Universität Bonn

Open Access Service Center

USL Data Protection Policy

I. Name and Address of the Data Controller

The data controller (hereinafter: “Controller”) as mandated by the General Data Protection Regulation (GDPR), the national data protection laws of EU member states and other regulations relevant to data protection is:

University of Bonn
Bonn University and State Library

Adenauerallee 39-41
53113 Bonn
Phone: +49 (0)228 73-7352
Fax: +49 (0)228 73-7546
Email: webmaster[@]ulb.uni-bonn.de
Website: https://www.ulb.uni-bonn.de

II. Name and Address of the Data Protection Officer

Data protection officer:
Dr. Jörg Hartmann
Genscherallee 3
53113 Bonn
Email: joerg.hartmann[@]uni-bonn.de
Web page: https://www.datenschutz.uni-bonn.de

Represented by:
Eckhard Wesemann
Division 1, Section 1.0
Regina-Pacis-Weg 3
53113 Bonn
Email: wesemann[@]verwaltung.uni-bonn.de

III. General Information on Data Processing

1. Scope of Processing of Personal Data

We process the personal data of our users only insofar as this is necessary for the provision of a functional website and our content and services. Routine processing of our users’ personal data is performed solely with the consent of the user. An exception comes in cases where the prior acquisition of consent is not possible for practical reasons and stipulations allowing for such processing are included in the legal requirements. No analysis of the data for marketing purposes is made in this context. The data is never forwarded to third parties.

Please also read our Information on Data Collection and Data Processing.

2. Legal Basis for the Processing of Personal Data

Insofar as we have obtained the consent of the data subject for the processing of their data, Art. 6 para. 1(a) GDPR serves as the legal basis for such processing.

The legal basis for the processing of personal data required for the fulfillment of a contract to which the data subject is a party is Art. 6 para. 1(b) GDPR. This also applies to measures in preparation of said contract.

The legal basis for the processing of personal data to fulfill a legal obligation on the part of the University of Bonn is Art. 6 para 1(c) GDPR.

The legal basis for the processing of personal data as necessary to protect the vital interests of the data subject or another natural person is Art. 6 para. 1(d) GDPR.

The legal basis for processing required for the execution of duties in the public interest or the exercise of public authority that has been transferred to the University is Art. 6 para. 1(e) GDPR.

3. Erasure of Data and Duration of Storage

The personal data of the data subject is to be erased or blocked as soon as the purpose of the storage no longer applies. Storage can potentially extend beyond this point where necessitated by European or national legislation reflecting EU-wide directives, laws or other rules to which the Controller is subject. The data will also be blocked or erased if a storage period stipulated in the above-mentioned legal norms expires, unless further storage of the data is required for conclusion or performance of a contract.

IV. Provision of the Website and Creation of Log Files

1. Description and Scope of Data Processing

Each time our internet pages are requested, our system automatically records data and information about the requesting computer's system.

The following data is recorded:

(1) Information about the browser type and version
(2) The user’s operating system
(3) The user’s internet service provider
(4) The user’s IP address (partially anonymized and shortened IP address)
(5) Date and time of the request
(6) Websites from which the user’s system navigated to our internet site
(7) Websites which are requested by the user’s system via our website (within *.uni-bonn.de, referrals to external sites are not forwarded)

The log files contain IP addresses and other data that allows for identification of a user. This can for example be the case where a link from a referring website or from our pages to another website contains personal data. The data is also stored in log files on our system. This data is not stored together with other personal data from the user.

2. Purpose of Data Processing

The temporary storage of the IP address by the system is required to allow for the website to be delivered to the user's computer. The IP address of the user must be stored for the duration of the session.

Log files are stored to ensure the functionality of the website. Beyond this, the data helps us optimize the website and ensure the security of our IT systems. 

3. Duration of Storage

The data is erased as soon as it is no longer required to achieve the purpose for which it was collected. In the case of data collected to provide the website, that is when the corresponding session has ended. Data stored in log files is deleted within seven days.

If data is stored longer than this, the IP addresses are deleted or anonymized so the client that accessed the website is no longer identifiable.

4. Options for Objecting and Removal

The collection of data for the provision of the website and storage of data in log files is necessary for the operating of the internet site. As a result, the user has no option for objecting in this context.

V. Use of Cookies

1. Description and Scope of Data Processing

Our website uses cookies. Cookies are text files that are stored in the internet browser or by the internet browser on the user's computer system. When a user requests a website, a cookie can be stored on the user's operating system. This cookie contains a characteristic string of characters that allows for the unambiguous identification of the browser if the website is requested again. We use cookies to make our website more user friendly. Some elements of our internet site require that the requesting browser can be identified even when a new page is opened.

