The Hochschule Bremen has the protection of any personal data you let us have very much at heSection We process personal data of the users of our websites in compliance with the applicable data protection regulations, in particular the European Data Protection Regulation (GPDR) and the Bremen Implementation Act for the EU Data Protection Regulation (BremGDPRAG).

Without authorization, collected data will neither be published by the Hochschule Bremen nor passed on to third parties.

Below we provide you with the essential information on data processing.

III. General information on data processing

Scope of the processing of personal data

As a matter of principle, we only process personal data of the users of our online offer insofar as this is necessary for the provision of a functioning website as well as its contents and our services. In principle, it is not necessary for you to provide personal data in order to use our website. However, if you wish to make use of special offers and services of the university via our internet pages, we may require your personal data. The personal data of our users is only processed with their consent.

Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Section 6 (1) a GDPR serves as the legal basis.

When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Section 6 (1) b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.

Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which the university is subject, Section 6 Para. 1 c or e GDPR serves as the legal basis. Insofar as the processing of personal data is necessary for the performance of a task which is in the public interest and which has been assigned to the controller, Section 6 (1) e GDPR serves as the legal basis.

In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Section 6 (1) d GDPR serves as the legal basis.

If the processing is necessary to protect a legitimate interest of Hochschule Bremen or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Section 6 (1) f GDPR serves as the legal basis for the processing.

Data deletion and storage period

Unless we inform you in detail about the storage period, we delete personal data when they are no longer required for the stated processing purposes and no statutory retention obligations prevent deletion.

IV. Provision of the website and creation of log files

Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. The following data is collected in our log files:

  1. Information about the browser type and version used
  2. The operating system of the user
  3. The user's internet service provider
  4. The IP address of the user
  5. Date and time of access
  6. Websites from which the user's system accesses our website
  7. Websites that are accessed by the user's system via our website.

Legal basis for data processing

The legal basis for the temporary storage of the data and the log files is Section 6 (1) f GDPR.

Purpose of the data processing

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the user's IP address must remain stored for the duration of the session. The storage in log files is done to ensure the functionality of the website. In addition, we use the data to optimise the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context. These purposes are also our legitimate interest in data processing according to Section 6 (1) f GDPR.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. In the case of storage of data in log files, this is the case after seven days at the latest.

If the data is stored for a longer period, the IP addresses of the users are deleted or anonymised so that it is no longer possible to assign the calling client.

Storage of the IP address for security purposes

In addition, we store the complete IP address transmitted by your web browser for a strictly limited period of seven days in the interest of being able to recognise, limit and eliminate attacks on our websites. After this period, we delete or anonymise the IP address. The legal basis is Section 6 (1) p.1 f GDPR.

Possibility of objection and removal

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Therefore, there is no possibility for the user to object.

V. Use of cookies

Description and scope of data processing

We use cookies in order to optimise our website in terms of user-friendliness, effectiveness and security. These are small text files that are placed on your terminal device and stored in your browser. They include cookies that are technically necessary for the operation of our website, as well as cookies for anonymous web analysis or for extended functions and services.

Necessary cookies

Necessary cookies enable basic functions and are required for the proper functioning of the website.

  • HSB -Cookie: Saves the settings of the visitors selected in the cookie banner.
  • LDAP cookie (only relevant for HSB employees): Saves the successful login for access-protected pages and files.

Legal basis for data processing

The legal basis for the processing of personal data using technically necessary cookies is Section 6 (1) f GDPR.

Purpose of the data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our websites cannot be offered without the use of cookies. For these, it is necessary that the browser is recognised even after a change of pages.

We need cookies for the following applications: saving the settings of the visitors selected in the cookie banner, displaying access-protected content.

The user data collected through technically necessary cookies are not used to create user profiles.

Optional cookies

You can change your settings for optional cookies on this website at any time by clicking on this link to access the cookie settings banner.

Tracking tool Matomo

We use the open-source software tool Matomo (formerly Piwik) on our website to analyse user behaviour. The statistics obtained enable us to improve our offer and make it more interesting for users.

The software sets a cookie on the computer of the user. The IP address is anonymised during this process so that the user remains anonymous to us. The software runs exclusively on the servers of our website. Personal data of the user is only stored there. The data is not passed on to third parties.

