The University of Freiburg processes a multitude of information in digital and analogue form as part of its research, teaching, transfer, and administrative activities. This encompasses a broad spectrum of data, including personal information on employees and students and sensitive operating data of IT infrastructures, as well as research data containing personal data.
At the University of Freiburg, the data protection officer, the information security officer, and the team at the Data Protection Unit in Department 5 – Legal Affairs are responsible for these tasks and available for all questions concerning these matters.
Ensuring secure and lawful data processing in accordance with the state of the art is a continuous challenge in the dynamic environment of an institution that drives innovation in teaching, research, and administration. The University of Freiburg therefore attaches great importance to robust technical and organizational measures that do not only satisfy the legal requirements of the EU General Data Protection Regulation (EU-GDPR), the State Data Protection Act (Landesdatenschutzgesetz – LDSG), and the State Higher Education Act (Landeshochschulgesetz – LHG) but also meet the high standards of quality and responsibility set by the mission statement of the University of Freiburg.
News on data protection and information security
IT security management at the University of Freiburg certified by TÜV SÜD
DIN EN ISO/IEC 27001 certification attests to a reliable information security management system (ISMS)
Recommendations on the sovereignty and security of science in the digital space
In October 2023, the German Council of Science and Humanities published recommendations for improving information security at universities and colleges.
Consultation of the European Commission on the GDPR
In February 2024, the European Commission initiated a consultation on improving the General Data Protection Regulation.
Video series on information security
FAQ on data protection and information security
A data breach or data protection violation is an incident in which the security of personal data is violated. This means that data are unintentionally or unlawfully destroyed, lost, modified, disclosed, or made available to an unauthorized person. Examples include the loss of files, unauthorized access to an email account, or the theft of a notebook.
An information security incident occurs when protective measures have demonstrably failed, for example because a laptop has been stolen or attackers have succeeded in compromising an IT system via a vulnerability. Such an incident is characterized by a high probability of damage in violation of one of the key protection goals of confidentiality, integrity, or availability.
Incidents that remain undiscovered pose an additional risk.
Data breaches and information security incidents often coincide and are considered in practice from both a data protection and an information security perspective.
For more information, please consult the Circular on Reporting obligations for data protection and information security incidents: https://intranet.uni-freiburg.de/rs/2024/4 (Intranet)
First of all, you should ensure when starting up the laptop that the hard disk is encrypted. If you have done this and the laptop is stolen or lost and falls into the hands of a third party, it is not possible to misuse any data from the hard disk.
Nevertheless, the loss should be regarded as a data breach or information security incident and reported accordingly. Theft must be reported to the police.
As employees’ laptops are state property, they must be handled with care. In the event of reckless behaviour, the department may file a claim for compensation.
Further information is available on the intranet to logged-in users.
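The first step above, checking that the laptop's hard disk is actually encrypted before relying on it, can be verified on a Linux laptop by looking at the block-device tree: the filesystem holding `/` (and `/home`) must sit on top of a `crypt` device such as a LUKS container. The following script is an added example, not code from the university or from this page; it parses the key/value output of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` and reports any mounted filesystem that is not backed by an encrypted device. The two sample outputs and the device names in them are constructed for illustration, and the script assumes Linux with `lsblk` from util-linux.

```python
import shlex
import subprocess

# Constructed sample of `lsblk -P -o NAME,TYPE,MOUNTPOINT,PKNAME` from a laptop
# whose root and home volumes live on LVM inside a LUKS container (assumed layout).
ENCRYPTED_SAMPLE = """\
NAME="nvme0n1" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="nvme0n1p1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="nvme0n1"
NAME="nvme0n1p2" TYPE="part" MOUNTPOINT="" PKNAME="nvme0n1"
NAME="cryptroot" TYPE="crypt" MOUNTPOINT="" PKNAME="nvme0n1p2"
NAME="vg-root" TYPE="lvm" MOUNTPOINT="/" PKNAME="cryptroot"
NAME="vg-home" TYPE="lvm" MOUNTPOINT="/home" PKNAME="cryptroot"
"""

# Constructed sample of an unencrypted install: the filesystems sit directly on partitions.
PLAIN_SAMPLE = """\
NAME="sda" TYPE="disk" MOUNTPOINT="" PKNAME=""
NAME="sda1" TYPE="part" MOUNTPOINT="/boot/efi" PKNAME="sda"
NAME="sda2" TYPE="part" MOUNTPOINT="/" PKNAME="sda"
NAME="sda3" TYPE="part" MOUNTPOINT="/home" PKNAME="sda"
"""

# Boot partitions are customarily left unencrypted; they hold no user data.
IGNORED_MOUNTS = ("/boot", "/boot/efi")


def parse_lsblk_pairs(text):
    """Parse `lsblk -P` output (one KEY="value" list per line) into {name: {column: value}}."""
    devices = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(token.split("=", 1) for token in shlex.split(line))
        devices[fields["NAME"]] = fields
    return devices


def is_encrypted_path(devices, name):
    """Walk the PKNAME (parent) links from a device towards the disk.

    Returns True if any device on that path is a `crypt` mapping, i.e. the data
    written to `name` passes through dm-crypt/LUKS before reaching the disk.
    """
    seen = set()
    while name and name not in seen:
        seen.add(name)
        dev = devices.get(name)
        if dev is None:
            return False
        if dev["TYPE"] == "crypt":
            return True
        name = dev["PKNAME"]
    return False


def unencrypted_mounts(text, ignored=IGNORED_MOUNTS):
    """Return mount points (in lsblk order) whose backing device is not encrypted."""
    devices = parse_lsblk_pairs(text)
    return [
        dev["MOUNTPOINT"]
        for dev in devices.values()
        if dev["MOUNTPOINT"]
        and dev["MOUNTPOINT"] not in ignored
        and not is_encrypted_path(devices, dev["NAME"])
    ]


def check_live_system():
    """Run lsblk on this machine and return the list of unencrypted mount points."""
    out = subprocess.run(
        ["lsblk", "-P", "-o", "NAME,TYPE,MOUNTPOINT,PKNAME"],
        capture_output=True, text=True, check=True,
    ).stdout
    return unencrypted_mounts(out)


if __name__ == "__main__":
    for label, sample in (("encrypted laptop", ENCRYPTED_SAMPLE), ("plain install", PLAIN_SAMPLE)):
        print(f"{label}: unencrypted mounts = {unencrypted_mounts(sample)}")
    # Uncomment on a Linux laptop to check the real device tree:
    # print("this machine:", check_live_system())
```

An empty list means every data-bearing filesystem is behind an encrypted device; any mount point listed is one whose contents would be readable if the drive fell into a third party's hands. The check only proves that encryption is in place, not that it is configured well (a weak passphrase or a key stored on the same disk still defeats it).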
Scammers or attackers use phishing emails in various forms to get hold of confidential data or to compromise a user’s computer:
- Link to a fake website: In this case, the attacker “reproduces” a website to get the victim to enter access data for a university system, for example. The attacker can then use these data to access the victim’s email account.
- Malicious attachments: A document capable of installing malware (virus, Trojan) on the computer is attached to an email, thus enabling the attacker to control the affected computer.
- Scamming: The attacker pretends to be a person the victim knows in order to engage them in a dialogue. In the course of the dialogue, the victim is asked to do something for the attacker, such as transfer money, purchase gift certificates, or pass on personal data.
Phishing emails often attempt to build up pressure and thus lead the victim to act carelessly.
If access data has been disclosed, this must be regarded as a reportable incident.
If your computer has been compromised by a virus or Trojan, you must disconnect it from the network (Internet, WLAN) immediately and inform your local IT administrator. It must then be checked whether data have been lost or other damage has occurred.
Further material is available on the intranet to logged-in users:
Working away from university premises, whether at home or on a mobile device, entails a number of potential risks that must be taken into account to ensure that university data and systems are adequately protected. For example, some systems require that you connect to a VPN (Virtual Private Network) in order to gain access remotely. The use of two-factor authentication also helps to counteract such risks.
Further recommendations on working securely – also in relation to offices on campus – are available on the intranet to logged-in users.
An important preventive consideration is how to securely store the data you work with. “Secure” means the following:
- Access to the data is regulated, and they are only accessible to those who need them for their work;
- The data are available at the moment when they are needed;
- The data can be restored if they were erased or are no longer directly available for another reason (e.g., loss of a laptop);
- Changes made to the data are documented and traceable.
It is therefore advisable to coordinate regular work processes so that necessary data are securely stored.
For more information, please consult the guideline on secure data storage and encryption of mobile data carriers: https://intranet.uni-freiburg.de/sazs/datenablage
The above guideline is supplemented by recommendations on the disposal of data carriers: https://intranet.uni-freiburg.de/sazs/datentraegerentsorgung
First, consider whether there might not be an alternative to using a USB flash drive. Possibilities include shared data repositories or a personal network drive. Relevant options are described in the guideline on secure data storage and encryption of mobile data carriers. If you do need to use a USB flash drive, you should consider encrypting the data on the drive, at least if it is to be used for sensitive and confidential data.
Processes for the safe disposal of USB flash drives should be established at your department (see the intranet for recommendations). Speak to your local IT administrator or waste management officer for more information.
Secure passwords are characterized by their complexity. In other words, they are generally long passwords including combinations of different types of characters (lower-/upper-case letters, special characters). Another important aspect is how you manage your passwords. Instead of jotting down your passwords on a Post-it note and sticking it to your monitor, use a password manager like KeePass. For more information, see the following page on the IT Services website.
For more tips on creating and managing passwords, see the guideline on passwords.
Contacts
In compliance with legal requirements and for the protection of the university, there are central reporting officers that must be contacted in the event of data breaches and information security incidents.
More information on them is available on the intranet:
Contact
For (confidential) inquiries from data subjects about data processing and exercising their data protection rights,
Contact point for supervisory authorities: Datenschutzbeauftragter@zv.uni-freiburg.de
Reporting data breaches, exercising data subject rights, information on data protection: Datenschutz@zv.uni-freiburg.de
Reporting of security incidents, indications of vulnerabilities: security@uni-freiburg.de