Data Protection Declaration of Johannes Gutenberg University Mainz

Johannes Gutenberg University Mainz (JGU) takes the protection of personal data very seriously. We collect and process our website users' personal data according to the General Data Protection Regulation (GDPR), the State Data Protection Act (Landesdatenschutzgesetz (LDSG)), and, if applicable, according to the Federal Data Protection Act (Bundesdatenschutzgesetz (BDSG)).

We neither publish your data nor pass them on to third parties unauthorized. The following text will explain which data are collected during your visit to our website and how the data are used.

 

I. Controller contact details

The controller, according to the definition of the General Data Protection Regulation (GDPR), national data protection laws of the Member States, and other provisions of data protection law, is: 

Johannes Gutenberg University Mainz (JGU)
represented by the President
Professor Dr. Georg Krausch
Saarstraße 21
55122 Mainz, GERMANY
phone: +49 6131 39-0
fax: +49 6131 39-22919
email: 
website: http://www.uni-mainz.de/eng

 

II. Data Protection Officer contact details

JGU Data Protection Officer
phone: +49 6131 39-25382
fax: +49 6131 39-20709
email: 
website: https://www.verwaltung.zentrale-dienste.uni-mainz.de/datenschutz/ [in German]

 

III. General information on data processing / Data Protection Declaration

1. Extent of personal data processing

As a rule, we process personal data only as far as it is necessary in order to provide a functional website as well as our content and services. We process our users' personal data only with their consent or if processing is permitted by law.

2. Legal basis for the processing of personal data

Provided we have the user's consent to process their personal data, Art. 6 Subsection 1 Lit. a of the GDPR is the legal basis for the processing.

When the processing of personal data is necessary for the fulfillment of a contract JGU is party to, Art. 6 Subsection 1 Lit. b of the GDPR is the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual tasks and measures.

Insofar as the processing of personal data is necessary to fulfill a legal obligation to which JGU is subject, Art. 6 Subsection 1 Lit. c of the GDPR is the legal basis. 

When the processing of personal data is necessary for carrying out a task in the public interest or for exercising official authority, Art. 6 Subsection 1 Lit. e of the GDPR is the legal basis.

3. Deletion of data and storage period

The subject's personal data will be deleted or locked once the purpose for which they were collected and stored ceases to apply. Personal data may be stored beyond that period if such storage was intended by European or national legislators in EU regulations, laws, or other rules the controller is subject to.

4. Links to other providers' websites

This JGU Data Protection Declaration is valid for the websites of the "uni-mainz.de" domain wherever JGU is responsible for matters of data protection. If cross-references (links) are made to content from other providers, their data collection and data use may be based on principles other than those presented here. Such cross-references within the uni-mainz.de domain are marked with the "external link" ("Externer Link") tooltip and/or the symbol  .

You can find information on who is responsible for the proffered information of a website in the relevant website’s site information.
 

5. Transfer of personal data to third parties

Personal data processed based on using the websites of JGU are, as a rule, not transferred to third parties. The transfer of personal data might take place in individual cases on the basis of legal permission.

As a rule, no personal data are transferred to countries outside of the European Economic Area (EEA) and associated countries (no "third-country transfer" ("Drittlandtransfer")). If such a transfer should become necessary, we will inform you.

6. Information to be provided according to Art. 13 Subsection 2 Lit. e GDPR

As a rule, you are neither contractually nor legally obligated to share personal data on JGU websites. However, if you do not share certain data, the websites might only serve limited or no use.

 

IV. Provision of the website and creation of log files

1. Description and extent of data processing

Every time a user accesses our website, our system automatically collects data in the form of a log file. The following data are collected and stored until they are automatically deleted:

  • the user's IP address;
  • the date and time of access;
  • the name, URL, and transferred amount of data of the accessed file;
  • the access status (file transmitted, file not found, etc.);
  • information on the user's browser type and operating system;
  • the website from which the user's system accessed our website; and
  • the user's login name if internal JGU websites were accessed by a logged-in user.

2. Legal basis

Data processing is necessary for informing the public of the public tasks performed by JGU according to Art. 6 Subsection 1 Lit. e and Subsection 3 of the GDPR in conjunction with §2 Subsection 8 of the Rhineland-Palatinate University Act (Hochschulgesetz Rheinland-Pfalz (HochSchG)).

