The protection of your personal data is a high priority for Studierendenwerk Hamburg A.ö.R.. It is important to us to inform you comprehensively below about what personal data is collected when you visit our website and how it is used. This data protection declaration applies to the domain www.studierendenwerk-hamburg.de as well as to all subdomains maintained by Studierendenwerk Hamburg with this website.
The use of our pages is generally possible without providing personal data. However, if you want to use special services of the Studierendenwerk via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain your consent.
As the controller, the Studierendenwerk Hamburg has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. Nevertheless, Internet-based data transmissions can always be subject to security vulnerabilities, so that absolute protection cannot be guaranteed. For this reason, every data subject is free to transmit personal data to us by alternative means, for example by telephone.
This data protection declaration is based on the terms used by the European Directive and Ordinance Maker when adopting the General Data Protection Regulation (DS-GVO). To ensure comprehensibility, we explain the terms used in advance.
We use the following terms, among others, in this privacy statement and on our website:
a) Personal data: Personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
b) Data subject: data subject means any identified or identifiable natural person whose personal data are processed by the controller.
c) Processing: processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of processing: restriction of processing is the marking of stored personal data with the aim of limiting their future processing.
e) Profiling: profiling is any type of automated processing of personal data that consists of using such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.
f) Pseudonymization: pseudonymization is the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
(g) Controller or controller: the controller or controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.
h) Processor: a processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
i) Recipient: a recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigative task under Union or Member State law shall not be considered as recipients.
j) Third Party: a third party is a natural or legal person, public authority, agency or other body other than the Data Subject, the Controller, the Processor and the persons authorized to process the Personal Data under the direct responsibility of the Controller or the Processor.
k) Consent: Consent shall mean any freely given indication of the data subject's wishes for the specific case, in an informed and unambiguous manner, in the form of a statement or other unambiguous affirmative act by which the data subject indicates that he or she consents to the processing of personal data relating to him or her.
The responsible party within the meaning of the General Data Protection Regulation, other data protection laws applicable in the Member States of the European Union and other provisions of a data protection nature is:
Studierendenwerk Hamburg AöR
20146 Hamburg Phone: +49 (40) 41902 - 0
Any data subject may contact email@example.com at any time with any questions or suggestions regarding data protection.
The data protection officer appointed is:
Gabriele Paulsen - glp consulting
The data subject can prevent the setting of cookies by our website at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time via an Internet browser or other software programs. This is possible in all common Internet browsers. If the data subject deactivates the setting of cookies in the Internet browser used, not all functions of our website may be fully usable.
The website of the Studierendenwerk Hamburg collects a series of general data and information every time a data subject or automated system calls up the website. This general data and information is stored in the log files of the server. The following can be recorded
(1) the browser types and versions used,
(2) the operating system used by the accessing system,
(3) the website from which an accessing system arrives at our website (so-called referrer),
(4) the sub-websites that are accessed via an accessing system on our website,
(5) the date and time of an access to the Internet site,
(6) an Internet protocol address (IP address),
(7) the Internet service provider of the accessing system, and
(8) other similar data and information that serve to avert danger in the event of attacks on our information technology systems.
When using these general data and information, the Studierendenwerk Hamburg does not draw any conclusions about the data subject. Rather, this information is needed in order to.
(1) deliver the contents of our website correctly,
(2) optimize the content of our website and the advertising for it,
(3) ensure the long-term functionality of our information technology systems and the technology of our website, and
(4) to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack.
Therefore, the Studierendenwerk analyzes anonymously collected data and information on one hand, statistically, and on the other hand, with the aim of increasing the data protection and data security of our enterprise, and ultimately ensuring an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a data subject.
The data subject has the opportunity to register on the website of the controller by providing personal data. Which personal data is transmitted to the controller in the process is determined by the respective input mask used for the registration. The personal data entered by the data subject are collected and stored exclusively for internal use by the controller and for its own purposes. The controller may arrange for the data to be transferred to one or more processors, who will also use the personal data exclusively for an internal use attributable to the controller.
By registering on the website of the controller, the IP address assigned by the Internet service provider (ISP) of the data subject, the date as well as the time of registration are also stored. The storage of this data takes place against the background that only in this way can the misuse of our services be prevented and, if necessary, this data makes it possible to clarify committed crimes and copyright infringements. In this respect, the storage of this data is necessary for the protection of the data controller. As a matter of principle, this data is not passed on to third parties unless there is a legal obligation to pass it on or the passing on serves criminal or legal prosecution. A comparison of the data collected in this way with data that may be collected by other components of our site also does not take place.
