Privacy Statement
HafenCity Universität Hamburg’s (HCU) website can in principle be used without providing any personal data. However, if you would like to use the university's special services via our website, processing of personal data may be necessary. If processing of personal data is necessary and there is no statutory basis for such processing, we generally ask for your consent.
Personal data are all types of information that refer directly or indirectly to an identifiable natural person. Processing of personal data, such as your name, your address, e-mail address, telephone number or an online ID is always performed in accordance with the Datenschutz-Grundverordnung [General Data Protection Regulation] and consistent with the state-specific data protection regulations that apply to HCU Hamburg. With this privacy statement, our university wants to inform the public about the type, extent and purpose of the personal data that we collect, use and process. In addition, this privacy statement explains the rights to which you are entitled.
Name and address of the data controllers
Responsible in terms of the General Data Protection Regulation, other privacy protection laws applicable in Member States of the European Union and other regulations related to data protection is:
HafenCity Universität Hamburg (HCU)
Henning-Voscherau-Platz 1, 20457 Hamburg, Germany
Tel.: +49 (0)40 42827-5033
E-mail: hcu-kommunikation(at)vw.hcu-hamburg.de
Website: www.hcu-hamburg.de
Legal structure
Corporation under public law
Legal representative
President Prof. Dr. Jörg Müller-Lietzkow
Responsible supervisory authority
Behörde für Wissenschaft, Forschung, Gleichstellung und Bezirke (BWFGB) [Agency for Science, Research, Equality and Districts]
Hamburger Straße 37, 22083 Hamburg, Germany
Name and address of privacy officer
Information security and privacy officer
Henning-Voscherau-Platz 1, 20457 Hamburg, Germany
E-mail: hcu-datenschutz(at)vw.hcu-hamburg.de
We process our users’ personal data in principle only to the extent necessary for providing a functional website, as well as our content and services. Personal data is processed regularly only after the user consents. An exception exists in such cases where obtaining prior consent is not possible for practical reasons and processing of the data is permitted by statutory provisions. As a conscientious organization we do not use automatic decision-making or profiling.
The legal basis for some processing operations of personal data is consent by the data subject in terms of Sec. 6, Para. 1, letter a of the European Union General Data Protection Regulation (GDPR).
Performance of a contract (in terms of Sec. 6, Para. 1, letter b GDPR) to which the data subject is a party is also listed as a corresponding legal basis. This also applies to processing operations that are necessary to perform pre-contract measures.
If a processing operation is performed to meet a legal obligation (in terms of Sec. 6, Para. 1, letter c GDPR), a note about this fact is provided.
If personal data are processed in a case where the vital interests of the data subject or another natural person require this (Sec. 6, Para. 1, letter d GDPR), we explain that fact.
HCU is bound to perform tasks carried out in the public interest (Sec. 6, Para. 1, letter e GDPR) in the university sector (especially research, teaching, studies and continuing education) according to Sec. 3 and Sec. 4 in conjunction with Sec. 111 HmbHG [Hamburg University Act], which is relevant as a legal basis for processing personal data.
If processing of personal data is necessary to pursue a legitimate interest of HCU or a third party, and the interests, fundamental rights and freedoms of the data subject do not override the interest mentioned first (Sec. 6, Para. 1, Letter f GDPR), this circumstance suffices as a legal basis.
The applicable legal basis in each case is listed as part of the processing operation.
The data subject’s personal data are deleted or locked once the purpose for which they were stored no longer applies. They can be stored beyond that time if such storage was provided for by a European or national legislative body in [European] Union legal regulations, laws or other provisions to which the controller is subject. Data are also locked or deleted when a storage period required by one of the standards listed above expires, unless further storage of the data is necessary to enter into a contract or perform under a contract.
HCU Hamburg uses cookies to simplify users’ utilization of the website, for example, so that access data to non-public areas of the website do not need to be re-entered with each visit.
Cookies are text files that are saved and stored on a computer system via an Internet browser. Many cookies contain a “cookie ID.” A cookie ID is a unique identifier of the cookie. It consists of a series of characters that allow Internet pages and servers to be assigned to the specific Internet browser in which the cookie was saved. This allows the Internet pages and servers that were visited to distinguish the user’s individual browser from other Internet browsers that contain other cookies.
