Data Protection Policy

Short Version:

In general, our website can be used anonymously. The provision of personal data is purely voluntary and you will always be informed if and for what purpose we want to save your data. Personal data is the data that allows us to identify you and/or to contact you. This includes your name, your postal address or email address.

Privacy Policy In Detail:

  1. Who we are and how you can reach us
  2. Which data we do (not) process, for what purpose, how long, and on what legal basis
    2.1. Anonymous use of our website
    2.2. Logging and evaluation in case of attacks
    2.3. Usage statistics with Matomo
    2.4. Data processing in connection with general contact
    2.5. Data processing in connection with subscribing to the newsletter
    2.6. Data processing in connection with events, education programs, and requests for information and offers
    2.7. Data processing when using third party content
    2.8. Data processing in connection with job applications
    2.9. Data processing when using M-365 applications
  3. Voluntary provision of your data
  4. Recipients of your data
  5. Automated decision-making, profiling
  6. Your rights
  7. Your right to object to data processing
  8. Payment Processing

1. Who we are and how you can reach us

The responsible party for the processing of personal data on this website is:

Hasso Plattner Institute for Digital Engineering gGmbH,
Campus Griebnitzsee
Prof.-Dr.-Helmert-Str. 2-3,
Phone: +49 (0)331 5509-0,
Telefax: +49 (0)331 5509-129,
Email: hpi-info(at)hpi.de.

You may contact our data protection officer at:
Data Protection Officer, Hasso Plattner Institute for Digital Engineering gGmbH,
Prof.-Dr.-Helmert-Str. 2-3,
14482 Potsdam,
Germany,
Email: datenschutz(at)hpi.de.

2. Which data we do (not) process, for what purpose, how long, and on what legal basis

2.1. Anonymous use of our website

You can use our website anonymously. When you visit our website, your web browser will tell our web server your IP address to make communication possible.  It may be possible to identify you via your IP address.

Each time you access the Internet offer of the Hasso Plattner Institute for Digital Engineering gGmbH, the following data is stored in the server log files:

  • Name of the retrieved file
  • Date and time of retrieval
  • Volume of data transferred
  • Notification of whether the retrieval was successful
  • IP address (in abbreviated form so that you are not identifiable)
  • The web address from which the file was accessed (referrer URL)
  • Information about the operating system and browser (user agent string)

You remain completely anonymous to us when you visit our website. This anonymous data is evaluated for statistical purposes only.

2.2. Logging and evaluation in case of attacks

Error messages—which as a rule are the result of attempted attacks—are recorded and evaluated with a complete IP address for security reasons. If no longer needed (for example, as evidence), this data will be deleted after seven days.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are to ensure the functionality and security of our website and to ward off attacks and other abuses.

2.3. Usage statistics with Matomo

This website uses the open source web analytics service Matomo. Matomo uses so-called "cookies". Cookies are text files that are stored on your computer and allow an analysis of how you use our website. The information generated by the cookie about your use of this website is stored on our server. The IP address is anonymized before storage. The aim of processing is to improve our website and our offer, so we can better satisfy users’ needs.

The information generated by the cookie about the use of our website will not be disclosed to third parties. You can prevent the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

If you wish to prevent the collection and storage of your data, you can disable the use of such data. In this case, an opt-out cookie is deposited in your browser that prevents Matomo from storing usage data. By deleting your cookies, the Matomo opt-out cookie will be deleted as well. The opt-out must be reactivated when visiting our site again.

The legal basis for data processing is Art. 6 para. 1 subpara. 1 letter f GDPR. The legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are our and your interest in providing an attractive and helpful website and needs-based services and the better sales of our services.

