1. Name and address of the responsible controller
The responsible controller as defined in the EU General Data Protection Regulation (GDPR) and other national data protection laws of the EU member states as well as other data protection-related provisions is:
Lehrstuhl für Informatik 1
Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU)
attn. Mr. Gaston Pugliese
2. Name and address of the data protection officer
The data protection officer appointed by the responsible controller is:
Norbert Gärtner, RD
3. General information on data processing
We collect and use the personal data of our users insofar as necessary for operating a functional website and delivering our content and services, and to the extent to which the law permits.
3.1. Legal basis for processing personal data
Whenever we obtain the consent from a data subject to process personal data, Art. 6 (1 a) GDPR serves as the legal basis for processing this personal data.
Whenever processing such data is necessary for compliance with a legal regulation, to which the Friedrich-Alexander University Erlangen-Nürnberg is subject, Art. 6 (1 c) GDPR serves as the legal basis.
In cases for which processing is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1 d) GDPR serves as the legal basis.
If processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Friedrich-Alexander University Erlangen-Nürnberg, Art. 6 (1 e) GDPR serves as the legal basis for processing this data.
If processing is necessary for safeguarding the legitimate interests of the Friedrich-Alexander University Erlangen-Nürnberg or of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, Art. 6 (1 f) GDPR serves as the legal basis for processing this data. This does not apply to processing tasks which the Friedrich-Alexander University Erlangen-Nürnberg is obliged to perform as a public authority.
3.2. Duration of storage of personal data
We reserve the right to retain the data subject’s personal data for as long as the purpose of such storage exists. If processing is permitted on the basis of the subject’s consent, his/her personal data is only stored until the data subject withdraws his/her consent, except in cases where processing is governed by a different legal basis.
3.3. Right to rectification and erasure of personal data
The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. The data subject also has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay as soon as the purpose of storage is no longer necessary. In cases where data processing is performed on the basis of consent, the right to erasure exists if the data subject withdraws his/her consent and no other legal grounds exist for processing the data.
Personal data must be erased if the data subject objects to the processing in accordance with Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or if the personal data has been unlawfully processed, or if the personal data must be erased in order to comply with a legal requirement mandated by an EU or member state law, to which the Friedrich-Alexander University Erlangen-Nürnberg is subject.
The right to erasure as put forth in the cases stated above does not apply, however, if it would prevent compliance with a legal obligation which requires processing by European Union or member state law, to which the Friedrich-Alexander University Erlangen-Nürnberg is subject, or hinder the performance of a task carried out in the public interest or in the exercise of official authority vested in the Friedrich-Alexander University Erlangen-Nürnberg, or if extended storage is necessary for the establishment, exercise or defence of legal claims.
3.4. Right to withdrawal
If permission to process personal data was granted by the consent of the data subject, he or she may withdraw his/her consent at any time. All processing of personal data performed prior to withdrawal remains lawful irrespective of the subject’s withdrawal.
3.5. Right to information
The data subject has the right to obtain confirmation from the Friedrich-Alexander University Erlangen-Nürnberg whether it is processing any personal data concerning him or her. If such is the case, the data subject has a right to information regarding the type of personal data and the purpose for which it is being processed. The data subject also has the right to obtain information on the duration of the planned storage of his/her data, or on the criteria for determining how long his/her data is to be stored.
4. Provision of the website and creation of log files
4.1. Scope of data processing
For every access query to our website, our server automatically collects data and information from the querying computer system. The following data is collected in this process:
- information on the browser type and version
- the user's operating system
- the user's Internet service provider
- the user's IP address
- the date and time of the query
- websites from which the user’s system was directed to our website
- websites which the user’s system accesses via our website
This data is compiled in log files and saved on our server. No further personal data is stored together with the log file data.
4.2. Legal basis for processing
The legal basis for temporarily processing data and log files is provided in Art. 6 (1 f) GDPR.
