Data Protection Policy
The protection of your personal data is important to us. Therefore, in accordance with the provisions of the General Data Protection Regulation (GDPR) we inform you in detail in this Data Protection Policy about the processing of personal data in connection with the website of the Hochschule für Musik Karlsruhe – University of Music (hereinafter also: HfM).
1. Contact Information
1.1. Name and contact details of the person responsible for the processing of personal data (controller)
The person responsible for the processing of personal data (controller) within the meaning of the General Data Protection Regulation (GDPR), national data protection laws or other provisions relating to data protection is:
Hochschule für Musik Karlsruhe - University of Music
legally represented by the rector
Am Schloss Gottesaue 7
76131 Karlsruhe
phone: +49-(0)721-66 29-0
email: rektorat@hfm-karlsruhe.de
1.2. Name and contact details of the data protection officer
The data protection officer is
Prof. Dr. Thomas Troge
Goethestr. 15
76751 Jockgrim
email: dsb@hfm-karlsruhe.de
2. Information on data processing
On our website we inform the public about the activities and services of the Hochschule für Musik Karlsruhe - University of Music (HfM).
We process personal data only if, and to the extent, necessary to provide a functioning website, to present the particular content or to provide certain services.
In accordance with Article 6 paragraph 1 GDPR, processing of personal data on our web pages occurs only (a) with the consent of the user or if: (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, (c) processing is necessary for compliance with a legal obligation to which the HfM is subject, (d) processing is necessary in order to protect the vital interests of the data subject or of another natural person, (e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the HfM (cf. Article 4 Landesdatenschutzgesetz Baden-Württemberg – hereinafter: LDSG), or (f) processing is necessary for the purposes of the legitimate interests pursued by the HfM or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
If the processing for a purpose other than that for which the personal data have been collected is not based on the data subject’s consent or on a Union or Member State law which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives referred to in Article 23 paragraph 1 GDPR, the HfM, in order to ascertain whether processing for another purpose is compatible with the purpose for which the personal data are initially collected, takes into account, inter alia:
1) any link between the purposes for which the personal data have been collected and the purposes of the intended further processing;
2) the context in which the personal data have been collected, in particular regarding the relationship between you and the HfM;
3) the nature of the personal data, in particular whether special categories of personal data are processed, pursuant to Article 9 GDPR, or whether personal data related to criminal convictions and offences are processed, pursuant to Article 10 GDPR;
4) the possible consequences of the intended further processing for data subjects;
5) the existence of appropriate safeguards, which may include encryption or pseudonymisation (cf. Article 6 paragraph 4 GDPR, Article 5 LDSG).
Personal data of users of the internet pages of the HfM will be deleted if and to the extent that the particular purpose of the storage has expired and there is no archiving requirement. Deletion of the data will also occur when a legal retention period has ended, unless there is a requirement for continued retention of the data for completion or fulfillment of a contract.
In the interest of the adequate and comprehensive protection of your data, according to Articles 25, 32 GDPR, Article 3 LDSG we take into account the state of the art and use appropriate encryption techniques (TLS/SSL) and secure technical systems for the processing.
2.1. Data processing when visiting our website
2.1.1. Protocols and Log files
When you visit one of our websites, the browser of your accessing end device sends data and information (protocols, log files) automatically to the server of our website which will be stored temporarily.
Depending on the used access protocol, this may contain the following information:
- IP address of the accessing device
- date and time of the access
- access method/function requested by the accessing device
- input values (file name etc.) transmitted by the accessing device
- access status of the web server (data file transmitted, data file not found, command not executed, etc.).
- name of the requested data file
- URL from which the file was requested/the desired function was initiated
- information regarding the type of web browser
- the system software of the user
- website from which the user's system accessed our website
- other websites that are accessed from our website.
The automatic transfer of the above-mentioned data when visiting our webpages occurs only inasmuch as this is required for the delivery, operation, and optimizing of our website. The storage of log files is carried out, first and foremost, due to security reasons, in order to be able to identify and track impermissible access attempts (e.g. attempted hacking attacks). This is essential for the maintenance of the internet pages and functionality of the server.
Temporary storage of the IP address is also necessary in order to enable delivery of our website content to your computer. For this purpose the user’s IP address must remain stored for the duration of the session. This data is not stored together with other personal data.
Recorded data are generally stored for a maximum of seven days and then automatically deleted. A longer retention period may occur in an individual case, provided a violation related to security was discovered.
The legal basis for processing is Article 6 paragraph 1 sentence 1 point (f) GDPR. Our legitimate interest follows from the above-mentioned purposes.
2.1.2. Cookies
Sometimes cookies can be generated due to a visit of the HfM website, for example, to identify user sessions or to configure the internet pages in a user-friendly manner.
