Privacy statement

Information pursuant to Article 13 of the EU General Data Protection Regulation (GDPR) for the Indico Event Management System

1. Individuals and Contact Information

a. Data Controller under the GDPR

The controller within the meaning of the General Data Protection Regulation is the University of Hamburg, a public-law corporation. The contact details are:

University of Hamburg

represented by the President

Mittelweg 177
20148 Hamburg
praesident@uni-hamburg.de

b. Contact person for questions regarding data processing

Questions regarding the data processing described below can be directed to

University of Hamburg Data Center
Application Systems (APP)
Marvin Mundry
rrz-serviceline@uni-hamburg.de

c. Data Protection Officer

You can also contact the Data Protection Officer at:

Data Protection Officer of the University of Hamburg
Mittelweg 177
20148 Hamburg
dsb@uni-hamburg.de

2. Purpose(s)

Personal data is processed for the following purpose(s):

  • Organization and administration of scientific events, conferences, and workshops; registration and deregistration of participants; creation of participant lists; abstract management and material uploads; billing of fees.
  • Contact via email
  • Authorization and authentication of University of Hamburg employees via the Shibboleth Identity Provider (IdP) for the Indico service. This enables secure single sign-on (SSO), in which data is exchanged only temporarily between your IdP (the University of Hamburg) and the service provider. This data is processed exclusively for the purpose of access control and the provision of the Indico service.
  • Contact Management and Evaluation
    Storage and processing of contact data for evaluations, invitations to follow-up events, and similar purposes related to contact management and evaluation following an event.
  • Evaluation forms at the end of the event
    At the end of an event, participants may be provided with evaluation forms to assess the quality of the event and provide suggestions for improvement as well as requests for follow-up events. The data is collected anonymously. Even if identifiable information is provided in handwriting, the evaluation is always anonymized.
  • In addition, the following data is automatically collected, provided that consent forms are submitted via Indico:
    • Confirmation of the declaration of consent
    • Date and time the form was submitted
    • the user’s IP address, if applicable

3. Legal basis

The legal basis(es) for the processing is/are:

  • Employees:
    Article 88(1) of the GDPR in conjunction with Section 10(1)–(3) of the Hamburg Data Protection Act (HmbDSG) in conjunction with Section 85(1) of the Hamburg Civil Service Act (HmbBG)
  • Students:
    Article 6(1)(e) in conjunction with Article 6(3) of the GDPR in conjunction with Section 111(1) of the Hamburg Higher Education Act (HmbHG)
  • External parties:
    To the extent that the UHH uses M365 to fulfill and initiate contracts: Article 6(1)(b) of the GDPR (in particular, the implementation of projects and collaborations)
    To the extent that data processing is carried out for the performance of tasks in the public interest: Article 6(1)(e) and (3) of the GDPR in conjunction with Section 4 of the Hamburg Data Protection Act (HmbDSG) in conjunction with Section 3 of the Hamburg Higher Education Act (HmbHG) (in particular for research projects)
    In cases where a declaration of consent is provided, the legal basis is Article 6(1)(a) of the GDPR

4. Categories of personal data

The following categories of personal data are processed:

  • Identification data: Last name, first name, email address, organization, phone number (if provided)
  • Usage data: IP address, session cookie, pseudonymized identifiers (such as persistentID or eduPersonTargetedID), date/time of login, username (user ID), time of registration
  • Event participation data
    • Event name/title
    • Location and time of the event
    • Preferred presentation language

5. Recipients / Categories of Recipients

The personal data is transferred to the following recipients / categories of recipients:

  • Internal: Event organizers, IT administration

6. Transfer of personal data to a third country

There are no plans to transfer your personal data to a third country or an international organization.

7. Duration of storage

Personal data is stored for the following period:

Log files are stored for 30 days after the end of the event.

The remaining data is generally deleted 6 months after the event concludes. In the case of consent, deletion occurs upon the declaration of revocation of the respective consent.

In the case of the registration process, the collected data is deleted when the registration is canceled or modified.

In any case, the following applies: If statutory retention periods (e.g., the German Commercial Code (HGB) or the German Fiscal Code (AO)) require longer storage of personal data, the respective data may only be deleted after this period has expired.

8. Cookies

We use necessary cookies (also known as technically necessary cookies) on our Indico instance to ensure the platform’s functionality. Necessary cookies are set, for example, to make a website usable by enabling its basic functions so that it operates correctly. Cookies are text files that are stored in the web browser or by the web browser on the user’s computer. When users visit a website, a cookie may be stored on their operating system. This cookie contains a unique string of characters that allows the browser to be uniquely identified when the website is visited again.

There are different types of cookies. First, a distinction is made between first-party cookies and third-party cookies. While first-party cookies are set by the website you are currently visiting—and only that website can read information from the cookies—third-party cookies are set by third parties who are not the operators of that website.

A distinction is also made between session cookies and persistent cookies. Session cookies contain information that is stored only temporarily and is automatically deleted when you leave the website. Persistent cookies (also known as long-term cookies) are automatically deleted after the specified storage period, which may vary depending on the type of cookie. However, you can delete these cookies at any time via your browser settings. This can also be done automatically. You can also disable or restrict the transmission of cookies by changing your internet browser settings. If cookies are disabled for our website, you may no longer be able to use all of the website’s features to their full extent.

The legal basis for storing necessary cookies, as well as for storing information on users’ devices and accessing such information already stored on the device, is derived from the Act on the Regulation of Data Protection and the Protection of Privacy in Telecommunications and Digital Services (TDDDG). In addition, the legal basis for the further processing of personal data collected in this context is derived from the General Data Protection Regulation.

The legal basis under data protection law for the processing of personal data using necessary cookies is Article 6(1)(f) of the GDPR. The UHH has a legitimate interest in storing necessary cookies to ensure the technically flawless and optimized provision of its services.

| Name | Provider | Purpose | Procedure | Type |
| --- | --- | --- | --- | --- |
| _shibsession_* | UHH | Saving the Shibboleth login on a website (authentication of the user ID) | Session | HTTP cookie |
| indico_session | UHH | Technically necessary | Session | HTTP cookie |

9. Your Rights

You have the following rights:

a. Right of access

Under Article 15 of the GDPR, you have a right of access vis-à-vis the controller.

b. Right to rectification

Under Article 16 of the GDPR, you may request that the controller correct inaccurate data.

c. Right to erasure

You have the right to have your personal data erased, or a “right to be forgotten,” under Article 17 of the GDPR vis-à-vis the controller.

d. Right to restriction of processing

You have the right to request that the controller restrict the processing of your personal data in accordance with Article 18 of the GDPR.

e. Right to Withdraw Consent

Any consent you have given for the collection, processing, and use of your personal data may be withdrawn at any time with future effect (Article 7(3) of the GDPR). As a result, we may no longer continue the data processing that was based on this consent in the future.

f. Right to data portability

If you have consented to data processing or a contract for data processing exists and the data processing is carried out using automated means, you have a right to data portability (Art. 20 GDPR).

g. Right to object

If the processing is based on Article 6(1)(e) or (f) of the GDPR, you have the right to object to the processing under Article 21 of the GDPR by contacting the controller.

h. Right to lodge a complaint

You have the right to lodge a complaint regarding the processing of your personal data with a competent data protection supervisory authority.