Privacy Statement Museums-Guide
As an app provider Universität Hamburg takes data protection very seriously. All personal data are held in the strictest confidence according to legal requirements, as described in this privacy statement.
Contact details for the controller
Pursuant to the General Data Protection Regulation, national data protection laws of the various Member States, and other privacy regulations, the responsible entity (“Controller”) is:
Tel: +49 40 42838-0
Fax: +49 40 42838-9586
Universität Hamburg Data Protection Officer contact details:
Der Datenschutzbeauftragte der Universität Hamburg
Tel.: +49 40 42838-2957
1. Scope of processing of personal data
We process personal data from our users only to the extent required to ensure the functionality, content, and service provision of the app. As a rule, processing of personal data occurs only with user consent. Exceptions to this rule include those cases in which consent was unable to be obtained for reasons of fact, and the processing of data is permitted by law.
2. Legal basis for the processing of personal data
Processing of data based on consent granted by the data subject is lawful pursuant to Article 6 paragraph 1 letter a General Data Protection Regulation (GDPR). Processing of personal data for the purpose of fulfilling contractual obligations to the data subject is lawful pursuant to Article 6 paragraph 1 letter b GDPR. This also applies to the preparatory process required for pre-contractual measures. Processing of personal data required by law is lawful pursuant to Article 6 paragraph 1 letter c GDPR. Processing of personal data required by the vital interests of the data subject or another natural person is lawful pursuant to Article 6 paragraph 1 letter d GDPR. Processing of personal data to safeguard a legitimate interest of our organization or that of a third party which is not outweighed by the interests, constitutional rights, and basic freedoms of the data subject is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
3. Erasure of data and duration of storage
Personal data of the data subject will be deleted or blocked as soon as it is no longer required for the purpose for which it was collected. Further storage may occur when stipulated by European or national directives, laws, or other statutory instruments which so require. Blocking or erasure of data also occurs when the storage period stipulated by said law expires, unless further storage of data is required to execute an agreement or fulfill a contractual obligation.
Accessing the app and creation of log files
1. Description and scope of the data processing
Data and information are collected every time this app is accessed or used. These data and information are stored in log files on the server and can include:
• IP address
• browser type / browser version
• date and time the website was accessed
• user Internet service provider
• user operating system
• referring website
• websites accessed by the user’s system through our website
2. Legal basis for the processing of personal data
The temporary storage of data and log files is lawful pursuant to Article 6 paragraph 1 letter f GDPR.
3. Purpose of data processing
The IP address is temporarily stored in the system as it is necessary to provide app access for the user’s device. The IP address is retained while that website is being accessed.
These log files are stored to ensure app functionality, optimize app content, and ensure the security of our IT system.
4. Period of storage
The data will be deleted when they are no longer needed for the purpose for which they were collected. For data collected to provide access to the app, this will be at the end of every session.
For log files, this will occur after seven days at the latest. Data may be stored longer, in which case user IP addresses are deleted or anonymized, rendering it impossible to link the data to any individual.
5. Right to object and right to withdraw consent
You may exercise your rights to withdraw consent, to object, and to rectification by contacting the Data Protection Officer of Universität Hamburg:
Datenschutzbeauftragter der Universität Hamburg
Mittelweg 177, 20148 Hamburg
Links to websites
The providers of external websites are solely responsible for their content.
Rights of the data subject
Under the GDPR, where your data is processed, you are the data subject, and as such, have the following rights:
1. Right to information
You have the right to ask for confirmation as to whether we are processing your personal data and the extent of that processing.
In the case of a processing of your data, you have the right to the following information:
(1) the purpose for which your personal data are being processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients who have seen or who may see your personal data;
(4) the intended duration of storage for your personal data, or where a specific duration is not known, the criteria by which this duration will be determined;
(5) the existence of a right to rectification or deletion of personal data, a right to restriction of processing or to object to processing of personal data by the Controller;
(6) the right to lodge a complaint with a supervisory authority;
(7) all available information regarding the data source when not collected directly from you;
(8) the existence of a decision-making process based solely on automated processing, including profiling in accordance with Article 22 paragraph 1 and paragraph 4 GDPR, and at least in such cases, to obtain meaningful, relevant information regarding the logical processes involved and the scope and intended effects of such processing for the data subject.
You have the right to demand information on whether your personal data will be transferred to another country or international organization. In this context, you may demand to be informed of the appropriate safeguards pursuant to Article 46 GDPR to which the transfer is subject.
2. Right to rectification
You have the right to obtain from the Controller the rectification and/or completion of any incorrect or incomplete data. The Controller must provide this without undue delay.
3. Right to restriction of processing
You have the right to restriction of processing of your personal data where one of the following applies:
(1) if you are contesting the accuracy of your personal data, you have the right to restrict processing for a period of time which enables the Controller to verify the accuracy of the personal data;
(2) if processing is unlawful and you have rejected the erasure of your personal data and instead demand that the processing be restricted;
(3) the Controller no longer requires the data for the purposes for which it was collected, but you require it for establishing, exercising, or defending a legal claim; or
(4) if you have objected to the processing pursuant to Article 21 paragraph 1 GDPR and it has not yet been established if the legitimate interests of the Controller override your interests.