2.4. Data processing in connection with general contact

If you call us or send us a message, for example via the contact form or by email, we need your email address, your postal address or your telephone number to provide you an answer. Instead of your name, you may use a pseudonym. We will only use this information, as well as date and time of your contact, to process your request. Your data will not be passed on to third parties by us, but only used internally by the department that is responsible for your concern. We will delete your data as soon as it is no longer needed for this purpose. As a rule, this is three months after your last contact with us. If you should have any questions, please notify us again within this three-month period. The legal basis for the processing of data is Art. 6 para. 1 subpara. 1 letters b and f GDPR. The legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is to fulfill your request.

Exceptions: We are required to store business and commercial letters and other tax-relevant documents in order to fulfill the commercial and tax law archiving obligations. We will delete these documents by the 31st of March of the seventh calendar year following their creation and, in the case of accounting receipts, the eleventh calendar year following their creation. Our accounting department has access to these data. The legal basis for the tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in connection with §§ 147 AO, 257 HGB.

If your request is for a specific purpose (e.g., registration, request for a quotation, subscribing to the newsletter), only the explanations in the relevant section for that particular purpose apply to the processing of data.

2.5. Data processing in connection with subscribing to the newsletter

If you register for our newsletter, we need your email address in order to send you the newsletter. All other data is optional. Your data will not be passed on to third parties, and we use it solely for our newsletter and for customer service to contact you individually (as far as this is legally permissible), if applicable, after the research of further data, to make you offers and to clarify your need for our services. You will first receive an email with a link that you must click to confirm that you wish to receive the newsletter (“double opt-in”). In this way we prevent unauthorized persons from subscribing to the newsletter in your name. Additionally, we store your registration for the newsletter and your confirmation to prove that you have registered. Evaluations on the use of our newsletter are always carried out anonymously. For the purpose of sending you the newsletter, we will store your data until your consent is revoked or until the newsletter is finally discontinued. In the interest of customer service we will delete your data in the event of your objection or by 31 March of the fifth calendar year following your last login, request for quotation, or expression of interest; this is for the purpose of proof of consent by 31 March of the fourth calendar year following the last newsletter dispatch. If you do not confirm your newsletter registration, we will delete your data after 24 hours. Therefore please confirm your registration (“double opt-in”) within 24 hours, otherwise you will be required to register again. Our communications department and our customer service have access to your data, and our legal department if required.

We also use commercially available technologies in our newsletters to measure your interactions with the newsletters (e.g., email opening, clicked links, unsubscribes, approximate location by IP address). We use this data in pseudonymous form for general statistical evaluations as well as for the optimization and further development of our content and our communication with you. This is done with the help of small graphics that are embedded in the newsletter (so-called pixels). The data are collected exclusively in pseudonymized form and are not linked with your other personal data. The legal basis for this is our aforementioned legitimate interest according to Art. 6 para. 1 sentence 1 lit. f GDPR. Through our newsletter, we want to share the most relevant content for you and better understand what readers are actually interested in. If you do not want your usage behavior to be analyzed, you can unsubscribe from the newsletter or deactivate graphics in your e-mail program by default. The data for the interaction with our newsletters are stored in pseudonymous form for 30 days and then completely anonymized.

The legal basis of processing for the purpose of sending the newsletter is Art. 6 para. 1 subpara. 1 letter a GDPR. The legal basis of processing for the purpose of proof of consent is Art. 6 para. 1 subpara. 1 letter c in conjunction with Art. 5 para. 2 GDPR, Art. 7 para. 1 GDPR and Art. 24 para. 1 GDPR and Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis of processing for the purpose of customer service is Art. 6 para. 1 subpara. 1 letter f GDPR. Legitimate interests in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the promotion of the sale of our products and services, appropriate advertising as well as proof of your consent, i.e., the defense against legal claims.

2.6. Data processing in connection with events, education programs, and requests for information and offers

When you register for an event, sign up or apply, we need specific information from you, depending on the nature of the service. The registration, application and / or offer form indicates which information is required and which is voluntary. If you contact us informally and the necessary information is missing, we will contact you or request the information from you. Your data will not be shared with third parties. Any exceptions (for example, at co-operative events) are clearly stated at the time of registration.