The registration of the data subject by voluntarily providing personal data serves the data controller to offer the data subject content or services which, due to the nature of the matter, can only be offered to registered users. Furthermore, the registration of the data subject serves monitoring as well as own documentation purposes. In addition, we use the collected data to contact you by telephone and to send you advertising by mail and e-mail. Registered persons are free to have the personal data provided during registration completely deleted from the controller's database.
The controller shall provide any data subject at any time, upon request, with information about what personal data is stored about the data subject. Furthermore, the data controller shall correct or delete personal data at the request or indication of the data subject, provided that this does not conflict with any statutory retention obligations. The data protection officer and the entire staff of the controller are available to the data subject as contact persons in this context.
As part of the 100th anniversary of the Studierendenwerk Hamburg AöR, data subjects have the opportunity to upload text, image and/or video formats to the Studierendenwerk's website using an input mask and providing their personal data. The first name and e-mail address of the person concerned are required, while information on the academic degree, last name and institution/function is optional.
With the consent to the publication of the text, image and/or video formats by the Studierendenwerk, the data subjects confirm that they hold the rights to the text, image and/or video formats and agree to the data protection notice as well as the use of the text, image and/or video formats naming their data provided per input mask (except for the e-mail address) for the public relations of the Studierendenwerk in the period 2021 up to and including December 31, 2032. Beyond that, the personal data and text, image and/or video formats will no longer be stored and deleted.
By uploading your text, image and/or video formats, you agree that your text, image and/or video contributions will be published in the period 2021 up to and including 31.12.2032, naming your data provided via the input mask (except for the e-mail address). Beyond that, the personal data and text, image and/or video formats will no longer be stored and deleted.
The Studierendenwerk offers the possibility to subscribe to newsletters / subscriptions. With these newsletters / subscriptions, the Studierendenwerk informs you about our offers at regular intervals (for menus, depending on your choice, daily (Mon - Fri) or weekly) depending on the topics and developments.
You will receive a so-called double opt-in e-mail in which you will be asked to confirm receipt of the newsletter / information subscription.
You can object to receiving the newsletter / subscription / information at any time (so-called opt-out). You will find an unsubscribe link in every newsletter / subscription or double opt-in e-mail. A valid e-mail address is required to receive the newsletter / subscription. The e-mail address entered by the data subject is checked to ensure that the data subject is actually the owner of the e-mail address provided or that the owner is authorised to receive the newsletter / subscription. With the registration for the newsletter / subscription, the IP address and the date and time of the registration of the data subject are stored. This serves as a safeguard for the controller in the event that a third party misuses the e-mail address and subscribes to the newsletter / subscription without the knowledge of the data subject. No other data is collected. The data collected in this way is used exclusively in accordance with Art. 6 para. 1 lit. a DSGVO for the purpose of receiving the newsletter / subscription. It will not be passed on to third parties. The data collected in this way is also not compared with data that may be collected by other components of our site.
The Studierendenwerk Hamburg currently uses an offer from Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, https://de.sendinblue.com for data processing of the menu subscription. Sendinblue stores the subscribers' data in encrypted form in Germany, and Google Cloud is used for hosting. The subscriber agrees to a statistical evaluation of the reach and frequency of use of the received Menu Abs.
The subscriber can revoke his/her declaration of consent at any time with effect for the future. The revocation is effected by calling up the registration link contained in each menu plan subscription.
When subscribing to the menu plan subscription, the subscriber agrees to the collection, storage and use of his/her e-mail address for this purpose, as well as to the transmission of his/her e-mail address to the service provider sendinblue, which processes his/her e-mail address on behalf of the Studierendenwerk Hamburg and sends the menu plan subscription.
On its website, Studierendenwerk Hamburg offers you the opportunity to contact the data controller by e-mail and/or via a contact form. If the opportunity for the input of personal or business data (e-mail addresses, names, addresses) is given, the input of these data takes place voluntarily. In this case, the information provided by the person concerned will be stored for the purpose of processing his or her contact. Unless there are necessary reasons in connection with a business transaction, the data subject may revoke the previously granted consent to the storage of his personal data with immediate effect in writing, by e-mail or by fax. The data will not be disclosed to third parties, unless disclosure is required by law. A comparison of the data collected in this way with data that may be collected by other components of our site also does not take place.
For the allocation of housing complex places/daycare centre places/scholarships, it is possible to register online as an interested party via a questionnaire.
