Data Privacy Statement of the Helmholtz Centre for Environmental Research GmbH - UFZ


This data privacy statement applies to our websites and our online presence on social media (YouTube, X (formerly Twitter), Instagram, LinkedIn, Mastodon and SciLogs).

(as of 02/2024)


I. Contact details of the data controller

The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the

Helmholtz-Zentrum für Umweltforschung GmbH – UFZ
Permoserstraße 15
04318 Leipzig
Germany
Phone: +49 341 6025 1269
Email: info@ufz.de
Website: www.ufz.de

II. Contact details of the Data Protection Officer

The Data Protection Officer
Permoserstraße 15
04318 Leipzig
Germany
Phone: +49 341 6025 1227
Email: datenschutz@ufz.de
Website: www.ufz.de

III. General information on data processing

1. Scope of processing of personal data
We only process the personal data of our users insofar as this is necessary to provide a functional website and to provide our content and services. As a rule, the personal data of our users is processed only with the consent of the user. An exception applies in cases where it is not possible to obtain prior consent for factual reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Article 6(1)(a) GDPR serves as the legal basis.
Article 6(1)(b) GDPR serves as the legal basis for the processing of personal data required for the fulfilment of a contract to which the data subject is a party. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Article 6(1)(c) GDPR will serve as the legal basis.
If the processing is necessary to safeguard a legitimate interest of the UFZ or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Article 6(1)(f) GDPR will serve as the legal basis for the processing.

3. Data deletion and storage period
The personal data of the data subject will be deleted as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.


IV. Provision of the website and creation of log files

1. Description and scope of the data processing
Each time our website is accessed, our system automatically records data and information from the computer system of the accessing computer in a local log file. 

The following data is collected if it is transmitted by the user's system:

  • the website from which users access our website,
  • the content of the request (specific subsite),
  • the date and time of the query,
  • the amount of data transferred,
  • the access status (file transferred, file not found),
  • the description of the type of web browser used and the version used,
  • the user's Internet service provider,
  • the pseudonymised IP address of the requesting computer.

Before storage, each data record is anonymised by changing the IP address. The data is not stored together with other personal data of the user.

2. Legal basis for the data processing
The legal basis for the temporary storage of data and log files is Article 6(1)(f) GDPR.

3. Purpose of the data processing
Temporary storage of the IP address is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session.

Data is stored in log files to ensure the functionality of the website. We also use the data to optimise the website and to ensure the security of our information technology systems. The data is not analysed for marketing purposes in this context. 

These purposes also constitute our legitimate interest in data processing in accordance with Article 6(1)(f) GDPR.

4. Duration of storage
The data is deleted as soon as it is no longer required to fulfil the purpose for which it was collected. If the data is collected to provide the website, it is deleted when the respective session has ended. If the data is stored in log files, it is stored for a maximum of 31 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymised so that it is no longer possible to identify the accessing client.

5. Possibility of objection and removal
The collection of data for the provision of the website and the storage of data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

V. Use of cookies

1. Description and scope of data processing
We use technically necessary and temporary cookies on our website. We do not use persistent cookies or Flash cookies.

Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When users access a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

The following data is stored and transmitted in the cookies:

  • Language settings
  • Log-in information
  • Earlier visit to prevent new pop-up adverts
  • Session information for web services.

Cookies are stored on the user's computer and transmitted from there to our website. Users therefore also have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing the settings in their Internet browser. If cookies are deactivated for our website, it may no longer be possible to use all functions of our website to their full extent.

2. Legal basis for data processing
The legal basis for the data processing is Article 6(1)(f) GDPR and § 25 para. 2 no. 2 Telecommunications-Telemedia Data Protection Act (TTDSG).

3. Purpose of data processing
The purpose of using technically necessary cookies is to enable basic functions of this website and to simplify the use of our website for users. 

These purposes also constitute our legitimate interest in the processing of personal data in accordance with Article 6(1)(f) GDPR. 

The user data collected by technically necessary cookies are not used to create user profiles.

4. Duration of storage
The cookies are deleted after the browser is closed.

VI. Web analytics through Matomo

1. Description and scope of data processing
We use the open source software tool Matomo on our website to analyse the surfing behaviour of our users. The software places a cookie on the user's computer. 

