I. Name and address of the Data Controller

The Data Controller for the purposes of the General Data Protection Regulation (hereinafter: GDPR) and other national data privacy laws and regulations is defined as follows:

Hochschule Aalen – Technik und Wirtschaft;
Aalen University - Technology and Economics (hereinafter: HS Aalen) Beethovenstr. 1
73430 Aalen, Germany
represented by its Rector

Phone: +49 (0)7361 576-0
E-Mail: info@hs-aalen.de
Website: www.hs-aalen.de

II .Contact details of the Data Protection Officer

Aalen University
Beethovenstr. 1
73430 Aalen, Germany

E-Mail: datenschutz@hs-aalen.de
Website: www.hs-aalen.de

III. General information on data processing

1. Scope of processing Personal Data (hereinafter: Personal Data)

We will process Personal Data of Data Subjects (hereinafter: Subjects) only insofar as the provision of a functional website and our content and services requires. Personal Data of our Subjects are regularly processed only with the consent of the Subject. An exception applies in cases where prior consent is not possible and the processing of Personal Data is permitted by legal regulations.

2. Legal background for processing Personal Data

• •Insofar as we obtain the consent of Subjects for the processing of Personal Data, Art. 6 (1) a) GDPR constitutes the legal background.
• In the case of processing Personal Data required for the performance of a contract to which the Subject is a party, Art. 6 (1) b) GDPR constitutes the legal background. The previous also applies to processing operations required for the performance of pre-contractual measures.
• Insofar as processing Personal Data is the prerequisite of the fulfilment of a legal obligation to which HS Aalen is subject, Art. 6 (1) c) GDPR constitutes the legal background.
• In the event that any vital interests of the Subject or another individual require the processing of Personal Data, Art. 6 (1) d) GDPR constitutes the legal background.
• Art. 6 (1) e) GDPR is the legal basis for the necessary processing of Personal Data for the performance of a task in the public interest or in the execution of official authority vested in HS Aalen.

3. Data deletion and storage period

Any Personal Data of Subjects shall be deleted or blocked as soon as the purpose of processing no longer applies. Any further processing shall only take place if provided for by the European or national legislator. Personal Data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage for the purpose of the conclusion or fulfilment of a contract.

IV. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects Personal Data and information from the computer system of the accessing computer. The following Personal Data are collected:

• Name and URL of the accessed website
• File
• Date and time of the call
• Message regarding incorrect call (error log)
• Browser type and version
• OS of the Subject
• Referrer URL (the previously visited page)
• IP address

2. Legal basis for data processing

The legal background for the temporary storage of Personal Data (and the log files) is as follows:

• Consent of the Subject according to Art. 6 (1) a) in conjunction with Art. 7 GDPR (EU Data Protection Regulation).
• To fulfil the public tasks of our University according to Art. 6 (1) e) GDPR.
• Insofar as processing Personal Data is the prerequisite of the fulfilment of a legal obligation, Art. 6 (1) c) GDPR constitutes the legal basis.
• To ensure the operational security of our web offer as well as to optimise the presentation of answers on your computer according to Art. 6 (1) c) in conjunction with. Art. 32 (1) GDPR: IP address, end device details, HTTPS cookie.
• In the case of processing Personal Data required for the performance of a contract to which the Subject is a party, Art. 6 (1) b) GDPR constitutes the legal background. The previous also applies to processing operations required for the performance of pre-contractual measures.

3. Purpose of data processing

The temporary storage of the Personal Data referred to in para IV. 1. is necessary to enable the delivery of the website to the Subject’s computer and to ensure the functionality of the website. In addition, the Personal Data help optimise the website and ensure the security of our IT systems. An evaluation of the Personal Data for marketing purposes does not take place in this context.

4. Terms of storage

Personal Data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of Personal Data required for providing the website, these shall be deleted when the respective session has ended. In the case of processing Personal Data in log files, deletion shall be due after seven (7) days at the latest. Processing beyond this date is possible; in this case, the IP addresses of the Subjects will be deleted or anonymised so that they may no longer be assigned to the calling client.

5. Objection and removal option

The collection of Personal Data for the provision of the website (and the storage of Personal Data in log files) is mandatory for operating the website. Consequently, there is no possibility for objection on the part of the Subject.

