Data Protection Policy
Thank you for visiting our website. Data protection and data security are our top priority. For this reason, and to fulfil our duty to inform you, you can find out below how we process personal data, i.e., information relating to an identified or identifiable natural person (the “Data Subject”). In the following, as a user of our services, you can find details about, among other things, the nature, extent and purpose of our data processing (data collection, storage, etc.), such as during your visit to our website. If you have any questions regarding the data protection policy of the Chemnitz University of Technology, or if you want to exercise your rights, you can contact our Data Protection Officer (see below for contact details).
For reasons of better readability, the generic masculine form is generally used in the following. All references to persons naturally apply to all genders.
Contents
- I. Name and contact details of the Data Controller
- II. Contact details of the Data Protection Officer
- III. Technical implementation of the website
- IV. General information on data processing
- V. Provision of the website and creation of log files
- VI. Newsletter
- VII. Contacting us
- VIII. Use of cookies
- IX. Use of external websites
- X. Authentication and Authorisation (Web Trust Center) - Single Sign On (SSO)
- XI. Rights of the Data Subject
- XII. Up-to-dateness/modification of this Data Protection Policy
I. Name and contact details of the Data Controller
The Data Controller within the meaning of the EU General Data Protection Regulation (GDPR), other national data protection legislation of the Member States of the European Union and other data protection regulations is:
Chemnitz University of Technology,
represented by the Rector: Prof. Dr. Gerd Strohmeier
Strasse der Nationen 62
09111 Chemnitz, Germany
Email: rektor@tu-chemnitz.de
Phone: +49 371 531-10000
Website: https://www.tu-chemnitz.de/
II. Contact details of the Data Protection Officer
The Data Protection Officer of the Chemnitz University of Technology is:
N. N.
Website: https://www.tu-chemnitz.de/rektorat/dsb/
III. Technical implementation of the website
The website is technically implemented internally by the University Computer Centre (URZ) at the Chemnitz University of Technology, which can be contacted at the following email address: webmaster@tu-chemnitz.de
The individual websites are supported by various webmasters. The respective webmaster in each case can be contacted using the contact information in the footer of the website, to the left of the date of update.
IV. General information on data processing
1. Scope of the processing of personal data
We process our users’ personal data – including yours – only to the extent necessary to provide a functioning website as well as our content and services (including event registrations, evaluations, public relations, etc.).
Among other things, this can involve stock data (e.g., names, addresses), contact details (such as email addresses, telephone numbers, residential addresses), content data (such as text entries, photographs, videos, comments), usage data (such as websites visited, interest in content, access times) and meta-/communication data (such as device information, IP addresses).
As a rule, our users’ personal data is processed only after their prior consent. An exception applies in such cases in which it is not possible to obtain prior consent for practical reasons and/or the processing of data is permitted by law.
2. Legal basis for the processing of personal data
Where we obtain a Data Subject’s consent for processing personal data, the legal basis is provided by Art. 6(1) Sentence 1(a) GDPR.
When processing personal data required for the fulfilment of a contract with the Data Subject as a contracting party, the legal basis is provided by Art. 6(1) Sentence 1(b) GDPR. This also applies to processing operations necessary for the implementation of pre-contractual measures.
If the processing of personal data is required to comply with a legal obligation to which the Chemnitz University of Technology is subject, the legal basis is provided by Art. 6(1) Sentence 1(c) GDPR. According to this, personal data can be stored, for example, if required by the European or national legislators in EU legal regulations, laws or other regulations to which the Chemnitz University of Technology is subject.
In the event that the vital interests of the Data Subject or another natural person require a processing of personal data, the legal basis is provided by Art. 6(1) Sentence 1(d) GDPR.
Art. 6(1) Sentence 1(e) GDPR is invoked for data processing where the processing is necessary to perform a task in the public interest or in the exercise of public authority vested in the Data Controller.
Where processing is necessary to safeguard a legitimate interest of the Chemnitz University of Technology or a third party, and unless our aforementioned legitimate interest is outweighed by the interests and the fundamental rights and freedoms of the Data Subject, the legal basis for the processing is provided by Art. 6(1) Sentence 1(f) GDPR. According to Art. 6(1) Sentence 2 GDPR, Art. 6(1) Sentence 1(f) GDPR does not apply to data processing conducted by authorities in discharging their duties. However, according to the wording, this only encompasses tasks conferred by force of law, in particular in the context of executive and performance administration. Therefore, if authorities are acting on an equal footing – i.e., under private law – an application of Art. 6(1) Sentence 1(f) GDPR cannot be excluded. This particularly applies to the public-relations work of the Chemnitz University of Technology.
3. Storage duration (data deletion)
The personal data we process will be deleted or blocked as soon as the purpose for the data processing (including storage) ceases to exist, i.e., the processing is no longer required for the purpose, and deletion does not conflict with statutory retention obligations.
If data is processed due to a legal obligation within the meaning of Art. 6(1) Sentence 1(c) GDPR, for example, the personal data will be blocked or deleted on expiry of the retention period prescribed in the aforementioned standards. For example, it is obligatory to store trading books, inventories, status reports, booking vouchers, etc., in accordance with Section 147(1) AO [German Tax Code], Section 257(1) Nos. 1 and 4 and (4) HGB [German Commercial Code] for 10 years, and received and sent commercial letters in accordance with Section 257(1) Nos. 2 and 3 and (4) HGB for 6 years. In these cases, the data is not deleted, but its processing is merely restricted, i.e., the data is blocked and not used for any other purposes.
Your data will also not be deleted if there is a requirement for the further storage of data, such as for the conclusion or performance of a contract, and thus another legal basis for data processing exists, such as Art. 6(1) Sentence 1(b) GDPR.
4. Legal/contractual rules for the provision of personal data and the consequences of failing to do so
Please be aware that the provision of personal data is sometimes required by law or contractual arrangements. Thus, the conclusion of a contract generally requires the Data Subject to provide us with personal data that then has to be further processed by us. This is the case, for example, for the obligation to provide personal data in the context of the conclusion of a contract. The failure to provide personal data would otherwise have the consequence that the contract could not be concluded with the Data Subject.
Please do not hesitate to contact us – preferably via our above-mentioned Data Protection Officer – before providing personal data relating to the Data Subject within the above meaning. In each individual case, we will then clarify whether the provision of personal data is legally/contractually prescribed or required for the conclusion of the contract. We will also clarify whether there is an obligation to provide personal data, and will inform you of the consequences of failing to provide personal data in this case.
5. Disclosure of personal data to third parties
Personal data is processed by the following natural persons / legal entities: Chemnitz University of Technology. This also covers persons, such as employees of the Chemnitz University of Technology, who are authorised to process personal data under the direct responsibility of the Chemnitz University of Technology. However, disclosure of personal data to third parties – i.e., a natural person or legal entity, authority, agency or other body, with the exception of the Data Subject, Data Controller and, where applicable, Data Processor – will not generally occur, unless there is a legal obligation to do so, to which the Chemnitz University of Technology is subject (such as investigations by law-enforcement or state-security authorities).
V. Provision of the website and creation of log files
1. Description and scope of data processing
Whenever our website is accessed, our server systems automatically record data and information about the user’s computer system / the accessing computer, which also means your computer.
In principle, this relates to the following data:
- IP address of the accessing computer,
- host name of the queried web server,
- details of which document is requested,
- the encryption standard and algorithm used,
- any form inputs made*,
- any valid cookies*.
Depending on the configuration of your browser, the following data may also be transferred:
- browser name and version, as well as the user’s operating system,
- preferred language for content,
- possible data-compression methods,
- website from which the user’s system was forwarded to the requested document (so-called referrer URL or “Referer” in the HTTP standard).
The above data (apart from the fields marked with *) will also be temporarily – i.e., only transiently – stored in the log files of our systems. The log files also include the following information:
- any authenticated user (after logging into the Web Trust Center or via an application-specific procedure),
- date and time of access,
- query status, duration and amount of transferred data.
This data is not stored or merged with other personal data of the user.
2. Legal basis for data processing
The legal basis for the collection and temporary storage of data and log files is provided by Art. 6(1) Sentence 1(f) GDPR (safeguarding of a legitimate interest). In addition, the storage of data is also permitted by Art. 6(1) Sentence 1(c) GDPR in conjunction with Section 12 TDDDG [German Telecommunications Act].
3. Purpose of data processing
Temporary storage, for example of the IP address, by the system is necessary to ensure that it is possible to deliver our website to the user’s computer. In this case, the user’s IP address must be stored for the duration of the session.
Data is stored in log files to ensure that our website functions properly for you. In addition, we use the data to optimise the web pages and to maintain the security of our IT systems. Data is never evaluated for marketing purposes in this context.
