Please contact the data protection management for:

• Organisational questions regarding data protection
• Questions about the register of processing activities
• Requests for information in accordance with Art. 15 GDPR
• Questions about training programmes
• Notification of violations

Contact the data protection officer for:

• General questions about data protection
• Confidential enquiries and/or complaints regarding data protection
• Questions about data subject rights

The abbreviation GDPR stands for a directly applicable European regulation, the "General Data Protection Regulation". Since May 2018, this has primarily regulated what must be observed when processing personal data.

The GDPR has thus largely replaced the BDSG (German Federal Data Protection Act), although the latter still contains supplementary regulations. There are also state laws that provide further supplementary regulations for data protection. For example, the NDSG (Lower Saxony Data Protection Act) and individual provisions of the NHG (Lower Saxony Higher Education Act).

The University of Oldenburg, represented by the President, isresponsible for compliance. In other words, the Presidential Board. However, all employees and students are also bound by the provisions of the GDPR if they process personal data in the course of their work at the University of Oldenburg.

In principle, personal data may only be processed until the purpose of the processing no longer applies or has been achieved. The data must then be deleted.

In the area of research, it is not always possible to determine in advance the exact purposes for which the data can still reasonably be used. Therefore, if a purpose cannot yet be specified in such concrete terms, it is advisable to set a maximum storage period of 10 years. The limit of 10 years represents recognised good academic practice.

In exceptional cases and with appropriate justification, the storage period can of course be set longer.

Please note, however, that the cessation of the purpose should always be the primary deciding factor for the deletion period of personal data.

Problem:

The controller must ensure that information on the processing of personal data is only provided to persons authorised to receive such information. The identity of the person requesting information must therefore be disclosed.

Solution:

The more sensitive the personal data, the more certain the identity of the requesting person must be. Normally, it is sufficient if the identity appears plausible. Depending on the situation, a distinction must be made as to how the identity should be (plausibly) proven.

• This can be determined in a telephone call by asking appropriate questions. For example, the date of birth, a specific assigned identifier or the student ID number can be asked.
• In a personal conversation, it should be sufficient to ask to see an official photo ID or student ID.
• In the case of written enquiries, the person should have already provided sufficient information about their own data in advance. In other words, they should have already provided relevant and specific data in their letter of motivation so that you can be sure of their identity.

Note:

Only organisational information should be given by telephone. For anything more extensive, it is strongly recommended that you provide this in writing or electronically by email.

If the processing of personal data has no other legal basis, or if it is to be based on "two legs", a declaration of consent can be used to create a legal basis.

Obtaining a declaration of consent serves to prove the voluntary nature of the declaration. It must contain sufficient information about the planned data processing so that the data subject can understand what they are consenting to.

Therefore, the declaration of consent must at least include

• Purpose of the processing
• List of the data categories

If necessary, reference can also be made to an existing, corresponding privacy policy. A so-called "media break" is also permissible here.

In the case of electronic declarations, care must be taken to ensure that an opt-out procedure is not permitted. This means that the boxes for ticking must not be pre-ticked when the page or electronic document is called up.

Once consent has been given, it can be revoked at any time.

You can find further information on preparing a declaration of consent here.

If you become aware of a data breach that poses a risk to the rights and freedoms of natural persons, you must report this to the data protection officer. data protection management immediately so that they can submit a report to the supervisory authority within 72 hours and inform those affected.

Data transfer to the USA via the EU-U.S. Data Privacy Framework (adequacy decision)

What has happened?

On 7 October 2023, the European Commission adopted a new adequacy decision for the EU-U.S. Data Privacy Framework (successor to the "Privacy Shield"), certifying an adequate level of protection for certain U.S. companies.

What does this mean?

With the new adequacy decision, it is again possible to legitimise the processing of personal data by U.S. companies without the need for further transfer instruments, such as standard data protection clauses / standard contractual clauses or additional measures, such as encryption.

The basis for the adequacy decision is a decree signed by President Biden ("Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities"). The decree provides the following for Europeans whose personal data is transferred to the USA:

• binding safeguards that limit US intelligence agencies' access to the data to what is necessary and proportionate to protect national security,
• enhanced oversight of the activities of the US intelligence community to ensure compliance with the restrictions applicable to surveillance activities; and
• the establishment of an independent and impartial appellate process, including a new privacy review tribunal, to investigate and resolve complaints about access to data by U.S. national security agencies.

