Data protection declaration for Schiffer-Berufskolleg
1. Responsibility for data processing
The individual school, represented by the headteacher, is responsible for data processing in LOGINEO NRW for schools.
The responsible supervisory authority is
The State Commissioner for Data Protection and Freedom of Information NRW
P.O. Box 20 04 44
40102 Düsseldorf
Tel.: 0211/38424-0
E-mail: poststelle@ldi.nrw.de
2. Purposes of data processing
LOGINEO NRW is a modular system that enables various processing activities. Depending on the processing activity or module, different processing purposes are pursued.
| Processing activity | Module(s) | Purpose of processing |
| Provision of the web-based frontend of the system | Homepage / web-based frontend | Ensuring trouble-free operation of the web-based frontend |
| Importing master data into user management | User management | Fulfilling the school’s educational mandate |
| Processing of data as part of task fulfillment | File storage Groupware (e-mail, calendar, address book) |
Fulfilling the school’s educational mandate |
| Activation and use of the user account | File storage Groupware (e-mail, calendar, address book) |
Storing documents from a pedagogical and school administrative context electronic communication |
When using and providing LOGINEO NRW, operating data (log files) are collected and processed in the data center to ensure proper operation and availability of the systems and to log security-relevant events, and cookies are set in the browser used to improve the user experience.
3. Scope and lawfulness of data processing
Depending on the processing purpose and category of data subjects, there are different legal bases for data processing in LOGINEO NRW.
| Processing activity | Categories of data subjects | Processed data | Legal basis |
| Provision of the web-based frontend | Visitors to the web-based frontend (publicly accessible) |
Server log files with: · Browser type and browser version · operating system used · Referrer URL (address of the page from which the reference was made) · IP address · Hostname of the accessing computer · Internet service provider · Time of the server request · amount of data transferred Cookies (name, purpose, storage period): Homepage: · JSESSIONID, session ID of the web application, until the browser is closed Navigation bar: · kmPos, y-position navigation (for saving/restoring navigation position per application, is deleted after 24h · shib_idp_session, IDP session information (global SSO login), until the browser is closed · _shib_session, SP session (session information for navigation), until the browser is closed · captcha, is required by the captcha in the contact form, until the browser is closed Edusharing: · JSESSIONID, session ID of the web application, until the browser is closed Network/Support · MoodleSession, session ID of the web application, until the browser is closed |
Art. 6 para. 1 sentence 1 lit. e), para. 3 lit. b) GDPR in conjunction with § 3 para. 1 DSG NRW |
| Importing master data into user management | School staff Students |
Master data: · Last name · First name(s) · Name abbreviation (teachers) · unique identification number (teachers) · school-internal unique identification number (students) · official/school e-mail address (inactive) · primary role of a user (e.g. student, teacher, …) · Membership of a group (e.g. class, course, subject group, working group, …) |
Art. 6 para. 1 lit e.) GDPR in conjunction with Art. 6 para. 3 lit b) GDPR (SchulG NRW, VO-DV I, VO-DV II) |
| Functionaries, External |
Master data: · Last name · First name(s) · school-internal unique identification number · official/school email address (inactive) · primary role of a user (e.g. secretariat, external, …) · Membership of a group (e.g. class, course, subject group, working group, …) |
Art. 6 para. 1 sentence 1 lit. e), para. 3 b) EU-GDPR in conjunction with § 3 para. 1 DSG NRW | |
| Processing of data as part of task fulfillment | Students, parents |
· Individual and organizational data, performance data, school form and grade-specific additional data in accordance with Annex 1 VO-DV I · Mandatory documentation in accordance with Annex 2 I. VO-DV I · further information collections in accordance with Annex 2 II. VO-DV I |
Art. 6 para. 1 lit. e) GDPR in conjunction with Art. 6 para. 3 lit. b) GDPR (SchulG NRW, VO-DV I) |
| Teachers |
· School data in accordance with Annex 1 VO-DV II · Files of the school management in accordance with Annex 2 VO-DV II |
Art. 6 para. 1 lit. e) GDPR in conjunction with Art. 6 para. 3 lit. b) GDPR (SchulG, VO-DV II) | |
| Functionaries, External |
· Information on how to reach them | Art. 6 para. 1 sentence 1 lit. e), para. 3 b) EU-GDPR in conjunction with § 3 para. 1 DSG NRW | |
| authenticated users |
Usage data: · voluntarily provided documents, files and data |
Art. 6 para. 1 sentence 1 lit. a) GDPR (consent) | |
| Activation and use of the user account | authenticated users | · Master data of the users | Art. 6 para. 1 lit. e) GDPR in conjunction with Art. 6 para. 3 lit. b) GDPR (SchulG NRW, VO-DV I, VO-DV II) |
|
Usage data: · documents and files voluntarily stored in the file storage areas, e.g. from a pedagogical context · Communication content |
Art. 6 para. 1 sentence 1 lit. a) GDPR (consent) | ||
|
Cookies (name, purpose, storage period): · _shib_session, SP session (session information for the respective application), until the browser is closed Log files: · System logs (e.g. access.log, error.log) to ensure the proper operation and availability of the systems · Application logs (e.g. server.log) for logging security-relevant events · Metadata on documents and files (e.g. “Owner”) · external circumstances of electronic communication (time, sender, recipient, amount of data transmitted, …) |
Art. 6 para. 1 sentence 1 lit. e), para. 3 lit. b) GDPR in conjunction with § 3 para. 1 DSG NRW |
The processing on the servers of the technical service provider takes place on the instructions of the controller in accordance with Art. 28 GDPR (data processing on behalf). The technical service provider and processor is:
Kommunales Rechenzentrum Niederrhein (KRZN)
Friedrich-Heinrich-Allee 130
47475 Kamp-Lintfort
Telephone: +49 2842 90 70-0
Fax: +49 2842 92732-0
E-mail: info@krzn.de
Internet: www.krzn.de
4. Categories of recipients and data transfer
Data relating to individuals are processed exclusively by
- Users of LOGINEO NRW
- Administrators of the technical service provider who have been instructed in their rights and obligations
- Employees of Medienberatung NRW and the technical service provider as part of the support
processed. A rights and roles concept based on the lawfulness of the processing and organizational measures ensure that data and documents can only be processed by those persons whose task fulfillment requires the processing. Data is only transmitted to authorized third parties on the basis of valid legal provisions or if the individual user has expressly consented to the transmission. For the purposes of criminal prosecution, to avert dangers by police authorities or to fulfill legal requirements of state protection, there may be an obligation to provide information, which the controller must comply with in individual cases.
