en

Data protection policy

I. Introduction

As a center for evaluation and methods, it is part of our daily work to ask questions in order to provide answers to social science questions. We process your personal data exclusively on behalf of and for contacting you when answering research questions and always delete your personal contact data at the earliest possible date.

Responsible handling of personal data is a top priority for the Center for Evaluation and Methods. The protection of your personal data in accordance with the current state of the art, the applicable legal situation and the more far-reaching regulations of professional associations is the basis of our work. We want you to know when we collect which data and how we use it.

All employees of the Center for Evaluation and Methods undertake to maintain confidentiality when handling personal data. The legal provisions of European and German data protection law apply. The Center for Evaluation and Methods is a member of DeGEval - Gesellschaft für Evaluation e.V.

The aforementioned memberships oblige the Center for Evaluation and Methods to comply with professional codes of conduct that go beyond the legal requirements and specify how the requirements of data protection are to be implemented in the practice of market and social research. We take special precautions to ensure the security of data and the protection of respondents' privacy. The ICC/ESOMAR Code of Conduct and the Code of Ethics can be viewed at http://www.rat-marktforschung.de/startseite/. If you identify a breach of the Code of Conduct in our work, you can also submit a complaint there.

In the following, we would like to inform you about the type, scope and purpose of the collection and use of personal data. We want to do this in a precise, transparent and comprehensible manner. Should you have any further information requirements, queries or other feedback on our privacy policy, please do not hesitate to contact us!

II. Terminology used

Before we go into our processing process, the legal basis for our processing and your personal rights in this process in the following sections of the privacy policy, we want you to know what we are talking about. The definitions in Art. 4 GDPR are decisive for us. Accordingly, we use the following terms, among others:

Personal data” means any information relating to an identified or identifiable natural person (hereinafter ‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. (Art. 4 No. 1 GDPR)

Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. (Art. 4 No. 2 GDPR)

Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Art. 4 No. 7 GDPR)

Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. (Art. 4 No. 11 GDPR)

III. Name and address of the person responsible

The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is:

University Bonn

Zentrum für Evaluation und Methoden (ZEM)
Oxfordstr. 15
53111 Bonn

E-Mail: info@zem.uni-bonn.de
Internet: www.zem.uni-bonn.de

IV. Name and address of the data protection officer

The data protection officer of the controller is:

N.N.
Genscherallee 3
53113 Bonn
E-Mail: datenschutz@uni-bonn.de
Phone: + 49 (0)228 -73 – 6758
https://www.uni-bonn.de/en/data-protection-policy

V. General information on data processing

1. Scope of the processing of personal data

We only process the personal data of our users insofar as this is necessary to provide a functional website and our content and services. The processing of personal data of our users only takes place regularly with the consent of the user. An exception applies in cases where prior consent cannot be obtained for factual reasons and the processing of the data is permitted by law.

2. Legal basis for the processing of personal data

Insofar as we obtain the consent of the data subject for the processing of personal data, Art. 6 para. 1 lit. a) EU General Data Protection Regulation (GDPR) serves as the legal basis.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 para. 1 lit. b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.
Insofar as the processing of personal data is necessary to fulfill a legal obligation to which the University of Bonn is subject, Art. 6 para. 1 lit. c) GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d) GDPR serves as the legal basis.
If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the university, Art. 6 para. 1 lit. e) GDPR serves as the legal basis for the processing.

3. Data erasure and storage duration

The personal data of the data subject will be deleted or blocked as soon as the purpose of storage no longer applies. Data may also be stored if this has been provided for by the European or national legislator in EU regulations, laws or other provisions to which the controller is subject. The data will also be blocked or erased if a storage period prescribed by the aforementioned standards expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.

VI. Provision of the website and creation of log files

1. Description and scope of data processing

Each time our website is accessed, our system automatically collects data and information from the computer system of the accessing computer. 
The following data is collected:

  • Information about the browser type and version used
  • The user's operating system
  • The user's internet service provider
  • The IP address of the user (pseudonymized, shortened IP address)
  • Date and time of access
  • Websites from which the user's system accesses our website
  • Websites that are accessed by the user's system via our website (within *.uni-bonn.de, external referrers are not passed on)

The log files contain IP addresses or other data that enable an assignment to the user. This could be the case, for example, if the link to the website from which the user accesses the website or the link to the website to which the user switches contains personal data.

The data is also stored in the log files of our system. This data is not stored together with other personal data of users.

