Data Protection Information in accordance with Art. 13 GDPR: English Translation
(General Data Protection Regulation)
This is a translation from the German version of this text. In the case of conflict between the English and German versions, the German version shall prevail.
To whom it may concern,
The personal data of every individual who has a contractual, pre-contractual or other relationship with our company deserves specific protection. According to Articles 13 and 14 of the GDPR, companies have specific information obligations when collecting personal data. In order to fulfil our data protection obligations from 25 May 2018 onwards, we would like to draw your attention to the following details:
1. Name and contact details of the Controller
The person responsible within the meaning of the Data Protection Regulation and other national data protection laws of the member states as well as other provisions of data protection law is the Data Protection Officer:
represented by the President of the University
66123 Saarbrücken, Germany
Phone: 0681 302-0
Name and address of the data protection officer
66123 Saarbrücken, Germany
phone: 0681 302-2813
2. Purposes of data processing and legal bases (Art. 13(1)(c) GDPR)
The purpose of the processing of personal data is the handling of all processes which concern the controller, the students as data subjects in the sense of data protection law, business and cooperation partners or other contractual or pre-contractual relations between the groups mentioned (in the broadest sense) or legal obligations of the controller.
The protection of personal data is a particular concern of the Europa-Institut/Saarland University. Your data will be processed for the purpose of contacting you, carrying out and completing a study program or similar participation in academic programs. We process personal data about you particularly for the purpose of your application for a study place, insofar as this is necessary for the decision to establish a study relationship with us.
Furthermore, we may process personal data about you insofar as this is necessary to defend against legal claims asserted against us in the application process. The legal basis behind this is Art. 6(1)(f) GDPR. The legitimate interest here is, for example, the burden of proof in proceedings pursuant to the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz (AGG)).
If our company is subject to a legal obligation which requires the processing of personal data, for example to fulfil tax obligations, such processing is based on Art. 6(1)(c) GDPR. Without the provision of your data by you, it would not be possible to establish and process a contract.
The legal basis of the processing also includes:
· Your consent to the processing of personal data concerning you for one or more specific purposes (Art. 6(1)(a) GDPR); processing procedures for which the Europa-Institut/Saarland University Law Department obtains consent for a specific processing purpose.
· The necessity of fulfilling a legal obligation to which the Europa-Institut/Saarland University Law Department is subject (Art. 6(1)(c) GDPR); e.g. the fulfilment of tax obligations.
· In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and his/her name, age, health insurance data or other vital information had to be passed on to a doctor, a hospital or other third parties. The processing would then be based on Art. 6(1)(d) GDPR.
· If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (processing of personal data of litigants and other parties involved in the proceedings), which has been vested in the controller, Art. 6(1)(e) GDPR applies.
· Ultimately, processing procedures could also be based on Art. 6(1)(f) GDPR. Processing procedures which are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing procedures are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, the legislator takes the view that a legitimate interest is to be assumed if the data subject is a client of the controller (Recital 47, Sentence 2 GDPR).
3. When the processing is based on Article 6(1)(f) GDPR: the legitimate interests pursued by the controller or a third party (Art. 13(1)(d) GDPR)
If the processing of personal data is based on Art. 6(1)(f) GDPR, it is in our legitimate interest to conduct our study program in the interest of the well-being of all persons involved in our institution, in particular students, teachers and employees.
4. Recipients or categories of recipients of personal data, insofar as is necessary for the fulfilment of the task (Art. 13(1)(e) GDPR)
· Public authorities, if required to do so by law, always under the legal obligation to maintain confidentiality;
· Internal departments, insofar as this data is required by them for the proper performance of tasks;
· Service providers/processors (Art. 28 GDPR), who are involved in the proper handling of business;
· External bodies for the proper performance of the above-mentioned purposes, in compliance with the legal provisions in the case of cross-border implications;
· Banks, social insurance agencies and tax authorities (if necessary).