5. Storage period
5.1 User accounts
The following applies to the retention periods for master data in user management
- Students and parents in accordance with §9 VO DV I: max. 5 years
- Teachers in accordance with §9 VO DV II: max. 5 years
Unless otherwise specified, the retention periods begin at the end of the calendar year in which the personal data are no longer required for the performance of the task. User accounts of functionaries and external parties are deleted when the requirement for processing the master data no longer applies.
5.2 Contents of the file storage areas and the groupware (e-mail, calendar, address book) Teachers, students, parents
The following applies to the retention periods of data and documents that are processed as part of the fulfillment of the school’s educational mandate in accordance with Art. 6 para. 1 lit. e) GDPR in conjunction with Art. 6 para. 3 lit. b) GDPR (SchulG NRW, VO-DV I, VO-DV II) (administrative data)
- for the data of students, parents in accordance with § 9 VO-DV I
- 10 years for data and documents from a school administrative context, e.g. report lists, documents on class management, etc.
- 5 years for all other data
- for the data of teachers in accordance with § 9 VO-DV II
- 5 years
Unless otherwise specified, the retention periods begin at the end of the calendar year in which the personal data are no longer required for the performance of the task.
The following applies to all users
Documents and files stored in the file storage areas, contents of their own e-mail inbox as well as self-created calendars and address books can be deleted independently by the users at any time.
If consent to the processing of usage data is withdrawn, as well as if consent to the terms of use is withdrawn, the accounts of the data subjects will be reset to the state at the time the user account was created. With the reset, all documents stored by the respective user in the “My Files” of the file storage areas, the official or school e-mail inbox as well as all calendars and address books created by the user in the groupware will be deleted.
Voluntarily provided data and documents will be deleted at the latest when the deadlines for processing the master data have expired and the user accounts are therefore deleted.
5.3 Operating data
Log files
System log files are automatically deleted after a retention period of 7 days, application log files after 30 days.
Cookies
Through appropriate settings in the Internet browser used for the use of the offer, the storage and transmission of the data associated with the processing of cookies can be prevented and already stored cookies can be deleted. However, this may mean that not all functions of the offer can be used to their full extent.
6. Rights of data subjects
Data subjects have the right at any time
- Art. 15 GDPR to information about data concerning them
- Art. 16 GDPR to rectification of incorrect data concerning them
- Art. 17 GDPR to erasure of data concerning them if they are no longer necessary, they are processed unlawfully or consent to the processing has been withdrawn
- Art. 18 GDPR to restriction of processing, e.g. to assert further rights
- Art. 20 GDPR to data portability to make the data concerning them available to other procedures if necessary
- Art. 21 GDPR to object to object to the further processing of the data concerning them in a special situation
The recognition of the terms of use as well as the consent to the processing of voluntarily provided data and documents can be revoked at any time with effect for the future. Data subjects should contact the controller or the school administrator of LOGINEO NRW for a revocation.
The user account of the user in question will be reset immediately upon revocation. With the reset, all documents and files stored by the respective user in the “My Files” of the file storage areas, the official or school e-mail inbox as well as all calendars and address books created by the user in the groupware will be deleted. Even in the event of a revocation, those data whose processing is permitted by a legal basis may continue to be processed. Which legal basis this is and which data are involved can be found in the section “Scope and lawfulness of data processing” of this data protection declaration.
Data subjects should contact the controller, the school administrator of LOGINEO NRW or the official data protection officers responsible for the school to protect their rights.
If data subjects believe that their data has been processed unlawfully, they can also contact the competent supervisory authority.
As of: 2025-05-19
