Lars Galow (Head of section, Information Security Officer)

Christoph Wilken (Advisor)

Thorsten Kamp (Advisor, Deputy Information Security Officer)

Visitor address

Ökocentrum ÖCO, 3rd floor
Uhlhornsweg 99a
26129 Oldenburg

Postal address

Carl von Ossietzky University Oldenburg
Data Protection and Information Security Management
Ammerländer Heerstr. 114-118
26129 Oldenburg

FAQ: Data Protection and Information Security

Data protection is an increasingly important issue. But the security of information in general is also an important concern for the university. However, the subject matter is also quite complex. For this reason, you will find an overview of the most important questions and their answers regarding data protection and information security in relation to typical activities at Carl von Ossietzky University Oldenburg.

For more in-depth information, you can also read the data protection basics.

Why was the external accessibility of RDP and IPMI switched off?

In the past, various servers and clients of the University of Oldenburg were accessible from the internet via administrative interfaces (RDP and IPMI). As these procedures posed a security risk for the University of Oldenburg, we have, among other things, blocked access from outside in accordance with the recommendations of the Federal Office for Information Security (BSI).

External access to a computer via RDP (Windows Remote Desktop Protocol) is only possible after prior dial-in via VPN access. This means that employees can still access their workstations.

External access to IPMI will no longer be possible in future.

Technical background


For server systems, access via IPMI (Intelligent Platform Management Interface) is active in various cases. This is an out-of-band management interface that is used across manufacturers. Via this management interface it is possible, among other things, to change the server configuration, install new software or even a new operating system.

IPMI is also available when the server is switched off. The interface used is permanently installed in the mainboard of the system used and thus allows access to the system bypassing all security measures of the operating system. The protection of IPMI is only possible to a limited extent and is therefore usually achieved by limiting access on the network side. In the past, there have been repeated reports about the vulnerability of IPMI.


The situation is similar with workstations. In some cases, they can be accessed from the internet via RDP (Remote Desktop Protocol). This is a remote access option to a Windows computer. This function is occasionally used by staff or students to enable remote access to a workstation.

Systems that can be accessed via RDP are regularly attacked. The GoldBrute botnet attacked up to 1.5 million systems in 2019. Among the best-known and most serious vulnerabilities were BlueKeep and DejaBlue.

The German Federal Office for Information Security (BSI) recommends:

"In general, the RDP service should be deactivated when there is no need for it. If RDP is used, connections from outside should - if possible - be restricted to certain network areas or addresses. In addition, it is a good idea to log RDP logins and check them regularly for security-relevant anomalies.

News: ECJ overturns EU-US Privacy Shield (Schrems II)

Data transfers to the USA have no longer been privileged since 16.07.2020

What happened? In its judgment of 16.07.2020 in Case 311/18, the ECJ declared the European Commission's adequacy decision (Implementing Decision 2016/1250) of 12.07.2016 invalid.

Judgment of the ECJ | Press release

What does this mean? An adequacy decision of the European Commission is binding. Until now, personal data transfers to US companies were therefore unobjectionable, provided that these companies had certified themselves under the EU-US Privacy Shield. Since the European Commission's adequacy decision no longer applies, this can no longer be assumed. The USA is once again a so-called "third country" without an adequacy decision. Data transfers to companies and institutions in the USA that were covered by the EU-US Privacy Shield are no longer privileged. Consequently, every US company and every US institution must be examined separately under data protection law before data may be transferred to it. To enable the transfer of personal data, so-called "Standard Contractual Clauses" (SCC), which have also been issued by the European Commission, must be agreed.

Where can I find standard contractual clauses? The standard contractual clauses in international data traffic can be found here:

A distinction is made here between:

  • Standard contractual clauses for the transfer of personal data to third countries.
  • Alternative standard contractual clauses for transfers to third countries
  • Standard contractual clauses for the transfer of personal data to processors in third countries.

In its recent ruling, the ECJ confirmed the validity of the latter standard contractual clauses.

Where can I get more information, and who can advise me on these issues? Further information on the EU-US Privacy Shield can be found here:

Further information on the admissibility of international data transfers under data protection law can be found here:

The Data Protection and Information Security Management Unit will be happy to advise you on the admissibility of data transfers to the USA or other third countries. The best way to reach us is by e-mail at:

Why does the university currently not allow tools from external providers (such as Microsoft Teams, Skype, Zoom, etc.) for digital communication?

The university management is legally responsible for the protection of the personal data of its members and affiliates (and, if applicable, also guests), takes this responsibility very seriously and therefore gives first priority to the tried and tested tool of the DFN-Verein (German Research Network), which is integrated into the university's digital infrastructure in the best possible way, and, as a supplement in the current situation (performance difficulties at the DFN), to the self-hosted (operated) tools for digital communication set up at short notice by the university's IT services (see

On the one hand, these have the advantage that they can be "controlled" by the university itself and the (personal) data traffic does not run through the systems/servers of third parties, who can contractually commit to complying with the local data protection standards (especially those of the General Data Protection Regulation, GDPR/DSGVO) but may also be subject to divergent laws of the countries in which they are based (e.g. the USA). On the other hand, they are integrated into the existing university systems UniCloud and Stud.IP and thus enable easy usability and, in particular, technically uncomplicated (post-)use of created digital content (e.g. events, seminars).

The release of third-party systems with which personal data that lie within the university's area of responsibility are (or can be) processed also requires a careful process of technical and (data protection) legal examination, coordination with the staff council, the corresponding documentation required by the GDPR and the conclusion of the necessary contracts as well as, as a rule, corresponding licensing.

In addition to the protection of personal data, the protection goals (confidentiality, availability and integrity) of information security (especially in the case of confidential exchanges/conversations) also play a significant role here.

Many external offers only inadequately meet the above-mentioned requirements.

Furthermore, the university management attaches great importance to a structured approach to mobile communication. This is the only way to avoid a "proliferation" in the use of communication tools and to gain valuable insights for the university's digitisation strategy as a whole.

However, for this (and for planning further action), constructive and concrete feedback from all users regarding the current offering is essential.

Please send this to the known e-mail address:

Further contact persons:

If you have any questions about data protection and information security, you are also welcome to contact the Data Protection and Information Security Unit and (especially for confidential matters) the Data Protection Officer.


Who can I contact if I have a question?

Contact the for:

  • Organisational questions regarding data protection
  • Questions about the register of processing activities
  • Information requests according to Art. 15 DSGVO
  • Questions about training offers
  • Notification of violations

Contact the with:

  • General questions about data protection
  • Confidential enquiries and/or complaints regarding data protection
  • Questions about data subjects' rights

What is the GDPR and who is responsible for compliance?

The abbreviation GDPR stands for a directly applicable European regulation, the "General Data Protection Regulation". Since May 2018, it has primarily regulated what must be observed when processing personal data.

The GDPR (German: DSGVO) has thus largely replaced the BDSG (Federal Data Protection Act), which, however, still contains supplementary regulations. In addition, there are state laws with further supplementary data protection regulations, for example the NDSG (Lower Saxony Data Protection Act) and individual provisions of the NHG (Lower Saxony Higher Education Act).

The Carl von Ossietzky University Oldenburg, represented by the President (i.e. the Presidential Board), is responsible for compliance. However, all employees and students are also bound by the regulations of the GDPR if they process personal data in the course of their work at Oldenburg University.

What is personal data?

According to Art. 4 of the GDPR, personal data is any information that relates to an identified or identifiable person.

Personal data is therefore present if a reference to a specific person can be drawn from the data or from a combination of data, whether directly or indirectly.

Typical personal data are: Name, email, matriculation number, address, IP addresses, etc.

For more information on what personal data is and what the different categories of personal data are, see here.

When may I process personal data?

According to the GDPR, personal data may only be processed if there is a legal basis for it. Which legal bases exist is regulated in particular in Art. 6 (1) GDPR.

The most important legal bases are consent (Art. 6 para. 1 lit. a GDPR) and the performance of public duties by the University (Art. 6 para. 1 lit. e GDPR).

Furthermore, so-called "data subjects", i.e. those whose personal data is processed, must be informed about the data processing at the latest when the data is collected.

In addition, a so-called "register of processing activities" must be kept.

How long may I store the data?

In principle, personal data may only be processed until the purpose of the processing no longer applies or has been achieved. After that, the data must be deleted.

In the field of research, it is not always possible to determine in advance exactly for which purposes the data can still reasonably be used. Therefore, if a purpose cannot yet be stated so concretely, it is advisable to set the duration of storage to a maximum of 10 years. The limit of 10 years represents recognised good scientific practice.

In exceptional cases and with appropriate justification, the duration of storage can of course be set longer.

Please note, however, that it is always primarily the cessation of the purpose that should be decisive for the deletion period of the personal data.

What is the difference between anonymisation and pseudonymisation?

Anonymised data are not subject to the provisions of the GDPR. In principle, they can be freely processed without the consent of a person or a specific legal basis.

Contrary to what the word suggests, data is not already anonymised when names are no longer mentioned. Rather, in the legislator's understanding, anonymised data must no longer allow any reference to a person to be established.

Data is pseudonymised when it can no longer be assigned to a specific person without additional information. This can be achieved in particular by replacing the name of the person concerned with an identifier.

Aggregated data is data that has been combined from different persons, creating a "data group". Such data can also no longer be traced to a specific person, but is not necessarily anonymised for that reason.

  • More detailed information on personal data
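As an added illustration of the three terms (not from this FAQ and not a university procedure), the following Python example replaces names with a keyed identifier, keeps the name-to-identifier table as the separate "additional information" that pseudonymisation relies on, and then checks whether an aggregation by degree programme and year still produces groups so small that they point at individual persons. The records are fictitious; the key handling and the minimum group size of three are assumptions, and the small-group check is a general re-identification criterion that goes beyond the page's wording.

```python
"""Added example: pseudonymisation with a keyed hash, plus a check whether
aggregated groups are so small that they still single out individuals.
The records are fictitious, the key handling and the minimum group size
are assumptions, not a university procedure."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed records about fictitious persons.
RECORDS = [
    {"name": "A. Example", "programme": "Physics", "year": 2019, "grade": 1.7},
    {"name": "B. Muster", "programme": "Physics", "year": 2019, "grade": 2.3},
    {"name": "C. Test", "programme": "Biology", "year": 2020, "grade": 1.3},
]


def make_key():
    """The secret key is the 'additional information': whoever holds it can re-identify."""
    return secrets.token_bytes(32)


def pseudonym(name, key):
    """Deterministic identifier for a name; without the key it cannot be recomputed."""
    return hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Replace the name with an identifier; the name-to-identifier table is
    returned separately and must be stored apart from the data."""
    table = {}
    out = []
    for rec in records:
        pid = pseudonym(rec["name"], key)
        table[rec["name"]] = pid
        out.append({"id": pid, **{k: v for k, v in rec.items() if k != "name"}})
    return out, table


def aggregate(records, attributes):
    """Count records per combination of attributes, e.g. (programme, year)."""
    return Counter(tuple(rec[a] for a in attributes) for rec in records)


def small_groups(counts, k=3):
    """Combinations with fewer than k members: the 'data group' still points
    at very few people, so the aggregate is not anonymous in a useful sense."""
    return {group: n for group, n in counts.items() if n < k}


if __name__ == "__main__":
    key = make_key()
    data, table = pseudonymise(RECORDS, key)
    print(data)          # no names, only identifiers
    print(table)         # keep this separately, under access control
    print(small_groups(aggregate(RECORDS, ("programme", "year"))))
```

The pseudonymised records and the table must live in different places with different access rights; as long as the table (or the key) exists, the data remains pseudonymised rather than anonymised. The group check shows why aggregation alone is not anonymisation: a "Biology 2020" group of one still identifies that one graduate.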

Do I have information obligations and how do I implement them?

The introduction of the GDPR has extended the information and disclosure obligations for data subjects.

A "checklist" can be found in Art. 13 and Art. 14 of the GDPR.

The data subjects must be comprehensively informed at the latest when the data is collected. The instruments of the data protection declaration or, if applicable, the declaration of consent can be used for this purpose.

According to Art. 12 GDPR, data subjects must be informed "in a precise, transparent, comprehensible and easily accessible manner, using clear and plain language".

In particular, the data subject must be informed about:

  • the categories of data processed
  • the purpose of the processing
  • the legal basis
  • the data subject's rights
  • the duration of storage
  • the deletion periods
  • disclosure to third parties
  • use for other purposes and the associated renewed information in the form of a data protection declaration or declaration of consent

What rights does a data subject have?

The data subject has in particular the following rights:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 19 GDPR)
  • Right to object (Art. 21 GDPR)
  • (in the case of consent) right of withdrawal (Art. 7(3) GDPR)
  • Right to complain to a supervisory authority (Art. 77 GDPR)

You can find more detailed information on the rights of data subjects here.

What do I have to bear in mind when making a declaration of consent?

If the processing of personal data has no other legal basis, or if it is to be placed on "two legs", a legal basis can be created with a declaration of consent.

The purpose of obtaining a declaration of consent is to be able to prove that consent was given voluntarily. It must contain sufficient information about the intended data processing so that the data subject can understand what he or she is consenting to.

Therefore, the declaration of consent shall at least include:

  • Purpose of the processing
  • List of categories of data

If necessary, reference can also be made to an already existing, corresponding data protection declaration. A so-called "media break" is also permissible here.

In the case of electronic declarations, note that a so-called opt-out procedure is not permissible. This means that the box to be ticked must not be pre-ticked when the page or electronic document is opened.

Once consent has been given, it can be revoked at any time.

You can find further information on how to make a declaration of consent here.

What is commissioned processing (order processing)?

If data is not processed by the data controller itself, but by using the services of a third party, this is referred to as "commissioned processing".

For this purpose, a separate agreement must be concluded between the data controller as the commissioning party and the third party as the commissioned party (processor).

You can find more details on this here.

What to do in the event of a breach of data protection regulations? (Data breach)

If you notice a data breach that poses a risk to the rights and freedoms of natural persons, you must report this to the immediately so that they can submit a report to the supervisory authority within 72 hours and inform the data subjects.

Is there anywhere I can read about this?

We have written a script for members and affiliates of the University to teach them the basics of data protection law.

You can download it here [on the intranet] in PDF format:

Documents of the Staff Office


Further questions from the practice

Taking and publishing photographs of employees


Photos of colleagues are taken again and again, whether a portrait photo for the official website, a group photo to present one's own staff, or a snapshot during a meeting or at a celebration. It is not uncommon for such photos to be published on the official website, which is basically accessible worldwide.

Unless the person(s) depicted in the photo have given their consent, the production and publication of such photos is unlawful. The persons concerned then have a right to have these photos deleted. Often, however, the persons concerned do not even know that a photo has been taken of them and published (especially at parties, where photos are often taken out of the situation in order to achieve a high degree of authenticity).


Before taking any photos of colleagues, ask them if they agree. If you intend to publish the photos on the official website (also applies to internal organisational drives) - either publicly or only for certain persons - also ask whether all the colleagues pictured agree.

Avoid taking and especially publishing photos out of the situation if you have not obtained consent to do so.

Consent does not have to be given in writing, but this can be useful in case of dispute (a simple email is also sufficient).

Taking (and publishing) photos at events


You are planning a university event at which photos are to be taken for public relations purposes (publication of photos on the university website, etc.) and are wondering how to deal with this in accordance with data protection regulations?


If you send out invitations, point out on them that photos will be taken for public relations purposes and that they will be published (and in particular where). The notice should also state that anyone who does not wish to be photographed should contact the photographer. In addition, contact details should be given for further questions. Such a notice should also be placed (additionally, if necessary) on a web-based registration form. Clearly visible notices of the above kind (ideally with a "camera" pictogram) should also be placed in front of the premises where the event is taking place.

If portrait recordings (e.g. for interviews) are to be made during the event, please obtain the consent of the persons concerned for this (as well as for publication). This does not necessarily have to be in writing. However, something "in writing" can be useful for documentation purposes in the event of a dispute. You can use the attached sample for a written consent.

Use of social media accounts for an institute


The ECJ has ruled that operators of a Facebook "Fanpage" act in a so-called "joint responsibility" with Facebook Ireland for the processing of personal data. (ECJ judgment of 5 June 2018, ref.: C-210/16). However, since the "fan page" operator has no access to the data processed by Facebook, it is unclear how it should exercise data subject rights. Therefore, an agreement pursuant to Art. 26 GDPR would have to be concluded between the operator of a "fan page" and Facebook, in which in particular the exercise of the data subject rights is regulated. However, Facebook does not currently offer such an agreement.

Furthermore, when implementing the "Like" button on one's own website, (personal) data of a user is transferred to Facebook (even if this user is not logged in to Facebook at all).


Avoid sending data to Facebook by not implementing the "Like" button on your website or contact the university's regarding a data protection-compliant implementation ("two-click solution"). This also applies to the implementation of other social media services (e.g. Youtube, Twitter, etc.) on university websites.

In addition, the University's privacy policy should at least be appropriately linked in the social media services used by the University.

If you have any questions about the use of social media services for official purposes, please contact the .


Exercise of the data subject's right to information


The controller must ensure that information about the processing of personal data is only provided to persons authorised to provide information. The identity of the person requesting information must therefore be disclosed.


The more sensitive the personal data, the more certain the identity of the person requesting information must be. Normally, it is sufficient if the identity appears plausible. Depending on the situation, a distinction must be made as to how the identity is to be (plausibly) proven.

  • In a telephone call, this can be determined by asking appropriate questions. For example, the date of birth, a certain assigned identifier or the matriculation number can be asked.
  • In a personal conversation, it should be sufficient to have the official photo ID or a student ID shown.
  • In the case of written enquiries, the person should already have provided sufficient information about his or her own data in advance. They should therefore already have given relevant and concrete data in their initial letter, so that one can be sure of their identity.


Only organisational information should be given by telephone. For anything further, it is strongly recommended to give it in writing or electronically by e-mail.

Notices with personal data


The public posting or public display of lists or examinations with matriculation numbers and names of students constitutes an unlawful transfer of personal data. This is because it is possible to identify which person attended which course under which matriculation number, took which examination and, if applicable, passed it with which grade.


If an electronic version of the posting that is accessible only to the person concerned is not possible, especially when posting examination results with grades (for example in Stud.IP), the analogue posting should only be carried out using the matriculation number. However, this is only acceptable to the extent that the matriculation number can be assigned to the person behind it only by authorised persons. The assignment of the matriculation number to the person must therefore not have been made public.

Conversely, lists of participants should only contain names and not (also) the matriculation number.

Use of web-based surveys (e.g. for studies)


Web-based tools regularly process personal data (such as the IP address or the name of the person). Especially with free-text response options, there is a high risk that personal data will be processed.


If the identity of the participants is not of interest, the questions should be phrased from the outset so that no personal reference can be established. Note also that no personal reference may arise even from a combination of the data; this can happen in particular with a question about the job title combined with a question about the respective institution.

Avoid free text options. If a free-text option is necessary in order not to conflict with the purpose of the survey, point out to the participants that concrete personal data such as names, addresses, telephone numbers, workplaces, etc. should be avoided here.

If a third party acts as a service provider for the survey, make sure that they do not have access to the personal data.

  • It is best to use tools that are already provided by the data centre.
  • Make sure that you collect as little personal data as possible if you do not absolutely need it.
  • State the purpose of the survey
  • Have the respondents consent to the survey before it is conducted
  • Set closing dates (end and evaluation of the survey)
  • Anonymise the data as soon as possible after the interview
  • Allow for corrections of the answers (e.g. by logging in afterwards before the end of the survey period)
  • Create a register of processing activities and send it to the Data Protection and Information Security Management Unit.

Handling data via cloud services, messenger services or groupware services (e.g. Skype, WhatsApp, Dropbox, OneDrive, Facebook, Gmail)


The use of external cloud services (e.g. Dropbox, OneDrive), messenger services (e.g. WhatsApp) or groupware services (e.g. gmail, icloud) is often very questionable from a data protection perspective. This is due to the fact that it is often not clear at first glance which data are transmitted at all when using such services and which of them are encrypted or whether the providers are subject to or comply with the regulations of data protection applicable in the EU.

Especially when using messenger services such as WhatsApp and Threema, it is problematic that metadata can be stored and forwarded. In addition, both services can access the user's contact list, which would give the services access to other people's telephone numbers. In the case of Skype, this is aggravated by the fact that video calls are generally not encrypted.


Therefore, only cloud, messenger and groupware services that are compliant with data protection should be used. These include:

Disposal of paper documents


In everyday office life, many paper documents with confidential content accumulate (e.g. drafts of letters that are not kept on file, misprints of e-mails, etc.). Disposing of them via the office waste paper basket does not ensure that third parties cannot take unauthorised cognisance of the content.


Paper documents with confidential content are to be disposed of via the paper collection containers provided by Department 4 (more details here). Self-disposal is only permissible if a document shredder in accordance with DIN 66399 is used (security level 3 or higher).

Dealing with e-mail addresses


E-mail addresses are always personal data, even if the address does not contain the first and last name of the person concerned.

Therefore, a legal basis is always required in order to process e-mail addresses within the meaning of the GDPR, i.e. to store them, to send content to an address, etc.


If you yourself want to collect email addresses from publicly disclosed websites:

Differentiate where the email data comes from.

First of all, it depends on whether the respective institution/office/organisation, as well as the respective recipients, can be presumed to have at least an imputable interest in the content of the e-mail to be sent.

Furthermore, the potential recipients must have made their e-mail address publicly known in such a way that it can be assumed that they can also be contacted regarding the respective content of this e-mail and also have an interest in this.

If this is not the case, you need a legal basis for the processing of personal data (here: storing "third-party" e-mail addresses of the respective institutions and sending to them). This can normally only be achieved through consent, which, however, you usually do not have.

If you want to access an email address list of another institution/office/organisation:

Clarify with the respective institution/office/organisation whether they may pass on corresponding e-mail address lists to you. This is usually only the case if the employees and affiliates have already given their consent for their data to be passed on to third parties for the purpose of the respective content. Typical concrete purposes are: information offers, invitations to expert conferences, participation in research studies, etc.

If the employees and affiliates have not given their consent, you would have to ask the respective institution/office/organisation to obtain the consent of the potential recipients.

Dealing with the TYPO3 Powermail form


When you use the form function of Powermail on your website, the content entered by the users of this form and the e-mail address they specify are saved by default.

As soon as the form has been filled out and submitted by the users, you can view the completed input options on the one hand via the "Powermail" tab and on the other hand via the "List" tab. The last entries are also visibly displayed in the content element through which you display the Powermail form on your website. The data is therefore "processed" here in accordance with the GDPR.


Maintain the stored data regularly: delete the content when it is no longer needed. Export the email addresses regularly if you have set up the Powermail only for this purpose (e.g. for distribution lists or newsletters) and then delete the contents in Typo3. You can do this on the one hand via the "Powermail" tab and on the other hand via the "List" tab.

Data protection notice for contact forms, newsletters & e-mail distribution lists


When setting up newsletters and email distribution lists via the websites of the University of Oldenburg, there are information obligations according to Article 13 GDPR. According to this, among other things, the purpose, the legal basis, the duration and the type of data processing as well as, in particular, the type of categories of personal data and much more must be stated.


In simple cases, it is sufficient to refer to the university's privacy policy. This is the case, for example, with simple contact forms, newsletters & email distribution lists.

However, if more data is requested than is covered by the university's privacy policy, you should create your own privacy policy. If you would like advice on this, please contact the Data Protection and Information Security Management Unit at

Open e-mail distribution list


Data protection requirements must also be taken into account when designing email distribution lists, as (at least personalised) email addresses are personal data in the sense of the GDPR.

If an email distribution list is used in which all persons written to are addressed in the "TO" or "CC field", the addressees are visible to all other persons in the distribution list. From the content of the e-mail, additional information about the group of addressees can be obtained beyond the mere e-mail address (e.g. if all addressees are graduates of a year in a certain degree programme). In terms of data protection law, this is then a "transmission" to third parties, which is only permissible on the basis of a legal provision or the consent of the persons concerned.


Instead of the "TO field" or "CC field", the e-mail addresses should be entered in the "BCC field" (Blind Carbon Copy). This way, the addressees cannot see to whom else an e-mail has been sent.

Your own e-mail address is entered in the "TO field". You send the e-mail to yourself, but the recipients you have entered in the BCC field still receive the e-mail.

"Unsubscribe" function

Furthermore, you should create the possibility and also communicate with each e-mail that the recipients can unsubscribe from the distribution list at any time. This must be just as easy to do as it was to subscribe, i.e. regularly by sending a simple reply e-mail or clicking on an "Unsubscribe" button. The data subject must have the option of no longer receiving emails and being removed from the mailing list.
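The two points above (recipients only in BCC, with your own address in TO, and an unsubscribe route communicated in every message) as an added Python example that is not part of this FAQ: the addresses are constructed placeholders in example.org, and the returned "envelope" dictionary stands in for the sender and recipient arguments one would hand to a mail library such as smtplib. The check function makes the difference between the open and the closed list visible.

```python
"""Added example: build a distribution-list e-mail so that the recipients are
carried only in the SMTP envelope (BCC), never in a visible header, and give
it an unsubscribe route. Addresses are constructed placeholders."""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "listowner@example.org"                      # constructed placeholder
RECIPIENTS = ["alumni1@example.org", "alumni2@example.org", "alumni3@example.org"]


def build_list_message(sender, recipients, subject, body):
    """Message for a distribution list: TO = sender, real recipients only in the envelope."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender                                # you send the e-mail to yourself
    msg["Subject"] = subject
    # Unsubscribing must be as easy as subscribing; a reply with a fixed subject is enough.
    msg["List-Unsubscribe"] = f"<mailto:{sender}?subject=unsubscribe>"
    msg.set_content(body + "\n\nTo unsubscribe from this list, reply with the subject 'unsubscribe'.")
    # The BCC recipients never become a header; they are handed to the mail
    # server separately (with smtplib that is the to_addrs argument of sendmail()).
    return {"from": sender, "to": list(recipients), "message": msg}


def build_open_message(sender, recipients, subject, body):
    """The pattern the FAQ warns about: every recipient in the TO field."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(recipients)
    msg["Subject"] = subject
    msg.set_content(body)
    return {"from": sender, "to": list(recipients), "message": msg}


def visible_recipients(msg):
    """Addresses that any recipient can read from the TO and CC headers."""
    values = [str(v) for h in ("To", "Cc") for v in msg.get_all(h, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def leaks_recipient_list(envelope):
    """True if another list member's address is visible in the headers."""
    visible = set(visible_recipients(envelope["message"]))
    sender = envelope["from"].lower()
    return any(r.lower() in visible for r in envelope["to"] if r.lower() != sender)


if __name__ == "__main__":
    closed = build_list_message(SENDER, RECIPIENTS, "Alumni meeting", "Dear all, ...")
    opened = build_open_message(SENDER, RECIPIENTS, "Alumni meeting", "Dear all, ...")
    print("BCC list leaks recipients:", leaks_recipient_list(closed))
    print("open TO list leaks recipients:", leaks_recipient_list(opened))
    print(closed["message"].as_string())
```

Note that the closed message never carries a Bcc header at all: recipients exist only in the envelope, so nothing in the delivered message text reveals the list, which is exactly what the BCC field achieves in a mail client.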


This does not apply to "setting in CC" in the context of the official fulfilment of tasks in (internal) e-mail traffic. However, restrictive handling is recommended here as well.


Use of "Doodle" to coordinate appointments


When coordinating appointments via Doodle, you inform Doodle AG, a company based in Switzerland, not only of your e-mail address and your name, but also, if applicable, of the official reason for coordinating the appointment. This may violate both the employer's confidentiality interests and data protection concerns. This is because the fact of whether and with whom you communicate on official business is also subject to secrecy.

Doodle also uses Google Analytics and other evaluation mechanisms that enable profiling and targeted advertising.


Appointments can also be conveniently coordinated via Microsoft Outlook, which is installed on all work computers. The data then generally remain within the university network.

Should it nevertheless be necessary to use an external service, the more data-protection-friendly alternative of the DFN Association (German Research Network) at should be used. Here, data transmission is encrypted, the survey can be given a deletion date and activities are neither evaluated nor do you receive advertising.

Register of processing activities


Without sufficient documentation of data processing operations, it cannot be proven that only those data are processed which are necessary for the respective task and may therefore be processed. In addition, there is a risk that technical and organisational data protection measures are not defined in a sufficiently binding manner and are therefore changed without prior review.


Pursuant to Art. 30 of the GDPR, a procedure description must be created for every procedure in which personal data is processed automatically, made available to the data protection officer and kept up to date. The staff unit will assist you with the preparation.

Obligation of confidentiality - e.g. for student assistants


You are using student assistants in the context of a (research) project and would like to "instruct"/sensitise them with regard to data protection regulations or oblige them to do so?


This is also a good idea for your own protection. Please use the attached sample and adapt it to your project accordingly.

Questions from the area of information security

What is phishing?

Phishing originally refers to fishing for passwords. In the meantime, however, it usually refers to e-mails that are intended to deceive the reader in order to obtain confidential data.

The first variant pretends to come from a known sender and wants to entice the reader to click on the link it contains. This link does not lead to the known website it claims to, but to a fake one. If the user enters his or her password to log in there, the attackers have reached their goal.

In the second variant, a file is sent as an attachment which the recipient is supposed to open. This file then contains a virus.


Pay attention to whether the content of the e-mail you receive is plausible. Have you already had contact with the sender on this subject? Are you expecting the message or this reply? Did the sender actually promise to send you a file?

Viruses often insert themselves into an existing e-mail conversation and send a supposed reply that carries an infected file.

Would the sender write to this e-mail address?

Your bank will probably not send you an e-mail to your Uni-Oldenburg e-mail address.

If an e-mail unexpectedly asks you to log on to a website, never click on the link. Open a web browser and type in the known address yourself.

Tip: If you hover over a link in your mail without clicking on it, you can see where the link actually leads.
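The hover tip works because the visible link text and the real destination are two different things in an HTML mail. As an added example (not code from the page or the university), the script below does the same comparison automatically: it pulls every link out of an HTML mail body with the standard-library parser and flags links whose displayed text names one domain while the `href` points to another, links that go to a raw IP address, and links outside an assumed list of trusted domains. The mail body is a constructed sample; `uni-oldenburg.de` is taken from the page, the lookalike host uses the reserved `.example` TLD and the IP is from the documentation range.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the HTML body of a made-up phishing mail (not from the page).
SAMPLE_HTML = """
<p>Your mailbox is almost full. Log in to keep your account:</p>
<a href="http://uni-oldenburg.de.login-portal.example/webmail">https://www.uni-oldenburg.de/webmail</a>
<p>Or use the <a href="http://203.0.113.5/update">secure update page</a>.</p>
<p>Campus portal: <a href="https://www.uni-oldenburg.de/portal">www.uni-oldenburg.de</a></p>
"""

# Assumed list of domains the reader expects links in university mail to use.
TRUSTED = {"uni-oldenburg.de"}

# Link text that "looks like" a URL or host name (so it can be compared with href).
HOST_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def host_of(value):
    """Lower-cased host name of a URL or bare domain ('' if there is none)."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (no public-suffix list)."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html, trusted=TRUSTED):
    """Return the links in an HTML body that deserve a second look, with reasons."""
    findings = []
    for href, text in extract_links(html):
        host = host_of(href)
        reasons = []
        # Displayed text names a domain, but the link leads somewhere else.
        if HOST_LIKE.match(text) and registrable(host_of(text)) != registrable(host):
            reasons.append(f"text shows {host_of(text)} but link goes to {host}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            reasons.append("destination is a raw IP address")
        if registrable(host) not in trusted:
            reasons.append(f"{host} is outside the trusted domains")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("   -", reason)
```

The first sample link is the classic case: the text reads `https://www.uni-oldenburg.de/webmail`, but the host actually ends in `login-portal.example`, which a hover in the mail client would reveal just as this script does. The third link is fine and is not reported.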


Be suspicious of files in e-mails. If the file is sent to you unexpectedly, do not open it.

And if you receive a security warning that macros have been disabled, please do not enable them: doing so would activate the virus.


By the way: If you receive suspicious e-mails, feel free to forward them to !




How can I save passwords?

There are so-called password safes for storing passwords. These are programmes that save the stored passwords in an encrypted, password-secured file. Instead of, for example, 30 passwords, you only have to remember one password, the master password. Consider using a different, longer password than the one for your university access as the master password. And don't share this master password with anyone.

The best-known password safes include the programme Keepass and its offshoot KeepassXC.

You can also use these programmes at Oldenburg University to manage your passwords. Just make sure that you choose a secure, sufficiently long password for the programme. This will be the only password you have to remember. All other passwords are stored in the programme and can be copied and used for logging in if necessary. The programmes also offer a password generator for creating secure passwords.

The programmes mentioned are all open source and free to use.
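Two things the paragraphs above rely on can be made concrete: what a safe's password generator does, and why the master password has to be long. The following is an added example using only Python's standard library; it is not code from Keepass or KeepassXC and does not reproduce their file format. It generates passwords from the operating system's secure random source, computes how many bits of entropy such a password has, derives a vault key from a master password with PBKDF2-HMAC-SHA256 (a deliberately slow step, so guessing the master password is expensive), and checks the two rules the text gives for the master password (long, and not the same as the university password). All sample passwords and the salt are constructed values.

```python
import hashlib
import math
import secrets
import string

# Characters a typical safe's generator draws from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, as a password safe's generator does it."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


def derive_vault_key(master_password, salt, iterations=600_000):
    """Derive the 256-bit key that protects the encrypted password file.
    PBKDF2 with many iterations makes every guess at the master password slow;
    the salt ensures two safes with the same master password get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def master_password_ok(master_password, university_password, min_length=16):
    """The two rules from the text: long enough, and different from the
    password used for the university account (min_length is an assumed value)."""
    if len(master_password) < min_length:
        return False
    if master_password == university_password:
        return False
    return True


if __name__ == "__main__":
    pw = generate_password(20)
    print(f"generated: {pw}  ({entropy_bits(20, len(ALPHABET)):.1f} bits)")
    salt = secrets.token_bytes(16)          # stored next to the encrypted file
    key = derive_vault_key("constructed master passphrase, not a real one", salt)
    print("vault key:", key.hex())
```

A 20-character password from this alphabet carries about 131 bits of entropy, far more than anyone could memorise for 30 accounts, which is exactly why the safe remembers them and you only remember the master password.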

Can I save passwords in the browser?

No. Storage is insecure, passwords can be stolen. It is better to use a password safe.

What do I have to pay attention to with my web server or my website?

Internetkoordinator (Changed: 06 Jun 2023)