Privacy Policy

This Privacy Policy applies to the university’s online presence and the websites, services and offers made available there, provided that they link to this Policy or refer to it and explain how the university handles personal data.

It also describes the options you have regarding the recording and usage of your personal data and the access to this data, and how you can update and correct this information.

Non-legally binding translation: In case of doubt and discrepancies, the provisions of the original German version shall apply.

I. Person in charge

II. Data protection officer

III. General information on data processing

IV. Rights of the data subject

V. Provision of the online presence | Creation of log files

VI. Usage of Cookies

VII. Web analysis by Matomo

VIII. Social Media

IX. Registration -- International competitions, Weimar Master Classes, pinboard, alumni datenbase

X. Newsletter

XI. Online conferences

In the sense of the EU General Data Protection Regulation (GDPR), other national data protection acts (particularly the Thuringian Data Protection Act) and other provisions under data protection legislation the person in charge is the:

University of Music FRANZ LISZT Weimar
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 0
E-mail: praesidentin@hfm-weimar.de
Internetpräsenz: www.hfm-weimar.de

The University of Music FRANZ LISZT Weimar is a body under public law and is legally represented by its president.

University of Music FRANZ LISZT Weimar
Legal Office | Data Protection
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 191
Email: datenschutz(at)hfm-weimar.de

1. Scope of data processing

In principle, the personal data of users is only processed to the extent that this is required for the provision of a functioning online presence and for the use of the content and services made available there, or to the extent that the user has consented to the processing of their personal data.

There is an exception in those cases where it was not previously possible to seek consent due to concrete reasons and the processing of data is permitted by statutory regulations.

Personal data is only disclosed to third parties or otherwise transmitted if this is necessary for the purposes of contract processing or for billing purposes, or the contractual partner has consented to this previously.

The use of the IT infrastructure and systems of other universities within Thuringia, within the framework of the cooperation agreement between Thuringian universities for IT services, supplemented by a corresponding framework agreement on contract data processing, remains unaffected by this.
 

2. Purpose and legal basis of data processing

The legal basis of the processing of the personal data in question is determined by its purpose.

In principle, every instance of processing of personal data by the university serves to fulfil the tasks assigned to it by law, particularly under Section 5 of the Thuringian Universities Act. Provided the data processing in question is covered by Section 11 of the Thuringian Universities Act and the Thuringian University Data Processing Ordinance, Art. 6 Para. 1 (e), the GDPR serves as the legal basis.

If the personal data of university employees is being processed, Section 27 of the Thuringian Data Protection Act, in conjunction with the Thuringian Government Employees Act, is the legal basis for data processing.

If consent is sought from the data subject for the processing of personal data, Art. 6 Para. 1 (a) of the GDPR is the legal basis.
 

3. Duration of storage and data erasure

The data subject’s personal data is erased as soon as the purpose of storage lapses.

If it is not possible to erase it due to technical circumstances or other requirements, or if this would only be possible with disproportionate outlay, the personal data will be made unavailable or otherwise restricted in terms of processing.

In addition, it may be stored if this is provided for by European or national legislators in ordinances, acts or other regulations under Union law, to which the controller is subject.

The erasure, making unavailable or restriction or processing of the data also occurs if one of the storage periods stipulated by the above norms comes to an end, unless it is necessary to continue storing the data in order to conclude a contract or fulfil it.

If your personal data is processed, you are a data subject within the sense of the GDPR, and you have rights vis-à-vis the controller, pursuant to Article 15 ff. GDPR. As part of this, limitations, changes and, potentially, the exclusion of these rights can arise from the General Data Protection Regulation itself, in particular, and from Sections 21 – 23 of the Thuringian Data Protection Act.

• In principle, you can request access to information regarding whether an of your personal data is being processed. If this is the case, you have a right to access information regarding this personal data and to any other information relating to the processing (Art. 15 GDPR).

• In the event that personal data relating to you is not (or is no longer) relevant or comprehensive, you can request the rectification, and if necessary, the supplementation, of this data (Art. 16 GDPR).

