(Status 03 August 2021)
Information on data protection regarding our processing under Articles 13, 14 and 21 of the General Data Protection Regulation (GDPR)
We take data protection very seriously and inform you herein how we process your data and what claims and rights you are entitled to under data protection regulations. Applicable from 25 May 2018.
1. Office responsible for data processing and contact data
Responsible office in the meaning of data-protection law:
Kölner Studierendenwerk AöR
Universitätsstr. 16, 50937 Köln
Contact data of our data-protection officer:
Datenschutzbeauftragter des Kölner Studierendenwerk AöR
HEC Harald Eul Consulting GmbH Datenschutz + Datensicherheit
Auf der Höhe 34
You can reach our data-protection officer for the Office for Educational Support at:
Die Datenschutzbeauftragte der Ämter für Ausbildungsförderung in den Studierendenwerken Nordrhein-Westfalen
c/o Akademisches Förderungswerk Bochum AöR
2. Purposes and legal foundations upon which we process your data
We process personal data in accordance with the stipulations of the General Data-Protection Regulation (GDPR), the German Federal Data-Protection Act (Bundesdatenschutzgesetz - BDSG) and other applicable data-protection provisions (details are provided in the following). The details of which data are processed and how they are used depend largely on the services requested or agreed in each case. Further details or additions for the purposes of data processing can be found in the respective contract documents, forms, a declaration of consent and/or other information provided to you (e.g. in the context of the use of our website or our terms and conditions). In addition, this data protection information may be updated from time to time, as you may find out from our website www.kstw.de.
2.1 Purposes pursuant to fulfilment of an agreement or pre-contractual measures (Art. 6, section 1 b of the GDPR)
Personal data is processed in order to perform our contracts with you and execute your orders, as well as to carry out measures and activities within the framework of pre-contractual relations, e.g. with interested parties. In particular, the processing thus serves to provide services according to your orders and wishes and includes the necessary services, measures and activities. This essentially includes contract-related communication with you, the verifiability of transactions, orders and other agreements as well as quality control by means of appropriate documentation, goodwill procedures, measures to control and optimize business processes as well as the fulfilment of general duties of care, control and supervision by affiliated companies (e.g. parent company); statistical evaluations for corporate management, cost recording and controlling, reporting, internal and external communication, emergency management, accounting and tax assessment of operational services, risk management, assertion of legal claims and defence in the event of legal disputes; ensuring IT security (inter alia system and plausibility tests) and general security, including building and plant security, securing and exercising domestic authority (e.g. by means of access controls); guaranteeing the integrity, authenticity and availability of data, preventing and investigating criminal offences; control by supervisory bodies or supervisory authorities (e.g. auditing).
2.2 Purposes within the framework of a legitimate interest on our part or of third parties (Art. 6, section 1 f of the GDPR)
Above and beyond the actual fulfilment of the (pre-) agreement, we process your data whenever this is necessary to protect legitimate interests of our own or of third parties, in particular for the following purposes:
2.3 Purposes within the framework of your consent (Art. 6, section 1 a of the GDPR)
Your personal data can also be processed for certain purposes (e.g. use of company communication systems for private purposes; photographs/videos of you for publication in the Intranet/Internet) including as a result of your consent. As a rule, you can revoke this consent at any time. This also applies to the revoking of declarations of consent that were issued to us before the GDPR went into effect, i.e. prior to 25 May 2018. You shall be separately informed about the consequences of revocation or refusal to provide consent in the respective text of the consent.
Generally speaking, revocation of consent only applies to the future. Processing that takes place prior to consent being issued is not affected by such and remains lawful.
2.4 Purposes relating to adherence to statutory requirements (Art. 6, section 1 c of the GDPR) or in the public interest (Art. 6, section 1 e of the GDPR)
Just like any actor which takes part in business life, we are also subject to a large number of legal obligations. These are primarily statutory requirements (e.g. commercial and tax laws), but also if applicable supervisory law or other requirements set out by government authorities. The purposes of processing may also include identity and age checks, prevention of fraud and money laundering (e.g. comparisons with European and international anti-terror lists), compliance with control and notification obligations under tax law as well as the archiving of data for the purposes of data protection and data security as well as for purposes of audits by tax advisors/auditors, fiscal and other government authorities. In addition, it may be necessary to disclose personal data within the framework of official government/court measures for the purposes of collecting evidence, law enforcement and criminal prosecution or the satisfaction of civil law claims.
