Table of contents
For the sake of easier reading, the masculine form will be used consistently throughout this document, whilst it is to be explicitly interpreted as including the female form.
Article 1 - Scope
Article 2 - Parties
- The Academic Cloud Provider provides (parts of) the Academic Cloud services or the required support infrastructure. One or many providers can offer parts to the Academic Cloud;
- A Home Institution is a university located in Lower Saxony, Germany.
Article 3 - User Authorisation and Permission to Use
- The following parties may be authorised to use the Academic Cloud services:
- Staff, members, associates, students and affiliated institutions of universities in Lower Saxony, Germany;
- Authorised representatives contracted by the institutions listed under Article 3 (1).1 in order to fulfill their contractual duties and responsibilities;
- Members and associates of national universities outside of Lower Saxony by virtue of special arrangements and agreements;
- Other German national research and educational institutions and public authorities by virtue of special arrangements and agreements;
- Institutions affiliated through research alliances by virtue of special arrangements and agreements.
- The Academic Cloud Provider reserves the right to limit the user groups in accordance with their partnership agreements.
- Permission to use is granted exclusively for academic, scholarly and scientific purposes in research, teaching and studies, for purposes relating to the library, the administration, continuing education and further education as well as for the purpose of fulfilling other duties and responsibilities incumbent upon the universities in Lower Saxony. Any use in derogation thereof may be permitted in accordance with the Partnership Agreement if its scope is narrow and said use does not affect the Academic Cloud Providers or the concerns of the other users.
- Permission to use the Academic Cloud services shall be granted by issuance of a user permit.
- The application, which as a rule should be submitted electronically, shall contain the following information:
- Name and employment address of the applicant and the affiliated institution to which the applicant is assigned;
- Declaration with respect to the processing of personal data by the user;
- The user’s electronic consent to the processing of his personal data.
- The user permit can be time-limited.
- In order to ensure proper and fault-free operation, the user permit may be additionally subject to other requirements.
- Above and beyond this, the Academic Cloud Provider may make their permission to use contingent upon proof of certain knowledge about the use of the requested data processing systems and IT services.
- If the capacities of the IT resources are not sufficient to satisfy the needs of all users, the operating equipment for the individual user may be consigned in the order listed under Article 3 (1); this is because permission to use services can only be granted when allowed by the available capacities. The particulars are laid down in the “Directives on Consignment“.
- In general, the user permit is granted to individuals by providing them with one or several personal user IDs. User IDs granting authorisation to user groups or function-related instead of person-related use (function IDs) are only provided in justified exceptions.
- The user permit can be denied wholly or in part, revoked or retrospectively limited, particularly if:
- No proper application has been submitted or the information in the application is not or no longer applicable;
- The prerequisites for proper use of the services do not or no longer exist;
- The person holding access authorisation has been excluded from use under Article 5;
- The user’s envisioned project is incompatible with the tasks and objectives of the Academic Cloud Provider and the purposes laid down in Article 3 (3);
- The available IT resources are unsuitable for the requested usage or reserved for specific purposes;
- The capacity of the resources requested for use are inadequate for the planned usage because existing capacity is exhausted;
- The IT components to be used are connected to a network subject to special data protection requirements and there is no material reason clearly evident for the planned usage;
- The requested usage is expected to unreasonably impair other approved projects.
- The user permit expires:
- When the Home Institution or the user has submitted their termination of use to the Academic Cloud Provider.
