a. In the following we provide information about the processing of personal data when using sciebo. Personal data is all data that can be related to you personally, such as name, address, e-mail address or non-anonymous user behaviour.
b. This data protection policy refers to both, data which is collected in the context of the use of sciebo and data which stored in sciebo by the user. The terms of use regulate which data you may upload to sciebo.
The organisation responsible within the meaning of Art. 4 para. 7 of the European General Data Protection Regulation (GDPR) is the University of Münster (Münster University), hereinafter referred to as the "provider":
Universität Münster
Schlossplatz 2
D-48148 Münster
The provider is represented by its rector Prof. Dr. Johannes Wessels. The Center for Information Technology (CIT) of Münster University is responsible for the operation of the service. The CIT can be reached at:
CIT
Röntgenstraße 7-13
D-48149 Münster
E-mail: info@sciebo.de
Nina Meyer-Pachur
Schlossplatz 2
D-48149 Münster
When operating the sciebo service, a distinction must be made between data collected by the provider and required for the performance of the service (see 4.a. and b.), data that the user uploads for storage when using sciebo (see 4.c.), and data that is collected for the search of other users (see 4.d.).
a. The following data is collected for registration for and use of sciebo and stored for the duration of use of the service:
- First name
- Surname
- Institution
- Institution e-mail address
- User ID
- Status of the User (student/employee)
b. The user ID is generated by the home institution of which you are a member and transmitted to the provider as part of your registration for sciebo. The provider has no influence on the creation of the user ID. The user's home institution bears the data protection responsibility for the transmission of data to the provider during the registration process for sciebo.
c. The IP addresses of the end users and the time of use are stored for seven days. Then the data is permanently deleted.
d. The data that you provide when using sciebo is stored by the provider. This data includes files that you upload to sciebo and share with other users, guests and third parties, as well as data that is necessary for the use of calendar and address functions. Information that you share with other individuals will be transferred to them.
e. When using the search and autocomplete function by entering (parts of) the user ID of the searched user, the corresponding first and last name is transmitted to the person who carried out the search order. The same applies to the entry of parts of the name and the user ID.
As a matter of principle, the provider processes your personal data only to the extent necessary to provide the functional service sciebo. The regular processing of personal data of our end users only takes place with their consent. An exception applies in those cases in which it is not possible to obtain prior consent for factual reasons and the processing of the data is permitted by statutory regulations.
The end user's personal data collected during registration for sciebo (see 4.a.) is processed to provide the contractually agreed functional scope.
The stored IP addresses and times of use (see 4.b.) are processed exclusively for the purpose of troubleshooting.
The data you have uploaded to sciebo for storage (see 4.c.) will be stored within the scope of fulfilling the contractual purpose, in particular the provision of storage space for members of the participating institutions. Data that you instruct us to share with other users will be transferred to them. This includes shared files and your personal data as part of the use of the address, calendar and search functions (see 4.c.and 4.d.). Beyond that these data are processed for no further purposes.
The data are processed exclusively on servers which are administratively operated by the provider. The server location is Münster.
The legal basis for the processing is the consent according to Art. 6 para. 1 lit. a) GDPR.
By accepting the terms of use and this data protection polify, you consent to the processing of your personal data listed in this data protection policy for the purposes described.
The consent refers both to your personal data, which is collected and stored when you register for sciebo, and to the data you have uploaded for storage when using sciebo, as well as the transmission of the data you have shared with other users. You also consent to the storage and transmission of data resulting from the use of the address, calendar and search functions.
You can revoke your consent at any time via the my.sciebo portal. In this case, the legal basis for the processing of your personal data no longer applies, i.e. you can no longer use the service afterwards.
After termination of the contract, your data will be permanently deleted. The contract ends either by revocation of consent, deregistration from the service or with omitted re-authentication. In the event of revocation or deregistration, the data will be deleted on the same day. If re-authentication is omitted, the data will be deleted after a transitional period of three months.
If your personal data is processed, you are the data subject in the sense of the GDPR and you are entitled to the following rights vis-à-vis the person responsible:
a. Right to Information
You can ask the person in charge to confirm whether personal data concerning you are processed by her or him. In the event of such processing, you may ask the person responsible for the following information:
1. the purposes for which the personal data are processed;
2. the categories of personal data processed;
3. the recipients or categories of recipients to whom the personal data relating to you has been or will be disclosed;
4. the planned duration of the retention of the personal data relating to you or, if it is not possible to provide specific information in this regard, criteria for determining the retention period;
5. the existence of a right to rectify or delete personal data concerning you, a right to limit the processing by the person in charge or a right to object to such processing;
6. the existence of a right of appeal to a supervisory authority;
7. all available information on the origin of the data if the personal data is not collected from the data subject.