3. The categories of data that we process as long as we do not receive data directly from you, and its origin
If necessary for the contractual relationship with you and the activities performed by you, we may process data which we lawfully receive from other offices or other third parties (e.g. quality assessment or complaints by customers/suppliers/consumers). In addition, we process personal data that we have lawfully collected, received or acquired from publicly accessible sources (such as, for example, commercial registers and association registers, civil registers, the press, Internet and other media) if such is necessary and we are allowed to process this data in accordance with statutory provisions.
Relevant personal data categories may in particular be:
4. Recipients or categories of recipients of your data
At our company, your data is received by those internal offices or organisational units that need such to fulfil our contractual and statutory obligations or that require such data within the framework of processing and implementing our legitimate interests.
Your data is disclosed/passed on to external offices and persons solely
We shall moreover refrain from transmitting your data to third parties if we have not informed you of such separately. If we commission service providers within the framework of processing an order, your data will be subject there to the security standards stipulated by us in order to adequately protect your data. In all other cases, recipients may only use the data for purposes for which the data has been sent to them.
5. Length of time your data is stored
We process and store your data for the duration of our business relationship. This also includes the initiation of a contract (pre-contractual legal relationship) and the execution of a contract.
Above and beyond this, we are subject to various retention and documentation obligations that emanate inter alia from the German Commercial Code (HGB) and the German Tax Code (AO). The periods and deadlines for retention and/or documentation stipulated therein are up to ten years beyond the end of the contractual relationship or the pre-contractual legal relationship.
Furthermore, special statutory provisions may require longer retention such as for example the preservation of evidence in connection with statutory time-barring provisions (statute of limitations). Under §§ 195 ff. of the German Civil Code (BGB), the regular time-barred period is three years, but time-barred periods of up to 30 years may also be applicable.
If the data is no longer required to meet contractual or statutory obligations and rights, it is regularly deleted unless its further processing - for a limited period - is necessary to fulfil the purposes listed under number 2.2 due to an overriding legitimate interest. Such an overriding legitimate interest is deemed to be the case, for example, if it is not possible to delete the data as a result of the special type of storage or such is only possible at an unreasonably great expense and processing for other purposes is excluded by appropriate technical and organisational measures.
6. Processing of your data in a third country or through an international organisation
Data is transmitted to offices in countries outside the European Economic Area EU/EEA (so-called third states) whenever such is necessary to meet a contractual obligation towards you (e.g. if you are despatched to another country), such is required by law (e.g. notification obligations under tax law), such is in the legitimate interest of us or a third party or you have issued us your consent to such.
At the same time, your data may be processed in a third country including in connection with the involvement of service providers within the framework of the processing of the order. If no decision has been issued by the EU Commission regarding the presence of a reasonable level of data protection for the respective country, we warrant that your rights and freedoms will be reasonably protected and guaranteed in accordance with EU data-protection requirements through contractual agreements to this effect. We will provide you with detailed information on request.
You can request information on the suitable or reasonable guarantees, and on how and where to obtain a copy of these, from the company data-protection officer or the human resources department in charge of you.
7. Your data-protection rights
If certain conditions are met, you can assert your data-protection rights against us
Whenever possible, your applications for the exercise of your rights should be sent in writing to the address stated above or addressed directly to our data-protection officer.
8. Scope of your obligations to provide us your data
You only need to provide data that is necessary for the commencement and performance of the business relationship or for a pre-contractual relationship with us or the collection of which we are required by law. Without this data, we are generally not able to conclude the agreement or continue to perform such. This may also relate to data that is required later within the framework of the contractual relationship. If we request data from you above and beyond this, you shall be informed about the voluntary nature of the information separately.
9. Presence of an automated decision made in individual cases (including profiling)
We do not use any purely automated decision-making procedure as set out in Article 22 of the GDPR. If we do institute such a procedure in individual cases in the future, we shall inform you pursuant hereto separately if this is required by law.
Under certain circumstances, we may process your data in part with the aim of evaluating certain personal aspects (profiling).
In order to provide you with targeted information and advice on products, we may use evaluation tools. These enable a needs-oriented product design, communication and advertising including market and opinion research.
Information on your right of objection under Art. 21 of the GDPR
1. You have the right to file an objection at any time against processing of your data which is performed on the basis of Art. 6, section 1 f of the GDPR (data-processing on the basis of a weighing out of interests) or Art. 6, section 1 e of the GDPR (data-processing in the public interest). The precondition for this, however, is that there are grounds for your objection emanating from your special personal situation. This also applies to profiling that is based on this purpose in the meaning of Art. 4, no. 4 of the GDPR.