VI. Contacting

When contacting Aalen University (e.g. via contact form or e-mail), the Subject's details will be processed for the purpose of processing the enquiry and in the event that any follow-up questions should arise.

VII. Guest WiFi

As a service for its guests, Aalen University provides free guest WiFi access (‘hotspot’).

If you would like to use the guest WiFi access, Aalen University requires the following data:

• Time and date of registration
• User name, password and IP address of the Subject
• First and last name of the Subject
• Expiry date of the guest WiFi access
• MAC address of the terminal device
• Device type
• Log files

Aalen University uses the data only for the free provision of the guest WiFi access (‘hotspot’). The data will be stored for up to seven (7) days and then deleted. Aalen University reserves the right, however, to check the data subsequently if there is a justified suspicion of unlawful use based on concrete evidence.

The Subject has the right to revoke his consent to the processing of data and its use for the free provision of guest WiFi access (‘hotspot’) at any time. Such revocation can be made by sending a message to the Contacts specified either in the specific consent statement or above.

VIII. Integration of third-party services and content

Third-party content (e.g. YouTube videos, maps from Google Maps, RSS feeds or graphics from other websites) may be integrated within the offer. This assumes that the providers of this content (hereinafter: Third-Party Providers) are aware of the IP address of the Subject. Without an IP address, content cannot be sent to the browser of the respective Subject. The IP address is required for the display of this content. Aalen University has no influence on whether or not the Third-Party Providers store the IP address, e. g. for statistical purposes. Insofar as Aalen University should become aware of any Third-Party Providers storing the IP address, Subjects shall be informed accordingly.

IX. Getty Images

Images of the stock image provider Getty Images can be integrated within this offer. The images can be recognised by a frame including a Getty Images reference. The display of these images requires Getty Images to perceive the IP address of the Subject so that the images can be supplied to the Subject's browser. The IP address is thus required for the display of this content. According to current knowledge, the IP address is only used for this purpose. However, Aalen University has no influence on whether Getty Images stores the IP address, e. g. for statistical purposes. Insofar as Aalen University should become aware of Getty Images storing the IP addresses, Subjects shall be informed accordingly. Further information can be found in the Privacy Policy of Getty Images: http://www.gettyimages.de/company/privacy-policy

X. Matomo

This offer uses Matomo, an open source software for statistical analysis of user access. Matomo uses ‘cookies’, i. e. text files placed on your computer, to help the website analyse how users use the site. Information generated by the cookie about the use of this offer is stored on the provider's server in Germany. The IP address is anonymised immediately after processing and before it is stored. Users can prevent the installation of cookies by setting their browser software accordingly. However, Aalen University of Applied Sciences points out that in this case not all functions of the offer can be used to their full extent.

XI. Social Plugins

This website uses Social Plugins. Currently, Social Plugins used are the plugins of the Facebook, Google+ and Twitter services. Via these plugins, data, including personal data, may be sent to these US-based service providers and possibly used by them.

1. Shariff social media buttons

In order to prevent data from being transferred to service providers in the USA without the Subject's knowledge, the offer uses the Shariff Solution. The Shariff Solution ensures that no personal data is initially passed on to the providers of the individual Social Plugins when the offer is used. Only when  the Subject actively clicks on one of the Social Plugin buttons can data be transmitted to the service provider and stored there.

Further information about the Shariff solution can be found on the pages of Heise Medien Gmbh & Co. KG: http://m.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html

2. Facebook

This offer uses Social Plugins from Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Facebook’). The list and appearance of Facebook Social Plugins can be viewed here: https://developers.facebook.com/docs/plugins/.

If the Subject actively clicks on a Facebook Social Plugin, the Subject’s browser will establish a direct connection with Facebook's servers. The content of the plugin is transmitted by Facebook directly to the Subject's browser, which then integrates it into the website. The provider, therefore, has no influence over the scope of data collected by Facebook using this plugin and therefore will inform Subjects according to its level of knowledge. By integrating the plugins, Facebook receives the information that a Subject has called up the corresponding page of the offer. If the Subject is logged in to Facebook, Facebook can assign the visit to the Subject’s Facebook account. When Subjects interact with the Facebook Social Plugin (e. g. by clicking the ‘Like’ button or posting a comment), the corresponding information will be transmitted directly from the Subject's browser to Facebook and stored on its servers. If a Subject is a Facebook member and does not want Facebook to collect data via this offer and link it to membership data stored on Facebook, this Subject must log out of Facebook before interacting with the Facebook Social Plugin. Further settings and objections to the use of data for advertising purposes are made available within the Facebook profile settings: https://www.facebook.com/settings. If a Subject is not a member of Facebook, it is still possible for Facebook to obtain and store the relevant IP address. According to Facebook, only an anonymised IP address is stored in Germany.

