of the student applicants, early ... - uni-goettingen.de

Please note: This is an unofficial translation provided for your information only and does not have any

legal binding effects!

The original version was published in: Official Announcements Vol. 29 / 2010, pp. 2473

Regulation on collecting and processing personal data

of the student applicants, early students, students,

examination candidates, former university members (without employees)

and guest students

of the Georg-August-University Göttingen

(of 20 October 2010 (AM 29/2010 p. 2473)

-PersDatO-

Section 1: General provisions

Article 1 Purpose

(1) The Georg-August-University Göttingen can collect and process the personal information from

applicants for studies or early studies (hereafter: student applicants), students and early students

(hereafter: students), examination candidates, former members of the University (without

employees) as well as guest students which is specified here and is necessary for the purposes of

admission and matriculation, re-registration, granting leave, exmatriculation, participation in

teaching and in examinations, levying fees and charges, study guidance, student support, course of

study monitoring and the student self-evaluation, determining the entrance qualification and

identification, the use of infrastructure facilities, the participation in the self-administration,

maintaining contact with former University members as well as university statistics.

(2) The University Göttingen may also use this information to perform the other functions according

to Articles 3, 5 and 6, para. 2 of the NHG (Lower Saxony Higher Education Act).

Article 2 Scope of validity, data processing systems

(1) This regulation shall apply

to persons:

to all student applicants, students, former University members as well as guest

students of the University Göttingen;

to spaces:

to all buildings, rooms and places which are used by the University Göttingen,

to facts:

to the use of personal data which arises in connection with performing the functions

stated in Article 1.

(2) 1The data according to this regulation can be processed via electronic data processing systems. 2Data according to clause 1 may be automatically analysed in an anonymous form and used for the

purposes according to para. 1. 3Data according to clause 1 may be automatically analysed in a non-

anonymous form and used for the purposes according to para. 1, provided this is explicitly permitted




according to this regulation or is necessary for performing functions in accordance with the

regulations, in particular for the use of infrastructure facilities, the participation in self-administration

and the proper implementation of application, matriculation, re-registration, exmatriculation or

examination procedures as well as lectures, study guidance, support programmes (e.g. mentoring

programmes) and monitoring courses of study.

Article 3 Personal reference information

The following reference information and identification numbers can be created for the management

of personal data:

1. Matriculation number,

2. University number,

3. Year under review/semester,

4. Examination number,

5. Registration code,

6. Management code,

7. Re-registration ban,

8. Fees and charges,

9. Health insurance status,

10. Reference data (date, function, amendment).

11. Library number

12. Identification numbers and verification numbers for university admission certificates

13. University account for the use of IT systems

14. University email address

15. IP address.

Article 4 Rendering data anonymous

The data shall be rendered anonymous at the earliest possible time.

Section 2: Membership and affiliate status

Article 5 Admission

The University Göttingen shall process the following personal data and information of the student

applicants for admission:

1. Surname,

2. First name,

3. Additional titles/former name,

4. Place of birth,

5. Date of birth,

6. Sex,

7. Address(es),




8. Telephone, email, fax,

9. IP address,

10. Nationality,

11. Information on university admission, in particular the type of university admission, average

grade, date, country, federal state and district of issuance, school or university, other

necessary or study-related training, knowledge and skills,

12. Course of study and subject,

13. Intended degree,

14. Periods and completion of a course of study in a university in the scope of validity of the state

treaty on the awarding of university places,

15. Information on rendered services and comparable obligations according to Article 6 of the

university awarding regulations,

16. Duration of professional training,

17. Time of a vocational qualification,

18. Periods of employment after obtaining the university entrance qualification,

19. Reasons and scope as regards an application for improvement of the average grade or waiting

time,

20. Particularly personal social and family reasons (exceptional hardship),

21. Result of the first studies and reasons for the second studies according to Article 10 of the


22. Significant reasons for choosing the location of studies according to Article 15, para. 2 of the


23. If necessary, the school currently attended,

24. In terms of the person or persons who are entitled to care for a student applicant according to

the regulations of the German Civil Code, the data according to points 1 to 9.

