This privacy policy applies to the central "E-Mail-Mailingslists" Service of the IT Center at RWTH Aachen University.

The "Email Mailinglists" service enables the sending of emails via mailinglists and the management of mailinglists via a web application interface.

I. Person Responsible for Data Processing (Data Controller)

The person responsible within the meaning of the General Data Protection Regulation and other national data protection laws of the member states as well as other data protection regulations is the:

Rector of RWTH Aachen University
Templergraben 55
52062 Aachen (physical address)
52056 Aachen (mailing address)
Telephone: +49 241 80 1
Fax: +49 241 80 92312
Email: rektorat@rwth-aachen.de
Website: www.rwth-aachen.de/rektorat

Responsible for operations

Contact details of the person responsible for technical operations:

Director of IT Center
RWTH Aachen University IT Center
Seffenter Weg 23
52074 Aachen
Telephone: +49 241 80 24680
Email: servicedesk@itc.rwth-aachen.de
Website: www.itc.rwth-aachen.de

II. Name and Address of the Data Protection Office

Contact details of the officially appointed Data Protection Office:

Data Protection Office of RWTH Aachen University D
Templergraben 83
52062 Aachen (physical address)
52056 Aachen (mailing address)
Germany
Telephone: +49 241 80 94114
Email: dsb@rwth-aachen.de
Website: www.rwth-aachen.de/dataprotection

III. E-Mail-Mailingslists

1. Subject Matter and Purpose of the Processing of Personal Data

The "E-Mail-Mailinglists" service of the IT Center at RWTH Aachen University enables the sending of emails via mailinglists, as well as the management of mailinglists through a website.

Users can subscribe to various free mailinglists. During registration, the data from the input form is transmitted to RWTH Aachen University. A valid email address is mandatory for subscribing to a mailinglist. Additional information, such as name, can be optionally provided.

There are four different subscription settings that can be configured for mailinglists:

• Open: Any user can subscribe to the mailinglist. No email address confirmation is required.
• Confirmation: Any user can register on the mailinglist but must confirm their email address via a separate email (Confirmation) from the mailinglist server by responding to the confirmation message.
• Moderation: Users can register themselves for the mailinglist, but their registration must be confirmed by a list moderator or administrator.
• Confirmation and Moderation: This configuration setting requires first confirmation by the subscriber and then confirmation by a list moderator or list administrator.

In addition to subscribing to mailinglists, users have the option of creating an account. With an account, users can view and manage their subscriptions, email addresses, and mailinglist settings. Creating an account is not mandatory for subscribers. However, it is mandatory for list administrators, as no permissions for managing a mailinglist can be assigned otherwise. Creating an account requires registration. A valid email address, username, and password must be provided. A confirmation email containing a confirmation link will then be sent to the specified email address, and registration can be completed by clicking on the link.

The following information can be stored in the profile if an account is created:

• Username
• Password
• First name
• Lastname
• Time zone
• Primary email address
• Additional email adresses
• Date of registration

Technically necessary information includes the username, password, and primary email address.The date of registration is determined automatically based on when the user created their account. Placeholders will be used for the other information if it has not been filled out by the user.

With an account, it is possible to configure personal settings.

1. Global: apply to all subscribed mailinglists
2. Adress-based: apply depending on the email address used
3. List-based: apply to each individual subscribed mailinglists.

Activities are logged when using the mailinglist system. The following data is automatically recorded for each action:

• Username
• IP adress of the client
• Time and date of the request
• Source of the request
• Action

Furthermore, RWTH Aachen University informs various groups of recipients through circular emails sent to specific addresses.

The archive function can be activated in the configuration of mailinglists. Messages sent to a mailinglist over a period of time can be saved in an archive and made available for reading or downloading. Users must be informed about archiving via the list information page or a notice in the email footer.

Data collected in the registration process will not be passed on to third parties. When you send a message to a mailinglist, all of its members may receive it. The data will be used exclusively for sending out emails and to be saved in archives (if set up).

2. Legal Basis for the Processing of Personal Data

The legal basis for the processing of data once a user has registered for mailinglists is, as long as the user's consent has been given, Art. 6 para. 1 lit. a GDPR. Users can revoke their consent to receive the mailinglist at any time by unsubscribing.

If RWTH Aachen provides information in the form of circular emails as part of its duties, the legal basis is Article 6(1)(e), paragraph 3 of the GDPR in conjunction with § 3(1) of the DSG NRW in conjunction with § 3(1) of the HG NRW

3. Deletion of Data and Duration of Storage

After subscribing to the mailinglist, you can unsubscribe at any time. To unsubscribe, click the corresponding link in the email or send an email to <list name>-leave@lists.rwth-aachen.de or <list name>-unsubscribe@lists.rwth-aachen.de. If you have created an account, you can delete it via the account settings. Deleting an account also deletes all mailinglist subscriptions.

