You are here:
A. General provisions on data processing
We, the Private Universität Witten/ Herdecke gGmbH (hereinafter referred to only as "Witten/ Herdecke University"), appreciate your interest in our Internet presence and our offers on our website.
The protection of your personal data is a great and very important concern to us. In the following, we would therefore like to inform you in detail about which data is collected when you visit our website, use our offers there and how it is processed or used by us in the following. Furthermore, we will also inform you about the accompanying protective measures we have taken in technical and organizational terms.
The processing of personal data, such as the name, address, e-mail address or telephone number of a data subject, is always in accordance with the applicable data protection regulations. By means of this data protection declaration, we would like to inform you about the type, scope and purpose of the personal data collected, used and processed by us and, insofar as you are affected by the data processing, to clarify this.
Although we, as the party responsible for processing personal data, have implemented numerous technical and organizational measures, Internet-based data transmission may in principle have security vulnerabilities, so that absolute protection cannot be guaranteed. We ask you to take this into account when using our website.
In this data protection declaration, terms are used that were specified by the legislator in the Basic Data Protection Regulation (hereinafter also referred to as DSGVO). You could access the DSGVO at the following link:
3. name and address of the controller
The responsible party in terms of data protection law is:
Private Universität Witten/Herdecke gGmbH Alfred-Herrhausen-Straße 50 D-58448 Witten, Germany
Phone: +49 (0)2302 / 926-0 E-mail: firstname.lastname@example.org Website: www.uni-wh.de
4. Contact details of the data protection officer
Dipl.-Stat. Martin Rützler Alfred-Herrhausen-Straße 50 D-58448 Witten
E-mail: email@example.com Website: www.uni-wh.de
5. Deletion and blocking of personal data/ storage period
Unless otherwise stipulated for the respective processing of personal data in Chapter B. of this data protection declaration, the data stored by us will be deleted as soon as they are no longer required for their intended purpose and the deletion does not conflict with any statutory retention obligations. If the data of the data subject is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data is blocked and not processed for other purposes. This applies, for example, to data of the data subject that must be retained for reasons of commercial or tax law.
According to legal requirements, data is retained for six years in accordance with Section 257 (1) HGB (commercial books, inventories, opening balances, annual financial statements, commercial letters, accounting vouchers, etc.) and for ten years in accordance with Section 147 (1) AO (books, records, management reports, accounting vouchers, commercial and business letters, etc.).
6. Rights of the data subject
6.1 Right to confirmation
Every data subject has the right granted by the European Directive and Regulation to obtain confirmation from the controller as to whether personal data concerning him or her are being processed. If a data subject wishes to exercise this right of confirmation, he or she may contact us at any time.
6.2 Right of access
Any person affected by the processing of personal data has the right to obtain from the controller, at any time and free of charge, information about the personal data stored about him or her and a copy of this information. Furthermore, the data subject shall be entitled to information on the following:
- the purposes of processing
- the categories of personal data processed
- the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular in the case of recipients in third countries or international organizations
- if possible, the planned duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right to obtain the rectification or erasure of personal data concerning him or her, or to obtain the restriction of processing by the controller, or a right to object to such processing
- the existence of a right of appeal to a supervisory authority
- if the personal data are not collected from the data subject: Any available information about the origin of the data
- The existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.
Furthermore, the data subject shall have the right to obtain information as to whether personal data have been transferred to a third country or to an international organization. If this is the case, the data subject also has the right to obtain information about the appropriate safeguards in connection with the transfer.
If a data subject wishes to exercise this right to information, he or she may contact us at any time.
6.3 Right to rectification
Every person affected by the processing of personal data has the right to demand the immediate rectification of incorrect personal data concerning him or her. Furthermore, the data subject has the right, taking into account the purposes of the processing, to request the completion of incomplete personal data by means of a supplementary declaration.
If a data subject wishes to exercise this right of rectification, he or she may contact us at any time.