Article 6 Matriculation

The University Göttingen shall process the following personal data and information of the student

applicants for the matriculation:

1. Data according to Article 5, points 1 to 14 and 23 to 24,

2. Student status,

3. Type of studies,

4. Studies abroad,

5. Academic semesters,

6. Subject-related semesters,

7. Intermediate examination/preliminary examinations taken,

8. Affiliation to a faculty,

9. Name, address and type of university/universities previously or simultaneously attended and

the study time spent at it including the semesters on leave of absence and the respective

elected courses of study (evidence of exmatriculation),

10. Professional activity before starting the studies,




11. Evidence from the health insurance fund about the provision of compulsory insurance or the

exemption from the compulsory insurance,

12. Evidence of the payment of due student union fees as well as the administrative fee, if

necessary the tuition fees or other fees and charges,

13. The bank account details, provided the fees and charges are paid by direct debit,

14. Circumstances which could oppose matriculation, in particular,

a. disqualification from studies,

b. loss of the right to sit an examination,

c. illnesses which jeopardise the health of other students or seriously affect the study

structure,

15. In the case of student applicants with foreign university entrance qualifications, evidence that

they have sufficient German language skills,

16. In the case of student applicants who are not German in terms of Article 116 of the

constitution, evidence of scholarships if necessary.

Article 7 Re-registration

1The students shall request their re-registration for the coming semester with the payment of the

fees and charges due. 2The Georg-August-University Göttingen shall process the previously saved

data in the scope of the re-registration process. 3In addition, the amount of the fees and charges

paid, the reference semester as well as the bank account data, if necessary, shall be processed.

Article 8 Taking leave

1Students shall be committed to indicating and providing evidence of the reasons for taking leave. 2The Georg-August-University Göttingen shall process the previously saved data in the process for

granting leave. 3In addition, the reason, semester and duration of the leave granted shall be saved.

Article 9 Exmatriculation

The Georg-August-University Göttingen shall process the previously saved data as well as the reason

for and the date of the exmatriculation as well as the time the exmatriculation becomes effective.

Article 10 Evaluation

1The University shall assess the performance of its functions in teaching matters at regular intervals

(internal evaluation). 2A regulation shall govern the further details.

Article 11 Maintaining contact with former members of the University

(not employees)

(1) The Georg-August-University Göttingen shall process the following personal data and information

of former members of the University for the purposes of maintaining contact with these persons:




1. Surname,

2. First name,

3. Additional titles/previous name,

4. Former semester address,

5. Former home address,

6. Email,

7. Faculty,

8. Subject or subjects,


10. Date of matriculation,

11. Date of exmatriculation.

(2) The following personal data and information shall also be collected and processed:

1. Address,

2. Occupation,

3. The employer, with the agreement of the former member of the University.

(3) The aim of maintaining contact is to create and expand a network of students, members and

former members of the University Göttingen.

(4) Based on permanent relations founded on partnerships, the aim is to integrate former members

of the University into the activities of the University Göttingen, in terms of their content, ideas and

financing.

Article 12 Guest students

The Georg-August-University Göttingen shall collect the following personal data and information

from the guest student in order to include them in the guest student register:

1. Surname,

2. First name,

3. Additional titles / previous names,

4. Date of birth,

5. Sex,

6. Address,

7. Nationality,

8. Desired lectures/contact hours, from which the subject or the degree and the faculty can be

derived and processed

9. Student status

10. Matriculation in another university.

Section 3: Smart card

Article 13 Smart card




(1) 1Smart cards shall be issued to the students as well as the guest students in order to perform the

functions stated in Article 1. 2The smart cards shall remain in the property of the Georg-August-

University Göttingen.

(2) The smart card shall be used by the students as well as the guest students for purposes of access

control, identification, time recording, invoicing or payment.

Article 14 The smart card as a student identification card

(1) 1The student identification card shall be issued in the form of a smart card. 2This shall also be

considered as photo ID.

(2) The student identification card can contain the following personal information:

1. Surname,

2. First name,

3. Additional titles,

4. Date of birth,


6. First registration,

7. Course of study, semester, status, leave granted

8. Intended degree,

9. Admission indicators,

10. Faculty,

11. Passport photo,

12. Validity period of the identification,

13. Library number or barcode of the SUB (state and university library).

(3) 1All master data for producing the smart card shall already be contained in the data processing

system of the Student Affairs Office. 2In this respect there is no administration of personal data. 3The

photo required for producing the smart card shall only be produced for printing the smart card and

shall be automatically deleted from the corresponding data processing system after the smart card

has been issued.

Article 15 Use of the smart card as photo ID

(1) 1The smart card can be used as photo ID if the participation in University lectures is restricted. 2The use of the smart card as photo ID should facilitate the verification of the entitlement to

participate and should reduce waiting times. 3The smart card can be used as photo ID in the following

cases in particular:

for participating in studies and examinations




for participating in university sports.

