The controller within the meaning of the General Data Protection Regulation and other national data protection laws of the Member States, as well as other data protection provisions, is:

GEOMAR Helmholtz Centre for Ocean Research Kiel
Wischhofstr. 1-3
24148 Kiel
Deutschland
Tel.: 0431-600-0
E-Mail: info(at)geomar.de 
Website: www.geomar.de 

The Data Protection Officer of the controller can be reached by post at:
Reference: „Datenschutzbeauftragter GEOMAR“

Building 1 – Mailbox – GEOMAR Interne Meldestelle

Wischhofstr. 1-3
24148 Kiel
Deutschland

The legal basis for the processing of personal data is Article 6(1) sentence 1 point (e) GDPR, based on the GEOMAR Establishment Act and its statutes.

• The purpose of the foundation is to conduct and promote ocean research at an international top level within the mission of the Hermann von Helmholtz Association of German Research Centres (HGF), in particular through
  • its own research, and
  • support of marine scientific research in Germany by providing coordination, logistics, and technical assistance in joint ocean research projects as well as in national, European, and international programmes.
• To this end, the foundation works closely with universities and research institutions at both national and international levels. It maintains a close cooperation with Kiel University (Christian-Albrechts-Universität zu Kiel, CAU).
• The foundation conducts basic research and development and aims to initiate, develop, and coordinate additional research programmes and research work. It promotes cooperation between science and industry.
• The foundation supports early-career researchers.
• The results of scientific work are to be published for the academic community and made accessible to the general public in an appropriate manner.
• The foundation observes the principles of good scientific practice recommended by the German Research Foundation (DFG), as well as the implementation rules adopted by the Hermann von Helmholtz Association of German Research Centres (HGF). It obliges its employees and early-career researchers to comply with these principles and appoints one or more ombudspersons.
• The foundation is authorised to undertake any activities that serve its purpose.

The data will be deleted as soon as they are no longer required to achieve the purpose for which they were collected.
Personal data are stored in a form that permits the identification of the data subject only for as long as is necessary for the purposes for which they are processed.
The storage period is generally based on the requirements of information security.
However, personal data may be stored for a longer period by way of exception if the data are processed exclusively for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes in accordance with Article 89(1) GDPR.
The specific storage period is explained in the special data protection notices, which are defined by the responsible departments for the respective processing activities and can be found in their publications.

As a rule, GEOMAR does not permit the transfer of personal data to third countries, i.e., countries outside the scope of the General Data Protection Regulation.
The data centres involved in the processing are located—according to contractual agreements—exclusively within the European Union.

If, in the context of global scientific cooperation, personal information is transmitted, such transmissions are individual decisions made by the scientists involved. Examples include various forms of electronic communication (e-mail, video conferences, chat systems).
The freedom of science, as enshrined in the EU Charter and the German Basic Law, requires a culture of trust at GEOMAR.

The EU Commission has issued so-called adequacy decisions for some third countries, confirming that the level of data protection in the respective third country corresponds to the level within the EU.
Up-to-date information on adequacy decisions is available to GEOMAR staff on the intranet.

GEOMAR’s commitment to privacy-friendly default settings for all IT solutions used is based on adherence to the following principles:

Lawfulness, Fairness, Transparency

GEOMAR processes personal data lawfully, fairly, and in a manner that is understandable to the data subject.

Purpose Limitation

Personal data are collected for specified, explicit, and legitimate purposes.
Further processing does not take place if it is incompatible with these purposes.
By exception, further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes is permitted [Article 89 GDPR].

Data Minimisation

The processing of personal data is appropriate to the purpose and limited to what is necessary.

Accuracy

Personal data are regularly maintained to ensure factual accuracy.
GEOMAR aims to keep personal data up to date.
All controllers take appropriate measures to ensure that inaccurate personal data are erased or corrected without delay.

Integrity and Confidentiality

GEOMAR processes personal data in a way that ensures an appropriate level of security.
This includes protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage through suitable technical and organisational measures.

Accountability

Compliance with the above principles is the responsibility of the respective controller and must be demonstrated through appropriate documentation.

As a data subject whose personal data are collected in the context of the services that refer to this data protection notice, you generally have the following rights, provided that no statutory exceptions apply in individual cases:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to restriction of processing (Article 18 GDPR)
• Right to data portability (Article 20 GDPR)
• Right to object to processing (Article 21 GDPR)
• Right to withdraw consent (Article 7(3) GDPR)
• Right to lodge a complaint with a supervisory authority (Article 77 GDPR)