Data Protection Statement
Connection to external media services
Status of your consent:
- Mapbox:
- Vimeo:
- YouTube:
Content
Contact details of the Controller
Contact details of the data protection officer
Terms
Information on data processing.
Automated data processing (log files etc.)
Use of cookies (general, functionality, opt-out links etc.)
Consent Management Tool
Hosting
Hetzner
Web analysis and optimisation.
Fathom Analytics.
Online marketing.
Facebook Pixel
Presence on social media.
Instagram..
Facebook.
LinkedIn.
Snap Chat
Pinterest
Twitter
Vimeo.
Xing.
YouTube.
Plug-ins and integrated third-party content
Instagram
mapbox Plugins und ‑Schaltflächen.
Vimeo.
YouTube.
Online conferences, meetings and webinars.
Wonder
Zoom
Blog and forum (Digital Exhibition)
Single sign-on procedure for the intranet of the University
Google Single-Sign-On.
Evaluation on the website with data transfer
evasys.
Newsletter and mass communication including tracking.
Sendinblue.
We, the University of Applied Sciences of Design Schwäbisch Gmünd, are responsible for this website and, as a provider of a teleservice, are obliged to inform you at the beginning of your visit to our website about the type, extent, and purposes of the collection and use of personal data in a precise, transparent, understandable, and easily accessible form in clear and simple language. The content of the information must be accessible to you at all times. We are therefore obliged to inform you which personal data are collected or used. Personal data is defined as all information relating to an identified or identifiable natural person.
We value the importance to security of your data and the compliance with data protection regulations. Colleting, processing and use of personal data are subject to the provisions of the currently applicable European and national laws.
The meanings of terms such as “personal data” or “processing” are used in context as described in Art. 4 of the EU-GDPR
Contact details of the Controller
University of Applied Sciences of Design Schwäbisch Gmünd
Rektor-Klaus-Str. 100
73525 Schwäbisch Gmünd
Germany
Telefone: 07171 602 – 600
email address: sekretariat@hfg-gmuend.de
Web :www.hfg-gmuend.de
Authorized to represent: Maren Schmohl
Contact details of the data protection officer
Deutsche Datenschutzkanzlei
External Data Protection Officer
Mr. Maximilian Musch
Richard-Wagner-Str. 2
88094 Oberteuringen
Germany
email address: musch@ddsk.de
Web: www.ddsk.de
Recipients of data
Service providers (data recipients) involved in the provision of our online services are named under the respective category / heading.
The pertinent legal basis is specifically stated for each tool in question.
Terms
The specialist terms used in this Privacy Policy are to be understood as legally defined in art. 4 GDPR.
Information on data processing
Automated data processing (log files etc.)
It is possible for users to visit our website without providing personal data. However, every time our website is accessed on, we automatically store access data (server log files), such as the name of the internet service provider, the operating system in use, the website the user visited us from, the date and duration of the visit and the name of the file accessed, as well as the IP address of the device used (for security reasons, such as to recognise attacks on our website) for a duration of 7 days. This data is solely evaluated for the purpose of improving our offering and does not enable conclusions about the user in person. This data is not merged with other data sources.
The legal basis for the processing of data is Art. 6 (1) lit. c GDPR in conjunction with Art. 32 GDPR and Artt. 24, 32 GDPR.
We process and use the data for the following purposes:
- providing the website
- improving our websites
- for prevention and to identify errors/malfunctions and the abuse of the website
The processing is necessary to ensure the functionality and error-free and secure operation of the website and to adapt this website to the requirements of the users.
Use of cookies (general, functionality, opt-out links etc.)
We use ‘cookies’ on our website to make visiting our website more attractive and to enable certain functions to be used. The use of cookies serves our legitimate interest in making a visit to our website as pleasant as possible and is based on art. 6 (1) (f) GDPRAs a standard internet technology, cookies are used to store and retrieve login details and other usage information for all the users of a website. Cookies are small text files that are transferred from the server to your end device. They enable us to store user settings, to ensure that our website can be shown in a format tailored to your device. Some of the cookies we use are deleted after the end of a browser session, i.e. when closing the browser (known as ‘session cookies’). Other cookies remain on the user’s end device and enable us or our partner companies to recognise the browser on the next visit (known as ‘persistent cookies’).
