Service Agreement to Cover the Use of IT-Devices and Central Services
Service Agreement to Cover the Use of IT-Devices and Central Services Provided by the University Computer Centre at the University of Greifswald (SA IT & C Systems)
The following service agreement is being closed between the University of Greifswald, represented by the Rector, herself represented by the Registrar, Head of Administration and Finance, Dr. Wolfgang Flieger,
General Staff Council of the University of Greifswald, represented by the Chairperson Dominik Nauke,
in accordance with §§ 66, 74 Landespersonalvertretungsgesetz (State Staff Representation Act) Mecklenburg-Vorpommern (PersVG M-V) and with reference to § 5.2 of the Regulations of the University of Greifswald’s Computer Centre:
The translation is to be seen as a reference and to be used for the understanding of the corresponding German documents.
Only the German version of this document is legally binding.
§ 1 Scope of Application
- This agreement applies to all employees of the University of Greifswald (employer) who are subject to the scope of the PersVG M-V
- After its entry into force, the employer commits itself to suitably adopt the regulations of this service agreement for those employees who are not covered by the scope of the PersVG M-V.
§ 2 Use of IT Devices and Central Services of the University Computer Centre
- Work IT devices (e.g. PCs, laptops, internet-enabled mobile telephones, tablet PCs) and central CC Services (e.g. internet access, email service, network drives, groupware, webservers) are provided to the employees as work tools for fulfilling work tasks. The direct line manager can order the use of work IT devices and central CC Services, if and as long as this is necessary for securing or making it easier to organise work tasks.
- Unless otherwise stated in the following provisions, private use of the devices and services defined in sub-section 1 is not permitted.
§ 3 Use of Internet Access
- Access to the internet at the workplace is provided to the employees as a work tool for fulfilling work tasks.
- There will be no technical separation of traffic/usage data according to work and private use. Measures taken to log and analyse data, pursuant to §§ 7 and 8, therefore also apply to the data accrued during private use of the access to the internet.
- Only employees who have previously submitted a declaration of consent to the employer by way of electronic agreement are given permission to use the access to the internet for private use. By submitting a declaration of consent, which can be withdrawn at any time, the employee recognises that telecommunications secrecy will be reduced and monitoring will be allowed in accordance with § 8 of this service agreement.
- If employees do not submit a declaration of consent or withdraw their consent, access to the internet will only be permitted for work purposes.
§ 4 Use of the email Service
- The work email account is only provided to the employees as a work tool for fulfilling work tasks. Private use of the work email account is not permitted. Unsolicited incoming private emails do not constitute a violation of the prohibition of private use.
- A limited amount of private emails may be sent via email services offered by external email providers. The password for these services may not be saved on or made available through work IT services. The regulations stipulated in § 3.2-5 apply accordingly.
- After reading incoming private emails sent to the work email address they must either be deleted by the employee or moved to a folder of the email programme that is named “Privat” or if necessary forwarded to a private email address. The employees should inform senders of private emails that have been received by their work email accounts that the email address is only to be used for work purposes.
§ 5 Behavioural Guidelines
- Any use of work IT and communication systems that could damage the interests or the public image of the University of Greifswald, compromise the security of these systems or is a violation of legal provisions is illicit. This applies especially to
- the accessing or spreading of contents that violate provisions relating to personal rights, copyright or criminal laws,
- the accessing or spreading of insulting, defamatory, anti-constitutional, racist, sexist, violent or pornographic remarks or images.
- Accessing information for private purposes (e.g. downloads, streaming) at the expense of the employer is not permitted. Authorised private use in accordance with § 3 and § 4 does not include use for commercial or other business purposes. This does not apply to approved secondary employment that is directly related to the main job.
- In order to ensure the regulations of this agreement are being adhered to, the traffic and user data accrued during use can be inspected and analysed (§ 8.3) randomly, however, without the disclosure of personal data. A supplementary overview of the respective total volume of the incoming and outgoing data traffic can be compiled.
- In accordance with § 35.7 Landesdatenschutzgesetz (State Data Protection Act) Mecklenburg-Vorpommern (DSG M-V) the traffic and user data accumulated during use may not be used by the employer for the evaluation of performance or behaviour. They are subject to the purposes stipulated in § 7.2 and the corresponding legal provisions for data protection.
§ 6 Provision of Information and Training of Employees
The employer’s responsible departments will inform the employees about the specific data protection problems when using IT and communication systems.. They will be trained in the secure and cost-efficient use of these systems and informed about the relevant legal provisions.
