Privacy Policy

This Privacy Policy applies to the university’s online presence and the websites, services and offers made available there, provided that they link to this Policy or refer to it and explain how the university handles personal data.

It also describes the options you have regarding the recording and usage of your personal data and the access to this data, and how you can update and correct this information.
 

I. Person in charge

II. Data protection officer

III. General information on data processing

IV. Provision of the online presence | Creation of log files

V. Usage of Cookies

VI. Registration -- International competitions, Weimar Master Classes, pinboard, alumni database

VII. Newsletter

VIII. Web analysis by Matomo

IX. Online conferences

X. Social Media

XI. Rights of the data subject

 

I. Person in charge

In the sense of the EU General Data Protection Regulation (GDPR), other national data protection acts (particularly the Thuringian Data Protection Act) and other provisions under data protection legislation the person in charge is the:

University of Music FRANZ LISZT Weimar
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 0
Email: president(at)hfm-weimar.de
Website: www.hfm-weimar.de

The University of Music FRANZ LISZT Weimar is a body under public law and is legally represented by its president.

II. Data Protection Officer

University of Music FRANZ LISZT Weimar
Legal Office | Data Protection
Platz der Demokratie 2/3
99423 Weimar
Telephone: +49 3643 | 555 191
Email: datenschutz(at)hfm-weimar.de

III. General information about data processing

1. Scope of data processing

In principle, the personal data of users is only processed to the extent that this is required for the provision of a functioning online presence and for the use of the content and services made available there, or to the extent that the user has consented to the processing of their personal data.

There is an exception in those cases where it was not previously possible to seek consent due to concrete reasons and the processing of data is permitted by statutory regulations.

Personal data is only disclosed to third parties or otherwise transmitted if this is necessary for the purposes of contract processing or for billing purposes, or the contractual partner has consented to this previously.

The use of the IT infrastructure and systems of other universities within Thuringia, within the framework of the cooperation agreement between Thuringian universities for IT services, supplemented by a corresponding framework agreement on contract data processing, remains unaffected by this.

 

2. Purpose and legal basis of data processing

The legal basis of the processing of the personal data in question is determined by its purpose.

In principle, every instance of processing of personal data by the university serves to fulfil the tasks assigned to it by law, particularly under Section 5 of the Thuringian Universities Act. Provided the data processing in question is covered by Section 11 of the Thuringian Universities Act and the Thuringian University Data Processing Ordinance, Art. 6 Para. 1 (e) of the GDPR serves as the legal basis.

If the personal data of university employees is being processed, Section 27 of the Thuringian Data Protection Act, in conjunction with the Thuringian Government Employees Act, is the legal basis for data processing.

If consent is sought from the data subject for the processing of personal data, Art. 6 Para. 1 (a) of the GDPR is the legal basis.

 

3. Duration of storage and data erasure

The data subject’s personal data is erased as soon as the purpose of storage lapses.

If it is not possible to erase it due to technical circumstances or other requirements, or if this would only be possible with disproportionate outlay, the personal data will be made unavailable or otherwise restricted in terms of processing.

In addition, it may be stored if this is provided for by European or national legislators in ordinances, acts or other regulations under Union law, to which the controller is subject.

The erasure, making unavailable or restriction of processing of the data also occurs if one of the storage periods stipulated by the above norms comes to an end, unless it is necessary to continue storing the data in order to conclude a contract or fulfil it.

IV. Provision of the online presence | Creation of log files

1. Scope of data processing

Every time the university’s online presence is accessed, the following data and information is automatically recorded by the computer system of the accessing computer and stored in log files:

  1. Information about the browser type and version used
  2. The user’s operating system
  3. The user’s IP address
  4. The date and time of access
  5. The website from which the user’s system accessed the university’s website
  6. Websites that the user’s system accessed via the university’s website.

 
This data is not stored in conjunction with the user’s data or any other personal data.

The following external service provider assists with the operation of this website:
JUSTORANGE – resch media services, Jena (consulting, design development, technical execution of the TYPO3 template, maintenance and updating).

 

2. Purpose and legal basis of data processing

It is necessary for the IP address to be temporarily stored by the system in order to enable the website to be delivered to the user’s computer. To this end, the user’s IP address must remain stored for the duration of the session.

Storage in log files serves to ensure the functioning of the website. In addition, the data helps to ensure the security of the university’s IT systems. In this context, the data is not evaluated for marketing purposes.

