Data Protection Declaration

The GFZ takes the protection of personal data very seriously. The GFZ is bound to protect the privacy of everyone who uses its website and to treat any personal data provided in the strictest confidence. This data is used solely for the purposes indicated in each case and is not forwarded to any third party.

I. Name and address of controller

The data controller as defined in the General Data Protection Regulation, the national data protection laws of other EU member states, and other data protection regulations is:

Helmholtz Centre Potsdam – German Research Centre for Geosciences GFZ
Telegrafenberg
14473 Potsdam
Germnay
Phone: +49 331 288 0
Website: https://www.gfz-potsdam.de

II. Name and address of data protection officer

The controller’s data protection officer is:

Marko Blau
Telegrafenberg
14473 Potsdam
Germany
Phone: +49 331 288 1052
E-Mail: datenschutzbeauftragter@gfz-potsdam.de

III. General information on data processing

1. Scope of personal data processing
In general, the GFZ only processes personal data collected from users insofar as this is necessary to provide a functional website with the relevant content and services. As a rule, personal data provided by users is only processed with the respective user's consent. Exceptions apply in cases where the user’s prior consent cannot be obtained on factual grounds and statutory regulations permit the processing of personal data.

2. Legal basis for the processing of personal data
Art. 6 no. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis when the GFZ obtains a data subject's consent to the processing of his/her personal data.

Art. 6 no. 1 lit. b GDPR serves as the legal basis when processing personal data for the performance of a contract to which the data subject is a party. The same applies to any processing measures that are required if steps are to be taken before entering into a contract.

Art. 6 no. 1 lit. c GDPR serves as the legal basis when the processing of personal data is necessary for compliance with a legal obligation to which the GFZ is subject.

Art. 6 no. 1 lit. f GDPR serves as the legal basis when processing is necessary to safeguard the legitimate interests of the GFZ or a third party, and provided these legitimate interests are not outweighed by the data subject’s interests and fundamental rights and freedoms.

3. Data erasure and storage period
The data subject's personal data is erased or blocked as soon as the purpose for which it was stored ceases to apply. Personal data may also be stored if so specified by European or national legislators in EU regulations, laws or other provisions to which the data controller is subject. In such instances, personal data is blocked or erased when a retention period specified in any of the above-named legislation expires, unless it has to be retained for longer in order to conclude or execute a contract.

IV. Provision of website and generation of log files

1. Description and scope of data processing
Every time our website is accessed, our system automatically collects data and information from the accessing computer system.

The following information is stored in the web server’s log files:

  • the client's IP address
  • the user’s ID, if the request requires the user to register
  • the date and time of the request
  • the client’s specific request, including the HTTP method, HTTP protocol version, and the path of the resource requested
  • the status code sent back to the client by the server
  • the size of the resources requested
  • the URL of the website from which the user accessed the current web page or file
  • the client program identifier

This data is also stored in our system’s log files. However, it is not stored together with other personal data collected from the user.

The legal basis for the temporary storage of this data is Art. 6 no. 1 lit. f GDPR.

2. Purpose of data processing
This data is used to optimise website use, correct errors, and safeguard the security of our information technology systems. Data collected in this context is not evaluated for marketing purposes.

The above-named purposes also constitute the GFZ’s legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR.

3. Storage period
The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. Log files are deleted within 7 days maximum.

4. Right to object and right to erasure
The collection of data for website provision and the storage of data in log files are absolutely essential to the operation of the website. The user is therefore unable to assert any right to object in this context.

V. Use of Cookies

1. Description and scope of data processing
The GFZ website uses cookies. Cookies are text files stored in the user’s web browser or by the web browser on the user’s computer system. Whenever a user accesses a website, a cookie can be stored on that user's operating system.

The GFZ uses cookies to make the website more user-friendly. Some elements on the GFZ website require the accessing browser to be identified after the user has moved to another web page.

When accessing the GFZ website, an info banner informs users that cookies are being used for analytical purposes and refers them to this data protection declaration. In this context, users are also informed how the storage of cookies can be prevented by changing the browser settings.

2. Legal basis for data processing
The legal basis for the processing of personal data using cookies is Art. 6 no. 1 lit. f GDPR.

3. Purpose of data processing
The use of technically necessary cookies is intended to simplify website use. Some of the functions on our website cannot be provided unless cookies are enabled. In these cases, it is essential that the browser is also recognised after accessing another page.

The user data collected by these technically necessary cookies is not used to generate user profiles.

4. Storage period, right to object and right to erasure
Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for our website, it may no longer be possible to use all the website’s functions in full.