The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and settings options for protecting the privacy of Subjects, can be found in Facebook's privacy policy: https://www.facebook.com/about/privacy/.

3. Instagram

Provider: Facebook Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland Privacy Policy: https://help.instagram.com/155833707900388
Cookie Information: https://help.instagram.com/1896641480634370?ref=ig

4. Twitter

This offer uses the buttons of Twitter Inc., 795 Folsom St, Suite 600, San Francisco, CA 94107, USA (‘Twitter’). They are recognisable by terms such as ‘Twitter’ or ‘Follow’ combined with the symbolic image of a blue bird.

If the Subject actively clicks on the Twitter buttons, the Subject’s browser will establish a direct connection with Twitter's servers. The content of the buttons is transmitted by Twitter directly to the Subject's browser, which then integrates it into the website. The provider therefore has no power over the scope of data that Twitter collects using the buttons. According to Twitter, only the Subject's IP address and the URL of the respective website are transmitted and used exclusively to display the buttons.

Further information on the buttons of the Twitter service can be found in Twitter's privacy policy: http://twitter.com/privacy.

5. Youtube

Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Privacy Policy: https://policies.google.com/privacy
Cookie Information: https://policies.google.com/technologies/ads?hl=de

Opt-Out: https://adssettings.google.com/anonymous?hl=de&sig=ACi0TCiJxXvvKBloi2agYqXUJ4wynvlJkl YAPsz_wOZwSUspvMZl4kBzJhFORHem0ERdQR1S2YqYpM9z1j8524iEylUKxtZ5IQ

Specific information about YouTube accounts or channels: When you visit our YouTube channel, YouTube will process your personal data.

XII. Subject rights

1. Right of access

You may obtain confirmation from the Data Controller as to whether Personal Data relating to you is being processed by us. If such processing is taking place, you may obtain information from the Data Controller about the following:

• the purposes for which the Personal Data are processed;
• the categories of Personal Data processed;
• the recipients or categories of recipients to whom your Personal Data have been or will be disclosed;
• the planned duration of the storage of your Personal Data or, if specific information is not accessible, criteria for determining the storage period;
• the existence of a right to rectification or deletion of your Personal Data, a right to restriction of processing by the Data Controller or a right to object to such processing;
• the existence of a right of appeal to a regulatory authority;
• any available information about the origin of Personal Data if not collected from the Subject;
• the availability of automated decision-making including profiling pursuant to Art. 22 I and IV GDPR and - at least in these cases - meaningful information about the logic involved and the scope and intended effects of such processing for the Subject.

You have the right to obtain information about whether your Personal Data are transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Article 46 GDPR regarding the transfer.

This right of access may be limited insofar it is likely to render impossible or seriously impair the achievement of research or statistical purposes and such restriction is  necessary for the fulfilment of those purposes.

2. Right of rectification

You have the right of rectification and/or completion from the Data Controller if your Personal Data processed is inaccurate and/or incomplete. The Data Controller shall carry out the rectification and/or completion without undue delay.

This right may be limited insofar it is likely to render impossible or seriously compromise the achievement of research or statistical purposes and such limitation is necessary for the fulfilment of those purposes.

3. Right to restriction of processing

You may request the restriction of the  processing of your Personal Data  under the following conditions:

• If you contest the accuracy of your Personal Data for a period enabling the Data Controller  to verify it;
• The processing is unlawful and you object to the deletion of Personal Data and request the restriction of its use instead;
• The Controller no longer needs your Personal Data for processing, but you need it to assert, exercise or defend legal claims; or
• If you have objected to the processing pursuant to Art. 21 I GDPR and it has not yet been determined whether the legitimate interests of the Data Controller override your interests.

