Privacy Policy

This data protection declaration applies to the university's website and the Internet pages, services and offers made available there, insofar as they link to or refer to this declaration, and explains how the university handles personal data. 

It also describes the choices you have regarding the collection and use of your personal data and access to this data and how you can update and correct this information.

Individual data protection information must be observed for the following online services:

•    DFNconf
•    Zoom X

I. Person in charge

II. Data protection officer

III. General information on data processing

IV. Rights of the data subject

V. Provision of the online presence | Creation of log files

VI. Usage of Cookies

VII. Web analysis by Matomo

VIII. Special data processing

   A. Social Media

   B. Podcast

   C. Registration -- International competitions, Weimar Master Classes, pinboard, alumni database

   D. Lending System - Leihs

   E. Newsletter

   F. Moodle

   G. ASIMUT

I. Person in charge

In the sense of the EU General Data Protection Regulation (GDPR), other national data protection acts (particularly the Thuringian Data Protection Act) and other provisions under data protection legislation the person in charge is the:

University of Music FRANZ LISZT Weimar
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 0
E-mail: praesidentin@hfm-weimar.de
Internetpräsenz: www.hfm-weimar.de

The University of Music FRANZ LISZT Weimar is a body under public law and is legally represented by its president.

II. Data Protection Officer

University of Music FRANZ LISZT Weimar
Legal Office | Data Protection
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 191
Email: datenschutz(at)hfm-weimar.de

III. General information about data processing

1. Scope of data processing

In principle, the personal data of users is only processed to the extent that this is required for the provision of a functioning online presence and for the use of the content and services made available there, or to the extent that the user has consented to the processing of their personal data.

There is an exception in those cases where it was not previously possible to seek consent due to concrete reasons and the processing of data is permitted by statutory regulations.

Personal data is only disclosed to third parties or otherwise transmitted if this is necessary for the purposes of contract processing or for billing purposes, or the contractual partner has consented to this previously.

The use of the IT infrastructure and systems of other universities within Thuringia, within the framework of the cooperation agreement between Thuringian universities for IT services, supplemented by a corresponding framework agreement on contract data processing, remains unaffected by this.

In some cases, the university works with external service providers to offer certain services (e.g. newsletters, videos). If you voluntarily use these services, personal data may be transferred to a third country and processed there.

2. Purpose and legal basis of data processing

The legal basis of the processing of the personal data in question is determined by its purpose.

In principle, every instance of processing of personal data by the university serves to fulfil the tasks assigned to it by law, particularly under Section 5 of the Thuringian Universities Act. Provided the data processing in question is covered by Section 11 of the Thuringian Universities Act and the Thuringian University Data Processing Ordinance, Art. 6 Para. 1 (e), the GDPR serves as the legal basis.

If the personal data of university employees is being processed, Section 27 of the Thuringian Data Protection Act, in conjunction with the Thuringian Government Employees Act, is the legal basis for data processing.

If consent is sought from the data subject for the processing of personal data, Art. 6 Para. 1 (a) of the GDPR is the legal basis.

If personal data is transferred to a third country and the level of data protection there has been recognised by means of an adequacy decision within the meaning of Art. 45 GDPR, this decision serves primarily as the basis for the data transfer. 
For example, as part of the so-called "Data Privacy Framework" (DPF), the EU Commission has recognised the level of data protection for certain companies from the USA as secure within the framework of the adequacy decision of 10.07.2023 (https://www.dataprivacyframework.gov/).

Otherwise, data will only be transferred if the level of data protection is otherwise ensured, in particular through standard contractual clauses (Art. 46 para. 2 lit. c) GDPR) or the express consent of the data subject.

3. Storage period and data deletion | Possibility of objection

The data subject’s personal data is erased as soon as the purpose of storage lapses.

If it is not possible to erase it due to technical circumstances or other requirements, or if this would only be possible with disproportionate outlay, the personal data will be made unavailable or otherwise restricted in terms of processing.

Further storage may also take place if this is provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject.

The erasure, making unavailable or restriction or processing of the data also occurs if one of the storage periods stipulated by the above norms comes to an end, unless it is necessary to continue storing the data in order to conclude a contract or fulfil it.

IV. Rights of the data subject

If your personal data is processed, you are a data subject within the sense of the GDPR, and you have rights vis-à-vis the controller, pursuant to Article 15 ff. GDPR. As part of this, limitations, changes and, potentially, the exclusion of these rights can arise from the General Data Protection Regulation itself, in particular, and from Sections 21 – 23 of the Thuringian Data Protection Act.

