Privacy Policy

Hochschule Niederrhein
University of Applied Sciences
Legally represented by the President
Prof. Dr. Susanne Meyer
Reinarzstraße 49
47805 Krefeld
Telefon: +49 2151 822-0
Telefax: +49 2151 822-3998
E-Mail: webmaster(at)hs-niederrhein.de

Hochschule Niederrhein
University of Applied Sciences
The Data Protection Officer
Reinarzstr. 49
47805 Krefeld
Tel.: +49 2161 186-2232
E-Mail: datenschutzbeauftragter(at)hs-niederrhein.de

The Data Protection Officer at Hochschule Niederrhein

The declaration of consent can be revoked at any time without giving reasons and without incurring any personal disadvantages. The revocation is effective for the future. The legality of the processing carried out until the revocation remains unaffected. The revocation can be sent informally to the following email address: zds(at)hs-niederrhein.de

If a separate address for revoking consent is specified for the respective data processing, you can assert the revocation at both email addresses.

Under the General Data Protection Regulation, you have the following rights:

1. If your personal data is processed, you have the right to obtain information about the data stored about you. In this context, you may need to specify which information or which processing operations your request for information relates to. (Art. 15 GDPR in conjunction with § 12 DSG NRW)
2. If incorrect personal data is processed, you have the right to have it corrected. (Art. 16 GDPR)
3. If the legal requirements are met, you can request deletion in accordance with § 10 DSG NRW. (Art. 17 GDPR)
4. If the legal requirements are met, you can request the restriction of the processing of data concerning you. (Art. 18 GDPR)
5. If you have consented to data processing or if a contract for data processing exists and the data processing is carried out using automated procedures, you may have a right to data portability. (Art. 20 GDPR)
6. The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is carried out on the basis of Article 6(1)(e) or (f). (Art. 21 GDPR)
   
   The objection can be made informally and should be addressed to:
   Hochschule Niederrhein
   Governance, Compliance und Datenschutz Lab
   Reinarzstr. 49
   47805 Krefeld
   E-Mail: zds(at)hs-niederrhein.de
    

If you exercise the aforementioned rights, the controller will check whether the legal requirements for this are met. Furthermore, without prejudice to other administrative or judicial remedies, you have the right to lodge a complaint with the Landesbeauftragten für Datenschutz des Landes Nordrhein-Westfalen (www.ldi.nrw.de).

The Niederrhein University of Applied Sciences creates and archives image and video recordings for the purposes of public relations work and uses them for presentation on its website, on the social media channels for which it is responsible, and in print and online publications to present the university, its events, projects, teaching, research, and continuing education, as well as for educational marketing and press coverage.

The legal basis for this data processing is Art. 6 (1) lit. e in conjunction with § 8 (6) HG NRW.

In the event of publication, the recipients of the data are generally all those who visit or read or view the relevant websites, social media channels, publications, etc. The data is stored by the university communications department or the respective department for an indefinite period.

Measures are taken at university events to prevent unwanted image and video recordings. These can be found in the information on the creation of image and video recordings. Depending on the event, these may include, for example, the labeling of name tags or recording-free event areas. In any case, you have the option of contacting the photographers and the persons responsible for organizing the event directly to prevent your image from being recorded.

The free and confidential anti-discrimination office is a point of contact for students and employees of the Niederrhein University of Applied Sciences who have experienced and/or witnessed discrimination and find themselves in stressful or challenging situations.

In order for us to provide you with individualized and expert support, it is necessary to collect certain information about you and your concerns. This includes your contact details, information about your life situation, and, depending on the reason for consultation and/or information events, also specific personal data, such as information about mental health or previous support, and finally information about how you became aware of our services.

This data is used exclusively for consulting and/or informational events. It is anonymized and summarized (aggregated). We use it for statistical evaluations. It is treated confidentially, not passed on to third parties, and stored securely. We need your personal data for scheduling appointments, managing contacts, and exchanging information. The documentation of the consultation content for follow-up consultations is created by the consultant, who, together with the completed documentation form, remains exclusively in a locked filing cabinet and in a digital, password-protected database at the counseling center and is used only for your personal consultation.

The processing of personal data for counseling purposes is carried out in accordance with Art. 6 (1) (a) GDPR in conjunction with Art. 9 (2) (a) GDPR, based on your express consent. State-recognized social workers, their assistants, and interns are generally subject to a legal duty of confidentiality in accordance with Section 203 of the German Criminal Code (StGB) (breach of private secrets). The duty of confidentiality may be waived if the initial consultation has taken place and further measures are to be/must be taken if necessary.

The evaluation for reporting purposes is carried out in accordance with Art. 6 sentence 1 lit. e GDPR in conjunction with § 3 (1) DSG NRW for internal university reporting purposes.