2. Purpose of data processing

Temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. 
The data is stored in log files to ensure the functionality of the website. We also use the data to optimize the website and to ensure the security of our information technology systems. The data is not analyzed for marketing purposes in this context.

3. Duration of storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected. In the case of the collection of data for the provision of the website, this is the case when the respective session has ended. 

If the data is stored in log files, this is the case after seven days at the latest. Storage beyond this period is possible. In this case, the IP addresses of the users are deleted or anonymized so that it is no longer possible to identify the accessing client.

4. Possibility of objection and removal

The collection of data for the provision of the website and the storage of data in log files are absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.

VII. Use of cookies

1. Description and scope of data processing

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. When a user accesses a website, a cookie may be stored on the user's operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again.

We use cookies to make our website more user-friendly. Some elements of our website require that the accessing browser can be identified even after a page change.

The following data is stored and transmitted in the cookies:

  • Language settings
  • Log-in information

We also use cookies on our website that enable an analysis of users' surfing behavior. The software Matomo (formerly Piwik) is used for this, details can be found below under point IX.

2. Legal basis for data processing

The legal basis for the processing of personal data using cookies for analysis purposes is Art. 6 para. 1 lit. a) GDPR if the user has given consent to this.

3. Purpose of data processing

The purpose of using technically necessary cookies is to simplify the use of websites for users. Some functions of our website cannot be offered without the use of cookies. For these, it is necessary for the browser to be recognized even after a page change.
We require cookies for the following applications:

  • Transfer of language settings

The user data collected by technically necessary cookies is not used to create user profiles.

Analysis cookies are used for the purpose of improving the quality of our website and its content. The analysis cookies tell us how the website is used, enabling us to constantly optimize our offering.

4. Duration of storage, objection and removal options

Cookies are stored on the user's computer and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.

VIII. YouTube

The website of the University of Bonn uses plugins from YouTube, which is operated by Google. The operator of the pages is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA.

When you visit one of our pages equipped with a YouTube plugin, a connection to the YouTube servers is established. This tells the YouTube server which of our pages you have visited.

If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account.

The use of YouTube is in the interest of an appealing presentation of our online offers.

Further information on the handling of user data can be found in YouTube's privacy policy at: https://www.google.de/intl/de/policies/privacy.

IX. Contact form and e-mail contact

1. Description and scope of data processing

There is a contact form on our website that can be used to contact us electronically. If a user makes use of this option, the data entered in the input mask will be transmitted to us and stored. These data are:

  • Uni-ID
  • E-mail address
  • Subject
  • Question

The following data is also stored at the time the message is sent:

  • The IP address of the user
  • Date and time of registration

As part of the data collection process, your consent is obtained for the processing of the data and reference is made to the privacy policy.
Alternatively, you can contact us via the e-mail address provided. In this case, the personal data of the user transmitted with the e-mail will be stored.
The data will not be passed on to third parties in this context. The data is used exclusively for processing the conversation.

2. Legal basis for data processing

The legal basis for the processing of the data is Art. 6 para. 1 lit. a) GDPR if the user has given consent.
If the e-mail contact is aimed at the conclusion of a contract, the additional legal basis for the processing is Art. 6 para. 1 lit. b) GDPR.

3. Purpose of data processing

The processing of the personal data from the input mask serves us solely to process the contact. 
The other personal data collected is used to prevent misuse of the contact form and to ensure the security of our information technology systems.

4. Duration of storage

The data will be deleted as soon as its storage is no longer necessary to achieve the purpose for which it was collected. For the personal data from the input screen of the contact form and the data sent by email, this is the case when the respective conversation with the user has ended. The conversation is ended when it can be inferred from the circumstances that the matter in question has been conclusively clarified.

5. Possibility of objection and removal

The user has the option of withdrawing their consent to the processing of personal data at any time. If the user only contacts us by email, they can also object to the storage of their personal data at any time; in such a case, however, the conversation cannot be continued.
All personal data stored in the course of making contact will be deleted in the event of revocation.

X. Web analysis through Matomo

1. Scope of the processing of personal data

We use the open source software tool Matomo (formerly PIWIK) on our website to analyze the surfing behavior of our users. The software places a cookie on the user's computer (for cookies, see above). If individual pages of our website are accessed, the following data is stored:

The software runs exclusively on the servers of our website. Users' personal data is only stored there. The data is not passed on to third parties.

