Privacy Policy
I. Contact Details
Pursuant to the General Data Protection Regulation, national data protection laws of the various Member States, and other privacy regulations, the responsible entity (“controller”) is:
Prof. Dr. Hannes Zacher
Arbeits- und Organisationspsychologie
Universität Leipzig
Neumarkt 9
04109 Leipzig
Phone: +49 341 97-35932
Fax: +49 341 97-35933
Email: hannes.zacher@uni-leipzig.de
II. Data Protection Officer Contact Details
The contact details of the data protection officer of Leipzig University are:
Universität Leipzig
04109 Leipzig
Deutschland
Phone: +49 341 97-30081
Email: dsb@uni-leipzig.de
III. Technical Implementation of the Website
The technical implementation of the website is carried out internally by the Leipzig University Computing Center (URZ):
Augustusplatz 10
04109 Leipzig
Email: urz@uni-leipzig.de
IV. General Information on Data Processing
1. Scope of Processing Personal Data
We process personal data of our users – including yours – generally only to the extent necessary to provide a functional website and our content and services.
The processing of personal data of our users is typically conducted only after their prior consent. An exception applies in cases where obtaining prior consent is not possible for factual reasons and/or the processing of the data is permitted by legal regulations.
2. Legal Basis for the Processing of Personal Data
If we obtain the consent of the data subject for the processing of personal data, Article 6(1) sentence 1 letter a) of the GDPR serves as the legal basis.
In instances in which the processing of personal data is necessary for the performance of a contract to which the data subject is a party, Article 6(1) sentence 1 letter b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the execution of pre-contractual measures.
If the processing of personal data is necessary to comply with a legal obligation to which Leipzig University is subject, Article 6(1) sentence 1 letter c) of the GDPR serves as the legal basis. For example, the storage of personal data may occur if mandated by European or national legislation in EU regulations, laws, or other provisions to which Leipzig University is subject.
If processing personal data is necessary to protect the vital interests of the data subject or another natural person, Article 6(1) sentence 1 letter d) of the GDPR serves as the legal basis.
Article 6(1) sentence 1 letter e) of the GDPR serves as the legal basis for the processing of data if such processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
If the processing is necessary to protect the legitimate interests of Leipzig University or a third party, and the interests, fundamental rights, and freedoms of the data subject do not outweigh these legitimate interests, Article 6(1) sentence 1 letter f) of the GDPR serves as the legal basis for such processing. While Article 6(1) sentence 1 letter f) of the GDPR does not apply to data processing by authorities in the performance of their duties, it does apply to tasks transferred by law, particularly in the context of administrative and service-related interventions. Therefore, when authorities act in a private law capacity, i.e., as equal partners in legal relations, the application of Article 6(1) sentence 1 letter f) of the GDPR is not excluded. This particularly applies to the public relations activities of Leipzig University.
3. Retention Period (Data Deletion)
The personal data we process will be deleted or blocked as soon as the purpose of the data processing (e.g., storage) no longer applies, i.e., when the processing is no longer necessary for the intended purpose and there are no legal retention obligations preventing deletion.
For example, if the data processing is based on a legal obligation as per Article 6(1) sentence 1 letter c) of the GDPR, the personal data will be blocked or deleted once the retention period prescribed by the relevant regulations has expired.
Data will also not be deleted if further storage is necessary, for example, for the conclusion of a contract or the fulfillment of a contract, thereby providing an alternative legal basis for data processing (e.g., Article 6(1) sentence 1 letter b) of the GDPR).
4. Legal/Contractual Obligations for the Provision of Personal Data and Consequences of Non-Provision
We inform you that the provision of personal data may, in part, be legally required or arise from contractual agreements. For instance, when entering into a contract, it is typically necessary for the data subject to provide personal data, which must subsequently be processed by us. This includes, for example, the obligation to provide personal data as part of a contract conclusion. Failure to provide personal data may result in the inability to conclude the contract with the data subject.