If you file an objection, we shall no longer process your personal data unless we can demonstrate compelling reasons warranting protection for the processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
2. We will also use your personal data in order to perform direct advertising. If you do not want to receive any advertising, you have the right to file an objection to such at any time. This also applies to the profiling to the extent that it is connected with such direct advertising. We shall respect this objection with effect into the future.
We shall no longer process your data for the purpose of direct advertising if you object to processing for this purpose.
The objection can be filed without adhering to any form requirements and should if possible be sent to
Kölner Studierendenwerk AöR
The use of the website of the Kölner Studierendenwerk AöR is possible without inputting personal data. However, if a user wants to use special services of the Kölner Studierendenwerk AöR online, processing of personal data could become necessary. This is the case on the website, for example, when using the online form in the Student Housing department to apply for a place in a hall of residence, for the informal application of the Student Financing department to apply for educational funding and for the general contact form. If the processing of personal data is necessary and if there is no legal basis for such processing, the Kölner Studierendenwerk AöR generally obtains the consent of the user and clearly informs the user of his/her revocation options.
The designer of the Kölner Studierendenwerk AöR website has implemented numerous technical and organisational measures to ensure the most complete protection of personal data. Nevertheless, Internet-based data transmissions may in principle have security vulnerabilities, so absolute protection cannot be guaranteed.
By means of a cookie, the information and offers on our website can be optimised for the user. Cookies enable us, as already mentioned, to recognise the users of our website. The purpose of this recognition is to make it easier for users to use our website.
The user can prevent the setting of cookies on our website at any time by means of an appropriate setting on the user’s Internet browser and thus permanently object to the setting of cookies. Furthermore, cookies that have already been set can be deleted at any time using the Internet browser or other software programs. This is possible on all common Internet browsers.
2. Collection of general data and information
The web servers of the Kölner Studierendenwerk AöR collect information each time a user or automated system calls up the website. This information or data is stored in the server's log files. The types and versions of browsers used, the operating system used by the accessing system, the website from which an accessing system accesses our website, the sub-websites that are accessed via an accessing system on our website, the date and time of access to the website, an Internet protocol address (IP address), the Internet service provider of the accessing system and other similar data and information that serve to avert danger in the event of attacks on our IT systems may be recorded.
When using this information, the Kölner Studierendenwerk AöR does not draw any conclusions about the user. Rather, this information is needed to deliver the contents of our website correctly, to optimise the contents of our website for them, to ensure the long-term functionality of our information technology systems and the technology of our website, and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyber attack. Therefore, the Kölner Studierendenwerk AöR analyses anonymously collected data and information on the one hand and, on the other hand, increases the data protection and data security of our enterprise, so that we can ultimately ensure an optimal level of protection for the personal data we process. The anonymous data of the server log files are stored separately from any personal data provided by a user.
3. Registration on our website
The user has the possibility to make inquiries via the website of the Kölner Studierendenwerk AöR by providing personal data. This personal data is thereby transmitted to the data officer, i.e. the Kölner Studierendenwerk AöR, resulting from the online form used by the user, i.e. you. The personal data entered by the user is collected and stored exclusively for internal use.
The Kölner Studierendenwerk AöR may arrange for the data to be passed on to one or more order processors, for example a service provider for the creation and evaluation of surveys about the Kölner Studierendenwerk AöR, who will also use the personal data exclusively for an internal use attributable to the Kölner Studierendenwerk AöR.
Furthermore, by using an online form on the website of the Kölner Studierendenwerk AöR, the IP address assigned by the Internet service provider (ISP) of the person concerned, the date as well as the time of use are stored. This data is stored because it is the only way to prevent misuse of our services and, if necessary, to enable us to investigate criminal offences that have been committed. In this respect, the storage of this data is necessary for the protection of the data officer. As a matter of principle, this data is not passed on to third parties unless there is a legal obligation to do so or the passing on serves the purpose of criminal prosecution.
The use of online forms by the users voluntarily providing personal data allows the Kölner Studierendenwerk AöR to be able to assign and process the request of the user. Those using the online form are free to change the personal data provided during use at any time or to have it completely deleted from the data bank, provided that its processing is not still necessary for the implementation of contractual or legal obligations (e.g. for the implementation of a housing tenancy in a student dormitory or the implementation of the Federal Training Assistance Act). For this purpose, it is sufficient to send an e-mail to firstname.lastname@example.org or otherwise contact the above-mentioned data protection officer.