You have the right to request information as to whether the personal data concerning you will be transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate guarantees pursuant to Art. 46 GDPR in connection with the transfer.
b. Right to Rectification
You have the right to correction and/or completion by the person responsible if the personal data processed concerning you is inaccurate or incomplete. The person responsible must rectify the data without delay.
c. Right to Limitation of Processing
Under the following conditions, you may request that the processing of your personal data be restricted:
1. if you dispute the accuracy of the personal data concerning you for a period of time which enables the person responsible to verify the accuracy of the personal data;
2. if the processing is unlawful and you refuse to delete the personal data and instead request the restriction of the use of the personal data;
3. if the person responsible no longer needs the personal data for the purposes of processing, but you need it for the assertion, exercise or defence of legal claims, or
4. if you have filed an objection against the processing pursuant to Art. 21 para. 1 GDPR and it has not yet been determined whether the justified reasons of the person responsible outweigh your reasons.
Where the processing of personal data concerning you has been restricted, such data may not be processed, other than with your consent or for the purpose of asserting, exercising or defending a right or protecting the rights of another natural or legal person or for reasons of an important public interest of the European Union or of a Member State, except with regard to the storage of such data.
If the processing restriction has been restricted in accordance with the above conditions, you will be informed by the person in charge before the restriction is lifted.
d. Right to Deletion
You may request the person responsible to delete the personal data concerning you immediately and the person responsible is obliged to delete this data immediately if one of the following reasons applies:
1. The personal data relating to you is no longer necessary for the purposes for which it was collected or otherwise processed.
2. You revoke your consent on which the processing pursuant to Art. 6 para. 1 lit. a) was based and there is no other legal basis for the processing.
3. You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
4. The personal data concerning you has been processed unlawfully.
5. The deletion of personal data concerning you is necessary in order to fulfil a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
6. The personal data relating to you has been collected in relation to information society services pursuant to Art. 8 para. 1 GDPR.
If the person responsible has made the personal data concerning you public and is obliged to delete them in accordance with Art. 17 para. GDPR, he shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform the persons responsible for data processing who process the personal data that you, as the person concerned, have requested them to delete all links to this personal data or copies or replications of this personal data.
The right to deletion does not exist if the processing is necessary
1. to exercise the right to freedom of expression and information;
2. to fulfil a legal obligation which requires the processing under the law of the Union or of the Member States to which the person responsible is subject, or to perform a task carried out in the public interest or in the exercise of official authority vested in the person responsible;
3. for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h) and i) as well as Art. 9 para. 3 GDPR;
4. for archive purposes in the public interest, for scientific or historical research purposes or for statistical purposes pursuant to Art. 89 para. 1 GDPR, insofar as the right referred to in section a) presumably makes the realisation of the objectives of such processing impossible or seriously impairs it;
5. for the assertion, exercise or defence of legal claims.
e. Right to Information
If you have exercised your right to rectify, cancel or limit the processing of your personal data against the responsible person, he or she is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification, cancellation or limitation of processing, unless this proves impossible or involves a disproportionate effort.
You have the right to be informed of these recipients by the person responsible.
f. Right to Data Transferability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to communicate this data to another responsible person without being hindered by the responsible person to whom the personal data was provided, provided that
1. the processing is based on an agreement pursuant to Art. 6 Para. 1 lit. a) GDPR or on a contract pursuant to Art. 6 Para. 1 lit. b) GDPR and
2. the processing is carried out using automated procedures.
In exercising this right, you also have the right to request that the personal data concerning you be transmitted directly by a responsible person to another responsible person, as far as this is technically feasible. Furthermore, the exercise of this right does not exclude the possibility of exercising your right to deletion (d.). Freedoms and rights of other persons must not be affected by this.
The right to data transferability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the person responsible.
g. Right of Appeal to a Supervisory Authority
Without prejudice to any other administrative or judicial remedy, you shall have the right to complain to a supervisory authority, in particular in the Member State of your residence, place of work or place of suspected infringement, if you consider that the processing of your personal data is in breach of the GDPR.
The supervisory authority to which the complaint was submitted shall inform the complainant of the status and results of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
You can use the contact form on sciebo.de to exercise your rights (a., b., c., e., f.). You can exercise the right to deletion (d.) in the my.sciebo portal on sciebo.de by confirming the corresponding button ("Delete account"). If this is not possible for you, you can also use the contact form on sciebo.de for this purpose.