6.4 Right to erasure
Any person affected by the processing of personal data has the right to obtain from the controller the erasure without delay of personal data concerning him or her, where one of the following grounds applies and insofar as the processing is not necessary:
- The personal data were collected or otherwise processed for such purposes for which they are no longer necessary.
- The data subject revokes his or her consent on which the processing was based pursuant to Art. 6(1)(a) DSGVO or Art. 9(2)(a) DSGVO and there is no other legal basis for the processing.
- The data subject objects to the processing pursuant to Article 21(1) DSGVO and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) DSGVO.
- The personal data have been processed unlawfully.
- The erasure of the personal data is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
- The personal data has been collected in relation to information society services offered pursuant to Article 8(1) DSGVO.
If one of the aforementioned reasons applies, and a data subject wishes to arrange for the erasure of personal data stored by the University of Witten/ Herdecke University, he or she may, at any time, contact us. We will arrange for the deletion request to be complied with immediately.
If the personal data has been made public by the University of Witten/ Herdecke and our company as the responsible party pursuant to Art. 17 Para. 1 DSGVO, Witten/ Herdecke University shall implement reasonable measures, including technical measures, to compensate other data controllers for processing the published personal data, taking into account the available technology and the cost of implementation, in order to inform the data subject that he or she has requested from those other data controllers the erasure of all links to the personal data or to copies or replications of the personal data, unless the processing is necessary. We will arrange the necessary in individual cases.
6.5 Right to restriction of processing
Any person affected by the processing of personal data has the right to request the controller to restrict processing if one of the following conditions is met:
- The accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data.
- The processing is unlawful, the data subject objects to the erasure of the personal data and requests instead the restriction of the use of the personal data.
- The controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the assertion, exercise or defense of legal claims.
- The data subject has objected to the processing pursuant to Article 21 (1) of the GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject.
If one of the aforementioned cases applies, and a data subject wishes to request the restriction of personal data stored by the Witten/ Herdecke University, he or she may, at any time, contact us. We will then arrange for the restriction of the processing.
6.6 Right to data portability
Any person affected by the processing of personal data has the right to receive the personal data concerning him or her, which has been provided by the data subject to a controller, in a structured, commonly used and machine-readable format. The data subject also has the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, provided that the processing is based on consent pursuant to Article 6(1)(a) of the GDPR or Article 9(2)(a) of the GDPR or on a contract pursuant to Article 6(1)(b) of the GDPR and the processing is carried out by automated means, unless the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Furthermore, when exercising the right to data portability pursuant to Article 20(1) of the GDPR, the data subject shall have the right to obtain that the personal data be transferred directly from one controller to another controller where technically feasible and provided that this does not adversely affect the rights and freedoms of other individuals.
To assert the right to data portability, the data subject may contact us at any time.
6.7 Right to object
Any person affected by the processing of personal data has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her which is carried out on the basis of Article 6(1)(e) or (f) of the DSGVO. This also applies to profiling based on these provisions.
The University of Witten/ Herdecke shall no longer process the personal data in the event of the objection, unless we can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the assertion, exercise or defense of legal claims.
If the Witten/Herdecke University processes personal data for the purposes of direct marketing, the data subject shall have the right to object at any time to processing of personal data processed for such marketing. This also applies to the profiling, insofar as it is related to such direct marketing. If the data subject objects to Witten/Herdecke University to the processing for direct marketing purposes, Witten/Herdecke University will no longer process the personal data for these purposes.
In addition, the data subject has the right, on grounds relating to his or her particular situation, to object to processing of personal data concerning him or her which is carried out by the University of Witten/ Herdecke for scientific or historical research purposes, or for statistical purposes pursuant to Article 89(1) of the Data Protection Regulation, unless such processing is necessary for the performance of a task carried out in the public interest.
In order to exercise the right to object, the data subject may contact us directly. The data subject is also free, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise his or her right to object by means of automated procedures using technical specifications.
