Privacy Policy

Effective Date: July 5, 2025

Contents

  • Controller

  • Contact Data Protection Officer

  • Overview of Processing Activities

  • Applicable Legal Bases

  • Security Measures

  • Transfer of Personal Data

  • International Data Transfers

  • General Information on Data Storage and Deletion

  • Rights of Data Subjects

  • Provision of the Online Offer and Web Hosting

  • Use of Cookies

  • Contact and Inquiry Management

Controller

Mathilde Bessert-Nettelbeck
University of Rostock
Email: mathilde.bessert-nettelbeck@uni-rostock.de
Authorized Representative: University of Rostock, legally represented by Rector Prof. Dr. Elizabeth Prommer
Universitätsplatz 1
18055 Rostock
Phone: +49 381 498-0
Email: rektorin@uni-rostock.de
General email: firstname.lastname@exampledomain.eu

Contact – Data Protection Officer

Dr. Katja Fröhlich
Data Protection and Information Security Office
Albert-Einstein-Str. 22 (Konrad-Zuse-Haus), Room 104
18059 Rostock
Phone: +49 381 498-8333
Email: datenschutzbeauftragte@uni-rostock.de

Overview of Processing Activities

The following is a summary of the types of data processed, the purposes of processing, and the categories of data subjects.

Types of Data Processed

  • Inventory data

  • Contact data

  • Content data

  • Usage data

  • Meta, communication, and procedural data

  • Log data

Categories of Data Subjects

  • Communication partners

  • Users

Purposes of Processing

  • Communication

  • Security measures

  • Organizational and administrative procedures

  • Feedback

  • Provision of our online offer and user-friendliness

  • Information technology infrastructure

Applicable Legal Bases

Legal bases under the GDPR: Below is an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the GDPR, national data protection regulations of your or our place of residence may apply. Where more specific legal bases are applicable in individual cases, we will inform you within this privacy policy.

  • Consent (Art. 6 para. 1 sentence 1 lit. a GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.

  • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR) – Processing is necessary for the performance of a contract or for taking steps prior to entering into a contract at the data subject's request.

  • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

National Data Protection Regulations in Germany: In addition to the GDPR, national data protection provisions in Germany apply, particularly the Federal Data Protection Act (BDSG). This law includes special provisions on access rights, data deletion, objection rights, processing of special categories of data, processing for other purposes, transmission, and automated decision-making including profiling. Data protection laws of individual German states may also apply.

Applicability of GDPR and Swiss FADP: This privacy policy is intended to comply with both the GDPR and the Swiss Federal Act on Data Protection (FADP). For clarity and wider applicability, GDPR terminology is used (e.g., "processing of personal data" instead of "handling of personal data"). However, within the scope of the Swiss FADP, legal definitions from that law remain valid.

Security Measures

We implement appropriate technical and organizational measures in accordance with legal requirements, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the risks posed to the rights and freedoms of individuals.

Measures include ensuring confidentiality, integrity, and availability of data via control of physical and electronic access to the data, input, transmission, availability, and separation. We also have procedures to handle data subject rights, data deletion, and responses to data breaches. Privacy is considered during the design of hardware, software, and processes following the principle of data protection by design and default.

Transfer of Personal Data

In the course of processing, personal data may be transferred to or disclosed to other entities, companies, legally independent units, or individuals (e.g., IT service providers or embedded service/content providers). In such cases, we comply with legal requirements and enter into contracts or agreements to protect your data.

International Data Transfers

Data processing in third countries: If data is transferred outside the EU/EEA, this is done in accordance with legal requirements.

For transfers to the U.S., we rely primarily on the EU-U.S. Data Privacy Framework (DPF), recognized as a safe framework by the European Commission (decision from July 10, 2023). We also use Standard Contractual Clauses (SCCs) to ensure additional protection.

This dual-layered approach ensures comprehensive data protection. The DPF is our primary basis; SCCs serve as a fallback in case of changes to the DPF.

We will inform you whether individual service providers are DPF-certified and/or use SCCs. More on the DPF and a list of certified companies is available at: https://www.dataprivacyframework.gov/

For other third countries, similar safeguards apply, including SCCs, explicit consent, or legal requirements. Information on third-country transfers and adequacy decisions can be found on the EU Commission's website:
https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en

General Information on Data Storage and Deletion

We delete personal data in accordance with legal requirements once the purpose is fulfilled or consent is withdrawn and no further legal grounds for processing exist.

Exceptions apply if statutory obligations or legitimate interests require longer storage or archiving (e.g., for legal claims, business records).

Retention and deletion periods under German law:

  • 10 years – Financial records, annual reports, inventories, organizational documents (§147 AO, §14b UStG, §257 HGB)

  • 8 years – Accounting documents like invoices (§147 AO, §257 HGB)

  • 6 years – Business correspondence, tax-relevant documents, wage records (§147 AO, §257 HGB)

  • 3 years – Data for legal claims, based on limitation periods (§§195, 199 BGB)

When multiple retention periods apply, the longest governs. Data retained for legal reasons is used only for that purpose.

Rights of Data Subjects

Under the GDPR (Art. 15–21), you have the following rights:

  • Right to object to processing based on Art. 6(1)(e) or (f) GDPR, including profiling

  • Right to withdraw consent at any time

  • Right of access to your data and information on processing

  • Right to rectification of incorrect or incomplete data

  • Right to erasure and restriction of processing, subject to conditions

  • Right to data portability

  • Right to lodge a complaint with a supervisory authority in your habitual residence, workplace, or where the violation allegedly occurred

Provision of the Online Offer and Web Hosting

We process users' data to provide online services, including transmitting content to their device or browser.