These purposes also constitute our legitimate interest in data processing in accordance with Art. 6(1) Sentence 1(f) GDPR. In this respect, the interests or fundamental rights and freedoms of the Data Subject that require the protection of personal data do not prevail. The storage of data to prevent disruptions in the telecommunications system is also expressly permitted by Art. 6(1) Sentence 1(c) GDPR in conjunction with Section 12 TDDDG.
4. Security of Data Processing
In order to guarantee a risk-appropriate level of protection when providing the website, the Chemnitz University of Technology has taken suitable technical and organisational measures to protect your personal data, taking into consideration the state of technology, the cost of implementation and the type, scope, circumstances and purposes of the processing, as well as the various probabilities of occurrence and the severity of the risk for the rights and freedoms of natural persons.
For this purpose, our web servers enforce transport encryption via HTTP Strict Transport Security (HSTS). This is evident from the Hypertext Transfer Protocol Secure transmission protocol used (https:// in your address bar) as well as the lock icon in your browser bar, for example. TLS 1.2 is currently required as a minimum standard. By also supporting older encryption standards, we ensure that as large a group of users as possible can use our website. Encryption algorithms deemed insecure are and will be disabled.
5. Storage period
The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected. Where data is collected to provide the website, this is the case when the respective session has ended. You end the session by completely closing your browser, i.e., not by merely closing the respective tab.
Where data is stored in log files, it will be deleted/anonymised after one month. Further storage in a non-anonymous form, reduced to relevant data, only occurs for the fulfilment of investigation-related requests. In addition, further storage is possible, although in this case the IP addresses of the users are deleted or altered/anonymised so that they can no longer be assigned to the accessing client under any circumstances.
6. Objection and deletion options
Where personal data relating to you is processed on the basis of Art. 6(1) Sentence 1(e) (public interest or public authority) or (f) GDPR (legitimate interest), you have the right, in accordance with Art. 21 GDPR, to object at any time for reasons arising from your specific situation (see also under right of objection).
However, the collection of data in order to provide the site and the storage of the data in log files – as described above – is essential for the operation of the website of the Chemnitz University of Technology. Therefore, if you exercise your right of objection but still access our website regardless, there are compelling legitimate grounds for the processing of data that outweigh the interests, rights and freedoms of the Data Subject – yourself – and thus result in a restriction of the option to object so that, in accordance with Art. 21(1) Sentence 2 GDPR, your personal data can still be processed.
VI. Newsletter
1. Description and scope of data processing
Our website sometimes includes the possibility of subscribing to a free newsletter. In the process of registering for the newsletter, data from the input screen is sent to us. In addition to the email address, this may also include your name (voluntary) in order to make a personalised address possible in the newsletter.
In addition, the above information used to provide the website and create log files is collected during registration for a newsletter and provision of the newsletter.
For the processing of the data, your consent will be obtained on a voluntary basis as part of the registration process and reference will be made to the Data Protection Policy. Consent occurs in the form of a clearly affirmative action, by which the Data Subject makes it clear that he/she agrees to the processing of personal data relating to him/her.
When sending the newsletter, a so-called “double opt-in procedure” is used to ensure that the declaration of consent can be proven (recording of the time of registration/confirmation as well as the IP address). This first requires a registration via our website (first opt-in) as well as an additional confirmation via the confirmation link in the email received due to the registration (second opt-in). The same procedure is used when changing your stored data relating to the newsletter subscription.
The processing of personal data in connection with the sending of the newsletter is executed only by such persons who, under the direct responsibility of the structural unit of the Chemnitz University of Technology offering the newsletter, are authorised to process the personal data, such as staff of the XY professorship at the Chemnitz University of Technology. However, disclosure of personal data to third parties – i.e., a natural person or legal entity, authority, agency or other body, with the exception of the Data Subject, Data Controller and, where applicable, Data Processor – will not generally occur, unless there is a legal obligation to do so, to which the Chemnitz University of Technology is subject (such as investigations by law-enforcement or state-security authorities).
2. Legal basis for data processing
The legal basis for the processing of the data after registration for the newsletter by the user is the explicit consent of the user in accordance with Art. 6(1) Sentence 1(a) GDPR in conjunction with Section 7(2) No. 3 UWG [German Unfair Competition Act]. The logging of your consent is based on Art. 6(1) Sentence 1(c) GDPR, in particular in order to meet our legal obligation to log the consent, Art. 7(1) GDPR.
By way of derogation from the above explicit declaration of consent, Section 7(3) UWG in conjunction with Art. 6(1) Sentence 1(f) GDPR provides a legal basis for data processing for the purposes of sending our electronic newsletter, as it is required to safeguard our legitimate interests in direct marketing (cf. Recital 47 GDPR). In such cases, an outweighing of your interests or fundamental rights and freedoms requiring the protection of personal data cannot be determined. Prerequisites for this are that the Chemnitz University of Technology has received your email address from you in connection with the sale of a product or service, that the Chemnitz University of Technology uses the address solely for the direct marketing of its own similar goods or services, that you have not objected to its use, and that you have been clearly informed, on collection of the address and each time it is used, that you can object to its use at any time without incurring costs other than the transmission costs according to the basic tariffs.
3. Purpose of data processing
The purpose of collecting the user’s email address is to deliver the newsletter. For the specific content of the newsletter, please refer to the description provided during the registration process. The purpose of collecting other personal data during the registration process is to prevent misuse of the services or the email address used.
4. Storage period
The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected. Accordingly, the user’s email address will be stored as long as the subscription of the newsletter is active, which means in particular that you have not revoked your consent or, in the case of Section 7(3) UWG, as long as you have not objected to data processing for direct marketing purposes. Deviations are possible, provided that other legal bases allow an ongoing storage, including with regard to the log data for defending claims relating to the previously granted consent declaration (the storage period in this case is typically three years).
With regard to the storage period for other personal data collected during the registration process, reference can be made to the storage period relating to the provision of the website and the creation of log files.
5. Objection/revocation and deletion options
The consent to data processing for the purpose of sending the newsletter is voluntary and may be revoked at any time, whereby the subscription of the newsletter will be terminated. In order to exercise your right of revocation, please send us an email to this effect from the email address registered for the newsletter subscription with the subject “Newsletter revocation” to the webmaster for the newsletter concerned (contact details in the footer of the web page with the newsletter registration form – to the left of the date of update), or alternatively to the Data Protection Officer of the Chemnitz University of Technology, or just click on the opt-out/unsubscribe link attached to every newsletter. Withdrawing your consent does not affect the legality of processing undertaken on the basis of your consent prior to its withdrawal, however.
If personal data is processed for the purposes of direct marketing operations, you have the right to object at any time to the processing of personal data relating to you for the purposes of such marketing (Art. 21 GDPR, Art. 7(3) UWG). If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes. You were explicitly informed of this right of objection, at the latest at the time of the first communication with you, in an understandable form separate from other information. You can find more detailed information about your right of objection below.
VII. Contacting us
1. Description and scope of data processing
If a user takes the opportunity to get in contact with us, including via the e-mail addresses provided, by phone or via social media, the personal data provided within the framework of the contact will be sent to us and, where necessary, saved. To this end, our website sometimes contains a contact form that can be used to contact us online.
The processing of the contact via a contact form requires the following entries in the input screen:
- your email address,
- your inquiry,
- any additional mandatory fields, such as confirmation of the Data Protection Policy.
At the time of sending the message, these mandatory details, as well as further details in the contact form and the details already listed under “Provision of the website and creation of log files” will be transferred and may be stored in a database, or sent by email to the originator of the contact form.
Prior to or in connection with the sending of the respective contact form, the Data Controller for the relevant contact form will provide you with further information on the processing of your personal data relating to your contact with us using the contact form.
Before the contact form is transmitted, we will obtain your consent to the processing of your data and refer you to the Data Protection Policy. In this context, no data will be disclosed to third parties. The data will be used exclusively for the processing of the conversation, i.e., particularly for processing your contact request. In addition, your personal data may be stored in a customer relationship management system (CRM system) or another database.
2. Legal basis for data processing
Where the user has given his or her consent, the legal basis for the processing of the data is provided by Art. 6(1) Sentence 1(a) GDPR. The legal basis for the processing of the data transferred in the course of another contact (including via email, telephone, etc.) is provided by Art. 6(1) Sentence 1(f) GDPR (legitimate interest). If the purpose of the contact is the conclusion of a contract, the legal basis for the processing is provided by Art. 6(1) Sentence 1(b) GDPR.
3. Purpose of data processing
The purpose of processing the personal data from the communication is solely to handle your request. As a rule, this also includes the necessary legitimate interest in the processing of the data within the meaning of Art. 6(1) Sentence 1(f) GDPR. Your personal data will not be disclosed to third parties without your consent.
