Privacy Policy
Name and address of the controller
The controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the member states, as well as other data protection regulations, is:
Clausthal University of Technology
Adolph-Roemer-Straße 2a
D-38678 Clausthal-Zellerfeld
Phone: +49 5323 72-0
Fax: +49 5323 72-3500
www.tu-clausthal.de
Legal Notice: www.tu-clausthal.de/impressum/
Clausthal University of Technology is a public-law corporation and is legally represented by the President (Link: https://www.tu-clausthal.de/universitaet/leitung-verwaltung/praesidium).
The competent supervisory authority is:
The State Commissioner for Data Protection of Lower Saxony
Prinzenstraße 5
30159 Hanover
Phone: +49 511 120-4500
Fax: +49 511 120-4599
Email:
Data Protection Officer
Official Data Protection Officer of Clausthal University of Technology:
Clausthal University of Technology
– The Data Protection Officer –
Mr. Andreas Tews, M.A.
Erzstr. 18
D-38678 Clausthal-Zellerfeld
Email:
Website: https://www.datenschutz.tu-clausthal.de/
General Information on Data Processing
Clausthal University of Technology generally processes the personal data of website users only to the extent necessary to provide a fully functional website, along with its content and services. The processing of personal data generally takes place only with the user’s consent. An exception applies in cases where obtaining prior consent is not possible for practical reasons and the processing of the data is permitted by law.
Legal basis for the processing of personal data
To the extent that we obtain the data subject’s consent for the processing of personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data necessary for the performance of a contract to which the data subject is a party, Article 6(1)(b) of the GDPR serves as the legal basis. This also applies to processing operations necessary for the implementation of pre-contractual measures.
To the extent that the processing of personal data is necessary to comply with a legal obligation to which our company is subject, Article 6(1)(c) of the GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis.
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, the legal basis is Article 6(1)(e) of the GDPR in conjunction with Section 3 of the Lower Saxony Data Protection Act (NDSG).
Clausthal University of Technology websites
Type and scope of the data collected
Every time you visit the Clausthal University of Technology website, our systems automatically collect the following data:
- The IP address of the user’s computer,
- Information about the browser type and version used,
- The user’s operating system (name and version),
- Date and time of access,
- The referring website from which the user’s system accessed the website,
- Documents accessed by the user’s system.
The data is also stored in the log files of our systems. This data is not stored together with other personal data of the user. Storage takes place exclusively on our own infrastructure at the Clausthal University of Technology in Clausthal-Zellerfeld.
The legal basis for the temporary storage of the data and log files is Art. 6(1)(e) GDPR in conjunction with § 3 NDSG.
Duration of data storage
The system temporarily stores the IP address in order to deliver requested documents to the user’s computer. To do this, the user’s IP address must be stored for the duration of the session.
The data is stored in log files to ensure the website functions properly. Additionally, the data is used to optimize the website and to ensure the security of the IT systems. The data is not analyzed for marketing purposes.
The data is deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. In the case of data collection for the provision of the website, this occurs when the respective session ends.
In the case of data stored in log files, this generally occurs after seven days. Longer storage is only intended for technical and legal purposes.
Web analytics via internal systems or external providers / Use of cookies
The Clausthal University of Technology’s websites use the web analytics software Matomo (formerly “PIWIK”) provided by InnoCraft Ltd., 150 Willis St, 6011 Wellington, New Zealand. This is open-source software that allows for the analysis of usage of the Clausthal University of Technology’s website. The program is operated on TU Clausthal’s own servers, so the collected analysis data is not shared with third parties. TU Clausthal’s legitimate interest lies in analyzing and optimizing its website and for marketing purposes; the legal basis for this is Art. 6(1)(e) GDPR in conjunction with § 3 NDSG. The software collects and evaluates the following data, provided that you, as a user, have not objected to the evaluation:
Basic data:
- IP address, anonymized by truncation
- Cookie, to distinguish between different visitors
- Previously visited URL (referrer), if transmitted by the browser
- Name and version of the operating system
- Browser name, version, and language setting
Additionally, if JavaScript is enabled:
- URLs visited on this website
- Times of page views
- Screen resolution and color depth
- Technologies and formats supported by the browser (e.g., cookies, Java, Flash, PDF, Windows Media)
In the interest of data minimization, an automatic anonymization function is performed by the Matomo software, which truncates the IP address by two bytes, ensuring that usage behavior is analyzed in a pseudo-anonymized form. It is not possible for Clausthal University of Technology to link the user profile to you or your internet connection. To collect the data, Matomo stores a cookie on your device via your web browser. This cookie is valid for 6 months. Among other things, the cookies enable the recognition of the web browser, allowing us to track how many different users visit the website. If you do not consent to this processing, you have the option to prevent the storage of the cookie by adjusting a setting in your web browser. Additionally, you may change the analysis of your usage behavior at any time via our cookie banner.
