We hereby inform you about the processing of your personal data by us and about the rights and claims to which you are entitled under the applicable data protection regulations.
The specific data that is processed and how it is used depends largely on the services you use, which may in some cases require a formal application.
Deviations from the provisions outlined here are explicitly detailed in separate privacy policies issued by the respective responsible departments.
1. What is the name of the affected automated processing?
Online presence of the Helmut Schmidt University / University of the German Armed Forces Hamburg (also known as the website or homepage of HSU / UniBwH)
Landing page accessible at the URL https://www.hsu-hh.de
2. Who is responsible for data processing and whom can I contact?
The responsible entity is:
President of the
Helmut Schmidt University / University of the German Armed Forces Hamburg
Holstenhofweg 85
GERMANY-22043 Hamburg
Legal Representative (Overall Responsibility):
The President
Prof. Dr. Klaus Beckmann
Official Data Protection Officer:
Data Protection Officer of the German Armed Forces
Federal Ministry of Defence
Fontainengraben 150
53123 Bonn
Germany
Technical Responsibility:
Data Center of the Helmut Schmidt University / University of the German Armed Forces Hamburg
Email: service@hsu-hh.de
Administrative Data Protection Officer of HSU / UniBwH:
ADSB of the Helmut Schmidt University / University of the German Armed Forces Hamburg
Central Administration
Holstenhofweg 85
22043 Hamburg
Email: ADSBUniBwH@bundeswehr.org
Tel.: +49 40 6541 2131
3. What sources and data do we use?
We process personal data that we require to provide and deliver the services and offerings you use from HSU-HH.
Relevant personal data includes, for example, personal details (name, address, and other contact information, user ID). In addition, this may also include data about your use of our telemedia services (e.g., time of access to our websites or apps, pages clicked on or entries made), as well as other data comparable to the aforementioned categories.
The type and amount of personal data processed depends on the point of access (internal/external) and the user’s rights:
- You use the publicly accessible web server, which contains an unalterable copy of the HSU / UniBwH online presence, or the internal web server as a non-logged-in visitor.
- You use the editable online presence accessible only within the campus network, with the connected editorial system, as a logged-in user.
4. For what purpose do we process your data (purpose of processing) and on what legal basis?
We process personal data in accordance with the provisions of the European General Data Protection Regulation (GDPR) and the Federal Data Protection Act (BDSG).
Specifically, the following data are logged and used for each access/request to the online presence of HSU / UniBwH:
- the IP address
- the page accessed (from which the file was requested)
- the name of the requested file
- the date and time of the request
- the amount of data transferred
- the access status, i.e., a message indicating whether the access/request was successful
- a description of the type of web browser used
All logging data is processed based on the “Framework Service Agreement (RDV) on the Logging of Information Technology Systems” between the Federal Ministry of Defence and the Main Staff Council at the Federal Ministry of Defence dated May 3, 2006.
The logs are used exclusively for the purposes of
- monitoring the legality of the processing and use of personal data
- reviewing and ensuring compliance with data protection requirements
- analyzing and correcting technical errors
- ensuring system security
- optimizing the network
- statistical determination of the total usage volume (see also point 12)
- random checks
- prevention and detection of criminal offenses
- evaluation as a measure in case of violations and misuse (in accordance with the aforementioned RDV)
(see §6 paragraph 2 RDV between the Main Staff Council and the Federal Ministry of Defence). The purpose “statistical evaluation” is explicitly listed under point 12. There, users also have the option to object and set an opt-out cookie.
For access to the editorial system of the website, which is only reachable from the campus network, as well as the services and applications offered there, personal data from a technical backend system is used for the purposes of identity management, user authorization, change logging, and rights verification. The following data are processed:
- central login data
- first name, last name
- position holder data (e.g., email address)
- type, scope, and time of content changes
- group membership (control of permissions)
Detailed procedural information is recorded in the processing activities register pursuant to Art. 30 GDPR, the register of automated processing of the Center for Postgraduate Education.
4.1 Based on Your Consent (Art. 6 para. 1 lit. a GDPR)
If you have given us your consent to process personal data for specific purposes, the legality of this processing is based on your consent. You may revoke any given consent at any time. This also applies to the revocation of consents given to us before the GDPR came into effect, i.e., before May 25, 2018.
Please note that the revocation only applies to the future. Processing activities carried out before the revocation are not affected.
5. Who receives my data?
Within the Helmut Schmidt University / University of the German Armed Forces Hamburg, those departments receive your data that require it to fulfill their official and legal duties.
Information is only shared with third parties based on legal obligations and powers or with your consent.
6. How long is my data stored?
As far as necessary, we process and store your personal data for the duration of your visit to the online presence. Logging data from the web server (see point 4) is retained for a maximum of 6 months.
Position holder data and other voluntary information (e.g., on the staff page of a professorship) are collected from the respective person, who can determine the duration of storage beyond the employment relationship (see points 4.1 and 8.3).
7. Are data transferred to a third country or an international organization?
No data transfer to third countries (countries outside the European Economic Area – EEA) takes place.
8. What data protection rights do I have?
Every data subject has the right to information according to Art. 15 GDPR, the right to correction according to Art. 16 GDPR, the right to deletion according to Art. 17 GDPR, as well as the right to restriction of processing according to Art. 18 GDPR. Restrictions according to §§ 34 and 35 BDSG apply to the rights of information and deletion. In addition, there is the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR in conjunction with § 19 BDSG).
Information about the processing (e.g., file name and storage location) can be found in the processing register (see point 4).
The following paragraphs provide detailed information about your rights as a data subject.
