Information on data processing at KLU

Career Services uses the data provided by graduands to create a short profile for the KLU CV book. The CV book is intended to draw the attention of potential employers to KLU graduates and motivate them to make contact via the LinkedIn career portal. 

All communication with potential employers and graduands will be under LinkedIn's terms and conditions. KLU is merely an intermediary. 

Your KLU e-mail address will only be used internally and will not be passed on to third parties. 

No data will be transferred to a third country.

The CV book is published on the KLU website and will stay live for 12 months from the date of publication or until revoked. 

The CV book will be distributed via KLU Alumni Network, KLU Employer Network and KLU social media channels. 

Participation in the KLU CV book is voluntary and free of charge and is based on your consent in accordance with Art. 6 (1) a GDPR. By participating in the CV book, you consent to the processing of your data under the conditions outlined here.

You can revoke your consent at any time with effect for the future. To do so, simply send an email to recruit@KLU.org.
 

With the alumni network, we as your former university provide a contact point for communications and exchanges with you regarding your personal and professional further education and development, news about the university, opportunities for exchange and networking with other alumni, and funding opportunities through KLU. At the same time, we are looking for committed alumni to help promote international networking and KLU’s image in various ways, e.g. by participating in rankings.

In the following, we will inform you about the scope of data collection and storage, as well as its use and the purpose of the respective data collection in the context of using the alumni network.

Data processing in the context of the alumni network

Participation in the KLU alumni network is voluntary and free of charge and is based on your consent in accordance with Art. 6 (1) a GDPR. By participating in the alumni network, you consent to the processing of your data under the conditions outlined here.

You can revoke your consent at any time with effect for the future. To do so, simply send an email to alumni@klu.org.

The personal data you provide will be processed exclusively within the scope of the consent you have granted for the purpose of lawfully fulfilling the tasks of Alumni and Community Management and, if applicable, discipline-related alumni initiatives. The tasks of Alumni and Community Management include

• The sending of information by post and/or digital means, which generally concerns events, further education offers, funding opportunities and news from KLU.
• The information appears for example (but not exclusively) in the form of print publications (magazines, newsletters, information brochures), as invitation letters, and as event-related information letters.
• Bringing together former fellow students. In this regard, KLU’s Alumni and Community Management only acts as an intermediary. Your data will never be passed on to other alumni without your consent.
• Evaluation for statistical purposes (e.g. how many members there are in each discipline-specific group) and for the purposes of target group-specific communication (e.g. targeted dispatch of a subject-specific invitation to the members of a particular discipline-specific group). Such evaluations are only carried out by KLU’s Alumni and Community Management.
• The documentation of our interactions with you, e.g. your participation in KLU events, further education offers, support or mentoring programs, or your individual usage requests, e.g. subscribing to /unsubscribing from individual information offers.

Data retention period

If you have studied, researched, taught or worked at KLU, you are an alumnus – and can, if you wish, remain in contact with your alma mater for the rest of your life. Accordingly, Alumni and Community Management will not delete your user profile after a specified period of time, but will generally only do so
a) in the event of death or
b) in the event that you revoke your consent.

However, data that is no longer valid (e.g. outdated postal and email addresses), which can be replaced by updated information, will be deleted by us. You can also ask us at any time to correct or delete parts of the data we have collected and stored.

Data processing for a specific purpose, disclosure of data

We only process the aforementioned data for the stated purposes. Personal data will not be passed on to third parties outside the scope described here without your express consent. Further, data will only be transferred to state institutions and authorities entitled to receive information within the scope of the statutory duty to provide information or if we are obliged to provide information by a court decision.

Rights of data subjects (including information, revocation, objection, deletion, contact details for the data protection officer)

The above points notwithstanding, you can object to the use of your data at any time by sending an informal message by email to alumni@klu.org or by post to the following address: Kühne Logistics University, Alumni und Community Management, Großer Grasbrook 17, 20457 Hamburg.
If you revoke your consent to data processing or object to the use of the data, doing so has no effect on the legality of the data processing up to the time of revocation.

