TH-Wildau
Privacy policy

Privacy policy of TH Wildau - Technical University of Applied Sciences

TH Wildau takes the protection of your data very seriously. We treat your data confidentially and in accordance with the statutory data protection regulations. Further information on how we process your data within the framework of our website (https://www.th-wildau.de) and, if you are an external party, can be found below. A separate privacy policy applies to our online portal (https://www.thonline.th-wildau.de), which you can view here.
 

1. Information on the responsible body

The body responsible for data processing on this website is:

TH Wildau - Technical University of Applied Sciences
Hochschulring 1
15745 Wildau
Germany

Represented by:
TH Wildau - Technical University of Applied Sciences Wildau is a public corporation. It is represented externally by its president, Prof. Dr Ulrike Tippe.

Telephone: +49 (0) 3375 / 508 – 300
Email: praesidentin(at)th-wildau.de
 

2. Data protection officer

We have appointed an external data protection officer for our university.

You can contact him via his work email address: datenschutz(at)th-wildau.de
 

3. Cookies and similar technologies

a) Cookies in general

We use cookies or similar technologies such as pixels, tags or web beacons (hereinafter collectively referred to as ‘cookies’) on our website. These are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do not cause any damage to your device and do not contain viruses, Trojans or other malware. Pixels are small graphics that are integrated via the HTML code of our website. The pixel tag itself does not store or change any information on your device, so pixels do not cause any damage to your device and do not contain viruses, Trojans or other malware.

The cookie stores information that is related to the specific device used. However, this does not mean that we immediately obtain knowledge of your identity. Cookies send your IP address, the referrer URL of the website you visited, the time at which you viewed the website, the browser you used and previously set cookie information to a web server. This enables us to perform and offer the services described in this privacy policy.

The use of cookies serves, on the one hand, to technically offer you the basic use of our website.

We use so-called session cookies or transient cookies to recognise that you have already visited individual pages on our website. These are automatically deleted when you leave our site. The data processed by these cookies is necessary for the aforementioned purposes to safeguard our legitimate interests pursuant to Art. 6 (1) (f) GDPR and technically pursuant to § 25 (2) No. 2 TDDDG in order to provide a service requested by you.

In addition, we use temporary cookies or persistent cookies, which are stored on your device for a specific period of time, to optimise user-friendliness. If you visit our site again to use our services, it will automatically recognise that you have already been with us and what entries and settings you have made. The data processed by these cookies is necessary for the aforementioned purposes to safeguard our legitimate interests pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR and technically pursuant to § 25 para. 2 no. 2 TDDDG in order to offer a service you have requested.

Most browsers automatically accept cookies. However, you can configure your browser so that no cookies are stored on your computer or so that a message always appears before a new cookie is created. However, completely deactivating cookies may mean that you cannot use all the functions of our website. You can prevent the use of cookies on our pages by using appropriate tools or browser add-ons (e.g. the ‘AdBlock’ add-on for the Firefox browser).

Cookies are automatically deleted after a defined period of time. You can find more detailed information in the relevant data processing section.

b) Server log files

Our website is hosted by the university computer centre. Certain information is automatically collected by your browser, transmitted to our server and stored there in so-called server log files.

This data includes:

  • Browser type and browser version

  • Operating system used

  • Referrer URL

  • Host name of the accessing computer

  • Time of the server request IP address

The processing of data is necessary so that the website can be displayed (correctly) in your browser in response to your request. Access to your browser and device memory is therefore justified in accordance with Section 25 (2) No. 2 TDDDG. The provision of our website also corresponds to our legitimate interest in maintaining an informative internet presence. We base the data processing on Art. 6 para. 1 sentence 1 lit. f GDPR.

Your data will only be processed during the respective session, i.e. the website visit. There is no longer storage.
 

