Data protection

The data protection officer does not protect data, but persons from the violation of their personal rights guaranteed by fundamental law through the incorrect or unlawful handling of their personal data.

Last modified: 22 January 2024 - Status: In progress

Current notes

  • [03 Jan 2023] New: The DPO Data Protection Tools. The tools (in English and German) currently include a contact form, an annotated RPA (record of processing activities) generator, and an annotated breach reporter. Shibboleth is used for authentication.

  • [02 Nov 2022] An alternative to Zoom and recommendation of the DPO: The BigBlueButton video conferencing system.

  • [04 Oct 2022] Video of the University of Bielefeld: Data Protection Basic Model ("Wimmelbild")

  • [28 Jul 2022] Data transfer to third countries (especially the USA): The HBDI issues the following notice to all public and non-public bodies in Hesse that use data processing systems involving the transfer of personal data to third countries as defined in Chapter V of the General Data Protection Regulation (GDPR). This concerns video conferencing, collaboration, database and other cloud services with storage location in a third country.

  • [06 Jul 2022] Data protection for children: BfDI publishes videos on Pixi knowledge

  • [06 Jul 2022] New (FAQ): What is the difference between a joint controller and a data processor?

Data protection officer

Sabine Sors-Eisfeld
Tel.: +49 561 804-7036

Deputy: Daniel Bischof
Tel.: +49 561 804-2011

FAQ: Entry into force of the HDSIG (Hessian data protection law) and the GDPR

  • No, unless you should have been concerned even before the GDPR came into force. Please also read the summary of the "Forum Privatheit" on the GDPR.
  • The management of the University of Kassel is responsible for compliance with data protection regulations. The latter may also be liable for violations. You personally can (as before) only be held responsible if you process personal data that is not generally accessible without being authorized to do so, or obtain it by providing incorrect information, and in doing so act in return for payment or with the intention of enriching yourself or another or harming another (Section 37 HDSIG, criminal offense). According to § 38 HDSIG, you may also be fined if you process personal data for purposes other than those for which it was transmitted (administrative offense). It is hard to imagine that the former (§ 37) happens to you "by mistake". In the case of the latter (Section 38), it helps to pay attention and, if in doubt, to ask the data protection officer.
  • If you receive an instruction of questionable permissibility under data protection law, you can (as in any other matter of data protection) call in the data protection officer directly and at any time. The data protection officer is bound to secrecy (Section 6, Paragraph 4 HDSIG).
  • You are welcome to use the entry into force of the new legal provisions as an opportunity to take a critical look at the data inventories in your own area: What contains is personal data? Is processing permitted by law or consent (see below)? If not: Delete or anonymize. If in doubt, contact the DPO.
  • If you work with the content management system and publish content on, you should take special care to ensure that no personal data is visible that should not (or no longer) be there. In the past, there have been repeated complaints about old examination lists, term papers and the like.
  • No. If someone sends you an e-mail or hands you their business card, you can consider this as implied consent to "processing".
  • However, where to draw the line on this "processing" is often a matter of considerable debate. Example: If someone gives you their business card, the person probably has no problem with you "storing" the contact information not only in your wallet, but also on your computer. However, if you "upload" the contact data (possibly in combination with other data such as an image or date of birth) from your computer to a third party's cloud (Google Contacts, WhatsApp, etc.), many people will already consider this crossing a line. You should therefore avoid doing so.
  • The previous procedure directory was replaced with the General Data Protection Regulation's Record of Processing Activities (RPA). Procedure directories created in the past retain their validity. However, it must be checked whether the (additional) information required by the GDPR is included. If yes, there is nothing to be said against the continuation of existing old procedure directories.

  • The data protection impact assessment (DPIA) has taken the place of the "prior check" in accordance with the HDSG (the predecessor of the HDSIG). The DPIA is a special procedure for describing, assessing and mitigating high risks to the rights and freedoms of natural persons when processing personal data. A DPIA is not required for processing operations that are still carried out in the same way as as they were when a "prior check" was done. Conversely, this also means that a DPIA must be carried out for any data processing whose implementation conditions (scope, purpose, personal data collected, identity of controllers or recipients, data retention period, technical and organizational measures, etc.) have changed since a "prior check" and which are likely to present a high risk.

