Data Protection Declaration pursuant to the GDPR
I. Name and address of the controller
The controller in terms of the General Data Protection Regulation and other national data protection acts of the Member States as well as other provisions on data protection is:
Energy Research Center of Lower Saxony (EFZN)
Head Office
Am Stollen 19 A
38640 Goslar
Telephone: +49 5321 3816 8002
Fax: +49 5321 3816 8009
e-mail: geschaeftsstelle@efzn.de
Website: https://www.efzn.de
II. Name and address of the data protection officer
The data protection officer of the controller is:
Patrick Borkowski
Clausthal University of Technology
Data Protection Officer
Adolf-Roemer-Straße 2A
D-38678 Clausthal-Zellerfeld
e-mail: dsb@tu-clausthal.de
Website: https://www.datenschutz.tu-clausthal.de/
III. General information on data processing
1. Scope of processing personal data
In principle we only process personal data of our users insofar as this is necessary for the provision of a functioning website as well as for our contents and services. In principle, the processing of personal data of our users is only done with the consent of the user. An exception is if prior consent by the user cannot be obtained for actual reasons and if the processing of data is permissible in terms of legal provisions.
2. Legal basis for the processing of personal data
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6(1) point a of the EU-GDPR shall serve as legal basis. This shall also apply to processing required for pre-contract measures.
Insofar as processing of personal data is required for the fulfilment of a legal obligation, Art. 6(1) point c EU-GDPR shall serve as legal basis.
In the event that vital interests of the data subject or of another natural person require the processing of personal data, Art. 6(1) point d GDPR shall serve as legal basis.
If processing is required to protect the legitimate interests of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the data subject do not override the first mentioned interests, Art. 6(1) point f GDPR shall serve as legal basis for processing.
3. Data erasure and duration of storage
Personal data of the data subject shall be erased or blocked as soon as the purpose of storage falls away. In addition, data can be blocked if this is provided for by the European or national legislator in ordinances, laws or other provisions under Union law that apply to the data subject. Data will also be blocked or erased if a storage period prescribed by the said standards expires, unless further storage of data is required for the conclusion of a contract or for the fulfilment of a contract.
IV. Availability of the website and creation of logfiles
1. Description and scope of data processing
Every access to the internet offer of the EFZN shall be saved for a limited time in a protocol file with the following data:
- Date and time of access
- Details of request and target address
- Name of the file fetched and amount of data transmitted
- Message whether the fetching of the file was successful
The data shall also be saved in the logfiles of our system. This does not affect the IP addresses of the user or other data that would allow the allocation of data to a user. These data are not saved together with other personal data of the user.
2. Legal basis for data processing
The legal basis for the temporary saving of data is Art. 6(1) point f GDPR (legitimate interest).
3. Purpose of data processing
Saving is required to allow for the website to be transferred to the computer of the user.
4. Duration of storage
Data shall be deleted as soon as they are no longer required for the purposes for which they were collected. In the case of data having been captured to make available the website, this shall be when the respective session is ended.
5. Right to object and to be removed
Capturing of data is required to make available the website and to store data in logfiles for the operation of the internet site. The user can thus not object.
V. Use of cookies
1. Description and scope of data processing
Our website uses cookies. Cookies are text files that are saved in the internet browser and/or by the internet browser on the computer system of the user. When a user opens the website, a cookie can be saved on the operating system of the user. This cookie contains a characteristic sequence of characters that will allow the unambiguous identification of the browser when the website is opened again.
We make use of cookies to increase the user-friendliness of our website. Some elements of our internet site require the browser accessing the site to be identified after a change of site.
The cookies on our site include:
Cookie Name | Date of expiry | Purpose |
cb-enabled | Permanent cookie | This cookie recognises whether the user has already accepted the use of cookies and controls the visibility of the cookie disclaimer. |
PHPSESSID | End of session | PHP data identifier, set when the PHP session() method is used. |
fe_typo_user | End of session | This cookie is a standard session cookie of TYPO3. When a user logs in, it saves the access data entered for a closed area. |
be_typo_user | End of session | This cookie tells the website whether a visitor is registered in the Typo3-Backend and has administrator rights for this. |
typo3-login-cookiecheck | End of session | This cookie checks the browser settings regarding the edition of the site in the Typo3 backend. |
When accessing our website users are informed that cookies are used for analysis purposes and are referred to this data protection declaration by way of an information banner. At the same time a reference is also made as to how the saving of cookies can be prevented in the browser settings.
2. Legal basis of data processing
The legal basis for the temporary saving of data is Art. 6(1) point f GDPR (legitimate interest).
3. Purpose of data processing
The use of analysis cookies has the purpose of improving the quality and content of our website. Analysis cookies tell us how the website is used and hence we can continuously optimise our site.
