Data Privacy Policy

I.            Name and Address of Controller

The responsible party (“controller”), as defined by the European Union General Data Protection Regulation (GDPR), the Bundesdatenschutzgesetz (BDSG, Federal Data Protection Act of Germany) and the Rheinland-pfälzischen Landesdatenschutzgesetzes (LDSG, Data Protection Act of the Federal State of Rhineland-Palatinate), is the Hochschule für Wirtschaft und Gesellschaft Ludwigshafen (Ludwigshafen University of Business and Society), as represented by the university president.

Ernst-Boehe-Str. 4
67059 Ludwigshafen am Rhein
Tel. 0621 5203-0
Email: info@ 8< SPAM protection, please remove >8 hwg-lu.de
Website: www.hwg-lu.de

II.           Name and Address of Data Protection Officer

The Data Protection Officer of the controller is:

Franziska Eberius
Ernst-Boehe-Str. 4
D-67059 Ludwigshafen
Tel.: 0621/5203-175
Email: datenschutz@hwg-lu.de
Website: www.hwg-lu.de


III.          General Information on Data Processing

1. Scope of the Processing of Personal Data
We process the personal data of our users only to the extent necessary in to provide a functioning website as well as our content and services. The processing of our users’ personal data is made only after consent is granted by the user. An exception applies in those cases for which prior consent cannot be obtained for practical reasons and the processing of the data is permitted by law.


2.           Legal Basis for the Processing of Personal Data

Insofar as we obtain the consent from the data subject for the processing of personal data, Art. 6 para. 1 sentence 1 of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

Insofar as the processing of personal data is necessary in order to comply with a legal requirement that must be fulfilled by the Ludwigshafen University of Business and Society, Art. 6 para. 1 sentence 1 in conjunction with Art. 6 para. 3 sentence 1b of the GDPR in conjunction with § 3 of the LDSG serves as legal basis.

In the event that the vital interests of the data subject in question or another natural person make the processing of personal data necessary, Art. 6 para. 1 sentence 1d of the GDPR serves as legal basis.

If processing is necessary for the Ludwigshafen University of Business and Society in order to perform a task that is in the public interest, or if this task is carried out in the exercise of official authority, Art. 6 para. 3 sentence 1b of the GDPR in conjunction with § 3 of the LDSG serves as the legal basis for data processing.


3.           Deletion of Data and Duration of Retention

The personal data of the data subject is deleted or disabled as soon as the purpose for retaining it no longer applies. In addition, personal data may be retained if the European or national legislator has provided for this in Union regulations, laws, or other provisions to which the controller is subject. The data will also be disabled or deleted upon the expiration of the retention period prescribed by the aforementioned standards.


IV.          Accessing the Website and Creation of Logfiles

1.           Description and Scope of Data Processing

When accessing the website provided by the Ludwigshafen University of Business and Society, the following data is retained in a log file:

- IP address

- Date and time of access

- Page accessed and/or name of file accessed

- Report about whether accessing the page or retrieving the file was successful.

- Transferred data volume

- Web browser and operating system used

The data is stored in our system’s log files. This does not affect the user’s IP address or other data that makes it possible for the data to be attributed to a user. These data are not stored together with other personal data from the user.


2.        Legal Basis for Data Processing

The legal basis for the temporary retention of data and log files is Art. 6 para. 3 b of the GDPR in conjunction with Art. 6 para. 3 b of the GDPR and § 3 of the LDSG.


3.           Purpose of Data Processing

The above data are used only for statistical purposes and to ensure normal operation. Personal user profiles are not created. Data is not given to third parties. In none of their internet services the Ludwigshafen University of Business and Society uses techniques in order to analyse information
about the users or access patterns.

The temporary storage of IP addresses by the system is necessary in order to allow the website to accessed by the user’s computer. At the time the data is collected, the IP address is immediately and automatically anonymized.


4.           Duration of Retention of Data

Data is deleted as soon as it is no longer necessary for the purposes for which it had been collected. When data is collected in order for the user to access the website, this is the case as soon as the session in question has ended. The log file is automatically deleted after one year.


5.           Options for Objection and Removal
The collection of data associated with providing access to the website and the retention of data in log files is mandatory for the operation of the website. It is thus not possible for the user to object to this.


V.           Newsletter

1.           Description and Scope of Data Processing

You can subscribe to a free newsletter on our website. When you register for the newsletter, your email address will be sent to us from the sign-up form.

Your consent will be obtained for the processing of your data during the registration process and reference will be made to this data privacy notice.

In this context, data is not given to third parties. The data is used exclusively for the processing of the communication.