However, this only applies to U.S. companies that have certified themselves in accordance with the Data Privacy Framework. Whether this has been done must be checked in advance.

The adequacy decision is not time-limited, but is continuously reviewed by the European Commission with regard to developments in the USA.

Where can I obtain further information and who can advise me?

Further information on the EU-U.S. Data Privacy Framework can be found here:

https://www.bfdi.bund.de/SharedDocs/Kurzmeldungen/DE/2023/17_Angemessenheitsbeschluss-EU-US-DPF.html

and here: https://ec.europa.eu/commission/presscorner/detail/de/qanda_23_3752

The Data Protection and Information Security Unit will be happy to advise you on the admissibility of data transfers to the USA or other third countries. The best way to contact us is by email at : dsm@uol.de

Further information on the topics of data protection and information security can be found at Working in compliance with data protection and IT security in the workplace.

For members and affiliates of the university, a comprehensive script on data protection law is available, which you can download here [on the intranet] as a PDF document along with other interesting documents on the subject of data protection:

Documents of the staff unit

Microsoft has released a new, free Outlook app for Windows 10 and 11 in addition to the classic Outlook application. This free application synchronises access data, including passwords, and emails with the Microsoft cloud. For this reason, the app may not be used for work purposes at the University of Oldenburg for information security and data protection reasons. Students are not permitted to use the app to access university email addresses. The same applies to the Outlook apps on mobile devices (Android and iOS) and Outlook 2021 on MacOS. For mobile access to emails, we recommend using the webmail function: https://webmail.uol.de or https://w.uol.de for short. This expressly does not apply to the classic Outlook application from the Microsoft Office package (Office 2016, Office 2019). You can find instructions on how to use webmail at IT services: https://uol.de/itdienste/services/groupware/outlook-web

Phishing originally referred to fishing for passwords. Nowadays, however, it usually refers to emails that are intended to deceive the reader in order to obtain confidential data.

The first version pretends to be from a known sender and aims to trick the reader into clicking on the link it contains. This link does not lead to a known website as claimed, but to a fake. If the user enters their password to log in, the attackers have achieved their goal.

In the second version, a file is sent as an attachment for the recipient to open. This file then contains a virus.

Recommendation

When you receive an email, check whether the content is plausible. Have you already had contact with the sender on the subject? Are you expecting the message or this reply? Has the sender actually promised to send you a file?

Viruses often intervene in an existing conversation and send a supposed reply in connection with a virus file.

Would the sender write to this email address?

Your bank will probably not send an email to your University of Oldenburg email address.

If an email unexpectedly asks you to log in to a website, never click on the link. Open a web browser and type in the known address yourself.

Tip: If you move the mouse pointer over a link in your email without clicking on it, you can see where the link actually leads to.

Be suspicious of files in emails. If you receive the file unexpectedly, do not open it.

And if you receive a security warning that macros are deactivated, please do not activate the virus.

By the way: If you receive suspicious emails, you are welcome to forward them to SPAM-Verdacht@uol.de!

Problem:

Email addresses are always personal data. Even if the email does not contain the first name and surname of the person concerned.

Therefore, a legal basis is always required to process email addresses within the meaning of the GDPR, i.e. to store them, send content to an email, etc.

Solution:

If you want to collect email addresses from publicly disclosed websites yourself:

Differentiate where the email data comes from.

First of all, it is important to determine whether the respective institution/office/organisation and the respective recipients are likely to have at least an imputable interest in the content of the email to be sent.

Furthermore, the potential recipients must also have at least presumably publicised their email in such a way that it can be expected that they will also be contacted regarding the respective content via this email and also have an interest in this.

If this is not the case, you need a legal basis for the processing of personal data (= here: storing and sending emails from and to "third parties" of the respective institutions). This can normally only be achieved with consent. However, you do not usually have this.

If you want to access an email address list of another institution/agency/organisation:

Clarify with the respective institution/agency/organisation whether they are allowed to pass on corresponding email address lists to you. This is usually only the case if the employees and relatives have already given their consent for their data to be passed on to third parties for the purpose of the respective content. Concrete purposes here are likely to be regular: Information offers, invitations to specialist conferences, participation in research studies, etc.

