Security Operations Center (SOC) Privacy Information
Information pursuant to Article 13 of the EU General Data Protection Regulation (GDPR)
The University of Hamburg (UHH) would like to provide you with additional information regarding the processing of your personal data when using the UHH network.
The UHH, as a public corporation, is responsible for processing in accordance with the GDPR. The contact details are as follows:
University of Hamburg
represented by the president
Mittelweg 177
20148 Hamburg
praesident"AT"uni-hamburg.de
The UHH operates a Security Operations Center (SOC) to detect, analyze, and defend against cyber threats to the UHH's IT infrastructure and IT services.
A SOC is a central unit within an organization that monitors all IT systems around the clock in order to detect, analyze, and respond to cyber attacks and security incidents at an early stage. The procedure serves to establish comprehensive visibility with regard to possible cyberattacks on the networks, IT infrastructure, and end devices of the UHH. It also serves to prepare, aggregate, and enrich data and display it in a portal as a working basis for the UHH SOC. This requires the processing of certain personal data of users. At large central network nodes, data streams are examined for suspicious patterns and, if a suspicious case is detected, the UHH is notified as a result of a processing chain.
In addition, the log data of various services of the UHH computer center (RRZ) is fed into the system. The SOC collects log data (such as successful or unsuccessful login attempts, authorization changes, attribute changes, system and network events, etc.) for automated processing. The specific log data collected may vary depending on the system. For example, Windows systems collect different log events than file storage or network systems. The data passes through a series of systems. Some of it is evaluated in the respective source system (e.g., endpoint protection solutions/antivirus software on the end device) or in the central Security Information and Event Management System (Tenzir), the SOAR system of the SOC service provider, or the long-term storage system (Graylog). In the event of anomalies (detected by automated detection), these are forwarded to the responsible system administrators for specific analysis.
The data used for IT security, some of which is personal data, is also used for scientific research purposes in compliance with legal requirements. IT security research deals, among other things, with the question of how IT infrastructures can be better protected against cyber attacks. The aim is to achieve long-term, continuous improvement of preventive and reactive measures and to mitigate risks. To achieve these goals, it is planned to share data sets with other cooperation partners in compliance with legal requirements in order to be able to detect attacks better and faster on the one hand, and to work on the further development of the technologies used on the other. This includes partners from the scientific community and international cooperation partners from the university sector to ensure round-the-clock operation of the SOC. In order to detect attacks and test the methods, it is important to also test them with data from a real system environment to determine the extent to which (defense) methods behave in a real environment.
This does not permit the monitoring of employee performance and behavior. The data collected during the processing described here may not be used as a basis for disciplinary and/or labor law measures. As an exception, this is permissible in the case of a specific suspicion (even if it arose by chance) in order to investigate cases of abuse (misconduct, breach of employment contract obligations, or criminal acts). The triggering circumstances and, in particular, the basis for the specific suspicion must be documented.
1. Contact person for questions regarding processing
Questions regarding the data processing described below can be directed to:
University of Hamburg
Schlüterstr. 70
20146 Hamburg
Markus Böttger
rrz-serviceline"AT"uni-hamburg.de
2. Data Protection Officer
In addition, you can contact the data protection officer with any questions regarding data processing at UHH at:
Data Protection Officer at the University of Hamburg
Mittelweg 177
20148 Hamburg
dsb"AT"uni-hamburg.de
3. Purposes of processing
Personal data is processed for the following purposes:
The purposes of processing are to monitor, detect, analyze, and defend against cyber threats to the IT infrastructure and IT services of UHH.
In order to achieve continuous improvement of preventive and reactive measures and to mitigate risks, personal data may also be further processed for scientific purposes to ensure the long-term development of the necessary services.
4. Legal basis for processing
The UHH takes these measures to detect and prevent cyber threats in order to maintain and improve the functioning of its IT infrastructure and IT services. This serves to ensure that the UHH can continue to fulfill its statutory duties (Art. 6 (1) (e) GDPR). In some cases, there are specific legal obligations to implement certain measures, which form the legal basis for the necessary data processing (Art. 6 (1) (c) GDPR, § 6 (1) Hamburg Data Protection Act (HmbDSG), Art. 32 GDPR).