4.3. Purpose of processing
The temporary storage of the IP address on our server is necessary for granting the user’s system access to our website. For this purpose, the user’s IP address must remain stored on our server for the duration of the session.
Data storage in log files is required to ensure the functionality of the website. Furthermore, the data enables us to optimise the website and guarantee the security of our IT systems. Data analysis for marketing-related purposes is not performed in this context.
These purposes correspond to the legitimate interests of data processing as indicated in Art. 6 (1 f) GDPR.
4.3. Duration of storage of personal data
The data is erased at the conclusion of the respective session.
All data stored in log files is erased within seven days. A longer period of data storage is possible. In such cases, the user’s IP address is erased or anonymised in such a way that renders it impossible to identify the querying client. All log files will be deleted after the data acquisition phase of our online study ends.
5.1. Scope of data processing
- language preference (German or English)
- temporary session ID (technically required)
Apart from this, our website does not use any cookies for analytics or tracking purposes.
5.2. Legal basis for processing
The legal basis for processing personal data using technically necessary cookies is provided in Art. 6 (1 f) GDPR. The legal basis for processing personal data using cookies for other purposes for which respective consent is granted by the user is provided in Art. 6 (1 a) GDPR. Purpose of processing
5.3. Duration of storage of personal data
Cookies are saved on the user’s computer which transfers them to our server. Consequently, as the user, you have complete control over how cookies are used by your system. By changing the settings in your web browser, you can deactivate or restrict the transmission of cookies to external websites. You can also delete all saved cookies on your system at any time. Restrictions on cookie usage can be managed automatically by your browser. If you choose to deactivate cookies for our website, it may prevent you from taking full advantage of all the features offered on this website.
6. Study Participation: Registration
6.1. Scope of data processing
This website is mainly intended to conduct an online study on browser fingerprinting and to present intermediate results of evaluations to the public. The study participation is designed in a way that participants receive weekly emails (one or more; like a newsletter). When a user signs up for our study, the information provided in the input mask is sent to our server.
As part of the registration process, the user is asked to consent to have his/her data processed and is informed of this data protection policy. All personal data processed in connection with email delivery is not shared with third parties. This data is exclusively used for delivering the emails during users' study participation.
6.2. Legal basis for processing
The legal basis for processing the user’s personal data after registering and granting his/her consent is provided in accordance with Art. 6 (1 a) GDPR.
6.3. Purpose of processing
The user’s email address is processed for the purpose of delivering study-dependent emails to participants.
6.4. Duration of storage of personal data
Your email address is saved on our server for as long as you participate in our study, i.e., until you decide to unsubscribe during the on-going study, or until the study itself ends and all email addresses of still active participants are deleted.
The study participation can be cancelled by the user at any time. For this purpose, a cancellation link is embedded in each of the weekly emails. When cancelling the study participation by visiting such a link, the email address of the user will be deleted from the database immediately.
7. Study Participation: Browser Fingerprints
7.1. Scope of data processing
During registration, participants can freely choose whether they agree that their browser fingerprints may be published in an anonymous form for research purposes. If not, the use of their data is limited to the study team.
In all public parts of our study website, where no registration is necessary, we naturally do not collected browser fingerprints from visitors of our website.