FAQ: Basic information on data protection

  • Personal data are individual details about personal and factual circumstances of a specific or (with additional knowledge) determinable natural person (e.g. name, address, date of birth, nationality, profession, title, denomination, personnel number, matriculation number, ID card number, marital status, telephone number, fax number, vehicle registration number, income, debts, illnesses, assessments, report card grades and pictures as well as biometric data of the person).
  • Certain personal data enjoy special protection (racial and ethnic origin, political opinions, religious or ideological beliefs, trade union membership, health data, etc.). Such data may either not be processed at all or special conditions are imposed on the processing.
  • A processing operation is pretty much anything you can do with personal data, including but not limited to simply storing or transmitting it (e.g., by "uploading" it to social media).
  • Personal data may in principle only be processed
    • within the university or
    • at external service providers with whom the university has concluded a data processing agreement.
  • "Anonymous" means that it is no longer possible to establish a reference to a person from a given data set (e.g., a survey) (or that this would be disproportionately costly; the proportionality of this will be the subject of an examination in case of doubt).
  • "Pseudonymous" means that a reference to a person can be re-established if additional knowledge is available (e.g., a list of identifiers and the corresponding plain names).
  • If a data set is anonymous (or has been effectively anonymized), the regulations for data protection no longer apply. You can then use the data as you wish (at least as far as data protection is concerned).
  • The processing of personal data is prohibited unless it is permitted. Permission may result either from an applicable legal regulation (law, statutes, etc.) or from the consent of the data subjects. If there is a legal regulation allowing the processing, consent is not required.
  • The legal basis for the processing is therefore either the legal regulation or the consent.
  • Legal regulations frequently applied for the processing of personal data at the University of Kassel are (among others):

If you process personal data in the context of a research project, an administrative activity or any other occasion, you are obliged to keep and amintain a record of processing activities (RPA) and to present it to the supervisory authority upon request (the RPA must exist when you start the processing activity, not only when the supervisory authority requests inspection).

Data protection impact assessments (PIA/DPIA) must be carried out for cases of processing operations where, due to special circumstances, there is likely to be a high risk for data subjects. In cases of normal and manageable risk, no DPIA is required. Please contact the Data Protection Officer if you have reason to believe that your processing is likely to result in a high risk to data subjects.

FAQ: Actual projects

  • Please read the detailed treatment of this topic by ZENDAS (German only).
  • If possible, design your survey to be (truly) anonymous from the outset, or to effectively anonymize the data collected immediately.
  • If you intend to conduct an anonymous survey: Make sure that you do not elaborate on the answer options for your questions in such detail that it jeopardizes an anonymous response. For example, do not ask for the exact date of birth if the year of birth (or a range of years of birth) would be sufficient for your research purpose. Critically examine whether considering the totality of your questions might result in too small a group with the same answers (this should not happen).
  • If an anonymous survey is not possible (e.g., because you want to collect contact data for an incentive, conduct a longitudinal study, or there is another reason why you cannot achieve your research goal with an anonymous survey), the formalities of data protection apply (record of processing activities, etc.). If necessary, please contact the data protection officer at an early stage.
  • Special case: surveys of children or young people at a Hessian school. Scientific research projects in Hessian schools require the approval of the Ministry of Education and Cultural Affairs (Section 84 Hessian School Act). You can find out which documents you need to submit to the Hessian Ministry of Education for the approval procedure at The Hessian Commissioner for Data Protection and Freedom of Information must be notified of the approval of research procedures in which personal data are processed (§ 84 para. 1 p. 4 Hessian School Act). Information on the processing of personal data in scientific research projects is provided in Section 84 (2) of the Hessian School Act.
  • Type and scope of personal data processed in the context of the survey
  • Purpose of the data processing (your research objective)
  • Participation is voluntary, there is no disadvantage in case of non-participation
  • The given consent can be revoked at any time (if applicable: as long as the data are not yet effectively anonymized)
  • Your e-mail address for queries and revocation

No. In surveys, the legal basis is almost always consent. Effective consent requires complete and truthful information about the purpose, nature and scope of the data processing. False or misleading information about the survey will render the consent invalid and you would thus be acting unlawfully.

If possible, distort the voice of the interviewee right away on the recording device. If this is not possible, transfer the interview to your computer and use software to distort the voice. This should be done immediately and the original recordings should also be deleted immediately, both on the recording device and on the computer. For distortion purposes, the freely available software "Audacity" can be used: load the recording, select "All" and change (at least) under "Effect" the pitch. Audio examples: Original [internal] and distorted [internal].

