Data privacy statement
- Data protection officer
This document is intended to inform the users of the central web pages of Carl von Ossietzky University Oldenburg (hereinafter referred to as "web pages") about the purposes, type, scope and legal basis of the processing of personal data in connection with the use of the web pages and thus constitutes, among other things, the information required pursuant to Article 13 of the European General Data Protection Regulation (GDPR) for those affected by data processing.
The Controller within the meaning of Article 4 (7) and (24) of the GDPR is
Carl von Ossietzky University Oldenburg, a public corporation,
represented by its President.
Address: Ammerländer Heerstr. 114-118, 26129 Oldenburg
Telephone: +49 441 798-0
Telefax: +49 441 798-3000
Carl von Ossietzky Universität Oldenburg
Press & Communication
Ammerländer Heerstr. 114-118
Telephone: +49 (0)441 798-5446
Telefax: +49 (0)441 798-5545
Data protection officer
Carl von Ossietzky University of Oldenburg
- The Data Protection Officer -
Ammerländer Heerstr. 114 - 118
Phone: +49-441-798 4196
We process the personal data of our users only to the extent necessary to provide a functioning website as well as our content and services, and we only process it with their consent or where the processing of personal data is permitted by legal regulations.
The information required by the GDPR on the purpose, type/scope, legal basis, storage period etc. can be found in the following drop-down menus.
Further information on data protection, privacy and information security at Carl von Ossietzky University Oldenburg can also be found under Data Protection and Information Security
Purpose: Required for proper provision of services/ensuring information security (e.g. identification of DoS attacks)
- Web browser type and version
- Operating system
- Website from which you are visiting us (referrer URL)
- Website you are visiting
- Date and time of access
- Your Internet Protocol (IP) address
Legal basis: Art. 6 (1)(e) GDPR in connection with Section of the 3 Lower Saxony Data Protection Act (NDSG) and Section 3 of the Lower Saxony Higher Education Act (NHG)
Retention period: (up to) seven days
Purpose: Recognizing multiple use of our services by the same user or Internet connection holder. Optimisation of the offerings and facilitation of easier access to the websites of the Controller.
Type/scope: Cookies are small text files that your Web browser stores on your computer. Users are recognised based on the IP address stored in the cookies.
The following data is stored and transmitted in the cookies:
- Preferred font size
- Preferred contrast
- Logged on to the system (only for editing/administration)
- Expiry date
Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG
Retention period: "Session cookies", which are deleted after the end of your visit.
Note: You can prevent the installation of cookies by modifying your browser settings accordingly. However, users should be aware that they may not be able to make full use of all features of this website in this case.
In addition, cookies are also used by Matomo web analytics (see below).
Purpose: Analyse user behaviour on the websites to optimise the information provided by the Controller on its tasks (and how it performs them) as well as for statistical purposes.
Type/scope: Matomo uses "cookies", which are text files placed on the user's computer, to help the website analyse how users use the site. The information generated by the cookie about the use of this offer is stored exclusively by the Controller and is not passed on to third parties. The IP address is anonymised immediately after processing and before it is stored. The following data will be collected:
- Two bytes of the IP address of the calling system (i.e. the user's system)
- The website accessed
- The website from which the user accessed the called website (referrer)
- The subpages accessed from the called web page
- The time spent on the website
- Frequency of access to the website
Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG (if necessary)
Retention period: Permanently in anonymous form
If you do not want the data regarding your visit to be stored or evaluated, you can object to such storage or use with a single click of the mouse at any time. This means that a so-called opt-out cookie is stored in your web browser, causing Matomo to stop collecting data about your visit. Please note that should you delete the cookies in your browser settings, this may result in the opt-out-cookie being deleted by Matomo and possibly having to be reactivated by you.
Purpose: Search the Controller's web pages for content.
Type/scope: Google privacy statement: see https://policies.google.com/privacy?gl=de
Legal basis: Art. 6 (1)(a) GDPR - agree with sending the search query
Retention period: Google privacy statement: see https://policies.google.com/privacy?gl=de
Note: This is an external web page! The Controller points out to users that personal data will only be processed by Google LLC if the search function is actively used. If users do not approve of this processing of their data they should not use this feature.
Purpose: The Controller operates a so-called "fan page" as part of its public relations work on Facebook.