Cookies are text files that are stored on or by your accessing end device. If a user visits an internet page, a cookie may be stored in the user's operating system. This cookie contains a unique character sequence that permits the browser to be specifically identified upon a subsequent visit to the internet page.
Certain functions of our web pages, where applicable, cannot be provided without the use of cookies. For these, it is necessary for the browser to be recognized again after a change of page.
The user data which is stored by the technically necessary cookies is not used in order to create user profiles.
Session cookies are automatically deleted from your end device when you close your browser.
As the cookies are saved on your end device, you as the user have full control of the use of cookies, regardless of the saving periods. By altering the settings in your web browser, you can deactivate or restrict the transfer of cookies. Cookies which have already been saved can be deleted at any time. This can also take place automatically.
Should cookies be deactivated for the HfM website, it may, however, be the case that not all of the functions of the website can be used in full.
The legal basis for processing is Article 6 paragraph 1 sentence 1 point (f) GDPR. Our legitimate interest follows from the above-mentioned purposes.
2.2. Data processing when using our email addresses
You can contact us via the email addresses provided on our web pages.
If you send us an email, your email address and other information provided by you will be used exclusively for the communication with you. The transferred data will be saved only as long as necessary for this purpose, unless some other legal basis justifies its continuing retention.
Please note that the use of a non-encrypted email is unsecure, i.e., it may be intercepted, read or changed by a third person along the transmission route.
The legal basis for processing is your consent pursuant to Article 6 paragraph 1 sentence 1 point (a) GDPR.
2.3. Web reading service (ReadSpeaker)
We want to provide access to our website to as many users as possible. Therefore, in the interest of accessibility we offer on our websites a web reading service by the company ReadSpeaker.
When using this read-aloud function, the required data are transmitted to the company ReadSpeaker:
Read Speaker GmbH
Am Sommerfeld 7
86825 Bad Wörishofen.
The ReadSpeaker web reader is a web reading service for internet content. Visitors of our website can activate the reading service by clicking on the function. ReadSpeaker then generates the audio files in real time.
That is, if a user clicks on the website on the “read aloud” button, a call goes to the ReadSpeaker server. There an audio file will be generated from the respective text and sent back to the user session. Once the delivery has been made, the whole process is completely deleted.
If a user changes any settings (highlight setting, text size, etc.) in the player, ReadSpeaker saves that information in a cookie in the user’s browser. To maintain the user-selected settings for all pages on the site, the cookie is connected to the domain, but expires after a week.
ReadSpeaker performs statistical data on the use of the speech function in general. However, the statistical data cannot be linked to individual users or their usage. ReadSpeaker stores only the total number of activations of the listening service per web page and the language.
The storage of the IP address in web logs serves only to identify the source of the activation and is used to be able to block out robot traffic, to prevent misuse of the service, and for technical debugging purposes.
The IP addresses and connected information (URL, User-Agent, time stamp) are deleted automatically after 30 days.
Further information on data processing by ReadSpeaker can be found here: https://www.readspeaker.com/blog/news/readspeaker-webreader-conforms-gdpr-standards/.
For further questions related to privacy protection, please contact ReadSpeaker: gdpr@readspeaker.com.
The use of ReadSpeaker occurs in the interest of making our website accessible for as many users as possible. This constitutes a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 point (f) GDPR.
2.4. Playback of audio (SoundCloud)
In order to present audio material on our website, we use the services provided by SoundCloud. For this we embed on our web pages so-called SoundCloud-widgets (player software) by which users may play audio material.
When you visit one of our web pages which contains such a SoundCloud-player or use the playback function, the required data are transmitted to the company SoundCloud, registered branch in Germany:
SoundCloud Limited
Rheinsberger Str. 76/77
10115 Berlin.
If you visit a website with SoundCloud widget, a connection is established with the SoundCloud servers and the player is depicted. This provides the SoundCloud server with information about the web pages you have visited on our website.
If you are logged onto SoundCloud as a member with your own account, SoundCloud may automatically assign this information to your personal user account. When you activate the player (e.g. by clicking the start button of an audio file), the corresponding information is also assigned to your user account. You can prevent the automatic assignment of this information by logging out of your SoundCloud account and deleting the respective cookies before accessing our website.
For more information about the purpose and extent of data processing by SoundCloud as well as your rights and setting options for protecting your privacy, please read SoundCloud’s privacy and cookies policy at: https://soundcloud.com/pages/privacy
and
https://soundcloud.com/pages/cookies.
For further questions related to privacy protection, please contact SoundCloud: dataprotection@soundcloud.com.
The use of SoundCloud occurs in order to make our website appealing. This constitutes a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 point (f) GDPR.
2.5. Playback of video (YouTube)
In order to present video on our website, we use the services provided by YouTube. For this we embed on our web pages YouTube video clips.