The purpose of the other personal data processed during the transmission of the contact form is to prevent misuse of the contact form and to ensure the safety of our IT systems.
4. Storage period
The data will be deleted as soon as it is no longer required in order to fulfil the purpose for which it was collected. With regard to personal data from your communication with us, this is generally the case when the conversation with the user is ended. The conversation is deemed to have ended when it can be seen from the circumstances that the issue in question has been conclusively resolved. In addition to this, other processing purposes can justify longer processing, including the storage in a customer relationship management system (CRM system) for ongoing updates of contacts, storage due to relevance under auditing law, etc.
The data will also be deleted if you assert your right of deletion or withdraw your consent, provided that consent was given for the data processing. The foregoing applies only if there are no mandatory legal provisions that also justify data processing in the future. In such cases, the statutory deletion deadlines / retention periods apply.
With regard to the duration of storage of the other personal data collected during the registration process, reference can be made to the storage period in connection with the provision of the website and the creation of log files. Further storage in a non-anonymous form, reduced to relevant data, only occurs for the fulfilment of investigation-related requests. In addition, further storage is possible, although in this case the IP addresses of the users are deleted or altered/anonymised so that they can no longer be assigned to the accessing client under any circumstances.
5. Objection/revocation and deletion options
Any consent is given voluntarily, i.e., without coercion or pressure, and may be revoked at any time with effect for the future, as a whole or separately, and without undue disadvantages. To exercise your right of revocation, please send us an email to the email address of our Data Protection Officer, for example. The withdrawal of consent, and the consequent deletion of all personal data stored upon contacting us, do not affect the legality of processing undertaken on the basis of your consent prior to its withdrawal.
If data processing is carried out for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller (Art. 6(1) Sentence 1(e) GDPR) or by virtue of a legitimate interest within the meaning of Art. 6(1) Sentence 1(f) GDPR, you have the right, in accordance with Art. 21 GDPR, to object at any time for reasons arising from your specific situation (see also under right of objection). In this case, the Chemnitz University of Technology will no longer process the personal data, unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms as Data Subject, or the processing serves to assert, exercise or defend legal claims.
In the case of a revocation or objection, the conversation with you cannot be continued, since, as a rule, all personal data stored in the course of contacting us will be deleted.
VIII. Use of cookies
1. Description and scope of data processing
Our website uses cookies where necessary. Cookies consist of textual information that is stored in your browser so that user-related information can also be processed as desired at a later point in time. If a user accesses a given website, a cookie can be sent with it by the web server. In addition to information to be stored, this cookie also contains the field of validity (web server and path specification) and the validity period. When accessing addresses in the field of validity, the browser sends this information to the corresponding web server. GDPR treats cookie identifiers as personal data (see Recital 30 of the GDPR). However, with regard to personal processing in connection with the provision of publicly available electronic communications services in public communications networks in the EU, the provisions of the GDPR are subordinate, see Art. 95 GDPR.
However, to further understand how cookies work, a distinction has to be made between different types of cookie. With regard to the “lifespan” of cookies, there is a distinction between so-called “session cookies” (temporary cookies, transient cookies) and so-called “permanent cookies”, sometimes also referred to as “persistent cookies”. The former are automatically deleted when the browser is closed; the latter remain on the user’s terminal for the set period of time. In addition to this, a distinction is made between so-called “first-party cookies” and so-called “third-party cookies” based on which cookies belong to a certain server. The former are set by the web server from which the visited page is retrieved. The latter, on the other hand, are set by another web server, from which the content on the page visited is used or incorporated, and are not relevant for the use of our website.
2. Legal basis for data processing
The legal basis for the processing of personal data using cookies – especially permanent cookies, no matter whether first-party or third-party cookies – is provided by Section 25(1) TDDDG in conjunction with Art. 6(1) Sentence 1(a) GDPR (consent of the data subject).
When accessing our website, users are informed about the use of cookies for the purposes of analysis by means of a pop-up (a so-called “cookie overlay”) and are referred to this Data Protection Policy. At the same time, they are asked to give their consent to the use of cookies in the scope described above in the form of a clearly affirmative action, by which the Data Subject makes it clear that he/she consents to the processing of personal data relating to him/her (opt-in). The consent is voluntary and may be revoked at any time.
The legal basis for the processing of personal data by using so-called “first-party cookies”, on the other hand, is Section 25(2) No. 2 TDDDG in conjunction with Art. 6(1) Sentence 1(e) Par. 3 GDPR in conjunction with Section 3 SächsDSDG, if the storage of the information in the end user's device or access to information already stored in the user's device is absolutely necessary so that Chemnitz University of Technology can provide a digital service expressly requested by the user - for example this website - technically error-free and smoothly. The latter applies, for example, in order to be able to provide you with functions you have selected (such as the language setting, login status, etc.).
3. Purpose of data processing
Technically essential session cookies are used to simplify the use of web pages for the user. Some functions of our website are not available without the use of cookies. These functions require the browser to be recognised even after you have switched to a different page. The user data collected by technically essential cookies is not used to create user profiles, however, even though they could make the behaviour of the Data Subject traceable. Therefore, if you have objected to the use of these cookies, your use of our website may be limited in the future, for example, or may only be fully available after logging in again.
4. Duration of storage, objection/revocation and deletion options
Cookies are saved to the user’s computer and are transferred to us from there. You, as the user, therefore have complete control over the use and storage of cookies. The storage duration of cookies, i.e., the time before they are automatically deleted, depends on the respective settings of the cookies. You can find more detailed information on storage periods in the following table.
However, if cookies for our website are deactivated or later deleted due to the lack of or a revoked consent, or due to the browser settings, it may no longer be possible to use all of the features of the website to their full extent, with the result that the functionality of our website may be limited.
a) Revocation option
Consent to the use of cookies is voluntary and may be revoked at any time. In order to exercise your right of revocation, please send us an email to this effect, or delete the cookies by yourself in your browser or via the cookie overview at https://www.tu-chemnitz.de/tu/datenschutz_cookies.html. You can find a helpful guide on how to delete cookies in different browsers from the NRW e. V. customer centre (https://www.verbraucherzentrale.de/wissen/digitale-welt/datenschutz/cookies-im-browser-einstellen-11996). The withdrawal of consent, and the consequent deletion of cookies already stored, do not affect the legality of processing undertaken on the basis of your consent prior to its withdrawal.
b) Objection option
Where we use cookies on the basis of Art. 6(1) Sentence 1(e) (public interest or in the exercise of public authority) or (f) GDPR (legitimate interests), you have the right to file an objection at any time, for reasons arising from your specific situation, to the processing of personal data relating to you; this also applies to profiling based on these provisions. In order to exercise your objection, please send an email to this effect to the webmaster of the respective website (contact details in the footer of the website – to the left of the date of update), or alternatively to the Data Protection Officer of the Chemnitz University of Technology, or delete the cookies in your browser by yourself. You can find a helpful guide on how to delete cookies in different browsers from the NRW e. V. customer centre (https://www.verbraucherzentrale.de/wissen/digitale-welt/datenschutz/cookies-im-browser-einstellen-11996). The Data Controller will then no longer process the personal data relating to you, unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or if the processing is used to assert, exercise or defend legal claims.
Where personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for such marketing; this includes profiling, insofar as it is related to such direct marketing. If you object to processing for direct marketing purposes, personal data relating to you shall no longer be processed for such purposes.
In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications. You can find more information about this immediately below under “General deletion option”.
c) General deletion option
You can also monitor and regulate the storage of cookies in your browser, so that you can define the automatic deletion of all cookies at the end of a session (on closing the browser) or the general blocking of cookies of any kind, for example. By sending the “do-not-track” flag (“no-follow” request), no profile data will be collected on pages that implement local tracking. However, these settings are basically only browser/device-specific, so you will have to set them for all your devices. Please also note that blocking all cookies can result in the partial loss of the full functional scope of our website.
In addition, various service providers offer the option of lodging a general objection to the use of cookies for marketing purposes on the Internet: http://www.aboutads.info/choices/ (USA) or https://www.youronlinechoices.com/ (EU). We would like to explicitly point out that the Chemnitz University of Technology itself does not use cookies for user-based online advertising, but it cannot be ruled out for the external websites listed below.
