Data Privacy Statement of the Helmholtz Centre for Environmental Research GmbH - UFZ

 

I. Contact details of the data controller


The data controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states as well as other data protection regulations is the

Helmholtz-Zentrum für Umweltforschung GmbH – UFZ (Helmholtz Centre for Environmental Research – UFZ)
Permoserstraße 15
04318 Leipzig
Deutschland
Phone: +49 341 235-0
Email: info@ufz.de
Website: www.ufz.de

II. Contact details of the Data Protection Manager


The Data Protection Manager
Permoserstraße 15
04318 Leipzig
Germany
Phone: +49 341 235-1271
Email: datenschutz@ufz.de
Website: www.ufz.de

III. General information on data processing


1. Scope of processing of personal data

We process personal data of our users only to the extent necessary to provide a functioning website as well as our contents and services. In the case of processing personal data of our users, we will obtain the prior consent of the user. An exception applies in those cases where prior consent can not be obtained for genuine reasons and the processing of the data is permitted by law.

2. Data deletion and storage period
The affected individual's personal data will be deleted as soon as the purpose of the storage no longer applies. In addition, storage can also occur if provided for by European or national legislators in EU regulations, acts or other legislation to which the data controller is subject. The data shall also be blocked or deleted if a storage period prescribed by one of the aforementioned norms expires, unless it is necessary for further storage of the data for the conclusion or the fulfillment of a contract.


IV. Provision of the website and creation of log files


1. Description and scope of the data processing

Each time our website is accessed, our system automatically records data and information from the computer system of the accessing computer.

The following data are collected:

  • websites from which the file was requested,
  • name of the file,
  • date and time of the query
  • amount of the data transferred,
  • access status (file transferred, file not found)
  • information about the web browser used
  • IP address of the requesting computer

The data are likewise stored in our system's log files. These data are not stored together with other personal data of the user.

2. Legal basis for the data processing
The legal basis for the temporary storage of the data and the log files is Article 6 para. 1 lit. f GDPR.

3. Purpose of the data processing
The temporary storage of log files takes place in order to ensure the functionality of the website. We additionally use the data to optimize the website, to eliminate malfunctions and to ensure the security of our information technology systems. Our justified interest in data processing pursuant to Article 6 para. 1 lit. f GDPR also lies in such purposes.

4. Storage period
The data will be deleted as soon as they are no longer necessary for the purpose of their collection. When data is collected in order to enable the functioning of the website, the data will be deleted as soon as the respective session has ended.
Data in log files are stored for security reasons (e.g. to investigate misuse or fraud) for a maximum period of 31 days and then be deleted. Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.

5. Possibility of objection and removal
The recording of data for the provision of the website and storage of the data in log files is vital to the operation of the website. The user consequently has no possibility to object.

V. Web analysis by Matomo (formerly PIWIK)


1. Scope of processing personal data

On our website we use the open source software tool Matomo (formerly PIWIK) to analyse the surfing behaviour of our users. The software utilizes a cookie on the user's computer. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables a unique identification of the browser when the website is called up again.

If individual pages of our website are accessed, the following data is stored:

(1) two bytes of the IP address of the accessing system of the user,
(2) the web website accessed,
(3) the referrer website from which the user has accessed the website,
(4) the subpages visited from the website accessed,
(5) time spent on the website,
(6) the frequency of website access.

The software runs exclusively on our servers. User’s personal data is stored only there. The data will not be shared with any third parties.

The software is used in such a way that IP addresses cannot be saved in full. Two bytes of the IP-address are masked (e.g. 192.168.xxx.xxx). It is therefore not possible to match the abbreviated IP address to the accessing computer.

2. Legal basis for the data
The legal basis for processing users' personal data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing
Processing users' personal data enables us to analyse their surfing behaviour. By evaluating this data we are able to compile information about the use of individual elements of our website. This helps us to constantly improveour website and its user-friendliness. This is also the basis of our legitimate interest in the processing of data in accordance with Art. 6 para. 1 lit. f GDPR. In anonymising IP addresses, users' interest we pay due regard to the users' interest in the protection of their personal data.