· If necessary for the fulfilment of the contract, the Europa-Institut Law/Saarland University Law Department may engage, among others, service providers, such as parcel and letter carriers and banks for the collection of direct debits.
Your personal data will be processed by employees within the university and at any existing home offices. These are internal departments that are involved in the execution of respective business processes. Furthermore, the university employs freelancers, employees, interns and guest students.
5. Recipients in a third country, suitable or appropriate guarantees and the possibility of obtaining a copy of these, or where they are available (Art. 13(1)(f), Art. 46(1) & (2)(c) GDPR)
In principle, data processing does not take place outside the EU or the EEA. In the context of the provision of cookies and the use of our social media plug-ins, data may be transferred to the USA. Those responsible for data protection, Google and Facebook also process your personal data in the USA and are subject to the EU-US-Privacy-Shield, www.privacyshield.gov/EU-US-Framework.
We will neither sell your personal data to third parties nor market it in any other way.
Pursuant to Art. 46(1) GDPR, the controller or a processor may only transfer personal data to a third country if the data controller or processor has provided appropriate guarantees and if the data subject has enforceable rights and effective remedies at his/her disposal. Suitable guarantees can take the form of standard data protection clauses, without requiring special approval from a supervisory authority (Art. 46(2)(c) GDPR).
The EU standard data protection clauses are agreed with all recipients from third countries before the first transfer of personal data. Consequently, appropriate safeguards, enforceable rights and effective remedies resulting from the EU standard data protection clauses are guaranteed for all processing of personal data. Anyone concerned may obtain a copy of the standard data protection clauses. The standard data protection clauses are also available in the Official Journal of the European Union (2010, L 39, p. 5-18).
6. Duration of storage (Art. 13(2)(a) GDPR)
The legislator has enacted a variety of storage obligations and periods. In addition, tax retention obligations may be relevant. After the expiry of these periods, the corresponding data is routinely erased.
If data is not affected by this, it is erased once the above-mentioned purposes cease to apply. For possible liability reasons, the data could be kept for longer in individual cases. If the legal requirements are met, the processing is restricted instead of being erased.
7. Legal or contractual provisions for the provision of personal data; necessity for the conclusion of the contract; obligation of the data subject to provide the personal data; possible consequences of non-provision (Art. 13(2)(e) GDPR)
Please be aware that the provision of personal data is, in part, required by law (e.g. in tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner).
In some cases, in order for a contract to be concluded, it may be necessary for the data subject to provide us with personal data which in turn must be processed by us. For example, the data subject is obliged to provide us with personal data if our company enters into a contract with him/her. Failure to provide personal data would mean that the contract with the data subject could not be concluded.
Prior to the provision of personal data by the data subject, the data subject may contact the controller. The latter then informs the data subject on a case-by-case basis whether the provision of personal data is required by law or the contract, or required for the conclusion of the contract, whether there is an obligation to provide the personal data and what consequences a failure to provide the personal data would have.
8. Existence of automated decision-making, including profiling in accordance with Art. 22(1) & (4) GDPR, and – at least in these cases – the provision of meaningful information on the logic involved and the scope and intended effects of such processing for the data subject (Art. 13(2)(f) GDPR)
We refrain from partaking in automatic decision-making and profiling.
9. Existence of rights of access, rectification, erasure, restriction of processing, the right to object to processing and the right of data portability (Art. 13(2)(b) GDPR)
All data subjects have the following rights:
Right of access
Every data subject has a right of access to his/her personal data. The right of access extends to all data processed by us. This right can be exercised easily and at reasonable intervals so that all data subjects are always aware of the processing of their personal data and can verify its lawfulness (recital 63 GDPR). This right arises from Art. 15 GDPR. The data subject may contact our data protection officer to exercise his/her right of access.
