Data Protection of Studierendenwerk Aachen

Thank you for your interest in our website www.studierendenwerk-aachen.de and in our services. We at Studierendenwerk Aachen are aware that the protection of your privacy when using our website is an important concern for you. Therefore, we comply with the legal regulations on data protection. Furthermore, it is important to us that you as a customer know at all times when and how we collect and store which data from you and how we use it.
The following gives a simple overview of what happens to your personal information when you visit our website. Personal information is any data with which you could be personally identified, for example name, address, email address, user behavior.

If we process personal data in the context of the use of our website or if we use commissioned service providers for individual functions, offers or services of our website with reference to data processing or if we want to use your data for advertising purposes, we will inform you in detail below about the respective processes, in particular which data is processed in this context. In doing so, we will also state the intended storage period or, in any case, the defined criteria for the storage period as well as the relevant legal basis for the respective processing.

I. Name and contact data of the party responsible

The party responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States and other data protection provisions is:

Studierendenwerk Aachen AöR, Pontwall 3, 52062 Aachen, info@stw.rwth-aachen.de, www.studierendenwerk-aachen.de

For more information see the following link to our terms and conditions down below:

https://www.studierendenwerk-aachen.de/de/impressum.html

II. Contact data of controller for data protection

Our controller for dara protection is to be contacted via post address with the addition ‘‘controller for data protection‘‘.

III. The collection and storage of personal information as well as kind, purpose, legal basis and duration of the use

§1 Visit of website

In the case of informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal access data in so-called server log files that your browser transmits to our server. The following data is collected as part of the server log files:

  • IP address (in anonymized form for IPv4 and IPv6 formats).
  • Date and time of the request
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request comes (so-called referrer)
  • browser type
  • Operating system and its interface
  • language and version of the browser software.

This data is analyzed exclusively to ensure smooth process of the site in terms of stability and security and to improve our offer, and then rejected. The legal basis for the data processing is Art. 6 para. 1 p.1 lit. f DSGVO. Our legitimate interest follows from the aforementioned purposes for data collection.

The data is also stored in the log files of our system. Not affected by the storage are the IP addresses of the user or other data that allow the assignment of the data to a user. This data is not stored together with other personal data of the user.

The collection of data for the provision of the website and the storage of the data in log files is absolutely necessary for the process of the website. There is no possibility of objection on the part of the user.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended.

In addition, we use cookies when you visit our website. You can find more detailed explanations under section V of this data protection.

§2 When using further services, functions and offers of our website

In addition to the purely informational use of our website, we offer various services, offers and functions that you can use if you are interested. For this purpose, you will usually have to provide further personal data, which we use to provide the respective service and for which the aforementioned data processing principles apply. The services, offers and functions are described in more detail below.

(1) Contacting us via email

When you contact us via a general inquiry email, the information you voluntarily provide (your email address, first and last name and, if applicable, phone number, city and zip code) will be stored by us in order to answer your question. The specification of email address and first name and surname is required, all other information is voluntary. The answer will be given via email or, if indicated, via telephone.

The legal basis for the processing is Art. 6 (1) lit. a, b and f of the DSGVO on the basis of your voluntarily given consent or to answer your respective inquiry.

We delete the data accruing in this context after completion of the inquiry you have made or restrict the processing if there are legal obligations to retain data.

(2) Newsletter

With your consent, you can subscribe to our newsletter, with which we inform you about our current interesting offers.

For the registration to our newsletter, we use the so-called double-opt-in procedure. This means that after your registration, we will send you an email to the email address you provided, in which we ask you to confirm that you wish to receive the newsletter. If you do not confirm your registration, your information will be blocked and automatically deleted after one month. In addition, we store the IP addresses used and time of registration and confirmation. The purpose of this procedure is to prove your registration and, if necessary, to be able to clarify a possible misuse of your personal data.

Mandatory information for sending the newsletter is your email address only. The provision of further, separately marked data is voluntary and will be used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter.

The legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO based on your voluntarily given consent.

You can revoke your consent to the newsletter at any time and unsubscribe from the newsletter (see VIII).

We would like to point out that we analyze your user behavior when sending the newsletter. For newsletter dispatch and analysis, we use the technical service provider CleverReach GmbH & Co. KG, Mühlenstr. 43, 26180 Rastede ("CleverReach"), to whom we pass on your data provided during newsletter registration. This data is stored on CleverReach's servers in Germany and Ireland. For analyze purposes, the emails sent contain so-called Web-Beacons or Tracking-Pixel, which are single-pixel image files stored on our website. For the analysis, we link the data mentioned in III.§ 1 and the web beacons with your email address and an individual ID. Links received in the newsletter also contain this ID. The data is collected exclusively pseudonymously, i.e. the IDs are not linked to your other personal data, a direct personal reference is excluded. The data obtained in this way is used exclusively for the statistical analysis of newsletter campaigns. The results of these analyses can be used to better adapt future newsletters to the interests of the recipients.

You can object to this tracking at any time by unsubscribing from the newsletter. You can do this via the separate link provided in each email or by informing us via another contact method. The information will be kept for as long as you are subscribed to the newsletter. Moreover, such tracking is not possible if you have deactivated the display of images by default in your email program. In this case, the newsletter will not be displayed to you in full and you may not be able to use all of its features. If you display the images manually, the aforementioned tracking will take place.

You can read further information about CleverReach's data analysis here:
https://www.cleverreach.com/de/funktionen/reporting-und-tracking/

(3) Online application for a dormitory

An online application process is used to apply for our residence halls. In the online application, only data that is required for a placement in a residence hall is requested. The application data is entered by you online, and the data transmission is secured by encryption. A complete application consists of these data:

  • Your personal data, incl. email address
  • Your home address and semester address
  • Preferred type of housing (single apartment, shared apartment, etc.)
  • Desired dormitory
  • Desired move in date
  • If applicable, proof of disability
  • If applicable, name family members

In addition to the data you provide in the form, we will keep the date of your application for the purpose of contemporary processing and better accountability. After submitting the online application, you will receive a confirmation link via email. We use the data of your online application exclusively to arrange a place in a dormitory. If we are able to make you an offer, we will inform you via email. In addition, you will receive an email every four weeks in which we ask you whether you are still interested in a place in the dormitory. If you do not respond to this email by the deadline, your application including user account (see below) will be automatically deleted 6 months after the end of the last active application or feedback period.

After you have applied for a place in a residence hall, you are a registered user of the applicant platform. You can log in to the user account generated in the process and have online access to your application data; here you can view, manage and edit your data as well as delete your entire user account including data and active applications via the "Delete application" button. To change your personal data, however, you must contact the Housing Office.

If a rental contract is concluded, your application data will be used for the purpose of concluding the rental contract. If a rental contract is concluded, we will keep your data for the duration of the tenancy. Beyond the duration of the rental contract, we keep your data to fulfill our legal obligation to preserve as well as to be able to track whether you have already exceeded the maximum period of residence in the dormitories of Studierendenwerk Aachen when you reapply for a place in a dormitory. In this respect, we restrict the processing of your data to the aforementioned purposes. We delete your data after the legal obligation to preserve have expired; these are 10 years after the end of the rental period.

In the context of a rental agreement, you must provide those data that are required for the establishment, implementation or termination of the rental relationship and for the fulfillment of the associated contractual obligations, or which we are required to collect by law. Without this data, we will not be able to conclude the contract with you. All other information is voluntary. If details of a dormitory place application are not complete, it is possible that no rental agreement will be concluded.

The legal basis for this processing is Art. 6 (1) (b) DSGVO for our data processing in the case of (pre-)contractual measures in connection with the dormitory rental agreement, as well as Art. 6 (1) (c) DSGVO in relation to the storage obligations. Supplementary legal basis is Art. 6 para. 1 lit. f) DSGVO for the storage of data for matching with the maximum rental period as well as Art. 6 para. 1 lit. e) DSGVO in connection with § 2 Studierendenwerksgesetz NRW for the fulfillment of our legal social commission for the students.