You can prevent our website from setting cookies at any time by changing the corresponding settings in the Internet browser that you use; this permanently objects to the setting of cookies. Furthermore, you can always use your Internet browser to delete cookies that have already been set. If cookies are disabled in the Internet browser that you use, not all functions on our website may be available to their full extent.
When using these general data and information, HCU Hamburg does not draw any conclusions about persons. Rather, these data are needed to
(1) correctly deliver the content on our website,
(2) optimize the content on our website,
(3) ensure permanent functioning of our information technology systems and our website’s technology, and
(4) in case of a cyber attack, provide law enforcement agencies with the information needed to enforce the law.
These anonymously collected data and information are therefore analyzed by HCU Hamburg statistically and furthermore with the goal of increasing data protection and data security at our university, which in the end ensures the best protection level for the personal data that we process. The server log files’ anonymous data are stored separately from any personal data provided by a user.
You have the option to register for various services on our website by providing personal data, e.g., to take part in events or to subscribe to our newsletters. The personal data that are transmitted to the data controller in the process can be seen from the entry screen that is used for each registration. The personal data you enter are collected and stored solely for internal use at the data controller and solely for the purposes listed. The data controller can initiate transfer to one or more processors, for example a newsletter service; that processor will also use the personal data solely for the intended purposes listed.
By registering on the HCU Hamburg website, the IP address assigned by your Internet Service Provider (ISP) and the time of registration are saved. These data are stored in the context of preventing misuse of our services, which is only possible in this way, and of allowing for the resolution of offenses committed, if necessary. In this respect, storing these user data is necessary to protect the data controller. These data are in principle not transferred to third parties, unless there is a legal obligation to transfer or the transfer serves a law enforcement purpose.
Registration with voluntarily provided personal data allows the data controller to provide content or services that because of their nature can only be offered to registered users. At any time, registered users have the option to have the personal data provided during registration changed or entirely deleted from the database of the data controller.
If you have registered, the data controller will at any time provide information about the personal data that is stored about you. Furthermore, the data controller will correct or delete the personal data on request or notification, unless legal retention requirements prohibit this.
The HCU Hamburg website provides the opportunity to subscribe to various newsletters. Which personal data are transmitted when the newsletters are ordered can be seen on the entry screen used.
The HCU Hamburg newsletter can in principle only be received if (1) the subscribing user has a valid e-mail address and (2) he or she registers for the newsletter mailing. For legal reasons, a confirmation e-mail is sent in a double-opt-in process to the e-mail address that has initially been entered for the newsletter mailing. This confirmation e-mail is used to verify whether the owner of the e-mail address has authorized receipt of the newsletter.
The personal data collected in the context of registering for the newsletter are solely used to mail our newsletter. Furthermore, newsletter subscribers can receive information via e-mail, if this is necessary to operate the newsletter service or for a related registration, such as would be the case if the range of newsletters offered changes or if the technical conditions are adjusted. Personal data collected in the context of the newsletter service are not transferred to third parties. Subscription to our newsletter can be canceled at any time. Consent to storage of personal data can be withdrawn at any time. For the purpose of withdrawing consent, each newsletter features a corresponding link or e-mail address. Furthermore, there is the option to unsubscribe from newsletter mailings directly on our website at any time or to inform the data controller about this in another manner.
Due to statutory provisions, the HCU Hamburg website contains information that allows for quick electronic contacting and direct communication with us, which also includes a general e-mail address. If you contact us via e-mail or via a contact form, the transmitted personal data are automatically stored. Such voluntarily transmitted personal data are stored for the purpose of processing your communication or contacting you. These personal data are not transferred to third parties.
Your personal data will be stored in the library management system of the Library of the HafenCity University exclusively for circulation purposes and to contact you in the context of your membership. Storage and use take place under section 4 of the Hamburg Data Protection Act from May 18, 2018 (HmbGVBl. p. 145) and the terms of use of the libray. Passing on of stored data is only allowed as official assistance in case of delayed return with an unsuccessful reminder as well as in the course of the collection of fees. The registration data is transmitted in encrypted form.
The literature search engine requires technical cookies. These include the session ID, which is necessary for maintaining the login, for example. In addition, cookies are set for entries in the watch list (record IDs, "source" of the entries, i.e. whether they come from the "Books & more" or the "Articles" tab). Session cookies and stored titles of users without login are deleted at the end of the session. Log data is deleted after seven days. For statistical analysis, the library uses "Matomo" (formerly "PIWIK") with the literature search engine. This is an open source tool for web analysis. No cookies are set and the IP addresses are anonymized. You can find more information about the behavior of matomo here. This data is not passed on to third parties.