  • In principle, you can request access to information regarding whether an of your personal data is being processed. If this is the case, you have a right to access information regarding this personal data and to any other information relating to the processing (Art. 15 GDPR).
  • In the event that personal data relating to you is not (or is no longer) relevant or comprehensive, you can request the rectification, and if necessary, the supplementation, of this data (Art. 16 GDPR).
  • Insofar as the statutory requirements are met, you can request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR).
  • You have the right to receive the personal data relating to you, which you have provided to the controller , in a standard, structured and machine-readable format, and to transmit this data to another controller, provided that certain conditions are met (Art. 20 GDPR).
  • For reasons arising from your particular situation, you have the right to object to the processing of personal data relating to you at any time, if this processing occurs under Article 6, Para. 1 (e) or (f) GDPR. Insofar as the statutory requirements are met, the university will not process your personal data subsequent to this.
  • According to data protection law, you have the right to revoke your declaration of consent at any time. Revoking this consent does not affect the legality of the processing that has already occurred on the basis of this consent, up to the point in time at which it was revoked.


Irrespective of any other legal remedy under administrative law, or judicially, you have the right to file a complaint with a supervisory authority if you believe that the processing of the personal data relating to you is in breach of the GDPR. The competent supervisory authority is the:

Thuringian State Officer for Data Protection and the Freedom of Information
Visitor address: Häßlerstraße 8 (4th Floor), 99096 Erfurt
Postal Address: PO Box 90 04 55, 99107 Erfurt
Telephone: +49 361 | 57 311 29 00
Fax: +49 361 | 57 311 29 04
Email: poststelle(at)datenschutz.thueringen.de

V. Provision of the online presence | Creation of log files

1. Scope of data processing

Every time the university’s online presence is accessed, the following data and information is automatically recorded by the computer system of the accessing computer and stored in log files:

  1. Information about the browser type and version used
  2. The user’s operating system
  3. The user’s IP address
  4. The date and time of access
  5. The website from which the user’s system accessed the university’s website
  6. Websites that the user’s system accessed via the university’s website.

 
This data is not stored in conjunction with the user’s data or any other personal data.

The following external service provider assists with the operation of this website:
JUSTORANGE – resch media services, Jena (consulting, design development, technical execution of the TYPO3 template, maintenance and updating).


2. Purpose and legal basis of data processing

It is necessary for the IP address to be temporarily stored by the system in order to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must remain stored for the duration of the session.

Storage in log files serves to ensure the functioning of the website. In addition, the data helps to ensure the security of the university’s IT systems. In this context, the data is not evaluated for marketing purposes.

Due to the above legitimate interest in processing the above-mentioned data, the legal basis for the temporary storage of data and the creation of log files is Art. 6 Para. 1 (f) of the GDPR.

3. Storage period and data deletion | Possibility of objection

The data processed for the provision of the online presence is deleted when the session in question has ended. The data stored in log files is erased after seven days, at the most.

Given that the recording of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website, it is not possible to object to this.

VI. Usage of Cookies

1. Scope of data processing

The internet presence of the university uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on your terminal device, for example, when you call up an Internet page. This cookie contains a characteristic string of characters that makes it possible to uniquely identify the browser when the website is called up again.

Cookies are used to make the Internet presence more user-friendly and to ensure that the Internet pages function as expected. Some elements of the Internet presence require that the calling browser can be identified even after a page change.

So-called session cookies (temporary cookies) are used on the university's Internet pages. This type of cookie is stored exclusively for the duration of the use of the Internet pages. Session cookies are used exclusively to identify you as long as you are logged in to the Internet pages. After the end of each session, the session cookies are deleted. Any use beyond this does not take place.

The following data is stored and transmitted in the cookies:

  1. Log-in information
  2. User setting to opt out of web analytics by Matomo
  3. MoodleSession identifies you by an anonymous ID and stores your login for the current session in Moodle. This is necessary to maintain login and access permissions during the session. The cookie is automatically deleted when you log out of the system or close the web browser
  4. MoodleID stores the username in the web browser when you use the Moodle platform. The next time you log in to the system, it will automatically be entered into the login screen to speed up your login process. You can optionally activate the cookie when logging in.

 
2. Purpose and legal basis of data processing

The purpose of using technically necessary cookies is to simplify the use of Internet pages. As a rule, cookies are only set in response to actions you take, such as setting privacy preferences, logging in or filling out forms. In principle, the university's Internet pages can be used without the use of cookies. However, some functions cannot be offered without the use of cookies. For these applications mentioned under No. 1, it is necessary that the browser is recognized even after a page change. The data collected through technically necessary cookies are not used to create usage profiles.

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f DSGVO.
 

3. Storage period and data deletion | Possibility of objection

Cookies are stored on your computer and transmitted from it to the university's website. Therefore, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for the university's Internet presence, it may no longer be possible to use all functions of the Internet pages to their full extent.

VII. Web analysis by Matomo

1. Scope of data processing 

The university uses the open source software tool Matomo on its website to analyze page views and the surfing behavior of the persons using the website. The software runs exclusively on the university's own servers, without the use of cookies. The data is not passed on to third parties.

