Privacy Policy
Gisma University of Applied Sciences (Gisma) Privacy Policy
Introduction
Welcome to the Privacy Policy for the Gisma University of Applied Sciences.
The Gisma University of Applied Sciences GmbH (“Gisma”) respects your privacy and is committed to protecting your personal data. This Privacy Policy describes how we protect your personal data when you visit our websites (regardless of where you access them from), what rights you have as a data subject and how the law protects you.
This Privacy Policy has been prepared in a layer format so that you can click through the individual sections listed below. Please also refer to the Glossary in Section 16 for explanations of certain expressions used in this Privacy Policy.
Purpose of this Privacy Policy
The purpose of this Privacy Policy is to tell you how Gisma collects and processes your personal data, including all data which you provide via this website any time you:
- come to our website via a social network like Facebook, Twitter, Instagram or LinkedIn;
- fill in a call back/enquiry form;
- register on our website in order to apply for a course or study programme, for a seminar for companies/managers or for CPD courses (online learning, distance learning, on-campus learning), regardless of whether you are submitting the application for yourself or for employees or other members of your organisation who are or become our clients;
- sign up to receive marketing materials; or
- provide your personal data to us in any other way.
This website is not aimed at children and we deliberately do not collect any data on this website pertaining to persons under 16 years of age. However, in the event that Gisma does process personal data concerning under-16s within the framework of its commercial activities, we ensure that appropriate safety measures are taken and that a parent or guardian gives their consent. More information is available from privacyprotection@gisma.com.
It is important that you read this Privacy Policy, together with all other privacy policies or policies regarding appropriate data processing which we publish for certain instances where we collect or process personal data concerning you, so that you are aware of why and how we use your data.
This Privacy Policy supplements these other policies but does not replace them.
1. Important information and who we are
Controller
This website is operated on behalf of Gisma University of Applied Sciences GmbH, a company registered in Germany under org. no. HRB 35061 P at the Local Court Potsdam, with registered office at Konrad-Zuse-Ring 11, 14469 Potsdam.
Gisma is a part of Global University Systems B.V., a group comprising different legal persons. Details can be found here: https://www.globaluniversitysystems.com/.
We have engaged a Data Protection Officer (DPO) who is responsible for dealing with questions relating to this Privacy Policy. If you have questions regarding this Privacy Policy, including questions on how to exercise your legal rights, please contact the DPO using the contact information below.
Contact information
Our full contact details are:
- Name of legal person responsible for data: Gisma University of Applied Sciences GmbH (hereinafter Gisma)
- Internal data protection coordination: privacyprotection@gisma.com
- External Data Protection Officer: RPA Datenschutz + Compliance GmbH, Franzenburg 48, D-35578 Wetzlar, represented by its CEOs Ilja Borchers and Henning Koch. info@rpa-datenschutz.de
You have the right to lodge a complaint at any time with the State Commissioner for Data Protection and Inspection of Records in Brandenburg, the supervisory authority in charge of data protection and inspection of records in Brandenburg (https://www.lda.brandenburg.de).
We would always prefer for you to contact us to help us deal with your data protection concerns before you contact the Brandenburg supervisory authority or any other competent supervisory authority. For this reason, we kindly ask you to get in touch with us in the first instance.
Amendments to the Privacy Policy and your obligation to notify us of changes
This version was last updated on 06 Jun. 2024. You can contact us for copies of older versions.
From time to time, we may amend specific parts of this Policy. We will disclose all future changes on this page. Please check back regularly to stay up-to-date with any updates or changes.
It is important that the personal data we have on you are correct and up-to-date. Please notify us if your personal data change during the course of your commercial relationship with us.
Third-party links
This website contains links to third-party websites, plug-ins and applications. By clicking on these links or establishing connections with them, you give third parties consent to collect or forward your data. We have no control over these third-party websites and are not responsible for their privacy policies. If you are accessing other websites from our website, we recommend reading the privacy policies of each website you visit.
2. Osano (Cookies)
Our website uses consent technology from Osano to obtain your consent to storing certain cookies on your end device or to the use of certain technologies and to document this consent in compliance with data protection law. The provider of this technology is Osano, Inc., 3800 North Lamar Blvd, Suite 200, Austin, Texas 78756, USA (hereinafter “Osano”).
When you enter our website, a connection is established with Osano servers in order to obtain your consent and other declarations regarding the use of cookies. Osano then stores a cookie in your browser so that any consents you have given or withdrawn can be attributed to you. The data collected during this process are stored until you ask us to erase them, you delete the Osano cookie yourself, or the purpose, for which the data were being stored, is no longer applicable. Mandatory statutory retention periods are unaffected. According to Osano, data concerning European website visitors will remain within the EU as their data are processed exclusively on regional servers. Osano is used to obtain your consent to the use of cookies, as is stipulated by law. The legal basis is Article 6(1), point c) GDPR.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link:
Data processing by Osano
We have concluded a data processing agreement (DPA) concerning the use of the aforementioned service. This agreement is a legal requirement under data protection law and guarantees that this service provider processes the personal data of our website users according to our instructions and in compliance with the GDPR only.
3. What data we collect from you
Personal data or personal information means all information concerning a person, through which this person can be identified. Therefore, anonymous data do not constitute personal data.
We have put together a list of the different types of personal data which we collect, use, store and transmit. These are:
- Education-related data means data that are relevant for your admittance to Gisma and includes data on previous education and schooling, education and training certificates, proof of qualifications, motivational letters, CVs, records of grades and references.
- Identity data means your first name, name at birth, surname, username or other similar identifying names, civil status, title, date of birth and sex, insurance number, student number, citizenship, residency status, disability declaration, third-party student reference number if this third party is forwarding your data to us, and photographs.
- Contact data means billing address, term-time address and permanent home address, country of residence, e-mail address and telephone numbers.
- Emergency contact data for next-of-kin, i.e. names and contact details in the event of an emergency.
- Employment data (if your employer is financing your education) means employer-related data, start date, end date, insurance number, your position or title, and contact details at your place of work (e-mail address, telephone number and postal address).
- Financial data means information on student loans, bank details and card details.
- Marketing and communication data means information on how you would like to receive marketing from us and how you would like us to contact you.
- Profile data means usernames and passwords, your queries, your purchases or tasks, your interests, your preferences, your feedback and your responses to surveys.
