Johannes Gutenberg University Mainz (JGU) takes the protection of personal data very seriously. We collect and process our website users’ personal data according to the EU General Data Protection Regulation (GDPR), the State Data Protection Act (Landesdatenschutzgesetz, LDSG), and, if applicable, according to the Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG).

We neither publish your data nor pass them on to third parties without authorization. The following text will explain which data are collected during your visit to our website and how the data are used.

The controller, in accordance with the definition of the General Data Protection Regulation (GDPR), national data protection laws of the Member States, and other provisions of data protection law, is:

Johannes Gutenberg University Mainz (JGU)
represented by the President
Professor Georg Krausch
Saarstraße 21
55122 Mainz

phone: +49 6131 39-0
fax: +49 6131 39-22919
email: praesident@uni-mainz.de
http://www.uni-mainz.de/en/

JGU Data Protection Officer
phone: +49 6131 39-20065
fax: +49 6131 39-52202
email: datenschutz@uni-mainz.de
https://organisation.uni-mainz.de/datenschutzbeauftragter (in German)

Extent of personal data processing

In principle, we process personal data only to the extent necessary to provide a functional website as well as our content and services. We process users’ personal data only with their consent or if processing is permitted by law.

Legal basis for the processing of personal data

Provided we have the users’ consent to process their personal data, Art. 6 Subsection 1 Lit. a GDPR serves as the legal basis for the processing.

When the processing of personal data is necessary for the fulfillment of a contract JGU is party to, Art. 6 Subsection 1 Lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual tasks and measures.

If the processing of personal data is necessary to fulfill a legal obligation to which JGU is subject, Art. 6 Subsection 1 Lit. c GDPR serves as the legal basis.

When the processing of personal data is necessary for carrying out a task in the public interest or for exercising official authority, Art. 6 Subsection 1 Lit. e GDPR serves as the legal basis.

Erasure of data and storage period

The subject’s personal data will be erased or made unavailable once the purpose for which they were collected and stored ceases to apply. Personal data may be stored beyond that period if such storage has been designated by European or national legislators in EU regulations, laws, or other rules the controller is subject to.

Links to other providers’ websites

This JGU Privacy Policy is valid for the websites of the “uni-mainz.de” domain wherever JGU is responsible for matters of data protection. If cross-references (links) are made to content from other providers, their data collection and data use may be based on principles other than those laid out here. Such cross-references within the uni-mainz.de domain are marked with the “external link” (“Externer Link”) tooltip and/or an external link symbol.

You can find information on who is responsible for the provided information of a website in the relevant website’s legal notice.

Transfer of personal data to third parties

Personal data processed based on use of the websites of JGU are, as a rule, not transferred to third parties. The transfer of personal data might take place in individual cases on the basis of legal permission.

As a rule, no personal data are transferred to countries outside of the European Economic Area (EEA) and associated countries (no “third-country transfer”). If such a transfer should become necessary, we will inform you.

Information to be provided according to Art. 13 Subsection 2 Lit. e GDPR

As a rule, you are neither contractually nor legally obligated to share personal data on JGU websites. However, if you do not share certain data, the websites may only serve limited or no use.

Description and extent of data processing

Every time a user accesses our website, our system automatically collects data in the form of a log file. The following data are collected and stored until they are automatically deleted:

  • the user’s IP address
  • the date and time of access
  • the name, URL, and transferred volume of data of the accessed file
  • the access status (file transferred, file not found, etc.)
  • information on the user’s browser type and operating system
  • the website from which the user’s system accessed our website
  • the user’s login name if internal JGU websites were accessed by a logged-in user

Legal basis

Data processing is necessary for informing the public of the public tasks performed by JGU according to Art. 6 Subsection 1 Lit. e and Subsection 3 GDPR in conjunction with §2 Subsection 8 of the Rhineland-Palatinate University Act (Hochschulgesetz Rheinland-Pfalz, HochSchG).

Purpose of data processing

The collected data is processed to guarantee the use of our website (connection establishment), system security, and the technical administration of the network infrastructure, and to optimize our website (error analysis). IP addresses are evaluated only if the JGU network infrastructure is being or has been attacked.

Storage period

The data will be deleted once the purpose for which they were collected and stored ceases to apply. IP addresses are stored for one year for identification purposes in case of a cyber attack. If attacks and malfunctions are pursued beyond that period, the data resulting from access will be stored until the relevant procedure is completed.

Right to object and erasure of data

The collection of data for the provision of the website and the storage of data in log files is necessary for the operation of the website. Consequently, the user has no option to object.