(2) 1The smart card can be used by students for using particular services in the city of Göttingen for

students with a main place of residence in Göttingen. 2The student shall hand their smart card over

to an employee of the city of Göttingen. 3They shall check the main place of residence status of the

student and read out a unique serial number of the smart card via a smart card reader. 4The city

cannot draw any conclusions about the person holding the card from the serial number alone. 5The

serial number which has been read out shall be saved in a database of the city of Göttingen. 6The

student shall then go to a service point of the University Göttingen and request the imprint for

persons with a main place of residence in Göttingen. 7The serial number of the smart card shall be

read and transferred to an office of the city of Göttingen which enables access to the database with

the serial numbers of the persons with a main place of residence in Göttingen. 8If the transferred

serial number is found in the database, the validity imprint on the smart card shall be renewed with

the imprint for a person with a main place of residence in Göttingen. 9The Georg-August-University

shall not save data on which students use this service.

Article 16 The smart card as access authorisation

(1) 1The access system shall be used to protect the students as well as the guest students, the

personal data, to protect against unauthorised access to workflows and to protect the property of

the Georg-August-University. 2A list of all buildings, parts of buildings and rooms included in the

operation of an access system and the access system used there shall be made available on request.

(2) 1There shall be no efficiency and performance checks. 2Personal data or data which can be related

to persons which is suitable for an efficiency and performance check may not be analysed,

transferred into other systems or used to compare individual characteristics with requirement

profiles. 3The regulation in Article 31, para. 2 of this regulation shall be excluded from this.

(3) The smart cards shall be awarded and the access rights associated with this shall be managed

exclusively according to criteria which can be derived from the work to be completed in the studies.

(4) Knowledge which was obtained from the access system through a violation of this regulation may

not be used.

(5) The range of the reading device of the access system may not exceed 15cm.

Article 17 The smart card as identification for other applications

(1) 1The smart card can be used in connection with other applications which can be used by the

students as well as guest students. 2A unique identification number of the application system can be

electronically placed on smart card so that the corresponding application can identify the

corresponding user. 3These other applications can be loan systems in libraries as well as other

applications where the use of a smart card is practical.




(2) 1The use of the smart card in connection with other applications always requires the approval of

the data protection officer of the Georg-August-University Göttingen. 2Before deciding to expand the

smart card to cover other applications, the data protection officers of the student body as well as the

AStA shall be informed and consulted on the decision-making.

Article 18 The smart card as a payment method

(1) 1The smart card can be used as a method of payment for products and services. 2The use of the

smart card as a payment method should speed up payment processes and thus reduce waiting times. 3The smart card can be topped up with money at designated top-up machines.

(2) 1Payment processes must be implemented anonymously. 2Payment protocols may not disclose

the connection between a person and payment process. 3The payment protocols may, however, be

analysed for statistical and commercial purposes as well as for the purposes of account clearing.

(3) The following payment functions are possible in particular:

paying in the food courts

paying at the photocopiers within the Georg-August-University Göttingen

paying for print jobs within the Georg-August-University Göttingen.

Article 19 System description

(1) The smart cards used shall be designed to be as forgery-proof as possible; the data saved on the

chip card shall be protected against unauthorised access.

(2) 1The reading devices shall be designed in a way that the reading processes can be exclusively

activated by the user. 2This reading process must be recognisable for the user. 3Automatic reading or

other recognition processes which do not allow noticeable monitoring shall be excluded.

(3) 1Following the first installation and to update new users, to change existing user data and to

delete user data which is no longer required, data may be transferred from the student

administration system. 2User data which is no longer required shall be deleted.

(4) 1Data from the access system may not be transferred to other systems in any form. 2The handling

of data which is obtained for purposes other than access purposes in terms of this agreement shall

be governed by corresponding regulations.

Article 20 Authorisation of the student cards in data processing systems

(1) 1No personal data of the users shall be saved or read out on the smart cards used. 2The cards shall

be exclusively authorised in the access system via the unique internal identification number saved on




the smart card. 3Other corresponding identification numbers can be placed on the smart card for

other applications. 4Each application may only access the data of the card section it requires.

(2) 1When reading out or analysing the history data, only the respective identification number of the

smart card may be shown. 2The name of the card holder may not be shown.

