With the following information, we would like to give you an overview of the processing of your personal data by us and your rights under data protection law. Which data is processed in detail and how it is used depends largely on the services used.
The responsible party within the meaning of data protection laws, in particular the EU General Data Protection Regulation (DSGVO), is:
Studentenwerk Hannover
Anstalt des öffentlichen Rechts
The Managing Director
Visiting address: Jägerstraße 5, 30167 Hannover
Postal address: P.O. Box 58 20, 30058 Hannover
Tel. (05 11) 76-88 022
Fax (05 11) 76-88 949
Tax number 25 / 207 / 40331
VAT ID No. DE115650860
The Studentenwerk Hannover processes personal data that is required to fulfill its statutory tasks.
Relevant personal data are personal details (including name, address and other contact details, date and place of birth and nationality).
In addition, this may also include data
- required in connection with your student status,
- to fulfill our contractual obligations (e.g. data required for payment transactions),
- documentation (e.g. consultation protocol/contact form)
- among others.
We process personal data in accordance with the provisions
- of the EU General Data Protection Regulation (DSGVO),
- the Federal Data Protection Act (BDSG),
- the Lower Saxony Data Protection Act (as a public body of the state).
The lawfulness results
- on the basis of your consent or
- from the fulfillment of contractual obligations or
- due to legal requirements or
- within the framework of the balancing of interests / public interest.
Within the Studentenwerk Hannover, access to your data is granted to those offices that need it to fulfill our contractual and legal obligations. Service providers employed by us may also receive data for these purposes. These are, for example, companies in the categories of IT services and telecommunications.
As a matter of principle, we may only pass on data if this is required by law. Under these conditions, recipients of personal data may be, for example:
- Public bodies and institutions in the event of a legal or official obligation,
- Financial services institutions or comparable institutions to which we transfer personal data in order to carry out the business relationship with you,
- service providers that we use in the context of order processing relationships.
We process and store your personal data as long as this is necessary for the fulfillment of our contractual and legal obligations.
You have the following rights regarding the data stored by us:
- Information about your data stored by us and its processing (Art. 15 DSGVO),
- Correction of incorrect personal data (Art. 16 DSGVO),
- Deletion of your data stored by us (Art. 17 DSGVO),
- Restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 DSGVO),
- Objection to the processing of your data by us (Art. 21 DSGVO),
- Data portability, provided that you have consented to the data processing or have concluded a contract with us (Art. 20 DSGVO).
If you have given us consent, you can revoke this at any time with effect for the future.
In addition, you can file a complaint with a data protection supervisory authority at any time. A list of supervisory authorities with addresses can be found at:
When you access our website, information of a general nature is automatically collected. This information (server log files) includes the type of web browser, the operating system used, the domain name of your Internet service provider and similar. This is exclusively information that does not allow any conclusions to be drawn about your person.
This information is technically necessary in order to correctly deliver the content of websites requested by you and is mandatory when using the Internet. In particular, it is processed for the following purposes:
- Ensuring a smooth connection setup of the website,
- Ensuring a smooth use of our website,
- evaluating system security and stability, and
- for other administrative purposes.
The processing of your personal data is based on our legitimate interest from the aforementioned purposes for data collection. We do not use your data to draw conclusions about your person. Recipients of the data are only the responsible body and, if applicable, order processors.
Anonymous information of this kind may be statistically evaluated by us in order to optimize our website and the technology behind it.
For the comment function on this page in the Mensa forum, in addition to your comment, information on the time of creation of the comment, your e-mail address and the username you have chosen will be stored. Our comment function stores the IP addresses of users who post comments. Since we do not check comments on our site before activating them, we need this data in order to be able to take action against the author in the event of legal violations, such as insults or propaganda. This serves our security, as we can be prosecuted for illegal content on our website, even if it was created by users.