5. Use of individual cookies
In particular, the following are some of the cookies used to access our website:
Cookie name | Category | Period of validity | Explanation |
---|---|---|---|
csrftoken_[…] | Security | 1 year | Form protection for Django-based web application |
_saml_sp | Authentication only on wtc.tu-chemnitz.de | 10 days | SP identifier for Web Trust Center |
_redirection_state | Authentication only on wtc.tu-chemnitz.de | 100 days | Forwarding status for Web Trust Center |
_saml_idp | Authentication only on wtc.tu-chemnitz.de | 100 days | IdP identifier for Web Trust Center |
sessionid_[…] | Application | 14 days | Session ID for Django-based web application |
tuc_lang | User preference | 14 days | Required document language – set if a language change is selected on website |
tuc_accepted_search | User preference | permanently | Storage opt-in for the external search engine |
tuc_accepted_[…] | User preference | 7 days | Storage opt-in for the integration of external websites |
_redirect_user_idp | Authentication only on wtc.tu-chemnitz.de | Session | IdP selection for Web Trust Center |
_shibsession_[…] | Authentication | Session | Session ID after registration with single sign-on (Web Trust Center) |
PHPSESSID | Application | Session | Session ID for PHP-based web application |
ShibAuthToken | Authentication only on wtc.tu-chemnitz.de | Session | ID for authentication for the IdP for Web Trust Center |
ShibSessionID | Authentication only on wtc.tu-chemnitz.de | Session | Session identifier for the IdP for Web Trust Center |
WTC_AUTHENTICATED | Authentication | Session | Login ID of an authenticated user |
IX. Use of external websites
1. Description and scope of data processing
a) Social Media
Communication is changing, and with it the communication routes and options for reaching target groups. This is why, for a few years now, the Chemnitz University of Technology has set itself the task of using social media to reach and inform internal and external target groups, such as students, employees, family members, alumni and alumnae, prospective students and persons interested in science, research, campus and university development.
b) User-friendly website design
Our website also offers the Duck Duck Go, Ecosia, Google and Startpage.com search services to browse our websites. By using these, we are able to guarantee the most structured and comprehensive search possible in terms of the user- and operator-friendliness of our website, which could not currently be reasonably guaranteed by means of a self-contained search. However, we are also continuing our efforts to find and provide you with comparable alternative searches in the future.
Various external map services (Google Maps and OpenStreetMap) are also integrated into our website, including directions (including route planning), to make contacting us as user- and operator-friendly as possible. Unfortunately there are currently no comparable offers available, taking reasonable effort into consideration, but we are continuously evaluating and reassessing this, too.
Via the Studentenwerk Chemnitz-Zwickau, images of the menus of the different locations can be directly integrated on our website.
c) Embedding of multimedia content – Video Campus Saxony
For integrated multimedia content (especially videos), the platform Video Campus Saxony (https://videocampus.sachsen.de/) is used. This platform is operated by the BPS Bildungsportal Sachsen GmbH on the basis of a data processing contract with the Chemnitz University of Technology (Art. 28 GDPR). In terms of data protection, no data is transferred to external providers.
d) External data-processing procedures
When you visit our external web/social-media sites, various personal data will be processed by us, but also primarily by external providers. You can find more detailed information on this in the data protection provisions of the respective providers:
- BPS Bildungsportal Sachsen GmbH (Bahnhofstraße 6, 09111 Chemnitz): https://www.bps-system.de/datenschutz/;
- Deezer (Deezer Limited Company, 12 rue d’Athènes 75009 Paris, France): https://www.deezer.com/legal/personal-datas;
- Duck Duck Go (Duck Duck Go Inc., 190 Country Lane Phoenixville, PA 19460 United States): https://duckduckgo.com/privacy;
- Ecosia (Ecosia GmbH, Gerichtstraße 23, 13347 Berlin): https://info.ecosia.org/privacy;
- Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland): https://www.facebook.com/about/privacy/;
- Google (Maps)/YouTube (Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA): https://policies.google.com/privacy and https://www.youtube.com/t/privacy_guidelines;
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA): https://privacycenter.instagram.com/policy/;
- iTunes, Apple Podcast (Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014): https://www.apple.com/legal/privacy/de-ww/;
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland): https://www.linkedin.com/legal/privacy-policy;
- OpenStreetMap (Openstreetmap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom): https://wiki.osmfoundation.org/wiki/Privacy_Policy;
- Spotify (Spotify AB, Regeringsgatan 19, 11153 Stockholm, Sweden): https://www.spotify.com/de/legal/privacy-policy/plain/ and https://www.spotify.com/de/legal/cookies-policy/plain/ and https://www.spotify.com/de/privacy;
- Startpage.com (Startpage B. V., Wilhelmina van Pruisenweg 104, 2595 AN Den Haag, The Netherlands): https://www.startpage.com/en/search/privacy-policy.html;
- Studentenwerk Chemnitz-Zwickau, (Studentenwerk Chemnitz-Zwickau, Thüringer Weg 3, 09126 Chemnitz, Germany): https://www.swcz.de/en/privacy-policy;
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA): https://twitter.com/de/privacy;
- Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom): https://wakelet.com/privacy.html;
- Xing (XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany): https://privacy.xing.com/de/datenschutzerklaerung.
2. Legal basis for data processing
a) Social Media
Press and public-relations work at the Chemnitz University of Technology includes precisely reaching as many target groups as possible, so that the use of different communication routes and options and, in particular, also of newer communication channels (social media) is indispensable. This is also precisely where our legitimate interests in being able to process your personal data in this context lie, Art. 6(1) Sentence 1(f) GDPR.
The platform Video Campus Saxony serves as a resource-efficient and accessible solution for video content; this constitutes our legitimate interest in the processing of your data within the meaning of Art. 6(1) Sentence 1(f) GDPR.
b) Declaration of consent
If you have previously had to declare your consent to us or one of the above-mentioned external providers, such as by way of prior consent for web tracking by confirming a pop-up or upon being forwarded to our external search providers or map services, the data will be processed on the basis of Art. 6(1) Sentence 1(a) GDPR, particularly because of your consent.
3. Purpose of data processing
a) Social Media
The purpose of processing personal data from communication via external web/social-media sites is solely to process your contact to the Chemnitz University of Technology. As a rule, this also constitutes a legitimate interest, regardless of any consent granted, in the processing of the data within the meaning of Art. 6(1) Sentence 1(f) GDPR. Normally, we will not contact you proactively via social media. Exceptions can be queries from us about comments under posts or replies to these comments, or requests for feedback.
In addition to this, your personal data will generally be used by the above-mentioned external providers for market-research purposes and promotional offers. The above-mentioned external providers usually process personal data by observing your behaviour as a user of the sites. In other words, in many cases, your Internet activities as a user are traced in order to subsequently process the data obtained using a wide range of techniques in such a way that a user profile can be created for you. This, in turn, generally forms the basis for future decisions affecting you or is used as a basis for analysing or forecasting your personal preferences, behaviour or habits, cf. Recital 24 GDPR. The results can then be used – including by the Chemnitz University of Technology – to present you with personalised online advertisements, for example, depending on the personal interests identified or predicted for you. In addition to this, it is not possible to rule out the storage and processing by the above-mentioned external providers of further details of the devices used, especially if you have an account with the respective (social-media) platform and are logged in as a registered user. You can find details for this from the above links to the data protection provisions of the external providers.
b) User-friendly website design
The sole purpose of data processing in connection with the integration of external search providers / map services into our site is to make the searchability of our websites and the path and route planner as efficient and user-friendly as possible for you. As a rule, this also constitutes a legitimate interest, regardless of any consent granted, in the processing of the data within the meaning of Art. 6(1) Sentence 1(f) GDPR.
c) Embedding of multimedia content – Video Campus Saxony
For loading video and web contents from the platform Video Campus Saxony there is our legitimate interest in the processing of your data within the meaning of Art. 6(1) Sentence 1(f) GDPR.
d) Joint responsibility
The Data Controller for data processing in this respect within the meaning of GDPR and other national data protection laws of the Member States of the European Union, as well as other data protection regulations, is therefore primarily the external service provider in this case. You can find detailed information about the purposes of the data processing conducted by the above-mentioned external providers via the above links to the data protection policies of the external providers.
4. Recipients / categories of recipients
In principle, personal data is processed in connection with the use of external websites (including social media, search services, etc.) only by the following natural persons / legal entities: the Chemnitz University of Technology, particularly the employees of the University Computer Centre, as well as the press office and cross-media editing team. Depending on the external website you select/use, your personal data will also be processed by the above-mentioned external providers.
Your personal data will not be disclosed by us to third parties not mentioned here, nor will it be transferred to another EU country or to a third country or international organisation, unless otherwise specified below.
5. Transfer to a third country
Personal data may only be transferred to a third country or an international organisation if the European Commission, for example, has decided that the third country, a region or one or more specific sectors in that third country or the international organisation concerned offers an adequate level of protection. In this case, data transmission of this type requires no special permission. With regard to the companies mentioned above, an adequate level of protection is currently guaranteed on the basis of the US–EU Privacy Shield. According to this, it is initially presumed that such a level of protection is afforded by all companies that have been certified according to the requirements of the US–EU Privacy Shield:
- Facebook Ireland Limited (San Jose, California, USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active#participation;
- Google Ireland Limited (Mountain View, California, USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active#participation;
- Instagram Inc. / Facebook Inc. (San Jose, California, USA): https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active#participation;
- LinkedIn Corporation (Sunnyvale, California, USA): https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active;
- Twitter International Company (San Francisco, California, USA): https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active#participation.