Article 21 Operating data processing systems in connection with the smart card

(1) 1All system functions which allow access to log files of the access system or which allow event

data of the access system to be read out or analysed shall be secured in such a way that access is

only possible for the persons authorised to access. 2Access to the log files of the access system or the

reading out or analysing of event data of the access system shall only be possible in the presence of

the student data protection officer. 3This shall not apply if this is not achievable with reasonable time

and effort. 4The student data protection officers may not view any personal data.

(2) 1A system administrator and a representative shall be named by the administration department

for the access system. 2The system administrator shall be responsible for the operation and

technology of the system. 3A correspondingly secured remote connection can be set up by the

software supplier for maintenance purposes. 4All access to the system shall be automatically

recorded. 5In the case of justified suspicion of misuse, the data protection officer of the Georg-

August-University Göttingen or the student data protection officers shall have an unrestricted right

to view the data. 6The data shall be illustrated in a readable, understandable form. 7The log files must

clearly show which system data, access authorisation data and event data of which persons was

accessed and which actions were activated and implemented while it was accessed. 8The log files

may not be used for any other purposes.

(3) 1The student data protection officers shall be informed of the persons who are appointed with

the administration of the access system (user administrators), by name. 2Their task is the

administration of the access authorisation data. 3This shall also apply to other data processing

systems in connection with the smart card.

(4) 1If there are log files for the payment function, it must be clear which system data and event data

of which persons was accessed and which actions were activated and implemented while this was

accessed. 2The log files may not be used in any other way. 3In the case of justified suspicion of

misuse, the data protection officer of the Georg-August-University Göttingen or the student data

protection officers shall have an unrestricted right to view the data.

Article 22 Rights and obligations of the students as well as guest students

(1) 1All students shall be informed about the functioning of the system in due time in an appropriate

way (e.g. use of its data and the analysing options). 2Each student shall have the right to have the

data saved on their smart card shown to them by a person assigned with the administration. 3The

data shall be illustrated in a form which is understandable for the students.




(2) 1The students shall be responsible for using their smart card in accordance with the regulations. 2The smart card may not be passed on to other persons. 3It may not be used to create advantages for

unauthorised persons. 4The University must be immediately informed should the smart card be lost. 5The smart card shall be immediately blocked for all systems.

(3) The data obtained in the data processing systems shall only be used in accordance with

regulations.

(4) 1The first card issued and the updating of the smart card is free. 2Should a new card have to be

issued if the card is lost or unusable, the costs which arise through manufacture and administrative

expenses can be demanded. 3The maximum amount for this shall be €15 per new card issued.

(5) The student data protection officers shall be nominated annually by the student body.

(6) The rights and obligations of the students shall apply accordingly to the guest students.

Article 23 Obligation to report

(1) 1The University Göttingen shall produce an annual report on the cases of reading out or analysing

of event data and the access to log files of the access system. 2The report shall state, in particular,

the university area concerned, the reason for reading out or analysing or accessing log files of the

access system, the number of persons concerned and the use of the data. Personal data shall be

made anonymous.

(2) 1The report shall initially be presented to the data protection officer of the Georg-August-

University Göttingen and the student data protection officers, who shall give a statement on it if

necessary. 2The report shall then be presented to the Senate of the Georg-August-University

Göttingen, if necessary together with a statement from the data protection officer of the Georg-

August-University Göttingen or the student data protection officers.

Section 4: University facilities (infrastructure facilities), IT systems for students as well as guest

students

Article 24 Infrastructure facilities

1The University can process data from students, guest students and third parties who do not have a

civil servant or employee status with the University according to Articles 6-9, 12 and 26 for the use of

infrastructure facilities, in accordance with the following provisions. 2The further regulations can be

governed in a statute for the respective infrastructure facility.

Article 25 Central printing system




(1) The University Göttingen shall operate a central printing system to allow students, guest students

and third parties to print documents against payment via the University account.

(2) 1The use of the printing system requires credit to be on the so-called printing account, which shall

be set up and centrally administered for the person (account holder) named in para. 1. 2The credit

balance shall be created through deposits by means of cash payments or direct debit procedures

(appreciation). 3The fee to be paid for a printing job shall be paid by charging the credit balance

(depreciation) immediately after the documents have been printed. 4The account holder can view

the current credit balance on the printing account, including appreciations and depreciations as well

as the printing jobs, by using their University account.

