Declaration on Video Surveillance Data Protection

I. Name and contact details of the responsible unit

Chemnitz University of Technology
represented by the President: Prof. Dr. Gerd Strohmeier
Straße der Nationen 62
09111 Chemnitz, Germany
Email: rektor@tu-chemnitz.de
Phone: +49 371 531-10000
Fax: +49 371 531-10009
Web: www.tu-chemnitz.de

In case of questions regarding this Declaration on Data Protection or related data processing procedures or if you would like to make use of your rights accorded, you are welcome to address to us at any time:

Director of the University Library
Angela Malz
Straße der Nationen 33
09111 Chemnitz, Germany
Phone: +49 371 531-13100
Email: service@bibliothek.tu-chemnitz.de.

II. Contact details of the Commissioner for Data Protection

Gernot Kirchner
Commissioner for Data Protection of Chemnitz University of Technology
Straße der Nationen 62
09111 Chemnitz, Germany
Email: datenschutzbeauftragter@tu-chemnitz.de
Phone: +49 371 531-12030
Fax: +49 371 531-12039
Web: www.tu-chemnitz.de/rektorat/dsb/

III. Information related to processing of data

1. Scope and purpose of the processing personal-related data

The processing of personal-related data describes each operation implemented by means of or without automated processing procedures or each processing chain of that kind in the context of personal-related data such as the collection, the acquisition, the preparation, the sorting, the retention, the adjustment and alteration, the retrieval, the usage, the disclosure by transmission, dissemination or another manner of provision, the matching or the linking, the limitation, the cancellation or the deletion.

a) Video surveillance in the University Library

The collection of personal-related data by means of optical-electronic devices (video surveillance), their retention and other processing are carried out at the relevant and specifically designated and identified areas at the University Library only insofar this respectively serves for carrying out a duty of public interest or domiciliary rights, i.a. for protection of persons against violence or materials as well as immaterial goods on the university area against damage or unauthorized removal. In detail, from those purposes, the subsequent data processing derive:

aa) Surveillance period 24 hours / 7 days, including live-image transmission to the guard and digital archiving/retention of image data:

Camera location: cloakroom area
Camera location: ground floor entrance area east (deactivation in case of an event meaning no live surveillance, recording, retention (including Fullscreen Privacy Zone)
Camera location: emergency exits east/west

bb) Surveillance period: Mo-Fr from midnight until 06:00 am and from 07:15 pm until midnight; Sa from midnight until 06:00 am and from 12:15 pm until midnight; Sundays and holidays 24 hours, no live-image transmission to the guard but digital archiving/retention of image data:

Camera locations: lateral areas/wings from ground floor to 3rd level (except lateral area at ground floor east)
Camera location: 1^st level information/ lending desk

cc) ) Surveillance period 24 hours / 7 days, live-image transmission to the guard only and no digital archiving:

Camera location: ground floor/foyer
Camera location: ground floor entrance/exist area book return machine/foyer

Further processing of personal-related data for other purposes are only carried out insofar this is required for prevention of threats for public security as well as for prosecution of criminal offences, for enforcing legal claims or for preserving legitimate interests of persons affected, in particular for resolution of a persisting lack of evidence.

Apart from that, it is not allowed to use data collected and retained by video surveillance for performance and behavior control of staff members of Chemnitz University of Technology.

b) Video surveillance integrated in intercom systems of the University Library

The collection of personal-related data by means of optical-electronic devices (video surveillance) and their other processing are carried out at the relevant and specifically designated and identified areas within the intercom systems at the University Library only insofar this is required for control and regulation of access for deliveries, of parcel services, guests and project partners. The video surveillance serves for checking whether the respective vehicle is entitled for access (kind of vehicle, vehicle for delivery, parcel service etc.) and for identification of the person asking for entry by “extended eye” (Monitoring) in the context of application of the domiciliary right.

Apart from that, it is not allowed to use data collected and retained by video surveillance for performance and behavior control of staff members of Chemnitz University of Technology.

2. Legal base for the processing of personal-related data

The processing of personal-related data is legally based on § 13 section 1 SächsDSDG [Data Protection Act of the Free State of Saxony] in conjunction with art. 6 sec. 1 page 1 letter e), section 3 DSGVO [General Data Protection Regulation] (public interest). The processing of collected data of staff members, if applicable, is carried out according to Art. 88 DSGVO in conjunction with § 11 section 1 page 1 SächsDSDG in conjunction with the service agreement on the installation and operation of video surveillance devices in the respectively current version.