  • Two bytes of the IP address of the user's accessing system
  • The website accessed
  • The website from which the user came to the accessed website (referrer)
  • The subpages that are accessed from the accessed website
  • The time spent on the website
  • The frequency with which the website is accessed

The software runs exclusively on the servers of our website. Users' personal data is only stored there. The data is not passed on to third parties. The software is set so that the IP addresses are not stored in full, but two bytes of the IP address are masked (e.g.: 192.168.xxx.xxx). In this way, it is no longer possible to assign the shortened IP address to the calling computer.

2. Purpose of data processing

The processing of users' personal data enables us to analyze the surfing behavior of our users. By evaluating the data obtained, we are able to compile information about the use of the individual components of our website. This helps us to constantly improve our website and its user-friendliness. By anonymizing the IP address, the interest of users in the protection of their personal data is taken into account.

3. Duration of storage

The data is deleted as soon as it is no longer required for our recording purposes. 
In our case, this is the case after 3 months.

4. Possibility of objection and removal

Cookies are stored on the user's computer and transmitted from there to our website. As a user, you therefore have full control over the use of cookies. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it may no longer be possible to use all functions of the website to their full extent.
We offer our users the option of opting out of the analysis process on our website. To do this, you must follow the corresponding link. In this way, another cookie is set on your system, which signals to our system not to store the data of the user. If the user deletes the corresponding cookie from their own system in the meantime, they must set the opt-out cookie again.
 
You can find more information on the privacy settings of the Matomo software at the following link:  https://matomo.org/docs/privacy/.

XI. Rights of the data subject

If your personal data is processed, you as the data subject within the meaning of the GDPR have the following rights vis-à-vis the controller:

1. Right to information

You can request confirmation from the controller as to whether personal data concerning you is being processed. 
If such processing is taking place, you can request the following information from the controller:

  • the purposes for which the personal data are processed
  • the categories of personal data that are processed
  • the recipients or categories of recipients to whom the personal data concerning you have been or will be disclosed
  • the envisaged period for which the personal data concerning you will be stored, or, if specific information on this is not possible, the criteria used to determine that period
  • the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the controller or a right to object to such processing
  • the existence of a right to lodge a complaint with a supervisory authority
  • all available information about the origin of the data if the personal data is not collected from the data subject
  • the existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject

You have the right to request information as to whether the personal data concerning you is transferred to a third country or to an international organization. In this context, you may request to be informed of the appropriate safeguards pursuant to Art. 46 GDPR in connection with the transfer.

If the data processing is carried out for scientific, historical or statistical research purposes, the right of access may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

2. Right to rectification

You have a right to rectification and/or completion of your data vis-à-vis the controller if the processed personal data concerning you is incorrect or incomplete. The data controller must make the correction without delay.
In the case of data processing for scientific, historical or statistical research purposes, your right to rectification may be restricted to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

3. Right to restriction of processing

Under the following conditions, you may request the restriction of the processing of personal data concerning you:

  • if you contest the accuracy of the personal data concerning you for a period enabling the controller to verify the accuracy of the personal data
  • the processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead
  • the controller no longer needs the personal data for the purposes of the processing, but they are required by you for the establishment, exercise or defense of legal claims, or
  • if you have objected to the processing pursuant to Art. 21 para. 1 GDPR and it is not yet certain whether the legitimate reasons of the data controller outweigh your reasons.

If the processing of personal data concerning you has been restricted, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
If processing has been restricted in accordance with the above conditions, you will be informed by the data controller before the restriction is lifted.

In the case of data processing for scientific, historical or statistical research purposes, your right to restriction of processing may be limited to the extent that it is likely to render impossible or seriously impair the achievement of the research or statistical purposes and the restriction is necessary for the fulfillment of the research or statistical purposes.

4. Right to erasure

a) Obligation to delete

You may request the data controller to erase the personal data concerning you without undue delay. The data controller is obliged to delete this data immediately if one of the following reasons applies:

  • The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed.
  • You revoke your consent on which the processing was based pursuant to Art. 6 para. 1 lit. a) or Art. 9 para. 2 lit. a) GDPR and there is no other legal basis for the processing.
  • You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR.
  • The personal data concerning you has been processed unlawfully.
  • The deletion of personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
  • The personal data concerning you have been collected in relation to the offer of information society services referred to in Art. 8 (1) GDPR.

b) Information to third parties

If the data controller has made the personal data concerning you public and is obliged to erase it pursuant to Art. 17 (1) GDPR, it shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform data controllers who process the personal data that you, as the data subject, have requested them to erase all links to this personal data or copies or replications of this personal data.