(3) The following data shall be processed for operating the central printing system:

1. Surname,

2. First name,


4. Place of birth,

5. Date of birth,

6. Sex,

7. Address(es),

8. Telephone, email,

9. Nationality,

10. Student status,

11. University account,


13. Bank account details, provided the appreciation is carried out by means of direct debit,

14. Name and number of printed documents,

15. Name of the computer used,

16. Name of the target printer,

17. Date and time the printing jobs were executed,

18. Changes to the credit balance.

(4) The printing account shall be deleted for the future upon the request of the account holder.

(5) The event data shall be deleted at the end of the semester.

Article 26 University account and University email address

(1) 1Each student shall be allocated a University account and a University email address to use the IT

systems for students. 2These shall be allocated with the issuing of the smart card. 3The University

account and the University email address shall be used for the use of IT systems for students.




(2) 1The University account shall consist of the user name and the appropriate password. 2The

University email address shall consist of the [email protected]. 3The user name can

be changed by the university on specific request. 4The use of a student's private email address as a

University email address is excluded.

(3) 1The University shall exclusively use the students' University email addresses to communicate

with them electronically, provided this is practical. 2The students shall provide access to the

University for this.

(4) 1The University account and the University email address shall be provided to be used for matters

relating to studies and teaching as well as the participation in self-administration. 2The student shall

keep confidential the passwords received for using the systems and shall immediately inform the

University as soon as they become aware that unauthorised third parties know the password. 3The

use may not violate statutory bans, the good morals and rights of third parties, especially trademark

rights, rights to bear a name, copyrights and data protection rights. 4When using the University

account and the University email address, the IP addresses of the student are processed. 5User

guidelines which are passed by the presidential board shall govern the further details.

(5) The University account and the University email address can be used to the necessary extent for

purposes of study guidance, the transfer of study-related information or a support program.

(6) The paragraphs 1 to 5 shall correspondingly apply to guest students.

Article 27 Use of self-service functions

(1) Provided a smart card is issued after personal identification, the student shall receive the

University account necessary for using the self-service function and a number of transaction numbers

(TAN).

(2) The student shall confirm the receipt of the smart card as well as the University account and TAN

in writing.

(3) The following self-service functions can be used with the University account and TAN:

printing of various certificates:

extract from master data, semester fee receipt, certificate of matriculation, period of study

confirmation, pension certificate, BAföG (financial assistance programme for students)

certificate, exmatriculation certificate

Changes to addresses and contact data (telephone, email, fax)

Re-registration for a following subject-related semester

Exmatriculation

Requesting and activating other TANs

Change to the PIN (changed password)

Registration for examinations and studies




Entry of and amendment to BAföG data (BAföG office, BAföG number)

Entry of and amendment to scholarship data.

(4) The self-service functions can be used by the students on their own computers (PC) and self-

service terminals of the university, provided these are offered by the university.

(5) Should the password for the University account or TANs be lost or when all TANs have been used,

the student can have their PIN reset and/or request a new TAN list in the main study centre after

personal identification.

(6) Para. 1 to 5 shall apply accordingly to guest students.

Section 5: Teaching and examination system

Article 28 Lecture and examination administration system

(1) 1The University Göttingen shall operate an integrated electronic lecture and examination

administration system with self-service functions on the internet. 2It shall be operated in order to

electronically administer the registration in and withdrawal from lectures, modules and module

examinations, the data on the prerequisites for admission to examinations and examinations as well

as the modification of the evaluation of examination decisions.

(2) 1The students as well as guest students shall be responsible for their use of the online access to

the lecture and examination administration system; an online account shall be set up for them for

this. 2They shall be committed to regularly checking the correctness of their online account in the

scope of their capabilities; transmission errors should be identified immediately. 3The students can

generate the following data in particular for the purposes of self-evaluation, including related to the

progress of studies, in due consideration of the achievements of the corresponding student group,

provided the student group includes at least ten students:

a. size and name of the student group

b. status of the student within the student group

c. status, credits and grades of the three highest placed students of the student group in an

anonymous form. 4The evaluation options according to clause 3 can be restricted; this shall particularly apply to

students in Bachelor courses of study who are in the first or second subject-related semester as well

as to students in courses of study which are coming to an end.

(3) The data of the lecture and examination administration system may be processed to the extent

necessary for the purposes of study guidance, a support program or monitoring of courses of study

as well as to obtain information on student applicants; in the case of the monitoring of the courses of

study as well as the information on student applicants, the data may only be processed in an

anonymous form and for a group size of at least ten students.