4. Duration of storage, right to object and to be removed
Cookies are saved on the computer of the user and are transferred to our server from there. Thus, you as the user have full control over the use of cookies. Through a change of settings in your internet browser you can deactivate or limit the transfer of cookies. Cookies that were already saved can be deleted at any time. This can also be automated. If cookies for our website are deactivated, possibly not all functions of our website can be fully used.
VI. Contact form and e-mail contact
1. Description and scope of data processing
A contact form to make contact electronically is available on our internet page. If a user utilises this input screen, the data entered will be transferred to us and will be saved. These data are:
- Name
- e-mail address
- Content of message
At the time when the message is sent, the following data are also saved:
- IP address of the user
- Date and time of registration
For the processing of data your consent is requested when the message is sent. In this process reference is made to this data protection declaration.
Alternatively, contact can be made via the e-mail address that is provided. In this case the personal user data as transmitted with the e-mail are saved.
In this regard data are not passed on to any third party. The data are used only to process the conversation.
2. Legal basis of data processing
In the event of consent having been given by the user, the legal basis of data processing is Art. 6(1) point a GDPR.
The legal basis of processing data that are transferred within the framework of sending an e-mail is Art. 6(1) point f GDPR.
If the e-mail contact is aimed at the conclusion of a contract, the legal basis of processing is Art. 6(1) point b GDPR.
3. Purpose of data processing
The processing of personal data from the input screen is used only to process the contact query. In the event of contact having been made by e-mail this includes legitimate interest in processing the data.
4. Duration for which data are saved
Data are deleted as soon as they are no longer required to achieve the purpose for which they were collected. In the case of personal data from the input screen of the contact form and those that were sent by e-mail this shall be the case when the respective conversation with the user is ended. A conversation is ended when the circumstances indicate that the respective issue has been finally resolved.
All additional personal data collected during the process of sending will be deleted after finalisation of the process.
5. Right to object and to be removed
Users have the right to revoke their consent to the processing of their personal data at any time. If users make contact with us by e-mail they can at any time object to their personal data being saved. In such a case the conversation cannot be continued.
For a revocation of consent and for an objection to data being saved please contact us by e-mail through the following address: geschaeftsstelle@efzn.de.
All personal data that were saved during the course of a contact session will be deleted in this case.
VII. Web analysis through Matomo (formerly PIWIK)
1. Description and scope of data processing
On our website we use the Open Source Software Tool Matomo (formerly PIWIK) to analyse the surfing behaviour of our users. Matomo is an Open Source (GPL-licensed) Web Analysis Software. More information on the program can be found under: https://matomo.org/
If you have set your browser so that your visits are generally not to be captured by statistics software, our Matomo installation will immediately evaluate this information and will not capture your visit. Various browsers use a so-called "Do Not Track Header" for this purpose.
The Matomo software uses a cookie on the computer of the user (for more on cookies, see above). If individual pages of our website are called up, the following data will be saved:
- The two higher-value bytes of the IP address of the calling system of the user
- The website called
- The website from which the user reached the called website (referrer)
- The subpages called from the called website
- The time spent on the website
- The frequency with which the website is called
The software runs only on the servers of our website. Personal user data will only be saved there. The data are not forwarded to third parties.
The software is set so as not to fully save the IP addresses, but to mask 2 Bytes of the IP address (e.g. 192.168.xxx.xxx). This ensures that the shortened IP address can no longer be traced back to the calling computer. Hence, we do not capture personal data within the framework of the web analysis.
2. Legal basis of data processing
The legal basis of data processing is Art. 6(1) point f GDPR.
3. Purpose of data processing
The processing of user data allows us to analyse the surfing behaviour of our users. Through an analysis of the captured data we are able to compile information on the utilisation of the individual components of our website. This assists us in continuously improving our website and its user-friendliness. This constitutes a legitimate interest pursuant to Art. 6(1) point f GDPR. Through the anonymisation of the IP address the interest of users in protecting personal data is sufficiently observed.
4. Duration for which data are saved
Data are deleted as soon as they are no longer required for our purposes of recording.
In our case this is after six months.
5. Right to object and to be removed
Cookies are saved on the computer of the user and are transferred to our server from there. Thus, you as the user have full control over the use of cookies. Through a change of settings in your internet browser you can deactivate or limit the transfer of cookies. Cookies that were already saved can be deleted at any time. This can also be automated. If cookies for our website were deactivated, possibly not all functions of our website can be fully used.
On our website we offer our users the opportunity of an opt-out from the analysis process. To this end you need to follow the respective link. In this manner a further cookie is set on your system that signals our system that user data are not to be saved. If the user deletes the respective cookie in the meantime, the opt-out cookie must be set again.
For further information on privacy settings of Matomo software please follow this link: https://matomo.org/docs/privacy/.
VIII. Registration for events
1. Scope of processing personal data
On our website we offer the opportunity of registering for events by entering personal data. Data are entered in an input screen and are then transferred to us and saved. The following data are collected during the registration process:
- Name
- Company / Organisation
- e-mail address
- Invoice address
Within the framework of the registration process the user is requested to consent to the processing of this data.
