Usage guideline

Information technology is a fundamental tool in research, teaching, studies and further education, for library use and for numerous tasks and activities in the administration and technical operations of Coburg University of Applied Sciences.
This guideline is intended to ensure the smooth, unhindered and secure use of Coburg University’s information technology systems and facilities, systems and procedures, both in local operation and in a network.
In particular, it regulates the rights and obligations of users as well as the tasks, rights and obligations of the respective system operators. This guideline

• is based on the legally defined tasks of the universities and their mandate to safeguard academic freedom,
• establishes basic rules for the proper operation of information technology,
• points out the rights of third parties to be observed (e.g. software licenses, requirements of network operators, data protection aspects),
• obliges you to behave correctly and to use the resources offered economically,
• makes measures for logging and controlling the use of IT systems and services transparent,
• safeguards the personal rights of members of Coburg University of Applied Sciences,
• ensures the protection of personal and other sensitive data,
• clarifies possible measures in the event of violations of the regulations governing the use of information technology at Coburg University of Applied Sciences.

(1) This guideline applies to the use of computers, mobile end devices, storage devices, software, cable-based and wireless data networks and other technical equipment (IT infrastructure) used at Coburg University of Applied Sciences or elsewhere by third parties for the purposes of electronic information processing at Coburg University of Applied Sciences, as well as to the systems and procedures in the field of scientific and non-scientific electronic information processing operated on the basis of this infrastructure.
(2) This guideline applies to all persons and institutions authorized to use it (§ 2 para.
1 and
2) and system operators (§ 5 para. 1).

(1) Those entitled to use the IT infrastructure, systems and procedures of Coburg University of Applied Sciences in accordance with § 1 Para.
1 are in particular the members of Coburg University of Applied Sciences.
Other persons, in particular members of other universities, may be permitted to use them.
(2) The IT infrastructure, systems and procedures of Coburg University of Applied Sciences are available to the persons and institutions entitled to use them for the fulfillment of tasks in research, teaching, studies, training and further education, for the other university tasks mentioned in Art. 2 of the Bavarian University Innovation Act and for administrative tasks.

(1) Anyone wishing to use the IT infrastructure, systems and procedures of Coburg University of Applied Sciences requires a user authorization (para. 2).
If the data required for this is not already available from automated directories, an application must be submitted.
Systems and procedures that are set up for anonymous access (e.g. information services, library services, short-term guest accounts for events) are excluded.
(2) Only information that is directly required for the decision on the application may be collected or used for the granting of a user authorization.
The following can be collected as a rule Surname, first name, date of birth, title, affiliation to an organizational unit, description of the purpose of use, signature of the applicant, matriculation number if applicable.
The personal details must be verified by presenting an official photo ID or, alternatively, other official documents.
The system operators (§ 5 para. 1) may also declare other procedures suitable for the reliable establishment of personal identity to be permissible.
(3) The respective system operators (Section 5 (1)) shall decide on the application.
They may make the granting of the authorization dependent on certain criteria (proof of certain knowledge about the use, affiliation to a certain type of use, use or transfer regulations on the basis of corresponding foreign trade law provisions) and impose use-related conditions.
(4) The right of use shall be denied if
a) the requirements of § 2 para.
1 are not fulfilled,
b) the project is not compatible with the purposes of use in accordance with § 2 Para.
2 is compatible,
c) no objective reason for the granting of the right of use is presented,
d) facts justify the assumption that the person to be authorized will not fulfill his or her obligations as a user in accordance with § 4,
e) the capacities of the resources whose use is requested are not sufficient for the intended work due to existing utilization, are reserved for special purposes or are obviously unsuitable,
f) the resources to be used are expected to jeopardize other systems, data networks or other persons’ protected assets (personal data, work materials and results, etc.).
(5) The authorization of use may be temporarily or permanently withdrawn or restricted if one of the reasons for refusal under para.
4 subsequently occurs.
(6) The measures restricting use in accordance with para.
5 are based on the principle of proportionality.
The procedural provisions under § 6 must be observed.
The exclusion of use does not exclude consequences under criminal, disciplinary or labor law or exmatriculation due to misconduct.

