The GDPR clearly says no, but…
What is meant is that the processing of personal data is generally prohibited, but may be permitted under certain conditions. The GDPR speaks of a prohibition with a reservation of permission.
The following must be taken into account in order to lawfully process personal data:
Lawfulness of the processing: There must be a legal permission provision or consent must be obtained from the data subjects. The respective authorisation criteria or authorisation regulations are regulated in Article 6 of the GDPR or in special legal norms (e.g. Telecommunications Act, BDSG, StudDatVO).
Data minimisation and purpose limitation: Only the personal data required for the respective purposes may be processed. The collected data may not be used for any other purposes – apart from regulated exceptions, e.g. in the area of scientific research (Article 5 of the GDPR).
Information requirements: Data subjects must be informed about the processing in a precise, transparent, comprehensible and easily accessible manner (Article 12, Article 13, Article 14 GDPR). The information obligations are usually fulfilled in the privacy statement. The data subjects must be informed of the information obligations at the latest at the time of data processing by the HWR.
Directory of processing activities: All essential information on the various processing of personal data (e.g. personnel administration, student administration or research projects) must be documented in the register of processing activities (VVT) (Article 30 DSGVO).
Security of processing: Processing shall be protected against threats and hazards by appropriate technical and organisational measures. A level of protection appropriate to the risk must be ensured. (Article 32 GDPR)
Data subject rights: the rights of data subjects to access (Article 15 GDPR), rectification (Article 16 GDPR), erasure of data (Article 17 GDPR), restriction of processing (Article 18 GDPR), data portability (Article 20 GDPR) or objection (Article 21 GDPR) shall be taken into account.
Commissioned data processing: If personal data are processed on behalf by external bodies, a contract for commissioned processing must be concluded (Article 28 DSGVO).