4. Duration of storage
Data is deleted as soon as it is no longer required for our recording purposes.

5. Possibility of objection and removal
Cookies are saved on the user's computer and then transferred by the user from there to our site. By adjusting your browser settings you can deactivate or restrict the transfer of cookies. Therefore you as user have full control over the use of cookies. Cookies already saved can be deleted at any time, including automatically, but in this case some of the functions of our websites may not be fully available.

On our websites you can opt out of the analysis process by following the relevant link. However, you can also object to the collection of your usage data at this point by clicking the tick in the box below. This will save another cookie on your computer that signals to our system not to save your data. If you then delete this cookie from your system, you will have to re-set the opt-out cookie again later.

Tracking is currently not active for you, because your browser has informed us that you do not wish to be tracked. This is a browser setting. To reactivate tracking, you must deactivate the so-called "Do Not Track" setting in your browser settings.

For more on Matomo's privacy settings, see at: https://matomo.org/docs/privacy/.


VI. Newsletter


1. Description and scope of data processing

On our websites you can subscribe to our free newsletter “Environmental Perspectives”. This newsletter is available either as print or as an e-paper. When you register, the data you enter into the input fields will be transmitted to us, i.e.

(1) User's name
(2) User's address (only if sent in paper form)
(3) User's e-mail-address (only if sent as e-paper)

To process this data we will need your consent, which you can provide when you register. The registration process will also refer you to this data protection statement.

When we process your data for the purposes of sending the newsletter as e-paper, we do not share any data with any third party. In connection with the data processing for the dispatch of newsletters as a print, the contact data (name and address) are passed on to a print shop, a service provider commissioned by UFZ, to dispatch the newsletter. The print shop is a processor within the meaning of Art. 28 GDPR.

The data will be used exclusively for sending the newsletter.

2. Legal basis for data processing
Subject to your consent, the legal basis for the processing of data after you have subscribed to the newsletter is Art. 6 para. 1 lit. a GDPR.

3. Purpose of data processing
Your email address respectively your postal address are collected for the purpose of sending the newsletter as print, PDF or e-Paper.

4. Duration of storage
Data is deleted as soon as it is no longer required for the purpose for which it was collected. Therefore your email address/address will be held only for as long as your subscription to the newsletter is active.

5. Possibility of objection and removal
Subscription to the newsletter can be terminated at any time and the consent can be revoked by that. The termination shall be sent by e-mail to info@ufz.de or by post to: Helmholtz-Zentrum für Umweltforschung GmbH - UFZ, Press and Public Relations Staff, Permoserstr. 15, 04318 Leipzig.

After revocation the collected data will be deleted immediately.

VII. Registration for events


1. Description and scope of data processing

On our website you can register for events of the UFZ via web form or conference organization software.

When you register, the following data is collected:

(1) Name
(2) address
(3) Email address
(4) Name of organization

When you register, your consent to the processing of your data is requested to process your personal data. The registration process will also refer you to this data protection statement.

In connection with processing data for the organization of some events, the data is shared with a PCO, which is commissioned by the UFZ to organize the event. A PCO is a "Professional Congress Organizer", i.e. an external company that offers organizational and agency services in connection with workshops, seminars, conferences or meetings. The commissioned PCO is a contract processor within the meaning of Art. 28 GDPR. When you register for the respective event, an indication is given as to whether it is being organized by the external PCO.

In connection with the use of the conference organization software, your data is collected via the software and stored on the servers of the UFZ. The software provider is a processor within the meaning of Art. 28 GDPR.

For events that are not organized by a PCO or for which the conference organization software is not used, no data is shared with any third parties.

The collected data will be used exclusively for your registration for the event and the execution of the event.

2. Legal basis for data processing
The legal basis for the processing of data is Art. 6 para. 1 lit. a GDPR (consent) as well as Art. 6 para. 1 lit. b GDPR (fulfillment of a contract) for paid events.

3. Purpose of data processing
We process your data in order to ensure your participation in the event. In case of paid events, we process your data also for billing purposes.

4. Duration of storage
Data will be deleted as soon as it is no longer required for the purpose for which it was collected, that is after the event.

In case of paid events where an invoice is issued for the participation fee, legal retention periods must be observed. The data must then be stored for a period of 10 years according to § 14b Abs. 1 UStG and will be deleted or destroyed after this period has expired. Only the data contained in the invoice will be stored. The data not required for issuing the invoice (e-mail address) will be deleted.