ReadSpeaker
ReadSpeaker is a text-to-speech service for online content. When you click the "Read Aloud" button, the corresponding text is transmitted via the user's IP address to the ReadSpeaker server, where the audio file is generated during the streaming process and sent back to the user's IP address. After the audio file is transmitted, the process and the user’s IP address are immediately deleted from the ReadSpeaker server. ReadSpeaker does not collect or store any personal data. All services are hosted in Europe (Sweden). When using the ReadSpeaker feature, technical cookies are stored on the end device to retain the settings selected by the user (highlighting settings, text size, etc.). They are stored for a maximum period of up to 30 days after the session or depending on the selected feature. If the ReadSpeaker feature is not enabled, no cookies are stored on your device when you visit the website. The legal basis for the use of ReadSpeaker is your consent to its use pursuant to Art. 6(1)(a) of the GDPR. Please note the information regarding revocation in the Privacy Policy.
Social media and external advertising
No code elements from social media providers that enable the direct sharing of content from the Clausthal University of Technology’s websites are used. Consequently, no usage data is shared with social media providers when using the Clausthal University of Technology’s website.
Generally, no advertisements are displayed on the websites of Clausthal University of Technology. Consequently, no usage information is transmitted to external providers when using the Clausthal University of Technology website.
Our social media accounts
We maintain publicly accessible profiles on social media platforms. The specific social media platforms we use are listed below. Social media platforms such as Facebook, Twitter, etc., can generally analyze your user behavior in detail when you visit their website or a website that includes integrated social media content (e.g., “Like” buttons or advertising banners). Visiting our social media pages triggers numerous data processing operations relevant to data protection. Specifically:
If you are logged into your social media account and visit our social media presence, the operator of the social media portal can associate this visit with your user account. However, your personal data may also be collected even if you are not logged in or do not have an account with the respective social media portal. In this case, data collection occurs, for example, via cookies stored on your device or by recording your IP address. Using the data collected in this way, the operators of the social media portals can create user profiles that store your preferences and interests. In this way, interest-based advertising can be displayed to you both within and outside the respective social media presence. If you have an account with the respective social network, the interest-based advertising can be displayed on all devices on which you are logged in or have been logged in. Please also note that we cannot track all processing activities on social media platforms. Depending on the provider, additional processing operations may therefore be carried out by the operators of the social media platforms. For details, please refer to the terms of use and privacy policies of the respective social media platforms.
Legal basis:
Our social media accounts are intended to ensure the broadest possible online presence. This constitutes public relations activities within the meaning of Article 6(1)(e) of the GDPR in conjunction with Section 3 of the NDSG. The analysis processes initiated by the social networks may be based on different legal grounds, which must be specified by the operators of the social networks (e.g., consent within the meaning of Article 6(1)(a) of the GDPR).
Data Controller and Exercising Your Rights:
When you visit one of our social media pages (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing activities triggered by that visit. You may generally exercise your rights (right of access, rectification, erasure, restriction of processing, data portability, and the right to lodge a complaint) both against us and against the operator of the respective social media portal (e.g., against Facebook). Please note that despite our joint responsibility with the social media portal operators, we do not have full control over the data processing operations of the social media portals. Our options depend largely on the corporate policies of the respective provider.
Retention period:
Data collected directly by us through our social media presence will be deleted from our systems as soon as you request deletion, revoke your consent to storage, or the purpose for storing the data no longer applies. Stored cookies remain on your device until you delete them. Mandatory legal provisions—in particular retention periods—remain unaffected. We have no influence over the retention period of your data stored by social media operators for their own purposes. For details, please contact the respective social media operators directly (e.g., in their privacy policies, see below).
Social networks in detail:
Facebook:
We have a Facebook profile. The provider of this service is Facebook Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. According to Facebook, the collected data is also transferred to the United States and other third countries. We have entered into a joint processing agreement (Controller Addendum) with Facebook. This agreement specifies which data processing operations we or Facebook are responsible for when you visit our Facebook page. You can view this agreement at the following link: https://www.facebook.com/legal/terms/page_controller_addendum.
You can adjust your ad settings yourself in your user account. To do so, click on the following link and log in: https://www.facebook.com/settings?tab=ads.
