Data Protection Declaration for UHHCloud Services
Scope of validity
This data protection declaration applies to the UHHCloud Service at https://cloud.uni-hamburg.de.
Contact details for the Controller
Pursuant to the General Data Protection Regulation, national data protection laws of the various member states, and other privacy regulations, the responsible entity (“Controller”) is:
The University of Hamburg represented by the President
Mittelweg 177
20148 Hamburg
praesident@uni-hamburg.de
The University of Hamburg is a corporation under German public law, represented by Prof. Dr. Hauke Heekeren, president of the University of Hamburg, Mittelweg 177, 20148 Hamburg.
University of Hamburg Data Protection Officer contact details:
Datenschutzbeauftragte/r der Universität Hamburg
Mittelweg 177, 20148 Hamburg
datenschutz@uni-hamburg.de
A. Data processing
1. Creating log data
Every time you consult the service’s web page or use the service, data and information are recorded and saved. This can include:
- IP address
- browser type / browser version
- date and time the web app was accessed
- user Internet service provider
- user operating system
- Nextcloud Client / app version
- registration name
This temporary data storage is lawful under Article 6 paragraph 1 letter f GDPR.
The data mentioned above are temporarily stored in the system as it is necessary to provide website access to the user’s computer. Long-term storage occurs only to secure the functionality of the service and to ensure the safety of IT systems.
All log data are deleted after 28 days at the latest.
2. Cookies
Our website uses cookies. Cookies are small data files, created and stored by the Internet browser on the user’s computer’s hard drive. Accessing a website may result in a cookie being saved on your operating system. This cookie contains a specific string of characters that allows the browser to be clearly recognized every time the website is accessed.
A list of the cookies used, including their purposes, is available at https://docs.nextcloud.com/server/latest/admin_manual/gdpr/cookies.html.
The storing of cookies and/or information in the end user’s terminal equipment and the access to the information already stored there is lawful pursuant to the Gesetz über den Datenschutz und den Schutz der Privatsphäre in der Telekommunikation und bei digitalen Diensten (TTDSG). The General Data Protection Regulation (GDPR) also governs the further use of personal data collected in this context.
Cookies are stored on the user’s computer and transferred to us. That is why you, as the user, have full control over cookie implementation. You can deactivate or restrict cookies by changing your browser settings. You can erase stored cookies at any time. This process may also be automated. However, disabling cookies for our website may result in some functions not working correctly.
3. Registration
Users can register on our web page. The following personal data are collected:
- registration name (often an email address)
- authentication parameters
- additionally when using the UHH login:
  - University of Hamburg uni username
  - display name
  - member status at the University of Hamburg
  - email address
As part of the registration process via the University of Hamburg login, the user will be asked to agree to the processing of this data.
The IP address for successful registration will be stored together with the internal user ID. These data are required for a neural network to recognize unauthorized access, thereby potentially increasing the security of your accounts.
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
Registration is necessary so that we can provide certain content and services, including, inter alia, the creation and management of user accounts, data, calendars, appointments, and tasks, and all related administration.
The data will be deleted when they are no longer needed for the purpose they were collected or when the account is deleted.
4. Data storage and permitting access to content
Our users can store their content on our web page and grant other users access to it, including to data, files, calendars, appointments, and tasks. For this purpose, every user is recorded in a global list that every other user can search through. This list is shared with other Nextcloud users. The following personal data are collected:
- username in the UHHCloud Service
- display name
- accessible content
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
The data will be deleted when they are no longer needed for the purpose they were collected or when the account is deleted.
5. Activities
Changes that users make to any content are saved on our web page. This makes it possible to trace who made what changes. This information can also be viewed by other users who have access to the content in question. The following personal data are collected:
- username in the UHHCloud Service
- the content in question and its metadata (e.g., file name and tags)
- type of change
- time of change
The following data are also stored for security reasons:
- successful and unsuccessful user logins
- logouts
- changing access permission
- permission access
- deleting and retrieving data from the waste basket
- displaying quick screen shots
- changing user data, e.g., changing names or passwords
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
The data will be deleted when they are no longer needed for the purpose they were collected or when they are older than 180 days.
6. Data management
Users can use the service to upload, work on, and delete files. The following personal data are collected:
- username in the UHHCloud Service
- file content and all related attributes
- time of change
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
Data are deleted as soon as users delete them from their waste basket or delete their account.
7. Calendar, appointments, and tasks
Users can use the service to upload, work on, and delete calendars. This makes it possible to manage appointments and tasks. The following data are processed and saved:
- username in the UHHCloud Service
- contact data with all related attributes, including:
  - title
  - location
  - description
  - date and time
  - status
  - participants
- tasks with all related attributes, including:
  - title
  - description
  - status
- time of change
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
Data are deleted as soon as users delete them from their waste basket or delete their account.
8. OnlyOffice
Users can work on documents on our web page. They can use the RRZ service OnlyOffice. The following personal data are collected:
- username in the UHHCloud Service
- display name
- file content and all related attributes
This data processing is lawful under Article 6 paragraph 1 letter a GDPR.
The documents will be transmitted to the OnlyOffice service when processing begins. All changes are stored again in the UHHCloud.
The data will be deleted as soon as you end the session.
B. Your rights
You have the following rights:
- the right to access information regarding personal data pertaining to you that is stored by us (Article 15 GDPR)
- the right to rectification of any incorrect or incomplete personal data (Article 16 GDPR)
- the right to erasure of stored personal data insofar as the relevant data is not necessary for the exercise of the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the purpose of establishing, exercising, or defending a legal claim (Article 17 GDPR);
- the right to restrict processing of personal data (Article 18 GDPR);
- the right to object to the processing of your data conducted in our legitimate interest, public interest, or for profiling purposes unless we can demonstrate compelling grounds for processing said data that outweighs your interests, rights, and freedoms or where the processing of said data is required for the establishment, exercise, or defense of a legal claim (Article 21 GDPR).
- the right to withdraw your consent to the collection, processing, and use of your personal data at any time with future effect (Article 7 paragraph 3 GDPR). As a consequence, we may no longer process any data based on this consent from the date consent is withdrawn.
- You also have the right to lodge a complaint with a supervisory authority where you believe the processing of personal data related to you is in breach of the GDPR (Article 77 GDPR).
C. Withdrawal of consent / objection to processing
You may exercise your right to withdraw consent, object, and obtain rectification by contacting the University of Hamburg Data Protection Officer:
Datenschutzbeauftragte/r der Universität Hamburg
Mittelweg 177, 20148 Hamburg
datenschutz@uni-hamburg.de
D. Data subject rights
You may exercise your rights as a data subject, for example to obtain information on stored data, by contacting datenschutz@uni-hamburg.de.