5. Possibility of objection and removal

The data entered for registration for an event is mandatory for your participation in the event. Consequently, there is no possibility of objection on the part of the event participant.

In case you decide against participation after registration for the event, your consent to the processing of your data can be revoked at any time and at the same time with cancelling participation in the event. In case of paid events, however, registration can only be cancelled before the cost obligation arises. The revocation is to be sent by e-mail to info@ufz.de or by post to: Helmholtz-Zentrum für Umweltforschung GmbH – UFZ, Press and Public Relations Staff, Permoserstr. 15, 04318 Leipzig.

After receipt of the revocation of consent, the data collected will be deleted.


XIII. Web forms for surveys etc.


1. Description and scope of data processing

Web forms are available on our website that can be used to participate in scientific surveys etc.

As far as these are not anonymous surveys, personal data (e.g. contact data) may be requested and collected. In any case the submission of your data is voluntarily.

For processing your personal data, your consent is obtained and reference is made to this data protection declaration as part of the registration process.

2. Legal basis for data processing
The legal basis for the data processing for participation in surveys is Art. 6 para. 1 lit. a GDPR (consent).

3. Purpose of data processing
We collect your personal data only to contact you or in order to inform you about the execution, evaluation or the results of the survey, if requested by you.

4. Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected, i.e. after the person responsible informed you about the results of the survey.

5. Possibility of opposition and removal
You can revoke your consent to the processing of your data at any time. The revocation is to be sent by e-mail or by post to the person(s) named in the specific web form.

After revocation of the consent the collected data will be deleted immediately.


IX. Utilization of Cookies


1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are saved on the user's computer system in or by the browser software. If a user accesses a website, a cookie can be stored on their operating system. This cookie contains a unique identification code that enables the user's browser to be recognized when the user revisits the website.

We use cookies to make our website more user-friendly. Some elements of our website require the accessing browser to be identifiable even after the user has gone to a different site.

The cookies save and transmit the following data:
(1) Shopping cart for image download from the image database
(2) Log-in information for web services
(3) Session information for web services

2. Legal basis for data processing
The legal basis for using cookies to process personal data is Art. 6 para. 1 lit. f GDPR.

3. Purpose of data processing
We use cookies for technical reasons in order to make use of the website easier for users. Without cookies, some of the functions of our website will not work. These functions require that, when you return to our website, your browser is recognized.

We need cookies for the following uses:

(1) Shopping cart for image download from the image database
(2) Log-in information for web services
(3) Session information for web services

The user data we collect for technical purposes via cookies is not used to create user profiles. These purposes also constitute our legitimate interest in the processing of personal data as per art. 6 para. 1 lit. f GDPR.

4. Duration of storage; objection and removal
Cookies are saved on the user's computer and transferred from there to our site. Therefore you as user have full control over the use of cookies. By adjusting your browser settings you can deactivate or restrict the transfer of cookies. Cookies already saved can be deleted at any time and they can also be deleted automatically, but deletion may result in restricted usability of some of the functions of our website.


 X. Social Media Plugins


On our website we use so-called Social-Media-Buttons (also Social-Media-Plugins) on our website. These are small buttons that allow you to publish content from our website on social networks under your profile.

By activating such a button a connection will be established between our website and the social network. In addition to the relevant content, the operator of the social network receives further information, some of which is personal data, e.g, the fact that you are currently visiting our site.

The social media buttons are integrated using the so-called Shariff solution. This solution developed by Heise and c't prevents a connection to a social network from just because you call up a page with a social media button without activating it. In result no information will be sent to the social network until you use the button.

We use the following social media plugins:

a) Facebook:
In some cases, information are transmitted to the mother company Facebook Inc. based in the USA, which complies with the data protection regulations of the "US Privacy Shield" and is registered with the "US Privacy Shield" program of the US Department of Commerce.

Please review the Facebook data protection declaration for information on the purpose and scope of the data collection and the further processing and use of the data by Facebook as well as your rights and setting options for the protection of your privacy.

b) Twitter:
In some cases, information is transmitted to the parent company Twitter Inc. based in the USA, which complies with the data protection regulations of the "US Privacy Shield" and is registered with the "US Privacy Shield" program of the US Department of Commerce.