Article 4 - User’s Rights and Obligations
- The users are obligated to:
- Refrain from anything that disrupts proper operation of the Academic Cloud Service;
- Treat all of the Academic Cloud service with care and circumspection;
- Refrain from any unlawful usage and, above and beyond that, refrain from any usage that might potentially cause any disadvantages to the Academic Cloud Provider or prejudice the image or interests of the Academic Cloud Provider;
- Report to the Academic Cloud Provider immediately any changes to the basis on which the authorization for the user permit was granted;
- Ensure that e-mails sent to the e-mail boxes associated with their User IDs are read regularly;
- (Handling of User IDs)
- To work exclusively with the User IDs for the usage permitted within the scope of the user permit;
- Take precautions to keep unauthorized persons from accessing the services of the Academic Cloud this also includes protecting access with an appropriate password, i.e. one that is not easy to guess, which must be kept secret and that is at best changed regularly;
- Make sure that no unauthorised persons can discover the passwords;
- Change passwords the minute that any suspicion arises that unauthorised persons have discovered the passwords and report the suspicion to those responsible at the Academic Cloud Provider so that they can check it to see if this has any impact and implications for other systems;
- Neither try to find out nor to use other persons’ User IDs and passwords;
- Not access other users’ information without permission, and not share, use for ones’ own purposes or modify any disclosed information relating to other users without permission;
- (Software Use, Copyrights)
- Comply with statutory and contractual regulations particularly relating to copyright protection when using software, documents and other data, and observe the licensing terms and conditions under which software, documents and data are provided by the Academic Cloud Provider;
- Not copy software, documents or data provided by the Academic Cloud Provider or share it with third parties unless this has been explicitly permitted, nor to use them for other than the approved purposes;
- Delete authorised copies of the software, documents or data provided by the Academic Cloud Provider, after expiry of the user permit, unless express permission for further use has been granted;
- Upon request, in justified individual cases – particularly in the event of a justified suspicion of misuse and for the purpose of fault rectification – provide the Academic Cloud Providers management with information about the programs and implemented methods, and grant them access to the programs for monitoring purposes as well as allow the GWDG’s management to inspect the programs;
- Special reference is made to the following offences punishable under the German Criminal Code (StGB):
- Data espionage (Section 202a StGB)
- Phishing (Section 202b StGB)
- Acts preparatory to data espionage and phishing (Section 202c)
- Data tampering (Section 303a StGB) and Computer sabotage (Section 303b StGB)
- Computer fraud (Section 263a StGB)
- Distribution of pornography (Sections 184 ff. StGB), particularly distribution, acquisition and possession of child or juvenile pornographic materials (Section 184b, Section 184c StGB) and Distribution of pornographic performances by broadcasting, media services or telecommunications services (Section 184d StGB)
- Dissemination of propaganda material of unconstitutional organisations (Section 86 StGB) and Incitement to hatred (Section 130 StGB)
- Defamation such as libel or slander (Sections 185 ff. StGB)
- Criminal exploitation of copyrighted works, e.g. violation of software property rights (Sections 106 ff. of the German Copyright Act (UrhG)).
Article 5 - Exclusion from Use
- Usage of service by users may be temporarily or permanently limited or prohibited altogether, if they:
- Abuse or misuse the services to commit unlawful acts or;
- Cause harm to the Home Institution through other illegal user activities.
- Measures under subsection (1) of this Article should be taken if a prior remand fails to prevent the undesired behaviour. The affected person shall be given the opportunity to submit a rebuttal statement and may request the management of his institution to mediate. Under all circumstances, the opportunity for securing their data must be granted unless precluded by other legal regulations to the contrary. The Academic Cloud Provider must, without delay, inform the management of the respective Home Institution holding access authorisation.
- Temporary usage restrictions decided on by the Academic Cloud Provider’s management shall be lifted as soon as proper usage appears to be assured once again.
- In the event of serious or repeated violations as defined under subsection 1 of this Article, permanent restrictions on use or complete exclusion of a user from further use shall be considered, also when proper behaviour is no longer to be expected in the future. Potential claims on the part of the Academic Cloud Provider resulting from the mutual agreement for use shall remain unaffected thereby.
- The ownership of data must be clearly defined between the user and institution holding access authorisation.
Article 6 - The Academic Cloud Providers Rights and Obligations
The Academic Cloud Provider keeps a directory of all user authorisations which lists the information required on the application, additional voluntary user data as well as the names and descriptions derived therefrom, such as e-mail addresses.
Where necessary in order to rectify faults, for system administration and system expansion, or for the sake of system security and to protect user data, the Academic Cloud Provider can temporarily restrict usage of its resources or temporarily block individual User IDs. As far as possible, the affected users shall be informed of this in advance.
If there is clear evidence that a user is keeping illegal content for use on the Academic Cloud services, the Academic Cloud Provider can suspend further use until the legal situation has been satisfactorily resolved.
