We process the personal data of our users only to the extent necessary to provide a functioning website as well as our content and services, and we only process it with their consent or where the processing of personal data is permitted by legal regulations.

The information required by the GDPR on the purpose, type/scope, legal basis, storage period etc. can be found in the following drop-down menus.

Further information on data protection, privacy and information security at Carl von Ossietzky University Oldenburg can also be found under Data Protection and Information Security

Purpose: Required for proper provision of services/ensuring information security (e.g. identification of DoS attacks)

Type/Scope:

• Web browser type and version
• Operating system
• Website from which you are visiting us (referrer URL)
• Website you are visiting
• Date and time of access
• Your Internet Protocol (IP) address

Legal basis: Art. 6 (1)(e) GDPR in connection with Section of  the 3 Lower Saxony Data Protection Act (NDSG) and Section 3 of the Lower Saxony Higher Education Act (NHG)

Retention period: (up to) seven days

Purpose: Recognizing multiple use of our services by the same user or Internet connection holder. Optimisation of the offerings and facilitation of easier access to the websites of the Controller.

Type/scope: Cookies are small text files that your Web browser stores on your computer. Users are recognised based on the IP address stored in the cookies.

The following data is stored and transmitted in the cookies:

• Preferred font size
• Preferred contrast
• Logged on to the system (only for editing/administration)
• Expiry date

Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG

Retention period: "Session cookies", which are deleted after the end of your visit.

Note: You can prevent the installation of cookies by modifying your browser settings accordingly. However, users should be aware that they may not be able to make full use of all features of this website in this case.

In addition, cookies are also used by Matomo web analytics (see below).

Purpose: Search the Controller's web pages for content.

Type/scope: Google privacy statement: see policies.google.com/privacy?gl=de

Legal basis: Art. 6 (1)(a) GDPR - agree with sending the search query

Retention period: Google privacy statement: see policies.google.com/privacy?gl=de

Note: This is an external web page! The Controller points out to users that personal data will only be processed by Google LLC if the search function is actively used. If users do not approve of this processing of their data they should not use this feature.

Purpose: The Controller operates a so-called "fan page" as part of its public relations work on Facebook.

Type/scope: Facebook Inc. de-de.facebook.com/privacy/explanation

Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG or Art. 6 (1)(a) GDPR; Consent when visiting the website .

Retention period: See Facebook Ireland Limited privacy statement

Note: When a user visits the Controller's fan page, Facebook collects so-called "page insights". This is aggregated data that can be used by the Controller to understand how people interact with its site. Page Insights may be based on personal data collected in connection with a visit or interaction by individuals on or with the Controller's fan page and its content.

Facebook makes these "page insights" available to the Controller in anonymous form. The Controller has no way of establishing a connection with individuals regarding the page insights. The Controller uses this data in the context of public relations work to optimise the information offered.

Facebook Ireland Limited assumes primary responsibility under the GDPR for the processing of Insights Data and undertakes to comply with all obligations under the GDPR relating to the processing of Insights Data (including Articles 12 and 13, Articles 15 to 22 and Articles 32 to 34 of the GDPR). In addition, Facebook Ireland makes the essence of these page insights available to the individuals concerned.

If you have any questions about the Controller's fanpage, please contact the competent unit (see above).

Purpose: Information about offers/tasks of the Controller by means of different topic-related newsletters.

Type/scope: If you would like to receive a newsletter, we require a valid e-mail address from you and information that allows us to verify that you are the owner of that e-mail address provided or that its owner agrees to receive the newsletter. No other data will be collected. This data will only be used for newsletter dispatch purposes and is not passed on to third parties. 

When you subscribe to the newsletter, we store your IP address and the date you registered. This information is stored solely as proof in the event that an unauthorised third party uses an e-mail address to register for receiving the newsletter without the knowledge of the authorised party.

Legal basis: Art. 6 (1)(a) of the GDPR - consent with confirmation of registration for the respective newsletter.

Retention period: permanently until the newsletter is discontinued or the user cancels the subscription.

Note: You can revoke your consent to the storage of your data and your email address and its use for sending the newsletter at any time. You can cancel your subscription in the newsletters, in your profile area or by sending a notification to any of the above-mentioned contact options.

