Lars Galow (Management, Information Security Officer)

Christoph Wilken (Consultant)

Thorsten Kamp (Officer, Deputy Information Security Officer)

Visitor address

Ecological Centre ÖCO, 3rd floor
Uhlhornsweg 99a
26129 Oldenburg

Postal address

Carl von Ossietzky Universität Oldenburg 
Stabsstelle Datenschutz- und Informationssicherheitsmanagement
Ammerländer Heerstr. 114-118
26129 Oldenburg

Process personal data in compliance with the law

The Presidential Board is responsible under data protection law for compliance with the statutory provisions on data protection at the University of Oldenburg.

However, compliance with data protection regulations is also the obligation and responsibility of all members and associates of the university.

You can find out what you need to know to ensure compliance with data protection regulations in your everyday work on this page.

Further information can be found under Data protection principles [Intranet].

Processing personal data in compliance with the law

What is personal data?

Personal data is information relating to an identified or identifiable natural person. An "identifiable person" is someone who can be identified directly or indirectly by reference to one or more specific factors. This includes

  1. Direct identification: information such as name, date of birth, address, telephone number, student ID number, email address, user name, etc.
  2. Indirect identification: Data that can be used in conjunction with other information to identify a person. This can be, for example, location data, IP addresses, biometric data or genetic information.

It is important to note that the term "personal data" is very broad and can include many types of information. In the context of the European Union's General Data Protection Regulation (GDPR), special categories of personal data are also protected, including data relating to ethnic origin, political opinions, religious or philosophical beliefs, health or sex life. The protection of personal data is a fundamental principle of data protection and requires lawful, fair and transparent processing of this information.

What are special categories of personal data?

The special categories of personal data, also known as sensitive data, are special types of personal information whose processing is more strictly regulated under the European Union's GDPR. These categories include:

  1. "Racial" or ethnic origin: information that identifies "race" (the Data Protection and Information Security Unit expressly distances itself from this term and the ideas behind it and merely reproduces the wording of the law here) or ethnicity of a person.
  2. Political opinions: Data that reflect a person's political beliefs.
  3. Religious or philosophical beliefs: Information about a person's religious or philosophical affiliation.
  4. Trade union membership: Data revealing an individual's membership of a trade union or similar organisation.
  5. Health data: Information about a person's state of health, medical diagnoses, genetic data, information about illnesses or disabilities.
  6. Sexual life or sexual orientation data: information about an individual's sexual life or sexual orientation.

The processing of these special categories of personal data is prohibited unless one of the exceptions provided for in the GDPR applies. These exceptions include the explicit consent of the data subject, the necessity of processing for the establishment, exercise or defence of legal claims, reasons of public interest in the area of public health, and other specific legal bases intended to ensure the protection of this sensitive data. The handling of this data requires particularly high data protection standards in order to protect the privacy and fundamental rights of the data subjects.

Handling of personal data

When personal data is processed, the following handling must be ensured in particular:

  1. Lawfulness: The processing of personal data is generally prohibited by law, unless the processing can be supported by a legal basis. Possible legal bases include, for example, the performance of public tasks, the fulfilment of a contract or the consent of the data subject whose personal data is being processed.
  2. Duty to provide information: The persons whose personal data is processed must be informed in a transparent manner about the processing of their personal data.
  3. Access authorisations and data security: Strict access requirements must be implemented to ensure that only authorised persons have access to certain personal data; appropriate technical and organisational measures are taken to this end.
  4. Data minimisation and storage limitation: Only personal data that is absolutely necessary for the respective purpose may be collected and only stored for as long as is necessary to achieve this purpose. Superfluous data must be deleted regularly and as quickly as possible.
  5. Data protection impact assessment: When introducing new processing activities, the implementing organisational unit must carry out a risk assessment and, if necessary, an additional data protection impact assessment in order to evaluate possible risks to the freedoms and rights of the persons whose personal data is processed and to take appropriate protective measures.

Comply with accountability obligations

What are accountability obligations within the meaning of the GDPR?

Accountability under the GDPR refers to the obligation of organisations to demonstrate that they comply with the data protection principles under the Regulation. This means that universities and data controllers are not only obliged to comply with the data protection principles, but must also demonstrate that they do so. Accountability is intended to strengthen transparency and responsibility in the handling of personal data.

How do I fulfil the accountability obligations of the GDPR?

