Data Protection Statements (Maintenance of data protection statements)
Privacy policy for Matrix — Center for Information Services and High Performance Computing (ZIH) — TU Dresden
For what purpose will personal data be processed?
“Matrix” is an open, decentralized communication service for real-time communication. In compliance with the relevant legal and statutory provisions on data protection and IT security, members and affiliates of the TU Dresden are enabled to communicate with members of this and other universities and other Matrix users (e.g. academic partners) via chat and audio/video telephony using their ZIH login. The aim of using groupware systems is to ensure and simplify organizational measures for the joint work of users, groups of people, teams and committees as well as communication management. Personal data is processed exclusively for the above-mentioned purposes.
Who is responsible for data processing and to whom can data subjects turn?
Responsible in the sense of Art. 4 No. 7 GDPR is the TU Dresden.
ZIH
Technische Universität Dresden CIDS - Center for Interdisciplinary Digital Sciences Department Information Services and High Performance Computing (ZIH) 01062 Dresden
Tel.: +49 (0)351 463-40000 Fax: +49 (0)351 463-42328 Email: servicedesk@tu-dresden.de
The data protection officer
The data protection officer of the TU Dresden Herr Jens Syckor 01062 Dresden
Tel.: +49 (0)351 463 32839 Fax: +49 (0)351 463 39718 Email: informationssicherheit@tu-dresden.de
Which personal data will be processed?
The processing includes the following 3 categories of personal data:
- Account information
- First and last name(s)
- Email address
- Matrix ID (generated from the ZIH login in the form @zihlogin:tu-dresden.de)
- Display name
- Profile picture
- Usage and content data
- rooms: memberships in private chats, group rooms or spaces
- content data: message, audio/video-data. Usually encrypted in a way that nobody without permission can access them. Unencrypted rooms are highlighted to the user
- uploaded files: uploaded files e.g. images are processed by the matrix-server without affecting the encryption
- device information: e.g. used operation system, type of device (Mobile/Desktop)
- Log data
- IP: last seen IP used by the client and timestamp
- Logs of matrix events (e.g. timestamp of events such as user enters a room, user leaves a room or sends a message)
- metadata: metadata is "information about information", which every systems needs to correctly process and categorize
The profile data (display name, email, photo) as well as the Matrix ID are visible to external parties through participation in the global Matrix network via the contact search.
What is the legal basis for the processing of personal data?
The legal basis for data processing for the above purposes is Art. 6 Abs. 1 UAbs. 1 lit. a GDPR (consent).
How long is personal data stored?
In accordance with § 15 (4) of the IT Regulations of the TU Dresden, personal data relating to the use of the service will be deleted no later than 15 months after the person concerned leaves the service or upon revocation.
The user contents according to 2. can be deleted by the users themselves at any time, an automated deletion is not possible on the part of ZIH.
Will personal data be transferred to third parties?
Unless otherwise provided by law, no transmission to third parties in the legal sense is made by TU Dresden when using Matrix.
What are the basic rights of data subjects?
-
Right to voluntary nature and revocation (Art. 7 (3) GDPR)
If the use of the services is based on consent, this consent can be revoked at any time in accordance with Art. 7 (3) GDPR with the consequence that the personal data of the person concerned will not be further processed. The lawfulness of the processing carried out on the basis of the consent until revocation remains unaffected.
-
Right to information (Art. 15 GDPR)
Data subjects have the right to obtain at any time information on the data processed concerning them and on the possible recipients of such data. They are entitled to receive a reply within a period of one month after submitting the request.
-
Right of correction, deletion and restriction (Art. 16 - 18 GDPR)
The persons concerned may at any time request TU Dresden to correct or delete their personal data or to restrict the processing of such data.
-
Right to data transferability (Art. 20 GDPR)
The persons concerned can demand that TU Dresden transfers their personal data to them in a machine-readable format. Alternatively, they may request that the personal data provided by you be transferred directly to another responsible party, as far as this is possible.
-
Right of objection (Art. 21 GDPR)
Data subjects may object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them.
-
Right of appeal (Art. 77 GDPR)
Data subjects can contact the data protection officer of the TU Dresden at any time and, in case of a complaint according to Art. 77 GDPR, the responsible supervisory authority for data protection, which is:
Sächsische Datenschutz- und Transparenzbeauftragte Frau Dr. Juliane Hundert Devrientstraße 5 01067 Dresden Tel.: +49 (0)351 85471-101 Fax: +49 (0)351 85471-109 Email: post@sdtb.sachsen.de
To make use of these rights, it is sufficient to notify the responsible person in text form (letter, e-mail or fax).