The browser can be set so that the user is informed when cookies are to be stored and can decide whether to accept them in each individual situation, to accept them under certain circumstances, or to exclude them in general. In addition, cookies can be retrospectively deleted to remove data that the website stored on your computer. Deactivating cookies (known as ‘opting out’) can limit our website’s functionality in some respects.
Categories of data subjects: Website visitors, users of online services
Opt-out: Internet Explorer:
https://support.microsoft.com/de-de/help/17442
Firefox:
https://support.mozilla.org/de/kb/wie-verhindere-ich-dass-websites-mich-verfolgen
Google Chrome:
https://support.google.com/chrome/answer/95647?hl=de
Safari:
https://support.apple.com/de-de/HT201265
Legal bases: Consent (art. 6 (1) (a) GDPR), legitimate interest (art. 6 (1) (f) GDPR) or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. (1) (e) GDPR)
Legitimate interests: Storing of opt-in preferences, presentation of the website, assurance of the website’s functionality, provision of user status across the entire website, recognition for the next website visitors, user-friendly online offering, assurance of the chat function
Consent Management Tool
We use a consent management tool on our website in order to be able to prove, store and manage the consent granted by our website visitors in accordance with the requirements of the GDPR. Visitors to our online offering can also manage the consent and preferences granted or withdraw consent via the service we have integrated.
The consent status is stored on the server and/or in a cookie (so-called opt-in cookie) or a comparable technology in order to be able to assign the consent to a user or their device. In addition, the time of the declaration of consent is recorded.
Categories of data subjects: Website visitors who use the Consent Management Tool
Data categories: Usage data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses)
Purposes of processing: Fulfilment of accountability obligations, Consent management
Legal bases: Legal obligation (art. 6 para 1 lit. c) GDPR, art. 7 GDPR)
Hosting
Our online offer is hosted by an external service provider. Personal data of the website visitors to our online offer, so-called log files, are stored on the servers of our service provider. This may also be data that is collected during the active use of our website. By using a specialised service provider, we can provide our website securely and efficiently. The hosting provider we use does not process the data for its own purposes.
Categories of data subjects: Website visitors
Data categories: Usage data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses)
Purposes of processing: Optimisation and proper presentation of the website
Legal bases: Consent (art. 6 (1) (a) GDPR), legitimate interest (art. 6 (1) (f) GDPR) or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. (1) (e) GDPR)
Purpose & interests: Optimization and proper presentation of the website, fast website accessibility, avoidance of downtimes, high scalability
Hetzner
Recipient of Data: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Privacy: https://www.hetzner.com/legal/privacy-policy
Web analysis and optimisation
We use tools for web analysis and reach measurement so that we can evaluate user flows to our online offering. To do so, we collect information about the behaviour, interests, or demographics of our users, such as their age, gender, and so on. This helps us to recognise the times at which our online offering, its functions, and content are frequented the most or accessed more than once. In addition, we can use the information that has been collected to determine whether our online offering requires optimisation or adjustment.
The information collected for this purpose is stored in cookies or deployed in similar procedures used for reach measurements and optimisation. The data stored in the cookies could include the content viewed, webpages visited, settings, and the functions and systems used. However, plain data from users is not normally processed for the above purposes. In this case, the data is changed so that the actual identity of the user is not known to us, nor the provider of the tool used. The changed data is often stored in user profiles.
