- English below -

A. Safety instructions for online voting at the University of Oldenburg

I. General information

Elections to the University Senate, the Faculty Councils and the Doctoral Candidates' Representation are held as combined ballot box, postal and internet-based online elections (electronic elections). The online election is browser-based, operating system-independent and possible from anywhere in the world with an internet connection via a terminal device. The "uniWahl OWS" software from Electric Paper Informationssysteme GmbH, Konrad-Zuse-Allee 15, 21337 Lüneburg, Germany (https://www.electricpaper.de/) serves as the election platform. Online elections with uniWahl OWS are secure in accordance with the requirements of the Federal Office for Information Security and fulfil the requirements of democratic electoral law.

II Postal and ballot box voting

In addition to the option of casting your vote online, you also have the option of casting your vote by postal vote or in person at the ballot box at the polling station. For postal voting, your proposal for postal voting documents must be received by the Elections Office by 6 January 2026. Further information and the application form to apply for postal voting can be found on the Elections Office website at uol.de/wahlamt. Voting at the ballot box is possible on 20 January 2026 at the Wechloy campus (Ringebene) and on 21/22 January 2026 at the Haarentor campus (BIS-Saal) from 11:30 am to 2:30 pm.

III Voting application

The "uniWAHL" software and the "uniWAHL OWS" online voting system from Electric Paper Informationssysteme GmbH(www.wahlen-organisieren.de) will be used as the technical platform. The uniWAHL core software is installed locally on the computers of the internal electoral officer organisation and can only be accessed after logging in to the PC. This ensures at all times that sensitive data from the electoral roll (personal data of voters) is not leaked. The integrity of the voting process is additionally ensured by the pseudonymisation of voters (ID, voting authorisation) in uniWAHL OWS. The OWS platform uses HTTPS encryption for the secure transmission of all data between the voters and the servers. In the uniWAHL OWS voting system, voting is completely anonymised by randomly shuffling the encrypted ballot papers in a mixnet process after the vote has been cast so that they can no longer be assigned to any individual. The online voting system itself is provided in compliance with the GDPR from a highly secure Data Centre operated by German Telekom.

IV. Usability of the voting system in the event of technical or personal restrictions

The voting application is generally accessible without barriers and enables online voting largely without restrictions and without assistance, regardless of physical or technical capabilities. In principle, it can be used by people with and without health restrictions and with technical limitations (text browser, PDA, etc.). The information displayed can be read aloud using screen readers or output in Braille for blind and visually impaired people.

V. Safety instructions

In online voting, votes are cast on an individually used computer workstation or a mobile device with an Internet connection, via which the votes cast are transmitted to the voting system in encrypted form.

Compliance with the security measures recommended here is intended to ensure that suitable precautions are taken to guarantee a minimum level of security and to prevent attacks by malware (computer viruses, worms, Trojans, etc.) or similar attacks on the computer workstation and the election servers and to protect the secrecy of the ballot.

1. your terminal device

For the purposes of these security instructions, a terminal device is any technical device that can establish a connection to the Internet and display websites, e.g.

- a classic desktop PC at the workplace

- an Internet workstation in the university library

- a notebook / laptop

- a tablet

- a smartphone

- etc.

1.1 Current operating system on your end device

Make sure that the operating system on your end device is up to date. Carry out updates promptly or - if available - activate the function for automatic updates.

1.2 Using end devices without administrative rights

If your end device supports rights management, it is recommended that you only use the Internet with a user account without administrative rights. Malware usually relies on logged-in users having administrative rights in order to be permanently installed on other people's computers. You can find out whether and how to set up a user account without administration rights in the documentation for your end device.

1.3 Software and files from untrusted sources, viruses and Trojans

1.3.1 Basic information

Do not install or start any programmes from untrusted sources, especially those that you have received by email from strangers or acquaintances without being asked. Screensavers are also programmes! Do not open any files whose source seems unknown or unsafe to you. If you have even the slightest doubt about the trustworthiness of programmes or other files, do not start, install or open them.