Matomo accesses various information from the browsers of the users in order to generate a randomly set, short-lived identifier for each visitor ("configuration ID"). The ID is used by Matomo to roughly and anonymously assign various actions to an end device in a short time window of a defined 30 minutes and to group them into "visits". After the 30 minutes have elapsed, a new ID is assigned when the website is called up again and it is counted as a new visit.

The following data is processed when individual pages of the website are called up:

  1. two bytes of the IP address of the calling system,
  2. the time at which the website was called up
  3. the page called up (page title and URL),
  4. the Internet page from which you accessed the accessed page (referrer),
  5. the subpages that are called up from the called-up Internet page,
  6. the time spent on the Internet page
  7. the frequency with which the Internet page is accessed
  8. the screen resolution used,
  9. the time in your local time zone,
  10. files clicked to download,
  11. the page generation time,
  12. the location of your computer (country, region, city, approximate longitude and latitude),
  13. language settings of the browser used,
  14. Operating system, browser version, end device (such as desktop, tablet, smartphone, TV, vehicle, console, etc.).


Source: https://matomo.org/faq/general/faq_18254/  

The software is set in such a way that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (Ex: 192.168.xxx.xxx). In this way, an assignment of the shortened IP address to the calling end device is no longer possible.


2. Purpose and legal basis of data processing 

The processing of your personal data enables an analysis of your surfing behavior. By evaluating the data obtained, the university is able to compile information on the use of the individual components of the Internet pages. This helps to continuously improve the Internet presence and its user-friendliness.

In these purposes lies the legitimate interest in the processing of the data, so that the legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f) DSGVO. By anonymizing the IP address, processing the data without cookies and the only short time of recording a visit to the website, your interest in protecting your personal data is sufficiently taken into account.


3. Storage period and data deletion | Possibility of objection

The generation of the "configuration ID" from the information of your browser is set in such a way that the data is anonymized and additionally randomly changed every 30 minutes.

The possibility of opting out of the analysis procedure is offered on the Internet pages. In this way, a cookie is set on your computer system, which signals to the university's system not to store your data. If you delete the corresponding cookie from your computer system in the meantime or if you use a different terminal device or a different Internet browser, you must set the opt-out cookie again.

You can find more information about the privacy settings of the Matomo software at the following link: https://matomo.org/docs/privacy/  


Possibility to OPT-OUT

VIII. Special data processing

The following provisions serve to provide information on the handling of your personal data within the scope of special, specific applications that you can access via the university's Internet presence. They supplement the above general provisions.

Due to the partial publication of individual data on the Internet, this data can also be found via search engines and linked with other data available on the Internet to create a personality profile or used for commercial purposes. Data may still be retrievable via the archive function of search engines even if the information has already been changed or removed from the university's website.

A. Social Media

The university's presence on social media is used for public relations work and enables it to make direct contact with members and interested parties outside the university and to provide information about the university and its programmes and services.

If you visit one of our social media pages, we are jointly responsible with the provider of the respective social media platform for the processing of personal data within the meaning of Art. 26 GDPR. The processing of personal data is carried out in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR on the basis of our legitimate interest in being able to communicate with you in a timely manner.

The university does not use any social media plugins on its website. You can only access the university's social media channels via external links. In order to prevent unwanted transmission of your usage data to these services, you can only access the respective services by clicking on a link. Links are currently provided to the following social media providers: YouTube, Facebook and Instagram.

When using social media services, data security cannot be guaranteed in accordance with European law. The university has no influence on whether and to what extent, for how long and for what purpose the external providers collect personal data when you visit their pages. However, it can be assumed that at least the IP address and device-related information is collected and used. As we do not have access to the providers' databases, you should exercise your rights as a data subject in accordance with Art. 15 et seq. GDPR directly with the respective providers.

The Google (YouTube) and Meta (Instagram, Facebook) services integrated on the university's website are certified in accordance with the Transatlantic Data Privacy Framework, so that the corresponding adequacy decision of the EU Commission guarantees an adequate level of data protection compared to the EU and is the basis for third country transfers.

If you have general data protection concerns regarding the processing of your personal data when using social media channels, you can continue to obtain equivalent information via the university's conventional information and communication channels (website, circular emails, newsletters, notices).

YouTube

The university embeds videos from the university's own YouTube channel on its website for information and advertising purposes. In addition, the university and users of the Moodle learning platform can embed videos via YouTube for information and teaching purposes. These are stored on YouTube's servers and played from the website or from Moodle via an embed or a link. Embedding on the website takes place with extended data protection settings and requires additional activation. No data is passed on when a page with an embedded YouTube video is called up, as the video is still deactivated at this point. Only when the video is played by separately activating the specified link will user-specific data be stored in the form of YouTube cookies and DoubleClick cookies and possibly automatically transmitted to YouTube or Google, including in third countries such as the USA. The university has no influence over this data transfer or the type, scope and intended use of the transferred data. Use for market research and marketing purposes cannot be ruled out.