We use your data solely for the processing of your request, and the handling of the application, registration, event, training and complaints process, for customer service, and in particular (as far as this is legally permissible), if applicable, after the research of further data—to contact you to present offers and clarify your need for our services, to send you advertisements on similar trainings, events and services (including via e-mail) and to prove that we may send you this advertising.

In connection with events and training programs you also have the possibility to provide us with information regarding any special needs (e.g., food intolerances and allergies) if applicable. In this case, we ask for your explicit consent regarding data processing. The data will be processed solely in connection with the event or training program. In certain cases it may be necessary to pass on this information to third parties who carry out the respective service (e.g., to the caterer, the hotel, etc). Again, we will ask for your consent.  Your consent and provision of information are voluntary. However, in the case that you do not give consent or supply information about your needs, we will be unable to take them into account. The legal basis of processing is Art. 9 para. 2 letter a GDPR. The data will be deleted by us no later than three months after the end of the event.

Contingent upon your consent, we will use the participant information at events and training programs also for networking between participants and to document the events for attendees, for example, by providing or circulating participant lists. The legal basis of processing is Art. 6 para.1 subpara. 1 letter a of the GDPR. The data will be deleted by us no later than three months after the end of the event.

When explicitly stated, we use the participant information at events and training programs to also document the event in photo and film recordings. This material can also be used for advertising and for public relations purposes by the Hasso Plattner Institute for Digital Engineering gGmbH or for networking between participants, as well as to document the event or participant training. In doing so, the Hasso Plattner Institute for Digital Engineering gGmbH ensures that either those parts where the participant has given consent to be photographed or filmed explicitly or at least implicitly are sufficiently large and that those parts where there is no express or at least implied consent to being photographed or filmed are clearly recognizable, or that the participant can indicate his or her objection by a visually recognizable sign, such as a name tag or a bracelet in a certain color, which the Hasso Plattner Institute for Digital Engineering gGmbH will observe independent of the applicable legal requirements under Art. 21 GDPR. The legal basis of processing is Art. 6 para. 1 subpara. 1 letter f of the GDPR. Legitimate interests are the documentation and promotion of the work of the Hasso Plattner Institute for Digital Engineering gGmbH, as well as the public relations work and advertising for the Hasso Plattner Institute for Digital Engineering gGmbH and its events and training programs, as well as the networking between the participants and the documentation of the events or training for the participants. We assume that there is no infringement upon your interests, rights and freedoms because of the possibility to opt out of the recordings without significant limitations. The processing is generally carried out for an unlimited period. However, the event or training program will be reexamined at the latest by 31 December of the following year to determine whether the photo or film recordings are still needed, and, if so, whether a limitation can be placed on the processing. If the review reveals that due to the significance of the event or the training program or the recording, it is not possible to limit the processing of the data at the present time, a further reexamination will be made by 31 December of the tenth year following the respective last review. These images can potentially be made accessible to everyone.

Due to tax and commercial reasons, we are compelled to save your registration and, if applicable, any associated communication as well as invoice and payment data. We will delete your data as soon as it is no longer needed for this purpose. We are required to retain business and commercial letters and other tax-relevant documents to fulfill our commercial and tax law archiving obligations. We will delete this data by 31 March of the seventh calendar year following their creation, and in the case of accounting documents by the eleventh calendar year after their creation. In the interest of handling applications, registrations, events, trainings and claims, your data will be deleted three months after the end of the event or training. For customer service (including the processing of your enquiry) your data will be deleted in the event of your objection or by 31 March of the fifth calendar year after your last application, registration, event or training participation, request for information or an offer or expression of interest. For the purpose of promotional mailings your data will be deleted in the event of your objection or if we definitively cease promotional mailings. For the purpose of proof of your registration and in a similar sense for the advertised events, trainings and services or for proof of consent your data will be deleted by 31 March of the fourth calendar year that follows the last promotional mailing. Our communications department, our customer service and our accounting department have access to your data and, if necessary, the legal department.