Description and extent of data processing

Cookies are text files stored in the internet browser or by the internet browser on the user’s operating system. If a user accesses a website, a cookie can be stored in the user’s operating system. This cookie contains a characteristic string of information that enables clear identification of the browser when the website is accessed again.

Furthermore, so-called temporary cookies are used when accessing individual websites. These session cookies contain the following personal data:

  • language settings
  • login information

These are usually automatically deleted at the end of the session when you close your browser. Only the language settings are transmitted again the next time you access the website.

Legal basis for data processing

The legal basis for the processing of personal data using cookies required for technical reasons is Art. 6 Subsection 1 Lit. e GDPR in conjunction with § 2 Subsection 8 HochSchG.

Purpose of data processing

The purpose of using cookies required for technical reasons is to simplify the use of the website for users. Some features of our websites cannot be run properly without the use of cookies.

We need cookies for the following applications:

  • transfer of language settings
  • user login for internal JGU websites

As a rule, we do not use analysis cookies or programs that are used to generate user profiles by tracing the actual surfing habits on the individual pages.

If necessary, the web analysis service Matomo (formerly Piwik) may be used to collect statistical data regarding use of the web content provided by JGU. The service will be hosted on the JGU Data Center (ZDV) servers. If a persistent cookie is used, it is stored for 7 days. No personal data will be collected when transmitting the statistical data. Nevertheless, you have the option to decline the collection of your (already anonymized) user behavior. Please follow this link in order to turn the analysis service on or off. By doing so, a Matomo deactivation cookie will be stored or deleted.

Please note that the Matomo deactivation cookie will also be deleted when you clear the cookies in your browser. You will also need to repeat the deactivation procedure if you use a different computer or browser.

For other JGU websites (faculties, departments, institutes, student councils, central institutions, facilities, etc.), different regulations may apply. These are explained in the privacy policies of the individual websites, as we do not carry out any analysis of user habits by default.

Storage period, right to object, and deletion of cookies

Cookies are stored on the user’s computer and from there transmitted to our website. Consequently, the user has full control over the use of cookies. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies. You can also delete cookies at any time. This can also be done automatically. If you deactivate cookies for our website, you may no longer be able to use the full range of site features.

Description and extent of data processing

On our website, you may subscribe to free newsletters. For this, we require the email address the relevant newsletter should be sent to.

If you, as a media representative, would like to be added to the central JGU press mailing list, please contact our Press and Public Relations Office. You will need to provide your email address so we can send you our JGU press information via email.

Legal basis for data processing

By providing your personal data and allowing its subsequent transfer when signing up for a newsletter or the press mailing list, you consent to its processing. The legal basis is Art. 6 Subsection 1 Lit. a GDPR.

Purpose of data processing

The user’s email address is used for delivering the relevant newsletter or press information.

Storage period

The data will be erased once the purpose for which they were collected and stored ceases to apply. The user’s email address will be stored until the user unsubscribes from the relevant newsletter or the press mailing list.

Right to object and erasure of data

You can unsubscribe from all newsletters and/or the press mailing list at any time.

Extent and processing of personal data

In the case of access-protected internal JGU websites, i.e., information platforms accessible only to university members and members of staff, the following personal data are collected from logged-in, registered users (students, staff, members of the university with a user account) while they are accessing the websites:

  • the user’s name
  • the email address associated with the user’s account

Legal basis for the processing of personal data

By providing the requested data and submitting them when registering, you consent to their processing. The legal basis is Art. 6 Subsection 1 Lit. a GDPR.

Purpose of data processing

The collection of data serves to enable the use of access-restricted websites (connection establishment and authentication) as well as to support system security, the technical administration of the network infrastructure, and the optimization of our services.

Storage period

The data will be erased once the purpose for which they were collected and stored ceases to apply. This is the case when the user logs out or closes their web browser.

If your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights vis-à-vis the controller:

Right of access according to Art. 15 Subsection 1 GDPR

You have the right to obtain confirmation from the controller regarding whether or not your personal data is being processed. If it is, you have the right to obtain the following information:

a)the purposes of the processing
b)the categories of personal data concerned
c)the recipients or categories of recipient to whom the personal data have been or will be disclosed
d)the envisaged period of time for which the personal data will be stored, or, if a period of time cannot be determined, the criteria used to determine that period
e)the existence of the right to request rectification or erasure of your personal data or restriction of processing of personal data or to object to such processing
f)the right to lodge a complaint with a supervisory authority
g)where the personal data were not collected from you directly, any available information as to their source

This right to access may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

Right to rectification Art. 16 GDPR

You have the right to demand the rectification of inaccurate or incomplete personal data by the controller without undue delay.