(1) Users have the right to use the IT infrastructure, systems and procedures of the information technology of Coburg University of Applied Sciences, but only for the purposes specified in § 2 para.
2 and only in accordance with these terms of use and any further terms of use and service agreements issued in individual cases.
Any kind of misuse is prohibited.
This includes, in particular, use for criminal or other unlawful acts and
a) – not applicable –
b) the installation, operation and use of devices, systems, procedures and programs that are not related to the tasks to be performed,
c) the installation and use of software requiring a license without a valid license,
d) actions that constitute unauthorized interference with data or IT infrastructure,
e) use for purposes that harm the interests and reputation of Coburg University (e.g. sending spam emails or hacking other people’s systems) or jeopardize the operation and security of the IT infrastructure, systems and procedures or the peace of the company or good social coexistence.
(2) It is expressly pointed out that the following conduct in particular is punishable under applicable law:
a) Dissemination of content that violates personal rights, copyright or criminal law provisions,
b) Dissemination of insulting, defamatory, anti-constitutional, racist, sexist, violence-glorifying or pornographic statements or images,
c) violation of the protection of personal data, including private data, as well as copyrights and other personal rights of members of Coburg University of Applied Sciences and all other persons,
d) dissemination of data worthy of protection, in particular breaches of statutory and contractual confidentiality obligations.
(3) Users are obliged,
a) to comply with the statutory regulations (copyright protection, copyright) when using software, documentation and other data,
b) in particular not to copy or pass on software, documentation and data, unless expressly permitted, nor to use them for purposes other than those permitted, in particular not for commercial purposes.
Attention is expressly drawn to the penalization of copyright infringements, e.g. through the unlawful distribution of software or the offering of films or pieces of music in accordance with §§ 106ff.
UrhG is expressly pointed out,
c) to allow regular checks of which software is installed on official devices and to install software suitable for this check on the device upon request.
(4) Furthermore, users are obliged to
a) only work with user accounts that they have been authorized to use; in particular, working under someone else’s name is prohibited. The disclosure of access data (e.g. login name in conjunction with password) or their storage in systems and devices that also allow use by others is generally not permitted (exception: functional accounts that are expressly intended for use by several persons for a specific purpose and whose disclosure is documented by the account holder),
b) to protect access to the IT infrastructure, systems and procedures of Coburg University of Applied Sciences by means of a secret password or an equivalent or higher-grade procedure,
c) to take precautions to prevent unauthorized third parties from gaining access; this includes in particular using a state-of-the-art password, changing it frequently and properly logging out of the system or procedure used at the end of use or blocking it for unauthorized use when absent from the workplace,
d) to immediately report any security-relevant incidents (e.g. virus detection, computer loss, phishing attacks, malfunctions) of which they become aware to the IT security officer or the IT service at the e-mail address it-service@hs-coburg.de.
(5) Users are responsible for all actions carried out under their access data, even if these actions are carried out by third parties to whom they have provided access in a manner that is reproachable under liability law.
In such a case, Coburg University of Applied Sciences is also entitled to subsequently demand from them the usage fees that the third party would have had to pay in the event of lawful use.
(6) Users are obliged to ensure that they use the available resources (workstations, CPU capacity, storage space, line capacities, peripheral devices and consumables) responsibly and economically.
They are obliged to refrain from impairing operations as far as they are foreseeable and to avoid to the best of their knowledge anything that could cause damage to the IT infrastructure, the systems and procedures of Coburg University of Applied Sciences or to other users.
(7) Users are prohibited from the following without the consent of the responsible system operator (§ 5 para. 1)
a) interfering with the hardware installations or using existing interfaces to expand the existing system infrastructure (e.g. connecting proxy servers, switches, access points…),
b) to change the configurations of the systems (operating systems, data networks, etc.) and procedures.
(8) Users are obliged to carry out projects involving the processing of personal data only in accordance with the data protection regulations and the data protection regulations of Coburg University of Applied Sciences and to coordinate such projects with the data protection officer before the start.
This also applies if IT services from third parties (e.g. cloud services) are used to process personal data. (9) Employees of Coburg University of Applied Sciences are obliged to
a) – not applicable –
b) to hand over all official data to their superiors and delete all private data before leaving Coburg University of Applied Sciences;
c) to completely uninstall software that was installed on employees’ personal computers due to mobile work or home use licenses at the end of their employment.
(10)
Coburg University of Applied Sciences is aware that a complete ban on the private use of IT systems and services does not make sense for students and employees and that a complete separation of business and private use of communication media is hardly possible.
Private use of the IT infrastructure and services of Coburg University of Applied Sciences is therefore permitted for students and employees under the following conditions:
a) The fulfillment of official tasks, in particular the intended purpose of the IT infrastructure to enable precisely this fulfillment of tasks, must not be impaired;
b) no additional requirements may arise for Coburg University of Applied Sciences from private use, in particular no additional warranty obligations and liability risks;
c) any use for extremist, racist, pornographic or criminal purposes is not permitted;
d) Coburg University of Applied Sciences e-mail addresses may not be published as contact data for private communication, for example in political forums or on private homepages;
e) regular forwarding of business e-mails to private external e-mail accounts is prohibited;
f) The security and functionality of the IT infrastructure must not be impaired by private shared use;
g) as a rule, business software may not be used for private purposes unless the respective license conditions expressly permit this.
(11)
In order to detect improper use and in cases of use-related malfunctions, users must directly observe the rights of the system operators (§ 5 para. 1) and the corresponding procedural provisions in accordance with § 6.