(4) 1The University Göttingen shall process the data according to Articles 6 to 9, 12, 26, 27 and 30 to

32 as well as their amendments for the operation of the electronic lecture and examination

administration system. 2Event data shall be deleted one year after the completion of the examination

procedure.

Article 29 E-learning systems

(1) 1The University Göttingen shall operate specialised IT systems (E-learning systems) for the

purpose of helping teachers and students as well as guest students and other persons, provided this

is governed in a cooperation agreement, to organise processes in studies and teaching. 2The E-

learning systems shall include, in particular, components for organising lectures, working groups and

routine studying, for creating and exchanging learning materials as well as components for the

communication between teachers and students as well as guest students and between students and

guest students.

(2) 1In principle, the use of the E-learning system by students and guest students or other persons

requires the identification with the University account. 2The following personal data shall be

processed during the registration and operation of the E-learning system:


2. University account,

3. IP address,

4. Telephone, email,

5. Surname,

6. First name,

7. Additional titles,

8. Sex,

9. Course of study and subject,

10. Intended degree,

11. Faculty,

12. School attended,

13. Data according to Article 12.

(3) 1The content and services of the E-learning systems can be offered in limited contexts, for

example restricted for a lecture, a working group or facilities to which the access is restricted. 2In the

case of an access restriction which requires a special registration, a list of participants shall be

created, for whom the data shall be processed according to para. 2. 3The following data shall be

processed for each lecture (lecture data):

a. data of the person entitled to access (access data)

b. content of the lecture

c. event data.

(4) 1Event data which requires writing authorisation (e.g. file upload or chat, forum, blog and wiki

entries, participation in lectures or groups) or reading authorisation shall be processed including the




name of the author, the login data and the processing data. 2The name of the author as well as the

processing data shall be visible for all readers of the respective E-learning system as follows:

a. in the case of writing authorisations: always

b. in the case of reading authorisations: upon presentation of good cause.

(5) The duration of the availability of the event data according to para. 4 shall be based on the

duration of the corresponding context, e.g. offer of the lecture of the working group; the event data

shall be deleted on 60th day after the specific context has ended at the latest, unless otherwise

governed in the statutory provisions or para. 6.

(6) 1At the end of a lecture, the lecture data shall be archived in the last processed version for a

maximum of five years. 2During the archiving phase, the person authorised to access the lecture shall

be given a reading authorisation for the lecture data. 3Provided this is necessary for the purposes of

implementing and participating in teaching or in the case of written approval of all participants, an

archiving duration which differs from clause 1 can be determined in agreement with the data

protection officers.

(7) The data of the E-learning system can be used to the extent necessary for the purposes of study

guidance or a support programme.

Article 30 Registration for a preliminary, intermediate or final examination

or for an examination during studies

1In the case of registration for a preliminary, intermediate or final examination or an examination

during studies, the following information and documentation shall be presented by the students as

well as guest students, if necessary:

1. Evidence of the fulfilment of the requirements for the authorisation to sit an examination, in

particular, matriculation, academic achievements and days present,

2. Evidence of internships,

3. Number of examination attempts and their results,

4. Type, subject, time and result of module examinations, intermediate examinations, final

examinations,

5. Evidence of deadline extensions for sitting the examination,

6. Evidence of the implementation of obligatory study guidance,

7. Examination subjects,

8. Intended degree,

9. Invigilators,

10. BAföG receipt, grant number. 2The data according to clause 1 can also be collected and processed by the University Göttingen

itself.

Article 31 Processing a preliminary, intermediate or final examination

or an examination during studies




(1) In addition to the data collected according to Articles 26 to 30, the University shall also process

the following data when processing the examination:

1. Examination results,

2. Evidence of failed examinations or withdrawals,

3. Data on reasons for failure and violations against regulations,

4. Examination and completion data.

(2) Data according to Articles 28 to 30 may be automatically analysed in a non-anonymous form by

student advisors for purposes of study guidance; this type of processing shall be evaluated at regular

intervals of a maximum of two years.

Article 32 Implementation of doctoral examinations

The type and scope of the data collected for the doctoral examination shall be based on the

requirements of the applicable doctoral regulations of the faculties of the Georg-August-University

Göttingen.

Section 6: Participation in self-administration

Article 33 Data processing in the scope of participation in self-administration

(1) The University Göttingen shall process the following personal data should students as well as

guest students participate in the self-administration:

1. Surname

2. First name,


4. Place of birth,

5. Date of birth,

6. Sex,

7. Address(es),


9. Nationality,

10. Student status,

11. Type of studies,

12. Academic semester,

13. Subject-related semester,



16. Voluntary information,

17. Organ or committee for which they are a candidate,

18. Student association of list for which they are a candidate.




(2) The participation in the self-administration includes the necessary preceding procedures, in

particular elections and their preparation.