The YouTube cookies stored when the videos are activated can be deleted, deactivated and restricted via the settings options of your Internet browser. However, it may no longer be possible to use all the functions of the website to their full extent.

As YouTube is a Google service, user-specific data is transmitted regardless of whether you have a Google account that you are logged into or whether no account exists. If you are logged in via your own Google account, this data may be assigned directly by Google. If you do not want this assignment to a personal profile, you must log out before playing the video.

By agreeing to Google's general terms of use, the EU standard contractual clauses between the university and the provider were concluded at the same time. This guarantees protective measures comparable to EU law for the possible transfer of data to third countries.

Vimeo

In addition, videos provided by the external service provider Vimeo are integrated on the university's website and on the Moodle learning platform. Here, too, no data transfer takes place when the respective website is simply accessed and the videos must be started separately. In addition, the videos are always integrated in the "Do Not Track" variant, so that personal data is only transmitted to Vimeo to a minimal extent when they are played.

In order to ensure an appropriate level of data protection when transferring data to the USA, the university has concluded the EU standard contractual clauses with Vimeo in the so-called "Controller to Controller" variant.  In addition, the provider of Vimeo has made a commitment to the university to continue to comply with the self-imposed obligations from the former Privacy Shield Agreement.

Despite the measures taken, data such as the IP address and information on the operating system and browser type may be transmitted to Vimeo and subsequently processed and stored when you watch videos. If you are logged in to Vimeo as a member, further data may also be transferred via stored (third-party) cookies and assigned to your personal user account. The assignment can be prevented by logging out of your Vimeo user account before using the website and deleting the corresponding cookies.

Facebook

When the university's Facebook pages are accessed, Facebook collects and uses the information described in the Facebook Data Policy. Facebook provides the university, as the operator of the pages, with statistics and insights about the types of actions taken on its pages ("Page Insights") without disclosing details for the exact identification of individuals. It may be possible to assign actions to specific profiles if individual details are set to "public" in the personal settings.

Page Insights may require the processing of personal data in accordance with the GDPR. Facebook and the university may then be jointly responsible for the processing of this data within the meaning of Art. 26 GDPR.

The university has entered into an agreement with Facebook that specifies who fulfils which obligation under the GDPR. Among other things, it was agreed that Facebook is responsible for providing data subjects with information about the processing for Page Insights and enabling them to exercise their rights under the GDPR. Further information on the respective rights can be found in your personal Facebook settings. If you have any questions or concerns, you can also contact Facebook's data protection officer, whose contact details can be found in Facebook's data policy. In addition, it has been agreed that the Irish Data Protection Commission is the lead supervisory authority for monitoring processing for Page Insights. However, you can also lodge a complaint with any other supervisory authority.

Instagram

The Instagram platform is used by the university to make its own images and videos publicly accessible. Instagram processes the data you enter in your account and analyses your actions on the platform for advertising purposes and to create a profile of your interests. Instagram uses analysis tools such as Instagram Insights, which function and are used in the same way as described for Facebook.

Only specific, non-personal, aggregated information about the activity (e.g. likes, clicks on a post or the profile) can be viewed by the university.

Instagram is also informed of the page from which you access the platform. This information can be assigned to you if you were logged in to Instagram or another meta service (e.g. Facebook) before accessing the page. As soon as you click on an Instagram channel, Instagram stores cookies on your device. The setting of these cookies can be prevented by appropriate browser settings and extensions. Some of the information about your visit is collected and processed by Instagram even if you do not have an Instagram user account or are not logged in to Instagram.


Further information on the handling of data protection on the external online and social media platforms and on the data protection settings options can be found on the respective websites of the providers:

B. Podcast

1. Scope of data processing

The university offers self-produced podcast episodes on its website for the university anniversary, in which members talk about themselves, their connection to music and the university.

The podcast files in MP3 format are hosted on the platform www.podcaster.de. The platform is operated by Fabio Bacigalupo, Brunnenstraße 147, 10115 Berlin, Germany.

The podcast player is integrated into the university's websites using widgets or embeds. In doing so, podcaster.de processes the IP address of the device you are using on its own server as well as other device information in log files. Any statistics are created without information on individual persons and only in aggregated form.

The university has concluded a data processing agreement with podcaster.de in accordance with Art. 28 GDPR. According to this agreement, podcaster.de undertakes to ensure the necessary protection of your data and to process the data exclusively on our behalf in accordance with the applicable data protection regulations. Further information on the handling of user data can be found in the privacy policy: https://www.podcaster.de/podcaster-datenschutzerklaerung.pdf 

You can also listen to and download the podcasts via your private devices on some of the most popular podcast platforms. This is done by agreeing to the terms of use and data protection provisions of the respective providers. It may also be necessary to have your own user account with the provider.
Further information can be found on the websites and in the privacy policies of the providers.

You can also listen to and download the podcasts via your private devices on some of the most popular podcast platforms. This is subject to the terms of use and data protection provisions of the respective provider. It may also be necessary to have your own user account with the provider.