The browser characteristics collected on a subpage of our website for registered study participants are listed in the following:
- Accepted header, encoding, language; DoNotTrack preference; user agent; IP address
- User agent, browser name, browser version, browser vendor, oscpu, platform, installed plugins, mime types, ajax, timezone, languages, Silverlight version, Java support, cookie Support, Google Gears support, PDF reader, screen resolution, color depth, device pixel ratio, cookie behavior, DoNotTrack preference, .NET version, online, geolocation support, Active X support, Vibrate API support, Crypto API support, Security Policy support, FM Radio API support, User Media support, Adblocker support
- List of all installed, or if Flash is not installed, or at least detectable fonts; number of fonts
- is Flash installed; operating system; language; vendor; player type; screen resolution; screen color; DPI; 32 bit support; 64 bit support; touch screen type; CPU architecture; is access to audio and video components forbidden; is communication supported; is encoding of audio streams via microphone supported; are embedded videos supported; is a Input Method Editor (IME) installed; is a MP3 decoder installed; is printing supported; are screen broadcast applications via Flash Media Server supported; is audio streaming supported; is video streaming supported; are native SSL sockets supported, is decoding of video streams (e.g., via web cam) supported; is access on hard drive allowed; max. supported H.264 level
- is WebRTC supported; is screen capturing supported; are WebRTC-capable devices enumerable; is WebRTC Audio supported; is WebRTC video supported; local IP address(es); public IPv6 address; public IPv4 address; are bidirectional end-to-end data channels supported; is Stream Control Transport Protocol supported
- are local, session, and global storage as well as Indexed DB, OpenDatabase, and IE Add Behavior supported; Temporary storage (bytes)
- E, Pi, Sqrt(2), Sqrt(0.5), Ln(2), Ln(0.5), Log_2(E), Log_10(E)
- is Audio API supported; is destination property available; sample rate; state of Audio API after init; is MozAudioChannelType available; number of audio channels for up/down mixing; number of max. available audio channels; modes regarding matching of input and output; type of channels; number of inputs; number of outputs
- is Battery API supported; battery level of device; is device charging; time till device is fully charged; time till device is discharged
- Canvas fingerprint; WebGL fingerprint; is canvas winding supported; WebGL constants
7.2. Legal basis for processing
The legal basis for processing the user’s personal data after registering and granting his/her consent is provided in accordance with Art. 6 (1 a) GDPR.
7.3. Purpose of processing
The collection of browser fingerprints of registered study participants has the purpose to support research on and against browser fingerprinting based on real-world data.
7.4. Duration of storage of personal data
According to the purpose of processing, collected browser fingerprint data are not deleted, but stored in an anonymous form. However, if a study participant wants his or her fingerprint data to be deleted, an informal email to the study's contact person (contact page) is sufficient.
8. Email contact
8.1. Scope of data processing
On our website, users can personally contact the University via email by using the email address provided for such purposes. In this case, the email together with the user’s personal data is saved on our server.
The user’s personal data is not shared with third parties in this context. The data is exclusively used for purposes of establishing and maintaining contact with the user. Legal basis for processing
The legal basis for processing the user’s personal data, acquired as a result of the user sending an email, is provided in accordance with Art. 6 (1 f) GDPR.
8.2. Purpose of processing
The user’s personal data is processed only for the purpose of establishing and maintaining contact with the user. This corresponds to the legitimate interests of processing personal data in accordance with Art. 6 (1 f) GDPR.
8.3. Duration of storage of personal data
All personal data sent to us via email is deleted as soon as the respective dialogue with the user is concluded. The dialogue is deemed concluded when circumstances indicate that the issue in question has been clarified to the satisfaction of all parties.
9. Social media buttons
9.1 Scope of data processing
We use Shariff, a solution by German computer magazine c't and heise online that provides privacy for visitors that neither want to make use of these buttons, nor their browsing data to be leaked to social networks. There will be no connection and no data exchange with servers of social networks, unless you explicitly click on one of the buttons (except email, it only opens your local email client).
Those who want to make use of these buttons will transmit data (e.g., IP address, referrer URL) to Web servers of the respective social network by clicking on the corresponding buttons. Furthermore, your social media account provider will be able to analyze your browsing behavior and link it with your user ID and also with further data if you decide to use social media buttons (in general).
- Terms of service - Facebook
- Data policy - Facebook
- Terms of service - Twitter
- Terms of service - Google+
9.2 Legal basis for processing
The legal basis for processing the user’s personal data is provided in Art. 6 (1 a) GDPR.