Regarding the transfer of personal data to the United Kingdom (Openstreetmap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom and Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom), the Commission has decided that the third country in question provides an adequate level of protection (Adequacy Decision: https://commission.europa.eu/system/files/2021-06/decision_on_the_adequate_protection_of_personal_data_by_the_united_kingdom_-_general_data_protection_regulation_en.pdf).
The prerequisites of Art. 45 GDPR (data transmission on the basis of an adequacy decision) are therefore met for the above-mentioned transmissions to third countries. The transfer of personal data to the above external providers and thus to third countries is therefore permissible, since the Data Controller and the Data Processor comply with the conditions set out in Art. 44 et seq. GDPR and also with the other provisions of GDPR. This ensures that the level of protection afforded by GDPR for natural persons is not undermined.
Purely as a precaution, we would like to point out, however, that the transfer of personal data to a third country or international organisation on the basis of the US–EU Privacy Shield is currently sometimes viewed critically. In accordance with Art. 49(1) Sentence 1(a) GDPR, data transmission is nevertheless permissible – even without certification according to the requirements of the US–EU Privacy Shield – if you have previously expressly consented to the proposed data transmission after you have been informed about the potential risks of such data transfers in the absence of an adequacy decision and without appropriate safeguards. These risks exist especially if the third country, a region or one or more specific sectors in the third country or the international organisation concerned does not provide an adequate level of data protection. This may have adverse effects for you especially in the following points:
- the rule of law; the respect for human rights and fundamental freedoms; the relevant legislation applicable in the country or international organisation concerned, of both general and sectoral nature – also with regard to public security, defence, national security and criminal law, as well as the access of authorities to personal data – as well as the application of this legislation, data protection regulations, professional rules and safety regulations, including the provisions for the further transfer of personal data to another third country or another international organisation; the jurisprudence as well as the effective and enforceable rights of the Data Subject and effective administrative and judicial remedies for the Data Subjects whose personal data is being transferred;
- the existence and the effective functioning of one or more independent supervisory authorities in the third country concerned or by which an international organisation is governed and that are responsible for compliance with and enforcement of data protection regulations, including appropriate enforcement powers, for supporting and advising Data Subjects in the exercise of their rights and for cooperation with the supervisory authorities of the Member States; and
- the international obligations undertaken by the third country or international organisation concerned or other obligations arising from legally binding agreements or instruments, as well as from the participation of the third country or international organisation in multilateral or regional systems, particularly in relation to the protection of personal data.
6. Storage period
The personal data we process in this context will be deleted as soon as it is no longer required in order to fulfil the above-mentioned purposes for which it was collected. You can find more detailed information on data erasure by the above-mentioned external providers via the above links to the data protection policies of the external providers.
7. Objection/revocation and deletion options
Any consent given in connection with the use of external websites is voluntary, i.e., without coercion or pressure, is therefore of no relevance to your participation in CUT websites, and may be revoked at any time with effect for the future, as a whole or separately, and without undue disadvantages. To exercise your right of revocation with regard to the social-media channels used by the Chemnitz University of Technology, please send us an email to pressestelle@tu-chemnitz.de or use the cookie overview at https://www.tu-chemnitz.de/tu/datenschutz_cookies.html. However, please note that withdrawing consent does not affect the legality of processing undertaken on the basis of the consent prior to its withdrawal.
If your personal data is processed on the basis of Art. 6(1) Sentence 1(e) (public interest or in the exercise of public authority) or (f) GDPR (legitimate interests), you have the right to file an objection at any time, for reasons arising from your specific situation, to the processing of personal data relating to you; this also applies to profiling based on these provisions. To exercise your objection in relation to the external providers used, please follow the opt-out options linked below:
- Deezer (Deezer Limited Company, 12 rue d’Athènes 75009 Paris, France): https://www.deezer.com/legal/personal-datas;
- Duck Duck Go (Duck Duck Go Inc., 190 Country Lane Phoenixville, PA 19460 United States): https://duckduckgo.com/privacy;
- Ecosia (Ecosia GmbH, Gerichtstraße 23, 13347 Berlin): https://info.ecosia.org/privacy;
- Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland): https://www.facebook.com/about/privacy/;
- Google (Maps)/YouTube (Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA): https://policies.google.com/privacy and https://www.youtube.com/t/privacy_guidelines;
- Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA): https://privacycenter.instagram.com/policy/;
- iTunes, Apple Podcast (Apple Inc., One Apple Park Way, Cupertino, California, USA, 95014): https://www.apple.com/legal/privacy/de-ww/;
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland): https://www.linkedin.com/legal/privacy-policy;
- OpenStreetMap (Openstreetmap Foundation, St John’s Innovation Centre, Cowley Road, Cambridge, CB4 0WS, United Kingdom): https://wiki.osmfoundation.org/wiki/Privacy_Policy;
- Spotify (Spotify AB, Regeringsgatan 19, 11153 Stockholm, Sweden): https://www.spotify.com/de/legal/privacy-policy/plain/ and https://www.spotify.com/de/legal/cookies-policy/plain/ and https://www.spotify.com/de/privacy;
- Startpage.com (Startpage B. V., Wilhelmina van Pruisenweg 104, 2595 AN Den Haag, The Netherlands): https://www.startpage.com/en/search/privacy-policy.html;
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA): https://twitter.com/de/privacy;
- Wakelet (Wakelet Limited, 76 Quay Street, Manchester, M3 4PR, United Kingdom): https://wakelet.com/privacy.html;
- Xing (XING AG, Dammtorstraße 29–32, 20354 Hamburg, Germany): https://privacy.xing.com/de/datenschutzerklaerung.
In this context, please also note the information above on the objection/revocation and deletion options regarding the use of cookies on our website or on the websites of the external services used.
8. Integration and representation of external content on our website
Our web pages sometimes integrate and display external content (such as YouTube videos, graphics, maps, etc.) from the aforementioned third-party providers, including Facebook, Google, Twitter, YouTube, Xing, etc. The protection of your data is also important to us in this context. Therefore, these services are generally integrated via the state-of-the-art data protection-compliant solution from the c’t Shariff project (https://www.heise.de/ct/artikel/Shariff-Social-Media-Buttons-mit-Datenschutz-2467514.html) or via similar technical procedures.
In this way, we ensure no type of (personal) data is transferred to the external providers when you access our website. Otherwise, the integration of this type of external content would lead to a connection being established to the external server directly on visiting the website and thus also to the transmission of your (personal) data to this external server, including your IP address, the browser type you use and your operating system, the websites from which your system is forwarded to the external embedded web pages, the time of visit, etc., so that your activity on the Internet can be logged by the external provider and tracked for statistical and marketing purposes. This connection to external servers, which is automatic and established in the background without any action on your part, is initially prevented by the above solutions. Thus you can decide for yourself, by giving your consent in accordance with Art. 6(1) Sentence 1(a) GDPR, whether to transfer data to the external servers, which may be located in non-European countries (e.g. the USA, see above). Once consent has been given – if this is what you require and expressly select – it will be saved in a technically essential cookie for a period of seven days, or for an unlimited period in the case of the selection of the external search engine.
You will only transfer (personal) data, including your IP address, by actively, independently and voluntarily, i.e., without coercion or pressure, clicking on the (“Shariff”) button to establish the connection to the external server. For this reason, we have no influence on the data collected and data processing operations at the external service provider, so that we can also provide no information about the purpose and scope of data processing or storage duration / deletion. Also, at this point, we would like to first of all refer you to the above-mentioned data protection policies and the objection/revocation and deletion options, etc., of the external providers used by us.
We use so-called “Facebook social plug-ins” for the integration of Facebook (Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland). You can find more detailed information about the display of such plug-ins at the following link: https://developers.facebook.com/docs/plugins/. However, as described above, a connection with the Facebook server is not established directly, but requires your consent in accordance with Art. 6(1) Sentence 1(a) GDPR. Only then will your information / personal data be transmitted to Facebook due to the integration of the plug-in or any interaction you have with the plug-in (such as by clicking to like a post), further processed/stored there and – if you are a registered and logged-in Facebook user – also connected with your Facebook account. If you give your consent in the above-mentioned sense, even if you are not a registered Facebook user, personal data will nevertheless be transferred to Facebook and your IP address, among other things, will be processed/saved. You can find more detailed information on this in the Facebook data protection provisions linked above.