Further information can be found on the websites and in the privacy policies of the providers.


2. Purpose and legal basis of data processing

The processing and temporary storage of the IP address and other device information is carried out to enable podcast downloads and playback and to determine statistical data (views, subscriber numbers).

The data will not be used independently by podcaster.de or passed on to third parties. This data is also not stored together with other personal data of the user.

The use of the podcaster.de platform is in the interest of a secure and efficient provision of a podcast service by the university. The legitimate interest in the processing of data lies in these purposes, so that the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR.

3. Storage period and data deletion | Possibility of objection

The log files for the provision of the podcast player and the data stored in log files are deleted as soon as they are no longer required for the provision of the service, but at the latest when the session ends.

C. Registration -- International competitions, Weimar Master Classes, pinboard, alumni portal

1. Scope of data processing

On some webpages, the university offers the option of registering by providing personal data. The nature and scope of the data collected depend on the purpose of the data collection, as determined by the corresponding tender, participation or usage conditions. The individual conditions can be accessed upon undertaking the registration in question, or they will be provided to the user in another way.

The exact scope of your processed personal data results from the information to be provided in the respective input mask. On the one hand, this involves mandatory information (usually master and contact data and, in some cases, subject-specific information such as photo, CV and copy of passport/ID card) and, on the other hand, depending on the reason for registration, further, sometimes voluntary, information about your availability, studies and, if applicable, personal (professional) background.

The data is provided via an input mask, then transmitted to the university and stored.

In addition, it is possible that photographs and recordings may be taken of you when you participate in certain events and competitions and related events and that these may be used for public relations or other university purposes.

The university's alumni portal offers the possibility of internal communication via the contact form provided there. The data you enter in the form will be transmitted and processed to answer your enquiry.

At the time of registration for the various services and when using the alumni portal, the log data described under point V. Provision of the website | Creation of log files of this data protection declaration is also stored and logged for 7 days.

Alternatively, it is possible to make contact via the email address provided for the registration in question. In this case, the user’s personal data that is transmitted with the email is stored.

Personal data is only disclosed to third parties or otherwise transmitted by the university if this is necessary for purposes of contract processing, or for billing purposes, or if the contractual partner has consented to this previously.

Alongside the videos, the visiting professors for the Weimar masterclasses receive the surname, first name and date of birth of registered participants, so that they can undertake the pre-selection provided for in the participation conditions.

As part of the university's public relations work and in particular the promotion of events and competitions, your data may be published by the university's press department in print media, social media channels and on the university's website and passed on to third parties (press, media) for current reporting.

The following external service providers assist with executing the above services:

  • JUSTORANGE – resch media services (consulting, design development, technical execution of the TYPO3 template, maintenance and updating).
  • Friedrich Schiller University Jena (maintenance of the alumni database)
  • Bauhaus Weiterbildungsakademie Weimar e.V., Weimar (contract drafting, finances, participant support for competitions)
  • Novalnet AG, Ismaning (payment processing/e-payment)

 
 
2. Purpose and legal basis of data processing

Registration is necessary for the provision of certain content and services, in order to fulfil a contract with the user or to execute pre-contractual services.

The personal data collected when registering for the respective service or offer will be used to establish contact, organise and implement the services and offers, to set up and, if necessary, bill a participation account and to answer enquiries. The data you provide may also be used for voluntary participation in surveys as part of quality assurance and evaluations or for advertising and reporting purposes.

The legal basis for the processing of data for the competitions, masterclasses and the alumni portal is Art. 6 para. 1 sentence 1 lit. e) GDPR in conjunction with the Thuringian Higher Education Act, in particular § 5 and § 11 ThürHG; if you have given your consent, Art. 6 para. 1 sentence 1 lit. a) GDPR.

If the registration (also) serves to fulfil a contract to which the user is a party, or to execute pre-contractual measures, an additional legal basis for the processing of the data is Article 6 Para. 1 (b) of the GDPR (competitions, Weimar masterclasses, pinboard).

3. Storage period and data deletion | Possibility of objection

The data will be deleted if it is no longer required for the performance and fulfilment of the corresponding contract or associated pre-contractual measures or if you withdraw your consent to data processing.

You have the option of cancelling your registration or having the data stored about you amended at any time. Depending on the service used, the corresponding written request must be sent to the e-mail address stated in the terms and conditions of tender, participation or use or made in your user account itself. The data will only be stored for as long as you wish. However, deletion from the systems can take up to four weeks under certain circumstances.

D. Newsletter

1. Scope of data processing

After registering with the university's alumni portal, you have the option of subscribing to a free newsletter. When you register, the e-mail address you provide in the portal, together with your first name and surname, will be processed to send you the newsletter. Opening the newsletter and clicking on the links contained therein may be logged by the university for internal statistical purposes (date, time, e-mail address). The data obtained in this way is processed exclusively in anonymised form without being merged into personal user profiles.