Right to rectification
Pursuant to Art. 16(1) GDPR, all data subjects have the right to request our company to immediately rectify any incorrect personal data concerning them if the processed personal data concerning them is incorrect or incomplete. In addition, Art. 16(2) GDPR stipulates that the data subject has the right to request the completion of incomplete personal data – also by means of a supplementary statement – taking into account the processing purposes.
Right to erasure (‘Right to be forgotten’)
a) In principle:
In accordance with Art. 17 GDPR, data subjects have the right to be erased and forgotten. You may request the data controller to erase the personal data relating to you without delay and the controller is obliged to erase this data without delay, as long as one of the following reasons applies:
· The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
· You revoke your consent on which the processing was based pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR, and there is no other legal basis for the processing.
· You file an objection against the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21(2) GDPR.
· The personal data concerning you has been processed unlawfully.
· The erasure of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
· The personal data concerning you has been collected in relation to information society services offered pursuant to Art. 8(1) GDPR.
b) Provision of information to third parties
If the data controller has disclosed the personal data concerning you to third parties, and is then obliged to erase such data pursuant to Art. 17(1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those processing such personal data that you as the data subject have requested the erasure of all links to this personal data or of copies or replications of this personal data.
The right to erasure shall not apply to the extent that processing is necessary:
· For the exercise of the freedom of expression and information;
· For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
· For the establishment, exercise or defence of legal claims.
Restriction of processing
Pursuant to Art. 18 GDPR, every data subject has a right to restriction of processing. Under the following conditions, you may request that the processing of personal data concerning you be restricted:
· If you contest the accuracy of the personal data concerning you for a period of time that enables the controller to verify the accuracy of the personal data;
· The processing is unlawful and you oppose the erasure of the personal data and instead request that the use of the personal data be restricted;
· The controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
· If you have filed an objection against the processing pursuant to Art. 21(1) GDPR and it has not yet been determined whether the legitimate grounds of the controller override your reasons.
If the processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the processing restriction has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to object
Furthermore, Art. 21 GDPR guarantees the right to object. You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Right to data portability
Art. 20 GDPR grants the data subject a right to data portability. According to this provision, the data subject has the right, under the conditions set out in Art. 20(1)(a) & (b) GDPR, to receive the personal data concerning him/her which he/she has provided to the controller in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the controller. The data subject can exercise the right to data portability via our data protection officer.
The right to portability shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
10. The right to revoke consent at any time without prejudice to the lawfulness of the processing carried out on the basis of the consent until revocation, provided that the processing is based on Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR (Art. 13(2)(c) GDPR)
If the processing of personal data is based on Art. 6(1)(a) GDPR, which is the case if the data subject has given consent to the processing of personal data concerning him/her for one or more specific purposes, or if the processing is based on Article Art. 9(2)(a) GDPR, which regulates the express consent to the processing of special categories of personal data, the data subject has the right to revoke his/her consent at any time pursuant to Art. 7(3), Sentence 1 GDPR.
The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation (Art. 7(3), Sentence 2 GDPR). The revocation of consent must be as easy as the giving of consent (Art. 7(3), Sentence 4 GDPR). Therefore, the withdrawal of consent may always take place in the same way as the consent was given or in any other way that the data subject considers to be easier. If the data subject wishes to revoke a consent given to us, a simple e-mail to our data protection officer is sufficient. Alternatively, the data subject may choose any other way of informing us of his/her revocation of consent.
11. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State in which you are domiciled, your place of work or the place where the alleged infringement occurred, if you consider that the processing of personal data relating to you is in breach of the DPA.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 DSGVO.
The supervisory authority responsible for Saarland University is the
Unabhängiges Datenschutzzentrum Saarland
Die Landesbeauftragte für Datenschutz und Informationsfreiheit
Tel.: 0681 94781-0
Saarland University points out that the online offer is subject to constant development and change. This circumstance makes it necessary to adapt the data protection declaration to such changes and further developments. You should therefore read the data protection statement regularly to keep yourself informed about changes regarding the processing of your personal data. If the changes require a cooperative action on your part, we will inform you of this.