List of active policies
(last amended: 18/03/2021)
Personal data from you and about you is collected and processed in connection with the usage of the learning platform. These data are referenceable to you personally. Accordingly, we are obligated to inform you of what data is collected and processed and what your rights are concerning the collection and processing of your data. We employ adequate IT security infrastructure to ensure that only those internal individuals who require access to fulfil their work responsibilities have access to the data in question. Personal data are treated as confidential and are not made available publicly or otherwise to third parties without authorisation.
For purposes of better understanding, non-gender-inclusive language may be used in this data protection policy, all genders should be deemed implied.
THE DATA CONTROLLER
The data controller per the General Data Protection Regulation, national data protection laws of EU Member States and other data protection regulations is:
Munich Aerospace e.V. – Bavarian Research Network
Register of associations
number: VR 203205
Represented by the board of directors: Prof. Dr. Günter Hein, Prof. Mirko Hornung, Prof. Horst Baier, Prof. Klaus Drechsler, Prof. Dr. Johann Bals
Telephone: +49 (0)89 307484913
You may contact the data controller at any time regarding any questions related to data protection.
The following data are collected when using our learning platform:
2.1 Profile data
following data are mandatory in connection with your account profile:
· E-mail address
following course content data are additionally collected:
· Registration date
following content data are additionally collected by the system:
· Role: Attendee or lecturer
· Profile settings
following data are optional:
· Country, time zone
· Description, displayed in the user profile
· Image, image description
· Other names, e.g. pseudonym
· Personal interests, displayed as tags on profile page
· Website, ICQ, Skype, AIM, Yahoo, MSN, ID number
· Institution, department
· Phone, smartphone
· MoodleNet profile, as applicable: In such case the learning platform data are linked to your Moodle profile
· When you take the pre-course survey: Professional background, area of specialisation, region/country of origin, expectations for the course, experience with e-learning, how you heard of the course, comments (all data anonymised)
· When completing the course evaluation: Feedback and comments to optimise content and structure (anonymised)
2.2 Other content and usage data
(1) Usage data include information identifying the user, course start and ending data, specific usage information and data on offerings utilised by the user. Most data are entered by users themselves. These include data actively entered in chat forums, for example. Such data are thus known to you. Other data linked to your account are automatically created in test and exercise scoring or are entered by course supervisors/tutors.
following necessary course completion data are collected:
· Test results
· Course details
· Scoring overview including scores over time, learning objectives, individual scores, overall score
following data are additionally collected by the system
· Last course access date
· Login information (last login details, password, user name)
· Browser sessions
following data are non-mandatory:
· Group participation
· Chat/forum interactions
2.3 Protocol/diagnostic and log data
Diagnostic data (master, existing and tracking
data automatically recorded upon occurrence of an error) are collected for
purposes of maintaining and improving system stability, performance and
· Error message returned by the web server.
The website provider also automatically
collects and stores information in server log files which are automatically
forwarded to us by your browser. These include:
· Browser type and version
· Operating system used
· Referrer URL
· Access date and time
· IP address of accessing device
· HTML code and protocol type
· Technical data (date, time, device, traffic, IP numbers of websites visited and services used)
· Transferred data volume
· Status code of responding web server
2.4 Using the Moodle app
3. PURPOSES AND LEGAL BASIS OF DATA PROCESSING
account/profile data specified under item 2.1 points 1 and 2 are collected to
enable users to participate in the course and are mandatory in order to create
an account/profile enabling the attendance. The data specified under item 2.2
point 2 are likewise mandatory, being required for course scoring and
certificate issuance. Accordingly, the data is stored for the purposes of
· ensuring that enrollees are of legal age,
· conducting courses,
· course communications,
· providing and opening/downloading learning materials,
· communicating organisational information, e.g. dates/deadlines,
· allowing questions to be asked about course content,
· providing work results to course participants.
The legal basis for collecting such data is Art. 6 (1) b) GDPR.
(2) The data specified under item 2.1 point 3 are utilised in the assignment of services to individuals’ roles, granting or restricting access accordingly. This data is furthermore utilised to enable users to select their own settings, including settings relevant to data protection law. The same applies regarding the data specified under item 2.2 point 3, which the system collects to help avoid improper use.
The basis of data processing is Art. 6 (1) f) GDPR, providing for data processing in case of our legitimate interest therein. The purposes stated represent a legitimate interest.
(3) The data
specified under item 2.1 point 4 are for personalising your account,
facilitating more fully personal interaction and dialogue with other
participants, including via platforms other than this learning platform. The
same applies regarding the voluntary data and communication content specified
under item 2.2 point 4. Processing is carried out for the purposes of
· in-course and external communication,
· communicating organisational information, e.g. dates/deadlines,
· allowing questions to be asked about course content.