• Insofar as the statutory requirements are met, you can request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR).

• You have the right to receive the personal data relating to you, which you have provided to the controller , in a standard, structured and machine-readable format, and to transmit this data to another controller, provided that certain conditions are met (Art. 20 GDPR).

• For reasons arising from your particular situation, you have the right to object to the processing of personal data relating to you at any time, if this processing occurs under Article 6, Para. 1 (e) or (f) GDPR. Insofar as the statutory requirements are met, the university will not process your personal data subsequent to this.

• According to data protection law, you have the right to revoke your declaration of consent at any time. Revoking this consent does not affect the legality of the processing that has already occurred on the basis of this consent, up to the point in time at which it was revoked.

Irrespective of any other legal remedy under administrative law, or judicially, you have the right to file a complaint with a supervisory authority if you believe that the processing of the personal data relating to you is in breach of the GDPR. The competent supervisory authority is the:

Thuringian State Officer for Data Protection and the Freedom of Information
Visitor address: Häßlerstraße 8 (4th Floor), 99096 Erfurt
Postal Address: PO Box 90 04 55, 99107 Erfurt
Telephone: +49 361 | 57 311 29 00
Fax: +49 361 | 57 311 29 04
Email: poststelle(at)datenschutz.thueringen.de

1. Scope of data processing

Every time the university’s online presence is accessed, the following data and information is automatically recorded by the computer system of the accessing computer and stored in log files:

1. Information about the browser type and version used
2. The user’s operating system
3. The user’s IP address
4. The date and time of access
5. The website from which the user’s system accessed the university’s website
6. Websites that the user’s system accessed via the university’s website.

 
This data is not stored in conjunction with the user’s data or any other personal data.

The following external service provider assists with the operation of this website:
JUSTORANGE – resch media services, Jena (consulting, design development, technical execution of the TYPO3 template, maintenance and updating).

2. Purpose and legal basis of data processing

It is necessary for the IP address to be temporarily stored by the system in order to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must remain stored for the duration of the session.

Storage in log files serves to ensure the functioning of the website. In addition, the data helps to ensure the security of the university’s IT systems. In this context, the data is not evaluated for marketing purposes.

Due to the above legitimate interest in processing the above-mentioned data, the legal basis for the temporary storage of data and the creation of log files is Art. 6 Para. 1 (f) of the GDPR.

3. Duration of storage and data erasure | Right to object

The data processed for the provision of the online presence is deleted when the session in question has ended. The data stored in log files is erased after seven days, at the most.

Given that the recording of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website, it is not possible to object to this.

1. Scope of data processing

The internet presence of the university uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on your terminal device, for example, when you call up an Internet page. This cookie contains a characteristic string of characters that makes it possible to uniquely identify the browser when the website is called up again.

Cookies are used to make the Internet presence more user-friendly and to ensure that the Internet pages function as expected. Some elements of the Internet presence require that the calling browser can be identified even after a page change.

So-called session cookies (temporary cookies) are used on the university's Internet pages. This type of cookie is stored exclusively for the duration of the use of the Internet pages. Session cookies are used exclusively to identify you as long as you are logged in to the Internet pages. After the end of each session, the session cookies are deleted. Any use beyond this does not take place.

The following data is stored and transmitted in the cookies:

1. Log-in information
2. User setting to opt out of web analytics by Matomo
3. MoodleSession identifies you by an anonymous ID and stores your login for the current session in Moodle. This is necessary to maintain login and access permissions during the session. The cookie is automatically deleted when you log out of the system or close the web browser
4. MoodleID stores the username in the web browser when you use the Moodle platform. The next time you log in to the system, it will automatically be entered into the login screen to speed up your login process. You can optionally activate the cookie when logging in.

 
2. Purpose and legal basis of data processing

The purpose of using technically necessary cookies is to simplify the use of Internet pages. As a rule, cookies are only set in response to actions you take, such as setting privacy preferences, logging in or filling out forms. In principle, the university's Internet pages can be used without the use of cookies. However, some functions cannot be offered without the use of cookies. For these applications mentioned under No. 1, it is necessary that the browser is recognized even after a page change. The data collected through technically necessary cookies are not used to create usage profiles.