Before the provision of personal data by the data subject as outlined above, you can contact us, preferably via the contact details provided above. In such cases, we will inform you on a case-by-case basis whether the provision of personal data is legally or contractually required or necessary for the conclusion of the contract. We will also clarify whether there is an obligation to provide personal data and the consequences of failing to provide such data.
5. Disclosure of Personal Data to Third Parties
The processing of personal data is conducted only by the following natural/legal persons: Leipzig University. This also includes individuals who are authorized under the direct responsibility of Leipzig University to process personal data, such as employees of Leipzig University. Disclosure of personal data to third parties – i.e., natural or legal persons, authorities, institutions, or other entities, excluding the data subject, the controller, and any existing processors – generally does not take place unless there is a legal obligation to which Leipzig University is subject (e.g., investigations by law enforcement or state security authorities).
V. Provision of the Website and Creation of Log Files
1. Description and Scope of Data Processing
Each time our website is accessed, our server systems automatically collect data and information from the user’s computing system, meaning from your computer as well.
In principle, the following data is collected:
- IP address of the accessing computer,
- Fully retrieved web page addresses (hostname and path),
- Any form entries made*.
Depending on your browser’s configuration, the following additional data may also be transmitted:
- Browser name and version, as well as the user’s operating system,
- Preferred language of the content,
- Possible data compression methods,
- The website from which the user’s system reached the requested document (the so-called referrer URL in the HTTP standard).
The mentioned data (except for those marked with *) is also stored, though only temporarily, in the logfiles of our systems. In the logfiles, the following information is additionally recorded:
- Date and time of access,
- Query status, duration, and amount of data transferred.
There is no storage or merging of this data with other personal data of the user.
2. Legal Basis for Data Processing
The legal basis for the collection and temporary storage of data and logfiles is Article 6(1) sentence 1 letter f) of the GDPR (safeguarding a legitimate interest). Additionally, Article 6(1) sentence 1 letter c) of the GDPR in conjunction with § 12 TDDDG also permits data storage.
3. Purpose of Data Processing
The temporary storage of data, including the IP address, by the system is necessary to enable the delivery of our website to the user’s computer. For this, the user’s IP address must remain stored for the duration of the session.
The storage in logfiles is done to ensure the functionality of our website for you. Additionally, the data is used to optimize the webpages and to maintain the security of our information technology systems. The data will not be analyzed for marketing purposes in this context.
Our legitimate interest in data processing is also based on these purposes according to Article 6(1) sentence 1 letter f) of the GDPR. The interests or fundamental rights and freedoms of the data subject, which require the protection of personal data, do not override this. Furthermore, data storage for the defense against disruptions to the telecommunications system is explicitly permitted by Article 6(1) sentence 1 letter c) of the GDPR in conjunction with § 12 TDDDG.
4. Security of Data Processing
Taking into account the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, Leipzig University has implemented appropriate technical and organizational measures to protect your personal data and to ensure an adequate level of protection when providing the website services.
For this purpose, our web servers prioritize transport encryption via HTTP Strict Transport Security (HSTS). You can recognize this by the transmission protocol “Hypertext Transfer Protocol Secure” (shown as https:// in your address bar) and, for example, the lock symbol in your browser’s address bar. Currently, TLS 1.2 is required as the minimum standard. By also supporting older encryption standards, we ensure that as large a number of visitors as possible can access our website. Encryption algorithms deemed insecure are and will be disabled.
5. Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purpose for which it was collected. In the case of data collected to provide the website, this occurs when the respective session has ended. You end the session by completely closing your browser, meaning not just closing the relevant tab.
In the case of data stored in logfiles, deletion/anonymization occurs monthly. Any further storage in non-anonymized form will only take place, with relevant data reduced, to fulfill investigative requests. Additionally, further storage is possible. In such cases, however, the IP addresses of users will be deleted or altered/anonymized so that the identification of the accessing client is no longer possible under any circumstances.
6. Right to Object and Right to Erasure
In the case of processing of your personal data based on Article 6(1) sentence 1 letter e) (public interest or public authority) or letter f) of the GDPR (legitimate interest), you have the right to object at any time, for reasons arising from your particular situation (see also under Right to Object).