The legal basis for the collection and processing of personal data is your consent per Article 6 (1) a) GDPR. You grant consent by entering your data.
(4) In contrast, the questionnaires per item 2.1 point 4 are processed for statistical purposes and for course evaluation in the interest of ongoing course optimisation and quality assurance.
The legal basis for the collection and processing of personal data is your consent per Article 6 (1) a) GDPR.
data per item 2.3 are collected to ensure that
· these services and the processed data of all users are secure,
· steps can be taken in case of unauthorised use or illegal activity to identify the perpetrators and proceed appropriately with legal action.
(6) No automated decision-making, or profiling in particular, as per the GDPR takes place. Tests administered as part of a course may however be evaluated to ascertain that the required learning objectives to pass have been met. Tests are pre-scored automatically and reviewed by the lecturer. The course lecturer determines the test questions for a given course.
4. RECIPIENT CATEGORIES
4.1 Who has access to what?
(1) Courses are offered on the learning platform. Learning platform users are assigned course-specific roles and rights for course and course section management and content design, and may be allowed in some cases to grant corresponding access rights to others. User rights differ based on their assigned role.
(2) Most courses are non-public, i.e. accessible exclusively to a defined group of individuals.
(3) The owners of a course are usually the lecturers. They have full access rights for the courses they manage, having rights to post content and activities. They have access to the enrolment list and thus to the master data for all course participants, and to all content users create as part of the course (forum entries, test results, etc.). Course owners with editing rights are authorised to manage course sections, structure content and grant access.
(4) The contact persons regarding individual course sections are ‘managers’. Managers have course section rights and are able to create courses and course sub-sections, assign rights and help lecturers with classroom use and configuration. Thus they have the same or greater access rights within their area than course owners.
(5) Enrollees can access courses for which they have been approved by the course owner, and are able to post content (in forums) and take tests under the rules imposed by the course owner. They can view data including name, e-mail address (depending on participant settings), role, group, last course access details and the status of other course participants. Course participants do not have rights to design course content.
(6) Administrators are responsible for technical administration of the learning platform and have system-wide access rights. They have access to all data on the learning platform, including tracking data collected by the Leibniz Data Centre (LRZ). These rights are assigned exclusively to individuals with IT system support responsibility and to the support service provider.
4.2 Disclosure/transfer of data
Data are only disclosed/transferred in
accordance with applicable laws. We only disclose/transfer user data to third
parties as necessary, such as on contractual grounds or based on a legitimate
interest connected with ensuring our proper commercial business
operations. We take appropriate legal
precautions regarding any subcontractors we utilise to provide our services and
implement technical and organisational measures suitable for ensuring that
personal data are protected in accordance with applicable laws. Please be advised that an external provider
is responsible for maintenance and support and other services for the software
used to provide learning content and process learning activities/progress. We
have a data processing agreement per Art. 28 GDPR in place with such provider.
Accordingly, data may be transferred to the following third parties:
· The support service provider eLeDia GmbH, Mahlower Str. 23/24, 12049 Berlin, Germany,
· the web server and data centre provider Hetzner Online GmbH, Industriestr. 25D, 91710 Gunzenhausen, Germany,
· the e-mail service provider Artfiles News Media GmbH, Zirkusweg 1, 20359 Hamburg, Germany,
· investigative authorities (all data pertinent to the users concerned; personal user directory data only in cases of suspected criminal activity).
4.3 Data transfer to third countries
In some cases we utilise external service providers domiciled outside the European economic area to process your data. Personal data are transferred to Australia. The Commission has issued no adequacy decision per Art. 45 (3) GDPR in this regard. The standard contractual clauses of the European Commission have been contractually implemented with the data processor in modified form to ensure adequate data protection for our course participants. A data processing agreement has furthermore been concluded with the processor. We select these service providers with care, requiring information on their data protection standards, and placing the contract with them in writing. The service provider is bound to comply with our instructions. The service provider does not transfer these data to third parties, erasing such data following performance of contract and elapse of statutory retention periods, unless you have consented to storage beyond such deadlines.
5. DURATION OF STORAGE
(1) We adhere to the principles of data economy and data avoidance. This means that we only store data provided to us for the period necessary for the purposes specified above, and as under widely varying retention periods required by law. Where a given purpose no longer applies or the applicable period has elapsed, your data are automatically restricted from access or erased as required by law.
(2) Personal data are deleted from the system as soon as they are no longer required for the purpose for which they were collected, or when you declared withdrawal or objection, unless their retention is required by law.