3. Period of retention (data deletion – retention restriction)

a) Video surveillance in the University Library

The processed personal-related data deriving from video surveillance are deleted or blocked as soon as the purpose of data processing expires meaning that the processing is no longer required for the designated purpose. In consequence, the subsequent delays for deletion derive for the designated video surveillance in the University Library / Alte Aktienspinnerei. Depending on the location of operation, the video cameras are activated at differing times and also differ with regard to kind of live surveillance, recording resp. retention.p

aa) Surveillance period 24 hours / 7 days, including live-image transmission to the guard and digital archiving/retention of image data:

Image data with timestamp: generally six (6) days with following exception for the regular shutdown period: skipping of the automatic deletion from the working day prior to the regular corporate shutdown period according to § 12 service agreement regarding working time regulation dated July 29, 2019 until the second working day subsequent to the regular corporate shutdown period.

bb) Surveillance period: Mo-Fr from midnight until 06:00 am and from 07:15 pm until midnight; Sa from midnight until 06:00 am and from 12:15 pm until midnight; Sundays and holidays 24 hours, no live-image transmission to the guard but digital archiving/retention of image data:

Image data with timestamp: generally six (6) days with following exception for the regular shutdown period: skipping of the automatic deletion from the working day prior to the regular corporate shutdown period according to § 12 service agreement regarding working time regulation dated July 29, 2019 until the second working day subsequent to the regular corporate shutdown period.

cc) Surveillance period 24 hours / 7 days, live-image transmission to the guard only and no digital archiving:

No retention/ recording of image data with timestamp

b) Video surveillance integrated in intercom systems of the University Library

At the moment of ringing the bell at the barrier and of ringing the bell at the rear entrance door of the University Library building, the image is transmitted for 30 seconds to the guard in the building. Subsequently, the connection is automatically interrupted. No recording and no retention of the image data is carried out.

4. Recipient of the personal-related data

a) Video surveillance in the University Library

The processing of personal-related data is exclusively carried out by the subsequently mentioned natural/ legal persons: University Management, University Computer Center as well as University Library of Chemnitz University of Technology.

A further processing of personal-related data by third-parties (e.g. investigation authorities) is carried out only insofar this is required for prevention of threats for public security as well as for prosecution of criminal offences, for enforcing legal claims or for preserving legitimate interests of persons affected, in particular for resolution of a persisting lack of evidence.

A transmission of the personal-related data to third-parties not mentioned before is not carried out nor a transmission to another member country of the European Union resp. to a third party country or an international organization.

b) Video surveillance integrated in intercom systems of the University Library

The processing of personal-related data is exclusively carried out by the subsequently mentioned natural/ legal persons: Guard of the University Library building, University Computer Center of Chemnitz University of Technology.

A transmission of the personal-related data to third-parties not mentioned before is not carried out nor a transmission to another member country of the European Union resp. to a third party country or an international organization.

5. Data Protection Impact Assessment

a) Video surveillance in the University Library

As from the present data processing carried out might potentially derive a high risk for the rights and freedom of natural persons in consequence, we have assessed in advance the impact of the intended processing procedures on the protection of personal-related data. This includes at least the following indications:

1. a systematic description of the intended processing procedures and the purposes of the processing;
2. an assessment of the necessity and eligibility of the processing procedures with regard to the purpose
3. an assessment of the risks for the rights and freedom of the persons affected and
4. the remedial measures intended for overcoming the risks including guarantees, precautions and processes for assuring the protection of personal-related data and for proving the compliance with data protection regulations taking account of the rights and legitimate interests of persons affected and other persons concerned.

b) Video surveillance integrated in intercom systems of the University Library

With regard to the intercom systems, it was determined by a threshold analysis that from the processing does probably not derive a high risk for the rights and freedom of natural persons in consequence so that it was not necessary to carry out a data protection impact assessment.

6. Data Privacy

By consideration of the state of the art, of the implementation costs, of the kind, the scope, the circumstances and the purposes of the processing as well as the of the probability of occurrence and the severity of the threats related to the processing for the legal interests of the persons affected, we have taken all technical and organizational measures required for assuring a level of protection within the processing of personal data in appropriate relation to the risks, in particular regarding the processing of specific categories of personal-related data. Among those may belong, apart from the measures mentioned in article 25 (data protection by technical design a data protection-friendly default settings), 32 (security of processing), 36 (prior consultation) DSGVO:

1. to assure that subsequently may be monitored and determined whether and by whom personal-related data had been entered, altered or deleted,
2. to sensitize and train persons involved in processing procedures.

Relevant technical guidelines and recommendations of the Federal Agency for Security in Information Technology (BSI) are insofar taken into account. This regards particularly the fundamental IT-protection provided by the BSI.