If individual pages of our website are accessed, the following data is stored:

  • Two bytes of the IP address of the calling system of the user
  • Date and time of the page view
  • The accessed web page (title and URL)
  • The website from which the user has reached the accessed website (referrer)
  • The subpages that are accessed from the accessed webpage
  • The length of stay on the website
  • The frequency with which the website is accessed
  • Screen resolution
  • Time according to the visitor's time zone
  • Files that have been clicked and downloaded
  • Links to external websites that have been clicked on
  • Page generation time (the time taken to generate and display the page)
  • Visitor location: country, region, city, approximate latitude and longitude (geo-position) based on internet access point
  • Main language of the browser
  • User Agent of the browser

The data processing is based on your consent, provided that you have given your consent via our banner. You can revoke your consent at any time. To do so, please follow this link and make the appropriate settings via our banner.

The data is automatically deleted after 6 months.

We also offer our users the option of opting out of the analysis process. In this way, another cookie is set on their system, which signals to our system not to save their data. If the user deletes the corresponding cookie from their system in the meantime, they must set the opt-out cookie again.

VI. Contact form/registration form

If you send us enquiries via the contact form/registration form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry/registration and in the event of follow-up enquiries. We do not pass on this data without your consent.

The processing of the data entered in the contact form is therefore based exclusively on your consent (Section 6 (1) a GDPR). You can revoke this consent at any time. For this purpose, an informal communication by e-mail to us is sufficient. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it or the purpose for storing the data no longer applies (e.g. after we have completed processing your enquiry). Mandatory legal provisions – in particular retention periods – remain unaffected.

VII. Data processing during registration for the use of offers/services

The purpose of data processing during registration for the use of offers/services is the realisation of the respective offer or the provision of certain contents and services on our internet pages.

Purpose of the data processing

The purpose of the data collection, unless already stated below, is indicated on the respective page at the point where the data is to be entered by you. The purpose of data processing when registering for the use of offers/services is the realisation of the respective offer or the provision of certain contents and services on our internet pages.

Legal basis for the processing

Insofar as Hochschule Bremen obtains your consent as the data subject for individual processing operations on its websites, the legal basis is Section 6 (1) a GDPR.

Passing on the data

Your personal data will not be passed on to other bodies or persons.

Duration of storage

The personal data are stored until the purpose of the processing has been achieved and the respective procedure has been completed. They are deleted without delay as soon as the stated purpose has been achieved or the procedure concerned has been completed.

VIII. E-mail contact

Description and scope of data processing

It is possible to contact us via our website using the e-mail address provided. If a user makes use of this option, the personal data of the user transmitted in the e-mail will be stored. In this context, the data will not be passed on to third parties.

The data will be used exclusively for processing the conversation. For the processing of the data, your consent will be obtained as part of the sending process and separate reference will be made to the information to be provided in accordance with Section 13 GDPR as well as the right of revocation with regard to the consent.

Legal basis for data processing

The legal basis for the processing of data is Section 6 (1) a GDPR if the user has given their consent. The legal basis for the processing of data transmitted in the course of sending an e-mail is Section 6 (1) f GDPR. If the e-mail contact is aimed at concluding a contract, the additional legal basis for the processing is Section 6 (1) b GDPR.

Purpose of the data processing

The processing of the personal data from the input mask serves us exclusively to process the contact. In the case of contact by e-mail, this also constitutes the necessary legitimate interest in processing the data.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. For personal data sent by e-mail, this is the case when the respective conversation with the user has ended. The conversation is ended when the circumstances indicate that the matter in question has been conclusively clarified. The additional personal data collected during the sending process will be deleted after a period of seven days at the latest.

Possibility of objection and removal

The user has the option to revoke their consent to the processing of personal data at any time. If the user contacts us by e-mail, they can object to the storage of their personal data at any time. In such a case, the conversation cannot be continued. The revocation of consent and the objection to storage can be made by e-mail to: datenschutz@hs-bremen.de. All personal data stored in the course of contacting us will be deleted in this case.

IX. Processing of personal data on internal access-protected websites

The usage regulations for information processing systems of the Hochschule Bremen apply to the use of internal access-protected websites.