Categories of data subjects: Website visitors, users of online services
Data categories: Usage data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses), contact data (e. g. email address, telephone number), content data (e. g. text inputs, photographs, videos)
Purposes of processing: Website analyses, reach measurement, utilisation and assessment of website interaction, lead evaluation
Legal bases: Consent (art. 6 (1) (a) GDPR), legitimate interest (art. 6 (1) (f) GDPR) or the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. (1) (e) GDPR)
Purpose & interests: Optimisation and further development of the website, increase in profits
Fathom Analytics
Recipient of data: Conva Ventures Inc., BOX 37058 Millstream PO, Victoria, BC, V9B0E8, Canada
Privacy: https://usefathom.com/privacy
Online marketing
We process personal data within the framework of online marketing, particularly regarding potential interests and to measure the effectiveness of our marketing measures, with the aim of continually boosting our reach and the prominence of our online offering.
We store the relevant information in cookies or use similar procedures for the purpose of measuring the effectiveness of our marketing measures and identifying potential interests. The data stored in the cookies could include the content viewed, webpages visited, settings, and the functions and systems used. However, plain data from users is not normally processed for the above purposes. If so, the data is changed so that the actual identity of the user is not known to us, nor the provider of the tool used. The changed data is often stored in user profiles.
In the event that user profiles are stored, the data can be used, read, supplemented, and expanded on the server of the online marketing procedure when other online offerings are visited that use the same online marketing procedure.
We can calculate the success of our adverts using summarised data that is made available to us by the provider of the online marketing procedure (known as ‘conversion measurement’). As part of these conversion measurements, we can trace whether a marketing measure caused a visitor to our online offering to decide to make a purchase. This evaluation serves to analyse the success of our online marketing.
Categories of data subjects: Website visitors, users of online services, communication partners
Data categories: Usage data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses), location data, contact data (e. g. email address, telephone number), content data (e. g. text inputs)
Purposes of processing: Marketing (sometimes interest-based and behavioural, as well), conversion measurement, target group formation, click tracking, development of marketing strategies and increase in the efficiency of campaigns
Legal bases: Consent (art. 6 (1) (a) GDPR)
Legitimate interests: Optimisation and further development of the website, increase in profits, customer loyalty and acquisition
Facebook Pixel
Recipient of data: Meta Platforms, 4 Grand Canal Square, Dublin 2, Irland
Privacy: https://www.facebook.com/privacy/explanation
Opt-out-link: https://www.facebook.com/settings?tab=ads
Legal base: Consent (art. 6 (1) (a) GDPR)
Facebook (META Insights additional addendum):
https://de-de.facebook.com/legal/terms/page_controller_addendum
Presence on social media
The University provides online offers (e. g. fan pages) on various social media platforms that contain information about it.
Social media channels are used to increase visibility among potential students and to make the university visible to the public. Social networks have proven to be effective in increasing outreach and actively promoting interaction and communication with students.
Higher education communication, press and public relations work is the original responsibility of the state’s higher education institutions. Social media activity and communication has a high value in attracting new students. Social media and the website can be used to share relevant information about the degree programmes, publicise events and communicate important short-term news and job advertisements.
User profiles can be created and used to adapt advertisements to the interests of target groups via the usage behaviour of the users of the social network, for example the indication of interests. For this purpose, cookies are regularly stored on the end devices of the users, partly regardless of whether they are registered users of the social network.
In connection with the use of social media, we use the associated messengers to contact users in an uncomplicated manner. Communication via social media channels is an important and essential part of public relations for the university.
It should be noted that the security of individual services may depend on the user’s account settings. Even in the case of end-to-end encryption, the platform provider can draw conclusions about the fact that and when users communicate with the university as well as collect location data if necessary.
Depending on where the social network is operated, user data may be processed outside the European Union or the European Economic Area. This may result in risks for users, for example because it makes it more difficult to enforce their rights.
We inform users that the university has no further influence on the processing of personal data on these platforms. Only the respective platform provider has full knowledge of the content of the transmitted data and its use.