Please review the Twitter data protection declaration for further information on data protection on Twitter in.
 

XI. YouTube


To integrate videos on our website we use YouTube, LLC 901 Cherry Ave., 94066 San Bruno, CA, USA (hereinafter: "YouTube"), a company of Google Inc., Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: "Google").

We use the option of the "extended data protection mode" provided by YouTube.

When you access a page that has an embedded video, it connects to the YouTube servers and shows the content on the website by notifying your browser.

According to YouTube, in "extended data protection mode", your data - in particular which of our websites you have visited as well as device-specific information including the IP address - will only be transmitted to the YouTube server in the USA when you watch the video.

If you are logged in to YouTube at the same time, this information will be associated with your YouTube account. You can prevent this by logging out of your member account before visiting our website.

Google complies with the data protection regulations of the "US Privacy Shield" and is registered with the "US Privacy Shield" program of the US Department of Commerce.

For more information about YouTube-related privacy, please see Google's privacy policy.


XII. Candidate Management – e-Recruiting


1. Description and scope of data processing
On our website we offer applicants the opportunity to apply for vacancies by providing personal data.

We collect the following data during the registration process in the e-Recruiting portal:

(1) Form of address
(2) Applicant's first and last name
(3) Applicant's address
(4) E-mail address
(5) Telephone number
(6) other applicant data and documents, e.g. motivation letter, curriculum vitae, certificates, photographs)

The data is entered into an input mask during registration, uploaded, stored on the systems of our software partner and then transmitted to us. The software partner is a processor within the meaning of Art. 29 GDPR.

2. Legal basis for data processing
The legal basis for the processing of data is Art. 6, Art. 88 GDPR in conjunction with § 26 BDSG.

3. Purpose of data processing
Your data entry is required for participation in application procedures of the UFZ and for the decision on the establishment of an employment relationship.

4. Duration of storage
If an employment relationship is created, the data is stored in the personnel file.

In the event that an applicant is refused in the specific application procedure, his/her data will be deleted 3 months after the end of the application procedure.

5. Possibility of opposition and removal
You can delete your personal data at any time, withdraw your application(s) or correct incorrect data by logging into the e-Recruiting portal with your login data and editing your profile accordingly or by contacting personal@ufz.de or Helmholtz-Zentrum für Umweltforschung GmbH - UFZ, Human Resources, Permoserstraße 15, 04318 Leipzig.


XIII. Rights of data subject


If your personal data is processed, you are a data subject in the sense intended by the GDPR and you have the following rights in your relationship with the data controller:

1. Right to be informed (Art. 15 GDPR)

If your data is being processed, you have the right to the following information from the data controller:

  1. The purposes for which the personal data is being processed;
  2. The categories of personal data being processed;
  3. The recipients or categories of recipients to whom your personal data has been or will be disclosed;
  4. The intended duration of storage of the personal data or, if this information is not available, the criteria for determining the duration;
  5. The existence of your right to the correction or deletion of your personal data, your right to the restriction of its processing by the data controller and your right to object to such processing;
  6. The existence of your right to complain to the supervisory authorities;
  7. All available information on the origin of the data insofar as the data was not collected from the data subject;

You have the right to know if your personal data is transferred to a non-EU country or an international organisation. In this context you have the right to be informed of the relevant guarantees that under art. 46 GDPR are to be provided for the transfer of data.

2. Right to correction, Art. 16 GDPR
You have the right to have your personal data corrected or completed by the data controller, in case your personal data are wrong or incomplete. Correction must be carried out by the data controller immediately.

3. Right to restriction of processing, Art. 18 GDPR
You have the right to the restriction of the processing of your personal data subject to the following criteria:

(1) You dispute the accuracy of your personal data for a period of time that allows the data controller to check the accuracy of the data concerned;
(2) The processing is unlawful and you decline to have the personal data deleted and instead request that the use of the data be restricted;
(3) The data controller no longer requires the personal data for the purposes originally intended but nonetheless needs it for the assertion of rights or the bringing of or defense against claims; or
(4) You have objected to processing as per Art. 21 para. 1 GDPR and it has not yet been established whether the legitimate interests of the data controller outweigh your interests.