(1) In addition to the IT Centre, system operators are also all other organizational units of Coburg University of Applied Sciences (faculties, institutes, central facilities, operating units and other subunits), insofar as they themselves or with the help of others within or outside Coburg University of Applied Sciences operate or offer the use of systems and facilities, systems and procedures for electronic information processing in accordance with § 1 para.
1 or offer them for use.
If several organizational units of Coburg University of Applied Sciences are involved in the system operation in terms of content, technology and/or organization, they shall agree on a responsible system operator within the meaning of this guideline.
The persons responsible for proper system operation within the organizational units of Coburg University of Applied Sciences within the meaning of this guideline are their heads.
Only a delegation of tasks, for example to technical personnel (administrators), is permitted, but not a delegation in the sense of ultimate responsibility.
(2) The system operators must exclusively use the IT infrastructure, systems and procedures of Coburg University of Applied Sciences within the scope of their tasks.
In particular, no systems and procedures may be put into operation for which Coburg University of Applied Sciences already has suitable systems and procedures that can be (co-)used as an alternative.
This also applies if costs are incurred for (co-)use.
(3) The system operators are entitled and obliged to provide appropriate evidence of the usage authorizations granted.
The documents and information created or collected when applying for or renewing usage authorizations as well as any consumption data may be stored automatically and must be deleted once the authorization has expired.
This does not apply to data for which certain retention obligations apply (e.g. billing data).
(4) The system operators are entitled to document and evaluate the use of the IT infrastructure, systems and procedures by individual users, but only insofar as this is necessary
a) to ensure proper system operation,
b) for resource planning and system administration,
c) to protect the personal data of other users
d) for billing purposes,
e) for the detection and elimination of malfunctions and
f) for the clarification and prevention of illegal or improper use.
(5) The system operators shall contribute in an appropriate manner, in particular in the form of regular spot checks, to the prevention, avoidance or detection of misuse.
To this end, they are entitled in particular to check passwords and usage data and to implement necessary protective measures, e.g. changes to easily guessable passwords, in order to protect the IT infrastructure, the systems and procedures and usage data from unauthorized access by third parties.
Users must be informed immediately of any necessary changes to passwords and other protective measures relevant to use. (6) The system operators shall be entitled to inspect usage files and to take defensive measures insofar as this is necessary to eliminate malfunctions or to clarify and prevent misuse, while observing data secrecy.
The inspection of usage files for other purposes is not permitted.
(7) The system operators are entitled and obliged to exclude users from further use of the IT infrastructure, systems and procedures in part or in full temporarily and in particularly serious cases permanently if facts justify the assumption that they are not fulfilling their obligations under Section 4.
In the case of measures restricting use, the provisions of Section 3 para.
6 and the procedural provisions pursuant to § 6 must be observed.
(8) The system operators are obliged to comply with the statutory data protection regulations and the data protection regulations of Coburg University of Applied Sciences and to maintain confidentiality.
(9) The system operators are obliged to observe the service agreements concluded with the staff representatives.
They are also obliged to support the staff representatives in the performance of their duties in accordance with the BayPVG by providing information, making documents available and granting inspection and access rights.
(10)
The system operators shall appoint contact persons vis-à-vis the IT Centre for organizational and content-related agreements regarding the use of the IT infrastructure, systems and procedures in their area.