Categories of data subjects: Registered users and non-registered users of the social network
Data categories: User data (e. g. name, address), contact data (e. g. email address, telephone number), content data (e. g. text inputs, photographs, videos), usage and interaction data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses)
Purposes of processing: Increase in the reach, Networking with students, promoting interaction and communication, press and public relations work
Legal bases: The use of the presences and the associated processing of personal data on the platform is based on art. 6 para. 1 lit. e) GDPR in conjunction with art. 6 para. 3 GDPR in conjunction with § 4 LDSG-Baden-Württemberg, § 2 LHG-Baden-Württemberg. Consent to data processing pursuant to art. 6 para. 1 lit. a) GDPR can also be a legal basis if the users have given this to the platform provider.
Purpose & interests: Ensuring the university’s visibility in society, improving, and disseminating its external image, Interaction and communication on social media pages, findings regarding target groups, press and public relations work.
Alternative information and communication options:
As an alternative means of information and communication, please feel free to use our above postal address or our e‑mail address:
Instagram
Recipient of data: Meta Platforms, 4 Grand Canal Square, Dublin 2, Ireland
Privacy: https://help.instagram.com/519522125107875
and https://www.facebook.com/about/privacy
Opt-Out-Link: https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/
Facebook
Recipient of data: Meta Platforms, 4 Grand Canal Square, Dublin 2, Ireland
Privacy: https://www.facebook.com/privacy/explanation
and https://www.facebook.com/legal/terms/page_controller_addendum
Opt-Out-Link: https://www.facebook.com/settings?tab=ads
Recipient of data: LinkedIn Corporation, 1000 West Maude Avenue, Sunnyvale, CA 94085, USA
Privacy: https://www.linkedin.com/legal/privacy-policy
Opt-Out-Link: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out
Snap Chat
Recipient of data: Snap Inc. LinkedIn, 2772 Donald Douglas Loop N, Santa Monica, CA 90405, USA
Privacy: https://www.snap.com/de-DE/privacy/privacy-policy
Opt-Out-Link: https://www.snapchat.com/l/de-de/cookie-settings/
Pinterest
Recipient of data: Pinterest Inc., 651 Brannan Street, San Francisco, CA 94103, USA
Privacy: https://policy.pinterest.com/de/privacy-policy
Opt-Out-Link: https://policy.pinterest.com/de/cookies
Recipient of data: Twitter International Company, One Cumberland Place, Fenian Street Dublin 2, D02 AX07 Ireland
Privacy: https://twitter.com/de/privacy
Opt-Out-Link: https://help.twitter.com/de/rules-and-policies/twitter-cookies#privacy-options
Vimeo
Recipient of data: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA
Privacy: https://vimeo.com/privacy
Opt-Out-Link: https://vimeo.com/cookie_policy
Recipient of data: New Work SE, Dammtorstraße 30, 20354 Hamburg, Germany
Privacy: https://privacy.xing.com/de/datenschutzerklaerung
Opt-Out-Link: https://nats.xing.com/optout.html?popup=1
YouTube
Recipient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy: https://policies.google.com/privacy?hl=de&gl=de
Opt-Out-Link: https://tools.google.com/dlpage/gaoptout?hl=de or https://myaccount.google.com/
Plug-ins and integrated third-party content
We have integrated functions and content obtained from third-party providers into our online offering. For example, videos, depictions, buttons, or contributions (hereinafter termed ‘content’) can be integrated.
To enable visitors of our website to see certain content, the third-party provider in question processes the user’s IP address, inter alia, to transmit the content to the browser and display it. It is not possible to integrate third-party content without this processing taking place.
Sometimes, additional information is collected via ‘pixel tags’ or web beacons through which the third-party provider receives information about the use of the content or visitor traffic to our online offering, technical information about the user’s browser or operating system, the visit time or referring websites. The data collected in this manner is stored in cookies on the user’s end device.
We have taken security precautions to prevent this data from being automatically transferred, with the aim of protecting the personal data of visitors to our online offering. This data is only transferred if the visitor uses the buttons or click on the third-party content.