Furthermore, you can have the data we have collected and stored corrected, blocked or deleted at any time. In this regard, we wish to expressly underscore that there may be legal obligations to continue to store data; in such cases, the data can only be blocked, not deleted.

In addition, you have the right to data portability in accordance with Art. 20 GDPR and the right to lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR.

To exercise any of the aforementioned rights, please contact Alumni and Community Management at alumni@klu.org.

Contact details for our data protection officer
Dr. Uwe Nolte
privacy@klu.org

Supervisory Authority of the Federal State of Hamburg
Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit
Ludwig-Erhard-Straße 22
20459 Hamburg
040 428544040
mailbox@datenschutz.hamburg.de

For security reasons, all incoming mails are screened; only mails up to a maximum size of 35 MB are accepted. If a warning pops up during a screening, the email is moved to quarantine and the recipient is notified. Such emails may be delivered to the recipient after they have been cleared by IT.

If you need to exchange certain files with macros, files with unusual formats, or large files, please inform your contact person at KLU in advance. He or she can provide a SharePoint for you on request.

We use Office 365 from Microsoft to attend to our office work, for communication (conference calls, online meetings, and video conferences), and for online collaboration. 

Our legitimate interests are to simplify IT processes, communicate internally and externally, handle requests, increase efficiency, and promote cross-company collaboration.

Office 365 is a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When you use Office 365, personal data is also processed. For this purpose, we have concluded a commissioned processing agreement with Microsoft. A corresponding commissioned processing agreement is included in the Online Service Terms (OSTs).

www.microsoft.com/de-de/servicesagreement
www.microsoft.com/en-us/licensing/product-licensing/products
www.microsoft.com/de-de/trust-center/privacy/data-access

Categories of data processed and their legal basis

When you use Office 365, Microsoft processes a variety of data. 

• functionality data
• license data
• diagnostic data (telemetry)
• technical support
• continuous improvement
• processing for Microsoft’s legitimate business activities

Which types of personal data are processed depends on the individual case:

• Your IP address used to access Microsoft Office 365 applications. The legal basis for this is Art. 6 (1) f GDPR.
• Your user name (access data to the Microsoft Office 365 applications) and information about yourself that identifies you as a data user, sender, or recipient within the Office 365 world. Data within the scope of the so-called multifactor authentication that you yourself have stored on your Microsoft account (e.g. optionally your (private) cell phone number). The legal basis for this is Art. 6 (1) b GDPR.
• Other voluntarily provided data (such as a profile picture you have saved) can also be viewed in your profile at any time. This information is visible in your profile, but especially also in Outlook for you and other Office 365 users at any time and can be customized by you. The legal basis for this is Art. 6 (1) a GDPR.
• Usage data: This includes in particular communication content (text, audio, video) created by you. This depends on the application you use in Office 365 (Teams). The legal basis for this is Art. 6 (1) b and f GDPR.

Data recipients

In addition to the cases explicitly mentioned in this data protection declaration, your personal data will only be passed on without your express prior consent where doing so is permitted or required by law.

Data transfers to third countries

Data processing outside the European Union (EU) does not generally take place, as we have limited our storage sites to data centers in the European Union.

However, telemetry or diagnostic data, the support hotline and potentially other data processed in Microsoft’s area of responsibility outside the EU are excluded from this.

Furthermore, due to legal obligations, personal data may be transferred or disclosed to third parties (in particular, authorities), including third countries (USA) with a different level of data protection. 

In order to achieve the required secure level of data protection, in addition to internal organizational measures, the so-called Standard Contractual Clauses (SCCs) have been concluded with Microsoft, which are components of the Data Protection Addendum (DPA) as an annex to the above-mentioned OSTs.

Encryption

Data is encrypted in transit and at rest. This includes messages, files (video, audio, etc.), meetings, and other content. Teams also uses TLS and MTLS to encrypt chat messages.

Storage duration / criteria for determining storage duration

If a user (or an administrator on behalf of a user) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 60 days.

If a service offered by Microsoft is terminated, the corresponding personal data will be deleted between 60 and 180 days after the service is discontinued. We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. In such cases, Microsoft must comply with the request of the company administrator.

