Information on Data Protection

According to EU Law pursuant to Art. 13 GDPR (Regulation (EU) 2016/679)

Introduction

We are pleased to welcome you to our website. The protection of your personal data is important to us, which is why we would like to inform you about the purposes for which the Ulm University collects, stores, or transmits your data. You can also find out what rights you have regarding your personal data.

Responsible Entity and Data Protection Officer

The entity responsible for data processing, according to Art. 4 (7) of the General Data Protection Regulation (GDPR), is:

The Ulm University is a public law corporation represented by the President Prof. Dr.-Ing. Michael Weber (praesident(at)uni-ulm.de) or the Chancellor Dieter Kaufmann (kanzler(at)uni-ulm.de). For questions regarding data protection, please contact dsb(at)uni-ulm.de or send a letter marked “Data Protection Officer” to the above address.

Terms

The technical terms used in this privacy policy are to be understood as defined in Art. 4 of the GDPR.

Information on Data Processing

Automated Data Processing (Log Files, etc.)

Our website can be visited without actively providing personal information. However, we automatically store access data (server log files) with each visit to the website, such as the name of the Internet Service Provider, the operating system used, the website from which the user visits us, the date and duration of the visit, and the name of the requested file, as well as the IP address of the computer used for security reasons, e.g., to detect attacks on our website, for a duration of 14 days.

These data are evaluated solely for the purpose of improving our services and do not allow any conclusions to be drawn about the identity of the user. The data will not be combined with other data sources. The legal basis for data processing is Art. 6 (1) (f) GDPR.

We process and use the data for the following purposes:

• Provision of the website,
• Improvement of our websites, and
• Prevention and detection of errors/malfunctions as well as abuse of the website.

The processing is carried out to pursue legitimate interests in ensuring the functionality and error-free, secure operation of the website, as well as to adapt this website to user requirements.

SSL or TLS Encryption

For security reasons and to protect the transmission of confidential content you send to us as the site operator, our website uses SSL or TLS encryption. This ensures that data transmitted via this website is not readable by third parties. You can recognize an encrypted connection by the “https://” in your browser’s address bar and the padlock symbol in the browser bar.

Web Analysis and Optimization

To evaluate visitor flows on our online services, we use web analysis and reach measurement tools. For this purpose, we collect information about the behavior, interests, or demographic information of our visitors. This helps us determine when our online services, their functions, or content are most frequently accessed or invite repeated visits. Additionally, we can identify whether our online services need optimization or adjustment based on the collected information.

For the purposes of optimizing and further developing the website and identifying potential interests, relevant information is stored in cookies or similar procedures. The stored data includes, among other things, viewed content, visited websites, settings, and used functions and systems. However, we generally do not process any personal data of users for the described purposes. The data is modified so that the actual identity of users is not known to us or the provider of the tool used.

We can determine the success of our measures based on the aggregated data made available to us by the provider of web analysis and reach measurement (so-called conversion measurement).

Categories of Data Subjects:
Website visitors, users of online services, interested parties, communication partners, business and contractual partners

Categories of Data:
User data (e.g., visited websites, interest in content, access times, browser and device settings, click paths, downloads, duration of stay, entry and exit pages, country designations), meta and communication data (e.g., device information, IP addresses), location data, contact data, content data (e.g., text entries, photographs, videos)

Purposes of Processing:
Website analysis, reach measurement, conversion measurement, evaluation of website interaction, audience analysis, development of marketing strategies, and increasing campaign efficiency

Legal Bases:
Consent (Art. 6 (1) (a) GDPR); legitimate interests (Art. 6 (1) (f) GDPR)

Legitimate Interests:
Optimization and further development of the website to increase reach and efficiency

Matomo

This website uses the open-source web analytics service Matomo.

With the help of Matomo, we are able to collect and analyze data about the usage of our website by visitors. This allows us to determine, among other things, when specific page views occurred and from which region they originated.

Service Used:
InnoCraft Ltd, 150 Willis St., 6011 Wellington, New Zealand

Data Protection:
https://matomo.org/privacy-policy/

Legal Basis:
Legitimate interest (Art. 6 (1) (f) GDPR)

Legitimate Interests:
Optimization and further development of the website to increase reach and efficiency

IP Anonymization

When analyzing with Matomo, we use IP anonymization. This means that your IP address is truncated before analysis so that it can no longer be clearly assigned to you.

Hosting

We host Matomo exclusively on our own servers, ensuring that all analytical data remains with us and is not shared with third parties.

Data Transmission

We transmit the personal data of visitors to our online services for internal purposes (e.g., for internal administration or to the HR department to comply with legal or contractual obligations). Internal data transmission or disclosure occurs only to the extent necessary, in accordance with applicable data protection regulations.

Retention Period

We store the data of visitors to our online services for as long as is necessary to provide our service or as required by the European legislator or other legislators in laws or regulations to which we are subject. In all other cases, we delete personal data once the purpose has been fulfilled, except for data that we must retain to meet legal obligations (e.g., we are required by tax and commercial law retention periods to keep documents such as contracts and invoices for a certain period).

