Imprint and Privacy Policy

Contact

Responsible Service Provider according to § 5 TMG

Hochschule Trier · Trier University of Applied Sciences
Schneidershof
54293 Trier

Phone: +49 (0)651 8103 445
Fax: +49 (0)651 8103 557

praesidialbuero@hochschule-trier.de
www.hochschule-trier.de

The Trier University of Applied Sciences is a public corporation.
Prof. Dr. Dorit Schumann, President of the Trier University of Applied Sciences, is the authorised representative according to § 79 HochSchG.

Sales tax identification number according to § 27 a UStG: DE 155 681 598

Competent Supervisory Authority

Ministerium für Wissenschaft und Gesundheit des Landes Rheinland-Pfalz
Mittlere Bleiche 61
55116 Mainz

Phone: +49 (0)6131 16 0
Fax: +49 (0)6131 16 2997

poststelle@mwg.rlp.de
mwg.rlp.de

Responsible for Content according to § 18 Abs. 2 MStV

Prof. Dr. Dorit Schumann
praesidialbuero@hochschule-trier.de
www.hochschule-trier.de/hochschule/organisation/praesidium

Data Protection Officer

Prof. Dr. Konstantin Knorr
datenschutz@hochschule-trier.de

Privacy Policy

The protection of your personal data is important to us. We collect such data only insofar as technically necessary as such data enjoys special protection. We would like to explain to you hereafter – according to our obligation by law – which data will be collected as you use our web application and how we use such data. The way we handle your data is in accordance with the rules of the EU-General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) as well as the State Data Protection Act of Rhineland-Palatine (LDSG).

If we refer via links to other providers, such providers may have other principles and rules concerning data collection, processing and data use.

General

Legal Basis

Art. 6 sec. 1 lit. (a) GDPR shall be the legal basis if and insofar we obtain approval of the affected person for the processing of personal data.

Art. 6 sec. 1 lit. (b) GDPR shall be the legal basis when we process personal data which is essential for the performance of a contract of which the affected person is a contracting party. This shall also apply for processing activities which are necessary for the execution of pre-contractual measures.

Art. 6 sec. 1 lit. (c) GDPR shall be the legal basis if it is necessary to process personal data to fulfil a legal obligation which has to be satisfied by the service provider.

Art. 6 sec. 1 lit. (d) GDPR shall be the legal basis if vital interests of the affected person or another person require the processing of personal data.

Art. 6 sec. 1 lit. (f) GDPR shall be the legal basis if the data processing is essential for the protection of legitimate interests of the service provider or a third person and if such legitimate interests are not predominated by fundamental rights and liberties of the affected person.

Scope of Processing of Personal Data

We generally process personal data of our users only and insofar as this is necessary for the provision of operating a web application including its content and our activities for the specific purpose indicated. Processing of personal data of our users only happens after we have received the individual user‘s consent. This shall not apply if obtaining user’s prior consent is not feasible for practical reasons and if the processing of data is permitted by rule of law.

Appropriation and Time of Data Storage

If you put personal data at our disposal due to your consent, we will use such data only for the purpose covered by your prior consent. Data storage beyond that purpose may be possible if EU or national rules of law or other rules and regulations which are binding for us, permit such storage. We will respect your protection requiring interests according to the rules of law.

All personal data of an affected person will be deleted or locked as soon as the purpose is omitted. This shall also take place if a stipulated blocking period expires.

Recording and Storage of Contact Data and Presence Times

Description and Scope of Data Processing

Personal QR Code

Before you can check into a session, you must generate your personal QR code. By generating the QR code, the personal information you enter (Name, address, phone number and optionally an e-mail address) is only stored locally on your own device.

Check-in and check-out

You can check into a session by letting a session host scan your personal QR code. The personal information mentioned above is transferred to the session host's device and linked to a session (see below). A timestamp of your check-in is also stored.

You can check out of a session by letting the session host scan your personal QR code again. A timestamp of your checkout is saved. If you do not check out manually, you are automatically checked out when the session host closes the session.

Sessions

When a session is started, the name of the room and a timestamp are stored locally on the session host's device. The session host is automatically checked in.

When a session ends, another timestamp is saved and all checked-in visitors are automatically checked out.

When a session is ended, the associated data is transferred to a central database managed by the service provider. If this is not possible (e.g. because there is no Internet connection at that time), the data remains encrypted on the session host's device and is transferred to the central database as soon as this is possible again.