In the case of legal retention obligations, deletion will only be considered after the required retention period has expired.

Microsoft Teams 

We use the tool “Microsoft Teams” for presentations, meetings, joint project work, conferences, training workshops, and seminars.

Type of data

• activity data
• user data (user name, profile picture)
• teledata and video data
• contact data
• meeting data (topic, participants’ IP addresses, device / hardware information)
• user data (files for joint processing, chat data)

The legal basis for data processing when conducting “online meetings” is Art. 6 (1) b GDPR, insofar as the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Our legitimate interest is to effectively hold online meetings. 

Audio or video content is only recorded with your consent; you will be informed of this in advance in each case. The legal basis is Art. 6 (1) a GDPR.

Further information on the processing of personal data in Microsoft Teams can be found above or here:

docs.microsoft.com/de-de/microsoftteams/teams-privacy

In the following, we wish to inform you about the processing of personal data in connection with the use of “Zoom.” We use the tool “Zoom” to conduct administrative and faculty conference calls, online meetings, video conferences and/or webinars (hereafter “online meetings”). “Zoom” is a remote conferencing service provided by Zoom Video Communications, Inc., headquartered in San Jose, California, USA.

Zoom is also used at KLU to hold lectures for students. These are held as hybrid courses or pure online courses (hereafter “online courses”). 

The purpose of the data processing is the use of Zoom as a tool for collaboration within the scope of official activities at the university and for the fulfillment of university tasks (teaching, research and administration). Within the scope of the licenses provided, the use of Zoom for private purposes is not permitted.
No performance or behavioral monitoring takes place on the basis of your use of Zoom. Personal statistics are not compiled.

The settings selected for Zoom are intended to be privacy-friendly. For example, there is no attention tracking. As a rule, we do not record video conferences. For more information on lecture recording and mandatory attendance logging, see below. 

If you are registered as a “Zoom” user, reports on your online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, survey function in webinars) can be stored by “Zoom” for up to one month. 

If it is necessary for the purpose of logging the results of an online meeting, we log the chat content. However, this is not generally the case. 

If we plan to record online meetings or online courses, we will transparently communicate this to you in advance and ask for your consent. The fact that the meeting / course is being recorded will also be indicated to you in the “Zoom” app. 
For online courses, your consent will be asked for once before each course. If you do not consent to being recorded, you will unfortunately not be able to participate in online meetings or online courses that are to be recorded. 

In the case of webinars, we may also process the questions asked by webinar participants for recording and follow-up purposes. 

Zoom’s terms of use can be found here: https://explore.zoom.us/en/terms/.
Zoom’s privacy policy and other legal notices can be found here: https://explore.zoom.us/de/trust/ and here: https://zoom.us/docs/de-de/privacy-and-legal.html.
Information on Privacy Shield (guaranteeing the level of data protection when processing data in the USA) can be found here: https://www.privacyshield.gov/participant?id=a2zt00000008TN8AAM&status=Active.

General notes on permissible use

No content requiring high level of protection

No content requiring a high level of protection should be exchanged via this service. Use is explicitly prohibited if special categories of personal data are processed (“sensitive data,” e.g. health data).

Check the data privacy settings and environment before the meeting

Please also make sure that no unauthorized persons can watch the video conference and that smart devices, such as voice assistants like Alexa, Siri, etc. are either out of range or are deactivated in order to prevent unauthorized data processing or recording.

Hide your background

To protect your privacy, you can replace your background with an overlay.

Basic settings 

All meetings and teaching sessions start with the microphone turned off; participants must actively switch on their microphone. The insertion of email addresses in shared content as watermarks is prevented. A 6-digit numeric identifier code is set as the default access protection for all meetings; this code is included in the invitation link. 

Feedback messages to Zoom at the end of a meeting / course are disabled. Remote support and remote camera control are disabled.

General technical settings

Video data, audio data, presented content, and text messages in meetings are processed via the local infrastructure (Meeting Connector / Virtual Room Connector). 

Data transfers with other services

Data transfers with Office 365 are disabled. Use of a content delivery network (CDN) is enabled (Panopto).

