Privacy Statement

In the following you will find a description of which personal data is collected and processed by the DaRUS service (data repository of the University of Stuttgart).

Data Repository University of Stuttgart

University of Stuttgart
Keplerstraße 7
70174 Stuttgart
Phone: +49 711/685-0

University of Stuttgart
Data protection officer
Breitscheidstr. 2
70174 Stuttgart, Germany
Phone: +49 711 685-83687
Fax: +49 711 685-83688

This privacy policy information refers to the research data repository of the University of Stuttgart (DaRUS) which is operated with the Open Source software Dataverse. DaRUS supports the scientists of the university in their research data management and enables - if desired - a sustainable publication. For this purpose, separate areas (so-called dataverses) can be created for individual research groups and projects, which are administered by local administrators. The servers are provided by the Technical Information and Communication Services (TIK) of the Information and Communication Centre of the University of Stuttgart. Administration is carried out jointly by TIK and the University Library. The research data competence centre FoKUS is responsible as part of the IZUS.

The personal data described in this section are collected, stored and/or processed.

4.1 User Account

4.1.1 Description and categories of data

To view published records and download published data, no registration is required. In order to upload data to DaRUS, to describe data and to download (partially) protected data, a user account is required. The prerequisite for creating a user account is that authentication via an authentication server (IDP) via Shibboleth® is carried out by the home organization. At the first login to DaRUS a user account is created, which takes over the following information from the authentication server (IDP):

  • Full name (cn, givenName, sn)
  • E-mail address (email)
  • Home organization (o)
  • User ID (eduPersonPrincipalName, alternatively eduPersonUniqueId)
4.1.2 Purpose

The information in the user account is used to assign rights and roles. The user information is made available to Dataverses administrators so that they can assign roles to persons and groups and thus rights to the Dataverse they manage. This serves the protection and integrity of the data. In particular, it logs who is making changes to the stored data records and who - in the case of protected data - is retrieving them. If a user requests the protected data of a data record, the information of his or her user account is additionally made available to the contact person of the data record concerned and the administrator of the dataverse containing the data record as a basis for deciding whether to approve or reject the request.

Transfer to guestbook entry: If a user downloads data from a dataverse for which a guestbook has been configured by the respective administrator, the name, e-mail address and home organisation are transferred to the corresponding form, but can also be changed and overwritten.

4.1.3 Legal basis

The use of DaRUS is voluntary for all those who are not connected to the University of Stuttgart via a joint research project or membership. The legal basis for the processing is then Art. 6 para. 1 lit. a DS-GVO. If the processing takes place within the framework of a research project and data of persons are concerned who are not members of the University of Stuttgart, this cooperation is based on a cooperation agreement. The legal basis is then Art. 6 para. 1 lit. b DS-GVO.

4.1.4 Transmission

The system makes the existing user accounts available to the administrators of a dataverse via auto-completion in order to assign rights to users. So when an administrator starts typing a user's name, a list of existing user accounts containing that name is displayed. The information of the user account is also made available to the responsible person (usually the administrator of the corresponding dataverse) for requests for protected data records.

Super admins can view and manage a list of all existing user accounts for user administration purposes.

4.1.5 Duration of storage

Existing user accounts are deleted or anonymized on request or if the user hasn't used the service for three years. If a user account can not be deleted because of dependencies within the system, the account will be anonymized. 

4.2 Research data

4.2.1 Description and categories of data

DaRUS enables scientists at the University of Stuttgart to secure their research data. These are stored separately for each research project in so-called "Dataverses". Depending on the type of research project, this (primary) data may also contain personal data.

4.2.2 Purpose

DaRUS supports the management of research data. The link to structured metadata makes the data easier to find and trace. In addition to secure storage, user administration also makes it possible to publish data, share it with a defined number of partners or make it accessible to individuals.

4.2.3 Legal basis

As a rule, the storage and processing during a research project is subject to the informed consent of the data subject. In this case, the legal basis is Art. 6 para. 1 lit. a DS-GVO. If the research project is based on the collection of publicly accessible data or if the interests of the University of Stuttgart in the implementation of the research or statistical project outweigh the interests of the data subject in the exclusion of processing and if anonymous collection and processing is not possible, the legal basis is Art. 6 para. 1 lit. e DS-GVO in conjunction with Art. 6 para. 1 lit. a DS-GVO. § 13 LDSG in conjunction with § 2 Para. 5 of the Statutes of the University of Stuttgart to ensure the integrity of scientific practice and to deal with misconduct in science.