If you contact us with questions of any kind by e-mail or contact form, you give us your voluntary consent for the purpose of contacting you. For this purpose, it is necessary to provide a valid e-mail address. This serves the assignment of the request and the subsequent response to the same. The provision of further data is optional.
We expressly point out that the delivery of this data to us is partially unencrypted. For this reason, we ask that you do not send us any special categories of personal data (e.g. health data) via the contact form; use secure channels such as the postal service for this purpose.
All incoming and all sent e-mails are recorded in our central e-mail archive and generally stored for 10 years. This storage serves to fulfill the legal obligations for proper record keeping. Although this archiving obligation only applies to e-mails with an accounting document function, it is not possible to systematically separate these from other e-mails. Access to archived e-mails is for the purpose of financial accounting and bookkeeping, and also to fulfill the statutory tasks of the Studentenwerk if the contents of e-mails are required for technical purposes.
Detailed instructions on how to manage your own data in connection with Google products can be found at: http://www.dataliberation.org/.
We embed YouTube videos on some of our websites. The operator of the corresponding plugins is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. When you visit a page with the YouTube plugin, a connection to YouTube servers is established. This tells YouTube which pages you are visiting. If you are logged into your YouTube account, YouTube can assign your surfing behavior to you personally. You can prevent this by logging out of your YouTube account beforehand.
If you have deactivated the storage of cookies for the Google ad program, you will not have to expect any such cookies when watching YouTube videos. However, YouTube also stores non-personal usage information in other cookies. If you want to prevent this, you must block the storage of cookies in the browser.
You can find more information on data protection at YouTube in the provider's data protection declaration at: https://www.google.de/intl/de/policies/privacy/.
The data protection declaration was created in parts with the data protection declaration generator of activeMind AG.
The software recognizes food and drinks via the iPad's camera without having to take videos or photos of them. The name, number and price of the product as well as the payment command are transmitted to the cash register and can be paid directly at the cashier using the cafeteria card.
No image data is processed and/or sent during the entire checkout process. No personal data is recorded.
This service (hereinafter referred to as "App") is provided by the Studentenwerk Hannover, Jägerstraße 5, 30167 Hannover, Germany, as the responsible party within the meaning of the EU General Data Protection Regulation (GDPR). Within the scope of the app, we enable you to retrieve and display information about the Studentenwerk's canteen offerings at various locations and to list and filter them according to the preferences you have entered.
Certain information is already processed automatically as soon as you use the app. We have listed exactly which personal data is processed for you below.
1.1 Information collected during the download process
When you download the app, certain required information is transmitted to the app store you have selected (e.g., Google Play or Apple App Store); in particular, the user name, the e-mail address, the customer number of your account, the time of the download, payment information, and the individual device identification number may be processed. The processing of this data is carried out exclusively by the respective App Store and is beyond our control.
1.2 Information that is collected automatically
You have the option to use the app anonymously at the beginning. In this case, no personal data is transmitted, so anyone who wants to remain anonymous can be. We value the freedom of anonymity very much, but this reduces the functionality of the app to a minimum. We have no influence on the storage of data by the provider.
If you do not use the app anonymously, a UserID (user identifier) is automatically created as part of your use of the app, which is required for full use of the app. However, the Studentenwerk has no knowledge of the person behind the UserID at any time. The legitimate interest pursuant to Art. 6 I lit. f DSGVO applies to the collection of the UserID in order to ensure the functionality and error-free operation of the app and to be able to offer a service that is in line with the market and interests.
The submitted ratings are collected on the basis of consent pursuant to Art. 6 I lit. a DSGVO. You must submit your rating by actively clicking the "Send Feedback" button or you will be actively asked in the app whether you want to submit this rating. The collection of the pseudonymized usage data is based on a legitimate interest pursuant to Art. 6 I f DSGVO in conjunction with Recital 47 (direct marketing).
The following lists the other data to be collected that are necessary for the provision of the service in accordance with Art. 6 I b and f DSGVO.