Automated Decision-Making

We do not engage in automated decision-making or profiling, pursuant to Art. 22 GDPR.

Legal Bases

The relevant legal bases primarily arise from the GDPR. These are supplemented by national laws of the member states and may be applicable together with or in addition to the GDPR.

Consent:
Art. 6 (1) (a) GDPR serves as the legal basis for processing operations for which we have obtained consent for a specific processing purpose.

Contract Fulfillment:
Art. 6 (1) (b) GDPR serves as the legal basis for processing that is necessary for the fulfillment of a contract to which the data subject is a party, or for carrying out pre-contractual measures at the request of the data subject.

Legal Obligation:
Art. 6 (1) (c) GDPR serves as the legal basis for processing that is necessary for compliance with a legal obligation.

Vital Interests:
Art. 6 (1) (d) GDPR serves as the legal basis when processing is necessary to protect the vital interests of the data subject or another natural person.

Public Interest:
Art. 6 (1) (e) GDPR serves as the legal basis for processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Legitimate Interest:
Art. 6 (1) (f) GDPR serves as the legal basis for processing that is necessary for the purposes of the legitimate interests pursued by the controller or a third party, unless the interests or fundamental rights and freedoms of the data subject, which require protection of personal data, override those interests, particularly when the data subject is a child.

Interactive Buttons

As part of our online services, we use interactive buttons to assist users in finding appropriate health information. This task is at the core of the research project. This includes support for navigating the website (e.g., a navigation quiz on the homepage) or an interactive button for the symptom area of specific disorders.

To evaluate the effectiveness of our support services, we collect usage data from the interactive buttons with the users’ consent. The disclosure of this personal data on an anonymized basis is made by the user on an expressly voluntary basis and requires explicit consent from the users for storage and processing. Generally, only the data necessary for the respective purpose will be requested. For the use of our online services in general, it is not necessary to provide personal data.

Categories of Data Subjects:
Website visitors, users of the online service

Categories of Data:
Content data (e.g., text entries), usage data (e.g., information interests), preferences and inclinations (e.g., mood, concerns)

Purposes of Processing:
Fulfillment of the research assignment of the project, website analysis, conversion measurement, evaluation of website interactions, audience analysis, increasing the efficiency of information delivery, and tailoring the information offer to the target group.

Legal Bases:
(Art. 6 (1) (a) GDPR), contract fulfillment or pre-contractual measures (Art. 6 (1) (b) GDPR), Art. 6 (1) (e) GDPR (for the performance of a task carried out in the public interest) in conjunction with Art. 6 (3) GDPR and § 4 of the State Data Protection Act of Baden-Württemberg (Landesdatenschutzgesetz Baden-Württemberg; LDSG) as well as based on the Higher Education Act of Baden-Württemberg (Landeshochschulgesetzes; LHG).

Rights of Affected Persons

Right to Information:
According to Article 15 of the GDPR, affected persons have the right to request confirmation as to whether we are processing their personal data. They can request information about this data as well as the additional information listed in Article 15(1) of the GDPR and a copy of their data.

Right to Rectification:
According to Article 16 of the GDPR, affected persons have the right to request the rectification or completion of their personal data that we process.

Right to Deletion:
Affected persons have the right under Article 17 of the GDPR to request the immediate deletion of their personal data. Alternatively, they can request the restriction of the processing of their data under Article 18 of the GDPR.

Right to Data Portability:
According to Article 20 of the GDPR, affected persons have the right to request the provision of the data they have made available to us and to request its transmission to another controller.

Right to Lodge a Complaint:
Affected persons also have the right to lodge a complaint with the competent supervisory authority in accordance with Article 77 of the GDPR.

Right to Object:
If personal data is processed on the basis of legitimate interests according to Article 6(1)(f) of the GDPR, affected persons have the right to object to the processing of their personal data under Article 21 of the GDPR, provided there are reasons arising from their particular situation or if the objection is directed against direct marketing. In the latter case, affected persons have a general right to object, which we will implement without the need to provide a specific situation.

Data Processing by a Third Party

For web analysis and optimization with Matomo, we use a server operated by:

The data you enter is processed for us by STRATO AG. All necessary technical and organizational security measures to protect your personal data from loss and misuse are implemented by us and, on our behalf, by STRATO AG. 

Revocation

Some data processing operations are only possible with the explicit consent of the affected individuals. You have the option to revoke any consent given at any time. A simple notification or email to improva@uni-ulm.de is sufficient. The legality of the data processing carried out until the revocation remains unaffected by the revocation. 

External Links

Our website contains links to the online services of other providers. We hereby point out that we have no influence on the content of the linked online services and the compliance with data protection regulations by their providers. 

Changes

We reserve the right to adjust this privacy notice at any time in response to changes in our online services and in accordance with applicable data protection regulations to ensure compliance with legal requirements.