Cookies store and transmit the following data:

(1) Language settings

Beyond this, our website uses cookies that allow for an analysis of the user's surfing habits.  A software tool called Matomo (formerly PIWIK) is used for this. Further information is available in section VII.

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies for analytical purposes is the acquisition of the user's consent in accordance with Art. 6 para. 1(a) GDPR.

3. Purpose of Data Processing

Cookies related to a necessary technical function are used to make the website easier to use. Some functions on our internet site cannot be provided without the use of cookies. It is necessary for example that the browser be recognized again when navigating between pages.
We require cookies for the following applications:

(1) Adoption of language settings
User data collected through technically necessary cookies are not used to create a user profile.
The use of analytical cookies serves to improve the quality of our website and its content. The analytical cookies provide us with insights on how the website is used, allowing us to constantly optimize our offerings.

4. Duration of Storage, Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

VI. YouTube Integration

The website of the University of Bonn uses plugins from YouTube, which is operated by Google. The operator of the site is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA.

If you visit one of our pages where the YouTube plugin has been integrated, then a connection is established with the YouTube servers. This informs YouTube about which of our pages you have visited.

If you are logged into your YouTube account, YouTube can potentially associate your surfing habits directly with your personal profile. You can prevent this by logging out of your YouTube account.

The YouTube plugin has been integrated so that we can present our online content in a more attractive way.

For more information about how YouTube manages user data, please refer to the YouTube privacy policy at:  https://www.google.de/intl/de/policies/privacy.

VII. Web Analysis by Matomo

1. Scope of Processing of Personal Data

Our website uses an open source software tool called Matomo (formerly PIWIK) to analyze the surfing habits of our users. The software places a cookie on the user's computer (for more on cookies, see above). When individual pages of our website are requested, the following data is stored:

(1) Two bytes of the IP address of the user's requesting system
(2) The requested web page
(3) The website from which the user navigated to our website (referrer)
(4) The sub-page from which the visited web page was requested
(5) The duration of the visit to the web page
(6) The frequency of requests for the web page

Within this context, the software runs exclusively on our website's servers. The personal data of users is stored on these servers only. 

The software has been configured to prevent full storage of the IP address, with two bytes of the IP address masked (such as: 192.168.xxx.xxx). In this way, the shortened IP address can no longer be identified with the requesting computer.

2. Purpose of Data Processing

The processing of the user's personal data allows us to analyze the surfing habits of our users. We use analyses of the collected data to deduce information about the use of individual components of our website. This helps us constantly improve our website and its user friendliness. The IP address is anonymized to promote the interest of the user in the protection of his or her personal data.

3. Duration of Storage

The data is erased as soon as it is no longer required for our analytical purposes.
In our case, this is the case after 3 months.

4. Options for Objecting and Removal

Cookies are stored on the user's computer and from there transmitted to our pages. In this constellation, you as user retain full control over the use of cookies. By changing the settings of your internet browser, you can deactivate or restrict the transmission of cookies. Previously stored cookies can be erased at any time. This can also be performed automatically. If cookies are deactivated for our website, then portions of our website may potentially not display correctly.

We offer users of our website the option to opt-out of the analysis process. This then places an additional cookie on your system that signals to our computer not to store the user's data. If the user erases that cookie at some point from their own system, then the opt-out cookie must then be re-set to be effective.

For more information about privacy settings on Matomo software, please click on the following link: https://matomo.org/docs/privacy/

VIII. The bonnus Search Portal

The bonnus search portal is maintained by the USL Bonn. With respect to data processing required due to the web technology used, please refer to the separate USL Data Protection Policy for the bonnus search portal and our Information on Data Collection and Data Processing.

IX. Old Catalogue

Schneider Mikrocomputertechnik, Berlin, provides the old catalogue for the USL Bonn. Although Schneider Mikrocomputertechnik collects personal data when an order is placed from the old catalogue, the data is not stored temporarily, but is instead forwarded directly to the USL Bonn. Forwarding the data allows the USL to print the order once. The printout is used to process the order and is destroyed after processing (selecting the item(s) and entering the order in the user’s account).

X. Web Forms for Requests and Orders (outside of bonnus and the Old Catalogue) and booking systems

The personal information entered into web forms for requests and orders is processed for the sole purpose of providing the requested services (e.g. requests for information and other information services, delivery of documents, reproductions, registration for events or room use, etc.). Only information that is required to provide the service must be entered (mandatory fields). Fields requesting or allowing the entry of other information are optional. Please also read our Information on Data Collection and Data Processing.