  • Usually not at all. Instead, address forwarding is used: you formulate your letter and the university either sends it to the desired group of persons on your behalf or allows you to reach the group of persons yourself by sending an e-mail to a special address. Please contact,
    • if the group of persons is all students of the university, to the university administration, Dept. II Studies and Teaching, or
    • if the group of persons are students of a department, to the dean's office of the department, or
    • if the group of persons are employees of the University, to the university administration, Dept. III Human Resources and Organization.
  • At the latest, if you intend to transmit or publish them, you need the (in case of doubt written) consent of all persons clearly recognizable on your photos or videos (unless one of the exceptions under § 23 KunstUrhG applies).
  • Apparently little known: The violation of this fulfills a criminal offense (§ 33 KunstUrhG in conjuction with § 22 KunstUrhG).
  • There is a form for obtaining the necessary consent for the publication of (portrait) images of university staff.
  • Special case: I would like to film lessons with children or young people at a school in Hesse. In this case, as with surveys in Hessian schools, the consent of the Ministry of Education and Cultural Affairs must be obtained in advance, see
  • Forwarding e-mails: Only use your work e-mail address (ending in "") for work-related matters so that work-related data remains within the university's data network and therefore within the sphere of the university as the responsible body. Forwarding an e-mail sent to your work e-mail address to your private e-mail address is only unproblematic under data protection law if the content is of a purely private nature (e.g. because the e-mail was only sent to your work e-mail address by mistake or in the absence of knowledge of your private e-mail address).
  • E-mails to several recipients: If you want to send an e-mail to several people, you should consider not using the obvious options of "To" (To) or "CC" (Copy), but instead send the e-mail to yourself and enter the recipients in the "BCC" (blind copy). This is particularly advisable if it is none of the individual recipients' business or should be none of their business to whom else the email in question was sent.
  • E-mails in HTML format: The data protection officer advises against sending e-mails in HTML format. This is unpleasant for recipients because you can never be sure that e-mails in HTML format do not contain active elements that transmit data in an uncontrolled manner or contain or download malicious code.
  • Special case: If you have an existing e-mail distribution list in the form of a hand-maintained list of e-mail addresses that you use to inform about news concerning your work at the University of Kassel, you can continue to use it. In one of your next emails, however, you should address the new legal situation with something like the following wording: I process your contact data in a file for the sole purpose of sending you this newsletter (or similar). If you no longer agree to receive it, please let me know at the following e-mail address: ... I will then delete your contact details immediately. (Please do the same with similar mailings).
  • Further useful information can be found on the pages of the THM Data Protection Officer.
  • The (often inadvertent) sending of emails with a large number of recipients in the "CC" is one of the more frequent incidents that the DPO has to deal with and often results in a report to the responsible supervisory authority (HBDI) in accordance with Art. 33 GDPR. Possible helpful measures for prevention include
    • using a delayed sending function if your email program supports this
    • using a warning function for a large number of "CC" recipients, if your mail program supports this
    • using a distribution list, e.g. the university's mailing list server
    • the use of a specialized newsletter service (from a provider based within the scope of the GDPR)
  • Both old files and defective media or media discarded for other reasons with content relevant to data protection or otherwise confidential should be disposed of in accordance with data protection regulations via the university's registry.
  • This does not apply if the data on the media is stored securely encrypted according to the state of the art. Then you can dispose of the data media as regular electronic waste.
  • Media with unknown content should also be disposed of via the Registrar's Office.
  • Please make sure to deliver your media to be disposed of to the registry in sufficiently stable containers and to label them with a sender's note. It should not be possible to determine from the outside that the contents are data carriers containing confidential and/or personal data. Therefore, the note "for destruction in compliance with data protection regulations" should only be affixed inside the container.

After you have backed up any data you still need, you can either

  • remove existing data media from the IT devices and have them destroyed via the registry, or
  • securely delete the data media using suitable software.
  • This also applies if you have to hand over an IT device for repair (media, such as hard drives, are naturally not destroyed in this case, but stored securely until the device is repaired).
  • This does not apply if the data on the media is stored securely encrypted according to the state of the art.

Secure deletion of data media takes a long time, but is easy to accomplish. CDs or memory sticks with specialized Linux distributions such as DBAN are particularly suitable for this purpose.