6.8 Automated decisions in individual cases, including profiling.
Any person concerned by the processing of personal data shall have the right, granted by the European Directive and Regulation, not to be subject to a decision based solely on automated processing, including possible profiling, which produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision is necessary for the conclusion or performance of a contract concerning him or her.
- is not necessary for the conclusion or performance of a contract between the data subject and the controller, or
- is permitted by Union or Member State legislation to which the controller is subject, and that legislation contains appropriate measures to safeguard the rights and freedoms and legitimate interests of the data subject; or
- is carried out with the express consent of the data subject.
If the decision is
- is necessary for entering into, or the performance of, a contract between the data subject and the data controller, or
- If the decision is made with the explicit consent of the data subject, the Witten/Herdecke University shall take appropriate measures to safeguard the rights and freedoms as well as the legitimate interests of the data subject, which include at least the right to obtain the involvement of the data subject, to express his or her point of view and to contest the decision.
If the data subject wishes to exercise the rights concerning automated decisions, he or she may, at any time, contact us.
6.9 Right to withdraw consent under data protection law.
Any person affected by the processing of personal data has the right to withdraw consent to the processing of personal data at any time.
If the data subject wishes to exercise his or her right to withdraw consent, he or she may contact us at any time.
Any data subject may contact us directly at any time with any questions or suggestions regarding data protection.
6.10 Right of appeal to a data protection supervisory authority
Any person affected by the processing of personal data has the right to lodge a complaint about the processing of your personal data by us with the competent data protection supervisory authority, the State Commissioner for Data Protection and Freedom of Information of the State of North Rhine-Westphalia(www.ldi.nrw.de).
7. Legal basis of the processing
Unless otherwise stated in the description of the respective data processing operation in the following chapter B. of this data protection declaration, the following regulations apply.
Art. 6 I lit. a DSGVO serves Witten/Herdecke University as the legal basis for processing operations for which consent must be obtained for a specific processing purpose. If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I lit. b DSGVO. The same applies to processing operations that are necessary for the performance of pre-contractual measures, for example in cases of inquiries about our services and products. If Witten/Herdecke University is subject to a legal obligation which requires the processing of personal data, the processing is based on Art. 6 I lit. c DSGVO. In rare cases, the processing of personal data might become necessary to protect vital interests of the data subject or another natural person. In this case, the processing is based on Art. 6 I lit. d DSGVO. Finally, processing operations could be based on Art. 6 I lit. f DSGVO. Processing operations which are not covered by any of the aforementioned legal bases are based on this legal basis if the processing is necessary to protect a legitimate interest of Witten/Herdecke University or a third party, provided that the interests, fundamental rights and freedoms of the data subject are not overridden. Such processing operations are permitted to us in particular because they have been specifically mentioned by the European legislator (see recital 47 sentence 2 DSGVO).
8. Consideration of legitimate interests
9. Data protection when using UW/H contact data
If you use the contact data provided on our website (such as our e-mail address or fax number) to contact us, the personal data you provide will only be processed for the purpose of contacting you.
This applies in the same way to personal data that we receive from you in the course of a conversation (in person or by telephone), by post or also by way of a business card.
If the reason for your contacting us is your interest in our services or the fulfillment of an existing contract with us, the legal basis is Art. 6 (1) lit. b DSGVO. In all other cases of contact, we have a legitimate interest pursuant to Art. 6 (1) lit. f DSGVO in the processing of data based on the communication initiated by you.
We store the data required for contract processing until the expiry of the statutory warranty and, if applicable, contractual warranty periods. We retain the data required under commercial and tax law for the periods specified by law, regularly ten years (cf. § 257 HGB, § 147 AO). The data processed to carry out pre-contractual measures are deleted as soon as the measures have been carried out and it is evident that no contract is concluded.