Data transfers to the U.S. are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://de-de.facebook.com/help/566994660333381. For details, please refer to Facebook’s Privacy Policy: https://www.facebook.com/about/privacy/.
We use the microblogging service Twitter. The provider is Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland. You can adjust your Twitter privacy settings yourself in your user account. To do so, click on the following link and log in: https://twitter.com/personalization. Data transfers to the United States are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://gdpr.twitter.com/en/controller-to-controller-transfers.html. For further details, please refer to Twitter’s Privacy Policy: https://twitter.com/de/privacy.
We have an Instagram account. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. Data transfers to the United States are based on the European Commission’s Standard Contractual Clauses. For more details, please visit: https://www.facebook.com/legal/EU_data_transfer_addendum, https://help.instagram.com/519522125107875, and https://de-de.facebook.com/help/566994660333381. For details on how Instagram handles your personal data, please refer to Instagram’s Privacy Policy: https://help.instagram.com/519522125107875.
We have a profile on XING. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. For details on how they handle your personal data, please refer to XING’s Privacy Policy: https://privacy.xing.com/de/datenschutzerklaerung.
We have a profile on LinkedIn. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. LinkedIn uses advertising cookies. If you wish to disable LinkedIn advertising cookies, please use the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out. Data transfers to the U.S. are based on the EU Commission’s Standard Contractual Clauses. Details can be found here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs. For details on how LinkedIn handles your personal data, please refer to LinkedIn’s Privacy Policy: https://www.linkedin.com/legal/privacy-policy
YouTube
We have a YouTube channel. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For details on how they handle your personal data, please refer to YouTube’s Privacy Policy: https://policies.google.com/privacy?hl=de.
Email Contact and Contact Forms
Our website features a contact form that can be used to contact us electronically. If a user chooses this option, the data entered in the form is transmitted to us and stored. Alternatively, you can contact us via the email address provided. In this case, the user’s personal data transmitted via email will be stored. In this context, the data will not be disclosed to third parties. The data is used exclusively for the purpose of handling the correspondence. The legal basis for processing the data is Article 6(1)(a) of the GDPR, provided the user has given consent. If the email contact is aimed at concluding a contract, the additional legal basis for processing is Article 6(1)(b) of the GDPR.
The processing of personal data from the input form serves solely to handle the contact request. In the case of contact via email, this also constitutes the necessary legitimate interest in the processing of the data.
The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For personal data from the contact form input field and data sent via email, this is the case when the respective conversation with the user has ended. The conversation is considered ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved.
The personal data additionally collected during the submission process is handled in accordance with the section “Duration of Data Storage.”
Institutes and organizations
If, in addition, the websites of individual institutes and departments at Clausthal University of Technology offer the option to enter personal or business data (email addresses, names, addresses), the disclosure of such data by the user is expressly voluntary. The legal basis for this processing is Article 6(1)(a) of the GDPR. The collection and processing of data serve only the purpose stated in the respective online form. No sale or disclosure to third parties takes place.
Right to object
The user may withdraw their consent to the processing of their personal data at any time. If the user contacts us via email, they may object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of the contact will be deleted in this case.
Events
By registering for an event organized by Clausthal University of Technology, you consent to the collection, storage, and use of the above-mentioned personal data for the purposes of the event. This includes registration for the event, the creation of a participant list, and, if applicable, the issuance of a certificate of participation.
By registering, I expressly agree that TU Clausthal may disclose the participant’s personal data to third parties commissioned to organize the event. TU Clausthal ensures that the participant’s rights are protected in this process.
I agree that my last name, first name, company/institution, and position may be listed in the participant directory.
The email address may only be used to send invitations and informational materials from Clausthal University of Technology. In this case, sending invitations electronically is equivalent to sending them by mail.
I may revoke this consent at any time with future effect.
Right of access pursuant to Article 15 of the GDPR
You may request confirmation from the controller as to whether we are processing personal data concerning you.
If such processing is taking place, you may request the following information from the controller:
(1) the purposes for which the personal data is being processed;
(2) the categories of personal data being processed;
(3) the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
(4) the planned duration of storage of the personal data concerning you or, if specific details are not available, the criteria for determining the storage period;
(5) the existence of a right to rectification or erasure of the personal data concerning you, a right to restriction of processing by the controller, or a right to object to such processing;
(6) the existence of a right to lodge a complaint with a supervisory authority;
(7) all available information regarding the origin of the data, if the personal data is not collected from the data subject;
(8) the existence of automated decision-making, including profiling, pursuant to Article 22(1) and (4) of the GDPR and—at least in such cases—meaningful information regarding the logic involved, as well as the significance and the intended consequences of such processing for the data subject.