- Student data means information regarding your term-time and home address, photo ID, area of interest, selected course or study programme at Gisma (or course or study programme of one of our partner organisations), data on your learning progress and your results (seminar attendance and examinations, including mock exam), additional results from the period before the most recent year of study, test papers and overviews of grades, information on your attendance, feedback from lecturers and tutors regarding you or your employees (in the case of a company) (student appraisals), correspondence with Gisma sent to or from you using your Gisma email address, how much you are using Gisma’s learning facilities/services (including loans and late returns), data on attendance of events, information on mentor and mentee data, data concerning your attendance at events we have hosted or advertised, learning analyses and profile data, information on disciplinary measures, information on complaints related to students, courses or tutors, (legal) claims of any kind relating to you, extenuating circumstances (personal issues), appeals, and any additional information that is required for professional associations, accreditation bodies or scholarship sponsors.
- Verification and notifiable data means data concerning the travel destination of college graduates and data concerning students which must be transmitted to third parties for regulatory purposes.
- Transaction data means information concerning payments to and from you and other information on products and services which you have purchased from us.
- Technical data means your IP address, log-in details, browser type and version, time-zone setting and location, types and versions of browser plug-ins, operating system and platform, and other technologies on devices you use to access this website.
- Usage data means URL data, web analytics data concerning how and from where you have reached our websites, what you have searched for, what pages on our websites you have accessed, how long your visit lasts and other information on how you use our websites and the data provided on the same and how you use our products and services; this helps us improve our website for you.
- Visa data for international students, including passport and details of previous visas, bank statements or other financial information which demonstrates to us that you are compliant with the conditions of your visa.
We also use and forward aggregated data, such as statistical or demographic data, for any and all purposes. Aggregated data may be derived from your personal data but are not legally considered personal data as they do not reveal your identity either directly or indirectly. For example, we compile usage data in order to calculate what percentage of users are using a specific service on our website. However, if we ever combine aggregate data with your personal data or connect these data in such a way that your identity can be inferred, directly or indirectly, we categorise these combined data as personal data and use such in accordance with the provisions of this Privacy Policy.
Special data categories
When you apply for a course or study programme on our website, we will ask you if you have any disabilities. You are not obliged to tell us but if you do, this will help to give us an idea of how we can fulfil our legal obligations with regards to your disability.
Failure to disclose personal data
If we are obliged to collect personal data by law or on the grounds of the provisions of a contract we have concluded with you and you fail to disclose these data when requested, we will be unable to fulfil the contract we have concluded or wish to conclude with you (e.g. delivering items to you or rendering services for you). In such a case, we must cancel the product or service you have ordered; however, we will inform you in due course if this is the case.
4. How we collect your personal data
We use different methods to collect data from and concerning you, including:
- Direct interactions. You share your identity, contact and financial data with us by filling in forms or communicating with us by post, telephone, e-mail or other means. This includes personal data which you disclose when:
- applying for our products or services;
- setting up an account on our website;
- using our website;
- subscribing to our services or publications;
- requesting marketing materials;
- participating in an advertising campaign or survey; or
- giving us feedback.
- Automated technologies and interactions. Whenever you interact with our website, we automatically collect technical data concerning your device and your navigation behaviour and patterns. We may also collect personal data by using cookies and other similar technologies. For more information, please refer to our cookie configuration.
- Third-party or publicly available sources. We receive personal data concerning you from numerous third parties and public sources in accordance with the following:
Technical data from the following parties:
- Analytics services like Google Analytics, Google Optimizer, Google Webmaster Tools, Google Tag Manager, Facebook, Instagram and other similar services which we will use in future;
- Advertising networks like Google Advertising Network, Facebook, Instagram, Bing and LinkedIn with registered offices outside of the EU and similar networks, through which we enter into a commercial relationship; and
- Information research services like Google, Bing and other search engines with registered offices within and outside of the EU, social networks like Facebook, LinkedIn and Instagram with registered offices in the EU, and others who offer similar services.
- Contact, financial and transaction data from providers of technical services and payment and delivery services, such as Google Analytics, Facebook, Instagram, Bing, LinkedIn and Stripe with registered offices outside of the EU, including similar services, through which we will enter into a commercial relationship in future;
- Identity and contact data from data collection services;
- Identity and contact data from publicly available sources in the EU, such as the electoral roll.
- Student data from employees, administrators of other education institutions, from mentees or mentors, from claimants.
- College, contact, identity, marketing, communication and technical data from (i) publishers who are owners of private websites and have their registered office within and outside of Europe, and (ii) intermediaries and their organisations, such as other universities; and (iii) UCAS (Universities & Colleges Admissions Service).
5. How we use your personal data
We only ever use your personal data where legally permitted. Normally, we use your personal data in the following instances:
- If we are required to fulfil the contract we have concluded or will conclude with you in the near future.
- If this is necessary within our (or a third party’s) legitimate interest and your interests and basic rights do not override this interest.
- If we have legal or regulatory obligations which we must fulfil.
Please see the table below for the different legal grounds, on which we process your data.
Generally speaking, we do not consider consent to constitute legal grounds to process your data, except with respect to sending you direct marketing materials by e-mail. You have the right to withdraw your consent to marketing at any time by contacting us at privacyprotection@gisma.com or by clicking on the Unsubscribe link in the relevant e-mails.
6. The purposes, for which your personal data are used
Below you will find a description of all the ways, in which your personal data are used and the legal grounds, on which these uses are based. Where applicable, we have also provided information on our legitimate interest.
Depending on the purpose, for which we are using your data, the processing of your personal data may be based on more than one legal ground.