Within the framework of the balancing of interests pursuant to Art.6 para.1f DS-GVO.
After the respective purpose of processing and use has ceased to apply, the relevant statutory retention periods shall apply. If the controller concludes a corresponding contract with a relevant person, the transmitted data will be stored for the purpose of processing the contractual relationship in compliance with the statutory provisions. If the controller does not conclude a contract with a relevant person, the records will be automatically deleted six months after the notification of the rejection decision or after the last contact, if the data subject has not expressly consented to longer storage in the controller's database of interested parties or if no other legitimate interests of the controller or other statutory retention periods conflict with deletion or if the retention of the data serves the purpose of legal prosecution.
Preservation of evidence within the framework of the statutory limitation provisions: If it is necessary to preserve evidence, for example in the context of legal proceedings, reference is made to the following retention periods: The limitation periods of the German Civil Code (BGB) can be up to 30 years if a court title exists (§§ 195 ff. BGB). If no legal title has been obtained against the person concerned, the regular limitation period of 3 years applies.
Data obtained in this way is only passed on to third parties within the framework of legal/official requirements. A comparison of the data collected in this way with data that may be collected by other components of our site does not take place.
Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
We use an applicant management tool from the provider d.vinci HR-Systems GbmH to process online applications. You can find d.Vinci's data protection information at https://www.dvinci.de/datenschutz/.
The controller collects and processes the personal data of applicants for the purpose of handling the application procedure. The processing may also take place electronically. This is the case, in particular, if an applicant sends relevant application documents to the controller by electronic means, for example by e-mail. If the controller concludes an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted six months after notification of the rejection decision, unless the data subject has expressly consented to longer storage in the controller's database of interested parties or unless other legitimate interests of the controller conflict with deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
1. use of Google maps with recommendation components
The controller uses the "Google Maps" component on the website in combination with the so-called "share function". "Google Maps" is a service of the company Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA, hereinafter "Google".
With each individual call of the "Google Maps" component, a cookie is set by Google in order to process user settings and data when displaying the page on which the "Google Maps" component is integrated. As a rule, this cookie is not deleted by closing the browser, but expires after a certain time, unless you delete it manually beforehand.
If you do not agree with this processing of your data, you have the option of deactivating the "Google Maps" service and thus preventing the transfer of data to Google. To do this, you must deactivate the Java Script function in your browser. However, we would like to point out that in this case you will not be able to use "Google Maps" or only to a limited extent.
as well as the additional terms and conditions for "Google Maps
2. use of iPack 3
Online/application, upload enrollment certificate, semester ticket (iPack 3)
The provision of an online form that is made publicly available for use by the. The purpose of the form is the registration for a student dormitory place in the properties of the controller, the independent maintenance of master data by the tenants of the client and the secure sending of messages and files.
The data is retrieved by the Studierendenwerk Hamburg itself once or several times a day using the "tl1 tlJob" software. The data is read into the "tl1 Wohnheimverwaltung" program used by Studierendenwerk Hamburg and processed further. In addition, Studierendenwerk Hamburg transfers data from this program to a contractor's server to enable independent maintenance of master data by tenants. Applicant/tenant data is kept on the server for 14 days and backed up daily. The subsequent deletion of the data is done together with the daily data retrieval.
We have concluded an order data processing contract with tl1 and fully implement the strict requirements of the German data protection authorities when using iPack 3.
3. use of Google Analytics with anonymization function
The controller has integrated the Google Analytics component (with anonymization function) on this website. Google Analytics is a web analysis service. Web analysis is the collection, compilation and evaluation of data about the behavior of visitors to websites. A web analysis service collects, among other things, data on which website a data subject came to a website from (so-called referrers), which subpages of the website were accessed or how often and for how long a subpage was viewed. A web analysis is mainly used for the optimization of a website and for the cost-benefit analysis of internet advertising.
The operating company of the Google Analytics component is Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA. The controller uses the addition "_gat._anonymizeIp" for web analysis via Google Analytics. By means of this addition, the IP address of the Internet connection of the data subject is shortened by Google
is shortened and anonymized if access to our Internet pages is from a member state of the European Union or from another state party to the Agreement on the European Economic Area.
The purpose of the Google Analytics component is to analyze the flow of visitors to our website. Among other things, Google uses the data and information obtained to evaluate the use of our website, to compile online reports for us showing the activities on our website, and to provide other services related to the use of our website.
services in connection with the use of our website.