- UserID - with the registration you receive an account with a user ID to which the data can be assigned. This is pseudonymization.
- AccountPassword - a password randomly generated by the app, which is used to authorize you and manage your account. Changing the password is possible after the fact.
- SelectedCanteen - Your selected canteens or cafeterias, so that the app only sends you reminders of dishes that are offered in your cafeteria.
- AccessToken - A server-generated token that you receive with your password to make it easier to authorize you.
- CreatedAt - The creation date of your account, so the app can track the growth of users.
- UpdatedAt - The last modification date of your account, so the app can track when changes were made.
- LastOnline - The date you last used the app, so we can delete your data after 1 year of non-use.
- FavoriteMeals - Your favorite meals. On the one hand, this allows the app to notify you when one of your favorite dishes is offered again; on the other hand, the app can customize the display of offers according to the most favorite dishes.
- MealRatings - Your ratings of the offered dishes. Based on these, the Mensa offer can be improved.
- Markings - Your allergens and markings of dishes that you either do not tolerate or do not like. This allows us to tailor your notifications to your eating habits, as well as tailor the Mensa experience to appeal to more guests.
Information about your device
- DeviceID - a server-generated number for your device. Since there are people who have multiple devices, the app distinguishes between these registered devices. This number is associated with the following information: PushNotificationToken, DeviceOS, DeviceID and StreamViews.
- PushNotificationToken - A key generated by your AppStore provider, which allows the app to send push notifications (only if this is desired). For more information about this, see the section "Mobile app access rights".
- StreamViews - The menu items/areas of the app that you have accessed. This identifies which areas of the app are used most frequently. This helps to set the focus of improvement towards that. StreamViews are only transmitted with your explicit consent (to improve the app).
- DeviceOS - The operating system and version of your smartphone. This can be used to keep track of error crashes and devices under test.
For other purposes
A transfer of your personal data to third parties for other purposes does not take place, unless
- you have given your explicit consent according to Art. 6 para. 1 p. 1 lit. a DSGVO, as well as
- in case there is a legal obligation for the transfer according to Art. 6 para. 1 p. 1 lit. c DSGVO.
The app uses technology from Google Firebase. Firebase is part of the Google Cloud Platform and offers many services for developers, which you can view here: https://firebase.google.com/terms/. Some Firebase services process personal data from you as an end user. This is necessary for the provision of Google services. You can find out which data is processed and for what purpose under the item "data processing information": https://firebase.google.com/support/privacy/. Google Firebase often uses "instance IDs" which, according to Google's information, are stored until the end user makes an API call to delete the ID. After that, the data is deleted from the live and backup system 180 days after the call. For more information, see: https://firebase.google.com/support/privacy/manage-iids. These instance IDs are used, for example, to determine which device messages should be transmitted to.
The Studentenwerk Hannover does not receive any personal data from Google Firebase, does not make any effort to personalize the data afterwards, and only uses the data to analyze usage behavior. No guarantee is given for the above-mentioned information from Google; we only refer to the information Google provides. Google is entitled to change or delete this information at any time, to delete or change the URL (link to Google web pages) or to provide the information on another page.
Information of the third party provider: Google Dublin, Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001, or Google Analytics of Google Inc (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
User terms and conditions: https://firebase.google.com/terms/
Overview of data protection: https://firebase.google.com/support/privacy/
Data protection declaration: https://policies.google.com/privacy
Furthermore, we use the following services from Google Firebase: Cloud Messaging
3.1 Cloud Messaging
Cloud messaging is used to send you push messages or in-app messages. In the process, a pseudonymized push reference is assigned to the end device, which serves as the target for the push messages or in-app messages. The push messages can be deactivated and reactivated at any time in the settings of the end device.
Processing of your personal data for purposes other than those described will only take place if permitted by law or if you have consented to the changed purpose of the data processing. In the event of further processing for purposes other than those for which the data was originally collected, you will be informed about these other purposes prior to further processing and you will be provided with all other relevant information.