If you visit one of our web pages which contains such a YouTube video or use the playback function, the required data are transmitted to the company Google:
Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
phone: +353 1 543 1000
fax: +353 1 686 5660.
Privacy Shield
(ensuring of the level of data protection in the event of processing in the USA): https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
When you visit a website with a YouTube video, a connection is established with the Google servers and the player is depicted. This provides the Google server with information about the web pages you have visited on our website.
If you are logged onto YouTube/Google as a member with your own account, Google may automatically assign this information to your personal user account. When you activate the player (e.g. by clicking the start button of an audio file), the corresponding information is also assigned to your user account. You can prevent the automatic assignment of this information by logging out of your YouTube/Google account and deleting the respective cookies before accessing our website.
For more information about the purpose and extent of data processing by Google as well as your rights and setting options for protecting your privacy, please read Google ‘s privacy and cookies policy at: https://policies.google.com/privacy?hl=en-US.
For further questions related to privacy protection, please contact Google: https://support.google.com/policies/contact/general_privacy_form.
The use of YouTube occurs in order to make our website appealing. This constitutes a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 point (f) GDPR.
2.6. Map service (OpenStreetMap)
On our web pages we use the map service OpenStreetMap by the not-for-profit organisation Openstreetmap Foundation:
Openstreetmap Foundation
St John’s Innovation Centre
Cowley Road
Cambridge, CB4 0WS
United Kingdom.
In order to use OpenStreetMap your IP address and, if applicable, location data are sent to an OpenStreetMap server and stored there temporarily. The user data are used by OpenStreetMap exclusively for the purposes of providing the map service and temporarily storing the chosen settings.
For more information about the purpose and extent of data processing by OpenStreetMap as well as your rights and options for protecting your privacy, please read OpenStreetMap’s privacy policy at:
https://wiki.osmfoundation.org/wiki/Terms_of_Use#II._Privacy
und
https://wiki.osmfoundation.org/wiki/Privacy_Policy.
The use of OpenStreetMap is in the interest of making our website appealing and to facilitate the location of places specified by us on the website. This constitutes a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 point (f) GDPR.
3. Social media presence
Our social media presence (SoundCloud, YouTube) is part of our public relations work. By this we want to communicate with and provide information to the users active on these platforms.
Provided that processing of data is conducted outside of the EU by our social media providers, they are certified under the EU-US Privacy Shield and accessible to any person, so that a legally reasonable level of protection for personal data is guaranteed.
Providing our Social Media presence occurs only for the purposes stated above, in particular, our public relations work and information. This constitutes a legitimate interest pursuant to Article 6 paragraph 1 sentence 1 point (f) GDPR.
4. Your data protection rights as an affected person (data subject)
In connection with the HfM website, personal data is processed to the aforementioned extent and for the stated purposes. Depending on the reason and method of the processing of your personal data, you are entitled to the following data protection rights:
4.1. Right of access
Pursuant to Article 15 GDPR, you have the right to request from HfM access to your respective personal data
You have the right to obtain from the HfM confirmation as to whether or not personal data concerning you are being processed. Where that is the case, you have the right of access to the personal data and the following information:
the purposes of the processing;
the categories of personal data concerned;
the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;
where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
the existence of the right to request from the HfM rectification or erasure of personal data or restriction of processing of personal data concerning you or to object to such processing;
the right to lodge a complaint with a supervisory authority;
where the personal data are not collected from you, any available information as to their source;
the existence of automated decision-making, including profiling, referred to in Article 22 paragraphs 1 and 4 GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
The HfM provides a copy of the personal data undergoing processing. For any further copies requested by you, the HfM may charge a reasonable fee based on administrative costs. Where you make the request by electronic means, and unless otherwise requested by you, the information shall be provided in a commonly used electronic form. The aforementioned right to obtain a copy shall, however, not adversely affect the rights and freedoms of others.
Your right to access is not absolute and subject to legal restrictions, in particular in the following instances:
in case of a large amount of information the HfM may require that the request to access be specified with respect to the information or processing in question;
obviously unfounded or excessive requests or frequent repetitions may result in the rejection or compensation of costs;
the information may be withheld under the circumstances stated in Articles 9, 13 and 14 LDSG.
4.2. Right to rectification/completion
Pursuant to Article 16 GDPR you have the right to obtain from HfM without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you have also the right to have incomplete personal data completed, including by means of providing a supplementary statement.
The rectification/completion may be withheld under the circumstances stated in Articles 13 and 14 LDSG.
4.3. Right to restriction of processing
Pursuant to Article 18 GDPR you have the right to obtain from the HfM restriction of processing where one of the following applies:
the accuracy of the personal data is contested by you, for a period enabling the HfM to verify the accuracy of the personal data;
the processing is unlawful and you oppose the erasure of the personal data and requests the restriction of their use instead;
the HfM no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defence of legal claims;
you have objected to processing pursuant to Article 21 paragraph 1 GDPR pending the verification whether the legitimate grounds of the HfM override those of you.