Categories of data subjects: Users of plug-ins or third-party content
Data categories: Usage data (e. g. websites visited, interest in content, access times), metadata and communication data (e. g. device information, IP addresses) contact data (e. g. email address, telephone number), Master data (e. g. name, address)
Purposes of processing: Design of our online offering, increase in the reach of adverts on social media, sharing of contributions and content, interest-based and behavioural marketing, cross-device tracking
Legal bases: Consent (art. 6 (1) (a) GDPR)
Instagram
Recipient of data: Meta Platforms, 4 Grand Canal Square, Dublin 2, Ireland
Privacy: https://help.instagram.com/519522125107875
and https://www.facebook.com/about/privacy
Opt-Out-Link: https://www.instagram.com/accounts/login/?next=/accounts/privacy_and_security/
mapbox Plugins und ‑Schaltflächen
Recipient of data: mapbox 50 Beale St floor 9, San Francisco, CA 94105, USA
Privacy: https://www.mapbox.com/legal/privacy/
Opt-Out-Link: https://www.mapbox.com/legal/cookies
Vimeo
Recipient of data: Vimeo Inc., 555 West 18th Street New York, New York 10011, USA
Privacy: https://vimeo.com/privacy
Opt-Out-Link: https://vimeo.com/cookie_policy
YouTube
Recipient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy: https://policies.google.com/privacy?hl=de&gl=de
Opt-Out-Link: https://tools.google.com/dlpage/gaoptout?hl=de or https://myaccount.google.com/
Online conferences, meetings and webinars
We make use of the opportunity to hold online conferences, meetings and webinars. To do so, we use offerings provided by other carefully selected providers.
When actively using offerings of this nature, data regarding the participants in the communication is processed and stored on the servers of the third-party services used, provided this data is necessary for the communication process. In addition, usage data and metadata can also be processed.
Categories of data subjects: Participants in the online offering in question (conference, meeting, webinar)
Data categories: Master data (e. g. name, address), contact data (e. g. email address, telephone number), Content data (e. g. text inputs, photographs, videos), metadata and communication data (e. g. device information, IP addresses)
Purposes of processing: Processing of enquiries, increase in efficiency, promotion of cross-company or cross-location collaboration
Legal bases: Consent (art. 6 (1) (a) GDPR)
Wonder
Recipient of data: Yotribe GmbH, Kommandantenstraße 77, 10117 Berlin, Germany
Privacy: https://www.wonder.me/gdpr
Zoom
Recipient of data: Zoom Video Communications, Inc., San Jose 55 Almaden Boulevard, 6th Floor,
San Jose, CA 95113, USA
Privacy: https://zoom.us/de-de/privacy.html#_Toc44414849
Blog and forum (Digital Exhibition[GB1] )
We have provided a blog or comparable opportunities for publication on our webpage. We want to give visitors to our online offering the option of contacting us or sharing their thoughts and suggestions with us in this manner.
If users of our online offering publish comments and contributions on our website, we are obliged to prevent unlawful content, or the publication of the same, from appearing on our website. We collect the IP addresses of the users in question so that we can adhere to this obligation and protect our interests in being indemnified in the event that we are used for third-party content. This also helps us to identify spam.
Beyond this, users of the function provided are not obliged to make details available that could lead to conclusions being drawn about the identity of the user in question. A contribution can even be published under a pseudonym, meaning that the user can then decide themselves what data and content we process.
Categories of data subjects: Users of the function in question
Data categories: Master data (e. g. name, address), contact data (e. g. email address, telephone number), content data (e. g. text inputs, photographs, videos), usage data (e. g. websites visited, interest in content, access times), contract data (e. g. subject of the contract, term, customer category), metadata and communication data (e. g. device information, IP addresses)
Purposes of processing: Networking of users/students
Legal bases: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. (1) (e) GDPR), Consent (art. 6 (1) (a) GDPR)
Purpose & interests: Prevention, security of the webpage, duplication of communication channels with visitors to the online offering, optimization and further development of online offering
Single sign-on procedure for the intranet of the University
To make our online offering even easier to use, we deploy a ‘single sign-on procedure’. This enables users to log on to our online offering with log-in details from a single sign-on provider, meaning that they do not need to have any additional log-in details as a result. The use of a single sign-on procedure requires users to already have an existing user account with a provider of the procedure in question, such as a social network. To log on with the single sign-on procedure, the user must provide their log-in details for the single sign-on procedure in the log-in window of our online offering, or if the user is already logged in on the provider’s website, confirm registration via single sign-on by clicking the appropriate button.