The legal basis of data processing is Art. 6 para. 1 subpara. 1 letter a (as far as consent is granted), letter b (for the processing and handling of your request, application or registration including the implementation of the contract) and f GDPR. The legal basis of processing for providing proof of your request, application or registration, or consent are Art. 6 para. 1 subpara. 1 letter c in conjunction with Art. 5 para. 2 GDPR and Art. 24 para. 1 GDPR, as well as Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for the tax retention is Art. 6 para. 1 subpara. 1 letter c GDPR in conjunction with §§ 147 AO, 257 HGB. Legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR are the fulfillment of your request, the promotion of the sale of our services, appropriate advertising, the assertion or exercise of legal rights or the defense against legal claims.  

2.7. Data processing when using third party content and web fonts

Our website uses offers from third parties. These are YouTube, Vimeo and OpenStreetMap. Normally your web browser would automatically exchange information with these providers, such as your IP address. To prevent this, we use so-called two-click solutions. To use the offers of third party providers, it is necessary to first enable the data transfer to these third-party providers. Before this is done, none of your data will be sent to the third party provider, and you remain unknown to it. If you activate this button then information will be transmitted directly from your web browser to the respective provider. We then no longer have any influence on the processing of your data by third-party providers—just as when you follow a link to another website. The legal basis is Art. 6 para. 1 subpara. 1 letter f GDPR; the legitimate interest is your wish to activate and use the third-party content.

Data that is thereby transferred include, for example, from which page you clicked on the button and your IP address. If you are logged in at the provider or if the provider can otherwise identify you (for example, via the cookies stored at your machine) the provider can link the information that you visited our website with other information about you, such as your user account at the provider. If you do not want the provider to associate this information with your other information, you should log out beforehand and, ideally, delete the cookies in your web browser.

When you submit data to third-party providers, this data is subject to the privacy policies of those providers. We can assume no liability for this action. Please note that depending on the origin country of the third-party provider, the data privacy regulations may be less stringent than ours. Information about the data regulation of third-party providers is available here:

https://www.google.de/intl/de/policies/privacy

https://vimeo.com/privacy

https://www.fossgis.de/datenschutzerklaerung

In addition, we use webfonts from: Monotype Imaging Holdings Inc., 600 Unicorn Park Drive, Woburn, MA 01801, USA (“Monotype”). If your browser is configured accordingly, your browser will connect directly to Monotype so that it will technically know your IP address and other information about your browser―which it sends automatically. In keeping with Monotype’s data privacy policy, this information is stored for 30 days in order to count the number of page views (upon which our remuneration is based) and to prevent the unauthorized use of webfonts. You can usually disable the loading of webfonts in your browser, in which case your browser will not connect to Monotype. The legal basis of processing is Art. 6 para. 1 subpara. 1 letter f GDPR. Legitimate interest is our, and your, interest in the visually appealing presentation of our website. The legal basis for the transfer to the USA is Art. 49 para. 1 subpara. 1 letter c GDPR (performance of a contract entered into in the interest of the data subject). For more information about Monotype’s processing of personal data see:  https://www.monotype.com/legal/privacy-policy/web-font-tracking-privacy-policy.

2.8. Data processing in connection with job applications

We understand that job applications contain sensitive personal information.

When you apply to us, we process the information we receive from you in the context of the application process. This includes the letter of application, CV, certificates, written correspondence and information received by telephone and in person. Besides your contact information, we attach particular importance to your educational background, working experience and abilities. Without this information we will be unable to regularly determine your suitability for the position and therefore we will be unable to consider your application.