Furthermore, there is also the option of subscribing to a free newsletter on the website of one of the university's projects (https://jazzomat.hfm-weimar.de/). By subscribing to this newsletter, the e-mail address entered in the input mask is transmitted to the university.

In addition, the following data (log data) is recorded and stored upon registration:

  1. IP address of the accessing computer
  2. Date and time of registration


In conjunction with the processing of data for sending the newsletter, data is disclosed to the external service provider commissioned to perform this task:

MailChimp (The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA)

Mailchimp is certified according to the Data Privacy Framework, so that the corresponding adequacy decision of the EU Commission guarantees an appropriate level of data protection and is the basis for third country transfers.

Data protection information from the service provider used:
https://mailchimp.com/legal/privacy/
 

2. Purpose and legal basis of data processing

The collection and further processing of your e-mail address and, in the case of the alumni newsletter, your name is used to deliver the respective newsletter.

The legal basis for the processing of data after the user’s registration for the newsletter is Article 6 Para. 1 (a) of the GDPR, if consent has been granted.

The anonymous logging of your activities in relation to the alumni newsletter is used to measure success. By analysing the resulting statistics, the university is able to compile information about the use of the newsletter and the topics addressed in it. This helps to continuously improve the newsletter.

The legitimate interest in the processing of data lies in these purposes, so that the legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f) GDPR.

3. Storage period and data deletion | Possibility of objection

Your e-mail address will be stored for as long as the subscription to the newsletter is active. In the case of the Alumni Portal newsletter, your data will be stored until you unsubscribe from the portal.

The subscription to the newsletter can be cancelled by the user at any time. Every newsletter contains a corresponding link for this purpose. This also makes it possible to revoke the consent to the storage of the personal data collected during the registration process.

E. Lending System – Leihs

1. Scope of data processing

The lending system - Leihs is a web-based application that can be accessed via the university's website and is operated on its own server. After registering with your name and e-mail address at the university's media technology department, you can log in to the system with your e-mail address via Shibboleth. When you borrow items for the first time, the barcode on your thoska card is also registered so that it can be assigned via a barcode scanner. The entire lending process is managed via the system and the associated e-mail correspondence (e.g. confirmations, reminders). Data is not transmitted to third parties.

2. Purpose and legal basis of data processing

The purpose of processing your data is to provide an overview of available and loanable equipment and technology and to properly manage your orders and loans.
The legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. e) GDPR in conjunction with the Thuringian Higher Education Act, in particular § 5 and § 11 ThürHG.
If a loan agreement is concluded after registration and registration, the additional legal basis for the processing of the data is Art. 6 para. 1 sentence 1 lit. b) GDPR.

3. Storage period and data deletion | Possibility of objection

The data will be deleted if this is requested by you and if it is no longer required for the execution and processing of the loan agreement. When you leave the university, access via Shibboleth expires and login is no longer possible. Your data will also be deleted at this time at the latest, provided there are no open positions in your user account. Furthermore, all users who have not been active in the last two years are deleted from the system once a year.

F. Moodle

The university uses the open source software Moodle for the operation of a teaching and learning platform Moodle (https://moodle.hfm-weimar.de/), hereinafter referred to as Moodlelearn, as well as Moodledok (https://moodledok.hfm-weimar.de) for web-based, digital document management. 

Moodlelearn is a web-based learning management system that serves to supplement teaching through virtual course rooms, promote cooperation and communication within the university (exchange between students, between students and lecturers and between lecturers) and between the university and other educational institutions.

The Moodledok platform is used for centralised document management at the university (minutes, reports, accreditation documents, recommended resolutions, forms, handouts, etc.) and as an exchange and cooperation platform (joint editing of documents, etc.) between university members and staff as well as between internal and external committee members (e.g. university council).

1. Scope of data processing

Moodle can be used by members and affiliates of the university with the university login, and by external users with an appropriate guest account if necessary. 

By using Moodle, your name, e-mail address and user name for your university (guest) account will be processed (inventory data). In addition, you will receive a Moodle user ID with a Moodle user account.
In a personal profile, you can enter further data that is only stored on the platform itself. There you can also determine whether and which of this data should be visible to other users.

Moodlelearn also stores data about the courses used there, their content and times of use. Performance results from courses (e.g. test results) are linked to you and are also stored.

The data is collected by you entering it yourself or communicating it to the university, or it is taken from the data already communicated to the university or the data systems available there. Other data, especially technical data, is collected automatically or generated by uploading documents (transcripts) and assessments for tests and assignments.

The courses for which you are authorised and your role are stored in Moodle. You can gain access to a course either by registering as a trainer or participant in a course or by manually booking (self-enrolment) in a Moodle course. This data on authorisations and roles is necessary for the system to function. Manual entries can be made by course creators, managers or administrators.