Recording the content of meetings and courses

Automatic storing of chat communications and whiteboard content is disabled. Manual storing by the host is possible. 

The default settings in Zoom are defined so that automatic recording of meetings and courses is generally disabled. Recording can be activated by the host (optional). Recordings must respect the copyrights and personal rights of the persons concerned. 

Recordings are only made with the express consent of all participants concerned and only insofar as this is necessary for official purposes or for the completion of specific tasks. The recording party must obtain the consent of all participants in advance. 

Courses that are recorded are marked in advance with “(Recorded)” in the course catalog. Recorded courses can be accessed at any time at the Moodle learning portal (see below).

There is always a notification in the Zoom window when recording begins. In the Zoom app, the fact that the meeting / course is being recorded is indicated to participants by a red Record icon.

Recording is only done with the explicit consent of all participants. Persons who do not wish to be recorded can leave their camera and microphone turned off and log in under an alias instead of their real name.

Before recording begins, you can also decline recording by clicking “Leave Meeting.” You should do this promptly. If you do not leave the meeting, you will be recorded when recording starts.

Lecture recordings (online courses) are only temporarily stored in the Zoom Cloud. They are promptly transferred to Panopto (see below) and deleted from Zoom.

Storage of recordings

Recordings are stored temporarily on internal drives or data carriers. Recorded events are only stored at Panopto as long as this is necessary for the completion of the respective task and as long as there is no obligation to delete them.

Posting meetings on social media (YouTube, Facebook)

The default settings in Zoom are defined so that no automatic posting / sharing takes place.

What data is processed?

When you use “Zoom,” various types of data are processed. The scope of the data also depends on the data you provide before or when participating in an online meeting or online course. You can independently activate or deactivate your camera and microphone at any time or leave the meeting at any time.

To participate in an online meeting or to enter the “meeting room,” you must at least provide information about your name / alias.

When participating in an online course, your data is (partly automatically) transferred from Moodle.

Further information concerning data use on the part of Zoom can be found here: 
https://explore.zoom.us/de/privacy/

Logging user attendance

The setting “Users must register” creates an overview of all attendees, which can be viewed by the organizer. 

Fundamentally speaking, the attendance list may not be made available to the participants.

Data collection for the purpose of checking attendance or participation is permissible under data protection law if attendance is compulsory and proof of participation must be kept or provided. For student events, this condition is normally met by the examination and study regulations.

If data is only collected to prevent unauthorized use and to ensure that the session is conducted properly and without disruptions, the data must be deleted as soon as the event has ended, or as soon as the respective purpose has been achieved. 

Legal basis for data processing

The legal basis for data processing when conducting online meetings and online courses is Art. 6 (1) b GDPR if the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Here, our legitimate interest is in effectively conducting online meetings and online courses.

If KLU employees’ personal data is processed, Section 26 BDSG is the legal basis for data processing. If, in connection with the use of “Zoom,” personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of “Zoom,” then in keeping with Art. 6 (1) f GDPR, the legitimate interest provides the legal basis for data processing. 

In these cases, our interest is in effectively conducting online meetings and online courses.

If we plan to record online meetings or online courses, Art. 6 (1) a GDPR, your consent is usually the legal basis for processing. 

Automated decision-making as defined in Art. 22 GDPR is not employed.

Data recipients / data disclosure

Both “Zoom” and its subcontractors (see below) are necessarily receive made privy to the above-mentioned data insofar as this is provided for in the context of our commissioned processing agreement with “Zoom.”
Otherwise, personal data processed in connection with participation in online meetings and/or online courses is generally not disclosed to third parties, unless it is specifically intended for disclosure. Please note that content from online meetings or online courses, and from face-to-face meetings, is often intended precisely for the purpose of exchanging or passing on information.

Data processing outside the European Union

“Zoom” is a remote conferencing service based in San Jose, California, USA. As such, the processing of personal data also takes place in a “third country.” The transfer of personal data to a third country takes place exclusively for the following data category: processed metadata from meetings.