Fulfilling accountability obligations under the GDPR requires a systematic and documented approach to data protection. Here are some steps that need to be taken:

  1. Documentation of processing activities: When a new processing activity is introduced, a data protection form (e.g. a data protection questionnaire or procedure description) must be completed and submitted to the Data Protection and Information Security Unit. This form must specify the purpose of the processing, the categories of data subjects, the recipients of the personal data, transfers to third countries and planned deletion periods as well as the IT tools used to carry out the processing. This documentation must be checked regularly for accuracy and completeness.
  2. Documentation of security measures: Appropriate technical and organisational measures must be taken to ensure the security of personal data. These are, for example, encryption, pseudonymisation or access controls and other measures. These measures must be documented in relation to the respective data processing activity.
  3. Notification of data breaches: Any unintended or unlawful processing of personal data, for example the accidental loss, alteration, unauthorised disclosure of or unauthorised access to personal data, constitutes a personal data breach (Art. 4(12) GDPR). Every data breach must be reported immediately to the Data Protection and Information Security Unit so that further measures, including any notification of the supervisory authority within the statutory deadline, can be taken if necessary.
  4. Conclude data protection contracts: It is not uncommon for a data protection contract, e.g. with the provider of software or with a cooperating institution, to be required before personal data processing begins. The GDPR provides precise regulations for the conclusion of specific data protection contracts, which stipulate the content of the contracts. Compliance with the requirements of the GDPR must also be ensured in data protection contracts.
  5. Seek advice: If you have any questions regarding compliance with data protection and the introduction of new or updating of existing processing activities, you can seek advice from the Data Protection and Information Security Unit. To do so, please send an email with your request to the Unit. For general questions on data protection, you can also contact the Data Protection Officer for advice.

Comply with information obligations

What are the information obligations under the GDPR?

The GDPR pursues the principle of transparency. One of the most important tools for complying with this principle is compliance with information obligations. The GDPR sets out various information obligations that organisations must fulfil when they process personal data.

How do I fulfil the information obligations?

In order to fulfil the information obligations, a privacy policy must usually be drawn up first, which must contain the following aspects:

  1. Identity of the controller: you must clarify who is responsible for the data processing, i.e. who decides why and how the data is processed. This is done on the one hand by clearly naming the University of Oldenburg and on the other hand by specifying the body responsible for processing.
  2. Purpose of data processing: The GDPR requires the purpose of data processing to be transparent. Universities must explain why they collect personal data and how it is used.
  3. Legal basis for processing: You must state the legal basis on which the processing is based. This could be, for example, the consent of the data subject, the fulfilment of a contract or the protection of a legitimate interest.
  4. Data recipients: Universities must specify whether and to whom they pass on personal data, whether internally or to external third parties.
  5. Storage period: The GDPR stipulates that universities must specify the duration for which the personal data will be stored, or at least the criteria for determining this duration.
  6. Rights of data subjects: Data subjects have various rights under the GDPR, such as the right of access, rectification, erasure and objection. Universities must provide information on how these rights can be exercised.
  7. Right to lodge a complaint with the supervisory authority: Data subjects have the right to lodge a complaint with the data protection supervisory authority. The contact details of the supervisory authority should therefore be provided.

Depending on the circumstances, information must be provided on other aspects of data processing, for example, where the personal data was not obtained from the data subject but from another organisation, the source of the data and which categories of personal data were obtained from it.

Rights of data subjects

What are data subject rights within the meaning of the GDPR?

The GDPR grants data subjects whose personal data is processed various rights in order to strengthen control over their data. The rights of data subjects serve to protect the privacy and right to informational self-determination of individuals and to ensure that universities handle personal data transparently and lawfully.

What are the rights of data subjects under the GDPR?

  1. Right of access (Art. 15 GDPR): Data subjects have the right to obtain from an organisation confirmation as to whether or not personal data concerning them are being processed and, if so, access to that data and information about the processing.
  2. Right to rectification (Art. 16 GDPR): Data subjects may request the rectification of inaccurate or incomplete personal data.
  3. Right to erasure ("right to be forgotten") (Art. 17 GDPR): Data subjects have the right to request the erasure of their personal data under certain conditions, in particular if the data is no longer necessary or has been processed unlawfully.
  4. Right to restriction of processing (Art. 18 GDPR): In certain circumstances, data subjects may request the restriction of the processing of their personal data, for example during the verification of objections to the accuracy of the data.
  5. Right to data portability (Art. 20 GDPR): Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format and, if necessary, to transmit it to another controller.
  6. Right to object (Art. 21 GDPR): Data subjects may object to the processing of their personal data on grounds relating to their particular situation.
  7. Automated decision-making and profiling (Art. 22 GDPR): Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, unless there is a legal basis or the data subject has given their explicit consent.