4. Third-country transfer

In connection with data processing, data may be transferred to third countries, i.e. to recipients outside the EU or the European Economic Area (EEA). If the European Commission has issued a decision on the existence of an adequate level of protection (cf. Art. 45 (3) GDPR) with regard to the third country, no additional measures are required for the data transfer. In the case of data transfer to recipients based in the USA, this is carried out on the basis of the Transatlantic Data Privacy Framework (DPF) of 10 July 2023, provided that the recipient has the appropriate certification. A list of currently certified companies is available here. In other cases, as well as in the case of data transfers to other so-called non-secure third countries, data will only be transferred if the requirements of Art. 46 ff. GDPR are met. Specifically, this means that transfers to third countries will only take place if

  • the recipient offers sufficient guarantees for the protection of personal data in accordance with Art. 46 GDPR,
  • you have expressly consented to the transfer after we have informed you of the risks in accordance with Art. 49(1)(a) GDPR,
  • the transfer is necessary for the performance of contractual obligations between you and us, or
  • another exception under Art. 49 GDPR applies.

Which of the above-mentioned bases applies in each individual case will be explained to you during the respective processing.

Data transfers to recipients based in the USA who do not have DPF certification and for whom an adequate level of data protection cannot be established by means of guarantees within the meaning of Art. 46 GDPR are carried out exclusively with your consent within the meaning of Art. 49 (1) (a) GDPR. We would like to point out that recipients based in the USA without DPF certification cannot guarantee an adequate level of data protection comparable to that in the EU. Such transfers of personal data therefore entail the following risks: There is a risk that US authorities may gain access to personal data on the basis of the PRISM and UPSTREAM surveillance programmes based on Section 702 of the FISA (Foreign Intelligence Surveillance Act) and on the basis of Executive Order 12333 or Presidential Police Directive 28. EU citizens have no effective legal protection against such access in the US or the EU.

Further information and a copy or reference to the relevant appropriate safeguards can be found in the description of the respective processing.
 

5. Processing on the website

a) Videos (Panopto)

You can also view videos on some pages of our website. For this purpose, we use the services of our processor Panopto EMEA Limited, White Collar Factory, 1 Old Street Yard, London EC1Y 8AF. Panopto places a cookie on your device in order to be able to play the video for you. The cookie collects your IP address and device data.

The display of videos is in line with our legitimate interest in making our website as appealing as possible and presenting information in the most accessible way possible. We have a legitimate interest in this pursuant to Art. 6 (1) (f) GDPR. The cookie is necessary to play the video technically by enabling the necessary data to be sent from Panopto's servers to your device. The technical use of the cookie is therefore justified under Section 25(2)(1) of the German Telecommunications Data Protection Act (TDDDG).

Panopto's headquarters are located in the USA. As a rule, your data is not transferred there. The data is stored in the EU Cloud: West region. The USA is considered an unsafe third country if the company is not certified under the Data Privacy Framework. Panopto has such certification (EU-U.S. Data Privacy Framework). You can view this certification here. To ensure that an adequate level of data protection is guaranteed during transmission, we have obliged Panopto to comply with European data protection law in our data processing agreement with them. You can view this agreement here. Your data will be automatically deleted after two weeks.

b) Photography and filming

Our website contains some photos and videos from past events. If you have participated in such an event and we have taken photos there, we may publish some of these photos on our website. It is therefore possible that we may publish image data of you. If you are directly visible, we will ask for your consent in accordance with Art. 6(1)(a) GDPR. If you are only incidentally visible in the image, we have a legitimate interest in promoting our events in accordance with Art. 6(1)(f) GDPR.

Your image data will only be deleted once you have revoked your consent. We regularly check the images on our website to ensure they are up to date and relevant. An image is deleted when it is no longer needed for the website.
 

6. Establishing contact

a) General contact

If you have any questions or suggestions regarding our services, you can contact us at any time using our online contact form. When you do so, we will process your enquiry internally and get back to you if necessary. In doing so, we process the following mandatory data:

  • Your first and last name
  • Your email address
  • The subject of your enquiry
  • Your consent to data processing
  • The content of your message
  • You can also provide us with the following data if you wish:
  • Your title (Dr/Prof)
  • Your form of address (Mr/Ms)
  • Your telephone number

We need this data in order to assign your enquiry to the correct contact person internally and thus provide you with an accurate response or process your enquiry efficiently. We process your data for the aforementioned purposes on the basis of your consent in accordance with Art. 6 (1) (a) GDPR.