(3) The following data can be published without the consent of the person concerned:

1. Surname,

2. First name,


4. Date of birth,

5. Sex,

6. Type of studies,

7. Organ or committee for which they are a candidate,

8. Student association or list for which they are a candidate.

(4) 1The organs of the student body can be informed about the data according to para. 1 to the

extent necessary to perform the functions according to Article 20 of the NHG or a statute of the

student body, without the consent of the person concerned. 2The responsible organ shall credibly

show that the data has been deleted once the tasks are complete.

(5) The following data can be passed on to other members or representative members of an organ or

committee without the consent of the person concerned:

1. Surname,

2. Name,


4. Sex,

5. Address(es),


7. Student association or list for which they are a candidate.

Section 7: General provisions, rights and obligations

Article 34 Data types

(1) In principle, there are three types of data:

System data:

This includes data such as operating system files, programme files and log files in

accordance with the particular purpose according to Article 10, para. 4 of the

Data Protection Act of Lower Saxony (NDSG).

Personal data including authorisation and identification data:

This includes the data according to Articles 5 to 9, 11 and 12, smart card data,

physical and temporal allocation of access authorisations, University account,




the University email address, TAN, identification numbers for other application

systems.

Event data:

This includes data such as the identification number of the smart card, date and

time of the access, terminal number of the reader, number of access attempts,

data on the payment processes and borrowings from the SUB.

(2) 1Event data shall be saved for a maximum of 60 days, unless other statutory provisions or this

regulation state otherwise. 2They shall be deleted afterwards. 3Reading out or analysing event data

(history memory) as well as accessing log files of the access system shall only be authorised in the

case of justified suspicion of serious misuse of the access authorisation or payment function, in the

case of misuse of other application systems or punishable acts or in the event of a statutory

authorisation.

(3) The work stations which are set up for the system monitoring, the user administration or other

information on the access system shall be secured in terms of data protection, data security and the

allocation and administration of authorisation just as in the student administration system.

Article 35 Rights

(1) 1Upon request, the persons concerned shall be informed about:

1. the personal data stored about them,

2. the purpose and legal basis of the storage,

3. the origin of the data and

4. the receivers of data transfers. 2This shall not apply to personal data which is exclusively saved for the purposes of data security or

data protection control. 3For blocked data which is only still saved because it cannot be deleted as a

result of statutory retention regulations, the obligation to exchange information shall apply only if

students show a legitimate interest in being granted the information about this.

(2) 1The application should describe the type of personal data about which information is requested

in more detail. 2The Georg-August-University Göttingen shall determine the procedure, in particular

the form of exchange of information at its sole discretion after due consideration.

(3) Should the data be saved in the files, the persons concerned can request information from files or

request to view the files, provided they provide information which allows the data to be found within

reasonable time and effort.

(4) Applications according to para. 1 or 3 can be refused if

1. fulfilling the request for information or to view data would put the regular execution of the

other functions of the Georg-August-University Göttingen at risk,

2. the information on or viewing of files would put the public security and order (Nds. SOG) at risk

or




3. the personal data or the fact that it has been saved are to be kept confidential according to a

legal regulation or due to legitimate interests of third parties.

(5) 1Refusing the information on or viewing of files does not require any justification if the purpose of

the refusal is jeopardised by the justification. 2The reasons for the refusal shall be saved on file.

(6) If the information or access to the files is refused, the persons concerned shall be informed that

they can contact the data protection officer of the Georg-August-University Göttingen or the state

official for data protection.

(7) The persons concerned shall have the right to rectify, delete and block the saved personal data in

accordance with the statutory provisions.

Article 36 Obligation to inform about the change to personal data

1The students, examination candidates and guest students shall be obliged to immediately inform the

Georg-August-University Göttingen of:

1. a change of name, address, telephone number (voluntary) and nationality,

2. illnesses which put the health of other students at risk or seriously affect the study structure. 2The Georg-August-University Göttingen shall be authorised to process this data.

Article 37 Rights and obligations of the two student data protection officers

(1) 1Both student data protection officers and the AStA of the University Göttingen shall be

extensively informed in due time about measures which concern the access system. 2The information

shall be considered to have been provided in due time as long as different solution alternatives can

be taken into consideration in the interests of the students concerned and no operational or

technical constraints have been established yet.