Google Analytics sets a cookie on the information technology system of the data subject. What cookies are has already been explained above. By setting the cookie, Google is enabled to analyze the use of our website. By each call of one of the individual pages of this website operated by the controller and on which a Google analytics
and on which a Google Analytics component has been integrated, the Internet browser on the information technology system of the data subject is automatically prompted by the respective Google Analytics component to transmit data to Google for the purpose of online analysis. As part of this technical process, Google obtains knowledge of personal data, such as the IP address of the data subject, which Google uses, among other things, to track the origin of visitors and clicks and subsequently enable commission calculations. By means of the cookie, personal information, for example the access time, the place from which an access originated and the frequency of visits to our website by the data subject, is stored. Each time the data subject visits our website, this personal data, including the IP address of the internet connection used by the data subject, is transmitted to Google in the United States of America. This personal data is stored by Google in the United States of America. Google may disclose this personal data collected via the technical procedure to third parties. The data subject can prevent the setting of cookies by our website, as already described above, at any time by means of an appropriate setting of the Internet browser used and thus permanently object to the setting of cookies. Such a setting of the Internet browser used would also prevent Google from setting a cookie on the information technology system of the data subject. In addition, a cookie already set by Google Analytics can be deleted at any time via the Internet browser or other software programs.
4. use of YouTube
We use the YouTube.com platform to post our own videos and make them accessible. YouTube is the offer of a third party not affiliated with us, namely YouTube LLC.
Some Internet pages of our offer contain links or connections to the YouTube offer. In general, we are not responsible for the content of linked websites. In the event that you follow a link to YouTube, however, we would like to point out that YouTube stores the data of its users (e.g. personal information, IP address) in accordance with its own data usage guidelines and uses it for business purposes.
We also directly embed videos stored on YouTube on some of our web pages. With this integration, content from the YouTube website is displayed in parts of a browser window. However, the YouTube videos are only called up by clicking on them separately (framing). If you call up a (sub-)page of our website on which YouTube videos are embedded in this form, a connection is established to the YouTube servers and the content is displayed on the website by informing your browser.
The integration of YouTube content only takes place in "extended data protection mode". YouTube itself provides this mode and thus ensures that YouTube does not initially save any cookies on your device. However, when the relevant pages are called up, the IP address and the other data mentioned in item 4 are transmitted and thus, in particular, information is provided as to which of our Internet pages you have visited. However, this information cannot be assigned to you unless you have logged in to YouTube or another Google service (e.g. Google+) before accessing the page or are permanently logged in.
As soon as you start the playback of an embedded video by clicking on it, YouTube only saves cookies on your device through the extended data protection mode, which do not contain any personally identifiable data, unless you are currently logged in to a Google service. These cookies can be prevented by appropriate browser settings and extensions.
1. Routine erasure and blocking of personal data.
The controller shall process and store personal data of the data subject only for the period of time necessary to achieve the purpose of the storage or where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.
If the storage purpose ceases to apply or if a storage period prescribed by the European Directive and Regulation Maker or another competent legislator expires, the personal data shall be routinely blocked or deleted in accordance with the statutory provisions.
2. Rights of the data subject
(a) Right to confirmation: Every data subject has the right granted by the European Directive and Regulation to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may, at any time, contact our Data Protection Officer or another employee of the controller.
b) Right of access: Any person concerned by the processing of personal data has the right granted by the European Directive and Regulation to obtain at any time from the controller, free of charge, information about the personal data stored about him or her, as well as a copy of that information. In addition, the European Directive and Regulation Legislator has granted the data subject access to the following information:
the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject Furthermore, the data subject shall have a right of access to whether personal data have been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer. If a data subject wishes to exercise this right of access, he or she may, at any time, contact our data protection officer or another employee of the controller.
c) Right of rectification: Every data subject affected by the processing of personal data has the right granted by the European Directive and Regulation to request that inaccurate personal data concerning him or her be corrected without delay. Furthermore, the data subject has the right to request the completion of incomplete personal data - also by means of a supplementary declaration - taking into account the purposes of the processing. If a data subject wishes to exercise this right to rectification, he or she may, at any time, contact firstname.lastname@example.org or an employee of the controller by e-mail.