We will delete your data as soon as we have processed your request and we are not obliged to retain it for legal reasons.

b)  Press office

The TH Wildau press office responds to enquiries from members of the press regarding TH-related issues in science and higher education policy. Enquiries are either handled directly by press office staff or forwarded to our internal contacts or our pool of experts. When you contact the press office, we process

  • Your status as a member of the press
  • Your full name
  • Your contact details (email, telephone, etc.)
  • The content of your enquiry

Your data is processed, including internal disclosure, so that we can respond to press enquiries in a scientifically and factually accurate manner in line with our position as a technical university. Commenting on relevant current topics is in line with our legitimate interest in communicating our work and clarifying our positions. The processing is justified in accordance with Art. 6 (1) (f) GDPR.

Your data will be deleted as soon as the enquiry has been processed.

c) mynewsdesk

TH Wildau uses the platform www.mynewsdesk.com for its press relations work. Current news from TH Wildau is published here and sent to representatives of the press. If you would like to subscribe to the latest news from the university, you can follow TH Wildau on its profile at www.mynewsdesk.com.

The platform's privacy policy can be found at https://www.mynewsdesk.com/de/about/terms-and-conditions/privacy_policy.
 

7.  Teaching Positions

If you accept a teaching position at TH Wildau, we will process your data in accordance with the following information.

a) Lecturer positions

As an external lecturer, you can accept a teaching position as a private lecturer at TH Wildau. In this case, we will process and store the following data:

  • Your full name and, if applicable, academic title
  • information on whether you have obtained a postdoctoral qualification
  • your teaching licence and its content and scope
  • if applicable, how long the teaching licence was valid at TH Wildau
  • if applicable, the acquisition of a teaching licence at another university

The appointment of private lecturers serves to give people who are interested in teaching and are particularly suited to it the opportunity to take up a teaching position. We process the data on the basis of Art. 6 (1) (e) GDPR in conjunction with § 62 BbgHG.

We will delete your data if you are no longer entitled to hold the title.

b) Honorary professorships

Individuals who regularly teach courses at TH Wildau without being employed full-time at TH Wildau may, upon request, be appointed as honorary professors by the President of TH Wildau. The application will be discussed publicly. We will process your data in order to check the requirements for the appointment. If the result is positive, we will store this data. This includes the following data:

  • Your full name and any academic titles
  • Which courses you have taught and when
  • Information about your teaching qualifications
  • Curriculum vitae, certificates and references
  • Information about your motivation
  • Your desired area of responsibility
  • Statement from the relevant dean
  • Your main occupation
  • If applicable, how long the honorary professorship was held before retirement

By appointing honorary professors, we can honour individuals who have rendered outstanding services to TH Wildau. The appointment and thus the processing of your data is based on Art. 6 (1) (e) GDPR in conjunction with § 61 BbgHG.

We will delete your data when you are no longer entitled to hold the honorary professorship.
 

8. Video conferences

Some of our offers are provided digitally via the Webex video conferencing service from Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134, USA (hereinafter referred to as ‘Cisco’). If you wish to take advantage of such an offer, we will send you an email with a link to participate. You can join the video conference via your browser or the Webex app, or dial in via your telephone. During the conference, you can interact with the other participants. When you participate in one of these offers, we therefore process the following data:

  • Your e-mail address
  • Your telephone number
  • The name you provide
  • Device data
  • Image and sound data
  • Content and reactions you share during the conference

We use Webex to make our consulting services and other events easier to access and available to a larger number of interested parties. The purpose and legal basis for processing are therefore based on the respective service listed below. For more information, please refer to the following sections where Webex is mentioned as a service.

Cisco acts as a processor for us. We have concluded a data processing agreement with Cisco. You can view this agreement here.

Cisco also processes your data in the United States. This means that your data is also transferred there. Cisco has been certified under the US government's Data Privacy Framework (DPF). You can view this certification here. This means that the level of data protection for the transfer and processing of data in the USA is comparable to that in Europe.

We store your data until the respective video conference has been held. We may store your data for longer if we are legally obliged to do so or if we assert claims against you.
 

