Privacy Policy

Version 14 – 10.06.2024

I. Name and Address of the Data Controller
The Data Controller within the meaning of the General Data Protection Regulation (GDPR) and other national data protection laws of the Member States as well as other data protection regulations is:

Albert Ludwigs University of Freiburg
Friedrichstraße 39
79098 Freiburg
+49 (0)761/203-0
info@uni-freiburg.de

II. Name and Address of the Data Protection Officer
The Data Protection Officer of the Controller is:

Albert Ludwigs University of Freiburg
Data Protection Officer
Fahnenbergplatz
79085 Freiburg
datenschutzbeauftragter@uni-freiburg.de

III. Note of this Privacy Policy
This information on data protection/data protection declaration refers to the website of the Life Imaging Center , which is operated by the University of Freiburg. Please contact us in case you want to withdraw consent to process your personal data or if you want to know which data we store from you.

IV. General Information on Data Processing

1. Scope of Processing of Personal Data
   We process personal data of our users only to the extent necessary to provide a functional website as well as our content and services.
2. Legal Basis for the Processing of Personal Data
   Insofar as we obtain consent from the data subject for processing personal data, Article 6(1)(a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis.

In cases where the processing of personal data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller, Article 6(1)(e), paragraph 3 GDPR in conjunction with the task-assigning norms of Union or national law serves as the legal basis.

If the processing is necessary for the purposes of the legitimate interests pursued by the University of Freiburg or a third party, and these interests are not overridden by the interests or fundamental rights and freedoms of the data subject, Article 6(1)(f) GDPR serves as the legal basis for the processing.

3. Data Deletion and Storage Duration
   The personal data of the data subject will be deleted or blocked as soon as the purpose of storage ceases to apply. Storage beyond this period can occur if required by the European or national legislator in EU regulations, laws, or other provisions to which the University of Freiburg is subject. Blocking or deletion of the data also occurs when a storage period prescribed by the aforementioned standards expires.

V. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing
   Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing device.

The following data is collected:

• The IP address of the accessing computer
• Date and time of access
• Name, URL, and amount of data transmitted for the requested webpage or file
• Access status (file transferred, file not found, etc.)
• Information about the browser type, version, and operating system of the accessing device (if transmitted by the requesting web browser)
• The website from which the user reached our website (if transmitted by the requesting web browser)

This data is also stored in our system’s log files. The IP address is anonymized after the end of the usage session before storage in the log files. This data is not stored together with other personal data of the user.

2. Legal Basis for Data Processing
   The legal basis for the temporary storage of data is Article 6(1)(f) GDPR.
3. Purpose of Data Processing
   The temporary storage of the IP address by the system is necessary to deliver the website to the user’s computer. For this purpose, the IP address must be stored for the duration of the session.

Storage in log files is done to ensure the functionality of the website. Additionally, the data is used for technical optimization, tracking access numbers, and ensuring the security of our IT systems.

These purposes also constitute our legitimate interest in data processing according to Article 6(1)(f) GDPR.

Right to Object
The collection of data for the provision of the website and the temporary storage of data in log files is essential for the operation of the website. Therefore, the user has no right to object.

Duration of Storage
The data will be deleted as soon as it is no longer necessary for the purposes for which it was collected. In the case of data collection for the provision of the website, this occurs when the respective session is ended. For data stored in log files, this occurs after two weeks. Further storage is only possible in cases of concrete suspicion of attacks on our website and for error analysis.

VI. Use of Cookies

1. General Information on the Use of Cookies
   Our websites use cookies. Cookies are text files stored by the internet browser on the user’s computer system. When a user visits a website, a cookie may be stored on the user’s operating system. A cookie can contain a unique string of characters that allows the browser to be uniquely identified upon a return visit to the website.

We use cookies to ensure the proper functioning of the website, improve accessibility, navigation, and presentation of our website, and to embed media from our video portal.

The following types of cookies are used on our websites:

• Technically required cookies for the use of the websites (these are needed for the correct display of the websites and the integration of media from our video portal)
• Technically required cookies for consent management (e.g., consent for the use of the integrated Google search)
• Cookies from external service providers when using embedded applications on our websites, such as the integrated Google search, after obtaining personal consent (these are cookies stored directly by the external service providers on the user’s system when using the application, without the University of Freiburg having any influence over them)

Except for the technically required cookies, other cookies are activated only after explicit consent. These consents can be revoked at any time. If technically required cookies are blocked or deleted through browser settings, some functions of our website may only be available in a limited manner.

2. Technically Required Cookies for the Use of the Websites

2.1 Description and Scope of Data Processing
We use cookies to make our websites functional. Some elements of our website require the requesting browser to be recognized even after a page change.