Where processing has been restricted under Article 18 paragraph 1 GDPR, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
In case you have obtained restriction of processing pursuant to Article 18 paragraph 1 GDPR you will be informed by the HfM before the restriction of processing is lifted.
The restriction of processing may be withheld under the circumstances stated in Articles 13 and 14 LDSG.
4.4. Right to erasure ('right to be forgotten')
Pursuant to Article 17 GDPR you have the right to obtain from the HfM the erasure of personal data concerning you without undue delay and the HfM has the obligation to erase personal data without undue delay where one of the following grounds applies:
the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
you withdraw consent on which the processing is based according to point (a) of Article 6 paragraph 1 GDPR, or point (a) of Article 9 paragraph 2 GDPR, and where there is no other legal ground for the processing;
you object to the processing pursuant to Article 21 paragraph 1 GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Article 21 paragraph 2 GDPR;
the personal data have been unlawfully processed;
the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
the personal data have been collected in relation to the offer of information society services referred to in Article 8 paragraph 1 GDPR.
Where the HfM has made the personal data public and is obliged pursuant to Article 17 paragraph 1 GDPR to erase the personal data, the HfM, taking account of available technology and the cost of implementation, takes reasonable steps, including technical measures, to inform controllers which are processing the personal data that you have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
This does not apply to the extent that processing is necessary:
1. for exercising the right of freedom of expression and information;
2. for compliance with a legal obligation which requires processing by Union or Member State law to which the HfM is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the HfM;
3. for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9 paragraph 2 GDPR as well as Article 9 paragraph 3 GDPR;
4. for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 paragraph 1 GDPR in so far as the right referred to in Article 17 paragraph 1 GDPR is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
5. for the establishment, exercise or defence of legal claims.
Your right to erasure may be further restricted due to Articles 10, 14 LDSG.
4.5. Notification obligation regarding rectification or erasure of personal data or restriction of processing
If you have asserted your right to rectification, erasure or restriction of processing against vis-à-vis the HfM, pursuant to Article 10 GDPR we are obliged to communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, 17 paragraph 1 and 18 GDPR to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The HfM informs you about those recipients if you request it.
4.6. Right to data portability
Pursuant to Article 20 GDPR you have the right to receive the personal data concerning you, which you have provided to the HfM, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the HfM, where:
the processing is based on consent pursuant to point (a) of Article 6 paragraph 1 GDPR or point (a) of Article 9 paragraph 2 GDPR or on a contract pursuant to point (b) of Article 6 paragraph 1 GDPR; and
the processing is carried out by automated means.
In exercising your right to data portability pursuant to Article 20 paragraph 1 GDPR, you have the right to have the personal data transmitted directly from one controller to another, where technically feasible.
The exercise of the right according to Article 20 paragraph 1 GDPR shall be without prejudice to Article 17 GDPR.
The right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the HfM.
The right referred to in Article 20 paragraph 1 GDPR shall not adversely affect the rights and freedoms of others.
The right to portability may be withheld under the circumstances stated in Article 14 LDSG.
4.7. Right to object
Pursuant to Article 21 GDRP you have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 paragraph 1 GDPR, including profiling based on those provisions.
The HfM will no longer process the personal data unless the HfM demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.
In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
Where personal data are processed for scientific or historical research purposes or statistical purposes pursuant to Article 89 paragraph 1 GDPR, you, on grounds relating to your particular situation, have the right to object to processing of personal data concerning you unless the processing is necessary for the performance of a task carried out for reasons of public interest.
The right to object may be withheld under the circumstances stated in Articles 13 and 14 LDSG.
4.8. Right to withdraw consent to data processing
Where the data processing occurs on the basis of your consent, pursuant to Article 7 paragraph 3 GDPR you have the right to withdraw his or her consent at any time.
The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
The withdrawal of consent shall be made vis-à-vis the HfM body to which the consent was given.
4.9 Right to lodge a complaint with a supervisory authority
Pursuant to Article 77 GDPR – without prejudice to any other administrative or judicial remedy – you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
In the case of the HfM the data protection supervisory authority is
the State Officer for Data Protection and Freedom of Information Baden-Württemberg
Königstrasse 10 a, 70173 Stuttgart
phone: 0711/615541-0
fax: 0711/615541-15
email: poststelle@lfdi.bwl.de.
5. Date, revision and application of this data protection policy
his data protection policy was created in March 2020.
It is subject to modifications in order to meet the needs of legal or technical developments as well as to implement our services and offers in compliance with data protection requirements.
The most recent version of this data protection policy applies to your visit of our website.