In the app, the data is normally stored for up to 12 months. If you have not been active for longer than 12 months (i.e. you have not used the app) or you delete your account (via the app), all your attributable data will be automatically deleted or anonymized. In doing so, your personal data will be anonymized or deleted in the app as soon as it is no longer required for the purposes for which it was collected or used in accordance with the preceding paragraphs, or to the extent that such data is no longer required for criminal prosecution or to secure, assert or enforce legal claims. After deletion of the user account, data will be automatically deleted for further use, unless we are obliged to store it for a longer period according to Art. 6 para. 1 p. 1 lit. c DSGVO due to tax and commercial storage and documentation obligations (from HGB, StGB or AO), or you have consented to storage beyond that according to Art. 6 para. 1 p. 1 lit. a DSGVO.
The ratings for dishes and other services, on the other hand, are not deleted, even if the app is uninstalled or this dish is no longer on the menu. The ratings do not contain any personal data other than the UserID, which is deleted or anonymized as mentioned above.
The UserID is used in our systems while the app is offered. Server logs are usually kept for as long as is necessary to analyze any errors. As a rule, this is 14 days.
You have the right to request information about the processed personal data concerning you in the scope of Art. 15 DSGVO at any time. For this purpose, you can send a request by mail or e-mail to the addresses below.
You have the right to request the immediate rectification of the personal data concerning you, should they be inaccurate. To do so, please contact us at the address below.
To exercise your right to erasure, please contact us at the contact addresses below.
You have the right to request the restriction of processing in accordance with Art. 18 DSGVO. This right exists in particular if the accuracy of the personal data is disputed, for the duration that the verification of the accuracy requires, as well as in the case that the user requests limited processing instead of erasure in the case of an existing right to erasure; furthermore, in the case that the data are no longer necessary for the purposes pursued, but the user needs them for the assertion, exercise or defense of legal claims, as well as if the successful exercise of an objection is still disputed. To exercise your right to restrict processing, please contact us at the contact addresses below.
You have the right to receive the personal data concerning you that you have provided to us in a structured, commonly used, machine-readable format in accordance with Art. 20 DSGVO. To exercise your right to data portability, please contact us at the contact addresses below.
You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out, inter alia, on the basis of Art. 6(1)(e) or (f) DSGVO, in accordance with Art. 21 DSGVO. The processing of your personal data will cease unless compelling legitimate grounds for the processing can be demonstrated which override your interests, rights and freedoms, or if the processing is for the establishment, exercise or defense of legal claims.
You have the right to withdraw your consent to the respective data processing without giving reasons. This applies to processing after the time of revocation. The processing until then remains unaffected.
You are welcome to contact the data protection officer of the Studentenwerk (see below for contact details) in case of complaints. In addition, you have the right to lodge a complaint with the competent data protection supervisory authority, the State Commissioner for Data Protection of Lower Saxony, Prinzenstraße 5, 30159 Hanover, Germany, phone: +49 511 120-4500, e-mail: email@example.com.
In order to optimize the user flow and to receive better and more suitable suggestions within the app, there is a recommendation system. A distinction is made between local and server-side suggestions. The server-side processing of own data only takes place if the item "Send statistics data" has been agreed to (this item can be deactivated again under "Settings"). General suggestions, which are user-independent, are still made. Personal data is only evaluated locally on the end device. For example, more suitable buildings can be suggested based on the user's location, or the nearest refectory can be displayed.
The recommendation system accesses the following data:
Server-side:
- StreamView data (data about screens used).
- Non-sensitive user data that exists server-side (including preferred dining hall, favorite dishes, student body)
The application uses appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction or against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments.
If you have any questions or comments about the handling of your personal data, or if you would like to exercise the rights as a data subject set out in sections 6 and 7, please contact the data protection officer.
Status: February 25, 2021