Skip to main content

Data Protection Declaration GPT.UP

Information on Data Protection

We process your personal data in compliance with the applicable data protection laws, in particular the EU General Data Protection Regulation (GDPR) and the Brandenburg Data Protection Act (BbgDSG).

Data Controller 

University of Potsdam 
represented by the President, Prof. Oliver Günther, Ph.D. At the New Palace 10 
14469 Potsdam 
Phone: +49 331 977-0 
Fax: +49 331-977-1089
www.uni-potsdam.de

Purpose of Data Processing

GPT.UP is a generative chat KI offered by the University of Potsdam. 

The service is provided to students of the University of Potsdam for use during their studies. Employees may use it in connection with the performance of their contractual duties (including research and teaching). Lecturers and guests of the University are permitted to use the service for activities related to their teaching assignment or guest status. 

The processing of personal data is limited to what is necessary in relation to the purpose of processing, all personal data is treated as strictly confidential.

Lawfulness of Processing

The legal basis for the processing of personal data of students and external users is provided by Art. 6 para. 1 sentence 1 lit. e GDPR in conjunction with Section 15 para. 11 BbgHG. According to these provisions, the universities of the State of Brandenburg may process personal data of students in connection with their studies and the use of university facilities, such as the ZIM.

The legal basis for the processing of personal data of employees is Art. 88 GDPR in conjunction with Section 26 para. 1 sentence 1 BbgDSG. These provisions allow the processing of personal data of employees in connection with the implementation of the respective employment relationship. This includes the processing of personal data for the use of a generative chat AI in a work-related context.

Logging

Each time the GPT.UP service is accessed, the following usage data is stored in log files for the purpose of operational and data security as well as for statistical purposes:

  • IP address
  • Time and date of access
  • Operating system version
  • Client version
  • Retrieved resource
  • Referring page (referrer)

User prompts and answers from the generative AI models are not saved within GPT.UP.

They are encrypted and stored in the users' web browser (Local Storage). In addition, declarations of consent and usage preferences are stored in the web browser. This data can be deleted by the users themselves at any time.

Cookies

When using the service, so-called "session cookies" are stored on your computer. Session cookies are used so that the GPT.UP service can function properly.  Cookies do not cause any damage to your computer, nor do they contain any viruses. Session cookies are usually deleted automatically after the end of your visit. You have the option of deactivating the storage of cookies by adjusting your browser’s settings. Please note that if you deactivate cookies you may not be able to use the full scope of all the functions on our website. 

The legal basis for storing session cookies on your device is derived from Section 25 para. 2 No. 2 TDDDG.

SSL Encryption

This service uses SSL encryption for security reasons and to protect the transmission of confidential data that you send to us.

Duration of Data Storage

Technical protocol and user data are stored for 14 days, after which they will be retained in anonymised form. The IP address will not be combined with other data.

When using Microsoft models, Microsoft stores prompts and answers for 30 days to monitor abuse. When using GWDG models, the prompts and answers are not stored by the GWDG.

Transmission of Data to Third Parties

The promtps of the users (content data) addressed to the AI are transferred to:

Microsoft Corporation 
One Microsoft Way 
Redmond, WA 98052-6399 
USA

(when using the LLMs hosted by Microsoft)

or

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen (GWDG)
Burckhardtweg 4 
37077 Göttingen

(when using the LLMs hosted by the GWDG)

In relation to both recipients, a data processing agreement has been concluded. The GWDG processes the data locally on its own servers. Microsoft uses servers hosted in Sweden for processing. Any data transfers to countries outside the EU/EEA are protected by adequacy decisions and standard data protection clauses of the EU Commission.

Information about the users themselves (login, protocol and usage data) is not passed on from the University of Potsdam to any of the two processors. 

Your Rights

You have the right to obtain from the controller confirmation as to whether or not your personal data is being processed, and, if that is the case, access to the personal data and additional information (right of access). You also have the right to obtain from the controller without undue delay the rectification of inaccurate personal data.

If the legal requirements of Art. 17 or 18 GDPR are met, you are entitled to the erasure of your personal data or to a restriction of processing. Please note that restricted processing of the data may not be possible in every instance. You have the right to receive your personal data in a structured, standard and machine-readable format or to request the transfer to another controller (right to data portability, Art. 20 GDPR). Furthermore, you may object to the processing of your personal data under the conditions set forth in Art. 21 GDPR.

In order to exercise your rights, we kindly request that you contact:

ZIM Management 
E-mail: zim-leitunguni-potsdamde 
Phone: +49 331 9771216

Access to your personal data can be requested from the Chief Information Officer (University of Potsdam, Karl-Liebknecht-Str. 24-25, 14476 Potsdam). The corresponding form can be found on his website: https://www.uni-potsdam.de/de/praesidialbereich/praesident-vizepraesidenten/cio.html

You can contact the university’s data protection officer if you have questions regarding data protection:

Dr. Marek Kneis
Am Neuen Palais 10 
14469 Potsdam 
Phone: +49 331 977-124409
Fax: +49 331 977- 701821 
Email: datenschutzuni-potsdamde 

If you think that the processing of your personal data infringes the GDPR, then you have the right to lodge a complaint with the supervisory authority for data protection.