9. Educational opportunities

TH Wildau also offers people from outside the university the opportunity to take advantage of certain educational and helpful opportunities. In order to take advantage of the respective offer, you must register with us in advance by e-mail or via a registration form on our website. We will then process

  • your full name,
  • your email address,
  • the respective event,
  • any further content from your message.

We will delete your data as soon as the programme has been completed. Beyond that, we will only store your data if this is required by law or if we assert claims against you.

a) Study counselling

We offer study counselling to interested parties. Prospective students can find out about courses at TH Wildau that match their interests. We offer a campus tour, subject counselling, a taster course, individual consultation hours and support.

We process all your data so that we can contact you for counselling or to enable you to receive it in the first place. We therefore process your data on the basis of our legitimate interest in making the application process at TH Wildau as easy as possible. The processing is justified in accordance with Art. 6 (1) (f) GDPR.

If you would like individual counselling, we also offer you the option of conducting this via our Webex video conferencing service. For more information, please refer to section 7 above.

b) Preparatory courses

We offer preparatory courses in some areas of mathematics and natural sciences. Here you can refresh or deepen your knowledge. These courses are only held in person on the premises of TH Wildau.

We process the data so that we can provide you with the preparatory course. This is a voluntary offer for you. We therefore base the processing on our legitimate interest pursuant to Art. 6 (1) (f) GDPR in enabling interested parties to refresh or deepen their knowledge in the respective areas.

c) Language courses and language tandems

Our Language Centre offers you the opportunity to take language courses in various languages, including German as a foreign language, at different levels. You can also participate in our language tandems. In addition to the registration data, we also process the following data:

  • Status (whether you belong to TH Wildau, are an exchange student or an external student)
  • The course or programme language
  • The course level, if applicable
  • Your account details, if applicable (for courses subject to a fee)
  • Your residence permit, if applicable

You will then be issued with a certificate of attendance for some courses. If you attend a course that is subject to a fee or has a limited number of participants, we will conclude a participation agreement with you. We will then process your data for the purpose of executing this participation agreement in accordance with Art. 6 (1) (b) GDPR. We offer all other courses based on our legitimate interest in operating our language centre; the processing is justified in accordance with Art. 6 (1) (f) GDPR.

If you enrol in a fee-based course, your account details will also be passed on to our bank, MBS Potsdam. MBS Potsdam is independently responsible for processing. You can also participate in some courses and programmes via Webex. For more information, please refer to section 7 above.

d) Job application training and career guidance

At TH Wildau, you can also receive career guidance and advice on starting your career, as well as complete application training. You are free to do this on site, by telephone or virtually. For telephone consultations, we process your telephone number in addition to your registration data. If you wish to participate virtually, we use the Webex service. For more information on processing when using Webex, please refer to section 7 above.
 

10. Registration for events

a) Events in general

We provide information about various events on our website. Some of these are offered by third parties who are independently responsible for processing. We organise some events ourselves, some of which require registration. If you register for such an event that requires registration, we process the following participation data:

  • Means of communication: email address and telephone number
  • Your full name
  • Event details (e.g. title, date, time, location, etc.)
  • Any other data that you provide to us during the registration process

We process your data in order to fulfil the event contract with you. Therefore, the processing is justified in accordance with Art. 6 (1) (b) GDPR. Your data will only be stored for as long as is necessary to fulfil the contract. After that, we will only store your data if we are legally obliged to do so or if we wish to enforce claims against you.

b) Children's University

TH Wildau regularly organises the Children's University for pupils in grades 2 to 6. In addition to the above information, we process the following additional information about the participating pupils in addition to the participation data of the parents:

  • Minority
  • Consent of legal guardians
  • Full name of the children
  • Event data

For the ticket system, we use the services of pretix GmbH, Berthold-Mogel-Straße 1, 69126 Heidelberg (‘Pretix’). Pretix acts as a processor for us. We have concluded a data processing agreement with Pretix. You can view this agreement here.

The data will be deleted as soon as the event contract has been fulfilled. We will retain the data for longer if we need it to enforce claims arising from the event contract or if we are legally obliged to do so.
 

11. Payment processing

Some of our services are subject to a fee. If you make use of these services, we will charge you a fee. Payment must be made directly by bank transfer. MBS Potsdam and the State Treasury are solely responsible for processing your data.
 

