Privacy Policy according to the GDPR
1 Name and address of the controller
The responsible person within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection provisions is:
HWR Berlin
Badensche Strasse 52
10825 Berlin
Represented by Andreas Zaby
praesident@hwr-berlin.de
2 Name and address of the data protection officer
HWR Berlin
Vitali Dick (HiSolutions)
Badensche Str. 52 10825
Berlin datenschutz@hwr-berlin.de
3 Data processing within Shibboleth (SingleSignOn)
3.1 Description of the data processing
The German Research Network Authentication and Authorisation Infrastructure (DFN-AAI) serves as a federation of higher education institutions and private information providers. The participants in this federation are enabled, on the basis of a technical infrastructure, to make resources of the entire federation available in a controlled manner to users registered locally in their institutions, without the users having a user account at all institutions.
The technical implementation is based on Shibboleth, a software developed by the Internet2 consortium that enables distributed authentication and authorisation for web applications and web services. The concept of Shibboleth provides, among other things, that a user only has to authenticate once per browser session at his or her home institution, e.g. the university where he or she is enrolled, in order to be able to access services or licensed content from different providers regardless of location (so-called federated single sign-on).
The service providers are both public bodies and non-public bodies in Germany and abroad.
When a user requests a resource accessible via the federation, the service provider directs the user to a service (discovery service) where the user selects the identity provider of their home organisation and is subsequently directed back to the service provider so that the service provider can cache the information about the identity provider belonging to the selected home organisation and use it for further requests. The service provider responds with an authentication request addressed to the identity provider.
The identity provider at the home institution checks whether the user already has a Shibboleth session, i.e. is already authenticated. If this is not the case, authentication is initiated, e.g. a form is displayed to the user to enter the user password and password. If the user is authenticated, a SAML authentication and attribute assertion is issued for the service provider.
The SP now checks whether the user has access based on the assertions and returns the originally requested resource accordingly. The service provider cannot access the authentication data of the HWR.
To authenticate the user, metadata must be sent to the user depending on the service requested. This transmission is currently done by consent of the user. For this purpose, the user is provided with a consent form with its own privacy policy. The consent is not part of this privacy policy.
3.2 Purposes of the processing – Shibboleth
The processing of personal data is carried out for the following purposes:
- Provision of a SingleSignOn for the registration and use of internal and external services and resources, for the status groups of students, staff and faculty via central login.
- Verification of access authorisation for connected online services
3.3 Currently integrated services
INTERNAL Services:
- HWR Cloud
- Planning tool
- Collaboard
- BITE
EXTERNAL Services:
- DFNconf – Conference platform of the German Research Network (consent required)
- DFN vote (consent required)
- DATEV (consent required)
- ISIS TU Berlin (consent required)
3.4 Legal basis for the processing
INTERNAL services:
- for students Art. 6 (1) lit. e DSGVO in conjunction with § 6 (1) 2 BerlHG.
- for all other members of the HWR Art. 6 (1) lit. e DSGVO in conjunction with § 6 (1) 210 and 12 BerlHG.
EXTERNAL services:
For all user groups (teachers, students, employees) Art. 6 para. 1 lit. a DSGVO – consent of the user. There is neither a contractual nor a legal obligation to provide the data. The consent is voluntary. The consent for the transfer can be revoked at any time. However, the service can then no longer be used via Shibboleth, as a transfer of the metadata is required.
3.5 Types and categories of personal data
We process the following categories and types of data for the above purposes:
| Data categories | Data types | Required for |
| Master data | Username | For clear identification of the user |
| Name, first name | For clear identification of the user | |
| E-mail address | For clear identification of the user | |
| Metadata
|
Affiliation (group affiliation of the Active Directory) | Assignment to an authorisation group and guarantee of certain access rights |
| Principal Name (unique institution-wide user ID UID = Username@Insti-
tution) |
For clear identification of the user and assignment to an institution
|
|
| Access data | Personal password in encrypted / hashed form | For authentication and login to the identity provider |
| Cookie data | Session cookie | This cookie only contains information necessary to identify the user’s IdP session. This cookie is created as a “session cookie” and removed when the browser removes such cookies (often when the browser is closed). |
| Server log data | IP address of the client | Records for fault diagnosis and tracking of safety incidents |
| user-identifier | ||
| userid of the user | ||
| Date, time and time zone of the user |
3.6 Data storage and deletion periods
The data is stored exclusively in Germany or the EU.