This right may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

Right to restriction of processing Art. 18 GDPR

You have the right to obtain from the controller restriction of processing of your personal data when one of the following applies:

a)You contest the accuracy of your personal data for a period enabling the controller to verify the accuracy of the personal data.
b)The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead.
c)The controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise, or defense of legal claims.
d)You have objected to processing pursuant to Art. 21 Subsection 1 GDPR and the verification of whether the controller’s legitimate grounds override yours is pending.

Where processing of your personal data has been restricted, such personal data can only be processed with your consent or for the establishment, exercise, or defense of the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State. The data will still be stored.

If the processing of your personal data was restricted according to the above-mentioned conditions, you will be informed by the controller before the restriction of processing is lifted.

This right may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

Right to erasure Art. 17 GDPR

A) Obligation to erase data

You have the right to demand that the controller erases your personal data without undue delay. The controller is obligated to erase the data without undue delay when one of the following grounds applies:

a)The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
b)You withdraw the consent on which the processing is based according to Art. 6 Subsection 1 Lit. a GDPR and there is no other legal ground for the processing.
c)You object to the processing pursuant to Art. 21 Subsection 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 2 Subsection 2 GDPR.
d)Your personal data have been unlawfully processed.
e)Your personal data must be erased to comply with a legal obligation in European Union or Member State law to which the controller is subject.

B) Exceptions

The right to erasure does not apply where the processing is necessary

a)for exercising the right of freedom of expression and information
b)to comply with a legal obligation which requires processing by European Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
c)for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 Subsection 1 GDPR if insofar as the right referred to in paragraph a) is likely to render impossible or seriously impair the achievement of the objectives of that processing
d)for the establishment, exercise, or defense of legal claims

Notification obligation Art. 19 GDPR

If you asserted your right to rectification or erasure of personal data or restriction of processing vis-à-vis the controller, the controller is obligated to inform each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. You have the right to be informed by the controller about those recipients.

Right to data portability Art. 20 GDPR

You have the right to receive the personal data which you provided to the controller in a structured, commonly used, and machine-readable format. You also have the right to transfer the data to another controller without hindrance from the controller to whom the personal data have been provided, where

  • the processing is based on consent pursuant to Art. 6 Subsection 1 Lit. a GDPR or Art. 9 Subsection 2 Lit. a GDPR and
  • the processing is carried out by automated means

Furthermore, in exercising the right to data portability, you have the right to have your personal data transferred directly from one controller to another, where technically feasible. The rights and freedoms of other persons shall not be adversely affected by such a transfer.

The right to data portability does not apply to the processing of personal data necessary for carrying out a task in the public interest or in the exercise of official authority vested in the controller.

Right to object Art. 21 GDPR

You have the right to object to processing of your personal data on grounds relating to your particular situation according to Art. 6 Subsection 1 Lit. e GDPR at any time. This includes profiling based on those provisions.

The controller shall no longer process your personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or for the establishment, exercise, or defense of legal claims.

Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 Subsection 1 GDPR, you have the right to object to processing of your personal data on grounds relating to your particular situation.

Your right to object may be restricted if it is likely to render impossible or seriously impair the achievement of research or statistical purposes and the restriction is necessary to achieve these purposes.

Right to withdraw consent Art. 7 Subsection 3 GDPR

You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on your consent before its withdrawal.

Right to lodge a complaint with a supervisory authority Art. 13 Subsection 2 Lit. d GDPR

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, if you believe that the processing of your personal data infringes the GDPR.

The supervisory authority with which the complaint was lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

The responsible supervisory authority is

The Rhineland-Palatinate State Commissioner for Data Protection and Freedom of Information
(Landesbeauftragter für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz)

Hintere Bleiche 34
55116 Mainz
phone: +49 6131 8920-0
fax: +49 6131 8920-299
email: poststelle@datenschutz.rlp.de

This JGU Privacy Policy is currently valid and dated October 21, 2021.

In the course of the further development of our websites and the implementation of new technology, it might become necessary to change the JGU Privacy Policy. JGU reserves the right to change its Privacy Policy at any time, affecting future handling of data. We recommend reading the current policy from time to time.

Please note:
The websites of other JGU institutions (faculties, departments, institutes, student councils, central institutions, etc.) might follow other rules. These are specified and explained in the relevant privacy policies of the individual websites.

*** Please note that only the German version of the JGU Privacy Policy is legally binding. The English version is for information purposes only. ***