(4) Online application for a position and setting up a job alert.

If you apply for a job at Studierendenwerk Aachen via this website, personal data will be collected in our application portal. The data you enter or upload in our application portal will be used only for the purpose of filling the advertised position and reviewing and processing your application submitted in this context. In addition, we use the email address you provide to send you a confirmation email at short notice about the receipt of your application documents after you have submitted your application. After completion of the specific application process, your data will be blocked for further use and deleted after 6 months. Before the end of these 6 months, you can voluntarily give us your consent to further storage of your profile. For this purpose, we will usually send you a separate message. By giving your consent, the applicant profile you have created will remain in our system to make it easier for you to apply when filling other positions; for this purpose, you can access your profile through online access. To access it, you use the email address and password you selected yourself when you created your applicant profile.

You can revoke your consent at any time (see VIII). If you have given us your consent, we will delete your data no later than 6 months after receiving your consent. With your online access to the profile, you also have the option to delete your profile at any time.

The legal basis for the processing is Art. 88 DS-GVO in conection with Section 26 (1) BDSG; in the case of consent, Art. 6 (1) lit. a DS-GVO is the legal basis.

When using the application portal, you also have the option of setting up automatic notification of suitable new job profiles (so-called JobAlert). The data you voluntarily provide when setting up the JobAlert (your email address and the search specifications for the job search) are stored by us in order to be able to notify you via email as soon as a new job offer appears that matches your search specifications. By setting up the JobAlert, you enable us to send you a request to submit an application by means of the notification. The legal basis for the processing is Art. 6 para. 1 p. 1 lit. b DS-GVO.

(5) Implementation of prize draw
According to Art. 13 of the General Data Protection Regulation (DSGVO) for the implementation of prize draws.

Data that you voluntarily provide to us via the online questionnaire as part of a contest will be temporarily stored in an internal contest database. In order to enable you to participate in the prize draw, we collect personal data (surname, first name, email address, university). In order to exclude multiple entries, your IP address will be registered for the time of the competition.

In accordance with Art. 6 Para. 1 a.) -c.) DSGVO, we are entitled to collect, store and transmit personal data if the person concerned has agreed to the data processing. The participants can revoke the consent given for the processing of the data at any time. Furthermore, they have the right to information and correction regarding the collected data.

The data will only be used for the implementation of the prize draw and not for any other purposes. Your data will only be transmitted to third parties if this is necessary for the implementation of the prize draw. Your data will not be transferred to other third parties.

Furthermore, your data will be transmitted to internal departments involved in the execution of the respective prize draw processes (Marketing and Public Relations Department). As soon as the business purpose of carrying out the competition has been fulfilled and you have not been determined as the winner, we will delete your data within one month of the end of the process. If you have been determined as the winner, there are retention periods relating to tax and commercial law. These are 10 years for accounting documents in accordance with Section 147 (1) of the German Fiscal Code (AO) and 6 years for business documents in accordance with Section 257 (1) of the German Commercial Code (HGB).

(6) Participation in prize draw (social media)

Purpose of processing: Your data (first name, last name, email address) will be processed exclusively for the purpose of carrying out and processing the prize draw in which you participate. A winner will be determined from among the participants and this winner will then be informed of the prize by PM. Without the provision of your data, we will not be able to contact you in the event of a win. Your address data, which we request from you via email in the event of a prize notification, is used exclusively for sending the prize.

Legal basis for data processing: The legal basis for the processing of your personal data is Art. 6 para. 1 lit. b) DSGVO.

Duration of storage: Your personal data will be deleted or blocked as soon as the purpose of storage no longer applies. In the present case, the purpose is no longer applicable as soon as a winner has been determined and this winner has been informed of the prize via email.