| Data categories | Deletion deadlines |
| Master data | 150 days after exmatriculation (students)
30 days after leaving the service (employees, teachers, lecturers) |
| Metadata
|
|
| Access data | |
| Cookie data | a) As long as the browser session is open
For activity 8 hours In case of inactivity 60 minutes b) When browser session is closed (browser is closed, the cookie is directly closed |
| Consent data | 1 year |
| Server log data | 30 days |
4 General information on data processing
4.1 Scope of application
This data protection declaration applies to the processing of personal data in the IT service procedure Shibboleth (SingleSignOn) of HWR Berlin.
4.2 Scope of the processing of personal data
As a matter of principle, we only process personal data of our users insofar as this is necessary.
4.3 Recipients or categories of recipients of the personal data
Data is not transmitted to external recipients. Should a connected service require transmission to external recipients, we will either obtain separate consent from you or inform you oft hat matter. Within the university (internal recipients), the data may be processed by the administrators of the IT department.
4.4 Transfer of data to a third country or an int. organisation
Data is not transmitted to a third country or an international organisation. Should a connected service require a transfer to a third country, we will obtain separate consent from you or inform you of that matter.
4.5 Rights of the data subject
Pursuant to Art. 13 – 23 DSGVO, the person affected by the processing has rights which can be asserted against the HWR Berlin. An overview of the most important rights is listed below:
- Duty to provide information when collecting personal data pursuant to Art. 13 DSGVO
- Right to information about data stored by the data controller (HWR Berlin) according to Art. 15 DSGVO
- Right to rectification of data stored by the data controller (HWR Berlin) in accordance with Art. 16 DSGVO
- Right to have data stored by the data controller (HWR Berlin) deleted in accordance with Art. 17 DSGVO
- Right to restrict processing of data stored by the data controller (HWR Berlin) pursuant to Art. 18 DSGVO
- Obligation to notify in connection with the rectification or erasure of personal data or the restriction of processing pursuant to Art. 19 DSGVO
- Right to data portability according to Art. 20 DSGVO
- Right to object to data processing, provided that the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority pursuant to Article 6 (1) e of the GDPR or the processing is necessary for the purposes of safeguarding the legitimate interests of the controller or a third party pursuant to Article 21 of the GDPR.
- The right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Right to notification under Article 34 GDPR of the data subject of a personal data breach.
4.6 Exercise of rights
If you wish to exercise your rights, please contact the data protection officer mentioned above or make the request at the link.[1]
4.7 Right of appeal
The data subject also has the right to complain to a supervisory authority about the HWR Berlin. The competent supervisory authority in the state of Berlin is
Berlin Commissioner for Data Protection and Freedom of Information
Friedrichstr. 219 10969 Berlin
mailbox@datenschutz-berlin.de
4.8 Data security
In order to adequately and comprehensively protect the security of your data during processing and in particular during transmission, we use appropriate technical and organisational measures to ensure the security of your personal data, insofar as this is necessary and oriented to the current state of the art.
5 Status, changes and validity of the general data protection declaration
This data protection declaration is valid as of 08/2022. We reserve the right to update this data protection declaration regularly in order to take into account the current legal requirements and technical changes as well as to implement our services and offers in a data protection-compliant manner. We will inform you in the event of significant changes to the legal framework. If there are any changes, we will send you an adapted consent and data protection declaration.
| Version | Date | Author | Change / Remark | Classification |
| 1.0 | 03.07.2020 | IT-DUD Hafner | DSE – Integration dfnconf | public |
| 1.1 | 20.08.2020 | IT-DUD Hafner | DSE Integration HWR Cloud | public |
| 1.2 | 07.01.2022 | IT-DUD Hafner | Revision | public |
| 1.3 | 30.08.2022 | IT-DUD Hafner | Revision | public |
[1] https://dsgvo2.ds–manager.net/jd8g73mg9/anfrage_meldung.html?key=5oZEoda8bochZmO9