Processed Data:

  • Usage data (e.g., page views, interaction, devices, OS)

  • Meta/communication/procedural data (e.g., IP addresses, timestamps, identifiers)

  • Log data

Purposes:

  • Provision of the online offer and user experience

  • IT infrastructure and security

Legal Basis:

  • Legitimate interests (Art. 6(1)(f) GDPR)

Server Logs:
Stored for up to 30 days unless needed for evidence in specific incidents (e.g., DDoS attacks).

Use of Cookies

"Cookies" are functions that store and read information on users' devices, used for functionality, security, user experience, and analytics.

We use cookies in compliance with the law and request consent when required. Where not required, we rely on our legitimate interests, especially when cookies are essential to deliver requested content or services.

Legal Basis:

  • With consent: Art. 6(1)(a) GDPR

  • Without consent: Legitimate interests under Art. 6(1)(f) GDPR

Cookie Types by Duration:

  • Session cookies: Deleted after closing the website or app

  • Persistent cookies: Remain after session ends, e.g., to save login or preferences; may last up to 2 years

Opt-out and Withdrawal:
Users can withdraw consent or object via browser settings or privacy tools.

Processed Data:

  • Meta, communication, and procedural data

Data Subjects:

  • Users of online services



Use of Cookies

The term "cookies" refers to technologies that store and retrieve information on users' devices. Cookies can serve various purposes, including ensuring the functionality, security, and user-friendliness of online services, as well as analyzing visitor flows.

We use cookies in accordance with legal requirements. Where required, we obtain prior consent from users. If consent is not necessary, we base the use of cookies on our legitimate interests—particularly when storing and accessing information is essential to provide explicitly requested content and services. This includes saving user settings and ensuring the security and proper functioning of our online services. Consent may be revoked at any time. We clearly inform users about the scope and purpose of cookie use.

Legal Basis under Data Protection Law

Whether we process personal data using cookies depends on the presence of user consent. If consent is given, it forms the legal basis for processing. Without consent, we rely on our legitimate interests, as explained in this section and in the context of specific services and processes.

Storage Duration

The following types of cookies are distinguished based on their duration:

  • Temporary Cookies (also known as Session Cookies): These are deleted at the latest when the user leaves the online service and closes their device (e.g., browser or mobile app).

  • Persistent Cookies: These remain stored after the device is closed. For example, login status can be retained or preferred content can be shown upon return visits. Cookies may also be used for audience measurement purposes. Unless we explicitly inform users about the type and duration of cookies (e.g., when requesting consent), users should assume cookies are persistent and may be stored for up to two years.

General Information on Withdrawal and Objection (Opt-Out)

Users may revoke previously granted consent at any time and may also object to processing in accordance with legal provisions—this includes using their browser's privacy settings.

  • Types of Data Processed: Meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, involved parties).

  • Data Subjects: Users (e.g., website visitors, users of online services).

  • Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR); Consent (Art. 6 para. 1 sentence 1 lit. a GDPR).

Additional Notes on Processing Activities, Procedures, and Services

Processing of Cookie Data Based on Consent

We use a consent management platform to request user consent for the use of cookies or for the procedures and providers named in that platform. This process includes requesting, recording, managing, and enabling the revocation of consents—especially in relation to the use of cookies and comparable technologies used to store, read, and process information on users' devices.

As part of this procedure, user consent is obtained for cookie usage and the related processing of information, including any specific data processing or providers named in the consent platform. Users also have the option to manage or revoke their consent at any time.

Consent declarations are stored to avoid repeated requests and to provide proof of consent in accordance with legal requirements. Storage is performed server-side and/or using a cookie (known as an opt-in cookie), or via similar technologies to associate consent with a specific user or device.

Unless otherwise specified regarding a consent management provider, the following general information applies:

  • Consent storage duration: Up to two years

  • Stored information: A pseudonymized user ID, timestamp of consent, scope of consent (e.g., cookie categories or providers), browser and device information

  • Legal Basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR)

Contact and Inquiry Management

When you contact us (e.g., by post, contact form, email, phone, or social media), or within the context of existing user or business relationships, we process the information provided by the inquiring individuals to the extent necessary to respond to their requests and fulfill any requested actions.

  • Types of Data Processed:

    • Inventory data (e.g., full name, address, contact info, customer ID)

    • Contact data (e.g., postal or email addresses, phone numbers)

    • Content data (e.g., written or visual messages, authorship, timestamps)

    • Usage data (e.g., page views, duration, click paths, frequency, device types, OS, interactions with content or features)

    • Meta, communication, and process data (e.g., IP addresses, timestamps, identifiers, involved parties)

  • Data Subjects: Communication partners

  • Purposes of Processing: Communication, organizational and administrative procedures, feedback (e.g., collecting responses via online form), provision of our online services and user-friendliness

  • Storage and Deletion: Data is deleted according to the section "General Information on Data Storage and Deletion"

  • Legal Bases:

    • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

    • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)

Additional Notes on Processing Activities, Procedures, and Services

Contact Form

When users contact us via the contact form, email, or other communication channels, we process the personal data provided to respond to and handle the request. This typically includes name, contact information, and other voluntarily provided data necessary to address the issue appropriately. We use this information exclusively for the purpose of communication.

  • Legal Bases:

    • Contract performance and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b GDPR)

    • Legitimate interests (Art. 6 para. 1 sentence 1 lit. f GDPR)