  • If you regularly transmit personal data via an insecure connection (Internet) to third parties outside the University of Kassel, there should be a described and approved procedure for this. Transmission using state-of-the-art encryption is obligatory here.
  • If your transmission is an exceptional case and no described and tested procedure exists, you can pack the data to be transmitted into an archive, symmetrically encrypt the resulting file and send it to the data recipient, e.g. as an e-mail attachment. Afterwards, transmit the password required for decryption to the data recipient by telephone. The password should be sufficiently long and complex (at least 10 random characters).
    • The software 7-Zip, which is available for all common operating systems, is suitable for this purpose. If in doubt, seek advice from the IT service centre (ITS) and/or familiarize yourself with its use in advance (instructions for 7-Zip can be found here, for example).
  • No. At least, the data protection officer has not yet become aware of any case at the University of Kassel in which the processing of biometric data of university employees would have been adequate. Even the consent of the persons concerned (the voluntary nature of which would be questionable anyway) does not justify the processing of biometric data if milder means of access systems are available (key, code and smartcard locks).
  • No. Video surveillance at the University of Kassel only takes place
    • in justified individual cases and
    • if milder means have proven to be unsuitable
    • with the approved video surveillance system operated centrally by the IT service centre.
  • Self-installed dummy cameras are also not permitted.
  • Electronic door viewers are acceptable only, if
    • structural conditions do not permit any other option,
    • the devices do not permit recording for technical reasons, and
    • images are only transmitted when someone has rung the bell.

Board members (and other persons who may be present at board meetings) must be informed about the processing of their personal data in connection with board meetings. Furthermore, a record of processing activities (RPA) must be kept and maintained.

Please proceed as follows:

  • Include the following notice in invitations to panel meetings: "Information on the processing of your personal data is available here." Link "here" to the privacy information on the University's committee website or reproduce the link as provided here. In addition, you should place this notice on your committee's website, if any (recommended).
  • If audio recordings are to be made for minutes purposes with the consent of the committee chair, the above information must be more detailed: "This meeting will be audio recorded for the purpose of preparing the minutes. For more information on the processing of your personal data, click here." Provide the link as well, as described above.
  • A verbal notice to participants about audio recording by the chair of the comittee is only required if, exceptionally, a meeting or part of a meeting is recorded, thereby informing participants that use will be made of the option to record "as of now."
  • Make sure that the attendance list form you use includes the note that the entry of name and signature is mandatory. Here, too, a data protection notice should be made as described above.
  • Special case: online meetings. In the case of online meetings, the information option via the attendance list does not apply. In order to inform in particular spontaneous participants and those who join later, the invitation link should also contain the note described above.
  • Create a RPA for the organization of your committee meeting by filling out the form "Muster-VV Uni Kassel Verantwortlicher, vorausgefüllt, für Gremiensitzungen" (available on this page under "Dokumente und Formulare"). Compared to the pre-filled standard form, this form is already shortened and adapted for the processing case committee meetings. In the simplest case, you only need to enter your contact details and the name of your committee. Furthermore, for committee meetings where no audio recordings are made for protocol purposes, the corresponding date "Audio recording" must be removed from the list of processed data. Additional adjustments may be required, so please review the form carefully.

  • The DPO is not aware of all boards and their practices. If in doubt about something, please contact the DPO.

First of all, please read the"Regulatory agreement on mobile work in the context of the Corona pandemic for administrative/technical staff dated July 23, 2020" (under "Regulations for mobile work"). Although this regulatory agreement strictly applies only to administrative-technical personnel, you should also take note of the statements made therein regarding technical and organizational measures for data protection during mobile work if you belong to another employee group.

In particular:

  • If possible, use a terminal device provided and administered by the university and use it exclusively for official purposes.
  • If you have to use a private end device, make sure that it is always up to date (software) and use a separate local account for official use.
    • Use the virtual desktop infrastructure (VDI) of the university. In this way, you will largely avoid having official data stored on your private end device.
    • If you cannot use the VDI and thus have to store official data on your private end device (this should only be done in justifiable exceptional cases), use VPN access to the university and local data encryption (e.g. VeraCrypt, see below).
      • Use of VPN access is not necessary if data traffic to and from the university is already encrypted (e.g. when accessing webmail or Zoom).
  • Mobile devices can be lost more easily than an office PC (loss, theft). To prevent unauthorized third parties from gaining access to personal data, the DPO strongly recommends encrypting at least the user data on the mobile device.
    • Smartphones and tablets: On current Android and iOS devices, device encryption is usually active by default. If in doubt, check this in the device settings. Since smartphones and tablets are typically rarely turned off, the DPO strongly advises setting up a screen lock with a sufficiently secure PIN (5 or more digits).
    • Laptops: Laptops used for business purposes are equipped with Windows 10 "Education" (as of March 2021). This already offers the option of data encryption using on-board tools ("BitLocker"), but unlike smartphones and tablets, this is not normally active by default. An alternative to BitLocker is the open source software "VeraCrypt", which is therefore considered particularly secure. VeraCrypt also works on Windows variants on which BitLocker is not available (e.g. the "Home" variant). Whichever of the two options you use: Set a strong password for the key. Furthermore, you should both print out the key and store it on a USB stick, and keep both in a safe place.