VI. Contact form and e-mail contact

1. Description and scope of data processing
The GFZ website contains a contact form that can be used to contact the GFZ electronically. If a user makes use of this function, the data entered into the form is sent to the GFZ and stored. If you wish to use this contact form, we need your name and e-mail address. Other information such as telephone numbers can be provided, but this is not essential.

The following additional data is stored at the time you send us your message:

- see IV. 1. Information in the web server’s log files

Alternatively, you can contact us using the e-mail address provided. In this case, the personal data transmitted with the user’s e-mail is stored.

Data collected in this context is not forwarded to any third parties. It is used solely to process the correspondence.

2. Legal basis for data processing
Art. 6 no. 1 lit. a GDPR serves as the legal basis for processing data when the user’s consent has been obtained. The legal basis for processing data transmitted when sending an e-mail is Art. 6 par. 1 lit. f GDPR. If an e-mail is sent with the intention of concluding a contract, Art. 6 no. 1 lit. b GDPR constitutes an additional legal basis for the processing of this data.

3. Purpose of data processing
Personal data entered into the input mask is processed solely for the purpose of dealing with the correspondence with the user. This also constitutes the necessary legitimate interest in processing the data collected when contact is made by e-mail.

The other personal data processed during the transmission process (see IV. 1. Information in the web server’s log files) serves to prevent improper use of the contact form and safeguard the security of the information technology systems.

4. Storage period
The data is erased as soon as it is no longer required to fulfil the purpose for which it was collected. In the case of personal data entered into the contact form's input mask and personal data sent by e-mail, this is the case when the correspondence with the user is terminated. The correspondence is deemed to have been terminated when it can be inferred from the circumstances that the facts in question have been clarified once and for all.

5. Right to object and right to erasure
The user has the right to withdraw his/her consent to the processing of personal data at any time. If the user contacts us by e-mail, he/she can object to the storage of his/her personal data at any time. It will no longer be possible to continue the correspondence in such a case.

In this instance, all personal data stored during the correspondence will be erased.

VII. Web analysis by Matomo (formerly PIWIK)

1. Scope of personal data processing

The GFZ uses the open source software tool Matomo (formerly PIWIK) to analyse the browsing behaviour of its website users. The software stores a cookie on the user’s computer (see above for information about cookies). The following data is stored whenever individual pages on the website are accessed:

  1. Two bytes of the IP address of the user's accessing system
  2. The web page accessed
  3. The website from which the user reached the web page accessed (referrer)
  4. The sub pages retrieved from the main web page
  5. The time spent on the web page
  6. The frequency with which the web page is accessed

The software runs solely on the website servers. This is the only place where the user's personal data is stored. This data is not forwarded to any third party.

The software is configured in such a way as to prevent IP addresses from being stored in full; instead, 2 bytes of the IP address are masked (e.g. 192.168.xxx.xxx). This ensures that the truncated IP address can no longer be identified with the accessing computer. “Do not track” is also taken into account if the browser sends this.

2. Legal basis for the processing of personal data
The legal basis for the processing of the user’s personal data is Art. 6 no. 1 lit. f GDPR.

3. Purpose of data processing
Processing personal data enables us to analyse the browsing behaviour of our users. Evaluations of the data collected allow the GFZ to compile information about the use of individual components on the website. This helps us to continue improving our website and make it more user-friendly. These purposes also constitute our legitimate interest in processing the data pursuant to Art. 6 no. 1 lit. f GDPR. The user’s interest in the protection of his/her personal data is duly taken into account by anonymising the IP address.

4. Storage period
The data is erased as soon as we no longer need it for recording purposes.

5. Right to object and right to erasure
Cookies are stored on the user's computer, from where they are sent to our website. This means that users have full control over the use of cookies. Users can deactivate or restrict the transmission of cookies by changing their web browser settings. Any cookies already stored can be deleted at any time. This can also be effected automatically. If cookies are deactivated for the GFZ website, it may no longer be possible to use all the website’s functions in full.

Detailed information about Matomo's privacy settings is available at the following link: https://matomo.org/docs/privacy


VIII. Rights of the data subject

Whenever personal data is processed, the data subject defined in GDPR has the following rights vis-à-vis the data controller:

1. Right to information
Data subjects (users) can request the GFZ’s controller to confirm whether or not the GFZ is processing their personal data.