Due to the above legitimate interest in processing the above-mentioned data, the legal basis for the temporary storage of data and the creation of log files is Art. 6 Para. 1 (f) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

The data processed for the provision of the online presence is deleted when the session in question has ended. The data stored in log files is erased after seven days, at the most.

Given that the recording of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website, it is not possible to object to this.

V. Usage of Cookies

1. Scope of data processing

The university’s online presence uses cookies. Cookies are text files that are stored in the user’s web browser, or on the user’s computer system by the web browser. When a website is accessed, a cookie can be stored on the operating system of the computer system used. This cookie contains a characteristic string of characters that enables the browser to be clearly identified when the website is re-accessed.

Cookies are used to design the online presence in a more user-friendly way and to guarantee that the website functions as expected. Some elements of the website make it necessary for the accessing browser to be identifiable, even after the page has been changed.

The university’s website uses ‘session cookies’ (temporary cookies). This type of cookie is only stored for the period that the website is being used. Session cookies serve only to identify you, provided that you are logged into the website. The session cookies are deleted once each session has ended. They are not used beyond this point.

The cookies store and transmit the following information:

  1. Log-in information
  2. User settings regarding opt-out from web analysis by Matomo.



2. Purpose and legal basis of data processing

The purpose of the use of technically necessary cookies is to make it easier for users to use websites. Generally, cookies are only stored as a response to actions undertaken by you, such as determining privacy settings, registering or completing a form. In principle, the university’s website can be used without cookies being utilised. However, some functions cannot be offered without the use of cookies. For these applications, listed under No. 1, it is necessary for the browser to be recognised even after the page has been changed. The data collected by technically necessary cookies is not used to create use profiles.

The legal basis of the processing of personal data with the use of cookies is Art. 6 Para. 1 (f) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

Cookies are stored on the user’s computer and transmitted from it to the university’s website. As a result, you, as the user, have full control over the use of cookies. By changing the settings of your web browser, you can deactivate or limit the transmission of cookies. Cookies that have been saved previously can be erased at any time, and this can also occur automatically. If cookies are deactivated for the university’s website, it is possible that you might no longer be able to use all the functions of the website in full.

VI. Registration -- international competitions, Weimar masterclasses, pinboard, alumni database

1. Scope of data processing

On some webpages, the university offers the option of registering by providing personal data. The nature and scope of the data collected depend on the purpose of the data collection, as determined by the corresponding tender, participation or usage conditions. The individual conditions can be accessed upon undertaking the registration in question, or they will be provided to the user in another way.

The data is provided via an input mask, then transmitted to the university and stored.

At the point of registration, the following data (log data) is also stored:

  1. The user’s IP address
  2. Date and time of registration

 
Alternatively, it is possible to make contact via the email address provided for the registration in question. In this case, the user’s personal data that is transmitted with the email is stored.

Personal data is only disclosed to third parties or otherwise transmitted by the university if this is necessary for purposes of contract processing, or for billing purposes, or if the contractual partner has consented to this previously.

Alongside the videos, the visiting professors for the Weimar masterclasses receive the surname, first name and date of birth of registered participants, so that they can undertake the pre-selection provided for in the participation conditions.

The following external service providers assist with executing the above services:

  • JUSTORANGE – resch media services (consulting, design development, technical execution of the TYPO3 template, maintenance and updating).
  • Friedrich Schiller University Jena (maintenance of the alumni database)
  • Bauhaus Weiterbildungsakademie Weimar e.V., Weimar (contract drafting, finances, participant support for competitions)
  • Novalnet AG, Ismaning (payment processing/e-payment)

 
 
2. Purpose and legal basis of data processing

Registration is necessary for the provision of certain content and services, in order to fulfil a contract with the user or to execute pre-contractual services.

The personal data collected during registration for the service or product in question is used to design and execute the service or product, to establish, and, if necessary, invoice a participation account and to reply to enquiries.

The legal basis of the processing of the data is Art. 6 Para. 1 (e) of the GDPR for competitions, masterclasses and the alumni database, and Art. 6 Para. 1 (a) of the GDPR, too, if the user has given their consent.

If the registration (also) serves to fulfil a contract to which the user is a party, or to execute pre-contractual measures, an additional legal basis for the processing of the data is Article 6 Para. 1 (b) of the GDPR (competitions, Weimar masterclasses, pinboard).

The log data processed during registration serves to prevent the contact form from being abused and ensure that the IT systems are secure. The legal basis for the processing of personal data is Art. 6 Para. 1 (f) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

The data is erased if it is no longer required to execute the contract or for pre-contractual measures. Even once the contract has been concluded, it may be necessary to continue storing the contractual partner’s personal data, in order to meet contractual or statutory requirements.