The following categories of personal data are processed for counseling purposes: Last name, first name, age, pronouns, university affiliation status, campus location, email address, attendance, date of participation, life situation, information on well-being and previously used counseling centers and services, concerns, agreement on next steps, information on the course of the counseling session, notes from the conversation, consent to data protection, telephone or cell phone number. Special categories of personal data are collected if they are disclosed during the counseling session.

The Anti-Discrimination Office receives the data you provide for the purpose of providing counseling. Counseling sessions and events may also take place in cooperation with other (external) service providers, e.g., the HSNR Equal Opportunities Office. In this case, the persons involved will receive your personal data.

Your data will only be stored for as long as it is necessary for the purpose for which it was collected. The deletion period for informational meetings and initial consultations without follow-up meetings is four weeks after the last contact. The deletion period for follow-up consultations and complete documentation of the consultation content is three years after the last contact. An exception applies to the use of documentation for criminal offenses. Aggregated and anonymized data remains unaffected for statistical processing purposes.

When submitting and processing reports, your personal data will be collected and processed for the following purposes:
- For submitting reports: Where applicable, the name and contact details of the reporting person, if disclosed, as well as personal data contained in your report (e.g., employment status and personal data of the person named in the report)
- For initiating follow-up measures: Personal data required for investigating the report and taking the necessary measures.

The legal basis for the processing of personal data is Art. 6 (1) (c) GDPR in conjunction with § 10 HinSchG.

The whistleblower system serves to receive and process reports of (suspected) legal and regulatory violations in a secure and confidential manner. Personal data is processed within the framework of this system in order to uncover, investigate, and prevent misconduct, as well as to avert damage and liability risks for the Niederrhein University of Applied Sciences. If a report received concerns an employee, the processing of the data may also serve to prevent criminal offenses or other relevant legal violations in a professional context. In this case, the confidentiality of the whistleblower's identity is guaranteed in accordance with the provisions of the Whistleblower Protection Act.

You have various options for submitting a report to the internal reporting office. Regardless of how you choose to submit your report, further processing will proceed in the following steps. Please note, however, that no confirmation of receipt or feedback can be provided for anonymous reports.

If you have not submitted your report anonymously, you will receive confirmation of receipt from the internal reporting office within seven days of receipt. The internal reporting office will first check whether the HinSchG is applicable. This includes checking personal applicability (whether you, as the person reporting the incident, are covered by the law) and factual applicability (whether the reported violation falls within the scope of the HinSchG, e.g., violations of criminal laws or certain provisions on fines). This is followed by a validity check. This involves checking whether the facts described are plausible and whether there are sufficient factual indications of a possible violation. If necessary, you will be contacted for further information, unless you have reported anonymously. However, you are not obliged to provide further information. Spam and obviously abusive reports can be filtered out.

If the validity check reveals that a possible violation has occurred, appropriate follow-up measures will be taken. These may include, for example:
- Internal investigations by the internal reporting office or other competent bodies within the university (e.g., the specialist compliance offices; namely information security, data protection, internal audit, corruption officer, export control, external personnel compliance, good scientific practice, AGG, disciplinary committee, procurement, research funding, university controlling, occupational safety, legal department, equal opportunities officer, quality management in studies and teaching, feedback management, fire protection).
- Forwarding the proceedings to a unit responsible for internal investigations at the university or to a competent authority (e.g., law enforcement authorities in the case of criminal offenses). Your identity will only be disclosed to an authority upon lawful request, and you will be informed in advance in accordance with Section 9 (2) sentences 2 to 4 HinSchG.
- Initiation of measures to remedy the violation.
- Termination of the proceedings due to lack of evidence or other reasons.

No later than three months after confirmation of receipt, you will receive a reasoned response regarding the follow-up measures planned or already taken, or the discontinuation of the proceedings. However, this response can only be provided insofar as it does not affect internal investigations or inquiries and does not prejudice the rights of the persons named in the report. No information will be provided regarding who has been convicted or how the case was handled in detail. Even if a report is not pursued further and the proceedings are closed, feedback is still provided. If, in individual cases, it is not actually possible to provide feedback to an anonymous whistleblower, this obligation does not apply.

The identity of the person providing the information will be treated confidentially. Only the persons responsible for receiving and processing the report and supporting persons (e.g., from specialist departments) will have access to your identity. Your identity will only be disclosed to other parties with your express consent or in the exceptional cases regulated by law in Section 9 of the German Whistleblower Protection Act (HinSchG) (e.g., upon lawful request by law enforcement authorities). You will be informed prior to any such disclosure, unless this would jeopardize the investigation. The identity of persons who are the subject of the report and other persons named in the report is also protected. Information about these persons may only be disclosed to the extent necessary for follow-up measures.