We use ‘user handles’ to carry out authentication. Inter alia, this includes a user ID plus information that the user has used the ID to log on with the procedure provider in question. We only receive this ID for the purposes of authentication, i. e. we are not permitted to process it for any purposes beyond authentication. Whether data beyond this is transferred to us, and if yes, what data, depends on the provider of the procedure in question, the user’s account settings with this provider and any data approvals selected within the framework of authentication. The data we receive from the provider of the procedure in question can vary. However, it usually encompasses an email address and a username. We cannot see the password entered, nor can we store it.
To change or delete connections between user accounts and the single sign-on procedure, the appropriate settings must be changed within the user account with the provider of the procedure in question.
Categories of data subjects: Users of the function in question
Data categories: User handles (e. g. username, authentication confirmation)
Purposes of processing: Authentication of users
Legal bases: Consent (art. 6 (1) (a) GDPR)
Google Single-Sign-On
Recipient of data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Privacy: https://policies.google.com/privacy
Evaluation on the website with data transfer
We carry out questionnaires and surveys (hereinafter ‘surveys’) on our online offering. This helps us to improve our offering and better meet our customers’ needs. To this end, it is not necessary to be able to trace whether we can associate feedback with a particular person. Before your survey is evaluated, the data we process to provide and execute our surveys on a technical level is anonymised. Participation in the survey is voluntary.
Categories of data subjects: Participants in the online surveys
Data categories: Feedback on the survey matter, metadata (e. g. device information, IP address), usage data (e. g. websites visited, interest in content, access times)
Purposes of processing: Improvement and optimisation of the university’s offer, evaluation
Legal bases: Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (art. (1) (e) GDPR), Consent (art. 6 (1) (a) GDPR) (Art. 6 (3) GDPR, In conjunction with the relevant state data protection laws of Baden-Württemberg. Further special legal regulations can be found in the individual examination regulations of the university. The legal basis for optional surveys can also be consent (art. 6 (1) (a) GDPR)
evasys
Recipient of data: evasys GmbH, Konrad-Zuse-Allee 13, 21337 Lüneburg, Germany
Privacy: https://evasys.de/datenschutz/
Newsletter and mass communication including tracking
On our online offering, users have the option of subscribing to our newsletter or to notifications on various channels (hereinafter referred to overall as ‘newsletters’).
In addition, we may send specific information about events or about the study programme or the university itself.
We only send our newsletters and other information to recipients who have consented to receive the newsletter, in accordance with legal requirements.
We occasionally use selected service providers to send our newsletter.
An email address must be provided to subscribe to our newsletter. If applicable, we collect extra data, such as your name to include a personal greeting in our newsletter.
Our newsletter is only sent after the ‘double opt-in procedure’ has been fully completed. If visitors to our online offering decide to receive our newsletter, they will receive a confirmation email that serves to prevent the fraudulent input of wrong email addresses and preclude a single, possibly accidental, click from causing the newsletter to be sent. The subscription to our newsletter can be ended at any time with future effect. An unsubscription (opt-out) link is given at the end of every newsletter.
In addition, we are obliged to provide proof that our subscribers actually want to receive the newsletter. To this end, we collect and store their IP address, along with the time of subscription and unsubscription.
Our newsletters are designed so that we can obtain findings about improvements, target groups or the reading behaviour of our subscribers. We are able to do this thanks to a „web beacon’ or tracking pixel that reacts to interactions with the newsletter, such as looking at whether links are clicked on, whether the newsletter is opened at all, or at what time the newsletter is read. For technical reasons, we can associate this information with individual subscribers.
