Data Repository University of Stuttgart
University of Stuttgart
Data protection officer
70174 Stuttgart, Germany
Phone: +49 711 685-83687
Fax: +49 711 685-83688
The personal data described in this section are collected, stored and/or processed.
4.1 User Account
4.1.1 Description and categories of data
To view published records and download published data, no registration is required. In order to upload data to DaRUS, to describe data and to download (partially) protected data, a user account is required. The prerequisite for creating a user account is that authentication via an authentication server (IDP) via Shibboleth® is carried out by the home organization. At the first login to DaRUS a user account is created, which takes over the following information from the authentication server (IDP):
- Full name (cn, givenName, sn)
- E-mail address (email)
- Home organization (o)
- User ID (eduPersonPrincipalName, alternatively eduPersonUniqueId)
The information in the user account is used to assign rights and roles. The user information is made available to Dataverses administrators so that they can assign roles to persons and groups and thus rights to the Dataverse they manage. This serves the protection and integrity of the data. In particular, it logs who is making changes to the stored data records and who - in the case of protected data - is retrieving them. If a user requests the protected data of a data record, the information of his or her user account is additionally made available to the contact person of the data record concerned and the administrator of the dataverse containing the data record as a basis for deciding whether to approve or reject the request.
Transfer to guestbook entry: If a user downloads data from a dataverse for which a guestbook has been configured by the respective administrator, the name, e-mail address and home organisation are transferred to the corresponding form, but can also be changed and overwritten.
4.1.3 Legal basis
The use of DaRUS is voluntary for all those who are not connected to the University of Stuttgart via a joint research project or membership. The legal basis for the processing is then Art. 6 para. 1 lit. a DS-GVO. If the processing takes place within the framework of a research project and data of persons are concerned who are not members of the University of Stuttgart, this cooperation is based on a cooperation agreement. The legal basis is then Art. 6 para. 1 lit. b DS-GVO.
The system makes the existing user accounts available to the administrators of a dataverse via auto-completion in order to assign rights to users. So when an administrator starts typing a user's name, a list of existing user accounts containing that name is displayed. The information of the user account is also made available to the responsible person (usually the administrator of the corresponding dataverse) for requests for protected data records.
Super admins can view and manage a list of all existing user accounts for user administration purposes.
4.1.5 Duration of storage
Existing user accounts are deleted or anonymized on request or if the user hasn't used the service for three years. If a user account can not be deleted because of dependencies within the system, the account will be anonymized.
4.2 Research data
4.2.1 Description and categories of data
DaRUS enables scientists at the University of Stuttgart to secure their research data. These are stored separately for each research project in so-called "Dataverses". Depending on the type of research project, this (primary) data may also contain personal data.
DaRUS supports the management of research data. The link to structured metadata makes the data easier to find and trace. In addition to secure storage, user administration also makes it possible to publish data, share it with a defined number of partners or make it accessible to individuals.
4.2.3 Legal basis
As a rule, the storage and processing during a research project is subject to the informed consent of the data subject. In this case, the legal basis is Art. 6 para. 1 lit. a DS-GVO. If the research project is based on the collection of publicly accessible data or if the interests of the University of Stuttgart in the implementation of the research or statistical project outweigh the interests of the data subject in the exclusion of processing and if anonymous collection and processing is not possible, the legal basis is Art. 6 para. 1 lit. e DS-GVO in conjunction with Art. 6 para. 1 lit. a DS-GVO. § 13 LDSG in conjunction with § 2 Para. 5 of the Statutes of the University of Stuttgart to ensure the integrity of scientific practice and to deal with misconduct in science.
DaRUS offers various possibilities to publish research data: In any case, the metadata of a data set is made available to the whole public with the publication. As a rule, the actual research data itself can then be freely downloaded and reused by others. If research data is personal, it is usually protected by a procedure that only makes the data available on request, after authentication by a research institution and approval by the administrator of the dataverse under certain conditions. How the data is published is decided by the persons responsible for the respective data set depending on the consent given by the persons concerned.
4.2.5 Duration of storage
If publication or long-term re-use of the data is not planned, the data shall be deleted after a period specified in the research project's data management plan. In accordance with § 2 Para. 5 of the Statutes of the University of Stuttgart, this period regularly amounts to 10 years to ensure the integrity of scientific practice and to deal with misconduct in science. Various research funders may have different deadlines. The faculties of the university may also lay down different regulations for their departments. If the data are to be published or used for a longer period of time after the deadline for storage, this will only be done on the basis of an informed declaration of consent.
4.2.4 Specific protection of research data
126.96.36.199 Organizational data protection
The protection and integrity of research data is an essential part of good scientific practice. This includes a conscientious handling of personal data. All scientific employees of the University are obliged to take this into account in their work.
4.3 Guestbook entries
4.3.1 Description and categories of data
If a dataverse or a data record is provided with a guestbook, a web form is displayed before the associated data is downloaded, with which information about the downloading person is collected. The information that the administrator of the respective datavers/record has configured is collected via a web form, usually the name, organisation and e-mail address of the person downloading the data, possibly supplemented by answers to further questions.