Data is only collected to the extent necessary for processing the report (data economy) and deleted as soon as it is no longer required for processing purposes.

The internal reporting office takes organizational, physical, and technical measures to prevent unauthorized third parties from accessing the data. Security standards and data protection compliance are observed when using IT systems.

The entire course of the procedure is documented. This serves as proof that the legal obligations have been complied with. The reasons for decisions (both positive and negative) are also documented. The documentation is stored in accordance with the legal retention requirements.

The use of KI:connect is voluntary. The following rules and instructions apply to its use:

1. It is not permitted to transmit personal or personally identifiable data from third parties.
2. The university prohibits the entry of any personal data or any data that could be used to identify specific living individuals. All inquiries must be kept strictly anonymous.
3. Furthermore, it is prohibited to use the software for any form of individual evaluation of applicants, students, employees, or other natural persons.
4. By entering content data into KI:connect, AI providers receive information that is used, among other things, to train the AI and for other processing and analysis purposes that are not precisely known. Data processing takes place outside the EU. The state data protection authority is currently reviewing the legality of ChatGPT.
5. The necessity for work-related tasks must be assessed independently by the employee. When using AI:connect, a sensitive and critical approach must be maintained. The following example usage scenarios serve as a guide:
   - Brainstorming / idea generation / creativity
   - Research and compilation of information
   - Analysis and summarization of data or texts (e.g., the 5 most important findings of an article)
   - Creation of text-based content (emails, social media posts, Internet/intranet content, job descriptions)
   - Reviewing existing texts for grammar, style, and clarity, as well as suggesting edits
   - Developing surveys and feedback questionnaires
   - Creating training materials
   - Supporting planning and time management in the form of schedules and to-do lists (daily tasks, project plans, event organization)
   - Preparing and structuring topics for presentations
   - Translating texts
   - Overviews of FH-relevant guidelines and laws
   - (Non-personal) data validation/checking data for plausibility and inconsistencies
   - Support/responding to basic support requests, FAQs
   - Creating minutes for discussions and meetings
   - Creating learning materials
6. No information from documents classified as confidential or otherwise restricted in distribution may be transmitted. In case of doubt, information is considered not to be released.

KI:connect enables the use of AI systems in compliance with data protection regulations by communicating with the connected AI systems via the interface of RWTH Aachen University (processor) using a single, central user account belonging to the Niederrhein University of Applied Sciences. All users and their requests are anonymous to the AI systems.

For this purpose, your account data (Identity Provider (IDP)-specific, unique, persistent ID for the person; roles or groups of the person; type of affiliation with their own organization; associated domain of the person's own organization, as well as data as part of the browser session (first name, last name, work email address) and an authentication cookie (Shibboleth session ID, cookie policy settings, IP address of the person's end device, ID of the KI:connect.nrw service) are processed by RWTH Aachen University as the processor. In addition, usage data, communication between the user and the AI system, and chat histories are stored.

Your personal data is processed in accordance with Art. 6 (1) (e) in conjunction with § 3 (1) DSG NRW.

Further information on data processing via KI:connect can be found at:  https://chat.kiconnect.nrw/app/privacy

The following AI systems are currently available via AI:connect (depending on your user role). Please note the system-specific information on data processing:

• Information on data processing in ChatGPT can be found at: https://openai.com/policies/privacy-policy
• Information on data processing in Mistral AI can be found at: https://legal.mistral.ai/terms/usage-policy
  This system is provided by the Open Source-KI.nrw project.

The processing of financial aid matters for those eligible for financial aid at the Niederrhein University of Applied Sciences is carried out by the RWTH Aachen University Financial Aid Office. For this purpose, the Niederrhein University of Applied Sciences sends personal data (name, contact details, employment status) to RWTH Aachen University on a monthly basis for the purpose of reviewing submitted financial aid claims. The data is deleted by RWTH Aachen University at the end of the following year after the entitlement to financial assistance has expired.

The processing of personal data in the course of handling financial assistance matters is carried out in accordance with Art. 6 sentence 1 lit. c GDPR in conjunction with § 75 LBG NRW. Further regulations are governed by Section 75 (10) of the LBG NRW in the NRW Subsidy Regulation (BVO NRW) and the Subsidy Regulation for Salaried Employees (BVOTb NRW).

Applications for subsidies and supporting documents containing personal data and, where applicable, health data and information or data relating to sexual life or sexual orientation are sent directly by the persons entitled to subsidies to the subsidy office of RWTH Aachen University for the purpose of final processing of the application. The Niederrhein University of Applied Sciences does not have access to this data, but receives sealed envelopes containing the processed subsidy matters via bulk mail for internal mail forwarding.