As a registered Facebook user, to avoid the data transmission and linking with your Facebook account described above, please log out and delete your cookies. You can find more information on this in the statements above on the use of cookies, as well as on the existing objection/revocation and deletion options.
The above comments concerning the integration of Facebook also apply likewise – and not exhaustively – to the integration of content from Google (maps) / YouTube, Twitter, Instagram, Xing, LinkedIn and Wakelet.
9. Joint responsibility, Art. 26 GDPR
Notwithstanding the foregoing remarks, at this point it should be pointed out that the European Court of Justice – the highest European court – on June 5, 2018, affirmed the joint responsibility of Facebook and Facebook fan-page operators for compliance with data protection vis-à-vis fan-page users (ref. C-210/16). The independent federal and state data protection authorities in Germany therefore indicated on June 6, 2018, (https://www.saechsdsb.de/100-datenschutzkonferenzen/umlaufentschliessungen/575-die-zeit-der-verantwortungslosigkeit-ist-vorbei-eugh-bestaetigt-gemeinsame-verantwortung-von-facebook-und-fanpage-betreibern) “that, according to the ECJ judgement, there is an urgent need for action on the part of the operators of fan pages”, but without further specifying this need for action, such as with regard to the immediate shut-down of existing Facebook fan pages or the addition / upstream insertion of a specific/separate data protection policy. This happened on September 5, 2018, in the decision of the DSK data protection conference regarding Facebook fan pages (https://www.datenschutz-berlin.de/fileadmin/user_upload/pdf/publikationen/DSK/2018/2018-DSK-Facebook_Fanpages.pdf), which results in the introduction of eight test criteria that must be observed when operating a Facebook fan page, and which is briefly discussed below for the sake of transparency, even though a newer positioning of the DSK of April 1, 2019, (https://www.datenschutzkonferenz-online.de/media/dskb/20190405_positionierung_facebook_fanpages.pdf) took a new critical look at the data-protection-compliant operation of a Facebook fan page and the Bundesverwaltungsgericht [Federal Administrative Court] judgement of September 11, 2019, (BVerwG 6 C 15.18) confirmed that a regulatory “deactivation order constitutes a proportionate means” if “the data processing that occurs on opening the fan page proves to be unlawful” (https://www.bverwg.de/pm/2019/62):
The Facebook Page Insights supplement has established which obligations arising from GDPR are fulfilled and in what way, Art. 26(1) GDPR.
In principle, the Page Insights supplement provides an effective basis in relation to the obligations to provide information in accordance with Art. 13 and 14 GDPR, even if Art. 14 GDPR is not explicitly mentioned, but in this respect there is only mention of “inter alia”, i.e., of an exemplary enumeration. More problematic, however, is that these commitments, etc., are only assumed for the processing of Insights data, so there is still a degree of legal uncertainty about how responsibilities are otherwise distributed.
Data Subjects can view the agreement online at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
However, on the part of the Data Controller (e.g. the Chemnitz University of Technology) acting in addition to Facebook, based on the Page Insights supplement, it cannot currently be ensured that the rights of Data Subjects are being upheld by Facebook. There are no specific details of this in the Page Insights supplement.
For our Facebook fan page, we clarified in the context of a data protection impact assessment (Art. 35 GDPR), inter alia, whether a sufficient legal basis for the processing of Insights data exists and have provided a separate data protection policy for operating the Facebook fan page.
Facebook itself always explains comprehensively in its data protection policy which personal data is stored, in particular for cookies, IP addresses, etc. However, it is impossible to check whether this is complete and whether the details are correct. The fact that even non-Facebook users are registered “unnoticed” is questionable in terms of data protection, however, which is why explicit reference should be made to the information above.
The specific reasons for using the individual Facebook cookies can only be partly clarified and verified, because Facebook itself gives only limited information on this.
Even if the Page Insights supplement can be seen to contain an agreement within the meaning of Art. 26 GDPR, the agreements on the fulfilment of obligations are, at the moment, unfortunately extremely vague, because these can only be conferred on Facebook in their entirety.
The LinkedIn Corporation or LinkedIn Ireland Unlimited Company has made a “Page Insights Joint Controller Addendum” (https://legal.linkedin.com/pages-joint-controller-addendum) available per the European Court of Justice’s rulings.
Please therefore note that we may not be able to fulfil the rights of Data Subjects below, or at least not in full, without the support of the above-mentioned external providers. As already stated, to a large extent, data processing is exclusively the responsibility of the external providers, so that only these have access to the relevant information and personal data. Where such personal data is concerned, we therefore recommend that you assert your rights under the provisions of data protection law directly with the above-mentioned external providers. Regardless of this and the details of the agreement in accordance with Art. 26(1) GDPR we are aware that, as a Data Subject, you are also entitled to assert your rights vis-à-vis each individual Data Controller, so you can of course also contact us at any time.
X. Authentication and Authorisation (Web Trust Center) - Single Sign On (SSO)
1. Description, scope and purpose of data processing
The Chemnitz University of Technology uses its own identity provider (IdP) as a central authentication platform. The IdP authenticates and authorises users, in encrypted form via the SAML protocol (Security Assertion Markup Language), towards known local services (service providers) – web servers and web applications (identity and access control). The set of systems involved is called the Web Trust Center. You only have to log in to it once locally with your URZ user code and your password, and you can then access restricted content or use web-based applications or other service providers (“Single Sign On”).
Authentication and subsequent authorisation, including attribute transfer, are performed exclusively to enable access to non-public content and to provide web-based, personalised services.
The IdP can also be used – through participation in federations (Federated Identity Management) – for the authentication and authorisation of affected persons of the Chemnitz University of Technology for national (DFN-AAI) and international (eduGAIN) web services. The infrastructure for authentication and authorisation within the framework of the DFN-AAI is administered technically and contractually by the German Research and Education Network (DFN) as a trust and switching centre and realised on the software side by means of SAML-compliant software. More information on data protection in the framework of the DFN-AAI can be found on the DFN website at https://doku.tid.dfn.de/de:aai:dataprotection (German only). This makes it possible for members and affiliates of the Chemnitz University of Technology to be authenticated and authorised towards other participating institutions (e.g. universities) within the framework of the DFN-AAI exclusively via the local IdP of the Chemnitz University of Technology, without having to carry out a separate logon outside that IdP or send the URZ user ID and password to the service providers. For this purpose it may be necessary to select the Chemnitz University of Technology as home organisation (“Discovery Service”) when using services within the scope of the DFN-AAI in order to be redirected to the IdP of the Chemnitz University of Technology.
The communication between IdP and service providers is exclusively encrypted according to the current state of the art. The public key cryptography used for this is based on certificates from selected Certificate Authorities.
a) Local services at Chemnitz University of Technology
For authorisation decisions and further processing of data the IdP transmits the following attributes in encrypted form to servers of the Chemnitz University of Technology:
Attribute(s) | Technical Name(s) | Example(s) |
---|---|---|
Name and surname | givenName, sn, cn | Otto, Normalverbraucher, Otto Normalverbraucher |
Email address | mail, emailAddress | otto.normalverbraucher@hrz.tu-chemnitz.de |
Phone number (if assigned) | telephoneNumber | 35555 |
URZ user name | eduPersonPrincipalName, eduPersonUnscopedPrincipalName | otto@tu-chemnitz.de, otto |
Entitlement(s) | eduPersonEntitlement | urn:mace:dir:entitlement:common-lib-terms |
Organisation name, organisational unit(s) and number(s) | o, ou, ouNumber | Chemnitz University of Technology, Faculty of Humanities, 270000 |
Type(s) of organisational affiliation | eduPersonAffiliation, eduPersonScopedAffiliation | member/student, member/student@tu-chemnitz.de |
IdM group membership | afsgroup, idmgroup | urz:sw_tu-studenten, grp:test_phil |
b) National and international providers (Service Providers)
For authorisation decisions and further processing of data external service providers also request attributes. An overview of attributes for all applications can be found on the DFN website at https://doku.tid.dfn.de/de:attributes (German only). The IdP transmits a subset of the following attributes in encrypted form to the requesting external service providers:
Attribute(s) | Technical Name(s) | Example(s) |
---|---|---|
Name and surname | givenName, sn, cn/displayName | Otto, Normalverbraucher, Otto Normalverbraucher |
Email address | | otto.normalverbraucher@hrz.tu-chemnitz.de |
URZ user name and persistent pseudonym | eduPersonPrincipalName, Subject-ID/eduPersonUniqueID/eduPersonPersistentID | otto@tu-chemnitz.de, 499[…]1c5@tu-chemnitz.de |
Service-targeted pseudonym | Pairwise-ID/eduPersonTargetedID | e10[…]5bc@tu-chemnitz.de |
Entitlement(s) | eduPersonEntitlement | urn:mace:dir:entitlement:common-lib-terms |
Organisation name | o, schacHomeOrganization | TU Chemnitz, tu-chemnitz.de |
Type(s) of organisational affiliation | eduPersonAffiliation, eduPersonScopedAffiliation | member/student, member/student@tu-chemnitz.de |
For the use of federated services within the framework of the DFN-AAI – a complete list of all service providers within the framework of the DFN-AAI can be found on the DFN website https://tools.aai.dfn.de/entities/ – data transmission takes place only with mandatory user confirmation/consent for each individual service provider. Use of the service as well as consent to data transfer are voluntary. The Chemnitz University of Technology is responsible for ensuring that only the personal data (attributes) can be transmitted (so-called attribute filter rules in the IdP) that are necessary for the service provider to provide the service. The federation directory at https://www.aai.dfn.de/verzeichnis/ lists which attributes a service expects, whereby anonymous identification by means of a unique ID (transientID) that cannot be related to a specific natural person by the service provider is usually sufficient. Otherwise, a service-targeted pseudonym is preferred so that the service provider can recognise a user without a direct personal reference.