c) Exceptions

The right to erasure does not exist if the processing is necessary

  • for exercising the right of freedom of expression and information;
  • for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • for reasons of public interest in the area of public health pursuant to Art. 9 para. 2 lit. h) and i and Art. 9 para. 3 GDPR
  • for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 para. 1 GDPR, insofar as the right referred to in section a) is likely to render impossible or seriously impair the achievement of the objectives of that processing, or
  • for the establishment, exercise or defense of legal claims

5. Right to information

If you have exercised your right to rectification, erasure or restriction of processing vis-à-vis the controller, the controller is obliged to communicate any rectification or erasure of personal data or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You have the right vis-à-vis the controller to be informed about these recipients.

6. Right to data portability

You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data has been provided, where

  • the processing is based on consent pursuant to Art. 6 para. 1 lit. a) GDPR or Art. 9 para. 2 lit. a) GDPR or on a contract pursuant to Art. 6 para. 1 lit. b) GDPR and
  • the processing is carried out by automated means.

In exercising this right, you also have the right to obtain that the personal data concerning you be transmitted directly from one responsible person to another responsible person, insofar as this is technically feasible. The freedoms and rights of other persons must not be impaired by this.

The right to data portability does not apply to the processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7. Right of objection

You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on point (e) of Article 6(1) GDPR, including profiling based on those provisions. 

In the event of an objection, the controller will no longer process the personal data concerning you unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms or for the establishment, exercise or defense of legal claims.

In the case of data processing for scientific, historical or statistical research purposes pursuant to Art. 89 para. 1 GDPR, you also have the right to object to the processing of personal data concerning you on grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.

8. Right to revoke the declaration of consent under data protection law

You have the right to withdraw your declaration of consent under data protection law at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

9. Automated decision in individual cases including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

This does not apply if the decision

  1. is necessary for the conclusion or performance of a contract between you and the data controller
  2. is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. with your express consent.

However, these decisions may not be based on special categories of personal data pursuant to Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and appropriate measures have been taken to protect the rights and freedoms and your legitimate interests.

With regard to the cases referred to in (1) and (3), the data controller shall implement suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the EU General Data Protection Regulation. 
The supervisory authority to which the complaint has been submitted will inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy pursuant to Art. 78 GDPR.

The supervisory authority responsible for the University of Bonn is the

State Commissioner for Data Protection and Freedom of Information
Nordrhein-Westfalen
P.O. Box 20 04 44
40102 Düsseldorf
Phone: 0211/38424-0
Fax: 0211/38424-10
E-Mail: poststelle(at)ldi.nrw.de

XII. Surveys

1. Types of data processed

We process several types of personal data as part of our business activities. These are in detail:

  • Contact data (e.g. telephone numbers, names, e-mail addresses, postal addresses)
  • Content data (e.g. open text fields in all types of surveys)
  • Usage data (e.g. websites visited, interest in content, access times)
  • Meta/communication data (e.g. device information transmitted by the browser, IP addresses, call logs)

2. Categories of affected persons

Within our surveys, we process the personal data of different groups of people. These can be summarized in two superordinate groups:

a) Users

  • Participants in online, telephone or postal surveys
  • Applicants to the ZEM (by email or via the online form)
  • visitors and users of our websites, if applicable
  • possibly third parties who are invited to participate by participants in online surveys

b) Contact persons

  • Project-specific contact persons at ZEM (usually the responsible project managers)
  • General contact persons at ZEM (e.g. IT)
  • If applicable, project-specific and/or general contact persons at clients for whom we conduct online surveys

3. Purpose of the processing

  1. Conducting university evaluation surveys
  2. Conducting market and social research and evaluation surveys
  3. Answering contact inquiries and communicating with participants
  4. Security and maintenance measures

We would like to explain to you in detail what we mean by these points in the following paragraphs. First of all, we differentiate between how we collect your information. We collect and store the responses you send us to our surveys. Participation in a survey by the ZEM is generally voluntary. A distinction must be made between different types of surveys:

a) Anonymous online or telephone surveys:
Anonymous online surveys in which anyone who knows the survey link and is interested in the survey can take part.