The following data is stored and transmitted in the cookies listed here:

Origin	Name	Purpose	Validity
uni-freiburg.de	serverid	Load balancer assignment	Until the end of the browser session
videoportal.uni-freiburg.de	framework	Session ID, timestamp for video player	7 days

Table 1: Overview of Technically Required Cookies

2.2 Legal Basis for Data Processing
The legal basis for data processing using the technically required cookies listed under VI. 2.1 in accordance with Section 25 (2) No. 2 TDDDG is Article 6 (1) (f) GDPR.

2.3 Purpose of Data Processing
The purpose of using technically necessary cookies is to enable the usability of the websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognized after a page change.

We need cookies for the following applications:

• Load balancer (to distribute the load of requests across multiple servers)
• Embedding media from the video portal (session ID and timestamp for the video player)

These purposes also constitute our legitimate interest in data processing according to Article 6 (1) (f) GDPR.

2.4 Duration of Storage, Objection, and Removal Options
The storage duration of the cookies can be found in Table 1 under VI. 2.1.

Cookies are stored on the user’s computer and transmitted to our site from there. Therefore, you as the user have full control over the use of cookies. By changing the settings in your internet browser, you can disable or restrict the storage of cookies. Already stored cookies can be deleted at any time. This can also be done automatically. If cookies are disabled for our website, not all functions of the website may be fully usable.

3. Technically Required Cookies for Consent Management

3.1 Description and Scope of Data Processing
On our website, we have individual offers for which we require your consent (e.g., Google search). Upon agreement, you have the option to store your consent permanently. For this, we ask for your one-time or permanent consent before using a corresponding webpage for the first time.

For permanent consent, the following data is stored and transmitted in the cookies listed here:

Origin	Name	Purpose	Validity
uni-freiburg.de	unifreiburg_allow_google_search	Opt-in cookie for Google search	1 year

Table 2: Cookies for Consent Management

3.2 Legal Basis for Data Processing
The legal basis for data processing using the technically required cookies listed under VI. 3.1 in accordance with Section 25 (2) No. 2 TDDDG is Article 6 (1) (f) GDPR.

3.3 Purpose of Data Processing
The purpose of using cookies for consent management is to permanently store consent so that consent does not need to be obtained again for future page visits, and to provide proof of the given consent.

Providing proof of the given consent also constitutes our legitimate interest in data processing according to Article 6 (1) (f) GDPR.

3.4 Duration of Storage, Objection, and Removal Options
The storage duration of the cookies can be found in Table 2 under VI. 3.1.

Cookies are stored on the user’s computer and transmitted to our site from there. Therefore, you as the user have full control over the use of cookies. You can withdraw your consent at any time by deleting the corresponding cookie in your browser or system.

4. Cookies from External Service Providers When Using Embedded Applications on Our Websites After Personal Consent

4.1 Google Search
On our website, we offer the option of a comprehensive search across all university portals using Google’s Programmable Search Engine (see X.1. Google Search). In the event of your consent, cookies from Google are stored on your system. Information on data protection and the cookies used by Google can be found in Google’s Privacy Policy [https://policies.google.com].

VII. Contact Form and Email Contact

1. Description and Scope of Data Processing
   Our website includes a contact form that can be used for electronic communication. If a user chooses to use this option, the data entered in the input form will be transmitted to us and stored. This data includes:

• Name
• Email address
• Content of the message

At the time the message is sent, the following additional data is also stored:

(1) Date and time of submission

For the processing of the data, your consent is obtained during the submission process, and reference is made to this privacy policy.

Alternatively, contact is possible via the provided email address. In this case, the user’s personal data transmitted with the email will be stored.

In this context, no data is passed on to third parties. The data is used exclusively for processing the conversation.

2. Legal Basis for Data Processing
   The legal basis for processing data via the contact form is your consent pursuant to Article 6 (1) (a) GDPR.

The legal basis for processing data transmitted in the course of sending an email is Article 6 (1) (f) GDPR.

3. Purpose of Data Processing
   The processing of personal data from the input form is solely for the purpose of handling the contact request. In the case of contact via email, this also constitutes the necessary legitimate interest in processing the data.

The other personal data processed during the submission process is used to prevent misuse of the contact form and ensure the security of our information technology systems.

4. Duration of Storage
   The data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input form of the contact form and those sent by email, this is the case when the respective conversation with the user has ended. The conversation is considered ended when it can be inferred from the circumstances that the matter in question has been conclusively resolved and no further inquiries are expected. The data will therefore be deleted at the end of the year following their receipt.

The personal data additionally collected during the submission process will be deleted after a maximum period of seven days.