Where processing of your personal data has been restricted, with the exception of its storage, such data may only be processed with your consent, or for the purpose of establishing, exercising, or defending a legal claim or to protect the rights of other natural or legal persons or for reasons of an important public interest of the Union or of a Member State.
Where the right to restriction of processing has been exercised pursuant to the above, you will be informed by the Controller prior to that restriction being lifted.
4. Right to erasure (“right to be forgotten”)
a) Obligation to erase
You may obtain from the Controller that all personal data pertaining to you are erased without undue delay, and the Controller is obliged to erase such data without undue delay where one of the following applies:
(1) the personal data are no longer required for the purpose for which it was collected;
(2) you have withdrawn the consent on which the processing was based pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you have objected to the processing pursuant to Article 21 paragraph 2 GDPR;
(4) the processing of your personal data is unlawful;
(5) your personal data must be erased to comply with a legal obligation in Union or Member State law to which the Controller is subject;
(6) your personal data have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
b) Information to third parties
Where the Controller has made the personal data public and is obliged to erase it pursuant to Article 17 paragraph 1 GDPR, the Controller shall take reasonable steps, including technical measures, in light of available technology and the cost of implementation, to inform controllers who may be processing the personal data that the data subject has requested erasure of copies or reproductions of such data and any links to it.
There is no right to erasure where the processing is necessary:
(1) for the exercise of the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under the law of the Union or a Member State to which the Controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller;
(3) for reasons of public interest in the area of public health pursuant to Article 9 paragraph 2 letters h and i, and Article 9 paragraph 3 GDPR;
(4) for archiving purposes in the public interest, for academic or historical research purposes, or statistical purposes in accordance with Article 89 paragraph 1 GDPR insofar as the right referred to in a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing;
(5) for establishing, exercising, or defending legal claims.
5. Right to notification
If you have exercised your right to rectification, erasure, or restriction of processing, the Controller is obliged to inform all recipients to whom your personal data has been disclosed of this rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to request information from the Controller about any such recipients.
6. Right to data portability
You have the right to receive in a structured, commonly used, and machine-readable format any personal data concerning you which you have provided to the Controller. You also have the right to transmit this data to another Controller without hindrance from the Controller to whom the data was provided as long as:
(1) the processing is based on consent pursuant to Article 6 paragraph 1 letter a or Article 9 paragraph 2 letter a GDPR or in a contract pursuant to Article 6 paragraph 1 letter b GDPR and
(2) the processing is carried out by automated means.
In the exercise of this right, you also have the right to have the personal data transmitted directly from one Controller to another, where technically feasible. The rights and freedoms of others may not be adversely affected by this.
The right to data portability does not apply to the processing of personal data required for the performance of a task in the public interest or in the exercise of official authority vested in the Controller.
7. The right to object
You have the right to object, on grounds related to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 subsection 1 letters e or f GDPR. This also applies to profiling based on these provisions.
The Controller will no longer process your personal data unless able to demonstrate compelling reasons that override your interests, rights, and freedoms or the processing is required for establishing, exercising, or defending a legal claim.
Where your personal data are processed for direct marketing purposes, you have the right to object to the processing of your data for such purposes at any time; this also applies to profiling to the extent related to such direct marketing.
If you object to the processing of your data for direct marketing purposes, the personal data will no longer be processed for such purposes.
For data used by information society services, you may exercise your right to object notwithstanding Directive 2002/58/EC, by automated means using technical specifications.
8. Right to withdraw data protection declaration of consent
You have the right to withdraw your data protection declaration of consent at any time. This does not affect the lawfulness of processing carried out based on your consent prior to its withdrawal.
9. Automated decision-making in individual cases, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which precludes legal effects that otherwise significantly affect you. This does not apply if the decision
(1) is necessary for entering into or performance of a contract between you and the Controller;
(2) is authorized by Union or Member State law to which the Controller is subject and these legal provisions also lay down appropriate measures to safeguard your rights and freedoms as well as your legitimate interests; or
(3) it is based on your explicit consent.
These decisions may not be based on special categories of personal data referred to in Article 9 paragraph 1 GDPR, as long as Article 9 paragraph 2 letters a or g apply and appropriate measures to safeguard your rights, freedoms, and legitimate interests are in place.
In the cases listed in (1) and (3), the Controller must implement appropriate measures to safeguard your rights, freedoms, and legitimate interests, which includes at the least the right to human intervention on the part of the Controller to express his or her point of view and to contest the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular, in the Member State in which you are habitually resident, where you work, or the location in which the alleged infringement took place if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority with whom you lodge your complaint will inform the complainant about the progress and the outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.
The supervisory authority for data protection is:
Hamburgischer Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Str. 22, 7. OG
Tel: +49 40 42854-4040
Fax: +49 40 42854-4000
This translation is for information only — only the German version shall be legally valid and enforceable.