d) Right to erasure (right to be forgotten): Any person concerned by the processing of personal data has the right granted by the European Directive and Regulation to obtain from the controller the erasure without delay of personal data concerning him or her, where one of the following grounds applies and to the extent that processing is no longer necessary:
The personal data has been collected in relation to information society services offered pursuant to Article 8(1) DS-GVO. If one of the aforementioned reasons applies, and a data subject wishes to arrange for the erasure of personal data stored by the Studierendenwerk Hamburg, he or she may, at any time, contact the controller by e-mail at email@example.com or by telephoning the controller. The data protection officer of the Studierendenwerk Hamburg or another employee shall arrange for the erasure request to be complied with immediately. If the Studierendenwerk Hamburg has made the personal data public and our enterprise as the controller is obliged to delete the personal data pursuant to Article 17 (1) of the Data Protection Regulation, the Studierendenwerk Hamburg shall implement reasonable measures, including technical measures, to ensure that other data controllers process the published personal data and that the data subject has requested from those other data controllers the erasure of all links to the personal data or copies or replications of the personal data, unless the processing is necessary. If data erasure is requested but the data controller is still legally obliged to retain the data, access to the data will be restricted (blocked). The same applies in the event of an objection. The data protection officer of Studierendenwerk Hamburg or another employee will arrange the necessary in individual cases.
e) Right to restriction of processing: Any person concerned by the processing of personal data has the right granted by the European Directive and Regulation to obtain from the controller the restriction of processing where one of the following conditions is met:
The data subject has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject. If one of the aforementioned conditions is met, and a data subject wishes to request the restriction of personal data stored by the Studierendenwerk Hamburg, he or she may do so by sending an e-mail to firstname.lastname@example.org or to any employee of the controller. The data protection officer of the Studierendenwerk Hamburg or another employee will arrange the restriction of the processing.
f) Right to data portability: Any person affected by the processing of personal data has the right granted by the European Directive and Regulation to receive the personal data concerning him or her, which has been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. He or she also has the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals. In order to assert the right to data portability, the data subject may at any time contact email@example.com or an employee by e-mail.
g) Right to object: Any person affected by the processing of personal data has the right granted by the European Directive and Regulation to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the GDPR. This also applies to profiling based on these provisions. The Studierendenwerk Hamburg shall no longer process the personal data in the event of the objection, unless compelling legitimate grounds for the processing can be demonstrated which override the interests, rights and freedoms of the data subject, or the processing serves the purpose of asserting, exercising or defending legal claims. We inform you that the revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.
If the Studierendenwerk Hamburg processes personal data for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data processed for such marketing. This also applies to profiling insofar as it is related to such direct marketing. If the data subject objects to the Studierendenwerk Hamburg to the processing for direct marketing purposes, the Studierendenwerk Hamburg will no longer process the personal data for these purposes. In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by the Studierendenwerk Hamburg for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the DS-GVO, unless such processing is necessary for the performance of a task carried out in the public interest. In order to exercise the right to object, the data subject may at any time contact firstname.lastname@example.org or an employee by e-mail. The data subject is also free to exercise his/her right to object by means of automated procedures using technical specifications in connection with the use of information society services, notwithstanding Directive 2002/58/EC.
h) Automated decisions in individual cases, including profiling: Any data subject concerned by the processing of personal data shall have the right, granted by the European Directive and the Regulation, not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the controller, or (2) is permitted by Union or Member State law to which the controller is subject and that law contains suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or (3) is made with the data subject's explicit consent. If the decision (1) is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or (2) it is made with the data subject's explicit consent, the Studierendenwerk Hamburg shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, which include at least the right to obtain the data subject's involvement on the part of the controller, to express his or her point of view and contest the decision. If the data subject wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact email@example.com or an employee of the controller by e-mail.
i) Right to withdraw consent granted under data protection law: Any data subject concerned by the processing of personal data has the right, granted by the European Directives and Regulations, to withdraw his or her consent to the processing of personal data at any time. If the data subject wishes to exercise the right to withdraw consent, he or she may, at any time, contact firstname.lastname@example.org or any employee of the controller by e-mail.
j) Right of complaint
The data subject has at any time pursuant to Art. 77 DS-GVO in conjunction with. § 19 BDSG-neu the possibility to file a complaint with a data protection supervisory authority. The supervisory authority responsible here is:
The Hamburg Commissioner for Data Protection and Freedom of Information.
Ludwig-Erhard-Str. 22, 7th floor, 20459 Hamburg, Germany
Phone: (040) 4 28 54 - 40 40, Fax: (040) 4 28 54 - 40 00
We would like to inform you below about the processing of personal data in connection with the use of "Zoom".