You have the right to request information regarding whether the personal data concerning you will be transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Article 46 of the GDPR in connection with the transfer.
Right to restriction of processing pursuant to Article 18 of the GDPR
You may request the restriction of the processing of your personal data under the following conditions:
(1) if you contest the accuracy of your personal data for a period that allows the controller to verify the accuracy of the personal data;
(2) if the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use;
(3) the controller no longer needs the personal data for the purposes of the processing, but you need it to assert, exercise, or defend legal claims; or
(4) if you have objected to the processing pursuant to Article 21(1) of the GDPR and it has not yet been determined whether the legitimate grounds of the controller override your grounds.
If the processing of your personal data has been restricted, such data—apart from its storage—may only be processed with your consent or for the establishment, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of an important public interest of the Union or a Member State.
If the restriction on processing has been imposed in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.
Right to erasure under Article 17 of the GDPR
a) Obligation to delete
You may request that the controller erase your personal data without delay, and the controller is obligated to erase such data without delay if any of the following grounds apply:
(1) The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
(2) You withdraw your consent on which the processing was based pursuant to Art. 6(1)(a) or Art. 9(2)(a) of the GDPR, and there is no other legal basis for the processing.
(3) You object to the processing pursuant to Article 21(1) of the GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21(2) of the GDPR.
(4) The personal data concerning you has been processed unlawfully.
(5) The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union law or the law of the Member States to which the controller is subject.
(6) The personal data concerning you was collected in relation to information society services offered pursuant to Article 8(1) of the GDPR.
b) Disclosure to third parties
If the controller has made your personal data public and is required to erase it pursuant to Article 17(1) of the GDPR, the controller shall, taking into account available technology and the cost of implementation, take reasonable measures, including technical measures, to inform controllers who process the personal data that you, as the data subject, have requested the erasure of all links to such personal data or of copies or replications of such personal data.
c) Exceptions
The right to erasure does not apply where the processing is necessary:
(1) for the exercise of the right to freedom of expression and information;
(2) for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9(2)(h) and (i) and Art. 9(3) of the GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes pursuant to Article 89(1) of the GDPR, insofar as the right referred to in section (a) is likely to render impossible or seriously impair the achievement of the objectives of such processing; or
(5) for the establishment, exercise, or defense of legal claims.
Right to information under Article 19 of the GDPR
If you have exercised your right to rectification, erasure, or restriction of processing with the controller, the controller is obligated to notify all recipients to whom your personal data has been disclosed of such rectification, erasure, or restriction of processing, unless this proves impossible or involves disproportionate effort.
You have the right to request information from the controller regarding these recipients.
Right to data portability pursuant to Article 20 of the GDPR
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that
(1) the processing is based on consent pursuant to Art. 6(1)(a) GDPR or Art. 9(2)(a) of the GDPR or on a contract pursuant to Art. 6(1)(b) of the GDPR, and
(2) the processing is carried out by automated means.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one controller to another controller, to the extent that this is technically feasible. The rights and freedoms of others must not be adversely affected by this.
The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Right to object under Article 21 of the GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you that is carried out pursuant to Article 6(1)(e) or (f) of the GDPR; this also applies to profiling based on these provisions.
The controller will no longer process the personal data concerning you unless it can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defense of legal claims.
If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing; this also applies to profiling to the extent that it is related to such direct marketing.
If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.
You have the option, in connection with the use of information society services—notwithstanding Directive 2002/58/EC—to exercise your right to object by means of automated procedures using technical specifications.
Right to withdraw consent under data protection law pursuant to Article 7(3) of the GDPR
You have the right to withdraw your consent under data protection law at any time. Withdrawing your consent does not affect the lawfulness of any processing carried out on the basis of your consent prior to its withdrawal.
Automated decision-making in individual cases, including profiling, pursuant to Article 22 of the GDPR
You have the right not to be subject to a decision based solely on automated processing—including profiling—that produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
(1) is necessary for the conclusion or performance of a contract between you and the controller,
(2) is authorized by Union or Member State law to which the controller is subject and that law provides for appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or
(3) is based on your explicit consent.
However, such decisions may not be based on special categories of personal data as defined in Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect your rights and freedoms as well as your legitimate interests.
With regard to the cases mentioned in (1) and (3), the controller shall take appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, including at least the right to obtain human intervention on the part of the controller, to present your point of view, and to contest the decision.
Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or the place where the alleged infringement occurred, if you consider that the processing of personal data concerning you infringes the GDPR.
The supervisory authority to which the complaint was submitted shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 of the GDPR.