8.1 Right of Access
According to Art. 15 GDPR, data subjects have the right to request confirmation as to whether personal data concerning them is being processed. If this is the case, the prescribed information about the processing must be provided and data subjects must be informed about their rights.
8.2 Right to Rectification
According to Art. 16 GDPR, data subjects have the right to demand the immediate correction of inaccurate personal data concerning them. Considering the purposes of processing, the completion of incomplete personal data—including by means of a supplementary statement—may be requested.
If you discover incorrect or incomplete information concerning you that cannot be corrected by you, please contact the responsible person mentioned above. Alternatively, you can contact the data protection officer of HSU / UniBwH.
8.3 Right to Erasure
According to Art. 17 GDPR, data subjects have the right to request the immediate deletion of personal data concerning them. The controller is obliged to delete personal data without delay under certain circumstances. This applies if
- personal data are no longer necessary for the purposes for which they were collected
- consent is withdrawn and there is no other legal basis
- the data subject has objected on legitimate grounds
- the personal data have been unlawfully processed
A consequence of deleting the user ID (see point 4) is subsequent exclusion from the editorial system of the HSU / UniBwH online presence.
The deletion of log data is carried out according to the RDV of the Main Staff Council and the Federal Ministry of Defence dated 08.03.2006 (see point 4).
Deletion of your data is carried out upon request. The request must be addressed to the responsible person or the data protection officer of HSU / UniBwH.
8.4 Right to Restriction of Processing
According to Art. 18 GDPR, data subjects have the right to request restriction of processing under certain conditions. The following cases are possible:
- The accuracy of the personal data is disputed by the data subject.
- The processing is unlawful, and the data subject opposes deletion of the personal data.
- The controller no longer needs the personal data for processing purposes, but the data subject requires them to assert, exercise, or defend legal claims:
Restriction marking of your data processing takes place upon request. If marking is not possible, the data will be secured before processing (e.g., by screenshot). The request must be addressed to the responsible person or the data protection officer of HSU / UniBwH.
- The data subject has objected to processing under Art. 21 para. 1 GDPR and it is not yet clear whether the legitimate grounds of the controller override those of the data subject:
In this case, the restriction marking of your data processing also takes place upon request. If marking is not possible, data will be secured before processing (e.g., by screenshot). The request must be addressed to the responsible person or the data protection officer of HSU / UniBwH.
8.5 Right to Object
According to Art. 21 GDPR, data subjects have the right to object at any time for reasons arising from their particular situation to the processing of personal data concerning them based on Art. 6 para. 1 lit. e or f. The controller shall then no longer process the personal data unless they can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or the processing serves to assert, exercise, or defend legal claims.
In this application, personal data are processed under Art. 6 para. 1 lit. e GDPR, because the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in HSU / UniBwH.
HSU / UniBwH is a service agency of the German Armed Forces and is organized in tasks, structure, and rights according to the regulations of Hamburg state law.
If a data subject objects to the processing of their data, participation in HSU / UniBwH services using technical procedures is no longer possible.
The objection must be addressed to the responsible person or the data protection officer of HSU / UniBwH.
8.6 Right to Data Portability
The right to data portability pursuant to Art. 20 GDPR entitles data subjects to receive a copy of their personal data in a common, machine-readable file format.
This right does not apply to the performance of tasks carried out in the exercise of official authority vested in the controller. This applies to the automated processing of personal data by HSU / UniBwH (see point 8.5).
Thus, the right to data portability is not applicable here.
8.7 Right to Withdraw Consent
This right applies prospectively.
Since the processing of personal data on the HSU / UniBwH online presence is authorized by a legal basis—not by consent—there is no right to withdraw consent here.
Voluntarily provided information, e.g., on a staff page, can be removed at any time by persons authorized to administer the respective web pages.
8.8 Right to Lodge a Complaint with a Supervisory Authority
According to Art. 77 GDPR, every data subject has the right to lodge a complaint with a supervisory authority if they believe that the processing of their personal data violates the GDPR.
Supervisory authorities within the meaning of the GDPR are the Federal Data Protection Commissioner and the State Data Protection Commissioners. For HSU / UniBwH as a German Armed Forces agency and a federal authority, the Federal Commissioner for Data Protection and Freedom of Information is the competent supervisory authority.
Graurheindorfer Straße 153
53117 Bonn
Independent of the right to lodge a complaint with the supervisory authority, a complaint can also be filed with the Data Protection Officer of the German Armed Forces (BfDBw).
Fontainengraben 150
53123 Bonn
9. Am I obligated to provide data?
For viewing the public internet presence of HSU / UniBwH, no personal data beyond log data is required. For using the content management system, the provision of personal data is necessary (see section 4). Without this data, creating and editing websites in the CMS is not possible.
The staff page allows voluntary information (photo, contact details) which can be entered by the user themselves or an authorized colleague.
10. To what extent is there automated decision-making in individual cases?
Automated decision-making according to Art. 22 GDPR does not take place.
11. To what extent are my data used for profiling (scoring)?
Automated processing of your personal data takes place. However, profiling or scoring does not occur.
12. Privacy policy for social media
We take the current discussion about data protection in social networks very seriously. It has not yet been conclusively clarified in law whether and to what extent all networks offer their services in compliance with European data protection regulations.
We therefore explicitly point out that the services used by HSU/UniBwH such as YouTube, Facebook, Instagram, Twitter, and Flickr store the data of their users in accordance with their data usage policies and use them for commercial purposes. HSU/UniBwH has no influence on the data collection and further use by the social networks. Thus, there is no knowledge about the extent, location, and duration of data storage, the extent to which the networks comply with deletion obligations, which analyses and links are made with the data, and to whom the data is passed on.