If this is the case, data subjects are entitled to request the following information from the GFZ’s controller:

  1. the purposes for which the personal data is being processed;
  2. the recipient or category of recipient to whom your personal data has been or is to be disclosed;
  3. the period for which your personal data will be stored, or, if no specific information can be provided, the criteria used to determine that period;
  4. the existence of a right to request the controller to rectify or erase your personal data, to restrict the controller’s processing of your personal data, or to object to such processing;
  5. the existence of a right to complain to a supervisory authority;
  6. where the personal data is not collected from the data subject, any available information as to its source.

2. Right to rectification
Data subjects have the right to request the GFZ’s controller to rectify and/or complete their personal data insofar as that of their personal data being processed is incorrect or incomplete. In such cases, the GFZ’s controller must rectify the data immediately.

3. Right to restriction of processing
Data subjects are entitled to request restrictions on the processing of their personal data in the following circumstances:

  1. if the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data;
  2. if the controller no longer needs the personal data for the purposes for which it was processed but it is still required by the data subject for the establishment, exercise, or defence of legal claims;
  3. if the data subject has objected to the processing of his/her data pursuant to Article 21 no. 1 GDPR and it has not yet been established whether the legitimate grounds of the GFZ override those of the data subject.

If the processing of the data subject’s personal data has been restricted, this data may – with the exception of storage – only be processed with the data subject’s consent, or to establish, exercise, or defend legal claims, or to protect the rights of another natural or legal person, or for reasons of important public interest within the EU or an EU member state.

A data subject who has obtained restriction of processing under the conditions specified above must be informed by the GFZ’s data controller before the restriction of processing is lifted.

4. Right to erasure

a) Erasure obligation
The data subject may request the controller to erase his/her personal data without delay, in which case the controller is obliged to erase the data without delay where one of the following grounds applies:

  1. The personal data is no longer necessary for the purposes for which it was collected or otherwise processed.
  2. The data subject withdraws the consent on which the processing is based pursuant to Art. 6 no. 1 lit. a or Art. 9 no. 2 lit. a GDPR, and there are no other legal grounds for the processing.
  3. The data subject objects to the processing of his/her data pursuant to Art. 21 no. 1 GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of his her data pursuant to Art. 21 no. 2 GDPR.
  4. The user's personal data was processed unlawfully.
  5. The personal data has to be erased for compliance with a legal obligation in EU or member state law to which the controller is subject.

b) Information to third parties
If the GFZ’s controller has made the data subject’s personal data public and is obliged pursuant to Art. 17 no. 1 GDPR to erase it, the controller, taking account of the technology available and the cost of implementation, must take reasonable steps, including technical measures, to inform controllers who are processing the personal data that the data subject has requested the erasure of any links to, or copy or replication of, his/her personal data

c) Exceptions
No right of erasure exists if the data has to be processed

  1. to exercise a right to freedom of speech and information;
  2. for compliance with a legal obligation according to which processing is required by EU or member state law to which the controller is subject, or for the performance of a task carried out in the public interest, or in the exercise of official authority vested in the controller;
  3. for reasons of public interest in the area of public health pursuant to Art. 9 no. 2 lit. h, i and Art. 9 no. 3 GDPR;
  4. for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes pursuant to Art. 89 no. 1 GDPR, insofar as the right referred to in point a is likely to render impossible or seriously impair the achievement of the objectives of the processing; or
  5. for the establishment, exercise, or defence of legal claims.

5. Right to notification
If the data subject exercises his/her right to rectification or erasure of personal data or restriction of processing, the controller is obliged to communicate this to all recipients to whom the personal data has been disclosed unless this proves impossible or involves disproportionate effort.

The GFZ’s controller is obliged to inform the data subject about these recipients if so requested.

6. Right to object
The data subject has the right to object at any time, on grounds relating to his/her particular situation, to any processing of his/her personal data effected on the basis of Art. 6 no. 1 lit. e or f GDPR.

If this right is exercised, the GFZ’s controller will cease processing this personal data unless he/she can demonstrate compelling legitimate grounds for the processing that override the interests, rights and freedoms of the data subject, or if the data has to be processed for the establishment, exercise, or defence of legal claims.

7. Right to revoke the declaration of consent provided in compliance with data protection legislation
The data subject has the right to withdraw his/her consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing effected on the basis of the data subject’s consent before its withdrawal.

8. Right to complain to a supervisory authority
Without prejudice to any other administrative or judicial remedy, the data subject has the right to lodge a complaint with a supervisory authority, in particular in the member state of his/her habitual residence, place of work, or place of the alleged violation, if the data subject considers that the processing of his/her personal data violates the GDPR.