We have concluded a commissioned processing agreement with “Zoom” that complies with the requirements of Art. 28 GDPR. An adequate level of data protection is guaranteed by the conclusion of what are known as the “EU standard contractual clauses.”

A list of Zoom’s current subcontractors can be found here:

https://explore.zoom.us/en/subprocessors/.

Information on the processing of cookies can be found in Zoom’s cookie policy: https://explore.zoom.us/en/cookie-policy/.

Deletion of data and user accounts

As a rule, data is deleted as soon as the purpose of processing has been achieved and there are no retention requirements. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty- and, if applicable, guarantee-based claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

Communication content is not stored beyond the communication itself. Communication-related metadata is deleted as soon as the storage is no longer required in order to provide or maintain the service. Deletion of data takes place 7 days after revocation of the consents required for publication and storage of the recording, or after there ceases to be a need to publish and store the recording. Locally stored recordings are deleted in keeping with their respective time limits. Locally stored chat messages will be deleted after 30 days.

If you are registered as a “Zoom” user, reports on your online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, polling function in webinars) can be stored by Zoom for up to one month.
If you wish, you can delete your Zoom account yourself. You can find the necessary information here: 

https://support.zoom.us/hc/de/articles/201363243-Wie-k%C3%BCndige-ich-mein-Konto.

The account must be deleted as soon as the service is no longer required for the completion of the respective task, or at the latest when you leave KLU.

Your rights

For your data protection rights, see above.

Panopto is a complete system for recording, live streaming, editing, publishing, finding and managing video and audio content for study, teaching, continuing education and administration at KLU. Panopto’s support contributes to KLU’s fulfillment of the tasks assigned to it under Section § 111 of the Hamburg Higher Education Act (HmbHG). 

In particular, this consists in supporting and maintaining teaching operations at KLU’s faculties.
The central component of Panopto is a cloud-based web application in which video content recorded by users or on their behalf can be uploaded, edited, and shared with other users or the public. When integrated with the Moodle learning platform, recordings of events can be shared directly with the event participants.

Personal data is processed to provide the above functions and to ensure proper technical operation and system security. This includes in particular:

• Master data: only for users with a user account (first and last name, email address, KLU username, rights, roles, group membership(s), status, department, institute, company, optional profile details, language settings, and approximate geographical location for the purpose of workload management between different server locations)
• Connection- and content-related metadata (IP address, retrieved content and amount of data, time of access, action taken, referrer/exit URLs, device/hardware/browser information, performance data, and content metadata such as the video title, upload time, and author name)
• Content data (text, audio and video content incl. interactive content and edits (e.g. cut marks, embedded quiz tests, chapter marks, and comments) and uploaded files (e.g. PDF attachments) 

Legal basis

The legal basis for the processing of KLU students’ personal data for the purpose of carrying out teaching, further education and other study-related activities is Art. 6 para. 1 lit. e GDPR, para. 3 in conjunction with. § 111 HmbHG. The legal basis for the processing of KLU employees’ personal data is § 26 BDSG.

When displaying Panopto content on public websites or in the case of restricted releases for external parties, connection-related and content-related metadata, which may contain personal data, is processed in order to ensure proper technical operation and system security. The legal basis for this processing is Art. 6 (1) f GDPR.

Data transfer

Because Panopto is a cloud service, the personal data mentioned under 2 above is transferred to the provider Panopto EMEA Limited and/or processed on its servers in Ireland. Panopto EMEA Limited is a British subsidiary of Panopto, Inc (USA). KLU has concluded a contract with Panopto EMEA Limited under a license agreement for commissioned processing pursuant to Art. 28 GDPR with EU standard data protection clauses.

In individual cases, data may also be transferred to third parties on the basis of legal permission, e.g. it may be transferred to law enforcement authorities for the investigation of criminal offenses.

Deletion of data

When users’ accounts are deleted by IT, their master data is as well.
Content data and the associated metadata (e.g. a video including description and comments) are deleted after 5 years. This does not apply to content in users’ personal folders, which is only deleted when the account is deleted.