In the case that personal-related data recorded are applicable for biometric analysis, appropriate technical and organizational measures for protection of the specific categories of personal-related data have been undertaken. A processing of those biometric data is exclusively carried out within the regulations defined by art. 9 sec. 2 DSGVO.

7. Legal/ contractual regulations for the provision of personal-related data and consequences of non-provision

The provision of personal-related data is regularly not legally mandatory nor required for the conclusion of an agreement, so that there is no regular obligation to cooperate by the provision of personal-related data. Thus, the non-provision of your personal-related data does regularly not lead to any consequences/effects.

IV. Rights of persons affected

In the case that personal-related data of yourself are processed, you are a person affected according to DSGVO so that, in the case that the respective conditions are provided, you are entitled for the subsequent rights face to Chemnitz University of Technology (responsible). In order to claim for your rights face to Chemnitz University of Technology and in case of further questions regarding data protection, you are welcome to address to our Data Protection Commissioner at any time.

All information and measures according to art. 15 to 22 (i.a. rights for disclosure, amendment, deletion, processing restriction, information, data transfer and appeal) and art. 34 DSGVO (rights for disclosure in case of data protection infringements) are provided free of charges. However, in case of obviously unjustified or – particularly in the case of frequent recurrence – excessive inquiries of a person affected, the responsible may either demand an appropriate financial compensation covering the administrative costs for the information or disclosure or the implementation of the measure applied for or refuse to take action based on the inquiry. Nonetheless, in that cases Chemnitz University of Technology has to prove the obviously unjustified or excessive character of the inquiry.

In addition, it shall be mentioned that restrictions of the rights of persons affected are existing according to §§ 7–10 SächsDSDG. They apply to i.a. the rights for deletion and disclosure as well as information obligations face to persons affected.

1. Right for disclosure

You are entitled for demanding a confirmation from the responsible whether personal-related data regarding yourself are processed by him. In the case that processing of that kind is carried out, you are entitled to demand disclosure from the responsible regarding the following information:

1. the purposes for processing;
2. the categories of personal-related data processed;
3. the recipients or the categories of recipients to whom the personal-related data were disclosed or are going to be disclosed, particularly in the case of recipients in third-party countries or of international organizations;
4. if possible, the intended period during which personal-related data are retained or, in the case this is not possible, the criteria for the determination of that period;
5. the existence of rights for amendment or for deletion of the personal-related data regarding yourself or for restriction of processing by the responsible or for objection to the processing;
6. the existence of right for appeal towards a supervisory authority;
7. in the case that the personal-related data are not acquired from you meaning from the person affected, all information available regarding the origin of the data;
8. the existence of an automated decision-making including profiling according to art. 22 sec. 1 to 4 DSGVO and – at least in those cases – comprehensive information regarding the logics applied as well as the scope and the impacts intended by such processing with regard to the person affected.

However, as Chemnitz University of Technology self-evidently processes a large quantity of information regarding persons affected, it may be required from you that you as person affected, when claiming for your right for disclosure, explain in detail to which information or to which processing procedures your inquiry for disclosure refers before getting a reply, see p. 7 of the 63^rd recital of the DSGVO.

According to the recommendations of the European Data Protection Board (EDPB), particularly in individual cases it has to be carefully examined whether your inquiry for disclosure may be accepted or whether rights of third-parties are affected (art. 15 sec. 4 DSGVO), whether Chemnitz University of Technology is not at all able to identify you as person affected in the image material (art. 11 sec. 2 DSGVO) of whether an excessive claim according to art. 12 DSGVO is applicable. For this reason, it shall be emphasized at this point that inquiries for disclosure regarding concrete individual cases will regularly be rejected in the case that they affect rights of third-parties or in the case that the person affected could not be unequivocally identified.

In the case that personal-related data are transmitted to a third-party-country or to an international organization, you as person affected have furthermore the right to be informed about the appropriate guarantees according to art. 46 DSGVO in context with the transmission.

2. Right for amendment

You are entitled for demanding immediate amendment of incorrect personal-related data related to yourself from the responsible. By consideration of the purposes of the processing, you as affected person have furthermore the right to claim the completion of incomplete personal-related data – also by a supplementary declaration.