The data officer shall provide any user at any time, upon request, with information about what personal data is stored about the user. Furthermore, the data officer shall correct or delete personal data at the request or notice of the user, provided that this does not conflict with any statutory retention obligations.
4. Contact possibility via the website
Based on statutory provisions, the website of the Kölner Studierendenwerk AöR contains information that enables a quick electronic contact to be established as well as direct communication with us, which also includes several general electronic mail addresses (e-mail addresses) (e.g. email@example.com, firstname.lastname@example.org, etc.). If a user contacts the officer by e-mail or by using a contact form, the personal data entered and transmitted by the user will be stored automatically. Such personal data transmitted on a voluntary basis by a user to the officer will be stored for the purposes of processing or contacting the user.
By contacting email@example.com the Data Protection Officer of the Kölner Studierendenwerk AöR or another employee will arrange the necessary changes for individual cases.
Also by contacting firstname.lastname@example.org the Data Protection Officer of the Kölner Studierendenwerk AöR or another employee will arrange any data restriction changes.
The IT designer has integrated components from the company Facebook on this website. Facebook is a social network. A social network is a social meeting place operated on the Internet, an online community that generally allows users to communicate with each other and interact in virtual space. A social network can serve as a platform for sharing opinions and experiences or enables the Internet community to provide personal or company-related information. Facebook enables users of the social network to create private profiles, upload photos and network via friend requests, among other things.
The operating company of Facebook is Facebook, Inc, 1 Hacker Way, Menlo Park, CA 94025, USA. If a user lives outside the USA or Canada, Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland is responsible for your personal data.
Each time a page of the website operated by the data controller on which a Facebook component (Facebook plug-in) has been integrated is called up, the Internet browser on the user’s operating system downloads the respective Facebook component automatically. A complete overview of all Facebook plug-ins can be found at developers.facebook.com/docs/plugins/. Within the scope of this operation, Facebook receives knowledge of which specific sub-page of our website is visited by the user.
If the user is logged in to Facebook at the same time, Facebook recognises which specific sub-page of our website the user is visiting each time the website is called up and for the entire duration of the stay on our website. This information is collected by the Facebook component and assigned by Facebook to the respective Facebook account of the user. If the user activates one of the Facebook buttons integrated on our website, for example the "Like" button, or if the user posts a comment, Facebook assigns this information to the personal Facebook user’s account and stores this personal data.
Facebook always receives information via the Facebook component that the user has visited our website if the user is simultaneously logged into Facebook at the time of calling up our website; this takes place regardless of whether the user clicks on the Facebook component or not. If the user does not want this information to be transmitted to Facebook, he or she can prevent the transmission by logging out of his or her Facebook account before calling up our website.
The data policy published by Facebook, which can be accessed at de-de.facebook.com/about/privacy/, provides information about the collection, processing and use of personal data by Facebook. It also explains which setting options Facebook offers to protect the privacy of the user. In addition, various applications are available that make it possible to suppress data transmission to Facebook, for example the Facebook blocker from the provider Webgraph, which can be obtained at webgraph.com/resources/facebookblocker/. Such applications can be used to suppress data transmission to Facebook.
The IT designer has integrated YouTube components on this website. YouTube is an Internet video portal that allows video publishers to post video clips free of charge and allows other users to view, rate and comment on them, also free of charge. YouTube allows the publication of all types of videos, which is why complete film and TV shows, but also music videos, trailers or videos made by users themselves can be accessed via the Internet portal.
The operating company of YouTube is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. YouTube, LLC is a subsidiary of Google Inc, 1600 Amphitheatre Pkwy, Mountain View, CA 94043-1351, USA.
Each time one of the individual pages of this website, which is operated by the controller and on which a YouTube component (YouTube video) has been integrated, is called up, the Internet browser on the user’s operating system automatically downloads a copy of the corresponding YouTube component from YouTube. Further information on YouTube can be found at www.youtube.com/yt/about/de/. Within the scope of this operation, YouTube and Google receive knowledge of which specific sub-page of our website is visited by the user.
If the user is logged into YouTube at the same time, YouTube recognises which specific sub-page of our website the user is visiting by calling up a sub-page that contains a YouTube video. This information is collected by YouTube and Google and assigned to the respective YouTube account of the user.
YouTube and Google always receive information via the YouTube component that the user has visited our website if simultaneously logged into YouTube at the time of calling up our website; this takes place regardless of whether the user clicks on a YouTube video or not. If the user does not want this information to be transmitted to YouTube and Google, he or she can prevent the transmission by logging out of his or her YouTube account before accessing our website.