The data will be deleted as soon as it is no longer needed to achieve the purpose of its collection. The data of the user are stored as long as they remain subscribed to the mailinglist or as long as their account is active.

IV. Provision of the Website and Generation of Log Files

1. Subject Matter and Purpose of the Processing of Personal Data

Each time you visit a website, information is exchanged between your device (such as a computer, tablet, or mobile phone) and the servers hosting the website to establish communication between your device and the website. Data about this process is temporarily stored in a log file each time you access the website.

The following data can be collected:

• Information on the browser and version used
• Information on the user’s operating system
• The user’s internet service provider
• The user’s IP address
• Date and time of access
• Websites from which the user's system is led to the RWTH Aachen University website
• Information on websites visited and files opened

The system temporarily stores the IP address to enable delivery of the website to the user's computer. For this purpose, the user’s IP address must remain stored for the duration of the session.

The data is used for the purpose of optimizing the website and to ensuring the safety of information technology systems. The data are not evaluated for marketing purposes in this context.

Each time you log in to Mailman, the information provided by the user is automatically stored in addition to the data mentioned above.

• Username and email address
• Time of login

The login data is used for correctly assigning and authorizing users, as well as for storing user settings.

Information about every email sent via the mailinglist service is stored in log files.

• Time of access
• Sender email address, including mail server information (IP and DNS)
• Recipient email addresses
• Bounce messages are received, processed, and forwarded to the list owner
• Additional email information, such as the subject line and headers.

Log data is processed to ensure the proper operation of websites, i.e., to detect, limit, or eliminate malfunctions or errors.

Moreover, the log data is processed for technical security purposes, particularly to protect against and defend against cyber attacks. This is done on the basis of Article 6(1)(e) and Article 32(1) of the GDPR.

2. Legal Basis for Data Processing

The legal basis for the temporary storage of data and log files is Article 6(1)(e), paragraph 3 of the GDPR in conjunction with § 3(1) of the DSG NRW in conjunction with § 3 of the HG NRW.

3. Deletion of Data and Duration of Storage

The data will be deleted as soon as it is no longer needed to achieve the purpose of its collection. Typically, data is deleted 14 days after its storage at the latest. It is possible that the data is stored for a longer period. In this case, the users’ IP addresses are deleted or anonymized, so that the client accessing the website can no longer be identified.

V. Use of Cookies

1. Description, Scope and Purpose of Data Processing

Mailman uses cookies. Cookies are text files that are saved in the user’s web browser or stored by the Internet browser on the user's computer system. If a user visits a website, a cookie may be stored in the user's operating system. This cookie contains a specific string of characters which makes it possible to identify the browser when the website is accessed again.

The only cookies that are stored are those that are technically necessary. These cookies identify a logged-in user via an anonymous ID for the current session in Mailman. Allowing this is necessary so that login and access permissions within Mailman are retained during the session.

2. Legal Basis for Data Processing

The legal basis for the processing of personal data using cookies is Article 6(1)(e), paragraph 3 of the GDPR in conjunction with § 3(1) of the DSG NRW in conjunction with § 3 of the HG NRW.

3. Duration of Storage, Possibility of Objection and Remedy

Cookies are stored on the user's computer and transmitted to our site. For this reason, the user have full control over the use of cookies and of LocalStorage. The user can deactivate or restrict the transmission of cookies by changing the settings of your browser. Cookies already stored on you computer can be deleted at any time. This can be done automatically as well. If cookies have been deactivated for our website, it may no longer be possible to use all functions of the website.

VI. Rights of the Data Subject

If the personal data of a person is being processed, they are considered a data subject according to the GDPR. Thus, they have the following rights vis-a-vis the data controller:

In accordance with Articles 15 et seq. of the GDPR, the data subject has the right to request information from the controller regarding the personal data concerned, under the conditions defined therein. The data subject also has the right to request rectification, deletion, or restriction of processing; the right to object to processing; and the right to data portability.

Additionally, the data subject has the right to lodge a complaint with the competent data protection supervisory authority in accordance with Article 77 of the GDPR, should they believe that the processing of their personal data violates this regulation.

If processing is based on consent from the data subject (see Article 6(1)(a) and Article 9(2)(a) of the GDPR), the data subject also has the right to withdraw consent at any time, which will only take effect for the future and will not affect the lawfulness of processing based on consent before its withdrawal.

To exercise these rights, the data subject should email servicedesk@itc.rwth-aachen.de.