(3) We have company-internal policies in place to ensure that these procedures are complied with.
The profile data per item 2.1 point 4 (with the
exception of the survey results) and the language preference are saved until
the profile or setting are deleted, or until consent withdrawal.
b) Survey results per item 2.1 point 4 are exclusively saved and included in statistics in anonymised form.
c) Profile data per item 2.1 point 3 are stored either until the profile is deleted or a course participant has lodged a valid objection.
d) As contractual data, in line with § 257 of German Commercial Code (HGB) we retain other profile data per item 2.1 points 1 - 2 (except the language preference setting) for a period of up to six (6) years after course completion, i.e. the date of certificate issuance, or six (6) years from the date of ceasing to work for us as a lecturer.
e) We store usage data per item 2.2. (2) for a period of up to six (6) years after course completion, i.e. the date of certificate issuance, and for lecturers for a period of up to six (6) years from the date of ceasing to work for us within the meaning of § 257 of German Commercial Code (HGB).
f) We store usage data per item 2.2. (3) for course participants until the end of the course, i.e. until certificate issuance, or sooner if a participant’s access is voided or a valid objection is filed.
g) Usage data per item 2.2. (4) are stored until the associated profile is deleted or a valid objection is filed. Note that deletion is not possible where such data are linked to forum contributions of other participants/lecturers.
h) Log/diagnostic data are deleted on a rolling basis after a period of six (6) months.
(4) Please note that on deactivation or deletion of a user account access to any courses, certificates or services will cease. It is the respective user’s responsibility to back up data after completing a course.
(1) This website utilises cookies. Cookies are small text files which are sent from a web server to your browser when you visit a website and stored locally on your device (PC, notebook, tablet, smartphone, etc.) and have the function of sending the data user, us, specific data.[BW2] Cookies are harmless for your computer, and do not contain viruses. Cookies contain a string of characters (cookie ID) that enables unique identification of the browser the next time the website is visited.
(2) We utilize cookies in order to make our website more user-friendly. Certain elements of our website require that the browser you are using remain identifiable after navigating to a different page.
employ the following cookies:
· Session cookies: These cookies are necessary to enable the learning platform to identify you across multiple page views without you having to authenticate or to log in again whenever you navigate to a different webpage. A cookie is placed when you first access the learning platform and remains on your device until you either log out of the learning platform or close your browser (you can change your local browser settings to prevent the latter). You may also remove the cookies from your browser or change the corresponding security settings on your PC. Session cookies are stored until exiting the website or completely closing all browsers.
· Usability cookies: Individual learning platform components utilise cookies to enhance user-friendliness, such as by saving the status of displayed or hidden website elements across multiple page views. These cookies remain stored until the website is exited or all browsers are closed.
browsers provide options for deleting and restricting the placement of cookies.
Please refer to the following websites for additional information:
· Internet Explorer: http://windows.microsoft.com/en-GB/windows7/How-to-manage-cookies-in-Internet-Explorer-9
· Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer?redirectlocale=en-US&redirectslug=Cookies
· Google Chrome: https://support.google.com/chrome/answer/95647?hl=en
· Safari: https://support.apple.com/de-de/HT201265
7. E-MAIL CONTACT
(1) You may also contact us via e-mail. In such case, personal data transmitted in the e-mail are saved. Where data on communication channels are concerned (e-mail address, phone number, etc.), you furthermore consent to us contacting you via the communication channel in question in order to respond to your inquiry. Such data is not being disclosed/forwarded to third parties. The data are used exclusively to respond to your inquiry.
(2) The legal basis for processing of data transmitted in sending an e-mail is Art. 6 (1) sentence 1 f) GDPR. If the e-mail is sent in order to conclude a contract, Art. 6 (1) sentence 1 b) GDPR also applies as legal basis for processing.
(3) We only use data stemming from your e-mail inquiries for the purpose for which you made the data available to us in contacting us. We will be pleased to respond to any questions you may have, and this represents a legitimate interest of ours.
(4) The data are deleted when no longer required for the purpose for which they were collected. This applies to personal data sent by e-mail when the respective interaction with the user has ended. An interaction has ended when it is apparent that the matter in question has been conclusively resolved. Where e-mail interaction occurs for performance of a contract, the data are deleted upon elapse of the applicable statutory retention period (under commercial or tax code).
(5) You can withdraw previously granted consent to the processing of an e-mail including e-mail content at any time. In such case, the interaction cannot continue. Please contact the data controller per § 1 as necessary in this regard. Withdrawal of consent is only an option however if the purpose of the e-mail interaction is not preparation for or performance of a contract.