The personal data stored by us on the basis of a legitimate interest will be stored until the purpose pursued by the contact has been achieved. You have the right to object at any time to data processing that is carried out on the basis of Art. 6 (1) f) DSGVO and does not serve direct advertising for reasons arising from your particular situation. In the case of direct marketing, on the other hand, you may object to the processing at any time without giving any reason.
Recipients of the personal data processed in accordance with this provision are IT service providers (esp. hosters, newsletter services), tax consultants and auditors with whom we have concluded a corresponding order processing agreement in accordance with Art. 28 DSGVO.
10. Data protection during applications and the application process
10.1 Application for employment
We collect and process the personal data of applicants for the purpose of carrying out the application procedure and thus on the basis of a pre-contractual measure within the meaning of Art. 6 (1) lit. b DSGVO or our legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO in hiring employees.
Applications for vacancies are made online via an application form on our website. If we conclude an employment contract with an applicant, the transmitted data will be stored for the purpose of processing the employment relationship in compliance with the statutory provisions. If the data controller does not conclude an employment contract with the applicant, the application documents will be automatically deleted three months after notification of the rejection decision, provided that no other legitimate interests of the data controller conflict with such deletion. Other legitimate interest in this sense is, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).
In the case of the digitized recording of applications received, the recipients of the personal data processed are representatives of Witten/Herdecke University. The personal data is also processed on the basis of a contract for commissioned data processing pursuant to Art. 28 DSGVO by the company softgarden e-Recruiting GmbH.
10.2 Application for a place at university (student application)
As part of the student application process, we process all information submitted by you that is required to carry out the process on the basis of Article 6(1)(b) DSGVO.
After the selection of applicants has been completed, your data will be deleted with the exception of your surname, first name, date of birth and date of application. This part of your data is stored to protect our own legitimate interests pursuant to Article 6(1)(f) DSGVO, as the number of repeat applications at Witten/Herdecke University is limited and must be documented. This part of the data will be stored by us for a period of 5 years.
B. Special provisions on data processing on our website
1. scope of the processing of personal data
We use the open source software tool Matomo (formerly PIWIK) on the intranet to analyze the surfing behavior of our users. The software does not set any cookies on the user's computer. If individual pages of our website are called up, the following data is stored:
- Two bytes of the IP address of the calling system of the user.
- The website called up
- The website from which the user accessed the accessed website (referrer)
- The subpages accessed from the accessed website
- The time spent on the website
- The frequency with which the website is accessed
The software runs exclusively on the servers of our website. A storage of the personal data of the users only takes place there. The data is not passed on to third parties.
The software is set in such a way that the IP addresses are not stored completely, but 2 bytes of the IP address are masked (ex: 192.168.xxx.xxx). In this way, an assignment of the shortened IP address to the calling computer is no longer possible.
2. legal basis for the processing of personal data
The legal basis for the processing of users' personal data is Art. 6 (1) lit. f DSGVO.
3 Purpose of the data processing
The processing of the users' personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. In these purposes also lies our legitimate interest in processing the data in accordance with Art. 6 para. 1 lit. f DSGVO. By anonymizing the IP address, the interest of users in their personal data protection is sufficiently taken into account.
4 Duration of storage
The data will be deleted as soon as they are no longer needed for our recording purposes.In our case, this is the case after 365 days.
5. possibility of objection
We offer our users the possibility of opting out of the analysis process on our website. To do this, you must follow the corresponding link.
You can find more information about the privacy settings of the Matomo software at the following link:matomo.org/docs/privacy/.
You can decide here whether Matomo is activated to enable the collection and analysis of statistical data:
C. Security measures
We take organizational, contractual and technical security measures in accordance with the state of the art to ensure that the provisions of data protection law are complied with and thus to protect the data processed by us against accidental or intentional manipulation, loss, destruction or against access by unauthorized persons. The security measures include in particular the encrypted transmission of data using TLS 1.1 and TLS 1.2 between your browser and our server.