However, the collection of data to provide the website and the storage of data in logfiles is, as described above, absolutely necessary for the operation of Leipzig University’s website. Therefore, if you exercise your right to object but still access our website, there are overriding legitimate reasons for the data processing that outweigh the interests, rights, and freedoms of the data subject – you – and thus limit the possibility of objection, meaning your personal data can still be processed according to Article 21(1) sentence 2 of the GDPR.
VI. Contacting Us
1. Description and Scope of Data Processing
If a user takes the opportunity to contact us, e.g., via the provided email addresses, contact form, phone, or social media, the personal data provided during the contact process will be transmitted to us and, if necessary, stored.
To process the contact request via a contact form, certain information must be provided in the input mask:
- Your email address,
- Your name,
- Your inquiry,
- Confirmation of the privacy policy.
At the time of sending the message, these mandatory fields, along with any other details from the contact form and the data already listed under “Provision of the Website and Creation of Logfiles,” will be transmitted and sent by email to the author of the contact form.
Your consent will be obtained for the processing of the data as part of the submission process, and the privacy policy will generally be referenced. In this context, there will be no transfer of data to third parties. The data will be used solely for processing the conversation, i.e., specifically to address your inquiry. Additionally, your personal data may be stored in a Customer Relationship Management system (CRM system) or another database.
2. Legal Basis for Data Processing
The legal basis for processing the data is, if the user has given consent, Article 6(1) sentence 1 letter a) of the GDPR. The legal basis for processing the data transmitted during other types of contact (e.g., via email, phone, etc.) is Article 6(1) sentence 1 letter f) of the GDPR (legitimate interest). If the contact is aimed at concluding a contract, the legal basis for processing is Article 6(1) sentence 1 letter b) of the GDPR.
3. Purpose of Data Processing
The processing of personal data from the communication is solely for processing your contact request. This regularly includes the necessary legitimate interest in processing the data as per Article 6(1) sentence 1 letter f) of the GDPR. Your personal data will not be shared with third parties without your consent.
Other personal data processed during the submission of the contact form is used to prevent misuse of the contact form and to ensure the security of our information technology systems.
4. Duration of Storage
The data will be deleted as soon as it is no longer needed for the purpose for which it was collected. For personal data from communication with us, this is typically the case when the respective conversation with the user is concluded. The conversation is considered concluded when it is clear from the circumstances that the issue has been resolved.
Further processing purposes may justify longer processing, such as storage in a Customer Relationship Management (CRM) system for ongoing contact management, or storage due to legal requirements.
The data will also be deleted if you exercise your right to deletion or withdraw your consent, provided that the data processing is based on consent. The above applies unless mandatory legal provisions justify further data processing. In such cases, the legal deletion/retention periods apply.
In the case of personal data collected during the submission of the contact form being stored in logfiles, the deletion/anonymization occurs after six months. Any further storage in non-anonymized form is only done, with relevant data reduced, to fulfill investigative requests. Further storage is also possible. In such cases, however, the IP addresses of users will be deleted or altered/anonymized so that identification of the accessing client is no longer possible under any circumstances.
5. Right to Object/Withdraw and Deletion
The consent, if given, is voluntary, i.e., free from coercion or pressure, and can be withdrawn at any time in whole or in part, without undue disadvantage, with effect for the future. To exercise your right to withdraw, please send us an email to the email address of our data protection officer. Withdrawing your consent and the subsequent deletion of all personal data stored during the contact process does not affect the legality of the processing carried out based on consent until the withdrawal.
If the data processing is for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Article 6(1) sentence 1 letter e) of the GDPR) or based on a legitimate interest (Article 6(1) sentence 1 letter f) of the GDPR), you have the right to object at any time under Article 21 of the GDPR, for reasons related to your particular situation (see also under Right to Object). In this case, Leipzig University will no longer process the personal data, unless it can demonstrate compelling legitimate grounds for processing that override the interests, rights, and freedoms of you as the data subject, or the processing serves the assertion, exercise, or defense of legal claims.
