Privacy Policy
This is an English convenience translation. The legally binding version is the German original.
This privacy policy informs you pursuant to Art. 13 and Art. 14 GDPR about the processing of personal data in the context of the service entitlements.uni-mannheim.de (HPC Entitlements Service).
I. Controller
Universität Mannheim
L 1, 1 · 68131 Mannheim
Tel.: +49 621 181-1001
Email: rektor@uni-mannheim.de
II. Data Protection Officer
Jan Morgenstern (Attorney, Specialist Attorney for IT Law)
Johannesstraße 30 · 67346 Speyer
Email: datenschutzbeauftragter@uni-mannheim.de
III. Purpose and Legal Basis of Processing
Through this service, employees and students of the Universität Mannheim apply for access to high-performance computing resources (bwUniCluster). Access requires an export control compliance declaration (dual-use goods pursuant to AWG/AWV and Regulation (EU) 2021/821).
a) Application Management
Legal basis: Art. 6(1)(e) GDPR in conjunction with § 12 LHG (task carried out in the public interest: provision of HPC resources for research and teaching).
b) Retention of the Compliance Declaration
Legal basis: Art. 6(1)(c) GDPR in conjunction with § 22(3) AWV, § 17(1) AWG (compliance with a legal obligation: retention as proof of the export control assessment).
c) Export Control Screening
Upon submission of an application, an automated check is performed to determine whether your name appears on international sanctions lists. In addition, your nationality is retrieved once from the university's HIS/Portal2 system and checked against the BAFA embargo list and OFAC requirements.
Legal basis: Art. 6(1)(c) GDPR in conjunction with AWG, AWV, Regulation (EU) 2021/821 (compliance with a legal obligation: export control).
Note: Nationality is processed exclusively in working memory and is not stored. Only the screening result (unremarkable / flagged) is retained as a boolean value. The sanctions list check is performed locally on university-owned infrastructure — no personal data is transmitted to external services. No automated decision-making within the meaning of Art. 22 GDPR takes place; flagged results are assessed exclusively by the Export Control Officer on a manual basis.
d) Logging and Traceability
Each access records the IP address, a pseudonymised session identifier (SHA-256 hash), browser identifier and timestamp in the server logs. When the status of your application changes, this data is additionally stored in the change history to ensure the traceability of security-relevant operations.
Legal basis: Art. 6(1)(e) GDPR in conjunction with § 12 LHG (task carried out in the public interest: ensuring IT security and integrity of the service).
IV. Categories of Personal Data
| Category | Source |
|---|---|
| University ID / username | bwIDM (Shibboleth) |
| eduPersonPrincipalName (ePPN) | bwIDM (Shibboleth) |
| First and last name | bwIDM (Shibboleth) |
| Email address | bwIDM (Shibboleth) |
| Signed compliance declaration (PDF) | User input |
| Description of the research project | User input |
| Application status and timestamps | System |
| Export control screening result (boolean value) | System (automated) |
| Change history (status changes, document uploads) | System |
| IP address | Web server logs, change history |
| Session identifier (pseudonymised, hashed value) | System |
| Browser identifier (User-Agent) | Web server logs, change history |
| Error reports (stack trace, request data in case of system errors) | System (automated) |
Not stored: Nationality (only transiently in working memory during the screening, see Section III c).
Pseudonymisation: The session identifier is stored as a SHA-256 hash — reverse computation of the original session key is not possible.
V. Recipients of Personal Data
| Recipient | Data | Purpose |
|---|---|---|
| Shibboleth Identity Provider (University IT) | User identifier, entitlement status | SAML attribute for cluster access |
| Service administrators (University IT, bwHPC CC) | All application data | Application review and management |
| Export Control Officer (Division I) | Name, compliance declaration (in case of a flag) | Manual review upon screening match |
| bwUniCluster operator (KIT, external) | User identifier, entitlement status | Access control for the cluster (via bwIDM federation) |
| HIS/Portal2 (University IT, internal) | User identifier → nationality (transient) | Export control screening (embargo list) |
The sanctions list screening is performed entirely locally on university-owned infrastructure. The sanctions lists used (OpenSanctions) are downloaded as public datasets — no personal data is transmitted in the process.
V.a Transfer to Third Countries
No transfer of personal data to third countries (outside the EEA) takes place. The transmission of the user identifier and entitlement status to the bwUniCluster operator takes place within Germany via the bwIDM federation.
VI. Storage Duration
| Data | Retention Period |
|---|---|
| Compliance declaration (PDF) | 10 years after end of entitlement (§ 22(3) AWV, § 17(1) AWG in conjunction with § 78(3) no. 3 StGB) |
| Application data, screening results, change history | 10 years after end of entitlement |
| Web server logs (IP address, session identifier, browser identifier) | 7 days (systemd journal rotation) |
| Audit trail (IP address, session identifier, browser identifier for status changes) | 10 years after end of entitlement (same as application data) |
| Django session data | Automatically deleted upon session end or expiry (max. 2 weeks) |
VII. Your Rights
You have the following rights vis-à-vis the controller:
- Access to the personal data stored about you (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure of your data, provided no statutory retention obligation applies (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Objection to processing (Art. 21 GDPR)
- Data portability (Art. 20 GDPR)
To exercise your rights, please contact:
hpc-support@mailman.uni-mannheim.de
VIII. Obligation to Provide Data
The provision of your personal data is required for applying for HPC access. Without providing your identity data (via bwIDM/Shibboleth) and submitting the signed compliance declaration, the application cannot be processed and the entitlement cannot be granted. The export control screening is required by law (AWG/AWV).
IX. Right to Lodge a Complaint with the Supervisory Authority
You have the right to lodge a complaint with the competent data protection supervisory authority regarding the processing of your personal data (Art. 77 GDPR):
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg
Lautenschlagerstraße 20 · 70173 Stuttgart
Tel.: +49 711 615541-0
Email: poststelle@lfdi.bwl.de
Web: www.baden-wuerttemberg.datenschutz.de
Last updated: March 2026