12. Social media accounts

TH Wildau maintains accounts on various social media platforms to inform you about us and our services and to give you the opportunity to interact with us.

Please note that you use social media platforms and their functions at your own risk. This applies in particular to the use of interactive functions (e.g. commenting, sharing, rating).

For certain processing operations, we and the platform operators also act as joint controllers within the meaning of Art. 26 GDPR.

However, your personal data may also be collected if you are not logged in or do not have an account with the respective social media platform. In this case, this data collection is carried out, for example, via cookies or similar technologies stored on your device or by recording your IP address. This processing is carried out by the provider of the social media platform alone.

When you visit one of our social media channels, we process your interactions with that channel (e.g. the content of messages, enquiries, posts or comments that you send to us or leave on our social media channels, or when you like or share our posts) as well as your publicly visible profile data (e.g. your name and profile picture) . Which personal data from your profile is publicly visible depends on your profile settings, which you can adjust yourself in your settings on the social media platform.

The purpose of data processing on our social media channels is to ensure effective and up-to-date public relations work, to simplify interaction with users and, where applicable, to initiate and process contracts.

The information you voluntarily publish may be made available to third parties. In addition, your information will be processed by the service providers of the social media platforms. You can find more detailed information on this below in the description of the respective platform and in the data protection guidelines of the respective platform.

The legal basis for the processing of your data via our channels is Art. 6 (1) (f) GDPR, based on our legitimate interest in the aforementioned public relations work, corporate communications and the optimisation of our corporate image. If your contact is aimed at concluding a contract or is related to an existing contractual relationship, data processing is also carried out on the basis of Art. 6 (1) (b) GDPR.

We cannot rule out the transfer and further processing of users' personal data in third countries by the platform operator, e.g. in the USA, and the associated risks for users.

Your data will generally be processed until it is removed from the respective platform.

a) Facebook and Instagram

The operator of the Facebook and Instagram services is Meta Platforms Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (‘Meta’).

We operate a Facebook page and an Instagram profile for the purposes mentioned above. Meta processes your data for its own purposes when you interact with the service. Further information on this can be found here. We have no further knowledge of the data processing carried out by Meta.

If you interact with our Facebook page or Instagram profile, we process your data with Meta in so-called joint responsibility in accordance with Art. 26 GDPR for so-called insights. It has been agreed that we are responsible for informing data subjects in accordance with Art. 12 ff. GDPR and Meta is responsible for fulfilling data subject requests in accordance with Art. 15 – 20 GDPR. The right to object in accordance with Art. 21 GDPR is upheld by both parties in relation to their own processing. Both are subject to the reporting and notification obligations under Articles 33 and 34 GDPR. You can view the agreement here. You can assert your rights against both controllers at any time.

The parent company of Meta Platforms Ireland is Meta Platforms, Inc. in the USA. The information generated by Meta is transferred to servers of Meta Platforms, Inc. in the USA and processed there. On 10 July 2023, the EU Commission issued an adequacy decision for the Data Privacy Framework for data transfers to recipients based in the USA. According to this, an adequate level of data protection is assumed for data transfers to certified recipients based in the USA. Meta Platforms, Inc. is a certified

b) LinkedIn

LinkedIn is operated by LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland (‘LinkedIn’).

We operate a LinkedIn page for the purposes mentioned above. LinkedIn processes your data for its own purposes when you interact with the service. Further information on this can be found here. We have no further knowledge of the data processing carried out by LinkedIn.

When you interact with our LinkedIn page, we process your personal data with LinkedIn in so-called joint responsibility in accordance with Art. 26 GDPR for so-called insights. It has been agreed that LinkedIn is primarily responsible for informing data subjects in accordance with Articles 12 and 13 GDPR and for fulfilling data subject requests in accordance with Articles 15–21 GDPR and reporting and notification obligations in accordance with Articles 33 and 34 GDPR. You can view the agreement here. You can assert your rights against both controllers at any time.