5. Objection and Removal Options
   The user has the right to revoke their consent to the processing of personal data at any time. If the user contacts us via email, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. All personal data stored in the course of the contact will be deleted in this case.

VIII. Web Analysis Using Matomo

1. Description and Scope of Processing Personal Data
   Matomo is used on our website to analyze the usage behavior of our visitors.

Matomo is configured so that the IP address is not stored in full (masking of two bytes of the IP address). This way, it is no longer possible to associate the truncated IP address with the requesting computer.

When individual pages of our website are accessed, the following data is stored:

• Two bytes of the IP address of the user’s requesting computer
• The URL of the accessed webpage
• The webpage from which the user accessed the current page (referrer)
• The subpages accessed from the visited webpage
• The duration of the visit to the webpage
• The frequency of webpage visits
• The device type used, operating system, browser type, browser version, screen resolution, and language setting

Matomo is also configured so that no cookies are set for the analysis of usage behavior.

The data collected by Matomo is stored exclusively on servers of the University of Freiburg. The stored data is not shared with third parties. There is no merging of this data with any other stored data that may be collected when using other services that require the provision of personal information.

2. Legal Basis for Processing Personal Data
   The legal basis for processing users’ personal data is Article 6 (1) (f) GDPR.
3. Purpose of Data Processing
   By analyzing the usage behavior of our visitors, we are able to compile information on the use of the individual components of our website. This helps us to continuously improve our website and its user-friendliness.

This also constitutes our legitimate interest in data processing according to Article 6 (1) (f) GDPR.

By anonymizing the IP address and avoiding the use of cookies, the interests of the users in protecting their personal data are adequately taken into account.

4. Duration of Storage
   To analyze the temporal course and development of usage behavior, the data is generally stored for two years and then automatically deleted.

IX. Video Portal of the University of Freiburg (VIMP)
On our website, videos from the University of Freiburg’s video portal are embedded on certain pages to provide you with engaging media content. When you access a page with embedded videos, technically necessary cookies are set. For more information about the cookies used, please refer to section VI. 2. “Technically Necessary Cookies for Using the Website.”

X. Collection and Processing of Personal Data When Integrating External Services with Consent
To better convey information and improve the discoverability of our content, we integrate third-party services on our website. Below is an overview of the services used.

1. Google Search
   1.1 Access to Google Search
   On our website, we offer the possibility of a cross-portal search across all university portals using Google’s Programmable Search Engine. Access to this search function is available on the results page of the internal search via the tab “Search Across All University Portals.”

1.2 Consent Declaration
After clicking the tab, you will be presented with a selection dialog containing information about data protection and the option to consent to the search either once or permanently (valid for 1 year). If consent is given once, users must agree again on subsequent accesses. In the case of permanent consent, we store a cookie on your system to avoid having to obtain your consent again for future searches. For more information about the cookie used, please refer to section VI. 3. “Technically Necessary Cookies for Managing Consents.”

1.3 Data Exchange with Google
With your consent, the previously entered search term is passed to a Google script, which then returns the search results. The script developed by Google (Google Programmable Search Engine) is integrated into the search results page by the University of Freiburg unchanged. This script enables automated communication (data exchange) with dynamic data transfer between the accessed page and the Google service.

1.4 Google’s Privacy Notices and Privacy Policy
By consenting to the use of Google Search, you agree to the transfer of data to the Google service. This includes the search term you entered and possibly other search parameters. Furthermore, Google may collect additional personal data through the integrated script call, such as the IP address of your computer. Please note that Google has different privacy provisions than those of the University of Freiburg’s website. We expressly inform you that the responsibility for the processing, storage, deletion, and use of any transmitted and additionally collected personal data rests solely with Google, and the University of Freiburg has no influence over the type and scope of the data collected or its further processing.

Information about Google’s privacy practices and cookies can be found in Google’s Privacy Policy [https://policies.google.com].

XI. Privacy Policies for Social Media
The University of Freiburg uses various social media platforms to complement its existing communication channels such as its website, press releases, newsletters, print materials, and events. These platforms are used for current reporting on university topics, events, news from science, research, and teaching, service offerings, student jobs, and other campus-related information. As the responsibility for editorial oversight of these services remains with the University of Freiburg, we have published separate privacy policies for the following external services:

• Facebook
• X (formerly Twitter)
• Instagram
• YouTube
• Xing
• LinkedIn

XII. Rights of the Data Subject
If your personal data is processed, you are considered a data subject under the GDPR, and you have the following rights against the University of Freiburg:

1. Right to Information
   You can request confirmation from the University of Freiburg as to whether personal data concerning you is being processed.

