FAQ

Here you will find answers to frequently asked questions. If your question is not listed here, please feel free to ask by e-mail at datenschutz@leuphana.de.

  • What are the legal bases for protection of personal data?
  • To whom does the GDPR apply?
  • What are personal data?
  • What are special categories of personal data according to Art. 9 GDPR?
  • Who is the controller?
  • What is processing?
  • Who is third-party?
  • What principles apply to the processing of personal data?
  • What are my obligations as an internal data processing unit within Leuphana University?
  • What is the record of processing activities (Art. 30 GDPR)?
  • Information of data subjects / duty to inform
  • What legal bases can I rely on for the lawful processing of personal data?
  • What should be considered when giving consent?
  • What is the Double-Opt-In process?
  • What is the difference between anonymization and pseudonymization?
  • What is profiling?
  • Differentiation scoring - profiling
  • Who is a processor and what is a processing contract?
  • What is joint controllership?
  • Right of access by the data subject
  • How long may personal data be stored?
  • What is a data protection incident?
  • How do I act in the event of a personal data breach (data protection incident)?
  • What is a data protection impact assessment and when and by whom is it to be carried out?
  • What do I have to consider regarding privacy protection when taking photos and videos?
  • What about the transfer of data to third parties?
  • What do I need to keep in mind when it comes to personal data protection for research projects, scientific studies and surveys?
  • Do special features apply to the processing of personal data of children?
  • What are the penalties and fines for violations?

What are the legal bases for protection of personal data?

As a public body, Leuphana University must comply in particular with the General Data Protection Regulation (GDPR) and the Niedersächsische Datenschutzgesetz (NDSG). This legal framework comprises the essential requirements with regard to data protection. In addition, specific regulations apply to the individual departments, which supplement the general data protection regulations (for example, the Niedersächsische Hochschulgesetz (NHG), which defines the tasks of the university). The Bundesdatenschutzgesetz (BDSG) applies only to those entities that participate in competition as a business and thereby process personal data in the course of their business activities. Within Leuphana University, this scope does not apply to the vast majority of areas.

To whom does the GDPR apply?

The GDPR applies to all data processing entities within Europe and the European Economic Area. Please be particularly careful with regard to data processing operations involving third countries (countries outside the scope of the GDPR), as it can be assumed that the standard of data protection law there is far below that of the European Union. The office responsible for data protection will advise you on this.

What are personal data?

The protected subject of the GDPR is personal data. This is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
If the individual is identified, any data that can be associated with him or her is considered personal data. The name of the person does not have to be known. If the person is not identified, the question is whether the person can be identified with a proportionate effort using cumulatively all available data.

What are special categories of personal data according to Art. 9 GDPR?

Special categories of personal data include racial and ethnic origin, political opinions, religious or ideological beliefs, trade union membership, genetic data, biometric data, health data, and data concerning sex life or sexual orientation. If special categories of data are processed, it should always be noted that this entails an increased need for protection. Extensive technical and organizational measures must therefore be put in place to ensure the protection of the special categories of personal data.

Who is the controller?

The controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Thus, if Leuphana University is considered to be the controller (externally), a department cannot rely on the fact that a person cannot be identified on the basis of the data available within the department/unit if further data is available within the university. The responsible party within the overall organization (Leuphana University of Lüneburg) is the respective unit involved in data processing.

What is processing?

Processing is defined as any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In short: processing actually includes everything that can be done with data.

Who is third-party?

A third party is a natural or legal person, public authority, agency or other body, other than the data subject, the controller, the processor (see "Who is a processor and what is a processing contract?") and the persons who are authorized to process the personal data under the direct responsibility of the controller or processor. If personal data are transferred to a third party, this transfer always requires a legal basis.

What principles apply to the processing of personal data?

First of all, the so-called "prohibition with reservation of permission" applies. Accordingly, any data processing is prohibited unless it can be based on a legal basis. Furthermore, there is a comprehensive duty of documentation (accountability) on the part of the data controller, which constitutes proof (especially to the competent data protection authority) that all data protection principles are being observed. Personal data must be processed lawfully, in good faith and transparently. Data processing must relate to a specific purpose and, in order to ensure data minimization, must be reduced to a level that is actually necessary to fulfill the purpose. Processed personal data should always be accurate, storage scope should be limited through deletion and anonymization, and integrity and confidentiality (data security) should always be ensured.

What are my obligations as an internal data processing unit within Leuphana University?

In essence, Leuphana as the controller is obliged to document all processing operations (directory of processing activities) and to inform the data subjects comprehensively prior to the respective processing (data subject information). This includes all wholly or partially automated processing of personal data, as well as non-automated processing that is stored or is to be stored in a file system. A file system is any type of organized storage, which does not have to be electronic, but can also be present in a systematic filing in a file. As an internal data processing unit, you are responsible for documentation and information.

What is the record of processing activities (Art. 30 GDPR)?

The record of processing activities (RoPA) is essentially a documentation and overview of the procedures in which personal data are processed. The content of the RoPA is specified in the GDPR. Accordingly, the essential details of the data processing, such as the category of data, the group of data subjects, the purpose of the processing, the legal basis, and much more, must be documented. The RoPA is securely managed and regularly updated by the unit responsible for data protection.

Information of data subjects / duty to inform

The scope of the data subject information is defined in Art. 13 and 14 GDPR. Before any processing of personal data, the data subjects must be informed by the controller about the scope of the data processing and their rights. Therefore, the relevant privacy notices must be urgently brought to the attention of the data subjects prior to processing. In the case of consent, mere acknowledgement is not sufficient and an unambiguous confirmatory act is required. The privacy notices state the purposes of the processing, the legal bases and the rights of the data subject. Information on this can be found in the templates for the privacy notices, legal basis Art. 6 GDPR.

What legal bases can I rely on for the lawful processing of personal data?

The scope of the available legal bases is defined by Art. 6 GDPR.
- Art. 6 para. 1 s. 1 letter a) GDPR: consent (it must always be checked whether the processing can be based on another legal basis).
- Art. 6 para. 1 s. 1 letter b) GDPR: contract performance (only relevant insofar as a contractual relationship exists directly with the data subject, or the processing is necessary for pre-contractual measures taken at the request of the data subject).
- Art. 6 para. 1 s. 1 letter c) GDPR: legal obligation (example: budgetary law, regulatory law, tax law, etc.).
- Art. 6 para. 1 s. 1 letter d) GDPR: protection of vital interests.
- Art. 6 para. 1 s. 1 letter e) GDPR: performance of a task carried out in the public interest (here, there is usually a reference to the tasks of the university in the public interest [section 3 para. 1 NHG]).
- Art. 6 para. 1 s. 1 letter f) GDPR: legitimate interest (the legitimate interest in the data processing must be weighed against the interests of the data subject worthy of protection and must outweigh them). Art. 6 para. 1 s. 1 letter f) GDPR does not apply to processing carried out by public authorities in the performance of their tasks.

What should be considered when giving consent?

If consent is used as the legal basis for data processing, the data subject voluntarily and demonstrably consents to data processing for the stated purposes. Consent should be avoided as a legal basis if possible, since the data subject can revoke his or her consent at any time, which makes further data processing impossible with effect for the future. Since voluntariness is of particular importance, it must be taken into account that in cases where there is an imbalance of power, this may not be guaranteed. Consent must not be tied to a contract, i.e. it must not be made a prerequisite for the conclusion of a contract (so-called prohibition of tying). In the case of minors, the consent of a holder of parental responsibility is also required. There is no fixed age limit for when the consent of a parent is no longer required. It is recommended that parental consent be waived from the age of 16 and that the individual case always be examined, as the person concerned must be aware of the scope of the data processing.
If consent is given via the Internet, the documentation poses particular challenges for the data controller. In this case, the double opt-in procedure must be used to ensure that it is possible to prove that consent has been given.

What is the Double-Opt-In process?

The double-opt-in procedure is mainly used in e-mail marketing and, more generally, wherever a declaration of consent is transmitted electronically. Through the procedure, the advertiser or the controller ensures that the data subject has actually given his or her consent in a legally verifiable manner. In practice, the following procedure has become established:
1. The data subject gives his or her consent in the first step by actively selecting a checkbox, or enters his or her e-mail address in the newsletter registration form on a website.
2. The data subject then receives an e-mail with an activation link or a request to confirm consent (ideally linked to the specific consent text in the e-mail).
3. The IP address of the data subject, the time of consent and the confirmation of the activation link (time stamp) are logged, combined with the specific consent text.
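The three steps above, carried through as a small added example (not code from the original page or from Leuphana): a request issues an unguessable one-time token, the activation link carries that token, and confirmation is only accepted once and within a time limit, logging IP addresses and timestamps together with a hash of the exact consent text. The consent wording, the 48-hour expiry, the host name in the link and the addresses and IPs in the demo are all constructed assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed consent wording (assumption); in practice the exact text shown
# to the data subject, because the record must prove *what* was consented to.
CONSENT_TEXT = (
    "I agree to receive the Leuphana newsletter by e-mail. "
    "I can revoke this consent at any time with effect for the future."
)
# Assumption: an unconfirmed request expires after 48 hours.
TOKEN_TTL = timedelta(hours=48)


@dataclass
class ConsentRecord:
    email: str
    consent_text_sha256: str   # binds the record to the specific consent text
    requested_at: datetime     # step 1: checkbox ticked / address entered
    requested_ip: str
    token: str
    confirmed_at: Optional[datetime] = None   # step 3: activation link clicked
    confirmed_ip: Optional[str] = None


class DoubleOptIn:
    """Minimal double-opt-in workflow: request -> activation link -> confirm."""

    def __init__(self) -> None:
        self._pending = {}     # token -> ConsentRecord awaiting confirmation
        self._confirmed = {}   # email -> ConsentRecord with proof of consent

    def request(self, email: str, ip: str, now: datetime) -> str:
        """Step 1: log the request and issue an unguessable one-time token."""
        token = secrets.token_urlsafe(32)
        self._pending[token] = ConsentRecord(
            email=email,
            consent_text_sha256=hashlib.sha256(CONSENT_TEXT.encode()).hexdigest(),
            requested_at=now,
            requested_ip=ip,
            token=token,
        )
        return token

    @staticmethod
    def activation_link(token: str) -> str:
        """Step 2: the link embedded in the confirmation e-mail (placeholder host)."""
        return f"https://example.invalid/newsletter/confirm?token={token}"

    def confirm(self, token: str, ip: str, now: datetime) -> Optional[ConsentRecord]:
        """Step 3: accept the token once, within its TTL, and log IP and timestamp."""
        record = self._pending.pop(token, None)   # unknown or already-used token -> None
        if record is None:
            return None
        if now - record.requested_at > TOKEN_TTL:  # stale link: consent is not proven
            return None
        record.confirmed_at = now
        record.confirmed_ip = ip
        self._confirmed[record.email] = record
        return record

    def is_confirmed(self, email: str) -> bool:
        """Only confirmed addresses may be used, e.g. added to the mailing list."""
        return email in self._confirmed


def run_demo() -> dict:
    """Exercise the workflow on constructed addresses and IPs; returns the outcomes."""
    flow = DoubleOptIn()
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    tok = flow.request("alice@example.invalid", "203.0.113.5", t0)
    wrong = flow.confirm("not-the-token", "203.0.113.5", t0)
    ok = flow.confirm(tok, "203.0.113.5", t0 + timedelta(hours=1))
    replay = flow.confirm(tok, "203.0.113.5", t0 + timedelta(hours=2))
    tok2 = flow.request("bob@example.invalid", "198.51.100.7", t0)
    stale = flow.confirm(tok2, "198.51.100.7", t0 + timedelta(hours=49))
    return {
        "wrong_token": wrong,
        "confirmed": ok,
        "replay": replay,
        "stale": stale,
        "alice_confirmed": flow.is_confirmed("alice@example.invalid"),
        "bob_confirmed": flow.is_confirmed("bob@example.invalid"),
        "link": flow.activation_link(tok),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The token is popped from the pending table on first use, so a guessed, reused or expired link never produces a consent record, and an address is only treated as subscribed once a record with both timestamps and both IP addresses exists.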

What is the difference between anonymization and pseudonymization?

Pseudonymization is the processing of personal data using identification numbers, ciphers, bar codes, etc. Pseudonymization means that the personal data can no longer be easily assigned to a specific person. However, it is still possible to assign the data within the controller by means of the key (e.g. matriculation number). In the case of anonymization, the data subject can no longer be identified by the means of the controller with a proportionate effort (to be evaluated on a case-by-case basis). Anonymization is equivalent to deletion in terms of data protection law. If the reference to a person ceases to exist as a result of anonymization, then in principle no data protection requirements apply. With pseudonymization, on the other hand, the reference to a person remains possible, which maintains the requirement of compliance with data protection regulations.
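To make the distinction concrete, here is an added example (not code from the original page or from Leuphana) that treats one constructed student data set in both ways. Pseudonymization replaces the direct identifiers with a keyed pseudonym and keeps the key material (here an HMAC key plus a lookup table, an assumed design) apart from the data, so the controller can still re-identify a person; anonymization drops the identifiers, generalizes the quasi-identifiers (age, postcode) and suppresses any combination shared by fewer than k people, so no key remains that would allow re-identification. All records, the key and the k value are constructed.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (assumption): a small student data set.
RECORDS = [
    {"matriculation": "3001001", "name": "A. Example", "age": 21, "postcode": "21335", "grade": 1.7},
    {"matriculation": "3001002", "name": "B. Example", "age": 24, "postcode": "21337", "grade": 2.3},
    {"matriculation": "3001003", "name": "C. Example", "age": 33, "postcode": "21339", "grade": 1.3},
    {"matriculation": "3001004", "name": "D. Example", "age": 36, "postcode": "21335", "grade": 3.0},
    {"matriculation": "3001005", "name": "E. Example", "age": 52, "postcode": "20095", "grade": 2.0},
]
# Assumption: the pseudonymization key is held by the controller, separately from the data.
KEY = b"controller-secret-key-placeholder"

DIRECT_IDENTIFIERS = ("matriculation", "name")
QUASI_IDENTIFIERS = ("age_band", "postcode_area")


def pseudonymize(records, key):
    """Replace direct identifiers with a keyed pseudonym; return (data, lookup table).

    The same key yields the same pseudonym for the same person, so records can still
    be linked; the lookup table is the "key" that keeps re-identification possible.
    """
    data, lookup = [], {}
    for r in records:
        pid = hmac.new(key, r["matriculation"].encode(), hashlib.sha256).hexdigest()[:16]
        lookup[pid] = r["matriculation"]
        rest = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
        data.append({"pseudonym": pid, **rest})
    return data, lookup


def reidentify(pseudonym, lookup):
    """Resolve a pseudonym back to the matriculation number, if the lookup table is available."""
    return lookup.get(pseudonym)


def _quasi_key(row):
    return tuple(row[q] for q in QUASI_IDENTIFIERS)


def anonymize(records, k=2):
    """Drop direct identifiers, generalize quasi-identifiers and enforce k-anonymity.

    Rows whose (age band, postcode area) combination occurs fewer than k times are
    suppressed, because such rare combinations could single a person out.
    """
    rows = []
    for r in records:
        decade = (r["age"] // 10) * 10
        rows.append({
            "age_band": f"{decade}-{decade + 9}",     # 21 -> "20-29"
            "postcode_area": r["postcode"][:2],        # "21335" -> "21"
            "grade": r["grade"],
        })
    groups = Counter(_quasi_key(row) for row in rows)
    return [row for row in rows if groups[_quasi_key(row)] >= k]


def is_k_anonymous(rows, k):
    """True if every quasi-identifier combination in rows appears at least k times."""
    groups = Counter(_quasi_key(row) for row in rows)
    return all(count >= k for count in groups.values())


if __name__ == "__main__":
    pseudo, lookup = pseudonymize(RECORDS, KEY)
    print("pseudonymized:", pseudo[0], "-> re-identified as", reidentify(pseudo[0]["pseudonym"], lookup))
    anon = anonymize(RECORDS, k=2)
    print("anonymized:", anon, "2-anonymous:", is_k_anonymous(anon, 2))
```

Note the asymmetry the FAQ describes: the pseudonymized output is still personal data, because whoever holds `KEY` or the lookup table can resolve the pseonyms, whereas the anonymized output carries no such key, at the price of losing one record entirely (the single person in the 50-59 / postcode area 20 group).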

What is profiling?

Profiling is any type of automated processing of personal data which consists in using them to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects relating to that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location (see Art. 4 no. 4 GDPR).
Profiling is characterized by the fact that service providers and data collectors evaluate sets of personal data by means of automated processing using algorithms in order to evaluate certain personal aspects relating to a natural person on this basis, in particular to analyze or predict certain behaviors. This may concern, for example, a natural person's job performance, economic situation, health, personal preferences, interests, reliability, behavior, location or change of location.
The data subject should not be subject to a decision concerning personal aspects relating to him or her based solely on automated processing which produces legal effects concerning him or her or similarly significantly affects him or her. If profiling is involved, separate information shall be provided with the general data protection notices. In the case of profiling measures, the controller is also obliged to carry out a data protection impact assessment.

Differentiation scoring - profiling

Scoring is to be regarded as a sub-case of profiling. It falls under Art. 22 GDPR, which regulates automated individual decision-making as a general provision. In the case of scoring (as a special use case of profiling), the assessment procedure is used to decide on the establishment, implementation or termination of a contractual relationship. This means that decisions are made on the basis of a previously determined score value without any intervening human decision. Cases of practical relevance are, for example, the automatic rejection of an online credit application or fully automated online hiring procedures, which are prohibited by the GDPR. However, decisions that are not fully automated, i.e. in which a human is involved in the decision, remain permissible.

Who is a processor and what is a processing contract?

A processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller. If data processing is to be carried out on behalf of the controller, a contract must be concluded with the processor in accordance with Art. 28 para. 3 GDPR. Pursuant to Art. 28 para. 1 GDPR, cooperation may only be carried out with processors who provide sufficient guarantees that appropriate technical and organizational measures will be implemented in such a way that the processing will be carried out in compliance with the requirements of the GDPR and will ensure the protection of the rights of the data subject. A sample contract for commissioned data processing is available from the unit responsible for data protection or directly on the intranet site if required.

What is joint controllership?

According to Art. 26 GDPR, two or more controllers are always jointly responsible if they jointly determine the purposes and means of the processing of personal data. In contrast to commissioned data processing, in the case of joint processing the controllers act on an equal footing and are essentially not bound by instructions. This applies in particular to research projects and the use of social media services. If there is joint responsibility, the controllers must conclude an agreement that specifies in a transparent manner who fulfills which obligations under the GDPR. A sample contract for joint controllership is available from the data protection office if required.

Right of access by the data subject

The data subject may request information at reasonable intervals about data processing, in particular about its purposes, the scope of the data processed and the recipients (Art. 15 GDPR). You can find more information about the right to information in our handout on data subject rights.

How long may personal data be stored?

The principle of data economy requires that personal data be stored only for as long as is necessary for the purpose in question. The specific purpose must be determined by the controller before the start of the processing activity.
In principle, no general statement can be made here with regard to the storage period to be applied in your area or the deletion routine. If possible, use legal retention periods as a guide and contact the office responsible for data protection if you are unsure. Always ask yourself whether the retention of data is actually necessary in the individual case or merely serves the purpose of data retention.

What is a data protection incident?

A personal data breach is a breach of security that results, whether accidentally or unlawfully, in the destruction, loss, alteration, or unauthorized disclosure of, or access to, personal data. In the event of a personal data breach, the controller shall, without undue delay and, where possible, within 72 hours of becoming aware of the breach, notify it to the competent supervisory authority pursuant to Article 51, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by a statement of the reasons for the delay (Art. 33 para. 1 GDPR).

How do I act in the event of a personal data breach (data protection incident)?

As soon as you become aware of a personal data breach or an irregularity in the processing of personal data, please contact the Leuphana University office responsible for data protection without delay. The latter will decide on the further procedure and, in the event of a data protection breach subject to notification, will inform the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Further notices and a data protection incident form can be found here: Hinweise & Formular downloaden (German).

What is a data protection impact assessment and when and by whom is it to be carried out?

A data protection impact assessment (DPIA) is a specific tool for describing, assessing and mitigating risks to the rights and freedoms of natural persons in relation to the processing of personal data. In the case of forms of processing (here we are talking about a single processing operation) that are likely to result in a high risk to the rights and freedoms of natural persons (in particular when using new technologies, due to the nature, scope, circumstances and purposes of the processing), a DPIA must be carried out in accordance with Art. 35 GDPR. It addresses remedial actions to ensure the protection of personal data and to demonstrate compliance with the GDPR.
Typical examples of use:
- Extensive processing of personnel file data, which also concerns confidential and highly personal data (personnel administration).
- Automated evaluation of video or audio recordings to assess personal aspects of the data subjects (personality evaluation).
- Extensive and innovative processing of confidential or highly personal data in third countries.
- Extensive processing of social data.

What do I have to consider regarding privacy protection when taking photos and videos?

The creation of photo and/or video recordings can be attributed to a legal basis as well as to consent. Please note that the available legal bases are to be preferred over consent. If photo and/or video recordings are made, please note that use in connection with social media channels may require the conclusion of a separate agreement on data protection with the respective providers. It is also advisable to use the so-called "button solution": By pointing out the planned recordings at the entrance and providing colored badges or stickers for people who do not wish to be recorded, you can greatly minimize the risk of data subjects subsequently revoking their consent or objecting to data processing, which usually leads to your recordings being unusable.
Furthermore, the recordings should ideally be made by a SHK (student assistant). Hiring a freelance photographer requires an additional written agreement and a separate review of the photographer(s) regarding their data protection precautions.
Please refer to the handout on the organization of events and the instructions there for taking photographs and/or video recordings.

What about the transfer of data to third parties?

Personal data may not simply be transferred to third parties. Each transfer (to persons or entities outside the controller) represents an independent processing operation and thus requires a legal basis in advance (Art. 6 GDPR or commissioned data processing). If, in addition, the data is transferred to a third country (to an entity outside the EU / EEA, e.g. the USA), the controller must ensure that an adequate level of data protection can be demonstrated through additional requirements. This proof can be based on different grounds:
- The data protection level of the destination country has been recognized as adequate by the European Commission (this applies, for example, to Argentina, Canada, Switzerland, New Zealand, Uruguay, etc.).
- The recipient of the personal data is demonstrably listed as having an adequate level of data protection under the Privacy Shield certification. The certification is controversial as it is only based on the self-perception of the entities.
- The transferor and recipient of the personal data have entered into an agreement based on the European Commission's standard contractual clauses, thus providing for appropriate measures to protect the personal data.
- The recipient has installed specific approved protection procedures (Binding Corporate Rules) to ensure the protection of personal data at the EU level.

What do I need to keep in mind when it comes to personal data protection for research projects, scientific studies and surveys?

The area of university research is a special topic under data protection law and includes various critical fields that must be properly classified from a data protection law perspective. Please use our handout on research for comprehensive information.

Do special features apply to the processing of personal data of children?

Additional protection is provided for children's personal data, as children are less aware of the risks and consequences of data sharing and their rights. Any information specifically addressed to children should be adapted to be in an easily accessible form and in clear and simple language.
When processing a child's personal data, the consent of a parent or guardian is required. The age limit for parental consent requirement varies between 13 and 16 years, depending on the determination in the respective EU Member State. The GDPR provides for a limit of 16 years. However, since it is not only age that is important, but in particular the ability to understand and the child must be able to reasonably foresee the consequences of his or her decision, it is recommended that the consent of a holder of parental responsibility be obtained for minors as a matter of principle.

What are the penalties and fines for violations?

According to Art. 82 GDPR, any controller involved in a processing operation is liable for the damage caused by a processing operation that does not comply with the Regulation.