Scope of the processing of personal data

In the case of access-protected Internet pages of the university, which only concern information platforms accessible to university members and staff, the following personal data is collected from the logged-in, registered users (students, staff or university members with a user account) during their stay on these pages:

  1. Names of the user,
  2. the e-mail address assigned to the account,
  3. if applicable, the affiliation of the user to a certain user group.

Legal basis for the processing of personal data

The legal basis for the processing of data after registration is Section 6 (1) e GDPR.

Purpose of the data processing

The collection of the user's data serves to enable the use of the restricted access Internet pages (connection establishment), as well as the purposes of system security, the technical administration of the network infrastructure and the optimisation of the offers.

Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. This is the case after logging out or closing the web browser.

X. Social media

Our website may contain links to external social networks such as Facebook, Instagram, Twitter, YouTube, XING, LinkedIn etc. When you follow the links by clicking on them, your browser establishes a direct connection with the servers of the providers. We would like to point out that this data protection declaration applies exclusively to the pages of the Hochschule Bremen website. The functions assigned to the links of the networks, in particular the transmission of information and user data, are not activated by visiting our internet pages, but only by clicking on the corresponding links.

For the purpose and scope of data collection by the networks and the further processing and use of your data there, as well as your rights in this regard and setting options for protecting your privacy, please refer to the data protection information there.

The university operates online presences in various social networks (Twitter, LinkedIn, Facebook, Instagram, YouTube, XING) for the purpose of informing the public about the fulfilment of its tasks (Section 4 (9) of the Bremen Higher Education Act). When visiting these profiles, personal data of users outside the European Union may be processed. Therefore, a lower level of data protection may exist. The corresponding data processing is carried out by the external operators of these networks and on the basis of their data protection declarations. Please inform yourself there about the corresponding processing modalities. We would like to point out that you use social networks and their functionalities on your own responsibility. The Hochschule Bremen has no influence on the type and scope of the data processed by the respective provider, the type of processing and use or the transfer of this data to third parties.

XI. Rights of the data subject

If the Hochschule Bremen processes your personal data, you have the following rights as a data subject within the meaning of the GDPR:

Right to information

You can request confirmation as to whether personal data concerning you is being processed by us. If such processing is taking place, you can request information about the following:

  1. the purposes for which the personal data are processed;
  2. the categories of personal data which are processed;
  3. the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed;
  4. the planned duration of the storage of the personal data relating to you or, if specific information on this is not possible, criteria for determining the storage duration;
  5. the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the university or a right to object to such processing;
  6. the existence of a right of appeal to a supervisory authority;
  7. any available information on the origin of the data if the personal data are not collected from the data subject;
  8. the existence of automated decision-making, including profiling, pursuant to Section 22 (1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject. You have the right to request information on whether personal data concerning you is transferred to a third country or to an international organisation. In this context, you may request to be informed about the appropriate safeguards pursuant to Section 46 of the GDPR in connection with the transfer. If personal data is processed by you for scientific, historical or statistical research purposes, the right of access may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right of rectification

You have a right of rectification and/or completion vis-à-vis the university if the personal data processed concerning you are inaccurate or incomplete. The university must make the correction without delay. If your personal data is processed for scientific, historical or statistical research purposes, the right of access may be restricted to the extent that it is likely to make the realisation of the research or statistical purposes impossible or seriously impair them and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to restrict processing

You may request the restriction of the processing of personal data concerning you under the following conditions:

  1. if you dispute the accuracy of the personal data concerning you for a period of time that enables the university to verify the accuracy of the personal data;
  2. the processing is unlawful and you refuse to erase the personal data and instead request the restriction of the use of the personal data;
  3. the university no longer requires the personal data for the purposes of processing, but you need them for the assertion, exercise or defence of legal claims, or
  4. if you have objected to the processing pursuant to Section 21 (1) GDPR and it has not yet been determined whether the legitimate reasons of the university outweigh your reasons.

Where the processing of personal data relating to you has been restricted, those data may be processed, with the exception of their storage, only with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of substantial public interest of the Union or of a Member State.