2. Legal Basis for Data Processing

When registering for the newsletter, the user provides his or her consent to the processing of their personal data. The legal basis for this is described in Art. 6 Para. 1 Sentence 1 of the GDPR.


3. Purpose of Data Processing

The user’s email address is collected in order to send the user the newsletter.

The collection of other personal data as part of the registration process serves to prevent misuse of the services or the email address used.


4. Duration of Retention of Data

Data is deleted as soon as it is no longer necessary for the purposes for which it had been collected. Accordingly, the user's email address is to be stored as long as their newsletter subscription is active.


5.      Options for Objection and Removal
The newsletter subscription can be cancelled by the user at any time. To do so, please contact our Data Protection Officer.

This also allows you to revoke your consent to the storage of personal data that had been collected during the registration process.
   

VI.          Contact Form and Email Contact
1. Description and Scope of Data Processing

A contact form is available on our website, which can be used to get in touch with us electronically. If a user makes use of this option, the data entered in the form will be transmitted to us and stored. This data includes:

(1) Name

(2) Reason for contacting us

(3) Your email address

(4) Your message

Your consent will be obtained for the processing of data as part of the process of submitting the form, and reference will be made to this data privacy policy.

Alternatively, you can contact us via the email address provided. In this case, personal data from the user transmitted as part of the email will be retained.

In this context, data is not given to third parties. The data is used exclusively for the processing of the communication.

The transmission of content via the contact form of the Ludwigshafen University of Business and Society is protected against third-party access by means of encryption procedures.


2.           Legal Basis for Data Processing

Having obtained consent from the user, the legal basis for data processing is defined in Art. 6 para. 1 sentence 1a of the GDPR. The legal basis for processing data, which is transmitted in the process of sending an email, is Art. 6 para. 1f of the GDPR. If the purpose of the email is to enter into a contract, an additional legal basis for the processing applies as defined in Art. 6 para. 1 sentence 1 b of the GDPR.


3. Purpose of Data Processing

The processing of personal data from the contact form is used exclusively to process the contact request. Email contact also constitutes necessary, legitimate interest with regard to data processing.

Other personal data processed during the process of sending serve to prevent misuse of the contact form and to ensure the security of our information technology systems.


4.           Duration of Storage of Data

Data is deleted as soon as it is no longer necessary for the purposes for which it had been collected. For the personal data input into the contact form and as well as data sent by email, this is the case when the respective conversation with the user has ended. The conversation is considered to be ended when it can be concluded from the circumstances that the issue in question has been definitively resolved.


5.           Options for Objection and Removal

The user may revoke his or her consent to the processing of their personal data at any time. If the user contacts us by email, he or she can object to the storage of their personal data at any time. In a case such as this, the conversation cannot be continued.

You may revoke your consent and object to storage of data by submitting the contact form, or by email. In this case, all personal data that been stored during the process of establishing contact will be deleted.


VII.        Web Analysis using Matomo (formerly PIWIK)

1.           Scope of Processing of Personal Data

On our website, we use the open source software tool Matomo (formerly PIWIK) to analyze the surfing behavior of our users. The software places a cookie on the user’s computer.

Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user visits a website, a cookie can be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified if the website is accessed again.

When individual pages on our website are accessed, the following data is saved:

(1) The user’ anonymized IP address

(2) The website accessed

(3) The website from which the user accessed the website (referrer)

(4) The subpages accessed from the accessed web page

(5) Time spent on the website

(6) How frequently the site is accessed

(7) The operating system used and the respective version of the operating system used

(8) Screen resolution

(9) The browser used and the respective version of the browser used

(10) The installed plugins required for the website

(11) Date and time of access

(12) Country, continent and region, location, geocoordinates from where the user accesses the website (typically approximations derived from IP address and Internet nodes used)

(13) Model and manufacturer name, if accessed via a mobile device


The software runs exclusively on the servers of our website. Personal data from users is stored only there. This data is not shared with third parties.

The software is configured in such a way that IP addresses are not saved in full. Accordingly, it is not possible to match the shortened IP address to the computer accessing the website.


2.           Legal Basis for Data Processing

The legal basis for the processing of users’ personal data is Art. 6 para. 3b GDPR in conjunction with § 3 LDSG.



3.           Purpose of Data Processing

The processing of users’ personal data allows us to optimize our website. By evaluating the data collected, we are able to compile information about the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness. By anonymizing IP addresses, the interests of users with respect to protecting their personal data is duly taken into account.


4.           Duration of Storage of Data

Data is deleted as soon as it is no longer needed for our recording purposes. All visitor logs older than 30 days are deleted once a month.