Purpose: Contacting different departments of the Controller.

Type/scope: On our website, we offer you the possibility to contact us by e-mail and/or via a contact form. In this case, the e-mail address and the information provided by the user will be stored for the purpose of processing his contact. The data is not passed on to third parties. The data collected in this way will not be integrated with data that may be collected by other components of our website.

Retention period: until the request has been dealt with.

Legal basis: Art. 6 (1)(a) GDPR - Consent by sending an e-mail or using the contact form.

Purpose: Registration for events offered by the Controller within the scope of its duties.

Type/scope: At various places on its website, the Controller provides forms you can use to register for events. Typically, your contact information and any specific personal data required for the administration of the respective event will be collected (see the corresponding registration forms or separate privacy information).

Retention period: Generally until the end of the event.

Legal basis: Art. 6 (1)(a) GDPR - Consent by sending the registration using the relevant form.

You can ask the Controller to provide confirmation as to whether it processes personal information regarding you.

If this is the case, you can ask the Controller to provide information on the following data that has actually been processed, and more.

1. The purposes for which the personal data is processed;
2. The categories of personal data processed;
3. The recipients or categories of recipients to which the information about you has been or will be disclosed;
4. The planned duration for which the personal data concerning you are stored or, if no specific information can be provided, criteria for determining the duration of the storage;
5. The existence of the right to request from the Controller rectification or erasure of personal data relating to you, a right to a restriction of processing of personal data relating to you or to object to such processing;
6. The right to lodge a complaint with a supervisory authority;
7. All information available on the origin of the data if the personal data are not collected from the data subject.

You are entitled to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.

Further information and the body responsible for such a request for information

You have the right to have your personal data corrected and/or completed by the Controller if they are incorrect or incomplete. The Controller must carry out the rectification immediately.

Under the following conditions, you may request that the processing of your personal data should be restricted:

1. If you dispute the accuracy of the personal data concerning you for a period of time which allows the Controller to verify the accuracy of the personal data;
2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
3. The Controller no longer needs the personal data for the purposes of the processing, but you require them for establishing, exercising or defending legal claims;
4. If you have lodged an objection against the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the Controller's legitimate reasons outweigh your reasons.

Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of the processing has been restricted in accordance with the above conditions, you will be informed by the Controller before the restriction is lifted.

Obligation to delete

You have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

1. The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed;
2. You withdraw your consent on which the processing was based according to Art. 6 (1)(a) or Art. 9 (2)(a), and there is no other legal ground for the processing;
3. You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
4. The personal data concerning you have been unlawfully processed;
5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
6. The personal data relating to you have been collected in relation to the offer of information society services referred to in Article 8 (1).

Information to third parties

Where the Controller has published the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform those responsible for processing the personal data that you as the data subject have requested the deletion of any links to, or copy or replication of, those personal data.

Exceptions

The right to deletion does not exist if the processing is necessary

1. for exercising the right of freedom of expression and information;
2. for complying with a legal obligation requiring processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
3. for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3);
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.

If you have exercised the right to rectification, deletion or restriction of processing vis-a-vis the Controller, the Controller shall be obliged to notify all recipients to whom the personal data related to you have been disclosed of this rectification, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You shall have the right vis-à-vis the person responsible to be informed of such recipients.

You have the right to object, on grounds relating to your particular situation, at any time, to any processing of personal data concerning you which is based on Article 6 (1)(e) or (f) of the GDPR, including profiling based on those provisions.

The Controller shall no longer process any personal data concerning you unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, or the processing serves to assert, exercise or defend legal claims.

You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

You have the right to receive the personal data concerning you that you have provided to the Controller in a structured, common and machine-readable format. You are also entitled to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:

1. the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b); and
2. the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. Freedoms and rights of other persons must not be affected by this.

The right to data transfer does not apply to processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

None.

Without prejudice to any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.

We recommend that you contact the Controller's official data protection officer (see contact details above), who is able to act independently and will work for a prompt solution to many data protection problems.

The supervisory authority responsible for the Carl von Ossietzky University of Oldenburg is:

The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5 
30159 Hannover

Telephone: 0511 120-4500
Telefax: 0511 120-4599
Email: poststelle@lfd.niedersachsen.de