The Chemnitz University of Technology’s website can also be accessed with the authorisation of IdPs of other institutions within the DFN-AAI federation in order to provide access-restricted content. The following attributes are expected for this: Type(s) of organisational affiliation (eduPersonScopedAffiliation) and user name (eduPersonPrincipalName).
c) Special case: Learning platform OPAL (BPS Bildungsportal Sachsen GmbH)
In order to fulfil the tasks in the context of teaching, the transmission of special personal attributes to the learning platform is necessary. The IdP transmits the (sub) set of the following attributes available for the authenticated user in encrypted form:
Attribute(s) | Technical Name(s) | Example(s) |
---|---|---|
Name and surname | givenName, sn | Otto, Normalverbraucher |
Date of birth | schacDateOfBirth | 19121212 |
Email address | | otto.normalverbraucher@hrz.tu-chemnitz.de |
URZ user name and service-targeted pseudonym | eduPersonPrincipalName, eduPersonTargetedID | otto@tu-chemnitz.de, […]@tu-chemnitz.de |
Entitlement(s) | eduPersonEntitlement | urn:mace:dir:entitlement:common-lib-terms |
Organisation name, organisational unit(s) and number(s) | o, ou, eduPersonOrgUnitDN | Chemnitz University of Technology, Faculty of Humanities, 270000 |
Type(s) of organisational affiliation | eduPersonAffiliation, eduPersonScopedAffiliation | member/student, member/student@tu-chemnitz.de |
Field of study and subject-related term | dfnEduPersonFieldOfStudyString, fachsemester | Bachelor Romanistik, 8 |
Matriculation number and academic title | schacPersonalUniqueCode, title | 111111111, Dr. |
2. Legal basis for data processing
The processing of personal data for authentication and authorisation is carried out in accordance with Section 15(1) Sentence 1 No. 1 SächsHSG for the purpose of access to the study programme and the implementation of the study programme or in accordance with Section 11(1) SächsDSDG for the purpose of implementing the service or employment relationship. Further details are determined by the usage regulations of the University Computer Centre (URZ) of the Chemnitz University of Technology dated 29 May 2002 and the framework regulations for the use of information and communication services and information security at the Chemnitz University of Technology (IuK-Rahmenordnung) dated 10 February 2017.
For the voluntary use of the local and federated services and for the related data transfer (transfer of various attributes) outside the aforementioned necessity, on the other hand, a voluntarily granted declaration of consent by the data subject (Art. 6(1) Sentence 1(a) GDPR) is required. This means that after successful authentication with the IdP of the TU Chemnitz, you will initially only be shown which specific personal data (attributes) are to be transmitted to the service provider. Only after you have agreed to the transmission (consent) does the actual transmission to the service provider take place and thus the actual authorisation to the latter. Alternatively, you are free to refrain from voluntarily using the local and federated services.
3. Recipients of personal data
The processing of personal data is carried out locally by the legal entity Chemnitz University of Technology. The data is not transferred to third parties.
With individually approved, explicit and voluntary attribute disclosure to federated services (national and international), the processing is carried out by the respective external providers as a rule and, unless otherwise communicated, under their own responsibility under data protection law.
4. Legal/contractual rules for the provision of personal data and the consequences of non-provision
a) Local services at Chemnitz University of Technology
Without authentication to the IdP, you cannot access restricted content and services. For certain offers, however, this can be relevant to studies or work, so that failure to provide personal data would mean that the studies or the service/employment could not be carried out. In this case, members and affiliates of the university are obliged to provide their personal data insofar as this is necessary for the fulfilment of the tasks according to Section 15(1) SächsHSG or Section 11 SächsDSDG. In addition, the provision and use of the local services is voluntary, so that failure to provide your personal data as part of the authentication and authorisation has no consequences for you.
b) National and international providers (Service Providers)
The use of the services of the national or international federations is inherently voluntary. The data transmission takes place only with personal consent.
c) Special case: Learning platform OPAL (BPS Bildungsportal Sachsen GmbH)
Owing to the freedom of teaching (Section 4 Sentence 3 SächsHSG), the data protection-compliant use of the OPAL learning platform is the responsibility of the respective teacher in the specific individual case. The authorisation for OPAL takes place within the DFN-AAI Federation. As there is a contract processing agreement between the Chemnitz University of Technology and the BPS Bildungsportal Sachsen GmbH in the sense of Art. 28 GDPR, the learning platform OPAL is treated as equivalent to the local services. There is no transfer of personal data to third parties in terms of data protection law. Irrespective of this, however, the BPS Bildungsportal Sachsen GmbH is a recipient of personal data within the meaning of Art. 4 No. 9 GDPR.
5. Storage period
The necessary personal data is read and transmitted at application time. The IdP initiates a session valid for twelve hours; during this time, services can be authorised without re-authentication. The user's attributes are only present in the local working memory during this time. Before and after this, neither the IdP nor the service providers retain data. The exception is entries in log files, which are described in Section V.
For individual local and federated services, longer storage (e.g. for personal settings) may be necessary. Details can be found in the specific data protection declarations of the service providers.
6. Objection/revocation and deletion options
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1) Sentence 1(e) GDPR. In this case, the controller shall no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
You have the right to revoke your declaration of consent under data protection law at any time, either in whole or separately, without giving reasons and without unreasonable disadvantages, with effect for the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation. The revocation of consent is as simple as giving consent. In the event of revocation, personal data relating to you shall be deleted without delay if there is no other legal basis for the processing (Art. 17(1)(b) GDPR).
a) Local services at Chemnitz University of Technology
Please address your objection or revocation to the Chemnitz University of Technology’s contact responsible for the respective procedure, which in the specific individual case uses authentication and authorisation via the Web Trust Center. In case of doubt or queries, please contact the Chemnitz University of Technology’s Data Protection Officer in advance.
b) National and international providers (Service Providers)
If you have consented to the transfer of personal data to an external service provider after authentication and authorisation via the Web Trust Center of the Chemnitz University of Technology and wish to withdraw your consent, please preferably contact the relevant external service provider directly.
The University is indeed obliged under Art. 19 GDPR, in the event of disclosure of personal data, to notify all recipients of any rectification or erasure of the personal data or restriction of processing (cf. Art. 16–18 GDPR). However, it is at the same time not obliged to retain, obtain or process additional information to identify the data subject for the mere purpose of complying with this provision (Art. 11(1) GDPR). In keeping with data minimisation (Art. 5(1)(c) GDPR), the URZ of Chemnitz University of Technology, as the operator of the Web Trust Center, deliberately does not store which external service providers personal data has been transmitted to in individual cases after authentication. Against this background, it is impossible for the Chemnitz University of Technology to comply with the notification obligation under Art. 19 GDPR in this context, unless and insofar as you provide additional information in order to exercise your rights.
XI. Rights of the Data Subject
If your personal data is processed, you are a Data Subject within the meaning of GDPR, so you are entitled to the following rights vis-à-vis the Chemnitz University of Technology (Data Controllers). To assert your rights vis-à-vis the Chemnitz University of Technology or in case of further questions regarding data protection, you can contact our Data Protection Officer at any time.
All notices and actions in accordance with Art. 15–22 (e.g. information, correction, deletion, processing restriction, notification, data portability, right of objection) and Art. 34 GDPR (right of notification for data protection violations) are made available free of charge. However, for manifestly unfounded or – especially in the case of frequent repetition – excessive applications from one Data Subject, the Data Controller can either demand a reasonable fee, taking into account the administrative costs for the briefing or the notification or the implementation of the action requested, or it can refuse to act on the basis of the application. In such cases, however, the Chemnitz University of Technology must provide proof of the manifestly unfounded or excessive character of the application.