Purpose / Action | Type of data | Legal grounds for processing, including on grounds of legitimate interest |
Students or future students | ||
To respond to your request for a call back or reply via e-mail and to respond to course enquiries and applications | (a) Contact data | Fulfilling a contract with you (in the expectation of concluding a contract with you) |
To sign you up/register you as a new user and issue an enrolment number/a student ID | (a) Identity data (b) Contact data (c) College data | Fulfilling a contract with you |
Direct marketing relating to discounts and offers for students, university activities and events and services or job prospects and from or relating to professional and trade associations who wish to speak to students about job prospects To advertise the university or faculty using prospectuses which contain images of current students. Direct marketing includes cookie-based remarketing services, the aim of which is to show you targeted adverts based on your internet search. | (a) Contact data | Consent |
To process your application, and to render services including: (a) Managing payments, costs and fees (b) Collecting on moneys that are owed to us (c) Charging VAT | (a) Identity data (b) Contact data (c) Financial data (d) Transaction data (e) Marketing and communication data (f) College data | Fulfilling a contract with you Necessary for our legitimate interest (in order to collect on sums owed to us) |
To manage our legal relationship with you, including: (a) Providing learning materials (b) Requesting a review or participation in a survey (c) Verifying attendance or change in student status. (e) Managing complaints and appeals and also matters concerning health, conduct, cheating and plagiarism (prohibited resources). (f) Awarding scholarships | (a) Identity data (b) Contact data (c) Profile data (d) Marketing and communication data | Fulfilling a contract with you Fulfilling a legal obligation Necessary for our legitimate interest (in order that our documentation is up-to-date and in order to analyse how students are using our products/services) |
To review equality of opportunities (for some but not all institutions) | Gender, ethnicity, religion and citizenship | Legal obligation |
Registration | (a) Identity data (b) Student data | Necessary in order to fulfil a contract |
To make adjustments in order to comply with requirements regarding disabilities/medical conditions | Health data | Consent |
To provide health support and first aid, evacuate in case of emergency, conduct risk assessments, review accidents | Health data | Interests essential to life Consent |
Managing emergencies, accidents, health | Emergency contact/Details for next-of-kin | Interests essential to life Consent |
To improve services, group students according to their performance etc. | Student data (in particular learning analyses) | Legitimate interest |
Customers (or future customers) of online courses and published media | ||
To register new customers for online materials | (a) Identity data (b) Contact data | Fulfilling a contract with you |
To process/fulfil/deliver a customer order, manage payments and fees To collect moneys owed Billing documents To defend against legal claims brought against us | (a) Identity data (b) Contact data (c) Financial data (d) Transaction data (e) Marketing and communication data | Fulfilling a contract with you Necessary for our legitimate interest (in order to collect on sums owed to us or defend against legal claims) Necessary in order to fulfil a legal claim |
Gisma customers (including business customers) | ||
To register customer with GUS | (a) Identity data (b) Contact data | Fulfilling a contract with you |
To process/fulfil/deliver our service to you, manage payments and fees, collect moneys owed, billing purposes To defend against legal claims brought against us | (a) Identity data (b) Contact data (c) Financial data (d) Transaction data (e) Marketing and communication data | Fulfilling a contract with you Necessary for our legitimate interest (in order to collect on sums owed to us or defend against legal claims) Necessary in order to fulfil a legal claim |
Gisma suppliers | ||
To register the supplier as a Gisma supplier | (a) Identity data (b) Contact data | Fulfilling a contract with you |
To process and receive goods and services To manage payments and fees, billing purposes, to defend against claims brought against Gisma | (a) Identity data (b) Contact data (c) Financial data (d) Transaction data (e) Marketing and communication data | Fulfilling a contract with you Necessary for our legitimate interest (in order to defend against legal claims) Necessary in order to fulfil a legal claim |
For all | ||
HR management (applications for academic positions submitted via web form) | (a) Identity data (b) Contact data | Fulfilling a contract with a candidate |
Customer relationship management, to update the Privacy Policy and notify you of the same, to update our Terms and Conditions and to inform you of the same To ask for your feedback, manage complaints | (a) Identity data (b) Contact data (c) Profile data (d) Marketing and communication data | Fulfilling a contract with you Fulfilling a legal obligation Necessary for our legitimate interest (continuous improvement/updating documents/analysing behaviour patterns among customers) |
To enable respondents to participate in a survey | (a) Identity data (b) Contact data (c) Profile data (d) Usage data (e) Marketing and communication data | Necessary for our legitimate interest (continuous improvement/updating documents/analysing behaviour patterns among customers) Consent |
To manage and protect our company and our website (including troubleshooting, data analysis, tests, system maintenance, support, reporting and data hosting) | (a) Identity data (b) Contact data (c) Technical data | Necessary for our legitimate interest (for managing our operations, providing administrative and IT services, network security, anti-fraud and in the context of reorganising the company or a restructuring of the group) Necessary in order to fulfil a legal obligation |
To provide you with relevant website content and advertising and to measure and understand the effectiveness of the advertising we show you | (a) Identity data (b) Contact data (c) Profile data (d) Usage data (e) Marketing and communication data (f) Technical data | Necessary for our legitimate interest (in order to analyse how customers use our products/services in order to develop these, in order to grow our business and in order to adapt our marketing strategy) Consent obtained through cookies |
To use data analytics services in order to improve our website, our products/services, our marketing, our business relationships and the experiences of our students and partners | (a) Technical data (b) Usage data | Necessary for our legitimate interest (in order to define customer types for our products/services so that our website is up-to-date and contains relevant information, in order to grow our business and in order to adapt our marketing strategy) |
To make suggestions and recommendations regarding goods and services that may be of interest to you | (a) Identity data (b) Contact data (c) Technical data (d) Usage data (e) Profile data | Necessary for our legitimate interest (in order to develop our products/services and in order to grow our business) Consent |
7. How we use confidential personal data (special category data)
We are legally obliged to fulfil additional requirements with respect to collecting, storing and using personal data that are regarded as “special category data”. We have appropriate security measures in place which we follow by law whenever processing such data. We process special categories of personal data in the following instances:
Purpose/Action | Type of data | Legal grounds for processing |
Students or future students | ||
In order to register you as a student, we must verify your residency status with Gisma | Citizenship data Residency data (information from visas and passports) | (a) Fulfilling a contract with you (b) Complying with legal obligations, e.g. with respect to German immigration authorities (and others) |
To make necessary adjustments and provide necessary support in accordance with the corresponding learning needs | Data on disabilities Special education needs | (a) Fulfilling our legal obligations (pursuant to German Equality Act (Gleichstellungsgesetz) of 2010) (b) Explicit consent (information is provided voluntarily) |
To review student absences* To process applications for extenuating circumstances To process applications for suspending or deferring studies To document dietary requirements | Medical data/Health data Doctor’s certificates Patient records (under certain circumstances) | (a) Fulfilling a contract with you (b) Explicit consent (information is provided voluntarily) (c) * Sometimes a visa states that a student must achieve a minimum level of attendance; in this case, we will request a doctor’s note for any absences so that we do not breach our obligations with respect to the German Foreign Office (Auswärtiges Amt) |
The above information must also be used as legal grounds where applicable due to the enforcement of legal claims or in order to protect your interests (or the interests of another person) (if you lack the capacity to give consent, e.g. because of a health issue which makes it impossible for you to communicate).