Type/scope: Facebook Inc. https://de-de.facebook.com/privacy/explanation
Legal basis: Art. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG or Art. 6 (1)(a) GDPR; Consent when visiting the website .
Retention period: See Facebook Ireland Limited privacy statement
Note: When a user visits the Controller's fan page, Facebook collects so-called "page insights". This is aggregated data that can be used by the Controller to understand how people interact with its site. Page Insights may be based on personal data collected in connection with a visit or interaction by individuals on or with the Controller's fan page and its content.
Facebook makes these "page insights" available to the Controller in anonymous form. The Controller has no way of establishing a connection with individuals regarding the page insights. The Controller uses this data in the context of public relations work to optimise the information offered.
Facebook Ireland Limited assumes primary responsibility under the GDPR for the processing of Insights Data and undertakes to comply with all obligations under the GDPR relating to the processing of Insights Data (including Articles 12 and 13, Articles 15 to 22 and Articles 32 to 34 of the GDPR). In addition, Facebook Ireland makes the essence of these page insights available to the individuals concerned.
If you have any questions about the Controller's fanpage, please contact the competent unit (see above).
Purpose: The Controller operates online presences on Twitter, Linkedin and Youtube to inform the public about the fulfilment of its duties (see Section 3 (1)(10) NHG).
- Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
- Privacy statement: https://twitter.com/de/privacy
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active
- LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Irland)
- Privacy statement: https://www.linkedin.com/legal/privacy-policy
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active
- Google/ YouTube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
- Privacy statement: https://policies.google.com/privacy
- Privacy Shield: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
Legal basis: AArt. 6 (1)(e) GDPR in conjunction with Section 3 NDSG and Section 3 NHG or Art. 6 (1)(a) GDPR; Consent when visiting the website.
Retention period: see the corresponding privacy statements of the above providers.
Note:These are external offers by the above-mentioned providers. The Controller points out that when visiting these profiles, personal user data may be processed outside the European Union, possibly resulting in lower privacy levels. If you have any privacy concerns, do not visit these profiles.
The corresponding data processing is carried out by the external operators of these social networks and on the basis of their privacy statements. Please inform yourself there about the corresponding processing modalities.
With respect to requests for information and assertion of rights, we point out that these should best be asserted directly with the operators of social networks, as only they have access to user data and can act accordingly. On request, we can assist you in exercising your rights by making an identical request.
Purpose: Information about offers/tasks of the Controller by means of different topic-related newsletters.
Type/scope: If you would like to receive a newsletter, we require a valid e-mail address from you and information that allows us to verify that you are the owner of that e-mail address provided or that its owner agrees to receive the newsletter. No other data will be collected. This data will only be used for newsletter dispatch purposes and is not passed on to third parties.
When you subscribe to the newsletter, we store your IP address and the date you registered. This information is stored solely as proof in the event that an unauthorised third party uses an e-mail address to register for receiving the newsletter without the knowledge of the authorised party.
Legal basis: Art. 6 (1)(a) of the GDPR - consent with confirmation of registration for the respective newsletter.
Retention period: permanently until the newsletter is discontinued or the user cancels the subscription.
Note: You can revoke your consent to the storage of your data and your email address and its use for sending the newsletter at any time. You can cancel your subscription in the newsletters, in your profile area or by sending a notification to any of the above-mentioned contact options.
Purpose: Contacting different departments of the Controller.
Type/scope: On our website, we offer you the possibility to contact us by e-mail and/or via a contact form. In this case, the e-mail address and the information provided by the user will be stored for the purpose of processing his contact. The data is not passed on to third parties. The data collected in this way will not be integrated with data that may be collected by other components of our website.
Retention period: until the request has been dealt with.
Legal basis: Art. 6 (1)(a) GDPR - Consent by sending an e-mail or using the contact form.
Purpose: Registration for events offered by the Controller within the scope of its duties.
Type/scope: At various places on its website, the Controller provides forms you can use to register for events. Typically, your contact information and any specific personal data required for the administration of the respective event will be collected (see the corresponding registration forms or separate privacy information).
Retention period: Generally until the end of the event.
Legal basis: Art. 6 (1)(a) GDPR - Consent by sending the registration using the relevant form.