The Academic Cloud Provider has the right to verify the security of system/user passwords and user data by regularly implementing manual or automated measures as well as the required protective measures, for example, by changing easy-to-guess passwords, in order to protect the IT resources and user data against unauthorised third-party claims. The user shall be notified without delay in the event of changes to user passwords, access rights to user data and the implementation of other usage-relevant protective measures.
For the processing of personal data by the user, the Academic Cloud Provider has the appropriate protective measures in place that reflect the technical and organisational/administrative state-of-the-art options available to it and ensures that these measures are supported within the computer centre’s operation.
Under the provisions stated below, the Academic Cloud Provider has the right to document and analyse each individual user’s utilisation of the data processing systems, but only to the extent necessary to
- ensure that the systems run properly,
- allocate resources and administer the system,
- protect other users’ personal data,
- settle accounts,
- identify and troubleshoot faults as well as
- uncover and stop unlawful use, abuse or misuse.
Under these conditions and in compliance with data protection and criminal regulations, the Academic Cloud Provider also has the right to inspect the user’s data to the extent necessary to eliminate current disruptions or to discover and stop any unlawful or criminal behaviour in the face of substantial evidence.
However, the inspection of messaging and e-mail accounts is only permissible to the extent that this is essential to rectify current faults in the e-mail messaging service. Under these circumstances, the Academic Cloud Providers data protection officer must be brought in.
In all cases, the inspection must be documented and the affected user notified without delay once the purpose has been achieved. The aforementioned provisions also allow documentation of the traffic and user data generated during messaging traffic (especially e-mail usage) subject to compliance with the applicable statutory requirements. Notwithstanding the above, the immediate circumstances of the telecommunications, but not the non-public communication contents, may be collected, processed and used.
The traffic data and user data generated by online activities on the Internet and using other media services or telecommunications provided by the Academic Cloud Provider for usage or for which the GWDG mediates access to use, must be deleted as early as possible, at the latest directly at the end of the respective instance of use, unless invoicing data happen to be involved.
Under the provisions of the statutory regulations, the Academic Cloud Provider is obligated to maintain telecommunications secrecy and data confidentiality.
Whenever users report to the Academic Cloud Provider that they have terminated their use, the Academic Cloud Provider shall inform the Home Institution holding access authorisation about the termination of use.
After invalidating the user permit (Article 4 (12)), the data stored under the User ID will be deleted.
Article 7 - Liability of the User
- The user shall also be liable for damages resulting from third-party use within the scope of the user’s access and usage options provided to him, provided he is responsible for this third-party use, and particularly, if he has shared his User ID with third parties. In this case, the Academic Cloud Provider can demand a user fee for the third-party use from the user according to the provisions of the pay regulations.
- If any third parties assert claims against the Academic Cloud Provider for damage compensation, default or other claims resulting from the users’ activities that are illegal or punishable under criminal law, the user must release the Academic Cloud Provider from all claims resulting therefrom. The Academic Cloud Provider will file suit against user in the event that the third party litigates against the Academic Cloud Provider in court based on these claims.
Article 8 - Liability of the Academic Cloud Provider
- The Academic Cloud Provider does not warrant, and hereby disclaims any warranties – either express or implied – that the IT systems will operate in an uninterrupted or error-free manner at all times. The potential loss of data resulting from technical malfunctions or the disclosure of confidential data resulting from unauthorised access by third parties cannot be excluded.
- The Academic Cloud Provider shall not be responsible for the accuracy of the software provided. Neither shall the Academic Cloud Provider be liable for content, particularly relating to the accuracy, completeness or up-to-date nature of the information and data; the Academic Cloud Provider merely mediates the access to use of said information and data.
- Otherwise the Academic Cloud Provider shall only be liable in the event of intent or gross negligence by its employees, unless there are significant obligations that have been culpably violated, where compliance therewith is of special importance for carrying out the purpose of the contract (cardinal obligations). In this case, the Academic Cloud Provider’s liability is limited to the typical damages that were foreseeable at the time when the mutual agreement for use was established, as long as no intentional or grossly negligent acts have been committed.
- Any public authority liability against the Academic Cloud Provider shall remain unaffected by the aforementioned policy.