If individual subsites of our website are accessed, the following data is stored:

  • two bytes of the IP address of the user's calling system,
  • the website accessed and the time of access,
  • the website from which the user accessed the website (referrer),
  • the subsites that are accessed from the website accessed,
  • the time spent on the website,
  • the frequency of visits to the website,
  • which browser with which plugins, which operating system and which screen resolution is used.

The software runs exclusively on the servers of our website. The data is only stored there. The data is not passed on to third parties. 

The software is set so that the IP addresses are not saved in full, but 2 bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the truncated IP address to the accessing computer, so that you as the user remain anonymous. This data is not stored together with other personal data of the user.

2. Legal basis for the data processing
The legal basis for the processing of users' personal data is Article 6(1)(a) GDPR.

3. Purpose of data processing
The processing of users' personal data enables us to analyse the surfing behaviour of our users. By analysing the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness.

4. Duration of storage
The data is deleted as soon as it is no longer required for our recording purposes. The deletion takes place after 6 months.

5. Possibility of objection and removal
Users have the following options:

a) Activate the "Do-Not-Track" setting in the browser
As long as this setting is active, no user data is saved. Important: The do-not-track instruction generally only applies to the one device and browser in which the setting has been activated. If several devices/browsers are used, the "Do-Not-Track" setting must be activated separately everywhere.

b) Use of the opt-out function
Data collection is stopped or reactivated by clicking the tick in the following checkbox. As long as the checkbox is deactivated, no user data will be saved. Important: To opt out, we must store an opt-out-cookie in the user's browser. If this is deleted or a different device/browser is used, the opt-out-cookie must be activated again.

Further information on the privacy settings of the Matomo software can be found at: https://matomo.org/docs/privacy/.


VII. Registration for events

1. Description and scope of data processing
On our website we offer you the opportunity to register for UFZ events. The data is entered into an input mask and saved. 

The following data is collected during registration:

  • Title, salutation, name
  • Address, if applicable
  • Email address
  • Institution/Company.

The following data is also stored at the time of registration:

  • IP address
  • Date and time of registration.

The consent of the applicant is obtained for the processing of the data as part of the completion process.

We use either the Indico (Integrated Digital Conference) web form or a conference organisation software for registration.
Indico is operated as part of the Helmholtz Federated IT Services (HIFIS) on the servers of the Deutsches Elektronen-Synchrotron DESY, where your data is processed and stored. DESY is a processor within the meaning of Article 28 GDPR.
When using the conference organisation software, your data will be stored on the UFZ servers. 

Some events are organised on behalf of UFZ by a "Professional Congress Organiser" (PCO). This is an external company that offers organisational and agency services in connection with workshops, seminars, meetings or conferences. Data is passed on to this PCO in connection with data processing when registering for an event organised by the PCO. The PCO is a processor within the meaning of Article 28 GDPR. 

The data collected will be used exclusively for registration for the event and the organisation of the event.

2. Legal basis for data processing
The legal basis for the data processing in connection with registration for events is Article 6(1)(a) GDPR (consent) and, in the case of fee-based events, Article 6(1)(b) GDPR (for the fulfilment of a contract).

3. Purpose of data processing
The purpose of collecting the data is to ensure participation in the event. In the case of fee-based events, the data is also processed for billing purposes.

4. Duration of storage
The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected, i.e. after the event has been held.

If the event is a fee-based event and an invoice is issued for the participation fee, statutory retention periods must be observed. The data must then be stored for a period of 10 years in accordance with § 14b (1) Value Added Tax Act (UStG) and will be deleted or destroyed after this period has expired. Only the data contained on the invoice is stored. The data not required for issuing the invoice will be deleted.

5. Possibility of objection and removal
The collection of data for registration for an event is mandatory for participation in the event. Consequently, there is no possibility for event participants to object. 

If the data subjects decide not to participate after registering for the event, the consent given to the processing of their data can be withdrawn at any time at the same time as the cancellation of participation in the event – in the case of fee-based events, however, only before the obligation to pay the fee arises. The cancellation must be sent to the email address provided in the registration confirmation or to info@ufz.de.

After receipt of the withdrawal of consent, the collected data will be deleted.

VIII. Photo and video recordings during events

1. Description and scope of data processing
During selected events, photos and/or video recordings are made and processed to document these events. We will inform you when we announce an event and on site if we wish to make these recordings.
It cannot be excluded that persons may be directly or indirectly identifiable in these recordings.