Consent
You are not required to consent to specific types of processing in order to become a student with us. However, if you decide not to give us any consent, you will be unable to use certain services, such as support services.
We do not require your consent in cases where we use special categories of data pursuant to our legal obligations (and where we describe this in our written guidelines).
In rare cases, we will ask for your explicit (written) consent to use special category data. When doing so, we will ensure that you receive a detailed explanation of what data we require and the reasons for this. You can then use this information to decide whether or not you wish to consent.
Marketing
We make every effort to ensure that you can choose if and how certain personal data are used, in particular with regards to marketing and advertising. We always give you the opportunity to decide if and how we use your personal data.
Marketing from us
You will receive marketing from us if you have requested information from us or if you have purchased products or services from us or if you have provided your contact details in a survey or feedback form and you have consented to the sending of marketing materials in this context (opt-in).
Opt-out
We will only ever send you marketing e-mails if you have explicitly consented (opt-in). You can ask us to stop sending you marketing at any time by clicking on the Opt-out/Unsubscribe links in the marketing materials you receive or by contacting the DPO directly at privacyprotection@gisma.com.
If you opt out of marketing or update your preferences, we will still keep those data which you have sent us when applying for a course or study programme or when purchasing other services or materials from us.
Cookies
You can adjust your browser settings to block all or some browser cookies or to receive a notification any time websites place cookies or access cookies. Please note that disabling or blocking cookies may affect the functionality of some parts of this website or prevent you from accessing the website entirely.
Change of purpose
We only ever use your personal data for those purposes, for which we collected them, unless we come to the conclusion, at our reasonable discretion, that we must use the data for another reason and that this reason is consistent with the original purpose (unless our processing was based on the legal grounds of consent). If you would like an explanation regarding the extent to which processing for this new purpose is consistent with the original purpose, please contact our DPO.
Any time we have to use your personal data for a purpose other than the specified purpose, we will notify you and explain the legal grounds which permit us to do so.
Please note that we will process your personal data in accordance with the above regulations without your knowledge or consent, insofar as this is legally required or permitted.
8. Disclosing your personal data
We are required to disclose your personal data to the parties indicated below on the grounds listed in the table in Section 5.
- Internal third parties pursuant to the Glossary.
- External third parties pursuant to the Glossary.
- Certain third parties as indicated in the Glossary.
- Third parties, to whom we decide to sell or assign parts of our company or our assets or with whom we decide to merge. Alternatively, we may seek to buy other companies or merge with such. In the event of a change affecting our company, the new owners may use your personal data in the manner described in this Privacy Policy.
We require of all third parties that they observe the security of your personal data and treat such in accordance with the applicable law. We do not permit our third-party service providers to use your personal data for their own purposes and we permit them only to process your personal data for specific purposes and in accordance with our instructions.
9. International data transfers
We forward your data within the GUS Group. This involves transferring your data outside of the European Economic Area (EEA).
Some of our external third parties have their registered office outside of the European Economic Area (EEA), such that the processing of your personal data by these parties involves the transfer of data outside of the EEA.
Whenever we transfer your personal data outside of the EEA, we ensure that your data are protected in a comparable manner by ensuring that the following security measures are implemented as a minimum:
- We only transfer your personal data to countries which, in the opinion of the European Commission, have an adequate level of data protection. You can get more information from the European Commission: Data protection adequacy in non-EU countries.
- When utilising certain service providers, we use special contracts which have been approved by the European Commission and which provide for the same level of data protection as in Europe. You can get more information from the European Commission: Model contracts for transfer of personal data to third countries.
- When using providers with registered offices in the USA, we only transfer data to these providers if they are subject to the regulations of the EU-US Privacy Shield which requires them to guarantee a comparable level of protection for personal data being transmitted between Europe and the USA. You can get more information from the European Commission: EU-US Privacy Shield.
- You have explicitly consented to the relevant transfer once you have been informed that this transfer involves risks for you because the level of data protection is not adequate and appropriate security measures have not been taken.
- The transfer is necessary in order to fulfil a contract between you and us as controller or in order to take steps at your request prior to entering into a contract.
- The transfer is necessary in order to conclude or fulfil a contract which was concluded in your interest between you and us as controller and another natural or legal person.
- The transfer is necessary for good cause in the public interest.
- The transfer is necessary in order to establish, exercise or defend legal claims.
- The transfer is necessary in order to protect your vital interests or the vital interests of other persons, insofar as you do not possess the physical or legal capacity to consent.
- The transfer is conducted on the basis of a directory which, pursuant to the law of the European Union or a Member State, serves to inform the public and which is available to the general public or to persons who can demonstrate a legitimate interest, but only insofar as the requirements for inspection as set out in EU law or the law of a Member State are fulfilled in each case.
10. Data security
We have taken appropriate security measures to prevent the accidental loss, unauthorised use, modification and disclosure of or access to your personal data. We also restrict access to your personal data to those employees, agents, contractors and other third parties who require knowledge of such for business purposes. They process your personal data in accordance with our instructions only and are subject to confidentiality.
We have put in place procedures for reacting in the event that there is a suspicion that the security of your personal data may have been breached and we will inform you and all relevant regulatory authorities of any breaches, insofar as we are legally obliged to do so.
11. Data storage
How long do we use your personal data for?
We store your personal data only for as long as is necessary to achieve the purposes for which they were collected, including for the purposes of fulfilling legal, invoicing or reporting requirements.
In some cases, you may ask us to erase your data: please see below for more details.
In some cases, we anonymise your personal data (such that they can no longer be attributed to you) for research and statistical purposes; in such cases, we use this information indefinitely without informing you.
12. Your legal rights
In certain cases, you have specific rights with regards to your personal data on the grounds of data protection regulations. Please click on the links below to find out more about these rights:
- Requesting access to your personal data: You have the right to access your personal data (referred to as a “Subject access request”). You can receive a copy of the personal data we store concerning you and can check that we are processing these in accordance with the legal regulations.
- Submitting: If you would like to submit a request to access your information, please contact us at Gisma, Konrad-Zuse-Ring 11, 14469 Potsdam or via e-mail at privacyprotection@gisma.com.
- What we need from you: We will have to ask you for certain pieces of information to confirm your identity and exercise your right to access your personal data (or to exercise other rights you have). This is a security measure for guaranteeing that personal data are not given out to persons who do not have the right to access such. Where applicable, we may also contact you in order to ask you for more information with regard to your request so that we can process your request faster.