In addition, please note that there are restrictions on the rights of the Data Subject in accordance with Sections 7–10 SächsDSDG (Saxony Data Protection Implementation Act). Among other things, this affects the right to deletion and right to information, as well as the duty to provide information vis-à-vis Data Subjects.
1. Right to information
You can request confirmation from the Data Controller as to whether it is processing personal data relating to you. If such data is being processed, you can request the following information from the Data Controller:
- the processing purposes;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom the personal data has been disclosed or is yet to be disclosed, particularly for recipients in third countries or in international organisations;
- if possible, the planned period for which personal data is stored, or, if this is not possible, the criteria for determining that period;
- the existence of a right to rectification or erasure of the personal data relating to you or to restriction of processing by the Data Controller and the right to object to such processing;
- the existence of a right to lodge a complaint with a supervisory authority;
- if the personal data is not collected from you, i.e., the Data Subject, all available information on the source of the data;
- the existence of automatic decision-making including profiling in accordance with Art. 22(1) and (4) GDPR and – in these cases at least – meaningful information about the logic involved as well as the extent and the envisaged consequences for the Data Subject of processing of this nature.
However, as a Data Controller, the Chemnitz University of Technology naturally processes a large amount of information about Data Subjects, so that you as the Data Subject are required, when asserting your right to receive information, to specify the information or processing procedures to which your request for information relates, before information is issued to you (cf. Sentence 7, Recital 63 GDPR).
If personal data is transferred to a third country or an international organisation, as a Data Subject, you also have the right to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
2. Right to rectification
You have the right to demand that the Data Controller immediately rectify inaccurate personal data relating to you. Taking into account the purposes of processing, as a Data Subject, you also have the right to demand the completion of incomplete personal data, including by means of a supplementary declaration.
3. Right to erasure
a) Right to deletion, Art. 17 GDPR (“Right to be forgotten”)
You can request that the Data Controller delete personal data relating to you without delay. The Data Controller is also obliged to delete this data without delay if one of the following reasons applies:
- The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed.
- You withdraw the consent on which processing was based in accordance with Art. 6(1) Sentence 1(a) GDPR or Art. 9(2)(a) GDPR, and no further legal basis exists for processing.
- In accordance with Art. 21(1) GDPR, you object to processing and there are no overriding legitimate reasons for such processing, or you object to processing in accordance with Art. 21(2) GDPR.
- The personal data relating to you has been processed unlawfully.
- The personal data relating to you has to be erased in order to comply with a legal obligation under EU law or the law of a Member State to which the Data Controller is subject.
- The personal data relating to you has been collected in relation to the offer of information society services in accordance with Art. 8(1) GDPR.
b) Information to third parties
Where the Data Controller has made public personal data relating to you and is obliged to erase such data in accordance with Art. 17(1) GDPR, the Data Controller shall, taking account of available technology and the cost of implementation, take reasonable steps, including technical measures, to inform Data Controllers who are processing the personal data that you as the Data Subject have requested that they – the other Data Controllers – erase all links to, or copies or replications of, such personal data.
c) Exceptions to the right to erasure
The right to erasure does not apply to the extent that processing is necessary
- for the exercise of the right to freedom of expression and information;
- for the fulfilment of a legal obligation that requires processing by Union law or that of the Member States to which the Data Controller is subject, or for the performance of a task in the public interest or in the exercise of public authority vested in the Data Controller;
- for reasons of the public interest in the area of public health in accordance with Art. 9(2)(h) and (i) GDPR and Art. 9(3) GDPR;
- for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes in accordance with Art. 89(1) GDPR, insofar as the aforementioned “right to be forgotten” is likely to render impossible or severely impair the achievement of the objectives of that processing, or
- to assert, exercise or defend legal claims.
4. Right to restriction of processing
Under the following conditions, you can request the restriction of processing of personal data relating to you:
- if you contest the accuracy of the personal data, for a period that enables the Data Controller to verify the accuracy of the personal data;
- if the processing is unlawful and you decline the erasure of the personal data and instead request that their use be restricted;
- if the Data Controller no longer needs the personal data for the purposes of processing, but it is required by you to assert, exercise or defend legal claims, or
- if you have filed an objection against processing pursuant to Art. 21(1) GDPR, pending the verification of whether the legitimate interests of the Data Controller override your interests.
If the processing of personal data relating to you within the meaning above has been restricted, then such data may only be processed – with the exception of storage – with your consent or to assert, exercise or defend legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the conditions above, you will be informed by the Data Controller before the restriction is lifted.
5. Right to information
The Data Controller is obliged to inform you of all recipients to whom your personal data has been disclosed, of any rectification or deletion of personal data or limitation of processing in accordance with Art. 16, 17(1) and Art. 18, unless this proves impossible or would involve a disproportionate effort. The Data Controller shall inform the Data Subject of these recipients if the Data Subject so requests.
6. Right to data portability
You have the right to receive the personal data relating to you, which you have provided to the Data Controller, in a structured, commonly used and machine readable format (e.g., PDF, CSV). You also have the right to transmit such data to another Data Controller without hindrance from the Data Controller to whom you have provided your personal data, insofar as
- the processing is based on consent in accordance with Art. 6(1) Sentence 1(a) GDPR or Art. 9(2)(a) GDPR or on a contract pursuant to Art. 6(1) Sentence 1(b) GDPR, and
- the processing is carried out by automated means.
In exercising this right, you particularly have the right to cause the personal data relating to you to be transmitted directly from one Data Controller to another Data Controller, where this is technically feasible. The rights and freedoms of other persons may not be adversely affected by this.
Art. 17 GDPR (“Right to be forgotten”) shall remain unaffected by the right to data portability. It does not apply to the processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of public authority vested in the Data Controller.
7. Right to object
You have the right to object at any time, for reasons arising from your own particular situation, to the processing of personal data relating to you performed on the basis of Art. 6(1) Sentence 1(e) (public interest or in the exercise of public authority) or (f) GDPR (legitimate interests); this also applies to profiling based on these provisions.
The Data Controller will no longer process the personal data relating to you unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or unless processing is necessary to assert, exercise or defend legal claims.
Where personal data relating to you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data relating to you for such marketing; this includes profiling, insofar as it is related to such direct marketing.
If you object to processing for direct marketing purposes, personal data relating to you shall no longer be processed for such purposes.
In the context of the use of information society services – and notwithstanding Directive 2002/58/EC – you may exercise your right to object by automated means using technical specifications.
8. Right to withdraw your consent under data protection law
You have the right to withdraw your consent under data protection law at any time. The revocation of consent is just as simple as the granting of consent, in particular with regard to formal requirements, so that in principle, an informal notice by email is sufficient. Withdrawing your consent does not affect the legality of processing undertaken on the basis of your consent prior to its withdrawal.
9. Automated decision making in individual cases, including profiling
You have the right to not be subject to a decision based solely on automated processing – including profiling – which produces legal effects for you or significantly affects you in a similar manner. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and the Data Controller;
- is permissible on the basis of European Union or Member State law to which the Data Controller is subject, and such regulations include appropriate measures to guarantee your rights and freedoms and your legitimate interests, or
- is made with your explicit consent.
However, these decisions may not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2)(a) or (g) GDPR apply, and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
In the cases referred to previously in (1) and (3) above, the Data Controller shall take appropriate measures to safeguard your rights, freedoms and legitimate interests, which include as a minimum the right to obtain human intervention on the part of the Data Controller, to express your point of view and to challenge the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or legal remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you live or work or in which the alleged infringement took place, if you are of the opinion that the processing of personal data relating to you infringes legal provisions for data protection.
In accordance with Art. 51 GDPR in conjunction with Sections 14 et seq. SächsDSDG, the competent supervisory authority in the Free State of Saxony is:
Data Protection and Transparency Officer for Saxony
Dr. Juliane Hundert
Devrientstraße 5
01067 Dresden, Germany
Email: post@sdtb.sachsen.de
Phone: +49 351 85471-101
Fax: +49 351 85471-109
Website: https://www.datenschutz.sachsen.de
The supervisory authority to which the complaint was submitted will inform the complainant about the progress and the outcome of the complaint, including the possibility of a legal remedy pursuant to Art. 78 GDPR.
XII. Up-to-dateness/modification of this Data Protection Policy
This Data Protection Policy is currently in force and was last amended in October 2024.
It may become necessary to change or update this Data Protection Policy due to the further development of our website and products or due to legislative or administrative changes. A separate consent/permission for this on your part is generally not required by law.
You can view, print and save the current Data Protection Policy at any time on the website at https://www.tu-chemnitz.de/tu/datenschutz.html.en.