(2) For their information, the student data protection officers and the AStA of the University

Göttingen shall have the right to participate in all meetings which are held as a result of changes or

additions to the functions of the smart card.

(3) 1Both student data protection officers shall have the right to be informed in terms of the

compliance with this regulation in the scope of their general tasks. 2Furthermore, both student data

protection officers shall be extensively informed in due time about significant compromises. 3In the

event of suspicion of misuse or a significant infringement, the student data protection officers shall

inform the data protection officer of the Georg-August-University Göttingen who will carry out the

further investigation and inform the student data protection officers. 4The data protection officer of

the Georg-August-University Göttingen shall have an unrestricted right to view data. 5The access to

the corresponding systems necessary for this and the necessary information shall be granted,

provided the information access to the corresponding data protection system is governed in this

regulation. 6The system administrator shall be obliged to make all information and knowledge which




results from operating the system or which is necessary for the operation available to the data

protection officers. 7The data protection officer shall inform the student data protection officers of

the result or intermediate results of their investigations.

(4) The student data protection officers shall be committed to secrecy should they become aware of

personal data in the scope of their work or if the obligation to maintain secrecy is to be observed in

order to avoid a direct serious disadvantage for students, the University or the foundation.

Article 38 Special obligations

(1) If decisions and other measures, in particular registrations, module or examination admissions,

examination deadlines as well as examination results are disclosed to the public, the following

personal data may not be published in text form without the consent of the person concerned:

surname, first name, additional titles/previous name, address(es), telephone, email.

(2) 1Should the university send emails to several persons, in particular via mailing lists, it shall be

ensured that the personal data of one person, in particular their name and email address, are not

passed on to another person. 2This shall not apply if

a. the law, a decree or this regulation states otherwise,

b. the email communication was started by the persons concerned,

c. consent of the persons concerned exists in text form.

(3) 1Personal data and images can be published in publications and on internet sites of the University

with the consent of the persons concerned. 2Consent according to clause 1 shall not be required

should the public be informed about public lectures or lectures public to the University, about the

self-administration, about the administration as well as about the performance of the functions of

the University.

(4) 1The persons concerned shall be appropriately informed about the significance of the consent, in

particular about the purpose of the data and, in the event of intended transfer, also about the

receivers of the data. 2The persons concerned shall be notified that they can refuse the consent or

revoke it with effect as of a future date. 3The declaration and notes must contain the following

information: in the case of a revocation, personal data may no longer be used for the intended

purposes in the future and shall be deleted immediately. 4Should the consent not be revoked, it shall

also apply after the end of the membership in the University, without time limits. 5The consent shall

be voluntary; no disadvantages shall result from refusing the consent or its revocation.

Article 39 Transferring data in the scope of cooperations

(1) 1In order to implement courses of study and programmes with other universities or non-

university institutions (collectively: third parties), the data of the corresponding students and guest

students can be transferred to them in the scope necessary for the implementation. 2A cooperation

agreement shall govern the further details.




(2) 1In the scope of funding applications, research agreements, scholarship programmes as well as

funding programmes including the awarding of sponsorship prizes, personal data can be transferred

to the funding organisation or the cooperation partners with the consent of the persons concerned

in the scope necessary. 2The consent of the persons concerned must be present in text form.

(3) The third parties to whom the data is transferred may only process this data for the purpose for

which it was transferred to them.

Article 40 Period required for the retention of documents

Written material can be destroyed after one year if

1. the students were informed that they can collect the written documents submitted by them

within one year, should this no longer be necessary for further processing or provided it is not

determined in a statute that the written material shall remain in the University,

2. the written documents are not originals of public deeds and

3. the written documents are not required for the further processing, in particular for purposes of

evidence.

Section 8: Final provisions

Article 41 Effective date

(1) This regulation shall come into force on the day after it has been disclosed in the Official

Announcements of the Georg-August-University Göttingen.

(2) At the same time, the "Regulation on collecting and processing the personal data of student

applicants, students, examination candidates, former members of the University as well as guest

students" of the Georg-August-University Göttingen in the version of the announcement from

19.05.2004 (Official Announcements 5/2004 p. 301), last amended by resolution of the Senate from

16.07.2008 (Official Announcements 16/2008 p. 1104) shall expire.

of the student applicants, early ... - uni-goettingen.de

Documents