Privacy Policy

This privacy policy informs you about the processing of personal data when using the online service called “Publisher’s Living Handbook for Diamond Open Access” operated by the Hamburg State and University Library - Carl von Ossietzky, including all subpages (hereinafter collectively referred to as the “website”), as well as your rights as a data subject when using this service.

 
A. Contact details of the controller and the data protection officer

The controller responsible for data processing on and in connection with the website within the meaning of Art. 4 No. 7 GDPR and other data protection provisions is:

Staats- und Universitätsbibliothek Hamburg - Carl von Ossietzky
Von-Melle-Park 3
20146 Hamburg
Germany

E-Mail: auskunft@sub.uni-hamburg.de

Hamburg State and University Library - Carl von Ossietzky (hereinafter referred to as “SUBHH” or “we/us”). The SUBHH is a state-owned enterprise („Landesbetrieb“) of the Free and Hanseatic City of Hamburg. It is part of the Behörde für Wissenschaft, Forschung, Gleichstellung and underlies it´s supervision.

The SUBHH is legally represented by its managing director, Prof. Robert Zepf.

The data protection officer of the State and University Library Hamburg - Carl von Ossietzky can be contacted as follows:

datenschutz nord GmbH
Konsul-Smidt-Straße 88
28217 Bremen

Germany
Web: www.datenschutz-nord-gruppe.de
E-Mail: office@datenschutz-nord.de

 
B. Data processing
B.1. Provision of the website and creation of log files

When you visit the website, the Internet browser you are using automatically sends data to the website’s server and stores it in log files on the server for a limited period of time. The following data is stored until it is automatically deleted without any further input from the visitor to our website: 

•    IP address from which our website is accessed
•    Information about the browser type and version used
•    Date and time of access
•    Technical data relating to the transmission (protocols, status code, data volumes)
•    Internet service provider of the user
•    Operating system of the user
•    Websites from which the user’s system accesses the website
•    Websites accessed by the user’s system via our website.

The data is deleted as soon as it is no longer required for the purpose for which it was collected. In the case of data required for the provision of the website, this is the case when the respective session has ended. 

Further storage in so-called log files takes place if further purposes require this. Storage in log files is carried out to ensure the functionality of the website, to optimize the content of the website, and to ensure the security of our information technology systems. In the case of storage of data in log files, deletion takes place after 7 days at the latest. Storage beyond this is possible. In this case, the IP addresses of the user(s) are deleted or alienated so that it is no longer possible to assign the calling client.

The legal basis for the storage of the aforementioned data and log files is § 4 HmbDSG in conjunction with Art. 6 (1) (e) and Art. 6 (3) (1) GDPR. The website is operated within the scope of our public law duties in accordance with § 94 HmbHG. The aforementioned data processing is technically necessary for website operation. It serves the purpose of quickly establishing a connection to the website and recognizing and ensuring the security and stability of the systems. 

 
B.2 Registration and login when using the website
 

In principle, the website can be used without logging in.

Only editors must be registered and log in with their user data if they want to make edits. You need the user data assigned to you during registration to identify yourself as a user and log in securely so that no one else can make changes to the website via your account.

During registration, your email address and a user name of your choice (“ID”) are collected and stored. When you log in later, the assigned ID and the password you have chosen yourself are used. When you set up your account, we will provide you with an initial password, which you can change yourself.

We process your data exclusively for the purpose of identifying you as an authorized user and logging you in securely so that no unauthorized persons can make changes to the website.

Data processing is carried out on the legal basis of Art. 6 (1) (e) GDPR and § 4 HmbDSG, as the services are part of our duties in accordance with § 94 HmbHG.


The data will be deleted as soon as it is no longer required for the purpose for which it was collected or your authorization as an editor ends and there are no reasons for further storage (in particular legal storage obligations or post-contractual purposes). 


B.3. Use of cookies

Our website uses cookies. Cookies are text files that are stored in the Internet browser or by the Internet browser on the user’s computer. When a user visits our website, a cookie may be stored on the user’s operating system. This cookie contains a characteristic string of characters that enables the browser to be uniquely identified when the website is visited again.

You will be informed about which cookies are used when you visit the website via a so-called “cookie banner.” Technically necessary cookies do not require consent; they are always used. For cookies with other functionalities, please use the consent or rejection functions of the cookie banner.

The legal basis for the processing of personal data using technically necessary cookies is Art. 6 (1) (e) GDPR in conjunction with § 4 HmbDSG, as these are necessary for the operation of the website and thus for the provision of our services.


C. Disclosure of your data to third parties


We will only transfer personal data to third parties if
•    the data subject has expressly and knowingly consented to the transfer in accordance with Art. 6 (1) (a) GDPR;
•    one of the reasons specified in § 6 (2) HmbDSG applies and the transfer to third parties is carried out in accordance with the requirements of the provision;
•    there is a legal obligation to transfer the data in accordance with Art. 6 (1) (c) GDPR, and/or
•    this is necessary for the performance of a contractual relationship with the data subject in accordance with Art. 6 (1) (b) GDPR.


In other cases, personal data will not be disclosed to third parties. 

Disclosure to third parties currently only takes place to the website host, a company based and with servers located within the EU, with whom we have concluded a contract for order processing in accordance with Article 28 GDPR.