Recipients of the data: Outside of Studierendenwerk, only those offices will receive access to your data that require it to fulfill contractual and legal obligations or to fulfill the named purposes, for example, the organizer of an event for ticket transfer or similar.

(7) AUTOLOAD procedure

The AUTOLOAD procedure enables you to make cashless use of chargeable services and services of Studierendenwerk using an ID card/chip card. The following categories of data are processed for this purpose: Your bank account data, the required SEPA direct debit mandate and transaction-related billing data. The processing is carried out exclusively for the purpose described. Processing for other purposes does not take place. The legal basis of the processing is the fulfillment of a contract of which you are the contractual partner, Art. 6 (1) lit. b) DSGVO. In the context of the provision and maintenance of Studierendenwerk's systems, it may be necessary to transfer your data to order processors. Payment transaction data is processed in the context of processing payments from credit institutions. Your personal data will not be transferred to other persons or to a third country. Your data will be stored in accordance with the retention obligations for a period of 10 years, insofar as they are relevant to accounting. We delete all other data after the purpose of processing has been fulfilled, taking into account any further retention obligations.

(8) Information for dining hall guests

According to the currently applicable Corona Protection Ordinance, guests staying in the dining hall must leave personal contact data for the purpose of follow-up in the event of a Corona case. If a Corona case occurs, Studierendenwerk Aachen has a legal obligation to transmit the data to the health authority (Art. 6 para. 1 c) DSGVO).

Studierendenwerk Aachen offers a digital recording of the data with the MeldeApp Eifel. For this purpose, a QR code must be scanned at the tables, which leads to an online form. Below the QR code are further notes on data protection. Acceptance of the data protection provisions takes place by placing a check mark (Art. 6 para. 1 a) DSGVO).

Recipient of the data is the company Eifel Tourismus GmbH as order processor and in the Corona case the health department.

The contact data will be stored/kept for 30 days after the last registration in accordance with the Corona protection regulation and then automatically deleted.

Guests may revoke the consent given to the processing of data at any time. Furthermore, they have the right to information and correction regarding the collected data.

(9) Online Booking of counseling appointments

Due to the pandemic development, Studierendenwerk offers to book counseling appointments in the area of student financing and student housing online. The personal data collected as mandatory information in the context of this online appointment booking are the basis for the conclusion of the counseling at Studierendenwerk and are essential for the use of the service. All data collected and your information on the subject of the consultation will only be stored for the purpose of processing the appointment and contract.

What data is collected?
Personal data is all data that we store about you. In detail, we collect the following data:

  • Personal data: First and last name, date of birth
  • communication data: Telephone numbers, e-mail addresses
  • Further information necessary for the appointment allocation: Description of your request

Legal basis for the processing of data
When processing personal data that are necessary for the performance of a contract with you, Art. 6 (1) lit. b DSGVO serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures (such as, in this case, making an appointment in advance of the consultation).

Data storage and data transfer
Your data will be used exclusively for the purpose of making an appointment. Processing for other purposes or transfer to third parties does not take place.

Storage of the IP address
To prevent misuse of our service, your IP address will be stored for a maximum period of 90 days from the date of the appointment. The data is stored in the log files of the simplebooking application. A storage of this data together with other personal data of the user does not take place. The protection against misuse represents a legitimate interest within the meaning of Art. 6 para. 1 lit. f DSGVO.

(10) Relevo reusable system

Studierendenwerk Aachen does not collect any personal data when you use the Relevo reusable system. It also has no access to the data Relevo processes based on your registration or use of the app.

To participate in the Relevo reusable system, you need to download and register the app of the provider Relevo, available on Google Play or in the App Store. When registering in the app, you must provide personal data that is mandatory for the use of the reusable system: First and last name, email address and postal address. The processing of your data during registration and use of the app is the responsibility of Relevo GmbH, Bahnhofstraße 31A, 82194 Gröbenzell. Their privacy policy is available on the Internet at any time at www.gorelevo.de/datenschutz

IV. Transfer of data

Your personal data will not be transferred to third parties for purposes other than those listed below.