Categories of data subjects: Newsletter subscribers, students
Data categories: Master data (e. g. name, address), contact data (e. g. email address, telephone number), metadata and communication data (e. g. device information, IP addresses), usage and interaction data (e. g. websites visited, interest in content, access times)
Purposes of processing: Providing information, answering requests, analysis, and evaluation of the campaigns’ success
Legal bases: Consent (art. 6 (1) (a) GDPR)
Sendinblue
Recipient of data: Sendinblue GmbH, Köpenicke Straße 126, 10179 Berlin, Germany
Privacy: https://de.sendinblue.com/datenschutz-uebersicht/
Contacting us
On our online offering, we offer the option of contacting us directly or requesting information via various contact options.
In the event of contact being made, we process the data of the person making the enquiry to the extent necessary for answering or handling their enquiry. The data processed can vary depending on the method via which contact is made with us.
Categories of data subjects: Individuals submitting an enquiry
Data categories: Master data (e. g. name, address), contact data (e. g. email address, telephone number), content data (e. g. text inputs, photographs, videos), metadata and communication data (e. g. device information, IP addresses), usage data (e. g. websites visited, interest in content, access times)
Purposes of processing: Processing requests
Legal bases: Fulfilment of tasks according to Art. 6 para. 1 lit. e) GDPR, para. 3 GDPR in conjunction with § 4 LDSG Baden-Württemberg in the version of 21.06.2018, in conjunction with § 2 para. 9 LHG Baden-Württemberg in the version of 17.12.2020; If applicable, consent (Art. 6 para. 1 lit. a) GDPR) or fulfilment or initiation of a contract (Art. 6 para. 1 lit. b) GDPR)
Events and activities
On our online offering, visitors have the opportunity to register for events and activities. The details collected by us that are necessary to initiate and perform the contract are marked as mandatory fields. The provision of data in excess of this is voluntary.
Categories of data subjects: Individuals submitting an enquiry
Data categories: Master data (e. g. name, address), contact data (e. g. email address, telephone number), content data (e. g. text inputs, photographs, videos), metadata and communication data (e. g. device information, IP addresses), usage data (e. g. websites visited, interest in content, access times)
Purposes of processing: Data processing is carried out for participation in events
Legal bases: Consent (art. 6 para. 1 lit. a) GDPR) or fulfilment or initiation of a contract (art. 6 para. 1 lit. b) GDPR)
Data transfer
We transfer the personal data of visitors to our online offering for internal purposes (e. g. for internal administration or to the HR department so we can meet statutory or contractual obligations). Internal data transfer or the disclosure of data only occurs to the extent necessary, under the pertinent data protection provisions.
It may be necessary for us to disclose personal data for the performance of contracts or to comply with legal obligations. If the data necessary in this regard is not provided to us, it may be the case that the contract cannot be concluded with the data subject.
Your data is processed outside the EU/EEA, in so-called third countries (e.g. USA), when using or accessing certain services, e.g. Google services (e.g. YouTube). The European Commission has not issued an adequacy decision for the transfer of data to the USA, which is considered an unsafe third country. Adequacy refers to the level of protection of data in that third country or international organisation. There is a risk that data may be processed by US authorities for control and monitoring purposes without any possible redress for data subjects.
We conclude a data protection agreement with the providers (Data Processing Agreements) including standard contractual clauses pursuant to Art. 44 et seq. DSGVO and define additional measures to ensure the highest possible level of protection for the personal data of data subjects.
