Privacy statement

Information pursuant to Article 13 of the EU General Data Protection Regulation (GDPR) for the Indico Event Management System

1. Persons and Contact Information

a. Data Controller as Defined by the GDPR

The data controller as defined by the General Data Protection Regulation is the University of Hamburg, a public-law corporation. The contact information is as follows:

University of Hamburg

represented by the President

Mittelweg 177
20148 Hamburg
praesident@uni-hamburg.de

b. Contact Person for Questions Regarding Data Processing

Questions regarding the data processing described below can be directed to

RRZ
Application Systems (APP)
Schlüterstr. 70
20146 Hamburg
rrz-serviceline@uni-hamburg.de

c. Data Protection Officer

You can also contact the Data Protection Officer at:

Data Protection Officer of the University of Hamburg
Mittelweg 177
20148 Hamburg
dsb@uni-hamburg.de

2. Purpose(s)

Personal data is processed for the following purpose(s):

Indico is used to organize and manage (academic) events, conferences, and workshops. To this end, Indico offers the ability to create event pages, register and deregister participants, generate participant lists, manage abstracts, upload materials, and process fees.

At the end of an event, participants may be provided with evaluation forms that allow them to assess the quality of the event and provide suggestions for improvement as well as requests for future events. The data is collected anonymously. Evaluations are generally conducted on an anonymous basis. In addition, at the end of an event, your contact information may be stored and processed so that we can invite you to future events or subscribe you to newsletters. However, your data will only be processed for such purposes if you have previously given your consent.

For employees of the University of Hamburg, authorization and authentication for the Indico service are carried out via the Shibboleth Identity Provider (IdP). This enables secure single sign-on (SSO), in which data is exchanged only temporarily between your IdP (the University of Hamburg) and the service provider. This data is processed exclusively for the purpose of access control and providing the Indico service.

3. Legal basis

The legal basis(es) for the processing is/are:

  • For the processing of employees’ personal data:
    Art. 88(1) GDPR in conjunction with § 10(1)–(3) of the Hamburg Data Protection Act (HmbDSG) and, where applicable, in conjunction with § 85(1), sentence 1, of the Hamburg Civil Service Act (HmbBG) in the case of civil servants
  • For the processing of personal data of students:
    Article 6(1)(e) in conjunction with Article 6(3) of the GDPR in conjunction with Section 111(1) of the Hamburg Higher Education Act (HmbHG)
  • For the processing of personal data of external parties:
    To the extent that the UHH uses Indico to fulfill or initiate contracts, or where this is necessary to carry out pre-contractual measures at the request of data subjects, the legal basis is Article 6(1)(b) of the GDPR (in particular for the implementation of projects and collaborations)
    To the extent that data processing is carried out for the performance of tasks in the public interest, the legal basis is Article 6(1)(e), (3) of the GDPR in conjunction with § 4 HmbDSG and § 3 HmbHG (in particular for research projects).
    In cases where a declaration of consent is provided, the legal basis is Article 6(1)(a) of the GDPR

4. Categories of personal data

The following categories of personal data are processed:

  • Identification data: Last name, first name, email address, organization, phone number (if provided)
  • Usage data: IP address, session cookie, pseudonymized identifiers such as persistentID or eduPersonTargetedID, date/time of login, username/user ID, time of registration
  • Financial data (account number)
  • Event participation data
    • Event name/title
    • Location and time of the event
    • Preferred presentation language

5. Recipients / Categories of Recipients

The personal data is transferred to the following recipients / categories of recipients:

  • Internal: Event organizers, IT administration

6. Transfer of personal data to a third country

There are no plans to transfer your personal data to a third country or an international organization.

7. Retention Period

Personal data is stored for the following period:

Log files are stored for 30 days after the end of the event.

In the case of data processing based on your consent, the data will be deleted upon receipt of your revocation of the respective consent.

In the case of the registration process, the collected data is deleted when the registration is canceled or modified.