The log data is erased when the session in question has ended. In the event that data is stored in log files, this data is generally erased after seven days, at the most.

As a user, you always have the option of terminating your registration or arranging for your stored personal data to be changed. Depending on the service used, the corresponding written enquiry is to be sent to the appropriate email address given in the tender, participation or usage conditions.

If the data is required to fulfil a contract or execute pre-contractual measures, the premature erasure of the data is only possible if there are no contractual or statutory obligations that oppose erasure.

VII. Newsletter

1. Scope of data processing

The website of a university project (https://jazzomat.hfm-weimar.de) includes the option of subscribing to a free newsletter. When you register for the newsletter, the email address entered into the input mask is transmitted to the university.

In addition, the following data (log data) is recorded and stored upon registration:

  1. IP address of the accessing computer
  2. Date and time of registration

In conjunction with the processing of data for sending the newsletter, data is disclosed to the external service provider commissioned to perform this task:

MailChimp (The Rocket Science Group, LLC, 675 Ponce de Leon Ave NE, Suite 5000 Atlanta, GA 30308 USA)

Mailchimp has undertaken to transfer and process all data from other EU countries in accordance with the so-called EU standard contractual clauses. This valid data export mechanism automatically applies as part of the terms of use in accordance with Mailchimp's data processing addendum.

Data protection information from the service provider used:
https://mailchimp.com/legal/privacy/

 

2. Purpose and legal basis of data processing

The user’s email address is collected for the purpose of sending the newsletter.

The legal basis for the processing of data after the user’s registration for the newsletter is Article 6 Para. 1 (a) of the GDPR, if consent has been granted.

The log files processed during the registration serve to prevent the abuse of the data or the email address provided.

The legal basis for the processing of personal data is Art. 6 Para. 1 (f) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

The user’s email address is stored for as long as the newsletter subscription is active.

The log data is erased when the session in question has ended. In the event that data is stored in log files, this data is generally erased after seven days, at the most.

The subscription to the newsletter can be cancelled by the user at any time. Every newsletter contains a corresponding link for this purpose. This also makes it possible to revoke the consent to the storage of the personal data collected during the registration process.

VIII. Web analysis by Matomo

1. Scope of data processing

The university uses the open-source software tool Matomo (formerly PIWIK) on its online presence, in order to analyse the users’ browsing behaviour. The software stores a cookie on a user’s computer. If individual websites within the online presence are accessed, the following data is stored:

  1. two bytes of the IP address of the user’s system accessing the website
  2. the time at which the website was accessed
  3. the site accessed (page title and URL)
  4. the website from which the user reached the accessed site (referrer)
  5. the sub-pages that were accessed via the accessed site
  6. the duration of the user’s visit to the website
  7. the frequency with which the website is accessed
  8. the screen resolution used
  9. the time in the user’s local time zone
  10. files that were clicked on for downloading
  11. the page generation time
  12. the location of the user (country, region, city, approximate longitude and latitude)
  13. language settings of the browser used
  14. operating system, browser version, end device (such as desktop, tablet, smartphone, TV, car, console, etc.).

Source: https://matomo.org/faq/general/faq_18254/

The software is set up in such a way that IP addresses are not stored in full, but rather 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). This means it is no longer possible for the truncated IP address to be allocated to the accessing computer.

 

2. Purpose and legal basis of data processing

The processing of a user’s personal data enables browsing behaviour to be analysed. By analysing the data obtained, the university is able to compile information about the use of the individual components of the website. This helps to continually improve the online presence and its user-friendliness.

The legitimate interest behind the data processing lies in these purposes, meaning that the legal basis for data processing is Article 6 Para. 1 (f) of the GDPR. By anonymising the IP address, the interests of users regarding the protection of their personal data are sufficiently taken into account.

 

3. Duration of storage and data erasure | Right to object

The data is erased as soon as it is no longer needed for record-keeping purposes. In general, this is the case after seven days.

General information regarding the usage, storage and erasure of cookies can be found under point V. Usage of cookies.

The websites offer the option of opting out of the analysis. When you do so, a cookie is stored on your system that tells the university’s system not to store your data. If you delete the cookie in question from your system in the interim, or if you use a different computer or web browser, you need to store the opt-out cookie again.

Further information about the privacy settings of Matomo software can be found via the following link: https://matomo.org/docs/privacy.

IX. Online conferences

1. Scope of data processing

Via its website, the university offers its members and affiliates the option of accessing online conferencing services from external providers, and thereby carrying out video and teleconferences, online meetings and/or webinars.