If the employees and relatives have not given their consent, you would have to ask the respective institution/body/organisation to obtain the consent of the potential recipients.

Problem:

When setting up newsletters and email distribution lists via the websites of the University of Oldenburg, there are information obligations under Article 13 GDPR. Among other things, the purpose, legal basis, duration and type of data processing and, in particular, the type of categories of personal data and much more must be stated.

Solution:

In simple cases, it is sufficient to refer to the university's privacy policy. This is the case, for example, with simple contact forms, newsletters & email distribution lists.

However, if more data is requested than is covered by the university's privacy policy, you should create your own privacy policy. If you would like advice on this, please contact the Data Protection and Information Security Unit at dsm@uol.de.

Problem:

Data protection requirements must also be taken into account when designing email distribution lists, as (at least personalised) email addresses are personal data within the meaning of the GDPR.

If an email distribution list is used in which all recipients are addressed in the "TO" or "CC" field, the recipients are visible to all other people in the distribution list. The content of the email can be used to obtain additional information about the group of addressees beyond the mere email address (e.g. if all addressees are graduates of a particular degree programme). In terms of data protection law, this is then a "transmission" to third parties, which is only permitted on the basis of a legal provision or the consent of the data subjects.

Solution:

Instead of the "AN field" or "CC field", email addresses should be entered in the "BCC field" (blind carbon copy). This makes it impossible for the addressee to recognise to whom else an email has been sent.

Your own email address is entered in the "TO field". This means that you send the email to yourself, but the recipients you have entered in the BCC field will still receive the email.

"Unsubscribe" function

You should also create and communicate with every email the option for recipients to unsubscribe from the mailing list at any time. This must be just as easy to do as it was to subscribe, i.e. regularly by a simple reply email or by clicking on an "Unsubscribe" button. The data subject must have the option of no longer receiving emails and being removed from the mailing list.

Note:

This does not apply to "setting in CC" as part of the fulfilment of official tasks in (internal) email correspondence. However, restrictive handling is also recommended here.

Problem:

The use of external cloud services (e.g. Dropbox, OneDrive), messenger services (e.g. WhatsApp) or groupware services (e.g. gmail, icloud) is often very questionable in terms of data protection law. This is due to the fact that it is often not clear at first glance which data is transmitted when using such services and which of it is encrypted or whether the providers are subject to or comply with the data protection regulations applicable in the EU.

The fact that metadata can be stored and forwarded when using messenger services such as WhatsApp and Threema is a particular cause for concern. In addition, both services may allow access to the user's contact list, which would give the services access to other people's phone numbers. Another complicating factor with Skype is that video calls are generally not encrypted.

Solution:

Only data protection-compliant cloud, messenger and groupware services should therefore be used. These include:

• NextCloud (via the university website)
• DFNconf (web and video conference with multiple participants)

Problem:

With the various options for file sharing in the university cloud (https://cs.uol.de), it can quickly happen that unauthorized persons gain access to the data by mistake or out of ignorance.

Solution:

Before sharing files, think carefully about who should have access to the files. You have the following options for controlling sharing:

• Internal sharing
  If possible, always use the "share directly with members of the University of Oldenburg" option when sharing files that are not intended for the public. This requires the recipients to log into their user account before they can access the file. This increases security and protects our data.
• Public links
  In exceptional cases, it may be necessary to create public links. However, these must be password-protected. Make sure that the password
  - is not easy to guess,
  - is provided via a second communication channel (e.g. separate e-mail or telephone).
• Limit or revoke access rights
  If possible, only grant access rights for a limited period of time. If this is not possible, regularly check the assigned access rights and shared links and revoke them as soon as access is no longer required. This helps to prevent unauthorized access to our data.
• Keep an eye on data protection
  Always be aware of what information you share. Avoid sharing confidential or sensitive data via public links. Your sense of responsibility is crucial to protect our data and minimize security risks.

Information on the cloud
The IT services provide a brief description and instructions on how to set up your personal cloud.

Contact
If you have any technical questions or uncertainties, please contact our IT services(servicedesk@uol.de) at any time. For data protection and information security queries, please contact the DISM staff unit(dsm@uol.de).