4.2.4 Receiver

DaRUS offers various possibilities to publish research data: In any case, the metadata of a data set is made available to the whole public with the publication. As a rule, the actual research data itself can then be freely downloaded and reused by others. If research data is personal, it is usually protected by a procedure that only makes the data available on request, after authentication by a research institution and approval by the administrator of the dataverse under certain conditions. How the data is published is decided by the persons responsible for the respective data set depending on the consent given by the persons concerned.

4.2.5 Duration of storage

If publication or long-term re-use of the data is not planned, the data shall be deleted after a period specified in the research project's data management plan. In accordance with § 2 Para. 5 of the Statutes of the University of Stuttgart, this period regularly amounts to 10 years to ensure the integrity of scientific practice and to deal with misconduct in science. Various research funders may have different deadlines. The faculties of the university may also lay down different regulations for their departments. If the data are to be published or used for a longer period of time after the deadline for storage, this will only be done on the basis of an informed declaration of consent.

4.2.4 Specific protection of research data Organizational data protection

The protection and integrity of research data is an essential part of good scientific practice. This includes a conscientious handling of personal data. All scientific employees of the University are obliged to take this into account in their work.

4.3 Guestbook entries

4.3.1 Description and categories of data

If a dataverse or a data record is provided with a guestbook, a web form is displayed before the associated data is downloaded, with which information about the downloading person is collected. The information that the administrator of the respective datavers/record has configured is collected via a web form, usually the name, organisation and e-mail address of the person downloading the data, possibly supplemented by answers to further questions.

4.3.2 Purpose

The collected data serves the administrator of a dataver to inform which data records were downloaded by whom for which purpose and thus to make the re-use of scientific data traceable.

4.3.3 Legal basis

4.3.4 Receiver

The collected data will be displayed to the administrators of the respective dataverse in tabular form, as well as made available for download.

4.4 Metadata

4.4.1 Description and categories of data

The data sets contain metadata to describe the research data contained in DaRUS. Which metadata categories are available to describe the data and which of them are mandatory fields is configured by the administrator of the respective dataverse. Which metadata fields are used to describe a dataset (beyond the mandatory fields) is decided by the respective authors of the dataset. At least, however, the following personal data is collected as metadata:

  • Author (first name*, surname*, institutional affiliation)
  • Contact email address*

* Mandatory fields

Optionally, a dataset can be described with additional metadata provided by the administrator of the dataverse, such as personal data of other contributors (first name, surname, institutional affiliation, email address, PIDs) or information on the origination (provenance) of the dataset with the steps to origination including times and persons involved, methods, software and hardware.

4.4.2 Purpose

In DaRUS, data records are described by additional information, so-called metadata, in order to make them findable and understandable. In the case of publication, the metadata is used to register a DOI as a persistent ID. Published records are made available to other repositories, search indexes, or services to increase visibility and demonstrate a possible publication requirement.

4.4.3 Legal basis
4.4.4 Receiver

The metadata of published records is generally visible to the public and can also be captured by web crawlers and search indexes. Upon publication, the citation metadata (author, title, publisher, year) are transferred to the DOI registration office of the TIB Hannover in order to register a DOI. Published datasets can also be retrieved from other repositories via procedures such as OAI-PMH.

4.4.5 Duration of storage

The metadata of published records are not deleted. The metadata of unpublished records is deleted when the associated record is deleted. This happens after the expiry of previously agreed retention periods.

4.5 Provision of the Website and Creation of Log Files

4.5.1 Description and categories of data

When you visit, your browser transmits data to our web server. The following data is temporarily recorded in a log file during a running connection:

  • IP address of the requesting computer
  • Date and time of access
  • Name, URL, and amount of data transferred in the file retrieved.
  • Access status (requested file transferred, not found etc.)
  • Browser type and operating system (if transmitted by the requesting web browser)
  • Website from which the access was made (if transmitted by the requesting web browser)

The data in this log file is processed as follows:

  • The log entries are continuously evaluated automatically in order to recognize attacks on the web servers and to be able to react accordingly.
  • In individual cases, i.e. reported malfunctions, errors and security incidents, a manual analysis is performed.