Data processing is performed pursuant to Art. 6 para. 1 sentence 1(e) GDPR in conjunction with the Data Protection Act of North Rhine-Westphalia (DSG NRW) § 3 a), the usage regulations of the Bonn University and State Library (Official Announcements, Year 52, No. 65) and the usage regulations of the faculty and subject libraries of the academic institutions of the University of Bonn (Official Announcements, Year 52, No. 66).

The data is processed and remains stored until the legal relationship arising from use of the service has been completed and any retention periods have ended (e.g. for invoices issued). Personal data is then erased without delay.

The booking systems are used to reserve workspaces in the library. The following personal details will be stored when you book a space:

(1) User number
(2) Name

This data is deleted after seven days.

XI. Contact via Email

Personal data we receive when contacted by email is processed to the extent and for as long as required in each case to fulfill the responsibilities delegated to the USL under its public mission. Data processing is performed pursuant to Art. 6 para. 1 sentence 1(e) GDPR in conjunction with the Data Protection Act of North Rhine-Westphalia (DSG NRW) § 3 a), the usage regulations of the Bonn University and State Library (Official Announcements, Year 52, No. 65) and the usage regulations of the faculty and subject libraries of the academic institutions of the University of Bonn (Official Announcements, Year 52, No. 66).

XII. USL Links to Web Content (e.g. Websites, Databases, Online Services)

USL web pages contain many links to web content, such as web pages, databases and online services. When using this content, you entrust your personal data to the service provider, which is responsible for the protection of personal data. The USL cannot guarantee that the provider is willing and able to fulfill the requirements of data protection law.

XIII. Web Content Licensed by the USL (Databases)

Section XII also applies to the large amount of web content that is licensed by the USL, i.e. web content that members of the University of Bonn and other USL users can use under a user agreement concluded between the USL and provider.

XIV.  Rights of the Data Subject

If your personal data is processed, then you as data subject have the following rights against the Controller as established in the GDPR:

1. Right of Access

You can demand confirmation from the Controller whether your personal data is being processed.
If such processing exists, then you can demand the following information from the Controller:
(1) The purposes of the processing of personal data
(2) The categories of personal data processed
(3) The recipients or categories of recipients to whom the personal data have been or will be disclosed
(4) The envisaged period for which your personal data will be stored or, if concrete information cannot be provided in this regard, the criteria used to determine that period
(5) The existence of the right to request from the Controller rectification, erasure or restriction of processing of your personal data or to object to such processing
(6) The right to lodge a complaint with a supervisory authority
(7) Where the personal data are not collected from the data subject, any available information as to their source
(8) The existence of automated decision-making, including profiling, referred to in Art. 22, para. 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.


You have the right to demand information about whether your personal data has been forwarded to a third country or an international organization. In this context, you can demand to be informed about suitable guarantees as per Art. 46 GDPR related to such transfers.
Insofar as the data processing serves scientific, historical or statistical research purposes, the right of access can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

2. Right to Rectification

You have the right to rectification and/or completion of your data from the Controller, insofar as your processed personal data are incorrect or incomplete. The Controller must rectify the data without delay.
Where the data processing serves scientific, historical or statistical research purposes, the right of rectification can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

3. Right to Restriction of Processing

You have the right to obtain restriction of processing from the Controller where one of the following applies:
(1) If you contest the accuracy of your personal data, for a period enabling the Controller to verify the accuracy of the personal data
(2) If the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
(3) If the Controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defense of legal claims
(4) If you have objected to processing under Article 21, para. 1 GDPR pending the verification whether the legitimate grounds of the Controller override your grounds.

If processing of your personal data has been restricted, then that data —other than storage— may only be processed with your consent or for the assertion, exercise or defense of legal claims or to protect the rights of another natural person or legal entity or from reasons of important public interest to the European Union or one of its member states.
If processing is restricted based on the aforementioned conditions, then you will be informed by the Controller before the restrictions are lifted.
Where data processing serves scientific, historical or statistical research purposes, your right to limit processing can be restricted to the extent that it is otherwise likely to render impossible or seriously impair the achievement of the research or statistical objectives, and if such a restriction is necessary to fulfill the research or statistical purposes.