1.3.2 Viruses and Trojans

A computer virus is a self-replicating computer program. The term "virus" is derived from the fact that the computer virus - similar to a biological virus - infiltrates other programmes in order to multiply. Once started, it can make changes to both the software and hardware of the infected computer system and lead to functions or functional failures that are not desired by the user.

"Trojans" or "Trojan horses" are often programmes disguised as useful applications that have or execute other and often unwanted functions in the background without the user's knowledge. Trojans can be used to steal files from your end device, record your entries and send them to third parties or take over your browser session. This may enable third parties to exercise your right to vote without authorisation.

If you do not already have it, install antivirus software on your end device to protect against viruses and Trojans and keep it up to date. Business computers already have anti-virus software installed.

1.3.3 Where to buy antivirus software / further information

Sources of antivirus software can be found in computer magazines and in many places on the Internet, e.g. at

www.avira.com/de

Further information on the subject of security on the Internet can be found at

www.bsi.bund.de/DE/Themen/Verbraucherinnen-und-Verbraucher/verbraucherinnen-und-verbraucher_node.html

2. tapping of access data (phishing)

"Phishing" is the term used to describe the tapping of access data (user ID/password) via fake websites. Links to these pages are often distributed by email or other messages and possibly from fake sender addresses. Be critical of emails containing links. Mouse over links to check where they lead and do not click on them if you have even the slightest doubt about the authenticity of the email or link.

3. your browser

3.1 Software for displaying Internet pages (browser)

Special computer programmes (browsers) are used to display websites on the Internet. Make sure that the browser you are using comes from a trustworthy source to ensure that it is not malware or modified original software. Please only use versions of Internet browsers (Firefox, Chrome, Edge, Safari, etc.) that have been approved by the manufacturer. Microsoft Internet Explorer should no longer be used, as support expired in June 2022. If security problems become known with a browser, the manufacturers usually release updates to fix them promptly. You should therefore regularly find out about new updates for your end device and carry out the updates promptly or activate the automatic update function of your browser.

3.2 Browser settings

Although the browsers of different providers differ in terms of handling and configuration, there are some generally applicable behaviours for secure handling:

- While using the voting system, refrain from displaying other websites with untrustworthy content in a second browser window or tab.

- It is not necessary to activate Javascript, which is often used to support user-related functions in Internet-based applications.

- Set your browser so that encrypted pages and so-called "cookies" for saving your personal settings on websites are not saved. In Firefox, open the settings, go to the "Data protection and security" section and uncheck the box next to "Ask whether access data and passwords for websites should be saved". For other browsers, search for "Password manager" or "Password manager" in the settings or configuration.

- Empty the so-called "cache" after each session. The cache is a memory area in which pages previously displayed on the browser are shown. By deleting the cache, you prevent, for example, pages accessed at the computer workstation being used from being viewed by third parties at a later date. You can call up the function for deleting the cache in Firefox and some other browsers using the key combination Ctrl + Shift + Del.

- As an alternative to the last point, you can also use the browser in "private mode". In this case, the browser does not store any data about Internet usage on your computer. In Firefox, you can activate private mode using the "New private window" function in the application menu or the key combination Ctrl + Shift + P.

4. dialling process

4.1 Access data

You will receive your access data in the form of a PIN and a TAN in separate emails from the Elections Office to your personal university email address. You can use these to authenticate yourself on the election portal. Keep this data under lock and key at all times so that third parties cannot access it. Do not pass on your access data to third parties.

4.2 Location

A standard terminal device (computer workstation, smartphone, etc.) with a functioning internet connection is required to carry out the voting process. It is recommended that you only use end devices in trustworthy environments that generally ensure compliance with the recommended security measures. This security is also guaranteed, for example, by the University Library's internet workstations. Those authorised to vote are generally responsible for ensuring that the security measures recommended here are observed.