We will only pass on your personal data to third parties if:

  • you have given your consent to do so in accordance with Art. 6 para. 1. p. 1 lit. a DSGVO,
  • the disclosure is required under Art. 6 para. 1 p. 1 lit. f DSGVO for the assertion, exercise or defense of legal claims and there is no reason to assume that you have an interest worthy of protection in the non-disclosure of your data,
  • in the event that there is a legal obligation for disclosure according to Art. 6 (1) p. 1 lit. c DSGVO, as well as
  • this is legally admissible and necessary according to Art. 6 para.1 p.1 lit. b DSGVO for the processing of contracts with you.

We pass on your data to the following third parties or categories of third parties:

  • Service providers for sending the newsletter and newsletter tracking (CleverReach GmbH).
  • Other agencies, service providers, etc.
  • Service providers for the applicant portal: Haufe-Lexware GmbH & Co. KG, Munzinger Straße 9, 79111 Freiburg, Germany

V. Use of cookies

Scope of data processing

In order to make the visit to our website user-friendly and effective and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your terminal device and store certain settings and data for exchange with our system via your browser. Through the cookies, certain information gets to the spot that sets the cookie (here by us). Cookies cannot execute programs or transfer viruses to your computer.

Cookies do not contain any personal data and can therefore not be directly assigned to any user. Please note that certain cookies are already set as soon as you enter our website. This website uses the following types of cookies:

  • Necessary/functional cookies: these cookies are necessary to enable the operation of our website. These include, for example, cookies that allow you to log in to the customer area or to place something in a shopping cart. We also use cookies to identify you for subsequent visits if you have an account with us. Otherwise, you would have to log in again for each visit.
  • Transient cookies: These are automatically deleted when you close the browser. These include, in particular, session cookies. These store a so-called session ID, with which various requests of your browser can be assigned to the common session. This allows your computer to be recognized when you return to our website. The session cookies are deleted when you log out or close the browser.
  • Persistent cookies: these are automatically deleted after a specified period of time, which may differ depending on the cookie. You can delete the cookies in the security settings of your browser at any time.

You can configure your browser setting according to your preferences and refuse to accept cookies. Also, your browser can be configured so that there is always a notice when a cookie is created. For this, please consult the respective provider of your browser. We would like to point out that if you refuse cookies, you may not be able to use all the functions of this website.

The legal basis for the use of cookies is Art. 6 para. 1 p. 1 lit. f DSGVO. Our legitimate interest results from the above-mentioned purposes to make the offer of our website more user-friendly and effective.

VI. Google Maps

On this website, we use the offer of Google Maps. This allows us to display interactive maps directly on the website and enables you to comfortably use the map function.

By visiting the website, Google receives the information that you have called up the corresponding sub-page of our website. In addition, the data mentioned under § 3 of this statement are transmitted. This occurs regardless of whether Google provides a user account through which you are logged in or whether no user account exists. If you are logged in to Google, your data will be directly assigned to your account. If you do not want the assignment with your profile at Google, you must log out before activating the button. Google stores your data as usage profiles and uses them for the purposes of advertising, market research and/or demand-oriented design of its website. Such an evaluation is carried out in particular (even for users who are not logged in) to provide needs-based advertising and to inform other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, whereby you must contact Google to exercise this right.

For more information on the purpose and scope of data collection and its processing by the plug-in provider, please refer to the provider's privacy policy. There you will also find further information on your rights in this regard and setting options for protecting your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and has submitted to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.

Third-party vendor information: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA;

  • Use of Google Web Fonts

This site uses so-called web fonts provided by Google for the uniform display of fonts. When you call up a page, your browser loads the required web fonts into its browser cache in order to display texts and fonts correctly.

