HWR Cloud Storage Service

Data protection declaration according to the GDPR

1 Name and address of the Controller

HWR Berlin

Information Technology

Badenstrasse 52

10825 Berlin

It-hotline@hwr-berlin.de

2 Name and address of the official data protection officer

Vitali Dick (data protection officer)

Badensche Str. 52

10825 Berlin

datenschutz@hwr-berlin.de

3 Data processing in the HWR cloud storage service procedure

3.1 Purpose of Processing

Personal data is processed for the following purposes:

  • Provision of storage space for the temporary upload of files from HWR members
  • Sharing or exchanging folders and files via the cloud to HWR members and third parties

3.2 Legal Basis for Processing

The legal basis for the processing

  1. For students Art. 6 (1) lit. e GDPR in conjunction with § 6 (1) 2 BerlHG. You can object to data processing. The cloud can then no longer be used.
  2. For all other members of the HWR and external access Art. 6 (1) lit. e GDPR in conjunction with § 6 (1) 1-10 and 12 BerlHG. You can object to data processing for important reasons.
  3. For user profile data entered voluntarily, Article 6 (1) (a) GDPR. Consent is voluntary. There is neither a contractual nor a legal obligation to provide the data. The lawfulness of the processing remains unaffected until the consent is revoked.

3.3 Types and Categories of Personal Data

We process the following categories and types of data for the purposes stated in 3.1:

Data category Data types Affected categories Legal basis Required for
Base data Last name / first name / email address Lecturers / Lecturers / Employees / Students – Art. 6 (1) lit.e GDPR

in conjunction with § 6 (1) 1-10 and 12 BerlHG

 

– Art. 6 (1) lit. a GDPR

For unique identification of the user account
Authorization data / entitlement data User Roles / User Permissions Assignment to an authorization group and guarantee of certain access rights
Authentication data Username / Authorization Token Authentication and authorization of the user towards the HWR, as an authorized member of the HWR Berlin.
Content Data / File Data Files uploaded by users that are either named in other processing directories or provided by the accessing party Lecturers / lecturers / employees / students / external users Sharing or exchanging folders and files via the cloud to HWR members and third parties
Server log files Comon log format (esp. IP address) / Records for troubleshooting and tracking security incidents
Cookie data* 4 different cookies These are essential cookies that are required to identify the user and their session to the cloud system.
Audit log data Logging of creation, modification and deletion of shares and permissions on them server-side In order to be able to understand in the event of a dispute/damage, for example, how data was passed on and by whom this was authorized
Activity data Logging of creation, modification and deletion of shares and permissions on them on the client side Lecturers / Lecturers / Employees / Students
Profile data (voluntary / not filled by default) Profile picture / Phone number / Address / Website / Twitter / Locale Lecturers / Lecturers / Employees / Students Art. 6 (1) lit. a GDPR No

* These are the following cookies: oc_sessionPassphrase / __Host-nc_sameSiteCookiestrict / __Host-nc_sameSiteCookielax / 514c7a36e9080

3.4 Deletion Periods

We delete the personal data according to the following scheme:

Data category Deletion period
Base data After the user is deleted = 150 days after the student leaves the university / 60 days after the employee or teacher leaves the university
Authorization data / entitlement data After deleting the user
Authentication data Token (after closing the browser session / if active 8 hours)
Content Data / File Data Elimination of the purpose of processing

After deletion of the user and legal deletion periods that are defined in other processing directories

Server log files 30 days
Cookie data After closing the browser session / if active 8 hours
Audit log data 30 days
Activity data 30 days
Profile data (voluntary / not filled by default) After deleting the user

In addition, the data will be deleted as soon as the user exercises his right to delete the data in accordance with Art. 13 (2) b GDPR or deletes the data independently.

3.5 Place of Processing

The HWR cloud storage service is operated at the HWR Berlin. Data processing therefore takes place in Germany.

3.6 Recipients of the personal data and transfer of the data to a third country or an international organization

The HWR data center does not transfer data to third parties outside the university (external recipients). When users share files, they may be transferred to third parties. These are documented in other processing activities.

The HWR data center does not transfer connection data to a third country or an international organization. When users share files, there may be transfers to third countries. These are documented in other processing activities.

4 General information on data processing

4.1 Scope of processing of personal data

In principle, we only process the personal data of our users to the extent that this is necessary.

4.2 Rights of the data subject

The person affected by the processing has rights in accordance with Art. 13 – 23 GDPR, which can be asserted against the HWR Berlin. An overview of the most important rights is listed below:

  • Information obligation when collecting personal data according to Art. 13 DSGVO
  • Information obligation if the personal data was not collected from the person concerned according to Art. 14 DSGVO
  • Right to information about data stored by the person responsible (HWR Berlin) according to Art. 15 DSGVO
  • Right to correction of data stored by the person responsible (HWR Berlin) according to Art. 16 DSGVO
  • Right to erasure of data stored by the person responsible (HWR Berlin) in accordance with Art. 17 GDPR
  • Right to restriction of processing of data stored by the person responsible (HWR Berlin) in accordance with Article 18 GDPR
  • Notification obligation in connection with the correction or deletion of personal data or the restriction of processing according to Art. 19 DSGVO
  • Right to data portability according to Art. 20 GDPR
  • Right to object to data processing if processing is required under Art. 6 (1) e GDPR to perform a task that is in the public interest or in the exercise of official authority or processing under Art. 6 (1) f GDPR is necessary to protect the legitimate interests of the person responsible or a third party according to Art. 21 DSGVO.
  • Right not to be subject to a decision based solely on automated processing – including profiling – which produces legal effects concerning you or similarly significantly affects you.
  • Right to notification according to Art. 34 GDPR of the person affected by a breach of the protection of personal data.

4.3 Right to information

You can request confirmation from the HWR as to whether personal data relating to you is being processed by us.

4.4 Exercise of Rights

If you would like to exercise your rights, please contact the data protection officer named above or submit the request using the link . [1]

4.5 Right to Complain

The person concerned also has the right to complain to a supervisory authority about the HWR Berlin. The competent supervisory authority in the state of Berlin is

Berlin Commissioner for Data Protection and Freedom of Information

Friedrichstr. 219

10969 Berlin

mailbox@datenschutz-berlin.de

4.6 Data Security

In order to protect the security of your data appropriately and comprehensively during processing and in particular during transmission, we use appropriate technical and organizational measures to ensure the security of your personal data, where necessary and based on the current state of the art.

5 Status, changes and validity of the general data protection declaration

This data protection declaration is dated 01/2022. We reserve the right to update the data protection declaration regularly in order to take current legal requirements and technical changes into account and to implement our services and offers in compliance with data protection regulations. We will inform you in the event of significant changes to the legal framework. If there are changes that require renewed consent, we will send you an adapted consent and data protection declaration.

 

Version           Date     Document       author  change / comment      Classification

1.0       13.10.2020      DSE Nextcloud          IT – DuD        Final Release  public

1.1       01/07/2022      DSE Nextcloud          IT – DuD        Final Release  public

 

[1] https://dsgvo2.ds – manager.net/jd8g73mg9/frage_meldung.html?key=5oZEoda8bochZmO9  

Diese Webseite verwendet ausschließlich technisch notwendige Cookies. Eine Einwilligung des Nutzers ist demnach nicht erforderlich. This website only uses technically necessary cookies. The consent of the user is therefore not required .