In the event of a withdrawal or objection, communication with you cannot be continued, as all personal data stored during the contact process will typically be deleted.
VII. Use of External Web Services
This website uses the Google Maps service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. With this service, we can embed map material on our website.
To use the functions of Google Maps, it is necessary to store your IP address. This information is typically transferred to a server of Google in the USA and stored there.
The provider of this page has no influence on this data transmission. When Google Maps is activated, Google may use Google Fonts to ensure uniform font display. When accessing Google Maps, your browser loads the required web fonts into its browser cache to display text and fonts correctly.
The use of Google Maps is in the interest of an appealing presentation of our online offers and to facilitate the easy location of the places we specify on the website. This constitutes a legitimate interest within the meaning of Article 6(1) letter f) of the GDPR. If consent has been requested, the processing is carried out solely based on Article 6(1) letter a) of the GDPR and § 25(1) of the TDDDG, provided the consent includes the storage of cookies or access to information on the user’s device (e.g., device fingerprinting) as defined by the TDDDG. The consent can be revoked at any time.
Data transmission to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:
https://privacy.google.com/businesses/gdprcontrollerterms/
https://privacy.google.com/businesses/gdprcontrollerterms/sccs/
For more information about the handling of user data, please refer to Google’s privacy policy:
https://policies.google.com/privacy?hl=en
The company is certified under the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA, which aims to ensure compliance with European data protection standards in data processing in the USA. Every company certified under the DPF commits to adhering to these data protection standards. Further information can be found at the provider’s link here:
https://www.dataprivacyframework.gov/participant/5780
VIII. Rights of the Data Subject
If personal data is processed about you, you are considered a data subject under the GDPR, and you have the following rights against the University of Leipzig (the controller). To assert your rights against the University of Leipzig or for any further questions regarding data protection, you can contact our Data Protection Officer at any time.
All notifications and actions according to Articles 15 to 22 (including the right to access, rectification, deletion, restriction of processing, notification, data portability, objection rights) and Article 34 GDPR (notification of data breaches) will be provided free of charge. In the case of clearly unfounded or – especially in cases of frequent repetition – excessive requests from a data subject, the controller may either charge a reasonable fee, considering administrative costs for providing the information or implementing the requested action, or refuse to act on the request. However, in such cases, the University of Leipzig must prove the clearly unfounded or excessive nature of the request.
Additionally, it is pointed out that restrictions on the rights of the data subject exist according to Sections 7-10 of the Saxon Data Protection Act (SächsDSDG). This affects, among other things, the right to deletion and access, as well as the information obligations towards the data subjects.
1. Right to Access
You can request confirmation from the controller whether personal data concerning you is being processed. If such processing occurs, you can request the following information from the controller:
- The purposes of processing;
- The categories of personal data being processed;
- The recipients or categories of recipients to whom the personal data has been or will be disclosed, particularly if recipients are in third countries or international organizations;
- If possible, the planned duration for which the personal data will be stored, or if that is not possible, the criteria used to determine that duration;
- The existence of a right to rectification or deletion of personal data concerning you, or the right to restriction of processing by the controller, or the right to object to such processing;
- The existence of a right to lodge a complaint with a supervisory authority;
- If the personal data has not been collected from you, all available information about the source of the data;
- The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) GDPR and, at least in such cases, meaningful information about the logic involved, as well as the scope and consequences of such processing for the data subject.
The controller processes a large amount of information about data subjects, so you will be required to specify which information or processing activities your access request relates to before access is granted, as stated in sentence 7 of Recital 63 of the GDPR.
If personal data is transferred to a third country or international organization, you also have the right to be informed about the appropriate safeguards under Article 46 GDPR in connection with the transfer.
2. Right to Rectification
You have the right to request the controller to immediately rectify any inaccurate personal data concerning you. Taking into account the purposes of processing, you also have the right to request the completion of incomplete personal data – including by means of a supplementary statement.