3. The purpose of data processing

Processing the collected data occurs in order to guarantee the use of our website (connection establishment), system security, and the technical administration of the network infrastructure as well as to optimize our website (error analysis). IP addresses are evaluated only in case the JGU network infrastructure is being or has been attacked.

4. Storage period

The data will be deleted once the purpose for which they were collected and stored ceases to apply. The data collected for accessing and using the website will be deleted when the respective session has ended. IP addresses are stored for 7 days for identification purposes in case of a cyber attack. If attacks and malfunctions are pursued beyond that period, the data resulting from the access will be stored until the relevant procedure is completed.

5. Right to object and deletion of data

The collection of data for the provision of the website and the storage of data in log files is necessary for the operation of the website. Consequently, the user has no option to object.

 

V. Use of cookies

1. Description and extent of data processing

Cookies are text files stored in the Internet browser or by the Internet browser on the user’s computer system. If a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a characteristic string of information that enables clear identification of the browser when the website is accessed again.

Furthermore, so-called temporary cookies are used when accessing individual websites. These session cookies contain the following personal data:

  • language settings and
  • login information.

These are usually automatically deleted at the end of the session when you close your browser. Only the language settings are transmitted again the next time you access the website.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies required for technical reasons is Art. 6 Subsection 1 Lit. e of the GDPR in conjunction with § 2 Subsection 8 of the Rhineland-Palatinate University Act (Hochschulgesetz Rheinland-Pfalz (HochSchulG)).

3. Purpose of data processing

The purpose of using cookies required for technical reasons is to simplify the use of the website for users. Some features of our websites cannot be run properly without the use of cookies.

We need cookies for the following applications:

  • transfer of language settings and
  • user login for internal JGU websites.

As a rule, we do not use analysis cookies or programs that are used to generate user profiles by tracing the actual surfing habits on the individual pages.

For other JGU websites (faculties, departments, institutes, student councils, central institutions and facilities, etc.), different regulations may apply. These are explained in the respective data protection declarations of the individual websites, as we do not carry out any analysis of user habits by default.

4. Storage period, right to object, and deletion of data

Cookies are stored on the user’s computer and from there transmitted to our website. Consequently, the user has full control over the use of cookies. By changing the settings in your Internet browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the full range of site features.

 

VI. Newsletters, press mailing list

1. Description and extent of data processing

On our website, you may subscribe to free newsletters. For this, we require the email address the relevant newsletter should be sent to.

If you, as a media representative, would like to be added to the central JGU press mailing list, please contact our Press and Public Relations Office. Here you need to provide your email address so we can send you our JGU press information via email.

2. Legal basis for data processing

By providing your personal data and allowing its subsequent transmission when signing up for a newsletter or the press mailing list, you consent to its processing. The legal basis is Art. 6 Subsection 1 Lit. a of the GDPR.

3. Purpose of data processing

The user's email address is used for delivering the relevant newsletter or press information.

4. Storage period

The data will be deleted once the purpose for which they were collected and stored ceases to apply. The user’s email address will be stored until the user unsubscribes from the relevant newsletter or the press mailing list.

5. Right to object and deletion of data

You can unsubscribe from all newsletters and/or the press mailing list at any time.

 

VII. Internal websites

1. Extent and processing of personal data

In the case of access-protected internal JGU websites, i.e., information platforms accessible only to university members and members of staff, the following personal data are collected from logged-in, registered users (students, staff, members of the university with a user account) while they are accessing the websites:

  • the user‘s name and
  • the user account’s email address.

2. Legal basis for the processing of personal data

By providing the requested data and submitting them when registering, you consent to their processing. The legal basis is Art. 6 Subsection 1 Lit. a of the GDPR.

3. Purpose of data processing

The collection of data serves to enable the use of access-restricted websites (connection establishment and authentication), to support system security and the technical administration of the network infrastructure as well as to optimize our services.

4. Storage period

The data will be deleted once the purpose for which they were collected and stored ceases to apply. This is the case when the user logs out or closes the Internet browser.