Where the processing of your personal data is restricted, this data may (apart from being stored) be processed only with your consent or for the assertion of rights or the bringing of or defense against claims or for the upholding of the rights of another natural or juristic person or on the grounds of significant public interest within the European Union or a member state.

Where processing is restricted in accordance with the aforementioned criteria, the data controller will inform you prior to the removal of such restriction.

4. Right to deletion, Art. 17 GDPR

a) Obligation to delete
You have the right to the immediate deletion of your personal data by the data controller, provided that:

  1. The data concerned is no longer required for the purposes for which it was originally collected or has otherwise been processed;
  2. You revoke the consent on which under Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR processing was based and there is no other legal basis for the processing.
  3. You object to processing under Art. 21 para. 1 GDPR and there are no legitimate grounds for processing that take priority, or your objection to processing is based on Art. 21 para. 2 GDPR;
  4. Your personal data has been processed unlawfully;
  5. The deletion of your personal data is necessary for compliance with a legal obligation under European Union law of the law of a member state to which the data controller is subject;
  6. Your personal data has been collected in relation to services offered as part of the information society as per Art. 8 para. 1 GDPR.


b) Sharing of information with third parties
Where the data controller has published your personal data and is required under Art. 17 para. 1 GDPR to delete it, it must, with due regard to the technology available and the costs of implementation, put in place appropriate measures (including technical ones) to inform those responsible for processing your personal data that you, the data subject, have exercised your right to have all links to or copies of your personal data deleted.

c) Exceptions
You have no right to the deletion of your personal data where its processing is required:

  1. For the exercise of the right to freedom of expression or information;
  2. For compliance with a legal obligation that makes processing necessary under the law of the European Union or the law of a member state to which the data controller is subject or for compliance with an order in the public interest or with an official requirement to which the data controller is subject;
  3. For reasons of public interest as it relates to public health as per Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
  4. For archiving purposes or scientific or historical research purposes that are within the public interest or for statistical purposes as per Art. 89 para. 1 GDPR, insofar as the rights specified under a) are likely to make the realisation of the aims of this processing impossible or jeopardize it; or
  5. For the assertion of or defense against claims or the exercise of rights.


5. Right to be informed
If you exercise your rights to have the data controller correct or delete your personal data or to restrict its processing, the data controller must inform all recipients to whom your personal data has been disclosed that you have exercised the aforementioned rights, unless to do so is impossible or would involve disproportionate cost or effort.

You have the right to be informed by the data controller who these recipients are.

6. Right to data portability, Art. 20 GDPR
You have the right to receive in a current, structured and machine-readable form the personal data that you have provided to the data controller. You also have the right to transfer this data to another data controller without hindrance by the data controller to whom you provided the data, provided:

  1. The processing is based on consent under Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract as per Art. 6 para. 1 lit. b GDPR;
  2. The data processing is automated.

In exercising this right you further have the right, insofar as is technically feasible and insofar as the rights and freedoms of third parties are not infringed, to have your personal data transferred directly from one data controller to another.

The right to data portability does not apply where personal data needs to be processed in order to comply with an order in the public interest or that is required on official orders to which the data controller is subject.

7. Right to object, Art. 21 GDPR
You have the right at any time and on grounds unique to you to object to the processing of your personal data as based on Art. 6 para. 1 lit. e or lit. f GDPR.

The data controller will then cease to process your personal data unless it can prove compelling grounds for processing that outweigh your interests, rights and freedoms or unless the processing serves the assertion of or defense against claims or the exercise of rights.

In connection with the use of information society services, and regardless of Directive 2002/58/EC, you can exercise your right to object by using automated processes for which technical specifications are used.

8. Right to revoke your declaration of consent as given under data protection law, Art. 7 para. 3 GDPR
You have the right to revoke at any time your declaration of consent as given under data protection law. Such revocation will not affect the lawfulness of any data processing carried out prior to the revocation on the basis of your consent.

9. Right to complain to a supervisory authority, Art. 77 GDPR
Without prejudice to any other legal or judicial remedy, you have the right to complain to a supervisory authority, especially one in the EU member state where you live or work or where the alleged infringement has taken place, if you believe that the processing of your personal data is in breach of the GDPR.

The supervisory authority to which the complaint is submitted will keep you informed as to the status and outcome of your complaint, including your options for judicial remedy as per Art. 78 GDPR.