3. Right to Deletion
a) Obligation to delete, Article 17 GDPR (“Right to be Forgotten”)
You can request the controller to delete personal data concerning you immediately. The controller is also obligated to delete such data immediately if one of the following reasons applies:
- The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the processing is based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and there is no other legal basis for the processing;
- You object to the processing under Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing under Article 21(2) GDPR;
- The personal data concerning you has been processed unlawfully;
- The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of a member state to which the controller is subject;
- The personal data concerning you was collected in relation to the offered information society services in accordance with Article 8(1) GDPR.
b) Information to Third Parties
If the controller has made personal data concerning you public and is required to delete it under Article 17(1) GDPR, the controller will, taking into account available technology and implementation costs, take reasonable measures, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the deletion of all links to, or copies or replications of, such personal data.
c) Exceptions to the Right to Deletion
The right to deletion does not apply to the extent that processing is necessary:
- For exercising the right to freedom of expression and information;
- For fulfilling a legal obligation that requires processing under Union or member state law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- For reasons of public interest in the area of public health under Article 9(2)(h) and (i) and Article 9(3) GDPR;
- For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes under Article 89(1) GDPR, to the extent that the “Right to be Forgotten” is likely to prevent or seriously impair the achievement of the objectives of such processing;
- For the establishment, exercise, or defense of legal claims.
4. Right to Restriction of Processing
Under the following circumstances, you may request the restriction of processing of personal data concerning you:
- If you contest the accuracy of the personal data for a period that allows the controller to verify the accuracy of the personal data;
- If the processing is unlawful and you oppose the deletion of the personal data and instead request the restriction of its use;
- If the controller no longer needs the personal data for processing purposes, but you require it for the establishment, exercise, or defense of legal claims;
- If you have objected to the processing under Article 21(1) GDPR, and it has not yet been determined whether the legitimate grounds of the controller override your rights and freedoms.
Once the processing of personal data has been restricted under the above conditions, such data – apart from its storage – can only be processed with your consent or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or a member state.
5. Right to Notification
The controller is required to inform all recipients to whom your personal data has been disclosed of any rectification or deletion of the personal data or restriction of processing under Articles 16, 17(1), and 18 GDPR, unless this proves impossible or involves a disproportionate effort. The controller will inform the data subject of these recipients if the data subject requests it.
6. Right to Data Portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used, and machine-readable format (e.g., PDF, CSV). Additionally, you have the right to transmit such data to another controller without hindrance from the controller to whom the personal data was provided, provided that:
- The processing is based on consent under Article 6(1)(a) GDPR or Article 9(2)(a) GDPR or on a contract under Article 6(1)(b) GDPR; and
- The processing is carried out by automated means.
In exercising this right, you have the right to request that the personal data concerning you be transmitted directly from one controller to another, where technically feasible. The rights and freedoms of other persons must not be affected by this.
7. Right to Object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) (public interest or exercise of official authority) or (f) (legitimate interests) of the GDPR; this also applies to profiling based on these provisions. The controller will no longer process personal data concerning you, unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
8. Right to Withdraw Consent
You have the right to withdraw your data protection consent at any time. The withdrawal of consent is as easy as granting it, particularly concerning formal requirements, so that generally an informal communication via email suffices. The withdrawal of consent does not affect the legality of the processing based on the consent until the withdrawal.
9. Automated Individual Decision-Making, including Profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision is:
- Necessary for the performance of a contract between you and the controller;
- Authorized by Union or member state law to which the controller is subject, and that law provides for suitable measures to safeguard your rights and freedoms and legitimate interests;
- Based on your explicit consent.
10. Right to Lodge a Complaint with a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the member state of your residence, workplace, or the place of the alleged infringement, if you believe the processing of personal data concerning you is in violation of data protection law.
The competent supervisory authority in the Free State of Saxony is, pursuant to Article 51 GDPR in conjunction with Sections 14 et seq. of the SächsDSDG:
Saxon Data Protection and Transparency Officer
Dr. Juliane Hundert
Devrientstraße 5
01067 Dresden
Phone: +49 351 85471-101
Fax: +49 351 85471-109
The supervisory authority with which the complaint has been lodged will inform the complainant about the status and outcomes of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.