For this purpose, the browser you are using must connect to Google's servers. This enables Google to know that our website has been accessed via your IP address. Google Web Fonts are used in the interest of a uniform and appealing presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) lit. f DSGVO.

If your browser does not support web fonts, a standard font will be used by your computer. You can find more information about Google Web Fonts at https://developers.google.com/fonts/faq and in Google's privacy policy: https://www.google.com/policies/privacy/.

VIII. Your rights

If personal data of yours is processed, you have the following rights towards us regarding the personal data concerning you:

Right of information, Art. 15 GDPR:
You may request confirmation from the person in charge as to whether personal data concerning you are being processed by her/him. If such processing is taking place, you may request information from this person about the following:

  • The purposes for which the personal data are processed;
  • The categories of personal data which are processed;
  • The recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed, in particular in the case of recipients in third countries or international organizations; in the latter cases, you may request to be informed about the appropriate guarantee according to Article 46 of the GDPR in connection with the transfer;
  • The planned duration of the storage of the personal data concerning you or, if concrete information on this is not possible, criteria for determining the storage period;
  • The existence of a right to correction or erasure of the personal data concerning you, a right to restriction of processing by the person in charge or a right to object to such processing;
  • The existence of a right of appeal to a supervisory authority;
  • Any available information on the origin of the data, if the personal data are not collected from the data subject;
  • The existence of automatized decision-making, including profiling, according to Article 22(1) and (4) of the GDPR and, at least in these cases, meaningful information about the logic involved and the scope and intended effects of such processing for the data subject.

Right to rectification, Art. 16 GDPR:

You have a right to rectification and/or completion towards the person in charge if the personal data processed concerning you are inaccurate or incomplete. The person in charge shall carry out the rectification without delay.

Right to erasure, Art. 17 DSGVO:

a) Obligation to erase

You may request the person in charge to erase the personal data concerning you without undue delay, and the person in charge shall be obliged to erase such data without delay, if one of the following reasons applies:

  • The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
  • You withdraw your consent on which the processing was based according to Art. 6 (1) a or Art. 9 (2) a DSGVO and there is no other legal basis for the processing.
  • You object to the processing according to Art. 21 (1) DSGVO (see below) and there are no prior legitimate reasons for the processing, or you object to the processing according to Art. 21 (2) DSGVO.
  • The personal data concerning you has been processed unlawfully.
  • The erasure of the personal data concerning you is necessary for compliance with a legal obligation under Union or Member State law to which the controller is subject.
  • The personal data concerning you has been collected in relation to information society services offered according to Article 8(1) of the GDPR.

b) Information to third parties

If the person in charge has made the personal data concerning you public and is obliged to erase it according to Article 17(1) of the GDPR, it shall take reasonable measures, including technical measures, having regard to the available technology and the cost of implementation, to inform data controllers which process the personal data that you, as the data subject, have requested that they erase all links to or copies or replications of such personal data.

c) Exceptions

The right to erasure does not exist to the extent that the processing is necessary

  • for the exercise of the right to freedom of expression and information;
  • for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority delegated to the controller;
  • for reasons of public interest in the area of public health according to Art. 9(2)(h) and (i) and Art. 9(3) DSGVO;
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes according to Article 89(1) DSGVO, insofar as the right referred to in section a) is likely to make the achievement of the purposes of such processing impossible or seriously disturb; or
  • for the assertion, exercise or defense of legal claims.

Right to restriction of processing, Art. 18 DSGVO:
You may request the restriction of the processing of personal data concerning you under the following conditions:

  • If you reject the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data;
  • The processing is unlawful and you reject the erasure of the personal data and request instead the restriction of the use of the personal data;
  • The controller no longer needs the personal data for the purposes of processing, but you need them for the assertion, exercise or defense of legal claims; or
  • If you have objected to the processing according to Article 21 (1) DSGVO (cf. on this below) and it has not yet been determined whether the legitimate reasons of the controller predominate your reasons.