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f DSGVO.
 

3. Storage period and data deletion | Possibility of objection

Cookies are stored on your computer and transmitted from it to the university's website. Therefore, you also have full control over the use of cookies. By changing the settings in your internet browser, you can deactivate or restrict the transmission of cookies. Cookies that have already been stored can be deleted at any time. This can also be done automatically. If cookies are deactivated for the university's Internet presence, it may no longer be possible to use all functions of the Internet pages to their full extent.

1. Scope of data processing 

The university uses the open source software tool Matomo on its website to analyze page views and the surfing behavior of the persons using the website. The software runs exclusively on the university's own servers, without the use of cookies. The data is not passed on to third parties.

Matomo accesses various information from the browsers of the users in order to generate a randomly set, short-lived identifier for each visitor ("configuration ID"). The ID is used by Matomo to roughly and anonymously assign various actions to an end device in a short time window of a defined 30 minutes and to group them into "visits". After the 30 minutes have elapsed, a new ID is assigned when the website is called up again and it is counted as a new visit.

The following data is processed when individual pages of the website are called up:

1. two bytes of the IP address of the calling system,
2. the time at which the website was called up
3. the page called up (page title and URL),
4. the Internet page from which you accessed the accessed page (referrer),
5. the subpages that are called up from the called-up Internet page,
6. the time spent on the Internet page
7. the frequency with which the Internet page is accessed
8. the screen resolution used,
9. the time in your local time zone,
10. files clicked to download,
11. the page generation time,
12. the location of your computer (country, region, city, approximate longitude and latitude),
13. language settings of the browser used,
14. Operating system, browser version, end device (such as desktop, tablet, smartphone, TV, vehicle, console, etc.).

Source: https://matomo.org/faq/general/faq_18254/  

The software is set in such a way that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (Ex: 192.168.xxx.xxx). In this way, an assignment of the shortened IP address to the calling end device is no longer possible.

2. Purpose and legal basis of data processing 

The processing of your personal data enables an analysis of your surfing behavior. By evaluating the data obtained, the university is able to compile information on the use of the individual components of the Internet pages. This helps to continuously improve the Internet presence and its user-friendliness.

In these purposes lies the legitimate interest in the processing of the data, so that the legal basis for the data processing is Art. 6 para. 1 p. 1 lit. f) DSGVO. By anonymizing the IP address, processing the data without cookies and the only short time of recording a visit to the website, your interest in protecting your personal data is sufficiently taken into account.

3. Storage period and data deletion | Possibility of objection

The generation of the "configuration ID" from the information of your browser is set in such a way that the data is anonymized and additionally randomly changed every 30 minutes.

The possibility of opting out of the analysis procedure is offered on the Internet pages. In this way, a cookie is set on your computer system, which signals to the university's system not to store your data. If you delete the corresponding cookie from your computer system in the meantime or if you use a different terminal device or a different Internet browser, you must set the opt-out cookie again.

You can find more information about the privacy settings of the Matomo software at the following link: https://matomo.org/docs/privacy/  

Possibility to OPT-OUT

Will be added here shortly ...

1. Scope of data processing

The website of a university project (https://jazzomat.hfm-weimar.de) includes the option of subscribing to a free newsletter. When you register for the newsletter, the email address entered into the input mask is transmitted to the university.

In addition, the following data (log data) is recorded and stored upon registration:

1. IP address of the accessing computer
2. Date and time of registration

In conjunction with the processing of data for sending the newsletter, data is disclosed to the external service provider commissioned to perform this task:

MailChimp (The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA)

Mailchimp has undertaken to transfer and process all data from other EU countries in accordance with the so-called EU standard contractual clauses. This valid data export mechanism automatically applies as part of the terms of use in accordance with Mailchimp's data processing addendum.

Data protection information from the service provider used:
https://mailchimp.com/legal/privacy/

 

2. Purpose and legal basis of data processing

The user’s email address is collected for the purpose of sending the newsletter.