8. USING THE FILEZILLA FTP CLIENT (FTP = FILE TRANSFER PROTOCOL)
(1) We use the FileZilla FTP client on our website, which enables the rendering of eLearning services. This is a free server and client software for data transmission. The product FileZilla is produced by Tim Kosse, Lukasstrasse 10, 50823 Cologne, Germany ("FileZilla"). Specifically, we utilise the client software. Data processing may occur on the basis of our legitimate interest in order to provide information on the latest version of the client software. The following data, for example, are concerned: software version, operating system, processor architecture.
(2) The data can be processed in anonymised form by FileZilla for statistical purposes on the basis of a legitimate interest therein. This does not enable personal referencing.
(3) Data processing occurs for the purpose of rendering the e-learning services and is necessary for the transferral of data.
(4) The legal basis is Art. 6 (1) f) GDPR.
(5) The data are not disclosed to FileZilla or any other third parties.
(6) The data are retained for the duration of the course.
9. RIGHTS OF DATA SUBJECTS
When your personal data are processed, you are a data subject within the meaning of the GDPR, thus having the following rights vis-à-vis the controller per § 1:
3. Restriction of processing
6. Data portability
7. Objection to processing
8. Withdrawal of data privacy consent
9. Right to not be subject to automated decision-making
10. Right to lodge a complaint with a supervisory authority
9.1 Right to information
(1) You can demand confirmation from us of whether we process personal data concerning you. If such processing is taking place, you can demand information from us free of charge on what personal data of yours is stored as well as the following additional information:
The purposes for which personal data are
b) the categories of personal data processed,
c) the recipients or categories of recipients to whom the personal data concerning you have been/will be/are being disclosed,
d) planned duration of the retention of personal data concerning you, or the criteria for determining the retention period if the former is unknown,
e) your rights to rectification or erasure of your personal data, to restriction of processing by the controller and to object to processing,
f) your right to lodge a complaint with a supervisory authority,
g) the right to receive all available information concerning the source of personal data not collected from the data subject,
h) whether automated decision-making, including profiling, per Art. 22 (1) and (4) GDPR are performed, and if so and otherwise as applicable, relevant information on the logic employed and the scope of such processing and its intended impact on the data subject.
(2) You have the right to receive information on whether your personal data is transferred to a third country or to an international organisation. In connection therewith you may demand information regarding the effective data transfer guarantees in place per Art. 46 GDPR.
9.2 Right to rectification
You have the right to prompt rectification and/or completion if your personal data we processed are incorrect or incomplete.
9.3 Right to restriction of processing
(1) If the following conditions are met, you may demand that your personal data be restricted from processing without delay:
If you dispute the accuracy of personal data
concerning you for a period of time during which it is possible for the
controller to review its accuracy,
b) if processing is unlawful and you object to erasure of the personal data, demanding instead that the personal data be restricted from processing[BW3] ,
c) if the controller no longer requires the personal data for processing purposes but you need the data in order to assert, exercise or defend legal claims, or
d) if you have objected to processing in accordance with Art. 21 (1) GDPR and it has not yet been determined whether our legitimate interests outweigh your reasons.
(2) If your personal data have been restricted from processing, such data may – apart from its storage – only be used with your consent or for the purposes of asserting, exercising, or defending legal claims or protecting the rights of another natural or legal person, or for important reasons of public interest to a European Union nation or Member State. If restriction of processing rights is limited pursuant to the above, we will inform you before an implemented restriction from processing is lifted.
(3) Restriction from processing may mean that you are no longer able to access the learning platform and/or attend a course, or that documentation of course credits, certificates, etc. may no longer be providable.
9.4 Right to erasure
(1) You have the right to demand that we erase your personal data without delay if any of the following applies:
The personal data concerning you are no longer
necessary for the purposes for which they were collected or otherwise
b) You withdraw consent to processing per Article 6 (1) a) or Article 9 (2) a) GDPR and no other legal basis for processing exists.
c) You object to processing in accordance with Art. 21 (1) GDPR and there is no overriding legitimate interest in processing, or you object to processing in accordance with Art 21 (2) GDPR.
d) The personal data concerning you have been processed unlawfully.
e) The erasure of your personal data is necessary to fulfil a legal obligation under EU law or the law of Member States to which the controller is subject.
f) Your personal data was collected in connection with offered information society services per Art. 8 (1) GDPR.
(2) If we have made personal data concerning you public and are obligated to erase such data pursuant to Article 17 (1) GDPR, we will take technical and other measures which are adequate in view of the state of technology and cost of implementation so as to enable the notification of the data controller who processes the personal data that you as data subject have demanded the erasure of all links to such personal data and all copies and replications thereof.