5.           Options for Objection and Removal

Cookies are saved on the user’s computer and are transmitted from there to our site. This gives the user full control over cookie usage. You can deactivate or restrict cookie transmission by modifying the settings in your Internet browser.

Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may be the case that the website’s functions can no longer be used to the fullest extent. You may object to the recording of your (already anonymized) usage behavior. Please contact our Data Protection Officer for this.

Matomo complies with the user’s request that his or her visit not be tracked by the transmission of the so-called “do-not-track” setting from the user’s browser. The user is then excluded from tracking in the same way as with an opt-out cookie. See also https://matomo.org/docs/privacy/#step-4-respect-donottrack-preference.

More information on Matomo’s software privacy settings can be found at:  https://matomo.org/docs/privacy/.

 

VIII.       Links to Facebook, Instagram, and Twitter 
Our websites contain links to the external websites of the social networks Facebook, Instagram, and Twitter. The links are identified on our website with the Facebook and Twitter logos. Social plugins are not used. When you visit our websites with references to Facebook, Instagram, and Twitter, no data is transmitted to third parties. Data will only be transferred to a social media service if you visit their site.

Here you will find the data usage policies for Facebook and Instagram.

We are not responsible for whether the operators of social media platforms comply with statutory data protection regulations.


VIII.       Rights of the Data Subject

If personal data from you is processed, you are the data subject within the meaning of the GDPR, and you are entitled to the following rights from the controller:


1.           Right of Access by the Data Subject (Article 15)

The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

  1. The purposes of the processing;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
  4. Where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
  5. The existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority;
  7. Where the personal data are not collected from the data subject, any available information as to their source;
  8. The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Where personal data are transferred to a third country or to an international organization, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 of GDPR relating to the transfer.

 

2         Right to Restriction of Processing (Article 16)

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. 


3.           Right to Restriction of Processing (Article 18)

The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

  1. The accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. The controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
  4. The data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Where processing has been restricted under paragraph 1, such personal data shall, with the exception of storage, only be processed with the data subject’s consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

A data subject who has obtained restriction of processing pursuant to paragraph 1 shall be informed by the controller before the restriction of processing is lifted.


4.          Right to Erasure (Article 17)
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. The data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
  3. The data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
  4. The personal data have been unlawfully processed;
  5. The personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. The personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

Information to Third Parties

Where the controller has made the personal data public and is obliged pursuant to Art. 17 paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

Exceptions

The right to erasure and the obligations outlined under point 4 above do not apply if data processing is necessary:

  1. For exercising the right of freedom of expression and information;
  2. For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. For reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
  4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. For the establishment, exercise or defense of legal claims.


5. Right to Information

If you have exercised your right to rectify, delete or limit the processing of your personal data with regard to the controller, the latter is obliged to notify all recipients to whom the personal data concerning you have been disclosed of such rectification, deletion or limitation, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the data controller of such recipients.


6. Right to Data Portability (Article 20)

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

(1) The processing is based on consent pursuant to Art. 6 paragraph 1 sentence 1a or Art. 9 paragraph sentence 2  or on a contract pursuant to Art. 6 pargraph 1 sentence 1 and

  1. The processing is carried out by automated means.

In exercising his or her right to data portability pursuant to paragraph 1, the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible.

The freedoms and rights of others shall not adversely be affected by this. The right to data portability right shall not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.


7 Right to Object (Article 21)

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1) in conjunction with § 3 LDSG, including profiling based on those provisions. 2The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, the data subject may exercise his or her right to object by automated means using technical specifications.


8         Right to Revoke Declaration of Consent under Data Protection Law

You have the right to revoke your declaration of consent under data protection law at any time. The revocation of your consent does not affect the legality of the processing carried out on the basis of your consent until you revoke it.
 

9   Automated Individual Decision-Making, including Profiling (Article 22)

The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. This does not apply if the decision:

  1. Is necessary for entering into, or performance of, a contract between the data subject and a data controller;
  2. Is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests; or
  3. Is based on the data subject’s explicit consent.

These decisions, however, are not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3), the data controller shall implement suitable measures to safeguard the data subject’s rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
 

10    Right to Lodge a Complaint with a Supervisory Authority (Article 77)
 

Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.


Analytics Tool

The web analytics service Matomo is used to collect statistical data on the use of this website. No personal data is collected during the transmission of statistical data.


Nevertheless, you may still object to the recording of your (already anonymized) usage behavior. Please contact our data protection officer for this.


Please note that the Matomo deactivation cookie is also deleted when you delete the cookies stored in your browser. You will also need to repeat the deactivation procedure if you use a different computer or web browser.