When your personal data are processed, you are a data subject within the meaning of the GDPR and are as such entitled to the following rights vis-à-vis the Controller. To exercise your rights, please contact the relevant department (see above for contact details), unless another contact person is expressly indicated.
You can ask the Controller to provide confirmation as to whether it processes personal information regarding you.
If this is the case, you can ask the Controller to provide information on the following data that has actually been processed, and more.
- The purposes for which the personal data is processed;
- The categories of personal data processed;
- The recipients or categories of recipients to which the information about you has been or will be disclosed;
- The planned duration for which the personal data concerning you are stored or, if no specific information can be provided, criteria for determining the duration of the storage;
- The existence of the right to request from the Controller rectification or erasure of personal data relating to you, a right to a restriction of processing of personal data relating to you or to object to such processing;
- The right to lodge a complaint with a supervisory authority;
- All information available on the origin of the data if the personal data are not collected from the data subject.
You are entitled to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you can request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
Further information and the body responsible for such a request for information
You have the right to have your personal data corrected and/or completed by the Controller if they are incorrect or incomplete. The Controller must carry out the rectification immediately.
Under the following conditions, you may request that the processing of your personal data should be restricted:
- If you dispute the accuracy of the personal data concerning you for a period of time which allows the Controller to verify the accuracy of the personal data;
- The processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- The Controller no longer needs the personal data for the purposes of the processing, but you require them for establishing, exercising or defending legal claims;
- If you have lodged an objection against the processing pursuant to Art. 21 (1) GDPR and it has not yet been determined whether the Controller's legitimate reasons outweigh your reasons.
Where processing of the personal data concerning you has been restricted, such data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If the restriction of the processing has been restricted in accordance with the above conditions, you will be informed by the Controller before the restriction is lifted.
Obligation to delete
You have the right to obtain from the Controller the erasure of personal data concerning him or her without undue delay and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
- The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed;
- You withdraw your consent on which the processing was based according to Art. 6 (1)(a) or Art. 9 (2)(a), and there is no other legal ground for the processing;
- You object to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
- The personal data concerning you have been unlawfully processed;
- The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the Controller is subject;
- The personal data relating to you have been collected in relation to the offer of information society services referred to in Article 8 (1).
Information to third parties
Where the Controller has published the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase the personal data, the Controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform those responsible for processing the personal data that you as the data subject have requested the deletion of any links to, or copy or replication of, those personal data.
The right to deletion does not exist if the processing is necessary
- for exercising the right of freedom of expression and information;
- for complying with a legal obligation requiring processing by Union or Member State law to which the Controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health in accordance with Article 9 (2) (h) and (i) as well as Article 9 (3);
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) GDPR in so far as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
- for the establishment, exercise or defence of legal claims.
If you have exercised the right to rectification, deletion or restriction of processing vis-a-vis the Controller, the Controller shall be obliged to notify all recipients to whom the personal data related to you have been disclosed of this rectification, deletion or restriction of processing, unless this proves impossible or involves a disproportionate effort.
You shall have the right vis-à-vis the person responsible to be informed of such recipients.
You have the right to object, on grounds relating to your particular situation, at any time, to any processing of personal data concerning you which is based on Article 6 (1)(e) or (f) of the GDPR, including profiling based on those provisions.
The Controller shall no longer process any personal data concerning you unless the Controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims, or the processing serves to assert, exercise or defend legal claims.
You have the right to revoke your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
You have the right to receive the personal data concerning you that you have provided to the Controller in a structured, common and machine-readable format. You are also entitled to transmit those data to another Controller without hindrance from the Controller to which the personal data have been provided, where:
- the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) GDPR or on a contract pursuant to Article 6 (1) (b); and
- the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. Freedoms and rights of other persons must not be affected by this.
The right to data transfer does not apply to processing of personal data required for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Without prejudice to any other administrative or judicial remedy, you are entitled to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78 of the GDPR.
We recommend that you contact the Controller's official data protection officer (see contact details above), who is able to act independently and will work for a prompt solution to many data protection problems.
The supervisory authority responsible for the Carl von Ossietzky University of Oldenburg is:
The State Commissioner for Data Protection of Lower Saxony
Telephone: 0511 120-4500
Telefax: 0511 120-4599