Legal Basis for Data Processing

The legal basis for this is Art. 14 section 1 of the 27th Corona Control Regulation of the State of Rhineland-Palatinate of 04.11.2021. In case of a concrete suspicion of infection, the responsible public health department in Trier (Paulinstraße 60, 54292 Trier) is the recipient of this data.

Purpose of Data Processing

We collect and store the above-mentioned data for the purpose of providing information to the responsible public health department.

Timespan of Data Storage

We will delete the above-mentioned data in accordance with Art. 1 sec. 8 of the 27th Corona Control Regulation of the State of Rhineland-Palatinate of 04.11.2021 four weeks after receipt.

Recording, Storage and Verification of the GGG Status

Description and Scope of Data Processing

Recording and Storage of the GGG Status

The recording of the GGG status is performed by personnel of the service provider. It establishes the type of status (Tested with antigen or PCR test, vaccinated, recovered or other) as well as the date relevant for it (date of the test, of the last relevant vaccination or of the establishment of recovery) on the basis of the documents provided by the user (such as a proof of a test, a vaccination certificate, a proof of recovery from a doctor). From this information, a validity period is calculated depending on the type of status.

By scanning the personal QR code during recording, the validity period is linked to the user's identity (ID and hash value) and transferred to a central database managed by the service provider.

Verification of the GGG Status

When checking in to a session, the visitor's ID contained in the personal QR code and a hash value is transmitted to the server. It checks whether a validity period has been recorded for this user and if so, whether the status is currently still valid or not.

Legal Basis for Data Processing

The processing of the GGG status takes place on a voluntary basis. By recording the GGG status, the user declares his consent to the collection and storage of the above-mentioned data.

Purpose of Data Processing

We collect and store the above-mentioned data for the purpose of ensuring mandatory testing of non-vaccinated and non-recovered visitors of events in accordance with Art. 14 section 1 of the 27th Corona Control Regulation of the State of Rhineland-Palatinate of 04.11.2021.

Timespan of Data Storage

We will delete the above-mentioned data at the end of the validity period.

Use of Cookies and Local Storage

So called 'cookies' are small text files which may be placed on your computer by your web browser. The act of placing a cookie file is called to 'set a cookie'. You may adjust your web browser according to your own wishes so that you will be informed about any placing of a cookie and then you may decide either – from case to case – whether you want to accept the cookie or generally not accept it or generally accept it. Cookies may be used for different purposes, e.g. to recognise if your computer has had a connection to a web service (permanent cookies) or to be able to store web services which you have looked at last (session cookies).

We use cookies - to permanently store the language you have selected, and - to store your authorization information for the duration of a web browser session after you log in.

To use our web application, you must allow cookies to be set for our web application.

Local Storage is another storage area provided to our web application by the web browser to store data permanently. Unlike cookies, which can be accessed by both the server and the client, Local Storage is managed entirely by the client. Data is not transferred to the server with every server request. Thus, no other web services can access this storage area.

We use the Local Storage to store all the information mentioned above on the client side.

Creation of Log Files

Description and Scope of Data Processing

On each request of the web application to the central server our system automatically collects and records data and information coming from the user’s computer system.

Following data will be collected: - IP-address - Date and time of the request - Requested Resource - Information about the success of the request

Legal Basis for Data Processing

Art. 6 sec. 1 lit. (f) GDPR shall be the legal basis for the temporary filing of data and the log files.

Purpose of Data Processing

The temporary storage of the IP-address by the system is necessary to facilitate the delivery of our web application to user’s computer.

We use all access data mentioned above exclusively in a non-personalised format for the continuous improvement of our web application by use analysis as well as to resolve any problems.

Timespan of Data Storage

The data mentioned above will be deleted as soon as the storage is not necessary any longer to reach the intended purpose of their collection. This is the case within 3 months with respect to data collection for the provision of the web application, after analysis and potential problems have been solved.

No Possibility to Object

The logging of your IP-address is absolutely essential for the provision and operation of our web application as well as the data storage in log files. Hence, there is no possibility for the user to object.

Data Transfer

We do not pass on to third persons the data mentioned above.

E-Mail-Contact

Description and Scope of Data Processing

Any user may contact us by e-mail. In such a case we will record all of user’s personal data transferred, the e-mail-address itself as well as the content of the message. Such data will be used exclusively for the processing of the conversation.

We apply for your permission for the data processing when you contact us and we will refer to this privacy policy.

We do usually not pass on any of your data to third persons. If – nonetheless – we pass on data in single cases, we will inform you adequately.