Data protection contracts

What are data protection contracts within the meaning of the GDPR?

The GDPR contains specific requirements for the processing of personal data with multiple actors. In many cases, the GDPR stipulates that certain contracts must be concluded with third parties who are to process the personal data. Data protection contracts within the meaning of the GDPR are

  1. Data processing agreement (AVV / DPA for short) in accordance with Article 28 GDPR
  2. Agreement on joint controllership (in short: JCA) in accordance with Article 26 GDPR
  3. Standard data protection clauses / standard contractual clauses (SCC for short) in accordance with Article 46 GDPR

What is a data processing agreement?

A data processing agreement (DPA) is a written agreement between a controller and a processor in accordance with the provisions of the GDPR. This agreement sets out the conditions and modalities under which the processor may process personal data on behalf of the controller.

The GDPR stipulates that the controller must fulfil certain requirements when outsourcing the processing of personal data to a third party (the processor). The conclusion of a data processing agreement is one of these requirements.

A typical data processing agreement contains the following elements:

  1. Type and purpose of processing: clear information on what type of data is to be processed and for what purpose.
  2. Duration of processing: Specification of the period of time for which the processor is authorised to process the data.
  3. Type of personal data: Specification of the categories of personal data to be processed.
  4. Obligations of the processor: Definition of the security measures and obligations of the processor to ensure the protection of personal data.
  5. Rights and obligations of the controller: Clarification of the controller's rights and obligations in relation to processing.
  6. Possible subcontracting: Rules regarding the possible transfer of data to subcontractors and the conditions under which this is permitted.

What is a joint controllership agreement?

A joint controllership agreement (JCA) is a legal agreement between two or more independent parties who are jointly responsible for the processing of personal data. This term is enshrined in the GDPR and refers to the cooperation of several controllers when they jointly decide how and why personal data is processed.

According to Article 26 of the GDPR, controllers must enter into a joint controllership agreement that contains certain information, including

  1. The identity of the controllers: Clarification of which parties are jointly responsible for the processing.
  2. The contact details of the data protection officers: Specification of the contact details of the data protection officers, if any.
  3. The purposes and means of processing: clarification of why and how the personal data is processed.
  4. The roles and responsibilities of the parties involved: Setting out the specific roles and responsibilities of each party in relation to the data processing.
  5. The rights of the data subjects: Information on how the rights of data subjects, such as the right of access, rectification and erasure, are guaranteed.
  6. The transfer of information between controllers: Rules on how information is exchanged between controllers.

What are standard contractual clauses (SCCs)?

The standard data protection clauses, also known as standard contractual clauses or SCCs for short, are predefined contractual terms developed by the European Commission. Their purpose is to regulate the international transfer of personal data from the European Union (EU) to third countries that do not offer an adequate level of data protection.

If personal data is transferred from the EU to a third country whose level of data protection is not considered sufficiently secure, alternative mechanisms must be used to legitimise the data transfer. The standard data protection clauses are one such mechanism.

The clauses contain binding provisions for the protection of personal data and compliance with data protection principles in accordance with the GDPR. They can be inserted in contracts between the data exporter (from the EU) and the data importer (in the third country). The clauses cover various aspects, including:

  1. Data protection principles: The obligation to comply with the data protection principles set out in the GDPR.
  2. Rights of data subjects: Ensuring that the rights of data subjects are protected in accordance with the GDPR.
  3. Liability and compensation: Establishing liability rules and conditions for compensation in the event of a breach of data protection regulations
  4. Monitoring by supervisory authorities: Regulations that enable data protection authorities to monitor compliance with the clauses.

The standard data protection clauses provide appropriate safeguards for international data transfers and are used by organisations to ensure that personal data is also adequately protected outside the EU.

Data protection provisions in other contracts

In individual cases, the GDPR may not require any of the data protection contracts described above for the specific circumstances. Nevertheless, it may be helpful to include data protection provisions in other contracts that the GDPR does not prescribe. Advice in individual cases is essential for this.

Internetkoordinator (Changed: 29 May 2024)