The parent company of LinkedIn Ireland is LinkedIn Corporation in the USA. On 10 July 2023, the European Commission issued an adequacy decision for the Data Privacy Framework for data transfers to recipients based in the USA. According to this decision, an adequate level of data protection is assumed for data transfers to certified recipients based in the USA. LinkedIn Corporation is a certified

c) YouTube

YouTube is operated by Google Ireland Limited, Gordon House, Barrow Street Dublin 4 (‘YouTube’).

We operate a YouTube account for the purposes mentioned above. YouTube processes your data for its own purposes when you interact with the service. YouTube provides us with YouTube Analytics, which evaluates interactions with our content and reflects demographic data and user interests. Further information on this can be found here. We have no further knowledge of the data processing carried out by YouTube.

The parent company of Google Ireland is Google LLC in the USA. The information generated by YouTube is transferred to Google LLC servers in the USA and processed there. On 10 July 2023, the EU Commission issued an adequacy decision for the Data Privacy Framework for data transfers to recipients based in the USA. According to this, an adequate level of data protection is assumed for data transfers to certified recipients based in the USA. Google LLC is a certified company.

d) Bluesky

The operator of the Bluesky service is Bluesky Social, PBC, 113 Cherry St # 24821, Seattle, WA, 98104-2205, USA (‘Bluesky’).

We operate our Bluesky presence for the purposes stated. Bluesky processes your data for its own purposes when you interact with the service. Further information can be found here. We have no further knowledge of the data processing carried out by Bluesky.

Your personal data may be processed on servers in the USA. For the transfer of data to the USA, Bluesky refers to standard contractual clauses of the European Commission, which are intended to ensure compliance with European data protection standards.

e) X (currently deactivated)

The operator of the X service is Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, DO2 AX07 Ireland (‘X’).

We operate an X profile for the purposes mentioned above. X processes your data for its own purposes when you interact with the service. Further information can be found here. We have no further knowledge of the data processing carried out by X.

The data may be processed on servers of the parent company in the USA. For the transfer of data to the USA, the provider refers to standard contractual clauses of the European Commission, which are intended to ensure compliance with European data protection standards. A copy of these can be found here.

f) Xing (currently deactivated)

Xing is operated by New Work SE, Am Strandkai 1, 20457 Hamburg (‘Xing’).

We operate our Xing profile for the purposes mentioned above. Xing processes your data for its own purposes when you interact with the service. Further information on this can be found here. We have no further knowledge of the data processing carried out by Xing.
 

13. Rights of data subjects

You have certain rights under the GDPR. These are:

→ Information, restriction, erasure

Within the framework of the applicable legal provisions, you have the right to obtain information free of charge at any time about your stored data, its origin and recipients, and the purpose of data processing, and, if applicable, a right to correct or erase this data or to restrict its processing. You can contact us at any time using the contact details provided in the legal notice if you have any further questions on this subject.

→ Right to data portability

You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a common, machine-readable format. If you request the direct transfer of the data to another controller, this will only be done to the extent that it is technically feasible.

→ Revocation of your consent to data processing

Many data processing operations are only possible with your express consent. You can revoke your consent at any time. To do so, simply send us an informal email or send an email to the specific email address provided in the relevant section above. The legality of the data processing carried out until the revocation remains unaffected by the revocation.

→ Right to lodge a complaint with the competent supervisory authority

In the event of violations of data protection law, the data subject has the right to lodge a complaint with the competent supervisory authority. The competent supervisory authority for data protection issues is the state data protection officer of the federal state in which our company is based. A list of data protection officers and their contact details can be found at the following link: www.bfdi.bund.de.

PURSUANT TO ARTICLE 21 OF THE GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA IF WE PROCESS YOUR PERSONAL DATA SOLELY ON THE BASIS OF OUR LEGITIMATE INTERESTS AND THERE ARE REASONS FOR THIS ARISING FROM YOUR PARTICULAR SITUATION. IF YOUR OBJECTION IS DIRECTED AGAINST DIRECT MARKETING, YOU HAVE A GENERAL RIGHT TO OBJECT WITHOUT SPECIFYING PARTICULAR REASONS.

YOU CAN SUBMIT YOUR OBJECTION BY E-MAIL TO THE E-MAIL ADDRESS SPECIFIED IN SECTION 1 OR DIRECTLY TO