Legal Basis for the Data Processing

Art. 6 sec. 1 lit. (a) GDPR is the legal basis for the data processing in case user has given his consent.

Art. 6 sec. 1 lit. (f) GDPR is the legal basis for the processing of data which has been transferred due to e-mail correspondence. If the e-mail contact is aimed at the conclusion of a contract, Art. 6 sec. 1 lit. (b) GDPR is an additional legal basis.

Purpose of Data Processing

Processing of personal data coming from the message forms and/or entry masks will be used only for the purpose which is mentioned in connection with the message forms and/or entry masks. If you contact us via e-mail, such purpose is the handling of your contact. At the same time the handling of your contact constitutes the necessary legitimate interest in processing the data.

Timespan of Data Storage

Data will be deleted as soon as the purpose for the collection of data has been reached. This is the case with respect to the personal data transferred by e-mail as soon as the conversation with the user is finalised. The conversation shall be deemed finalised if the parties have resolved the concerned issue terminally.

If there is a deadline for the time of data storage, we will inform you adequately at the particular place.

Right of Objection and Elimination

User has the right to withdraw his consent for the processing of his personal data at any time. If user contacts us via e-mail, he may revoke the storage of his personal data at any time. Nonetheless, conversation with user may not be continued in such a case.

You may withdraw your consent or revoke the data storage by e-mail.

All personal data which we have stored in the course of the contact will be deleted in such a case.

Data Security and Data Protection, Communication by E-Mail

Your personal data will be stored in such a way that it will not be accessible for third persons by using all technical and organisational measures. The web application is protected via cryptographic protocols as e.g. SSL/TLS.

When using communication via e-mail we cannot guarantee perfect data security. Hence, we recommend using regular mail if the transferred information is sensitive.

Rights

If we process your personal data you are the „aggrieved party“ in the sense of the GDPR. As a consequence you are entitled to the following rights (towards the responsible person):

Right of Information

You have the right to ask the responsible person for a confirmation whether your personal data has been processed by us.

If such data processing took place, you have the right to ask the responsible person for the following information: - the purpose for which the personal data has been processed - the categories of personal data which has been processed - the receivers resp. the categories of receivers to whom we have revealed your personal data or to whom we will reveal your personal data - the intended time span of data storage of your personal data or – if specific information is not possible – certain criteria for the time span of data storage - the existence of a right of objection or elimination of your personal data as well as a right of restriction of data processing by the responsible person or a right of objection against any data processing - the existence of a right of complaint at a regulatory authority - all available information where the data comes from if the personal data has not been directly collected from the concerned person - the existence of an automated decision making process including profiling according to Art. 22 sec. 1 and 4 GDPR and – at least in such cases – significant information about the involved logic as well as the scope and the sought effects of such processing for the concerned person. You have the right to ask for information whether your personal data will be transmitted in a third country or to an international organisation. You have the right to ask for information about the appropriate guarantees in connection with the transmission according to Art. 46 GDPR.

Right of Correction

You have a right of correction and/or completion of your personal data against the responsible person if your processed personal data is not correct or incomplete. The responsible person has to carry out the correction immediately.

Right of Restriction of Data Processing

You have the right to ask for the restriction of data processing of your personal data under the following prerequisites: - if you contest the correctness of your personal data: for the time span which enables the responsible person to check the correctness of your personal data; - if data processing is unlawful and if you decline the deletion of your personal data but instead ask for the restriction of use of your personal data; - if the responsible person does not use your personal data for the data processing any longer but you need it for the enforcement, exercise or defence of legal claims or - if you have revoked against data processing according to Art. 21 sec. 1 GDPR but it not certain yet if the responsible person’s legitimate reasons prevail your reasons. If the processing of your personal data has been restricted, such data may – apart from being stored – only be processed with your consent or for the enforcement, exercise or defence of legal claims or for the protection of rights of another person or legal entity or because of an important public interest of the EU or a member state. If the restriction of data processing was restricted under the prerequisites mentioned beforehand, you will be informed by the responsible person prior to the suspension of the restriction.