The collected data serves the administrator of a dataver to inform which data records were downloaded by whom for which purpose and thus to make the re-use of scientific data traceable.
4.3.3 Legal basis
The collected data will be displayed to the administrators of the respective dataverse in tabular form, as well as made available for download.
4.4.1 Description and categories of data
The data sets contain metadata to describe the research data contained in DaRUS. Which metadata categories are available to describe the data and which of them are mandatory fields is configured by the administrator of the respective dataverse. Which metadata fields are used to describe a dataset (beyond the mandatory fields) is decided by the respective authors of the dataset. At least, however, the following personal data is collected as metadata:
- Author (first name*, surname*, institutional affiliation)
- Contact email address*
* Mandatory fields
Optionally, a dataset can be described with additional metadata provided by the administrator of the dataverse, such as personal data of other contributors (first name, surname, institutional affiliation, email address, PIDs) or information on the origination (provenance) of the dataset with the steps to origination including times and persons involved, methods, software and hardware.
In DaRUS, data records are described by additional information, so-called metadata, in order to make them findable and understandable. In the case of publication, the metadata is used to register a DOI as a persistent ID. Published records are made available to other repositories, search indexes, or services to increase visibility and demonstrate a possible publication requirement.
4.4.3 Legal basis
The metadata of published records is generally visible to the public and can also be captured by web crawlers and search indexes. Upon publication, the citation metadata (author, title, publisher, year) are transferred to the DOI registration office of the TIB Hannover in order to register a DOI. Published datasets can also be retrieved from other repositories via procedures such as OAI-PMH.
4.4.5 Duration of storage
The metadata of published records are not deleted. The metadata of unpublished records is deleted when the associated record is deleted. This happens after the expiry of previously agreed retention periods.
4.5 Provision of the Website and Creation of Log Files
4.5.1 Description and categories of data
When you visit https://darus.uni-stuttgart.de, your browser transmits data to our web server. The following data is temporarily recorded in a log file during a running connection:
- IP address of the requesting computer
- Date and time of access
- Name, URL, and amount of data transferred in the file retrieved.
- Access status (requested file transferred, not found etc.)
- Browser type and operating system (if transmitted by the requesting web browser)
- Website from which the access was made (if transmitted by the requesting web browser)
The data in this log file is processed as follows:
- The log entries are continuously evaluated automatically in order to recognize attacks on the web servers and to be able to react accordingly.
- In individual cases, i.e. reported malfunctions, errors and security incidents, a manual analysis is performed.
In addition, the date and time stamp, IP address + port (source), IP address + port (destination) and packet size are logged on the active network components of the Universität Stuttgart when web pages are called up.
When data is downloaded, user account data (name, e-mail address, institution and position, if available) or the session ID of guest users are stored together with download information (download time, downloaded file).
The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. The data is stored in a log file to ensure the functionality of the website. The data is also used to optimise the website and to ensure the security of our information technology systems. The IP addresses contained in the log entries are not merged with other data, unless there are actual stopping points for a disruption of proper operation. Logging on active network components also serves to ensure the security of information technology systems. These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f DS-GVO.
The information for downloading the data is used for metrics to determine the quality of a data set and for traceability of the subsequent use of data sets.
4.5.3 Legal basis
The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f DS-GVO.
If investigation measures are initiated due to attacks on our information technology system, the data or log files mentioned above under 4.1.1 can be passed on to state investigation bodies (e.g. police, public prosecutor's office). The same shall apply if the relevant authorities and/or courts address enquiries to the University and the University is obliged to comply with them.
Information for downloading data is made available to the administrator of the respective dataverse, the manager of the dataset and the curator of the dataset.
4.5.5 Duration of storage
The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the session in question has ended.
The storage of data in log files is anonymised after seven days. This is done by shortening the IP addresses.
4.5.6 Consequences of non-disclosure, objection or removal possibility
The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Users who do not wish their data to be processed as described will not be able to use the University's services.
4.6.1 Description and categories of data
The user data collected by technically necessary cookies are not used to create user profiles.
Our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f DS-GVO also lies in these purposes.
4.6.3 Legal basis
The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f DS-GVO.
The recipient of the information contained in the cookies is exclusively the authorised web server, i.e. the web server of the university that sets the cookie.
4.6.5 Duration of storage
Session cookies are automatically deleted from your computer when you close your browser. Since the cookies are stored on your end device, you also have the option of an earlier deletion. You can find out more in the following point.
4.6.6 Consequences of non-disclosure, possibility of objection or elimination
- You have the right to obtain information from the University about the personal data stored about you and/or to have incorrectly stored data corrected. If research (primary) data is affected, your right to have the data corrected is only permitted to the extent that the integrity of the data is still guaranteed. If a correction of the data is not possible for this reason, it is possible to add a note or a statement to the data.
- In addition, you have the right to deletion or restriction of processing or a right to object to processing.
Please contact the data protection officer of the University of Stuttgart at: firstname.lastname@example.org
- You have the right to complain to the supervisory authority if you are of the opinion that the processing of your personal data violates legal regulations.
The responsible supervisory authority is the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg.