1. controller & data protection officer
Responsible for data processing is the

Media Center Wiesbaden e.V.
Hochstättenstraße 6-10
65183 Wiesbaden

Telephone: 0611 16658-41
Fax: 0611 31-3929
E-Mail: contact@mdz-wide

represented by the Management Board.

Our data protection officer, Ms. Dufeu, can be contacted at datenschutz@mdz-wide.

2 Purpose of data processing & legal basis
The controller operates a central cloud storage service (Nextcloud) including integrated additional applications.

Your data is processed for the following purposes

• Implementation, preparation and follow-up of lessons including the necessary communication
• Management of user rights and roles according to function (student, teacher, etc.) and membership of classes and groups
• Technical provision of services required for the administration and use of Nextcloud
  Security and functionality of these services

The processing of personal data is generally based on the voluntary consent of the data subjects (Art. 6 para. 1 a GDPR). An exception applies in cases where it is not possible to obtain prior consent for factual reasons, the processing of the data is based on legal regulations (Art. 6 para. 1 c GDPR), for example documentation and storage obligations of a school or on the basis of a balancing of interests, Art. 6 para. 1 f GDPR.

3. provision of the service and creation of log files
The following types of data are required for the provision and use of Nextcloud or are generated through its use

• User data (e.g. login name, password, role, group membership)
• Content and communication data generated by the user (e.g. documents, audio recordings and messages)
• Technical usage data (e.g. files created, versions, error messages)
• Automatically managed log data (e.g. time of access)

4. use of cookies
Cookies are only used to simplify or enable the secure use of the website for users. No third-party cookies are used.

5. user authentication
This Nextcloud instance uses the database of the Hessian school portal, which is operated by the Hessian Teachers' Academy, for user authentication (login).

When users log in to Nextcloud, a request for access data is sent to the school portal servers. If the login is successful, a shadow copy of the user data is saved on the Nextcloud server. This means that users create their Nextcloud access themselves when they log in for the first time.

For schools without a connection to the Hesse school portal, login data is created for each user by the school and communicated to the person responsible so that they can create the corresponding user data in the Nextcloud.

6 Access to data and disclosure of personal data to third parties
Within the Wiesbaden Media Center, all Nextcloud administrators have access to all data of all persons.

Medienzentrum Wiesbaden does not use any processors for the operation of Nextcloud and consequently does not pass on any data to third parties in the context of technical operation.

Within the school, access to data in connection with the use of Nextcloud is regulated by the rights and roles concept.

• School management - all data of all persons
• School administrator - all data of all persons (on the instructions of the school management)
• Teachers - own data and data of students and teachers according to their function and approvals by the persons themselves
• Pupils - own data and data of classmates according to releases by teachers or classmates

Persons from outside the school only receive access to data if they are permitted or required to do so by law or if consent has been given:

• Parents if released by pupils
• Parents and (former) pupils (right to information Art. 15 GDPR)
• Investigating authorities in the event of a criminal offense

7. duration of data storage
The user data of users is stored for as long as necessary. This is the case, for example

• when using the Nextcloud,
• the school affiliation of students, teachers or other employees,
• as long as consent to the processing of their data has not been withdrawn.
  (the first applicable applies in each case)

After ending the use of Nextcloud, leaving the school or ending the service at the school or objecting to the processing, the user's data will be deleted from Nextcloud within six weeks. Backup files of the Nextcloud server are deleted after 6 months.

Log files are stored for 14 days and then automatically deleted.

Exceptions to the aforementioned deletion periods are data for which longer retention periods are prescribed by applicable legislation.

Users have the option of deleting content and communication data generated by them at any time.

The storage periods for technical data and cookies can be found in the section on cookies.

8 Rights of the data subject
If your personal data is processed, you are a data subject within the meaning of the GDPR and you have certain rights vis-à-vis the controller: Right of access, right to rectification, right to restriction of processing, right to erasure, right to be informed, right to data portability, right to object, right to withdraw consent under data protection law, automated decision-making in individual cases including profiling, right to lodge a complaint with a supervisory authority.

Some of the above rights do not apply or only apply to a limited extent if the data processing is not based on your voluntary consent, but on one of the other above-mentioned bases. These include the right to erasure, withdrawal of consent and restriction of processing. However, the right to information and the right to lodge a complaint apply in any case.

Contact details of the competent supervisory authority:

The Hessian Commissioner for Data Protection and Freedom of Information

P.O. Box 3163
65021 Wiesbaden

Telephone: +49 611 1408 - 0
Fax: +49 611 1408 - 900 / 901

9. further information on data protection at Nextcloud
Further information can be found at https://nextcloud.com/de/gdpr/ (opens in a new tab) and as a Nextcloud user in the personal settings area under data protection.

Version 1.2 from 14.10.2021

The document was created using a template from https://datenschutz-schule.info/ (Dirk Thiede). We would like to express our thanks for the preparatory work!