Right of Deletion

a) Obligation to Delete

You have the right to ask the responsible person that your personal data will be deleted immediately. The responsible person is obliged to delete such data immediately presupposed that one of the following factors applies: - The purpose for which your personal data has been collected or processed is not relevant or necessary anymore. - You revoke your consent on which the data processing according to Art. 6 sec 1 lit. (a) or Art. 9 sec. 2 lit. (a) GDPR has been based on and there is no other legal basis for the data processing. - You file an objection according to Art. 21 sec. 1 GDPR against the data processing and there are no overriding legitimate reasons for the processing or you file an objection against the data processing according to Art. 21 sec. 2 GDPR. - Your personal data has been processed unlawfully. - The deletion of your personal data is necessary for the fulfilment of a legal obligation according to EU law or the law of a member state also governing the responsible person. - Your personal data has been collected in connection with offered services of the information society according to Art. 8 sec. 1 GDPR.

b) Information for Third Persons

If the responsible person has made your personal data public and if he is obliged to delete them according to Art. 17 sec. 1 GDPR he will take appropriate measures considering the available technology and the costs of implementing such appropriate measures (including technical aspects) in order to inform the person responsible for the data processing, which processes your personal data, that you as the concerned person have claimed to delete all links to your personal data or of any copies or replications of your personal data.

c) Exceptions

The right of deletion as well as the obligations described under 4. b) above does not exist if the data processing is necessary: - for the execution of the right of free speech and information; - for the fulfilment of a legal obligation which requires the data processing according to the law of the EU or a member state and of which the responsible person is an object to, or for the perception of a task which is in the public interest or in exercise of public authority which has been delegated onto the responsible person; - for reasons of public interest in the domain of public health according to Art. 9 sec. 2 lit. (h) and (i) as well as Art. 9 sec. 3 GDPR; - for archival purposes which are also in the public interest, for scientific or historic research purposes or for statistical purposes according to Art. 89 sec. 1 GDPR, as long as the right mentioned under a) will presumably make the realisation of the goals of the data processing impossible or seriously impair such goals, or - to assert, exercise or defend legal claims.

Right of Information

If you have claimed your right of correction, deletion or restriction of processing toward the responsible person, such person is obliged to inform all persons or entities which have received your personal data about the correction or deletion of data or restriction of processing unless this is impossible or only feasible with unreasonable effort. You have the right toward the responsible person to be informed about such receivers.

Right of Data Transferability

You have the right to receive all of your personal data which you have transmitted to the responsible person in a structured, established and machine-readable format. Additionally, you have the right to transmit such data to another responsible person without any hindrance by the responsible person whom you have provided with your personal data, if - data processing is based on a consent according to Art. 6 sec. 1 lit. (a) GDPR or Art. 9 sec. 2 lit. (a) GDPR or on a contract according to Art. 6 sec. 1 lit. (b) GDPR and - data processing takes place by means of automated procedures. When exercising this right, you have also the right to obtain that your personal data will be transmitted directly from one responsible person to another one if this is technically feasible. Any freedoms or rights of other persons may not be damaged by this. The right of data transferability does not apply for the processing of personal data which is necessary for the perception of a task which is in the public interest or in exercise of public authority which has been delegated onto the responsible person.

Right of Objection

You have the right to file an objection against the data processing or your personal data for reasons deriving out of your specific situation at any time according to Art. 6 sec. 3 lit. (b) GDPR in connection with § 3 LDSG; this shall also apply with respect to a profiling which is based on these provisions.

The responsible person does not process your personal data any longer, unless he can prove compulsory reasons for the processing requiring protection which – at the same time – prevail your interests, rights and freedom or if the procession serves the enforcement, exercise or defence of legal claims.

You have the possibility to execute your right of objection in connection with the use of services of the information society – notwithstanding the Directive 2002/58/EG – while using automated procedures which apply technical specifications.

Right of Objection of the Privacy Policy of Consent

You have the right to withdraw your privacy policy of consent at any time. Your withdrawal does not touch the lawfulness of data processing until the time of your withdrawal.

Automated Decision in Each Individual Case including Profiling

You have the right to be subject of a decision which is not exclusively based on automated procession – including profiling – and which will have legal effect on you or which will have a similar effect on you.

Right of Complaint with Supervisory Authority

Notwithstanding any other legal remedy by court or administration you have the right of complaint with a supervisory authority, especially in the member state where you have your domicile, your place of work or the place where the potential infringement took place if you are of the opinion that the processing or your personal data has violated the GDPR. The supervisory authority where you filed your complaint shall inform the complainant about the current state of affairs and the result of the complaint including the possibility of filing a legal remedy at a competent court according to Art. 78 GDPR.

Timeliness and Validity of the Privacy Policy

This privacy policy is currently valid and dated 16.11.2021.

It might become necessary due to further development of our web application or due to the implementation of new technologies to change this privacy policy. We reserve the right to change this privacy policy for the future at any time. We recommend to read the current privacy policy from time to time anew.