If you are enrolled in courses, you will receive messages from these course rooms by e-mail and in the Moodle system. In your personal profile, you can choose which e-mails you receive from Moodle. You can change these settings at any time. When using the messaging system, messages sent to other users may be visible to teachers and administrators. To prevent third parties from viewing messages, you can alternatively use the e-mail system.

Usage data
Usage data is generated by your activity in the system. The actions you can perform in the respective course/course area depend on your respective role. During activity, the time at which you access which parts of the site and/or the profiles of other users is logged. In addition, it is also recorded whether tasks have been completed and whether and which contributions have been made in the forums, as well as whether and how tests have been taken.

With every action in Moodle, the system automatically logs the following data:

  • First name, surname and Moodle user ID of the person performing the action,
  • If applicable, the first name, surname and Moodle user ID of the person concerned,
  • IP address of the accessing end device,
  • Date and time of the request,
  • Source of the call,
  • Action (incl. description),
  • the course concerned.


In addition, Moodle stores the following data in the user's profile:

  • Time of first access to the website,
  • Time of last access to the website,
  • Time of the last access to a course,
  • last IP address used.


Content data
Content data in Moodle is created through your actions in the system and depending on the respective role. Content can be created in polls, tasks, tests and interactive content, for example. Uploaded files and assessments also count as content data.

Entries in forums etc. can be viewed by the respective trainer(s) or HiWis of the course room as well as the administrators. If a registration in a course room is cancelled, the contact details are no longer visible to other users.

Assessments in Moodlelearn can be made either automatically by the system or manually by the teachers and assistants. In addition, administrators and managers always have the theoretical option of making assessments.

Authentication
Authentication is required to control access to Moodle. This is done when you log in to the system using the Shibboleth authentication service. Your name, e-mail address and place of residence, including the country, are transferred from the university's identity management system and saved. You can display the transferred data when you log in and view it at any time afterwards. This data is otherwise not visible to anyone and is only used to assign access authorisation.

After logging into Moodle, you have the opportunity to take part in university surveys that are relevant to you. You can take part by clicking on links in your Moodle dashboard and then being redirected to the evasys evaluation software. Your entries and data are processed and saved there. The assignment to the surveys is made via your university e-mail address, which is known to both systems through the link to your university account. No other data is exchanged in the process. It is also not possible to trace from where you access the respective survey. The survey links remain active in Moodle for the survey period (up to one month).

2. Purpose and legal basis of data processing

Inventory, course, usage and content data in Moodlelearn are processed for the purpose of preparing, organising and running courses, teaching learning objectives and monitoring learning success and in Moodledok for the purpose of academic (self-)administration.

The processing of inventory data is necessary for the fulfilment of the university's tasks as a public institution within the meaning of Section 5 ThürHG. This data is processed on the basis of Art. 6 para. 1 sentence 1 lit. e) GDPR, as is the processing of usage and content data.

The usage data is also used for the purpose of administering and maintaining the system, technical controlling, troubleshooting technical problems or clarifying security incidents. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with Art. Art. 32 GDPR.

3. Storage period and data deletion | Possibility of objection

The retention period for courses and documents created in Moodle and the personal data processed therein is based on the retention periods prescribed for the respective course or document type and its content.

Inventory data
Inventory data remains in Moodle until it is deleted in Identity Management. Once you have left the university, you will no longer be able to log in one day after the end of your contract/exmatriculation. The same applies to external students when their membership of a committee or course ends. On a technical level, the account will be blocked after 90 days and then deleted.

Authentication
The data required for authentication is deleted when you log out, when the Moodle session ends after a long period of inactivity or when the browser session ends.

Course data
The authorisations, including the rights for courses and course areas, are deleted as soon as the course or course area itself is deleted or the person with the authorisation leaves the university.

Content data
The content data and its storage period are linked to the existence of the associated course and also depend on the general and legal retention periods applicable to the respective content. Posts made by users, e.g. within forums, are still available even if the person is no longer active as a user.

Usage data
Usage data is stored for as long as is necessary for the creation, administration or implementation of a course or participation in a course. It is also deleted at the latest when the course is deleted. The data on the first and last access to the website or a course as well as the last IP address used are deleted in the same way as the inventory data when the account is deleted in the university's identity management system.
 

G. ASIMUT

The university uses the ASIMUT room booking system from ASIMUT software ApS in Aarhus, Denmark, to plan and organize events and to book and manage the rooms available to members.

1. Scope of data processing

ASIMUT can be used by members and affiliates of the university with the university login and, if necessary, by external users with an appropriate guest account. Guest accounts are created manually by the system administration.

Your surname, first name, user number, e-mail address (booking confirmation), technical log data and authorization references as well as the actual booking data (location: location/room, period and title of the booking) are regularly processed in the software.

The data is collected by you entering it yourself (reservations, bookings) or it is taken from the data already provided to the university or the data systems available there (university identity management). Other data, especially technical data, is collected automatically through the use of the system.