§ 7 Logging
- The following traffic and user data accrued during the use of work IT and communication systems will be logged centrally and electronically:
- Date / time,
- Source and/or target IP addresses
- Hardware addresses (dependent on system)
- Username (dependent on system)
- Addresses of sender and recipient (dependent on system)
- Accessed websites (dependent on system)
- Amounts of transferred data (dependent on system)
- System-specific data (e.g. name requests sent to the domain name system)
- Exact details are provided by the legal provisions for data protection as given in the procedure description of the respective IT or communication system.
- The log data listed in sub-section 1 may only be used for:
- Analysing and correcting technical faults
- Ensuring system security,
- Optimising IT and communication systems,
- Statistical evaluations (e.g. regarding data amounts, accessed websites)
- Random checks and
- Evaluations in suspected cases of abuse in accordance with § 8 of this service agreement.
- The log data will be deleted automatically after seven days, unless longer storage
- is required specifically by other legal provisions;
- is necessary and legally permissible due to reasons related to the system that must be documented in the respective individual case;
- is required to clarify recorded violations or abuse. In each individual case, the Registrar, Head of Administration and Finance, will decide together with the official Data Protection Officer as to whether longer storage is required to clarify violations or abuse. Requirement, evaluation, results and deletion must be documented. The General Staff Council must be informed immediately.
§ 8 Evaluation and Monitoring
- Only the University Computer Centre’s staff members responsible for the technical administration of the IT and communication systems and the official Data Protection Officer (should s/he so desire) have access to the log data for the purposes listed in § 7.2.a-d. The checks and evaluations are to be carried out in an anonymous fashion without disclosure of personal data. Exact details are provided by the legal provisions for data protection as given in the procedure description of the respective IT or communication system.
- The log data can be viewed and evaluated by the official Data Protection Officer randomly, without disclosure of personal data (§7.2.e).
- If there are documented confirmed grounds for a justified and concrete suspicion of abuse or illicit use of work IT and communication systems (see §§ 2-5), the Registrar, Head of Administration and Finance, together with the General Staff Council and the official Data Protection Officer, can order an evaluation of disclosed personal data if the interests warranting protection of the employee do not outweigh the reasons for the evaluation, in particular if the kind and extent are not disproportionate with regard to the incidence. The evaluation will be carried through with the participation of the official Data Protection Officer and at least one of the responsible system administrators. The system administrator will create a report on the basis of the evaluation that must be handed out to the Registrar, Head of Administration and Finance, the official Data Protection Officer, the General Staff Council and the person affected. The person affected must then be heard with the participation of the General Staff Council. If there is a threat of considerable damage or loss of evidence (imminent danger) or there is suspicion of a serious criminal offence (§ 100a.2 Strafprozessordnung (Code of Criminal Procedure)), the General Staff Council’s agreement to the evaluation of disclosed personal data can be obtained subsequently. This must occur immediately.
- (4) If an accumulation of obvious private use of work IT and communication systems becomes apparent during a statistical analysis (§ 7.2.d) or a random check without disclosure of personal data (§ 7.2.e), the official Data Protection Officer shall carry out random checks without disclosure of personal data for a further two weeks. The General Staff Council must be informed of this procedure immediately. Furthermore, all of the staff members of the affected department/institution will receive a written notification. If there is no change to user behaviour during the random checks or evaluations, the logs of the following two weeks will be analysed using disclosed personal data in accordance with the procedure described in sub-section 3.
- The regulations of sub-sections 3 and 4 shall not be applied to members of the staff councils, the official Data Protection Officer and all other persons of trust or ombudspersons, who are obliged to protect information that has been entrusted to them as part of their duties during their period of office and within one year after the end of their period of office.
- The persons involved in the evaluation and analysis of log data are obliged to maintain confidentiality, and in particular subject to telecommunications secrecy and the data protection regulations. The University Computer Centre’s system administrators shall also be given written notification of possible consequences for violations of public service, employment and criminal laws. This notification will be renewed on a regular basis.
§ 9 Activation of Out-of-Office Replies
- If an employee is absent (e.g. on holiday or incapacitated for work) the employer is entitled to have the automatic out-of-office reply activated for his/her email account if this is necessary to ensure regular work operations and a previous attempt to contact the person affected was unsuccessful. This does not apply to those persons stipulated in § 8.5.
- The direct line manager will decide as to whether it is necessary to activate an out-of-office reply. S/he will commission the responsible system administrator in writing with the activation of an out-of-office reply for which s/he will deliver the exact wording; the system administrator will immediately inform the official Data Protection Officer and the General Staff Council of this action. It is not permitted to inspect any contents of the affected email account during activation of the out-of-office reply.
