Why and how does the University process your data?
Personal data, i.e. information which is related to individuals, may be collected, stored, transferred, and processed in any other way if there is a legal basis allowing it or if the affected persons give their consent to it. Or in brief: if it is not allowed, it is prohibited.
In addition, it is crucial to the data protection that the data processing must always serve a particular purpose which must be determined in advance. We would therefore like to explain you the purposes and legal framework of the data processing which relate to these web pages.
Data processing: web presence
You may call up a web page like this: The web browser on the user’s device, e.g. Firefox (currently the most user-friendly browser in terms of data protection), which functions as a “HTTP client”, sends the web address entered (e.g. www.uni-jena.de) as a “HTTP request” to the provider’s computer, e.g. Deutsche Telekom, O2-Telefonica, to the “HTTP server” on which the website is stored. In the University’s network, for example, such a request does not reach external parties because the server is provided by the University Computer Centre. The HTTP server sends the web page or the particular files from which the web page consist (e.g. layout, texts, photos) to the HTTP client. While sending the request, the IP address of the user device is pass on to the HTTP server, too. An IP address is a 32-digit number which is assigned to the user devices connected to the Internet. As a result, each of these devices is addressable and reachable via the Internet. The IP address is a postal address of the virtual world and is attached to the data packages in a similar way as the address to the parcel.
Why to comply with data protection?
Because the IP address is considered personal data! The IP address is a piece of personal data because the service provider may identify a natural person based on the IP address. In the University’s network, something is clear: if you want to receive an identifier (e.g. log-in credentials) from the University Computer Centre, you must provide your name first. The HTTP request of a particular user device within the University’s network can be thus always linked to a specific person.
Other providers always know that a specific person or their business partner were assigned a particular IP address at a particular time. Hypothetically, the University may identify this natural person based on the right of access, for example, if this very person would attack the website. Hence the IP address is—either assigned by the University or by external providers— a piece of personal data.
The purpose of the data processing is obvious: in order to have the website displayed, the IP address must be processed first. No IP address—no website. The legal framework for the data processing is section 6 subsection 1(f) of GDPR. According to it, processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests of the affected person may override such interests. The legitimate interest of the University is to be able to display the website to persons. Bearing in mind the HTTP request sent, the person who wants to visit this website has the same interest.
Data processing: Google Maps
On our web pages, we use the Google Maps services. These are provided by: Google Inc., 1600 Ampitheatre Parkway, Mountain View, CA 94043, USA (hereinafter: Google). The services comprise, firstly, calling up maps stored on the servers in the U.S. which are owned by Google, and secondly, transmitting the IP address to Google and thus disclosing it. It seems likely, but we do not know it, that Google might record such server request and process it. Google processes data in accordance with the information on data protection mentioned above. Unfortunately, the document does not clearly state what does Google do with the IP addresses. Our apologies, dear user.
The purpose of this data processing within our web pages is to explain the users how to find us in the real world. The legal framework for the data processing is section 6 subsection 1(f) of GDPR. Our legitimate interest in using Google Maps is to present the University at our best.
On its web pages, the University uses the web analysis tool Matomo (formerly known as Piwik). Matomo is an open-access project meaning that it is not a commercial provider , but an open developer community offering this technology. Matomo is stored on and hosted by the University’s servers. While visiting our web pages, you hence do not call up any external servers. In comparison to the market leader Google Analytics, this already shows that Matomo is considerably user-friendlier in terms of data protection.
How does Matomo work?
When calling up the University’s web pages, your browser stores a “Matomo/Piwik cookie” so that your browser may be identifiable. Matomo’s software is able to track the HTTP requests of each browser. As a result, it is possible to identify which web pages you visited, for how long, and what other actions you might have done on the web pages.
Essentially, your complete IP address is only stored for a while within log files. While scanning these log files, the IP address is shortened by the last two digits so that users may not be identified anymore.
Why do we use Matomo?
Sometimes, online editors need to see which offers are considered good or which web pages our users read. This information help them optimize their offers to increase the number of visitors. At the same time, this is the legitimate interest of the University in accordance with section 6 subsection 1(f) of GDPR.
Another important information: according to the GDPR principle that any interests which may override the interests of the person (hypothetically), the person has the right to object to data processing due to specific personal situation. If you do not want us to track your behaviour while visiting our web pages, you can switch off the tracking option below. By doing so, you exercise your right to object without any additional examination of the specific personal situation.
Data processing: registration features
On our web pages, you may register to access protected areas. If you are studying at the University, your restricted area is called “Friedolin”; all employees of the University, for example, may access “HanFRIED”. In addition to those, there are other protected areas at the faculties and in the administrative units. Whether you may access them, depends on the status of your log-in credentials. If you register, both your IP address and your log-in credentials will be transmitted to the server.
The purpose of the registration features is to give you information which are meant for your role at the University, e.g. student/employee.
The legal framework of the data processing may vary depending on the area. If you are a student, it may be your obligation to use the online student management system Friedolin according to the given examination regulations. This type of processing is based on section 6 subsection 1(e) of GDPR. According to this section, the data processing is legal if it is necessary to perform a task which is in the public interest or it is performed by the official authority. In accordance with the Thuringian Higher Education Act (Thüringer Hochschulgesetz, ThürHG), one of the University’s tasks is to conduct teaching activities. These legal tasks, which are in the public interest, are manifested in the examination regulations.
If the registration features should fulfil a service-oriented function, e.g. HanFRIED, you may use it upon your own decision. By registering, your free consent based on the information you collected is then considered the legal framework in accordance with section 6 subsection 1(a) of GDPR. You can withdraw your consent any time with the future effect. Any data processing before the withdrawal of the consent remains legal.
Data processing: e-mail
On our website, there are numerous options to establish contact via e-mail. If you write us an e-mail, we process your e-mail address, the content of your e-mail, and the meta data predetermined by the server, e.g. the time your e-mail was sent. The purpose of this data processing is to establish contact and to receive information from you.
Similar to the registration feature, the legal framework depends on your relation towards the University. If you are a student or a member of academic/non-academic staff, you have the obligation to use the e-mail data processing or at least to tolerate it. This is in accordance with the examination regulations or your contract of employment with the University, respectively. In these cases, the legal framework for the data processing is section 6 subsection 1(e) of GDPR in conjunction with the Thuringian Higher Education Act, or section 6 subsection 1(b) of GDPR in conjunction with the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG), respectively.
If you are a member of one of the groups mentioned, your free consent based on the information you collected is considered the legal framework in accordance with section 6 subsection 1(a) of GDPR.
In brief: it is your decision whether you write us an e-mail or not. You can withdraw your consent any time. Any data processing before the withdrawal of the consent remains legal.