Your data will initially be processed for the application procedure alone. If your application is successful, it will be used as part of your personal file and for the purpose of implementing and terminating your employment relationship, whereby it will then be deleted in accordance with the rules applicable to personal files. If we are currently unable to offer you employment, your data will be processed up to six months after sending the refusal in order to protect ourselves against possible legal claims, in particular against any alleged discrimination claim in the application process. Insofar as you are entitled to receive reimbursements or any other tax-related business transaction exists (e.g., a meal invitation), the corresponding accounting documents for the fulfillment of commercial and tax-related retention obligations are saved up to 31 March of the eleventh calendar year after payment. In the case of commercial and business letters and other tax-related documents, these are saved up to the seventh calendar year after their creation. Initially our human resource department has access to your documents but also, as necessary, the department of the job you applied for, the legal department, and the accounting department.

The legal basis of the data processing in the application process and as part of the personal file are § 26 para. 1 sent. 1 GDPR and Art. 6 para. 1 subpara. 1 letter b GDPR, and insofar as you have given your consent—for example by sending information that is not required for the application procedure―Art. 6 para. 1 subpara. 1 letter a GDPR. The legal basis of data processing after refusal is Art. 6 para. 1 subpara. 1 letter f GDPR. The legal basis for the commercial and tax law retention is Art. 6 para. 1 subpara. 1 letter c GDPR in conjunction with §§ 147 AO, 257 HGB. Legitimate interest in processing on the basis of Art. 6 para. 1 subpara. 1 letter f GDPR is the defense against legal claims. The legal basis for the fulfillment of the statutory rights of the Works Council is Art. 6 para. 1 subpara. 1 letter c GDPR in conjunction with § 80 BetrVG (German Works Council Constitution Act), § 26 para. 1 sent. 1 last clause BDSG (Federal Data Protection Act).

As a rule, we do not require any special categories of personal data for the application in terms of Art. 9 GDPR, such as health data or information about your ethnic origin. We ask you at the outset not to provide us with any such information. If such information is particularly relevant to the application, we will process it along with your other application data. This might, for example, concern information about severe disability, which you provide voluntarily and which we are then required to process in fulfillment of our specific obligation with respect to the severely disabled. In this case, the processing serves in exercising the rights or in fulfillment of legal responsibilities arising from labor law, social security law, and social protection. The legal basis of data processing is Art. 9 para. 2 letter b GDPR, §§ 26 para. 3 BDSG (Federal Data Protection Act), 164 SGB (Code of Social Law) IX.

2.9. Use of M-365 applications

This information applies if you use Microsoft 365 applications together with us. This applies in particular to the use of a Microsoft Office application such as Teams, SharePoint, Stream, Forms, etc. (hereinafter referred to as M365). Microsoft Azure is used for the purpose of logging on to HPI applications.

M365 is a productivity, collaboration and exchange platform for individual users, teams, communities and networks that can be used across organizational units. When you use M365, personal data about you is processed.

Our contractual partner for the licensing of these applications is Microsoft Ireland Operations Limited, South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland. This company may transfer data to subcontractors based in the USA, in particular to Microsoft Corporation, One Microsoft Way Redmond, Washington 98052, USA.

If you require information about the processing by us, you can find it under the following links: Privacy Impact Assessment M365, Privacy Policy M365

If you need information about the processing by Microsoft, you can find it under the following link: https://privacy.microsoft.com/en-us/privacystatement

3. Voluntary provision of your data

You are not required to provide personal information to us. However, by not providing us with certain information (for example, how to contact you if you would like an answer from us), it is possible that we will be unable to complete your request. In the context of special procedures (for example, when you register for an event or our newsletter), you may again be required to provide us with certain information. Without this data we may not, for example, be able to process your registration or send you our newsletter. You will be expressly informed if this should be the case.