4.3 Secure encrypted connection

Make sure that there is a secure connection when logging into the voting system. The server "uol.gremienwahlen.de" must be displayed in the URL and communication must be encrypted. You can recognise the latter in Firefox by the fact that a closed padlock is displayed in the address bar of the browser and the URL begins with https. By clicking on the padlock and then on the "Secure connection" / "More information" / "Show certificate" option, you can also display the site's security certificate. The certificate of the server election/polyas.com has the following SHA-256 fingerprint:

2766ed65da79fca026f2f1cfOef20762ffd21f36132247be9e1eb7ecb8e429ec

4.4 Voting

Votes are cast in person and unobserved in electronic form, which must be confirmed electronically by the authorised voters. While casting their vote, eligible voters are responsible for ensuring that the secrecy of the ballot is maintained and, in particular, that third parties cannot gain knowledge of the content of the vote.

4.5 Logging out of the voting system and auto-logout

If you wish to cancel or interrupt the election, please log out properly using the "Cancel / log out election" button. Irrespective of this, the system will automatically log you out for security reasons if no entries are made for approx. 15 minutes. In both cases, your entries will not be saved and you will have to log into the voting system again with your access data and re-enter any entries you may have made previously.

B. Data protection information in accordance with Art. 13 GDPR

1. name and contact details of the controller, contact details of the data protection officer, professional responsibility

The controller is the University of Oldenburg, a public corporation, legally represented by the President, Ammerländer Heerstraße 114 - 118, 26129 Oldenburg, Germany.

You can contact the data protection officer of the University of Oldenburg at the above address (for the attention of "The Data Protection Officer"), by telephone on +49 (0)441 798 4196 or by email at dsuni@uol.de.

The responsible body is the Elections Office of the University of Oldenburg, Head: Ass. iur. Dennis Deitermann, Postal address: University of Oldenburg - Elections Office, Ammerländer Heerstraße 114 - 118, 26129 Oldenburg, Email: wahlamt@uol.de, Phone: +49 441 798-5124

2 Purposes, legal basis, obligation to provide

Your personal data will be processed for the following purposes

- Realisation of the committee elections

The legal basis for the processing of your personal data is the fulfilment of a public task that has been assigned to the responsible body, cf. §§ Sections 16 (5) sentence 1, 41, 44, 9 (4) NHG in conjunction with the election regulations of Carl von Ossietzky University and the regulations for the election of the doctoral student representation (election regulations) of Carl von Ossietzky University of Oldenburg.

You are not obliged to provide your personal data. However, participation in the electronic election is not possible without providing this data.

3. storage period

The storage period is 15 years from 1 January of the year following the election; after expiry of the storage period, your personal data (voting notes) will be offered to the University Archives for transfer and archiving (see Nds. AktO i.V.m. Instruction on the storage, archiving and destruction of documents of the University of Oldenburg dated 14 June 2018).

4. rights of data subjects

As a data subject within the meaning of the GDPR, you have the following rights

- Right of access (Art. 15 GDPR)

- Right to rectification (Art. 16 GDPR)

- Right to erasure (Art. 17 GDPR)

- Right to restriction of processing (Art. 18 GDPR)

- Right to data portability (Art. 20 GDPR)

- Right to object (Art. 21 GDPR)

To exercise these rights, please contact the data controller (see above).

5. right to lodge a complaint with a supervisory authority

If you are of the opinion that the processing of your personal data violates data protection regulations, please contact the data protection officer of the controller (see above). Irrespective of this, you have the right to lodge a complaint with a supervisory authority. The supervisory authority responsible for Carl von Ossietzky University is: Landesbeauftragte für den Datenschutz in Niedersachsen, Prinzenstraße 5, 30159 Hannover.

6 Recipients or categories of recipients

If necessary, your personal data will be passed on to Electric Paper Informationssysteme GmbH, Konrad-Zuse-Allee 15, 21337 Lüneburg, Germany as a processor within the meaning of Art. 28 GDPR (a corresponding data processing agreement has been concluded between the University of Oldenburg and Electric Paper GmbH).

- English version -

(in progress)