- Request for rectification of your personal data
You may have any data which we store concerning you and which are incomplete or incorrect rectified. We will then review whether the new data you have provided us with are correct.
- Request for erasure of your personal data
You can ask us to erase or remove your personal data, insofar as we do not have proper cause to continue processing such. You also have the right to ask us to erase or remove your personal data if you have successfully exercised your right to object to processing (see below), if we have processed your information unlawfully or if we are required to erase your personal data on the grounds of local legal regulations. However, please note that we will not always be able to fulfil your request for erasure due to certain legal grounds which we will inform you of as applicable when you submit your request.
- Objecting to processing of your personal data
You can object to the processing of your personal data insofar as we are claiming a legitimate interest (or the legitimate interest of a third party) and insofar as you wish to object to the processing on grounds relating to your particular situation because you feel that your fundamental rights and freedoms are being negatively affected. You also have the right to object insofar as we process your personal data for direct marketing purposes. In some cases, we will demonstrate that we have compelling lawful grounds to process your information which override your rights and freedoms.
- Request to restrict processing of your personal data
You can request that we restrict the processing of your personal data. You can request that we temporarily cease processing your personal data in the following cases: (a) you want us to ensure that the data are correct; (b) our use of the data is unlawful but you do not want us to erase the data; (c) we are required to store the data for you, even if we no longer require such because you require these data in order to establish, exercise or defend legal claims; or (d) you have objected to our processing of your data but we must determine whether we have overriding legal grounds for the processing.
- Request for transfer of your personal data
You can exercise your right to have your personal data transferred to you or a third party. We will provide you or a third party, whom you name, with your personal data in a structured, common, machine-readable format. Please note that this right only applies to automated information, our use of which you initially consented to or which we have used in order to fulfil a contract with you.
- Right to withdraw consent
This right applies only insofar as we obtain your consent to the processing of your personal data. The lawfulness of processing conducted before you withdraw your consent is not affected. We will no longer be able to offer you certain services if you withdraw your consent. We will tell you if this is the case when you withdraw your consent.
In certain cases, you can exercise your right to exclusion of processing by ticking certain options in the forms we use to collect your data. You can also contact us at privacyprotection@gisma.com if you wish to exercise your rights.
13. Social media
Facebook
Elements of the social network Facebook have been integrated into this website. The provider of this service is Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. However, according to information provided by Facebook, the data collected are transferred to the USA and other third countries. You can find an overview of the Facebook social media elements here: https://developers.facebook.com/docs/plugins/?locale=en_EN.
When the social media element is active, a direct connection is established between your end device and the Facebook server. Consequently, Facebook is informed that you have visited this website from your IP address. If you click on the Facebook “Like” button while you are logged in to your Facebook account, you can link the content of this website on your Facebook profile. Consequently, Facebook can assign your visit to this website to your user account. Please note that as the operator of this website, we are not aware of the content of the data transmitted or the use of such by Facebook. More information is available in the Facebook Privacy Policy at: https://www.facebook.com/privacy/policy/.
The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. Insofar as personal data are collected on our website and transferred to Facebook using the tools described here, we act jointly as controller together with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (Article 26 GDPR). This joint responsibility is limited exclusively to the collection of data and transfer of the same to Facebook. Processing of data by Facebook after this transfer does not fall under the scope of this joint responsibility. The obligations incumbent on us and Facebook jointly have been set out in an agreement on joint processing.
The wording of this agreement can be found here:
https://www.facebook.com/legal/controller_addendum.
According to this agreement, we are responsible for providing information on data protection when using the Facebook tool and for implementing the tool on our website securely and in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can enforce your rights as a data subject (e.g. subject access request) regarding data processed by Facebook directly with Facebook. If you enforce your rights as a data subject with us, we will be obliged to forward this information to Facebook. Details are available here: https://www.facebook.com/legal/EU_data_transfer_addendum, https://www.facebook.com/help/566994660333381 and https://www.facebook.com/policy.php.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active
X (formerly Twitter)
Functions provided by the service X (formerly Twitter) have been integrated into this website. These functions are provided by the parent company X Corp., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The subsidiary, Twitter International Unlimited Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07, Ireland, is responsible for the processing of data of persons living outside of the USA. When the social media element is active, a direct connection is established between your end device and the X server. Consequently, X (formerly Twitter) is notified that you have visited this website. If you use X (formerly Twitter) and the “Retweet” or “Repost” function, the websites you have visited can be linked to your X (formerly Twitter) account and disclosed to other users. Please note that as the operator of this website, we are not aware of the content of the data transmitted or the use of such by X (formerly Twitter).
More information is available in the X (formerly Twitter) Privacy Policy at:
https://twitter.com/en/privacy.
The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. For details, please see: https://gdpr.twitter.com/en/controller-to-controller-transfers.html.
You can change your privacy settings on X (formerly Twitter) in your account settings at
https://twitter.com/account/settings.
Instagram
Functions provided by the service Instagram have been integrated into this website. These functions are provided by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland. When the social media element is active, a direct connection is established between your end device and the Instagram server. Consequently, Instagram is notified that you have visited this website. If you are logged in to your Instagram account, you can link the content of this website to your Instagram profile by clicking the Instagram button. Consequently, Instagram can assign your visit to this website to your user account. Please note that as the operator of this website, we are not aware of the content of the data transmitted or the use of such by Instagram. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. Insofar as personal data are collected on our website and transferred to Facebook/Instagram using the tools described here, we act jointly as controller together with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (Article 26 GDPR). This joint responsibility is limited exclusively to the collection and transfer of data to Facebook/Instagram. Processing of data by Facebook/Instagram after this transfer does not fall under the scope of this joint responsibility. The obligations incumbent on us and Facebook jointly have been set out in an agreement on joint processing. The wording of this agreement can be found here: https://www.facebook.com/legal/controller_addendum.
According to this agreement, we are responsible for providing information on data protection when using the Facebook/Instagram tool and for implementing the tool on our website securely and in accordance with data protection law. Facebook is responsible for the data security of Facebook or Instagram products. You can enforce your rights as a data subject (e.g. subject access request) regarding data processed by Facebook/Instagram directly with Facebook. If you enforce your rights as a data subject with us, we will be obliged to forward this information to Facebook. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://www.facebook.com/legal/EU_data_transfer_addendum,
https://privacycenter.instagram.com/policy/ and
https://www.facebook.com/help/566994660333381.