Problem:

The ECJ has ruled that operators of a Facebook "fan page" are acting in a so-called "joint controllership" with Facebook Ireland for the processing of personal data. (ECJ ruling of 5 June 2018, case reference: C-210/16). However, as the "fan page" operator has no access to the data processed by Facebook, it is unclear how it should exercise data subject rights. An agreement pursuant to Art. 26 GDPR would therefore have to be concluded between the operator of a "fan page" and Facebook, in which in particular the exercise of data subject rights is regulated. However, Facebook does not currently offer such an agreement.

In addition, when implementing the "Like" button on your own website, (personal) data of a user is transferred to Facebook (even if this user is not logged in to Facebook).

Solution:

Avoid sending data to Facebook by not implementing the "Like" button on your website or contact the university's internet coordinator regarding a data protection-compliant implementation ("two-click solution"). This also applies to the implementation of other social media services (e.g. YouTube, Twitter etc.) on university websites.

In addition, the social media services used by the university should at least include a suitable link to the university's privacy policy.

If you have any questions about the official use of social media services, please contact the staff unit.

Problem:

When making appointments via Doodle, you not only provide Doodle AG, a company based in Switzerland, with your email address and name, but also, if applicable, the business reason for the appointment. This may violate both the employer's confidentiality interests and data protection concerns. This is because the fact of whether and with whom you communicate on business is also subject to confidentiality.

Doodle also uses Google Analytics and other analysis mechanisms that enable profiling and targeted advertising.

Solution:

Appointments can also be conveniently coordinated via Microsoft Outlook, which is installed on all work computers. The data then generally remains within the university network.

Should it nevertheless be necessary to use an external service, the more data protection-friendly alternative offered by the DFN (German Research Network) at terminplaner.dfn.de should be used. Here, data transmission is encrypted, the survey can be set with a deletion date and the activities are neither analysed nor do you receive advertising.

The University management is legally responsible for protecting the personal data of its members and affiliates (and guests, if applicable), takes this responsibility very seriously and therefore prioritises the tried-and-tested DFN-Verein (German Research Network) tool, which is optimally integrated into the University's digital infrastructure, and, as a supplement in the current situation (performance difficulties at DFN), the self-hosted (operated) tools for digital communication set up by the University's IT services at short notice (see uol.de/itdienste).

On the one hand, these have the advantage that they can be "controlled" by the university itself and the (personal) data traffic does not run via third-party systems/servers, which may be contractually obliged to comply with local data protection standards (in particular those of the European General Data Protection Regulation; GDPR), but may also be subject to divergent laws of the countries in which the companies are based (e.g. the USA). On the other hand, they are integrated into the existing university systems UniCloud and Stud.IP and thus enable easy usability and, in particular, technically uncomplicated (subsequent) use of created digital content (e.g. events, seminars).

The release of third-party systems with which personal data that lies within the university's area of responsibility (can) be processed also requires a careful process of technical and (data protection) legal review, coordination with the Staff Council, the corresponding documentation required by the GDPR and the conclusion of necessary contracts and, as a rule, appropriate licensing.

In addition to the protection of personal data, the protection objectives (confidentiality, availability and integrity) of information security (especially in the case of confidential exchanges/conversations) also play a significant role here.

Many external services do not adequately fulfil the above requirements.

In addition, the university management attaches great importance to a structured approach to mobile communication. This is the only way to avoid "uncontrolled growth" in the use of communication tools and to gain valuable insights for the university's digitalisation strategy as a whole.

However, constructive and specific feedback from all users regarding the current offering is essential for this (and for planning the next steps).

Please send this to the known e-mail address: servicedesk@uol.de.

Further contacts:

If you have any questions about data protection and information security, you can also contact the Data Protection and Information Security Unit(dsm@uol.de) and (especially for confidential matters) the Data Protection Officer(dsuni@uol.de).

Problem:

Google Analytics cannot be used in compliance with data protection regulations for the following reasons:

• Missing but required user consent when accessing the website (this is difficult to obtain in compliance with data protection regulations).
• Invasion of privacy: Google Analytics collects a large amount of personal data from website visitors, including IP address(es), surfing behaviour or demographic data.
• Limited transparency: Google Analytics works like a black box and offers only limited transparency regarding its data collection methods and algorithms.
• Ownership of the data: Ownership of the data is essentially ceded to Google.

