Data Protection Statements (Maintenance of data protection statements)
Data protection declaration for Sophos and GLPI — Center for Information Services and High Performance Computing (ZIH) — TU Dresden
Information obligation according to Article 13 GDPR for the Endpoint Security software solution
For what purpose will personal data be processed?
The data processing shall be carried out for the purpose of averting threats to TU Dresden’s information technology systems according to § 1 of the Saxon Information Security Act (SächsISichG). Furthermore, audit data from employees who serve as system administrators will be processed to ensure secure system administration.
Who is responsible for data processing and who can data subjects contact?
TUD-CERT
Visiting address: Tillich-Bau, 16/18 Helmholtzstraße 6/8 01062 Dresden
Postal address: TUD Dresden University of Technology TUD-CERT 01062 Dresden
Tel: +49 351 463-40500Fax+49 351 463-39718 E-Mail: cert@tu-dresden.de Office hours: Monday to Friday:08:00 - 16:00
Data Protection Officer
Mr Jens Syckor Data Protection Officer
Visiting address: Tillich-Bau, EG Zimmer 17 Helmholtzstr. 6-8 01062 Dresden
Tel: +49 351 463-32839 E-Mail: informationssicherheit@tu-dresden.de
What is the legal basis for the processing of personal data?
The legal basis for the purpose of averting danger is Art. 6 para. 1 subpara. 1 lit. e, para. 3 GDPR in conjunction with. §§ 12,13 SächsISichG.
The legal basis for the purpose of secure system administration is Art. 6 subpara. 1 lit. e, para. 3 GDPR in conjunction with. § 3 para. 1 Saxon Data Protection Implementation Act (SächsDSDG).
The legal basis for sending system-relevant information is § 11 para 1 SächsDSDG.
What personal data will be processed?
Protocol data within the meaning of § 3 para. 9 of the SächsISichG will be processed. This contains the following data, which may be personal: usernames, IP addresses, MAC addresses, process names, application names, browser add-ons, file hashes, file paths, host names, ports, URLs, system events and logs, and machine IDs.
The username of the administrator and the associated log data, e.g. adjustments to system settings, as well as the time specification will be processed as audit data.
For the purpose of sending system-relevant information to the responsible IT staff, their e-mail address will be processed.
How will personal data be processed and how long will it be stored?
The personal protocol data may be stored beyond the period required for the automated evaluation, but for no longer than 90 days, provided that the requirements pursuant to § 13 para. 2 sentence 1 no. 1 or 2 SächsISichG are met. Data will be stored for up to 90 days only on the device or server. Selected protocol data from this local data store that is required for averting threats is stored in the Sophos Data Lake in Sophos Central for a maximum of 90 days.
Audit data will be stored on Sophos Central for 90 days.
The email addresses of IT personnel will be processed for as long as system access is required for this group of persons due to their activities.
Are data processors contracted or will personal data be transferred to third countries?
TU Dresden uses the Sophos data processor for the purpose of data processing. Data is therefore stored exclusively in the EU. Personal data may be transferred to the United Kingdom or to Sophos Affiliates (offices worldwide) for technical support purposes only. This will only be done with the explicit approval of TU Dresden in individual cases.
Information on the right of objection pursuant to Art. 21 para. 1 GDPR
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data relating to you which is carried out on the basis of Art. 6 para. 1 subpara. 1 lit. e GDPR, at any time. The controller shall no longer process the personal data unless they can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defense of legal claims.
What general rights do data subjects have?
Right of access to personal data (Art. 15 GDPR) You have the right to obtain information on the data processed concerning your person, as well as the possible recipients of this data, at any time. You are entitled to a reply within one month after the responsible party receives the request for information.
Right to rectification, erasure and restriction (Art. 16–18 GDPR) You may request that TU Dresden correct or erase your personal data and/or restrict its processing at any time.
Right of appeal (Art. 77 GDPR) You can contact TU Dresden's Data Protection Officer (see above) at any time and, in the case of a complaint pursuant to Art. 77 GDPR, the responsible supervisory authority for data protection. Responsible supervisory authority: Saxon Data Protection and Transparency Commissioner Dr. Juliane Hundert Devrientstraße 5 01067 Dresden Tel.: +49 351 85471 101
Email: post@sdtb.sachsen.de Web: www.datenschutz.sachsen.de
However, you can also submit your complaint to any other data protection supervisory authority, in particular in the Member State where you live, where you work or where the alleged infringement occurred.
Note: To claim your rights, it is sufficient to notify the responsible person in writing (email, letter). However, the rights can only be exercised if the processed data allows for the identification of your person.