In addition, the date and time stamp, IP address + port (source), IP address + port (destination) and packet size are logged on the active network components of the Universität Stuttgart when web pages are called up.

When data is downloaded, user account data (name, e-mail address, institution and position, if available) or the session ID of guest users are stored together with download information (download time, downloaded file).

4.5.2 Purpose

The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user's computer. For this purpose, the IP address of the user must remain stored for the duration of the session. The data is stored in a log file to ensure the functionality of the website. The data is also used to optimise the website and to ensure the security of our information technology systems. The IP addresses contained in the log entries are not merged with other data, unless there are actual stopping points for a disruption of proper operation. Logging on active network components also serves to ensure the security of information technology systems. These purposes also include our legitimate interest in data processing pursuant to Art. 6 para. 1 lit. f DS-GVO.

The information for downloading the data is used for metrics to determine the quality of a data set and for traceability of the subsequent use of data sets.

4.5.3 Legal basis

The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f DS-GVO.

4.5.4 Recipient

If investigation measures are initiated due to attacks on our information technology system, the data or log files mentioned above under 4.1.1 can be passed on to state investigation bodies (e.g. police, public prosecutor's office). The same shall apply if the relevant authorities and/or courts address enquiries to the University and the University is obliged to comply with them.

Information for downloading data is made available to the administrator of the respective dataverse, the manager of the dataset and the curator of the dataset.

4.5.5 Duration of storage

The data will be deleted as soon as they are no longer necessary to achieve the purpose for which they were collected. In the case of the collection of data to provide the website, this is the case when the session in question has ended.
The storage of data in log files is anonymised after seven days. This is done by shortening the IP addresses.

4.5.6 Consequences of non-disclosure, objection or removal possibility

The collection of data for the provision of the website and the storage of data in log files is mandatory for the operation of the website. Users who do not wish their data to be processed as described will not be able to use the University's services.

4.6 Use of Cookies

4.6.1 Description and categories of data

Our website uses cookies to assign successive visits to our site after a login to a connected session (session cookie). Cookies are text files that are stored in the Internet browser or by the Internet browser on the user's computer system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is called up again. When a user visits a website, a cookie can be stored on the user's operating system.

4.6.2 Purpose

Some functions of our website cannot be offered without the use of cookies, in particular all functions that require authentication under a user account. For these it is necessary that the browser is recognized also after a page change.

The user data collected by technically necessary cookies are not used to create user profiles.

Our legitimate interest in the processing of personal data pursuant to Art. 6 para. 1 lit. f DS-GVO also lies in these purposes.

4.6.3 Legal basis

The legal basis for the processing of personal data using cookies is Art. 6 para. 1 lit. f DS-GVO.

4.6.4 Recipient

The recipient of the information contained in the cookies is exclusively the authorised web server, i.e. the web server of the university that sets the cookie.

4.6.5 Duration of storage

Session cookies are automatically deleted from your computer when you close your browser. Since the cookies are stored on your end device, you also have the option of an earlier deletion. You can find out more in the following point.

4.6.6 Consequences of non-disclosure, possibility of objection or elimination

Cookies are stored on the user's computer and transmitted to our site by the user. Therefore, you as a user have full control over the use of cookies, regardless of the storage periods listed above. You can deactivate or restrict the transmission of cookies by changing the settings in your Internet browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that all functions of the website can no longer be used to their full extent.

  • You have the right to obtain information from the University about the personal data stored about you and/or to have incorrectly stored data corrected. If research (primary) data is affected, your right to have the data corrected is only permitted to the extent that the integrity of the data is still guaranteed. If a correction of the data is not possible for this reason, it is possible to add a note or a statement to the data.
  • In addition, you have the right to deletion or restriction of processing or a right to object to processing.

Please contact the data protection officer of the University of Stuttgart at:

  • You have the right to complain to the supervisory authority if you are of the opinion that the processing of your personal data violates legal regulations.

The responsible supervisory authority is the State Commissioner for Data Protection and Freedom of Information for Baden-Württemberg.

Your personal data will be protected according to the Code of Conduct for Service Providers, a common standard for the research and higher education sector to protect your privacy.


To the top of the page