If such processing occurs, you can request information from the University of Freiburg about:

• The purposes of the processing of personal data.
• The categories of personal data being processed.
• The recipients or categories of recipients to whom the personal data has been disclosed or will be disclosed.
• The planned duration of the storage of personal data or, if specific details cannot be provided, the criteria used to determine the storage period.
• The existence of the right to rectification or erasure of personal data, the right to restrict processing by the University of Freiburg, or the right to object to such processing.
• The existence of the right to lodge a complaint with a supervisory authority.
• All available information on the origin of the data if the personal data was not collected from the data subject.
• The existence of automated decision-making, including profiling, according to Article 22 (1) and (4) GDPR, and – at least in these cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

You have the right to request information on whether personal data is transferred to a third country or an international organization. In this context, you can request to be informed about the appropriate safeguards according to Article 46 GDPR related to the transfer.

2. Right to Rectification
   You have the right to rectification and/or completion of your personal data that is inaccurate or incomplete. The University of Freiburg must rectify the data without delay.
3. Right to Restrict Processing
   You can request the restriction of processing of your personal data under the following conditions:

• If you contest the accuracy of the personal data concerning you, for a period enabling the University of Freiburg to verify the accuracy of the personal data.
• If the processing is unlawful and you oppose the erasure of the personal data and instead request the restriction of its use.
• If the University of Freiburg no longer needs the personal data for processing purposes, but you require it for the assertion, exercise, or defense of legal claims.
• If you have objected to processing according to Article 21 (1) GDPR and it has not yet been determined whether the legitimate grounds of the University of Freiburg override your grounds.

If the processing of your personal data is restricted, such data – apart from being stored – may only be processed with your consent or for the assertion, exercise, or defense of legal claims, or to protect the rights of another natural or legal person, or for reasons of substantial public interest of the Union or a Member State.

If the restriction of processing is based on the aforementioned conditions, the University of Freiburg will inform you before the restriction is lifted.

4. Right to Erasure
   4.1 Obligation to Erase
   You can request that the University of Freiburg erase your personal data without delay, and the University of Freiburg is obliged to erase this data without delay, if one of the following reasons applies:

• The personal data concerning you is no longer necessary for the purposes for which it was collected or otherwise processed.
• You withdraw your consent on which the processing is based according to Article 6 (1) (a) or Article 9 (2) (a) GDPR, and there is no other legal ground for the processing.
• You object to the processing according to Article 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object according to Article 21 (2) GDPR.
• The personal data concerning you has been processed unlawfully.
• The erasure of personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the University of Freiburg is subject.
• The personal data concerning you was collected in relation to the offer of information society services according to Article 8 (1) GDPR.

4.2 Notification to Third Parties
If the University of Freiburg has made your personal data public and is obliged to erase it according to Article 17 (1) GDPR, the University will, considering the available technology and the implementation costs, take reasonable steps, including technical measures, to inform controllers who are processing the personal data that you, as the data subject, have requested the erasure of all links to this personal data or copies or replicas of this personal data.

4.3 Exceptions
The right to erasure does not apply to the extent that processing is necessary:

• For exercising the right to freedom of expression and information.
• For compliance with a legal obligation which requires processing under Union or Member State law to which the University of Freiburg is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University of Freiburg.
• For reasons of public interest in the area of public health according to Article 9 (2) (h) and (i) and Article 9 (3) GDPR.
• For archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes according to Article 89 (1) GDPR, insofar as the right to erasure is likely to make the achievement of the objectives of that processing impossible or seriously impair it.
• For the establishment, exercise, or defense of legal claims.

5. Right to Notification
   If you have exercised the right to rectification, erasure, or restriction of processing, the University of Freiburg is obliged to notify all recipients to whom your personal data has been disclosed of such rectification, erasure, or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed by the University of Freiburg about these recipients.

6. Right to Data Portability
   You have the right to receive the personal data concerning you that you have provided to the University of Freiburg in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the University of Freiburg, to whom the personal data was provided, provided that:

• The processing is based on consent according to Article 6 (1) (a) GDPR or Article 9 (2) (a) GDPR, or on a contract according to Article 6 (1)
• the processing is carried out by automated means.

In exercising this right, you also have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others must not be adversely affected as a result.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the University of Freiburg.

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Art. 6(1) of the GDPR.

The University of Freiburg shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights, and freedoms or for the establishment, exercise, or defence of legal claims.

You have the possibility, in the context of the use of information society services, and notwithstanding Directive 2002/58/EG, to exercise your right to object by automated means using technical specifications.

8. Right to withdraw consent under data protection law

You have the right to withdraw your consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your habitual residence, place of work, or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 of the GDPR.