At RWTH Aachen University, the financial aid office is located in Department 8.3 – Business Travel Management and University Financial Aid Office, which is structurally part of the Human Resources Department of the Central University Administration at RWTH Aachen University.

RWTH Aachen University has transferred the processing of financial aid matters to a digital workflow, using the software-as-a-service solution ZABAS BeiPro from Beihilfe-Service-Gesellschaft MbH in Munich. The new application procedure requires applications and the associated supporting documents to be sent by post directly to the scanning center of Beihilfe-Service-Gesellschaft in Munich. After an initial application (using the long subsidy application form, see Info-ABC), supporting documents can be submitted using a short application form or, after registering, via the subsidy service app.

Applications for nursing care benefits must always be sent by post to the scanning center in Munich using the appropriate subsidy form.

All other benefit matters, such as appeals, letters from the nursing care insurance company, applications for psychotherapy, rehabilitation measures, and cost estimates, should continue to be sent by mail to RWTH.

As before, RWTH will send the decisions by bulk mail to the contractual partner for forwarding to those entitled to benefits.

Instead of sending your receipts by post to the scanning center of Beihilfe-Service-Gesellschaft MbH in Munich, you can submit your receipts digitally after submitting your initial application by post and registering with the Beihilfe-Service app. You will receive the authentication information required to complete the registration with your bank transfer after submitting your initial application.

To use the Beihilfe-Service app, you must agree to the terms of use and provide a declaration of consent to the app operator. Further information can be found in the app's data protection agreement and in the user agreement. Consent to Beihilfe-Service-Gesellschaft MbH can be revoked by deleting the user account or by sending an email to ds(at)beihilfe-service.com.

The student course evaluation is a tool for evaluating studies and teaching at the Niederrhein University of Applied Sciences. Its aim is to gather opinions and information from students about the course in order to support teachers in the further development of their teaching. In addition, the results are incorporated into the university's central reporting system and contribute to the continuous improvement of studies and teaching.

As part of the student course evaluation, data from lecturers (including teachers and adjunct lecturers) and course participants (including students and guest students) is processed. This data is processed in accordance with Art. 6 (1) (c) GDPR in conjunction with § 7 (2) HG NRW in conjunction with § 6 of the Regulations for Ensuring and Developing the Quality of Studies and Teaching at the Niederrhein University of Applied Sciences (QM and Evaluation Regulations).

If the student course evaluation is carried out using printed questionnaires, these will be destroyed at the end of the following semester after electronic recording. Data collected via online surveys will be deleted at the end of the semester after six years. Results reports from the student course evaluation that contain personal references to course lecturers will be deleted after four years.

As part of the course evaluation, your responses as a participant in the course surveys will be recorded. The EvaSys evaluation software uses technically necessary session cookies to record your responses in the online questionnaire. If you were invited to participate in the course evaluation by email, your university email address was recorded along with the course to be evaluated and your department.

The results of the student course evaluation are processed in such a way that it is generally not possible to identify individual participants. However, in the case of small courses and individual responses to open questions, the re-identification of individual persons cannot be completely ruled out with additional knowledge.

As part of the course evaluation, the following personal data will be processed about you as a course instructor: personal details (title, first name, last name, email address), Evasys login details (login name or HSNR account, password), organizational unit, Evasys operating data (user type, user role & assigned rights, date of account creation), and any data you may add to your Evasys user account. When you access Evasys, technical data (IP address, browser, session cookie) is processed; in the Evasys evaluation software, courses and surveys as well as the responses collected are processed.

You can use your HSNR account to access the results reports for your own courses in the Evasys evaluation software. In accordance with QM and evaluation regulations, the deans and, if applicable, the evaluation officers receive these results regularly at the end of each semester.

The purpose of event feedback is to gather opinions and information from participants about the respective event and to use this information to further develop the event and, if necessary, its context. To this end, participants evaluate aspects such as organization, premises, speakers, event materials, content, etc. They also have the opportunity to express praise and criticism and to make requests.

Data from speakers and event participants is processed as part of the survey. This data is processed in accordance with Art. 6 (1) (c) GDPR in conjunction with § 10 of the Regulations for Ensuring and Developing the Quality of Studies and Teaching at the Niederrhein University of Applied Sciences (QM and Evaluation Regulations) and § 8 (8) HG NRW in conjunction with § 3 (1) DSG NRW.

If the processing of personal data is carried out with consent in accordance with Art. 6 (1) (a) GDPR, this consent is obtained at the beginning of the survey.

The recipients of the results and the deletion periods are based on the respective evaluation concept of the event, which is explained in the introduction to the survey.