Currently the online conference services of the following external service providers can be used via the corresponding links, in conjunction with the access details for the university services:

Cisco WebEx:
T-Systems International GmbH
Hahnstraße 43d, 60528 Frankfurt am Main
Cisco's online privacy policy
Privacy notices for the individual services

DFNconf:
Verein zur Förderung eines Deutschen Forschungsnetzes e.V. (DFN)
Alexanderplatz 1, 10178 Berlin
https://www.conf.dfn.de/datenschutz/

The following data is collected and stored when online conferencing services are used:

  • First name and Surname
  • Username/password or telephone number
  • Meeting metadata

User information is only used to provide the service and the actual functionality of the meeting.

The person who initiated the event or sent the invitation to a meeting has the option of recording the meeting (video recordings, chats and other content), with the consent of the participants involved.

All the users have the option of uploading text, audio and video files during the conference and sharing them with the other participants in the meeting.

The university has set the default settings of the online conferencing service in question to be as friendly towards data protection as possible.

In principle, no text, audio or video files are processed without the users triggering the processing themselves, via the corresponding function, and thereby consenting to processing.

Personal data that is processed in conjunction with participation in online conferences is, in principle, not disclosed to third parties, provided it is not specifically destined for disclosure.

If necessary, the providers of the services will become aware of the above-mentioned mandatory data, and the optional self-recorded data, to the extent that this is stipulated in the processing contract in question. In addition, they reserve the right to disclose registration information, host information and/or usage information to the provider of the service, contractors or other third parties, if this is necessary for the provision and improvement of the service.

When the ‘WebEx’ service is used, it cannot be ruled out that data will be transmitted to the USA, as this is an American provider. Data is processed via servers in Germany or the European Union.

 

2. Purpose and legal basis of data processing

In particular, online conferencing services serve to establish and use digital learning formats, in order to supplement in-person events. Alongside this, assistance can be given with personal administrative tasks via meetings and committee meetings held in the form of telephone and/or video conferences. 

The legal basis for the processing of the users’ personal data is Art. 6 Para. 1 (e) of the GDPR.

If the functions of the online conferencing service (uploads, chat) and a recording of the conferences are actively used, the legal basis for the data collected and stored, to the extent that the user consents to this, is Article 6 Para. 1 (a) of the GDPR.

 

3. Duration of storage and data erasure | Right to object

When the DFNconf service is used, the leader or the user needs to undertake manual erasure, as the data and recordings are not erased automatically.

Subject to other internal guidelines, active users have complete control over how long their user-generated information (e.g. recordings and files that they initiate or upload) is stored on the Webex meetings platform and can view and erase this user-generated information at any time.

After the end or expiry of the service, user-generated information will be deleted from the Webex meetings platform within 60 days, at the most.

The user has the option of deregistering from the service in question at any time and erasing their personal data or their entire profile. If the processing of personal data within the scope of the use of an online conferencing service is based on the user’s consent, the user has the option of revoking this consent at any time. Revoking this consent does not affect the legality of the processing that has already occurred on the basis of this consent, up to the point in time at which it was revoked. The leader of the online conference is to be informed of the revocation of consent directly, and will either erase the data from the system him/herself or arrange for it to be done.

X. Social Media

The university does not use any social media plug-ins on its websites. You only have the option of accessing the university’s social media channels via external links. To prevent your usage data from being transmitted to these services against your wishes, you can only access the services in question after you have clicked on a link. At present, there are links to the following social media providers: YouTube, Facebook and Instagram.

The university has no influence over whether, and to what extent, for what duration and for what purpose the external providers collect personal data when you visit their websites. However, it can be assumed that the IP address and device-related information, at least, is collected and used.

YouTube

The university integrates videos from its own YouTube channel into its website for informational and advertising purposes. These videos are stored on YouTube’s servers and played by the website in question via embedding. The embedding is carried out with expanded privacy settings and requires additional activation. When a page featuring an embedded YouTube video is accessed, data is not disclosed, because the video is still deactivated at this point in time. It is only once the video is played, by separately activating the link provided, that user-specific data is stored, in the form of YouTube cookies and DoubleClick cookies, and potentially transmitted to YouTube or Google Inc., Amphitheater Parkway, Mountain View, CA 94043, USA automatically. The university has no influence over this transmission of data, nor over the nature, scope and purpose for which the transmitted data is used. It is impossible to rule out that it will be used for marketing and market research purposes.

The YouTube cookies stored via activation of the videos can be erased, deactivated and limited via your web browser settings. However, it is possible that this could mean you are no longer able to use all the functions of the website in full.