4. Recipients of your data

Generally, your personal data remains within our area of responsibility, except in special cases (e.g., co-operative events), in which we will then explicitly inform you to whom your data will be sent. If compelling circumstances arise, it may be necessary to pass on your data to external consultants, for example to lawyers in the case of legal disputes (legal basis Art. 6 para. 1 subpara. 1 letter f GDPR; purpose and legitimate interest: the exercising, defending or asserting of legal rights). In certain areas, such as web hosting, e-mail hosting and event management, we use specialized service providers. These are strictly bound to our instructions with an order processing contract and are not allowed to process the data for their own purposes. Our data protection officer has extensive rights of control, accorded by Art. 37, 38 GDPR, and therefore access to personal data (legal basis Art. 6 para. 1 subpara. 1 letter c in conjunction with Art. 37, 38 GDPR). Further recipients of your data are listed in the notes on the respective data processing. In certain cases, we may need to disclose your personal information to third parties so that you can receive the service you want; this means to vicarious agents, for example banks and other payment service providers or to postal service providers. In certain areas, such as web hosting and email hosting, we use specialized service providers. These providers are strictly bound by our instructions through an agreement on commissioned data processing and may not process the data for their own purposes. If in special cases (e.g., co-operative events with partners outside of the EU), your data will be transferred to third countries, we will inform you of this and, if required, also separately about the legal basis and level of data protection.

5. Automated decision-making, profiling

Your data will not be used for automated decision-making or profiling.

6. Your rights

Under the relevant legal requirements, you have the right to receive information about your data, the right to have such data corrected or deleted, the right to the restriction of processing, the right to object to processing, and the right to data transferability. In particular, you have the right to object to the processing of your data for advertising purposes at any time without incurring costs other than the transmission costs, according to the rates of your provider (e.g., the costs of an email, usually none). This applies, for example, if you have registered for an event and do not wish to be informed about similar events. If the data processing is based on consent, you have the right to revoke your consent at any time without this affecting the legality of the processing carried out on the basis of consent until revocation or processing on any other legal basis. If you want to exercise these rights, you can simply write to datenschutz(at)hpi.de or click on the unsubscribe link in any email newsletter to unsubscribe. If we call you, you can also communicate this to us directly.

You also have the right to complain to a data protection supervisory authority about our processing of your personal data, for example to the supervisory authority whom we answer to: Die Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht, Stahnsdorfer Damm 77, 14532 Kleinmachnow, Tel: +49 (0)33203 356-0, Fax: +49 (0)33203 356-49, Email: poststelle(at)lda.brandenburg.de.

If you have questions or requests regarding data protection, you can contact us at any time. Your contact is: datenschutz(at)hpi.de.

7. Your right to object to data processing

Insofar as the processing of your personal data is based on Art. 6 para. 1 subpara. 1 letter e or f GDPR, you have the right to object to processing in accordance with Art. 21 GDPR. If your objection is made for reasons arising from your particular situation, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. If your opposition is directed against direct marketing, including profiling, insofar as it is connected with such direct mail, we will no longer process your personal data for these purposes.

8. Payment Processing

Credit card:

If you decide to pay for an event by credit card, the technical processing will be carried out by:

Computop Business Informatics GmbH
Schwarzenbergstr. 4
96050 Bamberg

The corresponding credit card information is exclusively stored and processed by Computop Wirtschaftsinformatik GmbH (https://www.computop.com/de/datenschutz/). There is no storage or processing of credit data information at the HPI.

PurpleX cashless payment system:

If you choose to pay through the PurpleX cashless payment system when using chargeable services, the technical processing will be carried out by:

PurpleX GmbH
Petersburger Str. 38
10249 Berlin

The corresponding payment information is stored and processed exclusively by the company PurpleX GmbH (https://www.purplex.com/datenschutz/). There will be no storage or processing of payment information at HPI.

PayPal:

On this website we offer, among other things, payment via PayPal. The provider of this payment service is PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal"). If you select payment via PayPal, the payment data you enter will be transmitted to PayPal.

The transmission of your data to PayPal is based on Art. 6 para. 1 point a GDPR (consent) and Art. 6 para. 1 point b GDPR (processing for the performance of a contract). You have the option to revoke your consent to data processing at any time. A revocation does not affect the effectiveness of past data processing operations.

You can learn more about the use of data by PayPal in their Privacy Policy at https://www.paypal.com/de/webapps/mpp/ua/privacy-full .

Version: 24.01.2022