Authentication
Authentication is required to control access to ASIMUT. This takes place when you log in to the system via the Shibboleth authentication service. Your name, e-mail address and user ID are transferred from the university's identity management system and stored. You can view the transferred data when you log in and at any time afterwards. This data is otherwise not visible to anyone and is only used to assign access authorization.

Inventory data
By logging in to ASIMUT and using it, your name, e-mail address and user ID (user name) are processed for your university (guest) account. In addition, you will receive a randomly generated user name in ASIMUT with your user account.

Usage data/log data
Usage data is generated by your activity in the system. The actions you can perform depend on your respective role and the booking privileges assigned to you.

ASIMUT stores the rooms and roles for which you are authorized. This data is necessary for the system to function. As a rule, you only have access to the general user interface to make your own bookings there. Extended use of the system and manual entries can only be made by so-called power users (usually the Events Office and the persons responsible for the individual university buildings) or system admins.

When rooms are booked, the person making the booking, any other participants/guests and data on the desired time and duration are processed.

For internal communication regarding the organization of events and the equipment of rooms, authorized persons (extended user interface) can send information messages within the system for the individual dates. In addition, e-mail notifications can also be sent, although the e-mail addresses are not visible to all users.

Persons with the appropriate authorization can run analyses and create statistics to evaluate room utilization, capacities and booking figures, among other things. These functions are not used for monitoring or profiling purposes.

The system automatically logs the following data for every action in ASIMUT:

  • Login attempt
  • Date and time
  • Success of the login
  • Login name
  • IP address


Separately, when the system is actively used, the history of bookings and changes and by whom they were made is logged step by step.

Data transfer
Within the university, only those persons entrusted with room management will receive your personal data. The inventory data and booking data are accessible to all users of the extended interface (admins and power users) until they are deleted from the system. In addition, persons invited by or with you to the same event can also view the data for the respective event via the general interface (name, room, time, further information).

The persons involved in a process only receive the personal data that they require for their respective tasks. It is mainly individual employees of the Events Office and the relevant faculties who process your personal data. When participating in public events, your name may be displayed under certain circumstances and be visible to the people using the system.

The provider of the software necessarily obtains knowledge of your data insofar as this is provided for in the order processing contract. There are no plans to transfer the data to third countries.

2. Purpose and legal basis of data processing

The purpose of the room booking system is to record and manage room booking requests. Your personal data is processed in order to be able to offer the room booking service via digital devices from anywhere and to provide you with relevant information as part of the booking process, to inform you and, if necessary, to contact you in the event of queries.

Your authentication data is processed for the purpose of restricting access to non-public, protected parts of the service to registered users.

Inventory and usage data is processed for the purpose of preparing, organizing and holding events, e.g. for the reservation and booking of university premises.

The processing of inventory data is necessary for the performance of the university's tasks as a public institution within the meaning of Section 5 ThürHG. This data is processed on the basis of Art. 6 para. 1 sentence 1 lit. e) GDPR in conjunction with Section 11 para. 1 no. 1 and no. 8 ThürHG, as is the processing of usage data.

The usage data is also used for the purpose of administering and maintaining the system, technical controlling, troubleshooting technical problems or clarifying security incidents. The legal basis for this is Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with Art. Art. 32 GDPR.

If the university wishes to process your personal data for other purposes not mentioned above, it must obtain your written consent to do so. The legal basis is then Art. 6 para. 1 sentence 1 lit. a) GDPR.

3. storage period and data deletion | Possibility of objection

The period of storage and deletion of personal data processed in ASIMUT depends on the data types and any prescribed retention periods. If the contractual relationship via the room booking system is terminated, all data will be permanently deleted from the database within 90 days of the expiry of the contract.

Inventory data
Your inventory data will remain in ASIMUT until it is deleted in Identity Management. After you leave the university, login to ASIMUT can no longer be guaranteed. Guest accounts in ASIMUT are deleted manually by the system administration.

The account data in the university's Identity Management will be set to inactive, blocked on a technical level after 90 days and then deleted within one year. In addition, the account will be deleted upon your explicit request for deletion, after a corresponding check by the specialist department.

Authentication
The data required for authentication is deleted when you log out, when the ASIMUT session ends after a long period of inactivity or when the browser session ends.

Usage data/log data
Usage data/log data are records of system access and are stored for as long as is necessary for the reservation, booking or administration of the respective premises or the organization of an event. Final deletion of the data takes place automatically after six months.

Event and personal data
Event-related data remains visible in the system for three years after the end of the event and is then irretrievably deleted (including from the database). The level of detail of visibility depends on the respective user role. It is also possible to delete events manually from the database.

The personal data is updated in the system at the start of each semester and old data and persons are removed. The irretrievable deletion date of personal data is calculated from the time of deletion of the data record in the system plus the data retention period of three years. However, a personal data record is not irretrievably deleted until all event data records in which the person participates have been irretrievably deleted.