(1) If, based on certain facts, there is a suspicion that a user is misusing the IT infrastructure, systems and procedures in accordance with the provisions of § 4, the user is obliged to provide the system operator with information about installed programs and methods used and to grant access to the data, insofar as this is necessary to clarify the suspicion.
(2) The data protection officer of Coburg University of Applied Sciences must be informed by the system operator in cases of suspicion according to para.
1 by the system operator and may participate in the investigation at their own discretion.
If the suspicion is directed against employees of Coburg University of Applied Sciences, the Human Resources Department and the Staff Council must also be involved in the investigation in cases of suspected criminal or other unlawful acts, while safeguarding the interests of the person concerned that are worthy of protection.
Unless there is imminent danger, the aforementioned bodies must be involved before any actual and/or legally relevant measures are taken.
(3) In the event of measures to uncover misuse, the parties concerned are entitled to consult the official data protection officer.
If the measures relate to employees of Coburg University of Applied Sciences within the meaning of Art. 4 BayPVG, they are entitled to involve the staff council in addition to the official data protection officer.
(4) Procedures in accordance with this provision must be documented.

(1) Users shall be liable in accordance with the respective liability provisions for all disadvantages incurred by Coburg University of Applied Sciences as a result of their failure to comply with their obligations under § 4 of these Terms of Use.
(2) In accordance with the respective liability provisions, users are also liable for damages caused by unauthorized use by third parties if they are responsible for this third-party use, e.g. by passing on access data.
(3) Users shall indemnify Coburg University of Applied Sciences against all claims asserted by third parties against Coburg University of Applied Sciences as a result of misuse within the meaning of para.
2 against Coburg University of Applied Sciences.
(4) Coburg University of Applied Sciences does not guarantee that its IT infrastructure, systems and procedures are error-free and available at all times without interruption.
Any loss of data due to technical faults cannot be ruled out.
(5) Coburg University of Applied Sciences assumes no responsibility for the functionality of the programs provided.
Coburg University of Applied Sciences is also not liable for the content, in particular for the accuracy, completeness and up-to-dateness of the information to which it merely provides access for use.
(6) Furthermore, Coburg University of Applied Sciences shall only be liable in the event of intent and gross negligence on the part of its employees, unless there is a culpable breach of essential obligations, compliance with which is of particular importance for achieving the purpose underlying the user relationship.
In this case, the liability of Coburg University of Applied Sciences is limited to typical damages that were foreseeable at the time the user relationship was established.
(7) Possible official liability claims against Coburg University of Applied Sciences remain unaffected by the above provisions.

(1) The present guideline may be supplemented by the system operators for their respective systems and facilities, systems and procedures by further regulations, provided that this does not contradict the provisions of this guideline.
If the additions affect data protection and/or staff representation interests, they are only permissible with the involvement and approval of the data protection officer and/or the responsible staff representation.
Regulations in force at the time of entry into force of this directive and compatible with its provisions shall continue to apply.
Incompatible regulations shall be repealed and replaced by compatible regulations.
For the amendment of existing regulations, the procedural provisions according to p. 2 and 3 shall apply accordingly.
(2) IT services for which users of the IT infrastructure, systems and procedures of Coburg University of Applied Sciences are liable to pay a fee can be found in the respective fee regulations.
(3) In the event of technical and organizational differences of opinion between the users and the system operators arising from the interpretation and application of these guidelines, an agreement shall be sought before the IT Steering Committee of Coburg University of Applied Sciences.
If no agreement can be reached, the university management shall decide.
The handling of legal issues is the responsibility of the relevant departments.
(4) Future changes to this guideline are subject to co-determination insofar as they affect the conditions of use and working conditions of employees in accordance with Art. 4 BayPVG.
Student representatives and the Senate shall also be consulted.
(5) The place of jurisdiction for all legal claims arising from the usage relationship is Coburg.