More information is available in the Instagram Privacy Policy at:
https://privacycenter.instagram.com/policy/.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active
LinkedIn
This website uses elements of the LinkedIn network. The provider is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Any time you access a page on this website containing LinkedIn elements, a connection is established with the LinkedIn servers. LinkedIn is notified that you have visited this website from your IP address. If you click on the LinkedIn “Recommend” button and are logged in to your LinkedIn account, LinkedIn is able to attribute your visit to this website to you and your user account. Please note that as the operator of this website, we are not aware of the content of the data transmitted or the use of such by LinkedIn. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here:
More information is available in the LinkedIn Privacy Policy at:
https://www.linkedin.com/legal/privacy-policy.
XING
This website uses elements of the XING network. The provider is New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany. Any time you access a page on this website containing XING elements, a connection is established with the XING servers. To our knowledge, personal data are not stored during this process. In particular, IP addresses are not stored and user behaviour is not analysed. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. More information on privacy and the XING Share button is available in the XING Privacy Policy at: https://privacy.xing.com/en.
14. Analytical tools and advertising
Google Tag Manager
We use Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is a tool which we can use to integrate tracking or statistics tools and other technologies into our website. Google Tag Manager does not generate user profiles itself, nor does it save any cookies or conduct any independent analyses. Its sole purpose is to manage and run the tools which it is used to integrate. However, Google Tag Manager does record your IP address which may also be transferred to the Google parent company in the USA. The use of Google Tag Manager is based on Article 6(1), point f) GDPR. The website operator has a legitimate interest in the quick and simple integration and management of different tools on his website. Where corresponding consent has been requested, processing is performed exclusively on the grounds of Article 6(1), point a) GDPR and S. 25(1) TTDSG, insofar as this consent covers the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG. You can withdraw this consent at any time.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
Google Analytics
This website uses functions of the Google Analytics service. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics enables the website operator to analyse the behaviour of visitors to his website. The website operator receives a variety of usage data, such as page visits, length of visit, operating systems used and origin of user. These data are compiled in a User ID and assigned to the respective end device of the website visitor. We can also use Google Analytics to track your mouse movements, scrolling and clicks. Additionally, Google Analytics uses a variety of modelling methods to supplement the data sets created and employs machine-learning technologies for data analysis. Google Analytics uses technologies which enable user recognition for the purposes of analysing user behaviour (e.g. cookies or device fingerprinting). The information which Google collects concerning use of this website is generally speaking transferred to a Google server in the USA where it is stored. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://privacy.google.com/businesses/controllerterms/mccs/.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards.
More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
IP anonymisation
Google Analytics IP anonymisation is enabled. Consequently, your IP address is compressed by Google within Member States of the European Union or other signatory States to the Agreement on the European Economic Area before being transmitted to the USA. Your full IP address will be transmitted to a Google server in the USA and compressed there in exceptional cases only. Google will use this information on behalf of the operator of this website to analyse your use of the website, to compile reports on website activities and to provide other services for the website operator relating to use of the website and the internet. The IP address transmitted by your browser within the context of Google Analytics is not merged with other Google data.
Browser plug-in
You can prevent Google from collecting and processing your data by downloading and installing a browser plug-in available from the following link: https://tools.google.com/dlpage/gaoptout?hl=en.
More information on how Google Analytics handles user data can be found in the Google Privacy Policy: https://support.google.com/analytics/answer/6004245?hl=en.
Google signals
We use Google signals. When you visit our website, Google Analytics collects data such as your location, your search history, your YouTube history and demographics (user data). These data can be used by Google signals to personalise advertising. If you have a Google account, Google signals will link these user data to your Google account and use them to show you personalised adverts. These data will also be used to compile anonymised statistics on the behaviour of our users.
Data processing
We have concluded a data processing agreement with Google and implement the strict guidelines of the German data protection authorities when using Google Analytics.
Microsoft Advertising
The website operator uses Microsoft Advertising. Microsoft Advertising is an online advertising program provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA. Microsoft Advertising enables us to display adverts in the Bing search engine or on third-party websites whenever users enter certain key terms into Bing (keyword targeting). Targeted ads can also be displayed by utilising user data which Microsoft already possesses (e.g. location data and interests) (group targeting). As the operator of the website, we can run quantitative analyses on these data, such as by analysing what search terms have led to our adverts being displayed and how many adverts have led to clicks. We use universal event tracking (UET) from Microsoft Advertising on this website. This tool collects pseudonymised data in order to track the actions you take on our websites after clicking on an ad displayed with Microsoft Advertising. UET records your IP address (anonymised), device ID, information on device and browser settings, Microsoft Click ID (stored in a cookie), length of visit to the website, what areas of the website you access, which ad led you to our website and which keyword(s) was/were clicked on. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time.
The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://learn.microsoft.com/en-us/compliance/regulatory/offering-eu-model-clauses.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards.
More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000KzNaAAK&status=Active
Clarity
This website uses Clarity. The provider is Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland, https://docs.microsoft.com/en-us/clarity/ (hereinafter “Clarity”). Clarity is a tool which analyses user behaviour on this website. In particular, Clarity records mouse movements and prepares a graphic showing which part of the website users scroll particularly frequently (heatmaps). Clarity can also record sessions so that we can view the use of our website in video form. In addition, we receive information on general user behaviour across our website. Clarity uses technologies which enable user recognition for the purposes of analysing user behaviour (e.g. cookies or device fingerprinting). Your personal data are stored on Microsoft servers in the USA (Microsoft Azure Cloud Service). Insofar as we have obtained consent, use of this service is based exclusively on Article 6(1), point a) GDPR and S. 25 TTDSG. You can withdraw this consent at any time. If consent has not been obtained, use of this service is based on Article 6(1), point f) GDPR; the website operator has a legitimate interest in effective user analysis.
For more details about privacy at Clarity, please visit: https://docs.microsoft.com/en-us/clarity/faq.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000KzNaAAK&status=Active
Data processing
We have concluded a data processing agreement (DPA) concerning the use of the aforementioned service. This agreement is a legal requirement under data protection law and guarantees that this service provider processes the personal data of our website users according to our instructions and in compliance with the GDPR only.
Google Ads
The website operator uses Google Ads. Google Ads is an online advertising program provided by Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. Google Ads enables us to display adverts in the Google search engine or on third-party websites whenever users enter certain key terms into Google (keyword targeting). Targeted ads can also be displayed by utilising user data which Google already possesses (e.g. location data and interests) (group targeting). As the operator of the website, we can run quantitative analyses on these data, such as by analysing what search terms have led to our adverts being displayed and how many adverts have led to clicks. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG. You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://policies.google.com/privacy/frameworks and https://business.safety.google/controllerterms/.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards.