In the case of anonymous surveys, it is generally possible to respond without providing personal data, such as your postal address. Depending on the questionnaire, we may wish to reward you for your willingness to participate or ask for your contact details for possible follow-up surveys. As soon as this is the case, we will strictly separate your contact details from your information in the questionnaire. In doing so, we will fully comply with the statutory information obligations under Art. 13 GDPR.

b) Personalized online, written or telephone surveys
Personalized online surveys to which you have been invited to participate, e.g. by e-mail or letter. These invitations contain an access code that only allows you personally to participate in a survey. Personalized telephone or postal surveys that we carry out on behalf of our clients and for which contact details have been provided to us by our clients.

As part of personalized surveys, we will send you an individual access code to an online questionnaire or a paper questionnaire by email or letter, for example, or call you on your landline or mobile phone number.
Depending on the survey project, your contact details may come from different sources, which we will always provide you with at the beginning of the survey in accordance with the statutory information obligations under Art. 14 GDPR.
For example, you may have voluntarily registered with us or our client to participate in a survey or you may have given us your contact details by telephone for the purpose of inviting you to participate in a survey. In the case of employee surveys, we have received your contact details from your employer.

In the case of surveys of companies, your contact details come from publicly accessible sources, have been provided to us by our client or we have requested your contact details during a call to your company.

If we have received your address from our client, we will process it within the framework of existing commissioned data processing in accordance with Section 11 BDSG (old) or within the framework of commissioned data processing in accordance with Art. 28 GDPR.

We may also reward you for your participation in this type of survey or invite you to take part in a follow-up survey or several follow-up surveys as part of the current research project. To do this, we will need to collect your contact details. As soon as this is the case, we will strictly separate your contact details from your details in the questionnaire. In doing so, we will fully comply with the statutory information obligations under Art. 13 GDPR.

Your consent to participate can be revoked at any time and without giving reasons. During the survey phase, your contact details and your personal access code will be stored separately from your questionnaire responses and can only be assigned to them by means of an automatically generated character or number sequence (so-called “pseudonymization”).

After completion of the survey project, your contact data and the assignment to the questionnaire responses will be deleted. It is then no longer possible to match the responses to the questionnaire with the respondents' contact details (so-called “anonymization”).
Any deviations from these principles and rules will be explicitly communicated to you in advance in exceptional cases.

Technical information that we receive about your access to our web servers

In addition to your content-related or personal details in online questionnaires, each of your accesses to a web server at ZEM is stored in a log file for a limited time with the following data:

  • Date and time of the request,
  • Request details and destination address,
  • name of the retrieved file and amount of data transferred,
  • IP address
  • Notification of whether the request was successful

This data is analyzed for statistical and security purposes and to rectify possible errors. We process this data on the basis of our legitimate interests pursuant to Art. 6 para. 1 lit. f. GDPR. GDPR, they are not linked to your details in the questionnaire. No personal evaluation or profiling takes place. However, we reserve the right to evaluate your IP address in the event of attacks on the ZEM Internet infrastructure.

In addition, our survey software also stores the following information in a log file for a limited period of time:

  • Date and time the questionnaire was called up and completed
  • Name of the survey called up
  • Status of the questionnaire on completion (“Completely processed” or “Interrupted”)
  • for personalized surveys: A pseudonym for linking survey responses and contact details

This data is also collected on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f. GDPR only for statistical purposes or to rectify possible technical errors and evaluated if necessary. In principle, no personal evaluation or profiling takes place.

The following data is automatically stored permanently together with your answers to a survey:

  • Date and time of the first questionnaire call and completion
  • Status of the questionnaire on completion (“Completed” or “Interrupted”)
  • Type of end device (desktop PC, tablet or smartphone)
  • For personalized surveys: A pseudonym for linking survey responses and contact details

After completion of a survey project and if no follow-up survey is planned, the link between survey responses and contact data is broken by deleting the contact data at the earliest possible point in time (“anonymization”, see also explanations on personalized surveys). You will usually be informed of this point in time at the beginning of the survey. If we are unable to provide you with a specific date, we will explain to you how the storage period is determined. This may be, for example, a variable project end date or contractual regulations for the acceptance of the anonymized survey results by our clients.

Meta/communication data

The following meta/communication data is collected as part of telephone surveys:

  • Date and time of the call
  • Result of the contact (e.g. “Participation refused” or “Interview completed”)
  • Telephone number called
  • for personalized surveys: A pseudonym to link survey responses and contact details
This data is collected on the basis of our legitimate interests in accordance with Art. 6 para. 1 lit. f. GDPR for statistical purposes and to rectify possible technical errors and stored temporarily. During the project duration of a telephone survey, this data may be used, for example, in the form of call times to support you in exercising your legal rights (such as the right to information in accordance with Art. 15 GDPR). Beyond this, no personal evaluation or profiling takes place.