The legal basis for the processing of data after the user’s registration for the newsletter is Article 6 Para. 1 (a) of the GDPR, if consent has been granted.

The log files processed during the registration serve to prevent the abuse of the data or the email address provided.

The legal basis for the processing of personal data is Art. 6 Para. 1(f) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

The user’s email address is stored for as long as the newsletter subscription is active.

The log data is erased when the session in question has ended. In the event that data is stored in log files, this data is generally erased after seven days, at the most.

The subscription to the newsletter can be cancelled by the user at any time. Every newsletter contains a corresponding link for this purpose. This also makes it possible to revoke the consent to the storage of the personal data collected during the registration process.

1. Scope of data processing

Via its website, the university offers its members and affiliates the option of accessing online conferencing services from external providers, and thereby carrying out video and teleconferences, online meetings and/or webinars.

Currently the online conference services of the following external service providers can be used via the corresponding links, in conjunction with the access details for the university services:

Cisco WebEx:
T-Systems International GmbH
Hahnstraße 43d, 60528 Frankfurt am Main
Cisco's online privacy policy
Privacy notices for the individual services

DFNconf:
Verein zur Förderung eines Deutschen Forschungsnetzes e.V. (DFN)
Alexanderplatz 1, 10178 Berlin
https://www.conf.dfn.de/datenschutz/

The following data is collected and stored when online conferencing services are used:

• First name and Surname
• Username/password or telephone number
• Meeting metadata

User information is only used to provide the service and the actual functionality of the meeting.

The person who initiated the event or sent the invitation to a meeting has the option of recording the meeting (video recordings, chats and other content), with the consent of the participants involved).

All the users have the option of uploading text, audio and video files during the conference and sharing them with the other participants in the meeting.

The university has set the default settings of the online conferencing service in question to be as friendly towards data protection as possible.

In principle, no text, audio or video files are processed without the users triggering the processing themselves, via the corresponding function, and thereby consenting to processing.

Personal data that is processed in conjunction with participation in online conferences is, in principle, not disclosed to third parties, provided it is not specifically destined for disclosure.

If necessary, the providers of the services will become aware of the above-mentioned mandatory data, and the optional self-recorded data, to the extent that this is stipulated in the processing contract in question. In addition, they reserve the right to disclose registration information, host information and/or usage information to the provider of the service, contractors or other third parties, if this is necessary for the provision and improvement of the service.

When the ‘WebEx’ service is used, it cannot be ruled out that data will be transmitted to the USA, as this is an American provider. Data is processed via servers in Germany or the European Union.

 

2. Purpose and legal basis of data processing

In particular, online conferencing services serve to establish and use digital learning formats, in order to supplement in-person events. Alongside this, assistance can be given with personal administrative tasks via meetings and committee meetings held in the form of telephone and/or video conferences. 

The legal basis for the processing of the users’ personal data is Art. 6 Para. 1 (e) of the GDPR.

If the functions of the online conferencing service (uploads, chat) and a recording of the conferences are actively used, the legal basis for the data collected and stored, to the extent that the user consents to this, is Article 6 Para. 1 (a) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

When the DFNconf service is used, the leader or the user needs to undertake manual erasure, as the data and recordings are not erased automatically.

Subject to other internal guidelines, active users have complete control over how long their user-generated information (e.g. recordings and files that they initiate or upload) is stored on the Webex meetings platform and can view and erase this user-generated information at any time.

After the end or expiry of the service, user-generated information will be deleted from the Webex meetings platform within 60 days, at the most.

The user has the option of deregistering from the service in question at any time and erasing their personal data or their entire profile. If the processing of personal data within the scope of the use of an online conferencing service is based on the user’s consent, the user has the option of revoking this consent at any time. Revoking this consent does not affect the legality of the processing that has already occurred on the basis of this consent, up to the point in time at which it was revoked. The leader of the online conference is to be informed of the revocation of consent directly, and will either erase the data from the system him/herself or arrange for it to be done.