More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
Google AdSense
This website uses Google AdSense, a service for integrating adverts. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. We can use Google AdSense to display targeted third-party adverts on our website. The content of these ads is tailored to your interests which Google determines based on your prior user behaviour. Context information, such as your location, the content of the website you are visiting or the search terms you have entered into Google, is also taken into account when selecting suitable ads. Google AdSense uses cookies, web beacons (invisible graphics) and similar recognition technologies. These technologies can be used to analyse information such as visitor traffic on this website. The information which Google AdSense collects regarding use of this website (including your IP address) and the displaying of advertising formats are transferred to a Google server in the USA where they are stored. Google may pass on this information to its contract partners. However, Google will not merge your IP address with other data it holds concerning you. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://privacy.google.com/businesses/controllerterms/mccs/.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
Google Ads Remarketing
This website uses functions of Google Ads Remarketing. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. We can use Google Ads Remarketing to assign persons who interact with our online presence to specific target groups in order to subsequently show them tailored advertising on the Google Ads network (remarketing/retargeting). The marketing target groups compiled by Google Ads Remarketing can also be linked to cross-device Google functions. In this way, we can show you personalised adverts tailored to your interests based on your previous user and surfing behaviour on one end device (e.g. phone) on another of your end devices (e.g. tablet or PC).
If you have a Google account, you can object to personalised advertising at the following link: https://adssettings.google.com/anonymous?hl=en.
The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. More information and data protection regulations can be found in the Google Privacy Policy at: https://policies.google.com/technologies/ads?hl=en.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
Creating target groups with Customer Match
We use tools such as Customer Match from Google Ads Remarketing in order to create target groups. In doing so, we transfer certain customer data (e.g. e-mail addresses) from our customer lists to Google. If the corresponding customers are Google users and are logged in to their Google account, they will be shown suitable ads within the Google network (e.g. on YouTube, in Gmail or in the search engine).
Google Conversion Tracking
This website uses Google Conversion Tracking. The provider is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. We and Google can use Google Conversion Tracking to identify whether a user has performed specific actions. This means, for example, that we can analyse which buttons on our website have been clicked on frequently and which products have been frequently viewed or purchased. This information is used to compile conversion statistics. We are informed of the total number of users who clicked on our ads and what actions they performed. We do not receive any information that would allow us to personally identify the user. Google itself uses cookies or similar recognition technologies for the purposes of identifying users. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw your consent at any time. More information on Google Conversion Tracking is available in the Google Privacy Policy: https://policies.google.com/privacy?hl=en.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
Facebook Conversion API
We have integrated the Facebook Conversion API into this website. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. However, according to information provided by Facebook, the data collected are transferred to the USA and other third countries. The Facebook Conversion API enables us to record visitors’ interactions with our website and to pass this information to Facebook in order to improve the performance of our advertising on Facebook. In particular, we record the time of access, the page accessed, your IP address, your user agent and other specific data as applicable (e.g. products purchased, value of basket and currency). You can find a full overview of the data collected here: https://developers.facebook.com/docs/marketing-api/conversions-api/parameters.
The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. Insofar as personal data are collected on our website and transferred to Facebook using the tools described here, we act jointly as controller together with Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2 (Article 26 GDPR). This joint responsibility is limited exclusively to the collection of data and transfer of the same to Facebook. Processing of data by Facebook after this transfer does not fall under the scope of this joint responsibility. The obligations incumbent on us and Facebook jointly have been set out in an agreement on joint processing. The wording of this agreement can be found here: https://www.facebook.com/legal/controller_addendum.
According to this agreement, we are responsible for providing information on data protection when using the Facebook tool and for implementing the tool on our website securely and in accordance with data protection law. Facebook is responsible for the data security of Facebook products. You can enforce your rights as a data subject (e.g. subject access request) regarding data processed by Facebook directly with Facebook. If you enforce your rights as a data subject with us, we will be obliged to forward this information to Facebook. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://www.facebook.com/legal/EU_data_transfer_addendum and https://www.facebook.com/help/566994660333381.
You can find more information on how your privacy is protected in the Facebook Privacy Policy: https://www.facebook.com/privacy/policy/?entry_point=data_policy_redirect&entry=0.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active
Data processing
We have concluded a data processing agreement (DPA) concerning the use of the aforementioned service. This agreement is a legal requirement under data protection law and guarantees that this service provider processes the personal data of our website users according to our instructions and in compliance with the GDPR only.
Facebook Custom Audiences
We use Facebook Custom Audiences. The provider of this service is Meta Platforms Ireland Limited, 4 Grand Canal Square, Dublin 2, Ireland. When you use or visit our websites and apps, take advantage of our free or paid-for offers, transmit data to us or interact with our company’s Facebook content, we collect your personal information. Insofar as you consent to our use of Facebook Custom Audiences, we will pass these data to Facebook who can use them to show you appropriate advertising. Your data can also be used to define target groups (Lookalike Audiences). Facebook processes these data on our behalf as a processor. Details on the Facebook usage agreement can be found here: https://www.facebook.com/legal/terms/customaudience.
The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to the USA is based on the EU standard contractual clauses. For details, please see: https://www.facebook.com/legal/terms/customaudience and https://www.facebook.com/legal/terms/dataprocessing.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards. More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt0000000GnywAAC&status=Active
TikTok Pixel
We have integrated the TikTok Pixel into this website. The provider is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter TikTok). We can use the TikTok Pixel to show visitors to our website who have viewed our offers advertising on TikTok that is tailored to their interests (TikTok Ads). At the same time, we can use the TikTok Pixel to identify how effective our TikTok advertising is. We can consequently evaluate the effectiveness of our TikTok ads for statistical and market research purposes and optimise these for future campaigns. To do this, we process a variety of usage behaviour, such as IP address, pages accessed, length of visit, operating systems used and origin of user, information on the ad on TikTok which a person has clicked on or an event which was triggered (timestamp). These data are compiled in a User ID and assigned to the respective end device of the website visitor. The use of this service is based on your consent according to Article 6(1), point a) GDPR and S. 25(1) TTDSG (German Telecommunications and Telemedia Data Protection Act). You can withdraw this consent at any time. The transfer of data to third countries is based on the EU standard contractual clauses. Details are available here: https://www.tiktok.com/legal/page/eea/privacy-policy/en and https://ads.tiktok.com/i18n/official/policy/controller-to-controller.