Guarantees applied in the case of third country transfers (if applicable):
Transfers on the basis of Standard data protection clauses (Art. 46 para 1, 2 lit. c) GDPR):
Google-Services:
https://privacy.google.com/businesses/processorterms/
https://privacy.google.com/businesses/processorterms/mccs/
Vimeo:
https://de-1bbeae2b241b298db.getsmartling.com/data-processing
Zoom:
zoom.us/docs/doc/Zoom_GLOBAL_DPA.pdf
zoom.us/docs/doc/Zoom_Pre-Signed_Standard_Contractual_Clauses_with_DocuSign_Fields.pdf
Transfers on the basis of an adequacy decision (European Commission) (Art. 45 GDPR):
Fathom (based in Canada):
https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32002D0002
Storage period
In principle, we store the data of visitors to our online offering for as long as needed to render our service or to the extent that the European body issuing directives and regulations, or another legislator stipulates in laws and regulations to which we are subject. In all other cases, we delete personal data once the purpose has been fulfilled, with the exception of data that we need to continue to store to comply with legal obligations (e. g. if retention periods under tax law and trade law require us to keep documents such as contracts and invoices for a certain period of time).
Automated decision-making
We do not use automated decision-making or profiling.
Legal bases
The decisive legal bases primarily arise from the GDPR. They are supplemented by national laws from member states and can, if applicable, be applied alongside or in addition to the GDPR.
Consent: Art. 6 (1) (a) GDPR serves as the legal basis for processing procedures regarding which we have sought consent for a particular purpose of processing.
Performance of a contract: Art. 6 (1) (b) serves as the legal basis for processing required to perform a contract to which the data subject is a contractual party or for taking steps prior to entering into a contract, at the request of the data subject.
Legal obligation: Art. 6 (1) © GDPR is the legal basis for processing that is required to comply with a legal obligation.
Vital interests: Art. 6 (1) (d) GDPR serves as the legal basis if the processing is necessary to protect the vital interests of the data subject or another natural person.
Public interest: Art. 6 (1) (e) GDPR serves as the legal basis for processing that is necessary to perform a task in the public interest or to exercise public force that is transferred to the controller.
Legitimate interest: Art. 6 (1) (f) GDPR serves as the legal basis for processing that is necessary to protect the legitimate interests of the controller or a third party, provided this is not outweighed by the interests or fundamental rights and fundamental freedoms of the data subject that require personal data to be protected, particularly if the data subject is a child.
Rights of the data subject
Right of access: Pursuant to art. 15 GDPR, data subjects have the right to request confirmation as to whether we process data relating to them. They can request access to their data, along with the additional information listed in art. 15 (1) GDPR and a copy of their data.
Right to rectification: Pursuant to art. 16 GDPR, data subjects have the right to request that data relating to them, and that we process, be rectified or completed.
Right to erasure: Pursuant to art. 17 GDPR, data subjects have the right to request that data relating to them be erased without delay. Alternatively, they can request that we restrict the processing of their data, pursuant to art. 18 GDPR.
Right to data portability: Pursuant to art. 20 GDPR, data subjects have the right to request that data made available to us by them be provided and transferred to another controller.
Right to lodge a complaint: In addition, data subjects have the right to lodge a complaint with the supervisory authority responsible for them, under art. 77 GDPR.
Right to object: If personal data is processed on the basis of legitimate interests pursuant to art. 6 (1) (1) (f) GDPR, under art. 21 GDPR data subjects have the right to object to the processing of their personal data, provided there are reasons for this that arise from their particular situation, or the objection relates to direct advertising. In the latter case, data subjects have a general right to object that is to be put into effect by us without a particular situation being stated.
Withdrawal of consent
Some data processing procedures can only be carried out with the express consent of the data subject. Once granted, you are able to withdraw consent at any time. To do so, sending an informal note or email to info@hfg-gmuend.de is sufficient. The consent of data processing operations on our online offer can be directly adjusted in our Consent Manager-Tool.
The legality of the data processing carried out up to the point of withdrawal shall remain unaffected by the withdrawal.
External links
Our website includes links to online offerings from other providers. We note that we have no influence over the content of the online offerings linked to and over whether their providers comply with data protection provisions.
Amendments
We reserve the right to amend this information on data protection, in compliance with the applicable data protection provisions, if changes are made to our online offering so that it complies with the legal requirements.
This Privacy Policy was drawn up by
- Maximilian Musch -