 

VIII. Rights of the data subject

If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

1. Right of access according to Art. 15 Subsection 1 GDPR

You have the right to obtain confirmation from the controller regarding whether or not your personal data is being processed. If it is, you have the right to obtain the following information:

a) the purposes of the processing;
b) the categories of personal data concerned;
c) the recipients or categories of recipient to whom the personal data have been or will be disclosed;
d) the envisaged period of time for which the personal data will be stored, or, if a period of time cannot be determined, the criteria used to determine that period;
e) the existence of the right to request rectification or erasure of your personal data or restriction of processing of personal data or to object to such processing;
f) the right to lodge a complaint with a supervisory authority; and
g) where the personal data were not collected from you directly, any available information as to their source.


This right to access may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

2. Right to rectification Art. 16 GDPR

You have the right to demand the rectification of inaccurate or incomplete personal data by the controller without undue delay.

This right may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

3. Right to restriction of processing Art. 18 GDPR

You have the right to obtain from the controller restriction of processing of your personal data where one of the following applies:

a) You contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data.
b) The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
c) The controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise, or defense of legal claims.
d) You have objected to processing pursuant to Art. 21 Subsection 1 of the GDPR and the verification of whether the controller's legitimate grounds override yours is pending.

Where processing of your personal data has been restricted, such personal data can only be processed with your consent or for the establishment, exercise, or defense of the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data will still be stored.

If the processing of your personal data was restricted according to the above-mentioned conditions, you will be informed by the controller before the restriction of processing is lifted.

This right may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

4. Right to erasure Art. 17 GDPR

A) Obligation to erase data

You have the right to demand that the controller erases your personal data without undue delay. The controller is obligated to erase the data without undue delay where one of the following grounds applies:

a) The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) You withdraw the consent on which the processing is based according to Art. 6 Subsection 1 Lit. a of the GDPR and there is no other legal ground for the processing;
c) You object to the processing pursuant to Art. 21 Subsection 1 of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 2 Subsection 2 of the GDPR;
d) Your personal data have been unlawfully processed.
e) your personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.


B) Exceptions

The right to erasure does not apply where the processing is necessary

a) for exercising the right of freedom of expression and information;
b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
c) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Subsection 1 of the GDPR if in so far as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
d) for the establishment, exercise, or defense of legal claims.

5. Notification obligation Art. 19 GDPR

If you asserted your right to rectification or erasure of personal data or restriction of processing vis-à-vis the controller, the controller is obligated to inform each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller about those recipients.

6. Right to data portability Art. 20 GDPR

You have the right to receive your personal data, which you provided to the controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit the data to another controller without hindrance from the controller to whom the personal data have been provided, where

  • the processing is based on consent pursuant to Art. 6 Subsection 1 Lit. a of the GDPR or Art. 9 Subsection 2 Lit. a of the GDPR, and
  • the processing is carried out by automated means.

Furthermore, in exercising the right to data portability, you have the right to have your personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons shall not be adversely affected by such transmission.

The right to data portability does not apply to processing of personal data necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller.

7. Right to object Art. 21 GDPR

You have the right to object to processing of your personal data on grounds relating to your particular situation according to Art. 6 Subsection 1 Lit. e of the GDPR at any time. This includes profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 Subsection 1 of the GDPR, you have the right to object to processing of your personal data on grounds relating to your particular situation.

Your right to object may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

8. Right to withdraw consent Art. 7 Subsection 3 GDPR

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority Art. 13 Subsection 2 Lit. d GDPR

Without prejudice regarding any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint was lodged informs the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.

The responsible supervisory authority is

The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information
(Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz)

Hintere Bleiche 34
55116 Mainz, GERMANY
phone: +49 6131 208-2449
fax: +49 6131 208-2497
email:

 

IX. Current relevance and validity of the JGU Data Protection Declaration

This JGU Data Protection Declaration is currently valid and dated February 14, 2020.

In the course of the further development of our websites and the implementation of new technology, it might become necessary to change the JGU Data Protection Declaration. Johannes Gutenberg University Mainz reserves the right to change its Data Protection Declaration at any time, affecting future handling of data. We recommend reading the current declaration from time to time.

Please note:
The websites of other JGU institutions (faculties, departments, institutes, student councils, central institutions, etc.) might follow other rules. These are specified and explained in the relevant data protection declarations of the individual websites.

 

***Please note that only the German version of the JGU Data Protection Declaration is legally binding. The English version is for information purposes only.***