Given that YouTube is a service provided by Google Inc., the user-specific data is transmitted, regardless of whether the user is logged in via their Google account, or whether they do not have an account. If the user is logged in via their own Google account, this data might potentially be allocated to them directly by Google. If this allocation to a personal profile is not desired, the user can log out before playing the video.

By agreeing to Google's general terms of use, the EU standard contractual clauses between the university and the provider were concluded at the same time. This ensures protective measures comparable to EU law in the event of the possible transfer of data to third countries.

Vimeo

In addition, videos are integrated into the university's website which are provided by the external service provider Vimeo. Here, too, no data is transferred when the respective website is called up, and the videos must be started separately. In addition, the videos are always integrated in the "Do Not Track" variant, so that personal data are only transmitted to Vimeo in a minimal way when they are played.

In order to ensure an adequate level of data protection when transferring data to the USA, the university has concluded the EU standard contractual clauses with Vimeo in the so-called "controller to controller" variant. In addition, the provider of Vimeo has committed to the university to continue to comply with the self-imposed obligations from the former Privacy Shield agreement.

Despite the measures taken, data such as the IP address and information on the operating system and browser type may be transmitted to Vimeo when videos are viewed and subsequently processed and stored. If the user is logged in as a member of Vimeo, further data transfers may occur through stored (third-party) cookies and an assignment to the personal user account. The assignment can be prevented by the user logging out of their Vimeo user account before using the website and deleting the corresponding cookies from Vimeo.

Issuu

Some of the university’s webpages include a Flash application by Issuu, which enables the user to read the university’s magazine and additional publications as an e-paper that they can flick through. As part of this, Issuu uses cookies and also stores personal data such as the IP address and information about the time and duration of use. The transmission takes place when JavaScript is activated in the browser. You can prevent the cookies from being used by setting your browser accordingly, or by using a JavaScript blocker.

If you have registered for a user account, Issuu is able to allocate your browsing behaviour to your personal profile directly. You can prevent this by logging out of your Issuu account prior to use. The university does not have any influence over this data transfer.

Issuu is used to depict e-papers that can be flicked through, and is therefore in the interests of presenting the content appropriately. This represents a legitimate interest, in the sense of Article 6 Para. 1 (f) of the GDPR.


Privacy information of the providers

Further information about the handling of data protection by the external online platforms and social media platforms can be found on the websites in question:

XI. Rights of the data subject

If your personal data is processed, you are a data subject within the sense of the GDPR, and you have rights vis-à-vis the controller, pursuant to Article 15 ff. GDPR. As part of this, limitations, changes and, potentially, the exclusion of these rights can arise from the General Data Protection Regulation itself, in particular, and from Sections 21 – 23 of the Thuringian Data Protection Act.

  • In principle, you can request access to information regarding whether any of your personal data is being processed. If this is the case, you have a right to access information regarding this personal data and to any other information relating to the processing (Art. 15 GDPR).
  • In the event that personal data relating to you is not (or is no longer) relevant or comprehensive, you can request the rectification, and if necessary, the supplementation, of this data (Art. 16 GDPR).
  • Insofar as the statutory requirements are met, you can request the erasure of your personal data (Art. 17 GDPR) or the restriction of the processing of this data (Art. 18 GDPR).
  • You have the right to receive the personal data relating to you, which you have provided to the controller, in a standard, structured and machine-readable format, and to transmit this data to another controller, provided that certain conditions are met (Art. 20 GDPR).
  • For reasons arising from your particular situation, you have the right to object to the processing of personal data relating to you at any time, if this processing occurs under Article 6, Para. 1 (e) or (f) GDPR. Insofar as the statutory requirements are met, the university will not process your personal data subsequent to this.
  • According to data protection law, you have the right to revoke your declaration of consent at any time. Revoking this consent does not affect the legality of the processing that has already occurred on the basis of this consent, up to the point in time at which it was revoked.


Irrespective of any other legal remedy under administrative law, or judicially, you have the right to file a complaint with a supervisory authority if you believe that the processing of the personal data relating to you is in breach of the GDPR. The competent supervisory authority is the:

Thuringian State Officer for Data Protection and the Freedom of Information
Visitor address: Häßlerstraße 8 (4th Floor), 99096 Erfurt
Postal Address: PO Box 90 04 55, 99107 Erfurt
Telephone: +49 361 | 57 311 29 00
Fax: +49 361 | 57 311 29 04
Email: poststelle(at)datenschutz.thueringen.de