Data Protection Statements (Maintenance of data protection statements)
Privacy Policy for Matrix — Center for Information Services and High Performance Computing (ZIH) — CIDS
For what purpose will personal data be processed?
“Matrix” is an open, decentralized communication service for real-time communication. In compliance with the relevant legal and statutory provisions on data protection and IT security, members and affiliates of the TUD Dresden University of Technology are enabled to communicate with members of this and other universities and other Matrix users (e.g. academic partners) via chat and audio/video telephony using their ZIH login. The aim of using groupware systems is to ensure and simplify organizational measures for the joint work of users, groups of people, teams and committees as well as communication management. Personal data is processed exclusively for the above-mentioned purposes.
Who is responsible for data processing and to whom can data subjects turn?
Responsible in the sense of Art. 4 No. 7 GDPR is TUD Dresden University of Technology.
Responsible Department
Technische Universität Dresden
CIDS - Center for Interdisciplinary Digital Sciences
01062 Dresden
Tel.: +49 (0)351 463-40000
Email: servicedesk@tu-dresden.de
Data Protection Officer
Data Protection Officer of the TUD Dresden University of Technology
Mr Jens Syckor
01062 Dresden
Tel.: +49 (0)351 463-32839
Email: informationssicherheit@tu-dresden.de
Which personal data will be processed?
The processing includes the following 3 categories of personal data:
- Account information
- First and last name(s)
- Email address
- Matrix ID (generated from the ZIH login in the form @zihlogin:tu-dresden.de)
- Display name
- Profile picture
- Usage and content data
- rooms: memberships in private chats, group rooms or spaces
- content data: message, audio/video-data. Usually encrypted in a way that nobody without permission can access them. Unencrypted rooms are highlighted to the user
- uploaded files: uploaded files e.g. images are processed by the matrix-server without affecting the encryption
- device information: e.g. used operation system, type of device (Mobile/Desktop)
- Log data
- IP: last seen IP used by the client and timestamp
- Logs of matrix events (e.g. timestamp of events such as user enters a room, user leaves a room or sends a message)
- metadata: metadata is "information about information", which every systems needs to correctly process and categorize
The profile data (display name, email, photo) as well as the Matrix ID are visible to external parties through participation in the global Matrix network via the contact search.
What is the legal basis for processing personal data?
The legal basis for the processing of personal data for the above-mentioned purposes is Art. 6 para. 1 subpara. 1 lit. e, para. 2 and 3 GDPR in conjunction with. §§ 14 para. 1 and 3 SächsHSFG in conjunction with. §§ 2 to 18 SächsHSPersDatVO as well as the respective regulations of TUD Dresden University of Technology.
How long is personal data stored?
In accordance with § 15 (3) of the IT Regulations of the TUD Dresden University of Technology, personal data relating to the use of the service will be deleted no later than 15 months after the person concerned leaves the service or upon revocation.
The user contents according to 2. can be deleted by the users themselves at any time, an automated deletion is not possible on the part of ZIH.
Will personal data be transferred to third parties?
Unless otherwise provided by law, no transmission to third parties in the legal sense is made by TUD Dresden University of Technology when using Matrix.
What are the basic rights of data subjects?
-
Right to voluntary nature and revocation (Art. 7 (3) GDPR)
If the use of the services is based on consent, this consent can be revoked at any time in accordance with Art. 7 (3) GDPR with the consequence that the personal data of the person concerned will not be further processed. The lawfulness of the processing carried out on the basis of the consent until revocation remains unaffected.
-
Right to information (Art. 15 GDPR)
Data subjects have the right to obtain at any time information on the data processed concerning them and on the possible recipients of such data. They are entitled to receive a reply within a period of one month after submitting the request.
-
Right of correction, deletion and restriction (Art. 16 - 18 GDPR)
The persons concerned may at any time request TUD Dresden University of Technology to correct or delete their personal data or to restrict the processing of such data.
-
Right to data transferability (Art. 20 GDPR)
The persons concerned can demand that TUD Dresden University of Technology transfers their personal data to them in a machine-readable format. Alternatively, they may request that the personal data provided by you be transferred directly to another responsible party, as far as this is possible.
-
Right of objection (Art. 21 GDPR)
Data subjects may object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them.
-
Right of appeal (Art. 77 GDPR)
Data subjects can contact the Data Protection Officer of TUD Dresden University of Technology at any time and, in the case of a complaint under Art. 77 GDPR, a supervisory authority for data protection. The responsible supervisory authority for TUD Dresden University of Technology is:
Sächsische Datenschutz- und Transparenzbeauftragte
Frau Dr. Juliane Hundert
Maternistraße 17
01067 Dresden
Email: post@sdtb.sachsen.de
Telephone: +49 (0)351 85471-101
www.datenschutz.sachsen.de
To exercise these rights, notification in text form (letter or email) to the controller is sufficient.