Solution:

Matomo (formerly Piwik): An open source web analytics platform that allows you to host the data on your own servers, giving you full control over your data and ensuring data protection. It is already in use at the UOL. If you have any questions, please contact servicedesk@uol.de.

IT security at the University of Oldenburg depends on each individual employee. We have therefore compiled information on the most important security risks in the workplace and how you can minimise them separately for you here.

No. Storage is insecure and passwords can be stolen. It is better to use a password safe.

There are so-called password safes for storing passwords. These are programmes that save the stored passwords in an encrypted, password-protected file. Instead of, for example, 30 passwords, you only have to remember a single password, the master password. Consider whether you want to use a different, longer password as the master password than for your university access. And don't share this master password with anyone.

The best-known password safes include the Keepass programme(keepass.info/) and its offshoot KeepassXC(keepassxc.org/).

You can also use these programmes at the University of Oldenburg to manage your passwords. Just make sure that you choose a secure, sufficiently long password for the programme. This is the only password you will need to remember. You save all other passwords in the programme and can copy them and use them to log in if necessary. The programmes also offer a password generator to create secure passwords.

The programmes mentioned are all open source and can be used free of charge.

Problem:

Photos of colleagues are taken time and time again. Whether it's a portrait photo for the company website or a group photo to present your own employees, during a meeting or at a party. Such photos are often published on the company website, i.e. on the Internet, which is generally accessible worldwide.

If the person or persons depicted in the photo have not given their consent, the taking and publication of such photos is unlawful. The persons concerned then have a right to have these photos deleted. However, the persons concerned often do not even know that a photo of them has been taken and published (especially at parties, where photos are often taken out of the situation in order to achieve a high degree of authenticity).

Solution:

Before you take any photos of colleagues, ask them in advance whether they agree to this. If you intend to ultimately publish the photos on the company website (also applies to internal organisation drives) - whether publicly or only accessible to certain people - also ask whether all colleagues pictured agree to this.

Avoid taking and, in particular, publishing photos of the situation if you have not obtained consent to do so.

Consent does not necessarily have to be given in writing, but this can be useful in the event of a dispute (a simple email is also sufficient).

Problem:

You are planning a university event at which photos are to be taken for public relations purposes (publication of photos on the university website, etc.) and are wondering how to handle this in compliance with data protection regulations?

Solution:

If you send out invitations, point out on them that photos will be taken for public relations purposes as part of the event and that these will be published (and, above all, where). The notice should also state that you should contact the photographer if you do not wish to be photographed. Contact details for further questions should also be provided. Such a notice should also be placed (if necessary additionally) on a web-based registration form. In addition, clearly visible notices of the above-mentioned type (ideally with a "camera" pictogram) should be displayed outside the premises where the event is taking place.

If portrait recordings (e.g. for interviews) are to be made during the event, please obtain consent from the persons concerned (as well as for publication). This does not necessarily have to be in writing. However, something "in writing" can be useful for documentation purposes in the event of a dispute. You can use the attached sample for written consent.

Problem:

The public posting or public display of lists or examinations with student ID numbers and student names constitutes an unlawful transfer of personal data. This is because it is possible to recognise which person has attended which course under which student ID number, taken which examination and, if applicable, passed it with which grade.

Solution:

If an electronic version of the notice, which is only accessible to the person concerned, is not possible, especially when displaying examination results with marking (e.g. in Stud.IP), the analogue notice should only be posted using the student ID number. However, this should only be done to the extent that the student ID number can only be assigned to the person behind it by authorised persons. The assignment of the student ID number to the person behind it must therefore not have been made public.

Conversely, lists of participants should only contain names and not (also) the student ID number.

Problem:

In everyday office life, many paper documents with confidential content accumulate (e.g. drafts of letters that are not kept on file, misprints of emails, etc.). Disposal via the office wastepaper basket does not ensure that third parties cannot gain unauthorised knowledge of the content.

Solution:

Paper documents with confidential content must be disposed of via the paper collection containers provided by Division 4 (more details here). Disposal on your own is only permitted if a document shredder in accordance with DIN 66399 (security level 3 or higher) is used that is suitable for the protection requirements of the documents.