Please also note our social media channels: Bluesky and Instagram!

General information on data processing

Please note: This general information on data processing has been translated from German by DeepL.

scope of processing
We only process our users' personal data to the extent necessary to provide a functional website and our content and services. The processing of our users' personal data only takes place regularly with the user's consent. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

legal basis
Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 §1 lit. a EU General Data Protection Regulation (DSGVO) serves as the legal basis.

When processing personal data that is necessary for the fulfilment of a contract to which the data subject is a party, Art. 6 §1 lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the implementation of pre-contractual measures.

Insofar as the processing of personal data is necessary to fulfil a legal obligation to which our company is subject, Art. 6 §1 lit. c DSGVO serves as the legal basis.

The legal basis is Art. 6 §1 lit. e DSGVO in conjunction with §16ff ThürDSG and § 5ThürHG if the processing of the personal data you provide is necessary to process your request in the context of the fulfilment of our tasks.

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 §1 lit. f DSGVO serves as the legal basis for the processing.

data erasure and storage duration
The personal data of the data subject will be erased or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or deleted if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfilment of a contract.

stored information 
The University of Erfurt automatically collects and stores information that your browser transmits to us in its server log files. These are

  • browser type/version
  • operating system used
  • website from which access is made (referrer)
  • host name of the requesting computer (IP address)
  • date and time of the server request
  • name and URL of the retrieved data
  • amount of data transferred
  • message as to whether the request was successful (http status code)

This data cannot be assigned to specific persons by the University of Erfurt. It is used to analyse system security and stability, to investigate misuse and to ensure that our website is easy to use. This data is not merged with other data sources, and the data is regularly deleted after statistical analysis. No data is passed on to third parties.

The legal basis for data processing is Art. 6 para. 1 sentence 1 lit. f DSGVO.

encryption 
This site uses SSL encryption for security reasons and to protect the transmission of all content.
You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line.

cookies 
Cookies are small text files that are generated by the web server and sent to your Internet browser, where they are stored or saved on your browser. Cookies are used to increase the functionality and convenience of the website for you.

It is possible to use our website without cookies. A personalised database entry consisting of session ID, anonymised IP address, time stamp, user ID and session data is only created when you log in to an access-protected area of the website and is deleted again when you log out. Only the last timestamp is stored permanently. A personalised cookie is also created, which is usually deleted when the browser is completely closed.

For backend editors, a function cookie is created when they deregister in the backend, which is deleted again when they deregister from TYPO3.

You can configure the cookie management yourself in your browser. Example Firefox (in German only)

use of cloud technologies and data processing outside Europe

  • use of EC2 and Cloudfront
    Our website uses Amazon EC2 located in Frankfurt as a server solution. We also use Amazon Cloudfront as a content delivery network (CDN) to improve the performance and availability of our website. The minimum distribution of Cloudfront is limited to Europe and North America.
  • use of Cloudwatch and Certificate Manager
  • We use Amazon Cloudwatch to monitor our website infrastructure and log management. Due to our use of Cloudfront, the Cloudwatch location is in North America. We also use Amazon Certificate Manager as our SSL certificate issuer, which is also located in North America, to ensure a secure connection to our website.
  • use of WAF & Shield
    We use Amazon Web Application Firewall (WAF) and AWS Shield to ensure the security of our website. These services protect our website from attacks and other security threats. Due to our use of Cloudfront, the location of these security services is in North America.

data storage and transmission
The data collected by these services (EC2, Cloudfront, Cloudwatch, Certificate Manager, WAF & Shield) may be stored and processed in data centres in Europe and North America. We take all necessary measures to ensure that your data is handled securely and in accordance with the DSGVO.

social media 
In addition to this website, the University of Erfurt has a presence on:

  • Facebook;
  • Twitter;
  • Instagram;
  • Xing.

The corresponding information on responsibility and data protection can be found on the respective websites.

e-mail contact 
You can contact us at any time using the email addresses provided. In this case, the user's personal data transmitted with the e-mail will be stored. The data will not be passed on to third parties.

The legal basis for the processing is Art. 6 §1 lit. e DSGVO in conjunction with § 5 ThürHG, if the processing of the personal data provided by you is necessary to process your request as part of the fulfilment of our tasks. The communication of further information by you is voluntary on the basis of consent in accordance with Art. 6 §1 lit. a DSGVO.

The data will be used exclusively for processing the conversation. The data will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected. For the personal data from the input mask of the contact form and those sent by e-mail, this is the case when the respective conversation with the user has ended.

rights of the data subject

1. right to information
You can request confirmation from the controller as to whether personal data concerning you is being processed by us. If such processing is taking place, you can request the following information from the controller:

  •  the purposes for which the personal data is processed;
  • the categories of personal data being processed;
  • the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
  • the envisaged period for which the personal data concerning you will be stored, or, if specific information on this is not possible, the criteria used to determine that period;
  • the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing;
  • the existence of a right to lodge a complaint with a supervisory authority;
  • all available information about the origin of the data if the personal data is not collected from the data subject.

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 DSGVO in connection with the transfer.

2. right to rectification
You have a right to rectification and/or completion vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The controller must carry out the rectification without undue delay.

3. right to restriction of processing
You may request the restriction of the processing of personal data concerning you under the following conditions:

  • if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims, or
  • if you have objected to processing pursuant to Art. 21 (1) DSGVO pending the verification whether the legitimate grounds of the controller override your grounds.

If the processing of personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above conditions, you will be informed by the controller before the restriction is lifted.

4. right to erasure
a) obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

  • The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • You revoke your consent on which the processing was based pursuant to Art. 6 §1 lit. a or Art. 9 §2 lit. a DSGVO and there is no other legal basis for the processing.
  • You object to the processing pursuant to Art. 21 §1 DSGVO and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 §2 DSGVO.
  • The personal data concerning you has been processed unlawfully.
  • The deletion of personal data concerning you is necessary to fulfil a legal obligation under Union law or the law of the Member States to which the controller is subject.
  • The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8(1) DSGVO.

b) information to third parties
If the controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 (1) DSGVO, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

c) exceptions
The right to erasure does not apply if the processing is necessary:

  • to exercise the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • for reasons of public interest in the area of public health in accordance with Art. 9 §2 lit. h and i and Art. 9 §3 DSGVO
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 §1 DSGVO, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise or defence of legal claims.

5. right to information
If you have asserted the right to rectification, erasure or restriction of processing against the controller, the controller is obliged to notify all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

6. right to object
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) DSGVO, including profiling based on those provisions.

The controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

If the personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, the personal data concerning you will no longer be processed for these purposes.

You have the option of exercising your right to object in connection with the use of information society services – notwithstanding Directive 2002/58/EC – by means of automated procedures that use technical specifications.

7. right to revoke the declaration of consent under data protection law
You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

8. right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the DSGVO.

The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 DSGVO.


contact data protection officer
Dr Thomas Lauer
deputy data protection officer
University of Erfurt
C07 (teaching building 2) / room 130d
phone: +49 361 737-1201
e-mail: datenschutz(at)uni-erfurt.de