If the processing of personal data relating to you has been restricted, this data may - apart from being stored - only be processed with your consent or for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of an important public interest of the Union or a Member State.

If you have obtained a restriction of processing under the above conditions, you will be informed by the controller before the restriction is lifted.

Right to receive information, Art. 19 GDPR:
If you have asserted the right to correction or erasure or restriction of processing against the controller, the controller is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or erasure of the data or restriction of processing, unless this proves impossible or involves a disproportionate effort.

You have the right against the controller to be informed about these recipients.

Right to data portability, Art. 20 DSGVO:
You have the right to receive the personal data concerning you that you have provided to the controller in a structured, commonly used and machine-readable format. In addition, you have the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, if

  • the processing is based on consent according to Art. 6 (1) a DSGVO or Art. 9 (2) a DSGVO or on a contract according to Art. 6 (1) b DSGVO and
  • the processing is carried out with the help of automated procedures.

In exercising this right, you also have the right to obtain that the personal data concerning you be transferred directly from one controller to another controller, insofar as this is technically possible. Liberty and rights of other persons must not be affected by this.

Your right to deletion remains unaffected.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested to the controller.

Right to object, Art. 21 DSGVO
According to Art. 21 para. 1 sentence 1 DSGVO, you have the right to object on a case-by-case basis to the processing of personal data relating to you on the basis of Art. 6 para. 1 lit. e DSGVO (data processing in the public interest) or Art. 6 para. 1 sentence 1 lit. f DSGVO (data processing for the purposes of protect the legitimate interests of the controller or a third party), as well as the right to object to the processing of personal data for advertising purposes according to Art. 21 para. 2 DSGVO.

Right to revoke the declaration of consent under data protection law:
You may revoke a granted consent to the processing of your personal data at any time towards the controller (Art. 7 (3) DSGVO). Please note that the revocation is only effective for the future. The lawfulness of the processing carried out on the basis of the consent until the revocation is not affected.

Automatized decision in individual cases including profiling, Art. 22 DSGVO:
You have the right not to be subject to a decision based on automatized processing - including profiling - which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision

(1) is necessary for the conclusion or performance of a contract between you and the controller,

(2) is permitted by legislation of the Union or the Member States to which the controller is subject and that legislation contains appropriate measures to protect your rights andliberty and your legitimate interests; or

(3) takes place with your explicit consent.

In cases (1) and (3), the controller shall take reasonable steps to protect the rights and liberty, and the legitimate interests of you, including at least the right to obtain the intervention of a person on the part of the controller, to express his or her point of view and to contest the decision.

Furthermore, decisions based on automatized processing may not be based on special categories of personal data according to Article 9(1) of the GDPR, unless Article 9(2)(a) or (g) of the GDPR applies and appropriate measures have been taken to protect the rights and liberty and your legitimate interests.

You can exercise your aforementioned rights by sending us an informal message - if possible with the subject "Objection".

This message can be sent by post to:

Studierendenwerk Aachen AöR, Pontwall 3, 52062 Aachen, Germany

or via email to:

  1. info@stw.rwth-aachen.de or
  2. datenschutz@stw.rwth-aachen.de

Right to complain to a supervisory authority, Art. 77 DSGVO:
You also have the right to complain to a data protection supervisory authority about the processing of your personal data. You may address your complaint to the supervisory authority in the Member State of your residence, workplace or the place of the suspected infringement. The supervisory authority to which the complaint has been submitted will inform you, as the complainant, about the status and outcome of the complaint, including the possibility of a judicial remedy under Article 78 GDPR.

IX. Data protection

We try hard to store your personal data by taking all technical and organizational possibilities so that they are not accessible to third parties. When communicating via email, we cannot guarantee complete data security, so we recommend that you send confidential information by post.

For security reasons and to protect the transmission of confidential content, such as the requests you send to us as the site operator, this site uses TLS encryption. You can recognize an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser line. If TLS encryption is activated, the data you transmit to us cannot be read by third parties.