(3) Right to erasure does not accrue if processing is necessary
to exercise the right of free speech and/or
rights to information,
b) to fulfil a legal obligation that requires processing by Union or Member State law to which we are subject, or for the performance of a task carried out in the public interest or in exercise of official authority vested in us,
c) for reasons of public interest in the area of public health in accordance with points and (i) of Article 9 (2) as well as Article 9 (3) GDPR,
d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89 (1) GDPR in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing), or
e) for the establishment, exercise or defence of legal claims.
(4) When erasure, restriction of processing or withdrawal rights are exercised, the usability of the learning platform is no longer guaranteed with immediate effect, nor access to learning content stored thereupon, nor the ability to participate in platform activities or utilise platform functionalities. Depending on the course format and usage by the individual course owners, course participation may also be thereby affected as well as coordination with lecturers and participants, the ability to take part in mandatory or other non-mandatory events and/or receive course credit documentation or other study records.
9.5 Right to notification
If you have asserted your right to rectification, erasure or restriction from processing with us, we are obligated to notify all disclosure recipients of the personal data concerning you of the rectification or erasure made or and/or of restricting of the data from processing unless such proves impossible or involves disproportionate effort. You have the right to require us to notify you of such recipients.
9.6 Right to data portability
(1) You have the right to receive the personal data concerning you which you have provided to us in a structured, commonly used and machine-readable format. You further have the right to transferral of this data to another controller to whom the personal data have been provided, which we may not impede, if
processing is based on consent pursuant to
point (a) of Article 6 (1) or point (a) of Article 9 (2) or on a contract
pursuant to point (b) of Article 6 (1), and
b) processing is carried out by automated means.
(2) In exercising this right to data portability you furthermore have the right to have the personal data transmitted directly from one controller to another, where technically feasible. The freedoms and rights of others may not be thereby adversely affected.
(3) Exercising the right to data portability shall not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
(4) The data subject can contact us at any time ordering to exercise the right to portability.
9.7 Right to object
(1) You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) or (f) of Article 6 (1), including profiling based on those provisions.
(2) We will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing which override your interests, rights and freedoms, or as necessary for the establishment, exercise or defence of legal claims.
(3) In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.
(4) The data subject can contact us directly in order to exercise the right to object.
(5) Such objection may mean that you are no longer able to access the platform and/or take a course, or that documentation of course credits, certificates, etc. may no longer be providable.
9.8 Right to withdrawal of data privacy consent
(1) You have the right to withdraw your previously granted data privacy consent at any time. Withdrawing consent does not affect the legality of processing performed on the basis of consent prior to withdrawal thereof. You may contact us regarding this right.
(2) Withdrawal may mean that you are no longer able to access the platform and/or take a course, or that documentation of course credits, certificates, etc. may no longer be providable. If processing occurs in connection with an employment contract, your right of withdrawal may be limited.
9.9 Subjection to automated decision-making and profiling
(1) You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly affects you significantly. The above does not apply where the decision
is necessary for the conclusion or performance
of a contract between you and us,
b) is legal under EU or Member State law to which the controller is subject, as long as such law lays down suitable measures to safeguard your rights and freedoms and legitimate interests, or
c) is made with your express consent.
(2) These decisions may not however be based on special categories of personal data as per Article 9 (1) GDPR unless point (a) or (g) of Article 9 (2) GDPR applies and suitable measures to safeguard your rights, freedoms and legitimate interests are in place.
(3) Respecting the cases per points (1) and (3) we take appropriate measures to uphold your rights, freedoms and legitimate interests, including at a minimum your rights to human review by a person within our organisation, to have your view heard and to contest the decision.
(4) Data subjects wishing to assert rights in regard of automated decision-making may contact us at any time.
9.10 Right to lodge a complaint with a supervisory authority
Irrespective of any other administrative or court appeal possibilities, you have the right to lodge a complaint with a supervisory authority, including particularly the authority competent for the Member State of your residence, at your place of work or at the place of the alleged violation, if you believe that your personal data are being processed in breach of the GDPR. The supervisory authority with which a complaint is lodged informs the complainant of the status and the results of the complaint, including the possibility of judicial remedy per Art. 78 GDPR. The competent authority in our case is the
Bavarian State Office for Data Protection
11. Special provisions regarding Russia
The following applies regarding users who are residents of the Russian Federation:
Russian citizens residing in Russia are expressly advised that you bear all risk and responsibility in connection with any personal data you provide us with via our website. You furthermore agree not to hold us responsible for any possible violation of the law of the Russian Federation.