3. Right for deletion

a) Obligation for deletion, art. 17 DSGVO („Right to be forgotten“)

You are entitled for demanding from the responsible that the personal-related data regarding yourself are deleted without any delay. In addition, the responsible is obliged to immediately delete those data insofar one of the following reasons apply:

• The personal-related data regarding yourself are no more required for the purposes for which they were acquired or processed in other ways.
• You cancel your declaration of consent on which the processing according to art. 6 sec. 1 p. 1 let. a) DSGVO or art. 9 sec. 2 let. a) DSGVO was based, and there is no other legal basis on which the processing is founded.
• You are appealing against the processing according to art. 21 sec. 1 DSGVO and there are no justified priority reasons for the processing, or you are appealing against the processing according to art. 21 sec. 2 DSGVO.
• The personal-related data regarding yourself were processed unlawfully.
• The deletion of the personal-related data regarding yourself is required for complying with legal obligations according to European Union legislation or with the legislation of member countries to which the responsible is being subject.
• The personal-related data regarding yourself were acquired in the context of provided services of the information society according to art. 8 sec. 1 DSGVO.

b) Information of third-parties

In the case that the responsible has published the personal-related data regarding yourself and that he is obliged for their deletion according to art. 17 sec. 1 DSGVO, he has to adopt appropriate measures, also in technical ways by consideration of the technologies available and the implementation costs, in order to inform persons or units responsible for data handling processing personal-related data about the fact that you as person affected have demanded from them – the other persons/ units responsible – the deletion of all links to this personal-related data or all copies and reproductions of those personal-related data.

c) Exemptions from the right for deletion

The right for deletion does not apply insofar the processing is required

• for carrying out the right for free speech and information;
• for complying with legal obligations requiring the processing according to the legislation of the European Union or of member countries to which the responsible is subject or for carrying out a task of public interest or in execution of public authority transferred to the responsible;
• for reasons of public interest in the field of public health according to art. 9 sec. 2 let. h) and let. i) as well as art. 9 sec. 3 DSGVO;
• for purposes of archiving for public interest, purposes of scientific and historical research or other statistical purposes according to art. 89 sec. 1 DSGVO insofar the “right to be forgotten” mentioned above probably makes impossible or significantly endanger to reach the targets of those processing, or
• for claiming, implementing or defending legal entitlements.

4. Right for processing restriction

By compliance with the following conditions, you may demand the restriction of the processing of personal-related data regarding yourself:

• in the case that you appeal against the correctness of personal-related data regarding yourself with a delay allowing the responsible to verify the correctness of the personal-related data;
• in the case that the processing is unlawful and that you reject the deletion of the personal-related data and demand instead the restriction of usage of those personal-related data;
• in the case that the responsible does no longer need the personal-related data for the purposes of their processing but that you require them for claiming, implementing of defending legal entitlements, or
• in the case that you have appealed against the processing according to art. 21 sec. 1 DSGVO and that is not yet determined whether the justified reasons of the responsible are predominant to your reasons.

In the case that the processing of the personal-related data regarding yourself were restricted in the way mentioned above, those data may – apart from their retention – only be processed by your consent or for claiming, implementing or defending legal entitlements or for protection of rights of another natural or legal person or for reasons of significant public interest of the European Union or a member country.

In the case that the processing was restricted according to the conditions mentioned above, you are informed by the responsible before the restriction is being suspended.

5. Right for information

The responsible is obliged towards you to inform all recipients to whom your personal-related data are disclosed about each amendment or deletion of the personal-related data or a restriction of the processing according to art. 16, 17 sec. 1 and art. 18 DSGVO unless this turns out to be impossible or is related to an excessive effort. In the case that this required by the person affected, the responsible informs the person affected about the recipients

6. Right for appeal

Based on reasons deriving from your specific situation, you are entitled to appeal against the processing of personal-related data regarding yourself carried out according to art. 6 sec. 1 p. 1 let. e) (public interest and in execution of public authority) or let. f) DSGVO (justified interests) at any time; this applies also to a profiling based on those regulations.

The responsible does not process those personal-related data regarding yourself anymore unless he can prove urgent legitimate reasons for the processing prepondering to your interests, rights and freedoms or the processing serves at the claim, implementation or defense of legal entitlements.

7. Right for appeal to a supervisory authority

Irrespective of another administrative or juridical legal remedy, you are entitled for appeal to a supervisory authority, particularly at the member state of your location of residence, location of work or the location of the suspected infringement, in the case that you are of the opinion that the processing of the personal-related data regarding yourself infringe data protection regulations.
According to art. 51 DSGVO in conjunction with §§ 14 ff., the responsible authority in the Free State of Saxony is:

Data Protection and Transparency Officer for Saxony
Dr. Juliane Hundert
Devrientstraße 5
01067 Dresden
Email: post@sdtb.sachsen.de
Phone: +49 351 85471-101
Fax: +49 351 85471-109
Web: https://www.datenschutz.sachsen.de/

The supervisory authority, to whom the appeal had been submitted, informs the appellant about the status and the results of the appeal including the opportunity for legal remedies according to art. 78 DSGVO.

V. Currency of this Declaration on Data Protection

This declaration on data protection is currently in force and was last amended in October 2022.