2. Legal basis of data processing
The legal basis for the processing of data is Art. 6(1) point b GDPR (contractual basis) and/or Art. 6(1) point a GDPR (user consent) for all voluntary information.
3. Purpose of data processing
Data are required for purposes of organising and carrying out events. Further information (title, department, additional contact data) can be provided voluntarily.
If you transfer data to us within the framework of registration for an event, this data shall be used only for the relevant event and will then be deleted after expiry of the legally required periods. Data will be transferred to third parties (e.g. co-organisers, participants’ list) only with your explicit consent.
4. Duration for which data are saved
Data are deleted as soon as they are no longer required for the purpose for which they were collected.
5. Right to object and to be removed
You can revoke your registration at any time or you can change the saved data. Upon revocation your data will immediately be deleted insofar as this is not in conflict with contractual or legal obligations.
IX. Rights of the data subject
If your personal data are processed, you are a data subject in terms of the GDPR and you have the following rights towards the controller:
1. Right to information
You may request confirmation from the controller whether personal data of which you are the subject are processed by us.
In the event of such processing, you can request the following information from the controller:
a) the purposes for which personal data are being processed;
b) the categories of personal data that are processed;
c) the recipients and/or the categories of recipients to whom the personal data of which you are the subject was or will be disclosed;
d) the planned duration for which the personal data of which you are the subject will be stored or, if no concrete information can be given in this regard, the criteria according to which the duration of data storage is determined;
e) the existence of the right to rectify or erase personal data concerning yourself, the right to limit processing by the controller or the right to object against this processing;
f) the existence of a right of objection to a supervisory authority;
g) all available information on the origin of data if personal data were not collected from the data subject;
h) the existence of an automated decision-making, including profiling pursuant to Art. 22(1) and (4) GDPR and – at least in such cases – pertinent information on the logic involved as well as the scope and the desired effects of such processing for the data subject.
You are entitled to request information on whether personal data related to yourself will be transmitted to a third country or an international organisation. In this regard you may demand from us information on adequate safeguards in terms of Art. 46 GDPR with regard to the transfer.
2. Right to rectification
You have the right to obtain from the controller without undue delay the rectification and/or completion of inaccurate and/or incomplete personal data concerning you. The controller shall immediately effect the rectification.
3. Right to restriction of processing
You shall have the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by you, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims; or
d) you have objected to processing pursuant to Art. 21(1) GDPR pending the verification whether the legitimate grounds of the controller override yours.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing was restricted according to the above conditions, you will be informed by the controller before the restriction of processing is lifted.
4. Right of deletion
a) Obligation of erasure
You shall have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(1) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(2) you withdraw consent on which the processing is based according to Art. 6(1) point a or Art. 9(2) point a GDPR, and where there is no other legal ground for the processing;
(3) you object to the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21(2) GDPR;
(4) the personal data have been unlawfully processed;
(5) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(6) the personal data have been collected in relation to the offer of information society services referred to in Art. 8(1) GDPR.
b) Information to third parties
Where the controller has made the personal data public and is obliged pursuant to Art. 17(1) GDPR to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
c) Exceptions
The right to erasure shall not apply to the extent that processing is necessary
(1) for exercising the right of freedom of expression and information;
(2) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(3) for reasons of public interest in the area of public health pursuant to Art. 9(2) points h and i as well as Art. 9(3) GDPR;
(4) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Art. 89(1) GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(5) for the establishment, exercise or defence of legal claims.
5. Right to being informed
If you have established the right to rectification, erasure or restriction of processing towards the controller, such controller shall inform all recipients to whom the personal data concerning you were disclosed of such rectification or erasure of data or of the restriction of processing, unless this is proven to be impossible or to cause unreasonable effort.
You are entitled towards the controller to be informed about these recipients.
6. Right to data portability
You shall have the right to receive the personal data concerning yourself that you have provided to the controller, in a structured, commonly used and machine-readable format, and you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:
a) the processing is based on consent pursuant to Art. 6(1) point a GDPR or Art. 9(2) point a GDPR or on a contract pursuant to Art. 6(1) point b GDPR; and
b) the processing is carried out by automated means.
In exercising this right you have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be adversely affected hereby.
The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
7. Right to object
You shall have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1) point e or f GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, you shall have the right to object at any time to processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
Where you object to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
8. Right to revoke the declaration of consent with regard to data protection
You have the right to revoke your declaration of consent with regard to data protection at any time. Such revocation of consent shall not affect the legitimacy of the data processing carried out on the basis of the consent until its revocation.
9. Automated individual decision-making, including profiling
You shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This shall not apply if the decision
a) is necessary for entering into, or performance of, a contract between you and the data controller,
b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
c) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Art. 9(1) GDPR, unless Art. 9(2) point a or g GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in points a) and b), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.
10. Right to object before a supervisory authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.