- The entire procedure shall be documented in an appropriate manner. The system administrator shall immediately inform the person affected about the activation and the reasons for this action.
§ 10 Inspection of emails and Data on Work IT and Communication Systems
- If an employee is absent (e.g. on holiday or incapacitated for work), the employer is entitled to examine the employee’s email account, certain emails and data saved on work IT devices or central CC Services if this is necessary to ensure regular work procedures for the specific case, and so long as a previous attempt to make contact to the person affected and his/her job cover was unsuccessful (and this can be proved) and there are no permissive and promising alternatives for obtaining the required work information. This does not apply to the persons named in § 8.5. This also does not apply to emails or data that is clearly marked “privat” (private).
- The direct line manager will decide on the inspection of the account in agreement with the General Staff Council and the official Data Protection Officer. If there is a threat of considerable damage or loss of evidence (imminent danger) or there is suspicion of a serious criminal offence (§ 100a.2 Strafprozessordnung (Code of Criminal Procedure)), the General Staff Council’s and the official Data Protection Officer’s agreement to the evaluation of disclosed personal data can be obtained subsequently. This must occur immediately.
- The direct line manager commissions the responsible system administrator in writing with the opening of the email account or the retrieval of the data. The inspection must take place in the presence of a representative of the General Staff Council and the official Data Protection Officer. Specific emails, email attachments or data can be printed, saved as a file or forwarded to the direct line manager for further processing, if this is necessary for ensuring regular work procedures.
- The entire inspection process shall be documented in an appropriate form and the system administrator will immediately inform the person affected about the inspection and the reasons for this action.
§ 11 Exclusion of Improperly Obtained Evidence
If information (e.g. from the log files) is obtained, processed or used in violation of the provisions set down in this service agreement, it shall be excluded as evidence for staff or disciplinary measures or punishments pursuant to public service and employment laws. It may not be used by the employer for imposing sanctions or as evidence in a court procedure.
§ 12 Amendments and Extensions
If amendments and extensions are planned for the IT and communications systems, the employer shall involve either the General Staff Council or - if it is obvious that only a certain group of employees will be affected - the staff council responsible for that group of staff, as well as the official Data Protection Officer in good time. The resulting amendments or extensions to this service agreement shall be made in an official amendment or revised version of this service agreement.
§ 13 Severability Clause
If one or more provisions of this service agreement are held to be invalid, it shall not restrict the validity of the service agreement and the remaining provisions. The parties will cooperate in a trustful manner to replace the legally invalid provisions with legally compliant provisions that are closest to the aspired regulatory objectives.
§ 14 Final Provisions
- This service agreement shall enter force on the 01/04/2018. It can be terminated by either party with three months notice to the end of a calendar month. Thereafter the provisions shall have no further force or effect. After termination, negotiations shall be started immediately for creating a new service agreement.
- The entry into force of this service agreement annuls the Service Agreement on the Use of a Groupware System at the University of Greifswald that entered into force on the 24/10/2011.
- The parties shall jointly review the regulations of this service agreement within two years after its entry into force. The official Data Protection Officer shall be given sufficient prior notice to get involved. The provision stipulated in § 12 sentence 2 applies correspondingly.
For the Employees: Dominik Nauke (Chairman of the General Staff Council)
For the Employer: Dr. Wolfgang Flieger (Registrar, Head of Administration and Finance)
The declaration of consent pursuant to § 3.4 of this service agreement, which can be submitted/withdrawn electronically by the employees, i.e. through the University Computer Centre’s account administration (https://ums.uni-greifswald.de), contains the following information:
Declaration of Consent: Agreement to Private Internet Usage Checks
I declare my consent for the logging and analysis of my private use of work IT devices and central Computer Centre Services through the employer, as stipulated in §§ 7 and 8 of the aforementioned “Service Agreement for the Use of IT Devices and Central University Computer Centre Services at the University of Greifswald”.
I have received sufficient information of the kind, the intended purpose of the recorded, processed and used personal data and the evaluation that could be necessary and that the data will only be used to ensure the security of the system in accordance with § 35.7 DSG M-V.
I have been informed that the logged traffic data accrued during the use of the internet is usually stored for a maximum of 7 days, unless one of the cases stipulated in § 7.3.a-c allows longer storage as an exception. The logged traffic data can also be used for preventive random checks and evaluations using disclosed personal data in confirmed grounds of misuse pursuant to § 8 of the aforementioned service agreement. In such cases, I agree to the forwarding of this data to the employer’s authorised and named persons and departments.
I can withdraw this consent at any time. The following provision will then apply:
I do not agree to the analysis of my private use of/communications via the internet. If this is the case, I have been informed and accept that private use is not permitted.