The remaining data will be retained for an additional 6 months after the event concludes in order to handle any inquiries regarding the event (e.g., issuing certificates of participation), unless statutory retention requirements—such as those under the German Fiscal Code (AO) or the German Commercial Code (HGB)—require a longer retention period. In such cases, the data will continue to be retained to meet the statutory retention periods but will otherwise be blocked from further processing. Once all retention periods have expired, the data will first be submitted to the university archives for an assessment of its archival value. If the data is not deemed to have archival value, it will be permanently deleted.

8. Cookies

We use essential cookies (also known as technically necessary cookies) on our Indico instance to ensure the platform’s functionality. Necessary cookies are set, for example, to make a website usable by enabling its basic functions so that it operates correctly. Cookies are text files that are stored in the web browser or by the web browser on the user’s computer. When users visit a website, a cookie may be stored on their operating system. This cookie contains a unique string of characters that allows the browser to be uniquely identified when the website is visited again.

There are different types of cookies. First, a distinction is made between first-party cookies and third-party cookies. While first-party cookies are set by the website you are currently visiting—and only that website can read information from the cookies—third-party cookies are set by third parties who are not the operators of that website.

A distinction is also made between session cookies and persistent cookies. Session cookies contain information that is stored only temporarily and is automatically deleted when you leave the website. Persistent cookies (also known as long-term cookies) are automatically deleted after the specified storage period, which may vary depending on the type of cookie. However, you can delete these cookies at any time via your browser settings. This can also be done automatically. You can also disable or restrict the transmission of cookies by changing your internet browser settings. If cookies are disabled for our website, you may no longer be able to use all of the website’s features to their full extent.

The legal basis for storing necessary cookies, as well as for storing information on end users’ devices and accessing such information already stored on those devices, is provided by the Act Regulating Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG). In addition, the legal basis for the further processing of personal data collected in this context is derived from the General Data Protection Regulation (GDPR).

The legal basis under data protection law for the processing of personal data using necessary cookies is Article 6(1)(f) of the GDPR. The UHH has a legitimate interest in storing necessary cookies to ensure the technically flawless and optimized provision of its services.

| Name | Provider | Purpose | Procedure | Type |
|---|---|---|---|---|
| _shibsession_* | UHH | Saving the Shibboleth login on a website (authentication of the user ID) | Session | HTTP cookie |
| indico_session | UHH | Technically necessary | Session | HTTP cookie |

9. Legal or contractual obligation to provide personal data / Necessity for entering into a contract

You are not required to provide your personal data to the UHH. However, if you do not provide your data, you will not be able to use the Indico service at the UHH to organize, manage, and register for (academic) events.

10. Automated decision-making, including profiling

Automated decision-making, including profiling, as defined in Article 22, paragraphs 1 and 4 of the GDPR, does not take place.

11. Your Rights

You have the following rights:

a. Right of access

Under Article 15 of the GDPR, you have a right of access vis-à-vis the controller.

b. Right to rectification

Under Article 16 of the GDPR, you may request that the controller correct inaccurate data.

c. Right to erasure

Under Article 17 of the GDPR, you have the right to have your personal data erased by the controller (the “right to be forgotten”).

d. Right to restriction of processing

You have the right to request that the controller restrict the processing of your personal data in accordance with Article 18 of the GDPR.

e. Right to Withdraw Consent

Any consent you have given for the collection, processing, and use of your personal data may be withdrawn at any time with future effect (Article 7(3) of the GDPR). As a result, we may no longer continue the data processing that was based on this consent in the future and will delete your data in accordance with Section 7 of this notice.

f. Right to data portability

If you have consented to data processing or a contract for data processing exists and the data processing is carried out using automated means, you have a right to data portability (Art. 20 GDPR).

g. Right to object

If the processing is based on Article 6(1)(e) or (f) of the GDPR, you have the right to object to the processing under Article 21 of the GDPR by contacting the controller.

h. Right to file a complaint

You have the right to file a complaint regarding the processing of your personal data with a competent data protection supervisory authority.