In relation to employees, processing is necessary to ensure the functionality of the IT infrastructure and IT services and to implement the employment relationship (Art. 6 (1) (b) GDPR, § 10 (1)-(3) HmbDSG, §§ 85 to 92 Hamburg Civil Service Act (HmbBG)), as network use is an integral part of the performance of tasks in all areas of work.
Personal data collected by the UHH on the basis of the aforementioned legal grounds may also be processed by the UHH for other purposes, provided that such a change of purpose is permitted by law. Where necessary, guarantees for your rights will be put in place for this purpose, e.g., anonymization or pseudonymization of the data records.
Further processing may take place in particular for the purposes of scientific or historical research, for statistical purposes (cf. § 11 (1) and (2) HmbDSG as well as § 6 (2) No. 9 HmbDSG and Art. 89 GDPR). In addition, a change in the original purpose is possible under the conditions of § 6 (2) Nos. 1-9 HmbDSG. Further processing may also be carried out in accordance with Art. 6 (4) GDPR in conjunction with Art. 89 GDPR for archiving or scientific research purposes in the public interest, in particular for technological development, demonstration, basic, applied, and/or privately funded research, for public health studies, and for the creation of a European Research Area (see Recital 159 to the GDPR).
Currently, processing on these grounds is taking place for the further processing of existing personal data by researchers at the UHH. In the future, information about cyberattacks in the form of the suspected cases described above will also be shared with the cooperation partners mentioned above in pseudonymized form. If the evaluations of the cooperation partners yield findings that may be relevant to the IT security of the UHH, the data used may also be returned to the UHH in enriched form.
5. Categories of personal data
The following categories of personal data are processed:
- Communication and authentication data (login, log, and network data of all network users, as well as other data generated during use of the SOC, specifically relating to the administrators active there)
- Login data: User name
- Authentication data: Password or 2FA
- Network data: Time and duration of network connections, IP addresses and ports used, data volumes transferred, URLs, network protocols and commands executed
6. Recipients / Categories of recipients
Personal data is transferred to the following recipients/categories of recipients:
Tenzir GmbH, Nagelsweg 41, 20097 Hamburg
The UHH uses a data integration and automation platform and several sensors from the processor Tenzir to detect attacks on its network structure. The processors are subject to the instructions of the UHH.
7. Transfer of personal data to a third country
There are currently no plans to transfer your personal data to a third country/international organization. If research partners from non-European countries are involved in the further development of the SOC as part of future research collaborations, data will only be transferred in anonymized form. This means that the recipients of the data will no longer be able to establish any personal reference.
8. Duration of storage
Personal data is stored for the following period:
Personal data is regularly stored in the UHH SOC for up to 13 months in order to ensure the retroactive availability of event reports, e.g., in the event of normal annual peak loads on the network (enrollment period, start of semester) or annual clusters of attacks (currently often in connection with nationwide holidays). The storage period depends on the importance of the data for IT security. Sub-datasets are deleted after 30 days. In specific individual cases, data may be stored for up to 18 months.
As part of the current transfers to a research project within the UHH, the transferred data is stored for twelve months and deleted on an ongoing basis. After the end of the project, it is intended to delete all data still available at that time three months after the end of the project.
9. Your rights
You have the following rights:
a. Right to information
According to Art. 15 GDPR, you have a right to information from the controller.
b. Right to rectification
According to Art. 16 GDPR, you can request the controller to rectify incorrect data.
c. Right to erasure
You have the right to have your personal data erased or a “right to be forgotten” under Article 17 GDPR vis-à-vis the controller.
d. Right to restriction of processing
You have the right to request that the controller restrict the processing of your personal data under Article 18 GDPR.
e. Right to object
If the processing is based on Art. 6 (1) (e) GDPR, you have the right to object to the processing in accordance with Art. 21 GDPR vis-à-vis the controller.
f. Right to lodge a complaint
You have the right to lodge a complaint against the processing of your personal data with a competent data protection supervisory authority.
Version 1, as of December 15, 2025