The HCU library offers the possibility to get in contact with the staff via a chat (Userlike). The use of the chat as well as the possible specification of the data of the users are voluntary. The chat can also be used anonymously/pseudonymously. A location determination or other collection of log data does not take place. Browser cookies, which are only required for the technical processing of the chat environment, are deleted after one day. The data is processed and stored exclusively for the purpose of answering queries and on the basis of necessity for the user relationship (Art. 6 para. 1 b DSGVO) or otherwise on the basis of legitimate interest (Art. 6 para. 1 f DSGVO) via a certified data center of the chat program provider in Germany. Only the employees of the HCU library have access. The data is generally not passed on unless this is necessary to respond to the request. The transcripts of the chat consultation are deleted after 30 days at the latest, after a statistical evaluation for internal purposes (number of chats per month, requested topics).
HCU Hamburg collects and processes the personal data of job applicants for the purpose of handling the application process. Processing can also occur electronically. This is the case, in particular, if the applicant has transmitted corresponding application documents electronically, for example via e-mail or via a web form on the website, to HCU Hamburg. If HCU Hamburg enters into an employment agreement with an applicant, the transmitted data are stored for the purpose of handling the employer-employee relationship while observing the statutory provisions. If no employment agreement is entered into with the applicant, the application documents are automatically deleted two months after notification on the decision to reject the applicant, unless such a deletion conflicts with other legitimate interests of HCU Hamburg. Other legitimate interests in this context are, for example, a burden of proof in proceedings under the Allgemeines Gleichbehandlungsgesetz (AGG) [General Equal Treatment Act].
Here (in German) you will find all information on data protection in the procurement process.
Each user of our services has the right to demand a confirmation from the data controller as to whether that entity is processing data about this user; this right was granted by the European body issuing directives and regulations.
If you would like to use the right to confirmation, you can approach us at any time at the contact addresses listed above.
Each person affected by the processing of personal data (data subject) always has the right to receive information free of charge from the data controller about the personal data stored about him or her and to receive a copy of that information; this right was granted by the European body issuing directives and regulations. Furthermore, the European body issuing directives and regulations has conceded to each data subject information about the following data:
- The purposes of processing
- The categories of personal data that are processed
- The recipients or categories of recipients to whom the personal data have been disclosed or will be disclosed, especially with respect to recipients in third countries or at international organizations
- If possible, the planned period for which the personal data will be stored, or if this is not possible, the criteria for determining this period
- Existence of a right to rectification or deletion of the personal data concerning him or her or to restricting processing by the controller or the right to object to this processing
- Existence of a right to lodge a complaint with a supervisory authority
- If the personal data are not collected from the data subject: All available information about the source of the data
- Existence of automated decision-making, including profiling, according to Sec. 22, Para. 1 and 4 GDPR and -- at least in those cases -- meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
Furthermore, users have a right to information as to whether personal data were transferred to a third country or an international organization. If that is the case, they can demand information about the appropriate safeguards in connection with the transfer.
If you would like to use the right to information, you can approach us at any time at the contact addresses listed above.
Each data subject has the right to request prompt rectification of incorrect personal data concerning him or her; this right was granted by the European body issuing directives and regulations. Furthermore, while taking into account the purposes of processing, the data subject has the right to request completion of incomplete personal data - also by means of a supplementary statement.
If you would like to use the right to rectification, you can approach us at any time at the contact addresses listed above.
Each data subject has the right to demand from the data controller that the personal data concerning him or her be promptly deleted, if one of the reasons below applies and to the extent that processing is not necessary; this right was granted by the European body issuing directives and regulations.
- The personal data were collected or otherwise processed for purposes for which they are no longer needed.
- The data subject withdraws his or her consent on which processing according to Sec. 6, Para. 1, letter a GDPR or Sec. 9, Para. 2, Letter a GDPR is based, and there is no other legal basis for the processing.
- The data subject objects to the processing according to Sec. 21, Para. 1 GDPR and there are no overriding legitimate reasons for processing, or the data subject objects to the processing according to Sec. 21, Para. 2 GDPR.
- The personal data were processed unlawfully.
- Deletion of the personal data is necessary to comply with a legal obligation according to Union law or the law of the Member States to which the controller is subject.