4. Right to Erasure

a) Right of Erasure
You can demand that the Controller erase your personal data without delay. The Controller is obligated to erase this data without delay if one of the following reasons applies:
(1) Your personal data is no longer needed for the purpose for which it was collected or otherwise processed.
(2) You revoke your consent that allowed for processing in accordance with Art. 6 para. 1(a) or Art. 9 para. 2(a) GDPR, and no other legal basis for processing applies.
(3) You file an official objection to processing in accordance with Art. 21 para. (1) GDPR and no overriding justification for the processing applies, or you file an official objection to processing in accordance with Art. 21 para. (2) GDPR.
(4) Your personal data were processed in an illegal manner.
(5) The erasure of your personal data is required to fulfill a legal obligation based on EU law or the law of the Controller’s member state.
(6) Your personal data was collected in the context of services provided by the IT company in accordance with Art. 8 para. (1) GDPR.

b) Information to Third Parties
If the Controller has shared your personal data and is obligated under Art. 17 para. 1 GDPR to delete that data, then measures, technical or otherwise, must be undertaken, accounting for the available technology, to inform the processor of the personal data that you as data subject demand the deletion of all links to that personal data or demand all copies and facsimiles of that personal data.

c) Exceptions
The right of erasure does not apply where processing is necessary
(1) for the exercise of rights of free speech and information;
(2) to fulfill a legal obligation to processing related to the laws of the European Union or its member states to which the Controller is subject, or for the fulfillment of a task in the public interest or in the execution of public authority that has been transferred to the Controller;
(3) for reasons of public interest related to public health as per Art. 9 para. 2(h) and (i) and Art. 9 para. 3 GDPR;
(4) for archival, scientific or historical research purposes in the public interest or for statistical purposes as per Art. 89 para. 1 GDPR and the law mentioned in a), insofar as the right potentially severely limits or makes impossible the realization of these;
(5) for the assertion, exercise or defense of legal claims

5. Right of Information

If you have exercised your right of notification, erasure and restriction of processing against the Controller, then the Controller is obligated to inform all recipients who received your personal data about that notification, erasure or restriction of processing, unless this is impossible or involves an unreasonable amount of cost and complexity.
You have the right to demand of the Controller information about those recipients.

6. Right to Data Portability

You have the right to receive your personal data that you have provided the Controller in a structured, commonly used machine-readable format. Furthermore you have the right to transfer that data to a different controller, without impediment by the Controller who received the personal data, insofar as
(1) the processing is based on consent provided according to Art. 6 para. 1(a) GDPR or Art. 9 para. 2(a) GDPR or on a contract pursuant to Art. 6 para. 1(b) GDPR and
(2) the processing is carried out by automated means.
In exercising this right, you furthermore have the right to demand that your personal data be transferred directly from one controller to another controller, insofar this is technically feasible. Freedoms and rights of other persons may not be violated in this process.
The right to data portability does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Controller.

7. Right to Object

You have the right to object at any time for reasons related to your specific situation to the processing of your personal data on the basis of Art. 6 para. 1(e) GDPR, including profiling based on that provision.
In the event of an objection, the Controller will no longer process your personal data, unless he or she can provide urgent defensible reasons for processing that outweigh your interests, rights and freedoms, or where the processing serves the assertion, exercise or defense of legal claims.
For data processing related to scientific, historical or statistical research purposes as per Art. 89 para. 1 GDPR, you have the additional right to object to the processing of your personal data for personal reasons, unless the processing is necessary for the fulfillment of tasks in the public interest.

8. Right of Revocation of Declaration of Consent to Processing

You have the right to revoke your declaration of consent to data processing at any time. Revoking consent does not affect the legality of the data processing performed before the point of rescission on the basis of the consent provided.

9. Automated Individual Decision-Making, Including Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, that has legal effects for you or that has a similarly significantly impact on you.
This shall not apply if the decision
(1) is necessary for entering into, or performance of, a contract between you and the Controller;
(2) is authorized by Union or Member State law to which the Controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests or
(3) is based on your explicit consent.
However, these decisions shall not be based on special categories of personal data referred to in Art. 9 para. 1 GDPR, unless Art. 9 para. 2(a) or Art. 9 para. 2(g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.
In the cases referred to in (1) and (3) above, the Controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the Controller, to express your point of view and to contest the decision.

10. Right of Complaint to a Supervisory Authority

Irrespective of any other available administrative or judicial remedies, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the member state of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the EU GDPR.
The supervisory authority receiving the complaint will inform the complainant about the status and results of the complaint, including the option for legal remedy in accordance with Art. 78 GDPR.

The competent supervisory authority for the University of Bonn is the:

Landesbeauftragte für Datenschutz und Informationsfreiheit
Nordrhein-Westfalen
(State Commissioner for Data Protection and Freedom of Information in North Rhine-Westphalia)
Postfach 20 04 44
40102 Düsseldorf
Germany
Phone: +49 (0)211 38424-0
Fax: +49 (0)211 38424-10
Email: poststelle[at]ldi.nrw.de

Wird geladen