D. Your rights as a data subject

D.1. Legal rights


We would like to point out that you have the following legal rights regarding the processing of your personal data.
You may, 

a) revoke your consent to data processing granted to us at any time in accordance with Art. 7 (3) GDPR. Your revocation means that we may no longer continue data processing based on this consent in the future. Revoking your consent does not affect the legality of the processing that took place prior to revocation. If there are also legal permissions on the basis of which the specific data processing is permissible, further processing may possibly be based on these. 

b) request information about your personal data processed by us in accordance with Art. 15 GDPR. We are entitled to refuse your request for information in accordance with § 16 (1) HmbDSG (Hamburg Data Protection Act) at our discretion, insofar and as long as the information would jeopardize public safety or otherwise be detrimental to the welfare of the federal government or a state, or insofar and as long as the information would lead to the disclosure of facts that must be kept secret under a legal provision or because of the rights and freedoms of other persons, or insofar and as long as the refusal to provide information is necessary for the prosecution of criminal offenses and administrative offenses. If the provision of information has been refused for one of the above reasons, you may contact the Hamburg Commissioner for Data Protection and Freedom of Information in accordance with Section 16 (2) sentence 3 HmbDSG. Furthermore, pursuant to Section 16 (2) sentence 4 HmbDSG, we are obliged, at your request, to provide the requested information to the competent supervisory authority, unless this would jeopardize the security of the Federal Government or a federal state.

c) pursuant to Art. 16 GDPR, immediately request the correction of incorrect or the completion of your personal data stored by us.

d) pursuant to Art. 17 (1) GDPR, request the deletion of your personal data stored by us (“right to be forgotten”). This right is restricted in accordance with Art. 17 (3) GDPR, among other things, insofar as further processing of your data is necessary: to exercise the right to freedom of expression and information or to fulfill a legal obligation required by the law applicable to us, or to perform a task carried out in our public interest or in the exercise of official authority vested in us, or for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 17 (3) (d) GDPR, or for the establishment, exercise or defense of legal claims.

Furthermore, there is no obligation to delete data in accordance with Section 17 HmbDSG if and as long as we have reason to believe that deleting the personal data would impair your interests worthy of protection. In cases where deletion is exceptionally ruled out, the deletion is replaced by the restriction of the processing of the data concerned in accordance with Art. 18 GDPR, and we will notify you of the restriction of processing.

e) request the restriction of the processing of your personal data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you, the processing is unlawful, but you refuse to have it deleted and we no longer need the data, but you need it to assert, exercise or defend legal claims, or you have objected to the processing pursuant to Art. 21 GDPR, or a situation pursuant to § 17 HmbDSG exists.

f) Request that we provide you with the personal data you have provided to us in a structured, commonly used, and machine-readable format or transfer it to another controller in accordance with Art. 20 GDPR. 

g) Lodge a complaint with a supervisory authority in accordance with Art. 77 GDPR. As a rule, you can contact the supervisory authority of your usual place of residence or your place of work for this purpose. 

h) Object to the processing of your personal data pursuant to Art. 21 GDPR if your personal data is processed by us on the basis of legitimate interests pursuant to Art. 6 (1) (f) GDPR, insofar as there are reasons for your objection arising from your particular situation or the objection is directed against direct marketing. In the case of direct marketing, you have a general right to object, which we will implement without you having to specify a particular situation. We would like to point out that, as a state-owned enterprise, we only process data on the legal basis of Art. 6 (1) (f) GDPR in exceptional cases when we are acting outside the scope of our public duties.


D.2. Restriction of your rights for specific processing purposes

As a precaution, we would like to point out that your rights may be restricted in individual cases beyond the examples mentioned in section D.1. for the following reasons: 

a) The above rights do not apply in accordance with Section 12 (1) HmbDSG if personal data is processed for artistic purposes.

b) Pursuant to Section 11 (5) HmbDSG, you do not have the right to information pursuant to Art. 15 GDPR, the right to rectification pursuant to Art. 16 GDPR, the right to restriction of processing pursuant to Art. 18 GDPR, and the right to object pursuant to Art. 21 GDPR, insofar as the exercise of these rights would make it impossible or seriously impair the achievement of the scientific or historical research purpose or the statistical purpose for which the data was collected.

 
D.3. Addressee of your declarations


You can assert your rights to object, revoke, and correct your data by contacting the following address:
Hamburg State and University Library – Carl von Ossietzky
Von-Melle-Park 3
20146 Hamburg
Email: auskunft@sub.uni-hamburg.de

 
E. Data security


We use appropriate technical and organizational security measures (known as TOM) to protect our users’ data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our websites are hosted partly on our own servers and partly on servers of a host based in Germany with whom we have concluded an agreement on order processing. When you visit our website, we generally use SSL (Secure Socket Layer) encryption in conjunction with the highest level of encryption supported by your browser. This is usually 256-bit encryption. You can tell whether an individual page of our website is transmitted in encrypted form by the closed display of the key or lock symbol in the status bar of your browser. We would like to point out that complete data security cannot be guaranteed when communicating by email, and we recommend that you use the postal service for confidential information. 

Date of the privacy policy: 28.11.2025