- The personal data were collected with regard to information society services according to Sec. 8, Para. 1 GDPR.
If one of the reasons above applies and you would like to initiate deletion of personal data that are stored at HCU Hamburg, you can approach us at any time using the contact options listed above. We will arrange that the request for deletion is promptly honored.
If the personal data have been made public by HCU Hamburg and our university, as the controller according to Sec. 17, Para. 1 GDPR, is required to delete the personal data, HCU Hamburg - taking into account available technology and the cost of implementation - will take reasonable steps, including technical measures, to inform other data controllers who process the published personal data that the data subject has requested the erasure by such other data controllers of any links to these personal data, or of copies or replications of these personal data, unless processing is necessary.
- The accuracy of the personal data is contested by the data subject, namely for a period that enables the controller to verify the accuracy of the personal data.
- Processing is unlawful, the data subject opposes erasure of the personal data and requests instead that the use of personal data be restricted.
- The controller no longer needs the personal data for the processing purposes, but the data subject needs the data to establish, exercise or defend legal claims.
- The data subject has objected to processing according to Sec. 21, Para. 1 GDPR and it is not yet clear whether the controller’s legitimate reasons override those of the data subject.
Each data subject has the right to receive the personal data concerning him or her, which the data subject provided to a controller, in a structured, commonly used and machine-readable format; this right was granted by the European body issuing directives and regulations. He or she also has the right to transmit these data to another controller without hindrance from the controller to which the personal data have been provided, if processing is based on consent according to Sec. 6, Para. 1, Letter a GDPR or Sec. 9, Para. 2, Letter a GDPR or on a contract according to Sec. 6, Para. 1, Letter b GDPR and processing is carried out by automated means, unless processing is needed to perform a task carried out in the public interest or to exercise official authority vested in the controller.
Furthermore, when exercising his or her right to data portability according to Sec. 20, Para. 1 GDPR, the data subject has the right to have the personal data transmitted directly from one controller to another controller, if this is technically feasible and does not infringe on the rights or freedoms of other persons.
To assert the right to data portability, you can approach us at any time by using the contact options listed above.
Each data subject has the right to object, at any time on grounds relating to his or her particular situation, to processing of personal data concerning him or her that is based on Sec. 6, Para. 1, Letter e or f GDPR; this right was granted by the European body issuing directives and regulations. This also applies to profiling based on these provisions.
In case of an objection, HCU Hamburg no longer processes the personal data, unless we can prove compelling legitimate reasons for the processing that override the interests, rights and freedoms of the data subject, or processing serves to establish, exercise or defend legal claims.
If HCU Hamburg processes personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data for the purpose of such marketing. This also applies to profiling to the extent that it is related to such direct marketing. If the data subject objects to processing for direct marketing purposes with respect to HCU Hamburg, HCU Hamburg will no longer process the personal data for such purposes.
Furthermore, the data subject, on grounds relating to his or her particular situation, has the right to object to processing of personal data concerning him or her that is performed at HCU Hamburg for scientific or historical research purposes or for statistical purposes according to Sec. 89, Para. 1 GDPR, unless such processing is necessary for the performance of a task carried out for reasons of public interest.
To assert the right to object, you can approach us directly by using the contact options listed above. In the context of using information society services, notwithstanding Directive 2002/58/EC, you are also free to exercise your right to object by automated means where technical specifications are used.
Each data subject has the right - granted by the European body issuing directives and regulations - not to be subject to a decision based solely on automated processing, including profiling, that produces legal effects concerning him or her or similarly significantly affects him or her, unless the decision:
(1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or
(2) is based on Union or Member State law to which the controller is subject and the law lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or (3) is made based on the data subject's explicit consent.
If the decision
(1) is necessary for entering into, or performance of, a contract between the data subject and the controller, or
(2) is made based on the data subject's explicit consent, HCU Hamburg takes suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, which include at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
If you would like to assert rights with regard to automated decisions, you can approach us for this purpose at any time by using the contact options listed above.
Each data subject has the right to withdraw consent to processing of personal data at any time; this right was granted by the European body issuing directives and regulations.
If the data subject would like to assert his or her right to withdraw consent, he or she can at any time approach an employee of the data controller.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your residence, place of work or place of the alleged infringement, if you believe that the processing of personal data relating to you violates the GDPR.
The supervisory authority with which the complaint has been lodged informs the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy according to to Article 78 GDPR.