2. Legal basis for data processing
Insofar as we obtain the consent of the data subjects for the processing of personal data, Article 6(1)(a) GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of the UFZ and if the interests, fundamental rights and freedoms of the data subjects do not outweigh the former interest, Article 6(1)(f) GDPR serves as the legal basis for the processing.

3. Purpose of data processing
Photos and video recordings are made as part of the UFZ's press and public relations work and are used to document certain aspects of the event and to report on the event, also for interested third parties.

4. Duration of storage
If the production and processing of photos and video recordings is based on a consent, the photos and video recordings will be stored until the consent is withdrawn by the data subject. If consent is withdrawn, photos and video recordings in which the person withdrawing consent is recognisable and which essentially only show the withdrawing person will be deleted immediately. If the withdrawing person is depicted on the photo/video together with other persons, the withdrawing person will be immediately made unrecognisable on the photo/video (e.g. by pixelation). 

Insofar as Article 6(1)(f) GDPR is relevant, the photo and video recordings will be deleted as soon as the purpose of storage no longer applies.

5. Possibility of objection and removal
At the beginning or during the event, the persons concerned may inform the person taking the photos or video recordings that they do not consent to being depicted or that they wish to exercise their right to object.

Any consent given can be withdrawn at any time with effect for the future. The withdrawal of consent should be addressed to mediadb@ufz.de.


IX. YouTube

We use the provider YouTube, LLC, 901 Cherry Ave, 94066 San Bruno, CA, USA (hereinafter: "YouTube"), a company of Google Inc, Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google") for the integration of videos on our website.

For this purpose, we use the "extended data protection mode" option provided by YouTube.

When a subsite with an embedded video is accessed, a connection to the YouTube servers is established and the content is displayed on the website by notifying the user's browser.

According to the information provided by YouTube, in "extended data protection mode", data – in particular which of our subsites have been visited and device-specific information including the IP address – is only transmitted to the YouTube server in the USA when the video is watched.

If users are logged in to YouTube at the same time, this information is assigned to the YouTube member account. This can be prevented by users logging out of their member account before visiting our website.

Information about which data is processed by YouTube and for what purposes it is used can be found in the service's privacy policy, which you can find here: Google's privacy policy.


XIII. Rights of data subjects

The data subjects whose personal data are processed in the context of the above-mentioned services have the following rights, unless statutory exceptions apply in individual cases:

1. Right to information, Article 15 GDPR
The right to information gives the data subjects comprehensive access to the data concerning them and some other important criteria, such as the purposes of processing or the duration of storage. The exceptions to this right set out in § 34 BDSG apply.

2. Right to rectification, Article 16 GDPR
The right to rectification includes the possibility for the data subjects to have incorrect personal data concerning them corrected.

3. Right to erasure, Article 17 GDPR
The right to erasure includes the possibility for the data subjects to have personal data erased by the controller. However, this is only possible if this data is no longer necessary, is being processed unlawfully or consent has been withdrawn. The exceptions to this right set out in § 35 BDSG apply.

4. Right to restriction of processing, Article 18 GDPR
The right to restriction of processing includes the possibility for the data subjects to temporarily prevent further processing of their personal data. A restriction occurs in particular when other rights of the data subjects are being examined.

5. Right to notification, Article 19 GDPR
If the data subjects have asserted the right to rectification, erasure or restriction of processing, we are obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data has been disclosed, unless this proves impossible or involves disproportionate effort. The data subjects have the right to be informed about these recipients.

6. Right to data portability, Article 20 GDPR
The right to data portability includes the possibility for the data subjects to receive the personal data concerning them from the controller in a commonly used, machine-readable format so that they can be forwarded to another controller if necessary. According to Article 20(3) sentence 2 GDPR, however, this right is not available if the data processing serves the fulfilment of public tasks.

7. Right to object, Article 21 GDPR
The data subjects have the right to object to the future processing of personal data concerning them, provided that this data is processed in accordance with Art. 6(1)(e) or (f) GDPR.

8. Right to withdraw the declaration of consent under data protection law, Article 7(3) GDPR
The data subjects have the right to withdraw their declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority, Article 77 GDPR
Without prejudice to any other administrative or judicial remedy, the data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the GDPR. The supervisory authority responsible for the UFZ is

The Federal Commissioner for Data Protection and Freedom of Information
Graurheindorfer Str. 153, 53117 Bonn, Germany
Phone: +49 (0)228-997799-0
Email: poststelle@bfdi.bund.de