If the restriction of processing has been restricted in accordance with the above-mentioned conditions, you will be informed by the university before the restriction is lifted. If your personal data is processed for scientific, historical or statistical research purposes, the right of access may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to erasure

Obligation to delete

You may request the university to delete the personal data concerning you without delay; the university is obliged to delete this data without delay if one of the following reasons applies:

  1. The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  2. You revoke your consent on which the processing was based pursuant to Section 6 (1) a or Section 9 (2) a GDPR and there is no other legal basis for the processing.
  3. You object to the processing pursuant to Section 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Section 21 (2) GDPR.
  4. The personal data concerning you has been processed unlawfully.
  5. The deletion of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the university is subject.
  6. The personal data concerning you was collected in relation to information society services offered pursuant to Section 8 (1) GDPR.

Information to third parties

If the university has made the personal data concerning you public and is obliged to erase it pursuant to Section 17 (1) of the GDPR, it shall take reasonable steps, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to, or copies or replications of, that personal data.

Exceptions

The right to erasure does not exist insofar as the processing is necessary

  1. to exercise the right to freedom of expression and information;
  2. for compliance with a legal obligation which requires processing under Union or Member State law to which the higher education institution is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the higher education institution;
  3. for reasons of public interest in the area of public health pursuant to Section 9 (2) h and i and Section 9 (3) GDPR;
  4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Section 89 (1) of the GDPR, where the right referred to in item a is likely to render impossible or seriously prejudice the achievement of the purposes of such processing, or
  5. for the assertion, exercise or defence of legal claims.

Right to information

If you have exercised the right to rectification, erasure or restriction of processing vis-à-vis the university, the university is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this rectification or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right to be informed by the university about such recipients.

Right to data portability

You have the right to receive the personal data concerning you that you have provided to the university in a structured, commonly used and machine-readable format. You also have the right to transfer this data to another controller without hindrance from the controller to whom the personal data has been provided, provided that

  1. the processing is based on consent pursuant to Section 6 (1) a GDPR or Section 9 (2) a GDPR or on a contract pursuant to Section 6 (1) b GDPR and
  2. the processing is carried out with the aid of automated procedures.

In exercising this right, you also have the right to have the personal data concerning you transferred directly from one controller to another controller, insofar as this is technically feasible. This must not affect the freedoms and rights of other persons.

The right to data portability shall not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Right of objection

You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Section 6 (1) e or f GDPR; this also applies to profiling based on these provisions. The university will no longer process the personal data relating to you unless it can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. You have the possibility, in connection with the use of information society services, notwithstanding Directive 2002/58/EC, to exercise your right to object by means of automated procedures using technical specifications.

If your personal data is processed for scientific, historical or statistical research purposes, you also have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out for scientific or historical research purposes or for statistical purposes pursuant to Section 89 (1) of the GDPR.

Your right to object may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfilment of the research or statistical purposes.

Right to revoke the declaration of consent under data protection law

In accordance with Section 7 (3) GDPR, you have the right to revoke your declaration of consent under data protection law at any time. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

1. is necessary for the conclusion or fulfilment of a contract between you and the university,

2. is permitted on the basis of legal provisions of the Union or the Member States to which the higher education institution is subject and these legal provisions contain appropriate measures to safeguard your rights and freedoms as well as your legitimate interests, or

3. is done with your express consent.

However, these decisions must not be based on special categories of personal data pursuant to Section 9(1) of the GDPR, unless Section 9 (2) a or g of the GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests. With regard to the cases mentioned in (1) and (3), the university shall take appropriate measures to safeguard the rights and freedoms as well as your legitimate interests, including at least the right to obtain the intervention of a person from the university, to express your point of view and to contest the decision.

Assertion of your rights

To exercise your above-mentioned data protection rights, please contact datenschutz@hs-bremen.de.

Right to complain to a supervisory authority

Without prejudice to the above rights or to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your place of residence, place of work or place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the GDPR.

The supervisory authority of the Free Hanseatic City of Bremen is:

The State Commissioner for Data Protection and
Freedom of Information of the
Free Hanseatic City of Bremen
Arndtstraße 1
27570 Bremerhaven
Phone: +49 471 596 2010 or
+49 421 361 2010
Fax: +49 421 496 18495
E-mail: office@datenschutz.bremen.de