Connection-related metadata is deleted as soon as the storage is no longer necessary in order to provide or maintain the service.

Your rights

For your data protection rights, see above. 

Fundamentally speaking, we collect and use the personal data of users of the electronic learning platform Moodle only to the extent necessary in order to establish a functional learning management system in the context of KLU’s educational activities.

When students use Moodle, their personal data is stored. This includes their name, university email address, the courses they attend, in what form they participate, and which functions they use. Performance results from courses (test results, etc.) are also stored.

Data processing on Moodle takes place for the following purposes:

• Creating interactive learning units
• Conducting e-learning courses
• Automated performance assessment
• Giving feedback on progress
• Conducting electronic examinations

Legal basis

The legal basis for the processing of KLU students’ personal data for the purpose of carrying out teaching, further education and other study-related activities is Art. 6 para. 1 lit. e GDPR, para. 3 in conjunction with. § 111 HmbHG. The legal basis for the processing of KLU employees’ personal data is § 26 BDSG.

Data recipients / data disclosure

Personal data processed in connection with the use of Moodle is generally not disclosed to third parties unless it is specifically intended for disclosure. Please note that content from seminars and personal meetings is often used to exchange information with students, professors or third parties and is therefore intended for disclosure. As part of security audits, external parties may have access to records on the instruction and training students receive.

Deletion of data

Data on user activities is usually deleted manually at the beginning of a new semester. Courses that continue for two or more semesters are an exception. For this purpose, instructors receive specific training on handling the data. After exmatriculation, IT deletes the corresponding user account from the central directory service (Active Directory). Deleted accounts are automatically removed from Moodle.

Your rights

For your data protection rights, see above. 

At KLU, video systems are used to convey learning content and for access control. The video systems for conveying learning content are mainly operated in the lecture halls and classrooms and are used to convey learning and seminar content to students who are unable to attend in person. 

The video systems for access control are used to exercise domiciliary rights / enforce house rules, to protect property against theft or damage, to preserve evidence or facilitate criminal prosecution, and to safeguard our technical equipment and its continuing operation. The legal basis for this is Art. 6 (1) f GDPR. For cameras that record, the maximum recording duration is 72 hours; for pure surveillance cameras (monitoring), no recording takes place. The data is stored locally and not normally transferred to third parties; only in the context of criminal prosecutions are recordings made available to the public prosecutor’s office.

For the legal basis for video processing in connection with administrative and teaching activities, see above.

Your rights

For your data protection rights, see above.

A certificate issued by Credly is a digital representation of a learning outcome, experience or competence. The digital Credly certificates (“Badges”) can easily and reliably be verified online. The Badges are linked to metadata that include the context and verification. Badges can be exchanged on the Internet to ensure maximum visibility and recognition. In addition to the image / graphic, they contain further information on the skills you acquired in the respective training measure. As such, they allow you to provide further information on your abilities and expertise to interested persons, coworkers and companies (e.g. Human Resources), e.g. on Social Media channels.

KLU awards Credly Badges for the completion of certain training measures, confirming your participation and newly acquired skills. If you are issued a Badge following a training, you will receive an email notification from Credly with instruction on how to request / accept your Badge and how to set up your own Credly account. 

Doing so gives you an uncomplicated way to manage the training courses you’ve attended, to share your new skills, and to verify your achievements. There are no costs for you in connection with the Badge.

The Badges are provided by Credly (formerly Acclaim), a product of Pearson, 80 Strand, London, WC2R 0RL, United Kingdom. In terms of applicable data security legislation, KLU’s use of Credly is based on its contractual or contract-like relation with you as defined in Art. 6 (1) b GDPR.

You can configure any and all of your personal information and access credentials using your Credly account. You have complete control over this information. If you prefer your certifications or profile to not be publicly visible, you can restrict access by classifying them as private.

Your data is provided to Credly on the basis of a Data Processing Agreement (DPA with SCC). In connection with technical data processing, this includes the transfer of your data to non-EU countries. You can find information on all legal and data protection aspects of using Credly here: info.credly.com/legal. The relevant DPA can be found here: info.credly.com/data-protection-agreement.