If processing your Personal Data has been restricted, these data may - apart from being stored - only be used with your consent or for the assertion, exercise or defence of legal claims or to protect the rights of another natural or legal person or for reasons of substantial public interest of the European Union or a Member State.

If processing has been restricted pursuant to above conditions, you will be informed by the Controller before any such restriction will be lifted.

Your right of restricting processing may be limited insofar it is likely to render impossible or seriously impair the achievement of research or statistical purposes and such limitation is necessary for the fulfilment of those purposes.

4. Right of deletion

• Obligation to delete
  
  You may request the Data Controller to erase your Personal Data without undue delay, provided that
  
  
  1. they are no longer needed for the purposes for which they were processed;
  2. you withdraw your consent and there is no other legal justification for processing;
  3. you object to the processing and there are no overriding legitimate reasons for processing
  4. they have been processed unlawfully;
  5. their deletion is required for compliance with a legal obligation under EU or Member State law; or
  6. they have been collected in relation to information society services offered pursuant to Art. 8 I GDPR.
     
     
• Forwarding to third parties
  
  If the Data Controller has made your Personal Data public and is obliged to erase them pursuant to Art. 17 I GDPR, he/she/ they shall take reasonable measures, including technical measures, taking into account the available technology and implementation costs, to inform the Data Processing Controllers that you have requested the deletion of all links to these Personal Data, including copies or other replications.
  
  
• Exceptions
  
  The right to deletion does not apply to the extent that processing is necessary
  
  
  1. for the exercise of the right to freedom of expression and information;
  2. for compliance with a legal obligation requiring processing under EU or Member State law to which the Data Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the responsible person;
  3. for reasons of public interest in the area of public health pursuant to Art. 9 II h) and i, Art. 9 III GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89 I GDPR, insofar as the right referred to in a) is likely to render impossible or seriously impair the attainment of the objectives of this agreement; or
  5. for the assertion, execution or defence of legal claims.

5. Right to information

If you have asserted the right of rectification, deletion and/or restriction of processing against the Data Controller, he/she/they shall inform all recipients to whom your Personal Data have been disclosed of the assertion, unless this proves impossible or involves a disproportionate effort.

You are entitled to be informed of these recipients by the Data Controller.

6. Right to data portability

You are entitled to receive your Personal Data provided to the Data Controller in a structured, standard and machine-readable format. You are also entitled to transfer this Personal Data to another Data Controller without any hindrance from the Data Controller  to whom you have provided your Personal Data, provided that

• processing is based on consent pursuant to Art. 6 I 1 a) GDPR or Art. 9 II a) GDPR or on a contract pursuant to Art. 6 I 1 b) GDPR and
• processing is carried out with the help of automated procedures.

In this context, you are also entitled to have your Personal Data transferred directly from one Data Controller to another, insofar as technically feasible without impairing the freedoms and rights of others.

The right to data portability does not apply to processing of Personal Data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Data Controller.

7. Right to object

You have the right to object at any time, based on your individual situation, to the processing of your Personal Data performed pursuant to Article 6 I 1 e) GDPR; this also applies to profiling based on these provisions.

The Data Controller shall no longer process your Personal Data unless compelling legitimate arguments for continued processing can be demonstrated which override your interests, rights and freedoms, or the processing serves the purpose of asserting, executing or defending legal claims.

You have the possibility, in connection with the use of information society services, to  exercise your right to object by means of automated procedures using technical specifications.

You also have the right to object, based on your individual situation, to the processing of your Personal Data performed for scientific or historical research purposes or for statistical purposes pursuant to Article 89 GDPR. Your right to object may be limited insofar it is likely to render impossible or seriously impair the achievement of research or statistical purposes and such limitation is necessary for the fulfilment of those purposes.

8. Revocation of the declaration of consent under data protection law

You are entitled to revoking your declaration of consent under data protection law at any time. Such revocation does not affect the lawfulness of any processing carried out pursuant to the consent up to the time of revocation.

9. Right of appeal

In addition, you also have the right of complaint to a regulatory authority (Art. 77 GDPR). The regulatory authority over Aalen University is the State Commissioner for Data Protection and Freedom of Information of Baden-Württemberg, poststelle@lfdi.bwl.de.