Please first read the"Handreichung zur Durchführung von elektronischen Fernprüfungen (Online-Klausuren) vom 4. Februar 2021" (under "Regelungen für Lehrende", in German only). In this handout, the University refers to the Regulation on the Conduct of Electronic Distance Examinations of the State of Hesse dated 08.12.2020.

In particular, it should be noted:

  • Online exams may only be offered as a (temporally parallel) alternative to a face-to-face exam. Exclusive online examinations are not permitted. The possibility of an online examination must be determined at the latest before the end of the registration period applicable to the respective face-to-face exam.
  • When checking identity in the context of online examinations with Zoom and comparable systems, care must be taken to ensure that ID cards are checked in such a way as to prevent unauthorized third parties from gaining knowledge of ID card data. A concrete procedure is described on the web pages of the IT service centre (ITS).
  • The examinees must be given the opportunity to familiarize themselves with the examination procedure in advance within the framework of an online examination (technical requirements and organizational conditions of the examination). Furthermore, the examinees must be informed about the processing of their personal data when determining the possibility of an online examination.
  • Recording of the examination event and the identification process is not permitted.
  • Joint controller in a processing activity: a joint controller is a natural or legal person outside the University of Kassel who jointly decides with you on the means and purposes of the processing of personal data. A (written) joint controllership agreement is required. A typical example is joint research projects.
  • A data processor in a processing activity: a processor is a natural or legal person outside the University of Kassel who processes the personal data according to your instructions. A data processing agreement (DPA) is required. DPAs are signed by the provost on behalf of the university. Typical examples are hosting and SaaS services, translation/transcription services, etc.
    • Typically, processors have contract templates; please ask your processor for a copy. Otherwise, there is a link to a template for a DPA available on this page (see above under "Documents and Forms", in German only).
  • The main difference is the responsibility for the personal data to be processed: In the case of joint controllership, it is shared by the two (or more) contracting parties, whereas in the case of processing (by a third party as a service), it remainswith the controller (i.e., the University of Kassel or the client of the University of Kassel). In both cases, a contract must be concluded: Either a joint controllership agreement or a data processing agreement (or both, if jointly controlling parties want to use the services of a processor).

FAQ: Miscellanea

  • For all e-learning systems used at the University of Kassel (i.e. not only the central Moodle of the SCL, but all such systems at the University of Kassel), the statute on the "Protection of personal data in multimedia use of e-learning procedures at the University of Kassel" (1.62.10, version of 06.07.2009, in German only) applies.
  • The above-mentioned statutes also apply to examination procedures, e.g. multiple choice tests on computers with subsequent automated evaluation.
  • Moodle and (probably also) other e-learning systems contain functions in their delivery state that violate regulations of the above mentioned statutes. For example, according to § 6 para. 1 of the statutes, it is only permitted to process users' personal data if this is necessary for the use of the e-learning system. A tabular overview of participants and their examination results, for example, is comprehensibly required, but this is at least questionable in the case of an overview of viewed documents per participant.
  • Functions that are illegal or questionable according to the statutes are deactivated in the Moodle operated by the SCL. Those who operate their own Moodle or a similar system are required to deactivate such functions as well.
  • No. It does not matter who is recording (or intends to record) and for what purpose: your consent is always required. Exceptions may apply for special events and speakers (press conferences, ceremonial addresses, lectures by persons with contemporary historical significance, etc.), but not for regular lectures, classes, etc.
  • In case someone does not comply with this: According to § 2, para. 3 and 4 of the house rules of Kassel University (1.75.00, version of 26.03.2015), you as a lecturer are also the house authority during a course and can expel or have expelled disruptive persons from the building (security service: Tel. 0561-804-2222).

The DPO is legally bound to secrecy, HDSIG § 6, para. 4 (Hessian data protection law, abridged):

Employees of public bodies may contact the DPO on all matters relating to data protection without having to comply with official channels. Data subjects may consult the Data Protection Officer on all matters related to the processing of their personal data and the exercise of their rights under Regulation (EU) No. 2016/679 [the GDPR], this Act and other data protection legislation. The data protection officer is obliged to maintain confidentiality about the identity of the data subject who has entrusted facts to him/her in the capacity of data protection officer. The obligation to maintain secrecy also extends to circumstances that allow conclusions to be drawn about the data subject, as well as to these facts themselves, unless the data protection officer is released from this obligation by the data subject.

If you prefer not to write an e-mail to the DPO, you can request an appointment for a personal meeting by telephone.