to the person responsible in a structured, common and machine-readable format. Additionally, you are entitled to forward this data to another person responsible without obstruction by the person responsible to whom the personal data was provided, provided that

  1. processing is based on consent pursuant to Article 6 para.1a of the General Data Protection Regulation or Article 9 para.2a of the General Data Protection Regulation or on a contract pursuant to Article 6 p1b of the General Data Protection Regulation and
  2. the processing is carried out using automated methods.

In exercising this right, you are also entitled to request that the personal data concerning you be transferred directly from one data controller to another, if technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability shall not apply to processing of personal data necessary for performing a public interest task or to exercising of official authority conferred on the controller.

Right to object

At any time, you are entitled to object to, for reasons arising from your situation, the processing of personal data concerning you pursuant to the Article 6 para.1e or f of the General Data Protection Regulation; this also applies to profiling based on these provisions.

The data controller shall not process your personal data any longer, unless they can prove compelling reasons for the processing, which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.

If your personal data is processed for direct marketing purposes, you have the right to object to the processing of the personal data for the purpose of such advertising at any time; this also applies to profiling if it is associated with such direct marketing.

If you object to the processing for direct marketing purposes, the personal data concerning you shall no longer be processed for these purposes.

You have the possibility to exercise your right of objection in connection with the use of information society services by means of automated procedures using technical specifications – irrespective of the Directive 2002/58/EC.

Right to revoke the data protection declaration

You are entitled to revoke your data protection declaration of consent at any time. The revocation of the declaration of consent shall not affect the legality of the processing carried out on the basis of the consent prior to revocation.

Automatic decision in individual cases including profiling

You are entitled to not be subject to a decision based exclusively on automated processing, including profiling, which has legal effect on you or significantly affects you in a similar manner. It does not apply if the decision

  1. is necessary for the conclusion or performance of a contract between you and the person responsible,
  2. is admissible pursuant to the law of the European Union or of the member states which the person responsible is subject to and that law contains appropriate measures to safeguard your rights, freedoms and legitimate interests, or
  3. followed your express consent.

However, these decisions are not to be based on special categories of personal data pursuant to Article 9 para.1 of the General Data Protection Regulation, unless Article 9 para.2a or g apply, and appropriate measures had been taken to protect your rights and freedoms and your legitimate interests.

With regard to the cases mentioned in a. and c., the person responsible shall take appropriate measures to protect the rights and freedoms as well as your legitimate interests, at least including the right to obtain the intervention of a person by the person responsible, to state their own position and to appeal against the decision.

Right of appeal with a regulatory authority

Regardless of any other administrative or legal remedy, you are entitled to appeal to a regulatory authority, in particular in the member state of your residence, place of work or where suspected infringement has taken place, if you believe that the processing of personal data concerning you violates against the General Data Protection Regulation.

The supervisory authority which the complaint has been filed with shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Article 78 of the General Data Protection Regulation.

Use of the data by external service providers

In order to provide its services, SAP UCC also works with external service providers. For this purpose, it is necessary that the personal data stored by SAP UCC be forwarded to these external service providers. This data transfer serves exclusively to ensure the provision of the SAP UCC services and to support our users. Personal data is not disclosed for other purposes (e.g.: marketing).

Contact

Should any questions occur, feel free to contact us under dataprivacy@ucc.ovgu.de.