Purpose of processing
We use the "Zoom" tool to conduct conference calls, online meetings, video conferences and/or webinars (hereinafter: "Online Meetings"). "Zoom" is a service provided by Zoom Video Communications, Inc. which is based in the USA.
The data controller for data processing directly related to the implementation of "Online Meetings" is the
Studierendenwerk Hamburg AöR
Telephone: +49 (40) 41902 - 0
Note: If you call up the "Zoom" website, the provider of "Zoom" is responsible for data processing. However, calling up the Internet site is only necessary to use "Zoom" in order to download the software for using "Zoom".
You can also use "Zoom" if you enter the respective meeting ID and, if applicable, further access data for the meeting directly in the "Zoom" app.
If you do not want to or cannot use the "Zoom" app, then the basic functions can also be used via a browser version, which you can also find on the "Zoom" website.
Various types of data are processed when using "Zoom". In this context, the scope of the data also depends on the information on data you provide before or when participating in an "online meeting".
The following personal data are subject to processing:
User details: first name, last name, telephone (optional), e-mail address, password (if "single sign-on" is not used), profile picture (optional), department (optional).
Meeting metadata: Topic, description (optional), attendee IP addresses, device/hardware information.
If recording (optional): MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.
For dial-in with the telephone: information on the incoming and outgoing call number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
Text, audio and video data: You may have the option of using the chat, question or survey functions in an "online meeting". To this extent, the text entries you make are processed in order to display them in the "online meeting" and, if necessary, to log them. In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the "Zoom" applications.
To participate in an "online meeting" or to enter the "meeting room", you must at least provide information about your name.
We use "Zoom" to conduct "online meetings". If we want to record "online meetings", we will transparently communicate this to you in advance and - if necessary - ask for consent. The fact of the recording will also be displayed to you in the "Zoom" app.
If it is necessary for the purposes of logging the results of an online meeting, we will log the chat content. However, this will generally not be the case.
In the case of webinars, we may also process questions asked by webinar participants for purposes of recording and following up on webinars.
If you are registered as a user at "Zoom", then reports of "online meetings" (meeting metadata, telephone dial-in data, questions and answers in webinars, survey function in webinars) may be stored at "Zoom" for up to one month.
Automated decision-making within the meaning of Art. 22 DSGVO is not used.
Insofar as personal data of employees of Studierendenwerk Hamburg AöR are processed, Section 26 BDSG is the legal basis for data processing. If, in connection with the use of "Zoom", personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of "Zoom", Article 6 (1) f) DSGVO is the legal basis for data processing. In these cases, our interest is in the effective implementation of "online meetings".
For the rest, the legal basis for data processing when conducting "online meetings" is Art. 6 (1) lit. b) DSGVO, insofar as the meetings are conducted in the context of contractual relationships.
Should no contractual relationship exist, the legal basis is Art. 6 para. 1 lit. f) DSGVO. Here, too, our interest is in the effective implementation of "online meetings".
Personal data processed in connection with participation in "online meetings" will not be disclosed to third parties as a matter of principle unless it is specifically intended for disclosure. Please note that content from "online meetings", as well as from face-to-face meetings, is often used precisely to communicate information with customers, interested parties or third parties and is therefore intended for disclosure.
Other recipients: The provider of "Zoom" necessarily receives knowledge of the above-mentioned data, insofar as this is provided for in the context of our order processing agreement with "Zoom".
"Zoom" is a service provided by a provider from the USA. A processing of personal data therefore also takes place in a third country. We have concluded an order processing agreement with the provider of "Zoom" that meets the requirements of Art. 28 DSGVO.
An adequate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses. As supplementary protective measures, we have also configured our Zoom so that only data centers in the EU are used to conduct "online meetings".
We have appointed a data protection officer.
Any data subject may contact email@example.com at any time with any questions or suggestions regarding data protection.
The data protection officer appointed is:
Gabriele Paulsen - glp consulting
You have the right to obtain information about the personal data concerning you. You can contact us for information at any time.
In the case of a request for information that is not made in writing, we ask for your understanding that we may require proof from you that you are the person you claim to be.
Furthermore, you have a right to rectification or deletion or to restriction of processing, insofar as you are entitled to this by law.
Finally, you have a right to object to processing within the scope of the law.
A right to data portability also exists within the framework of the data protection legal requirements
As a matter of principle, we delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed in order to fulfill contractual services, to check and grant or ward off warranty and, if applicable, guarantee claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.
You have the right to complain about the processing of personal data by us to a data protection supervisory authority.