4. Relevant legal bases

In accordance with Art. 13 GDPR, we inform you of the legal basis of our data processing. If the legal basis is not stated in the privacy policy, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 GDPR, the legal basis for processing for the performance of our services and implementation of contractual measures is Art. 6 para. 1 lit. b GDPR, the legal basis for processing to fulfill our legal obligations is Art. 6 para. 1 lit. c GDPR, and the legal basis for processing to protect our legitimate interests as a market and social research institute is Art. 6 para. 1 lit. f GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 para. 1 lit. d GDPR serves as the legal basis.

5. Cooperation with processors and third parties

All data received in the course of answering surveys is treated in strict confidence. Data logged when accessing online questionnaires will only be transmitted to third parties if we are obliged to do so by law or by court order or if this is necessary for legal or criminal prosecution in the event of attacks on the Internet infrastructure.

Questionnaire responses are only evaluated together with the information provided by other respondents in summarized (aggregated) form (e.g. as an average of all responses), published or passed on to third parties (e.g. our respective client or third parties authorized by them). We take care to ensure that no conclusions can be drawn about individual participants.

If we carry out a survey on behalf of a client and we are contractually obliged to pass on the survey data to the client or third parties authorized by the client, we only transmit the anonymized survey data. In individual cases and if the client is also a research institute and not, for example, a company that has customers or employees surveyed, we also transmit the additional survey data. The same data protection obligations apply there.

Personal data obtained in the course of answering surveys will not be passed on to third parties for commercial or non-commercial purposes without your express consent. This may play a role in the context of remuneration for survey participation, for example if the remuneration is paid out in the form of electronic vouchers.

If we commission third parties to process data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 GDPR.

6. Rights of the data subjects

Right of access of the data subject (Art. 15 GDPR): You have the right to know whether personal data concerning you is being processed by us. If this is the case, you have the right to receive further information about the processing and a copy of your personal data processed by us.

Right to rectification (Art. 16 GDPR): If we process incorrect personal data concerning you, you have the right to have this data corrected by us. If we process incomplete data, you have the right to request that we complete your data.

Right to erasure (“right to be forgotten”) (Art. 17 GDPR): You have the right to demand the immediate deletion of personal data concerning you.

Right to restriction of processing (Art. 18 GDPR): In accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data.

Right to data portability (Art. 20 GDPR): You have the right to receive the personal data concerning you that you have provided to us for processing. You can also request that we transfer this data to another controller.

Right to lodge a complaint with a supervisory authority (Art. 77 GDPR): You have the right to lodge a complaint with a competent supervisory authority.

7. Right of withdrawal

In addition to the aforementioned rights, you have the right under Art. 7 (3) GDPR to revoke any consent you have given us at any time in order to prevent future processing of your personal data.

8. Right of objection

Finally, you also have the right to object to the future processing of data concerning you in accordance with Art. 21 GDPR.

9. Deletion of data

As explained in the section “Rights of data subjects”, you have the right to request the erasure and restriction of personal data concerning you. Unless we have made any project-specific exceptions, we will delete your data as soon as it is no longer required for its original purpose of answering research questions. This will usually be the case when the anonymized survey results are sent to our clients. Possible exceptions are personal data for which there are statutory retention periods. For example, the retention periods for commercial letters and accounting documents are six years in accordance with Section 257 (1) of the German Commercial Code (HGB) (e.g. in the context of remuneration for survey participation) and, in accordance with Section 147 (1) of the German Fiscal Code (AO), documents relevant for taxation must be kept for ten years.

If we are obliged to retain data for this statutory retention period, your personal data cannot be deleted. However, we will ensure that the processing of this data is restricted, i.e. the data will be blocked and will not be stored for any purpose other than our statutory retention obligation.

10. Contacting us

If you wish to contact us, for example by calling project-specific telephone numbers or by e-mail or when exercising your rights as a data subject, your contact details will be stored by us in order to process the request until the matter has been clarified. Depending on the type of contact, this may take the form of an email or handwritten or digital notes. The data will not be passed on to third parties in this context. The data is used exclusively for processing the conversation. Your data will be deleted at the earliest possible time. We refer to Art. 6 para. 1 lit. f GDPR as the legal basis for this processing.