Data processing
We have concluded a data processing agreement (DPA) concerning the use of the aforementioned service. This agreement is a legal requirement under data protection law and guarantees that this service provider processes the personal data of our website users according to our instructions and in compliance with the GDPR only.
LinkedIn Insight Tag
This website uses the LinkedIn Insight Tag. The provider of this service is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
Data processing with LinkedIn Insight Tag
Through the LinkedIn Insight Tags, we obtain information on the visitors to our website. If a website visitor is registered with LinkedIn, we can analyse master data related to their profession (e.g. career stage, size of company, country, location, industry and position) and consequently better align our website with the respective target groups. We can also use LinkedIn Insight Tags to analyse whether visitors to our website make a purchase or perform any other action (conversion tracking). Conversions can also be tracked across devices (e.g. from PC to tablet). The LinkedIn Insight Tag also provides a retargeting function which we can use to show visitors to our website targeted ads outside of our website. According to LinkedIn, the targets of these ads are not identified during this process. LinkedIn itself also compiles so-called logfiles (URL, Referrer URL, IP address, device and browser properties, and time of access). The IP addresses are compressed or (insofar as they are used to reach LinkedIn members across multiple devices) hashed (pseudonymised). The direct IDs of LinkedIn members are erased by LinkedIn after seven days. The pseudonymised data that remain are then erased within 180 days. We, as the website operator, are not able to attribute the data collected by LinkedIn to specific individual persons. LinkedIn will store the personal data collected on website users on its servers in the USA and use them within the context of its own advertising campaigns. Details can be found in the LinkedIn Privacy Policy at https://www.linkedin.com/legal/privacy-policy#choices-oblig.
Legal basis
Insofar as we have obtained consent, use of this service is based exclusively on Article 6(1), point a) GDPR and S. 25 TTDSG. You can withdraw this consent at any time. If consent has not been obtained, use of this service is based on Article 6(1), point f) GDPR; the website operator has a legitimate interest in effective advertising, under exclusion of social media. The transfer of data to the USA is based on the EU standard contractual clauses. Details are available here: https://www.linkedin.com/legal/l/dpa and https://www.linkedin.com/legal/l/eu-sccs.
You can object to the use of the LinkedIn Insight Tag, analysis of user behaviour and targeted advertising by LinkedIn at the following link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
Members of LinkedIn can also manage the use of their personal data for marketing purposes in their account settings. In order to prevent data collected by LinkedIn on our website being linked to your LinkedIn account, you must also log out of your LinkedIn account before visiting our website.
Data processing
We have concluded a data processing agreement (DPA) concerning the use of the aforementioned service. This agreement is a legal requirement under data protection law and guarantees that this service provider processes the personal data of our website users according to our instructions and in compliance with the GDPR only.
15. Plug-ins and tools
YouTube
This website embeds videos from YouTube. The operator of the YouTube website is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland. When you visit one of our websites which has YouTube integrated, a connection is established with the YouTube servers. The YouTube server is then notified of which of our pages you have visited. YouTube can also store various cookies on your end device or use similar technologies for user recognition (e.g. device fingerprinting). Consequently, YouTube can obtain information regarding visitors to this website. This information is used, among other purposes, to compile video statistics which improve user-friendliness and prevent attempts to commit fraud. If you are logged in to your YouTube account, you allow YouTube to link your surfing behaviour directly to your personal profile. You can prevent this by logging out of your YouTube account. We use YouTube in the interest of making our online presence appealing. This constitutes a legitimate interest within the meaning of Article 6(1), point f) GDPR. Where corresponding consent has been requested, processing is performed exclusively on the grounds of Article 6(1), point a) GDPR and S. 25(1) TTDSG, insofar as this consent covers the storage of cookies or access to information on the user’s end device (e.g. device fingerprinting) within the meaning of the TTDSG. You can withdraw your consent at any time. More information on how user data are handled can be found in the YouTube Privacy Policy at: https://policies.google.com/privacy?hl=en.
The company is certified according to the “EU-US Data Privacy Framework” (DPF). The DPF is an agreement between the European Union and the USA which is intended to guarantee compliance with European data protection standards for data processed in the USA. All DPF-certified companies undertake to comply with these data protection standards.
More information is available from the provider at the following link: https://www.dataprivacyframework.gov/s/participant-search/participantdetail?contact=true&id=a2zt000000001L5AAI&status=Active
If you would like more information on our particular approach to transferring your personal data outside of the EEA, please contact our DPO.
16. Glossary
Legal grounds
Legitimate interest means the interest our company has in managing our business in such a way that we can offer you the best service/product and the best and safest experience. We make sure that we review all potential impacts (both positive and negative) on you and your rights before processing your personal data in our legitimate interest. We do not use your personal data for actions where the impact of such on you overrides our interest (unless we have your consent or other legal obligation or permission). For more information on how we weigh the impact of certain actions on you against our legitimate interest, please contact our DPO.
Fulfilment of contract means processing your data, insofar as this is necessary in order to fulfil a contract you are a party to or in order to take steps at your request prior to entering into a contract.
Compliance with a legal obligation or regulatory obligation means processing your personal data, insofar as this is necessary in order to comply with a legal or regulatory obligation which we must fulfil.
Third party
Internal third party
Other companies within the GUS Group who act jointly as controller or data processor, who have their registered offices at different locations around the world and who render services that are operated jointly, such as IT, legal advice and representation, system administration and reporting.
External third party
- Service providers who act as data processors in England and Germany and render IT and system administration services.
- Professional consultants who act jointly as a controller or data processor, including solicitors, bankers, auditors and insurers, who have their registered offices at different locations around the world and who render services in the areas of consulting, banking, law, insurance and accounting.
- HM Revenue & Customs, regulatory authorities and other authorities which act as data processing authorities or jointly as data supervisory authorities, who have their registered office in the United Kingdom and in other countries, and who, in certain cases, require records of data processing activities.
- Employers who request an assessment from Gisma
- External examiners for the purposes of examinations, grading and evaluation of grades
- Partners of the decision-making committees – in order to manage the administrative aspects of registering students on study programmes
- Professional associations/Funding bodies/Student loans companies
- Advertising partners (e.g. AgenturWebfox GmbH, Facebook Lookalikes)
- Other universities, employers, future employers, providers of training contracts or assistant positions