Privacy Policy

Details of the person responsible

Gisma University of Applied Sciences

Konrad-Zuse-Ring 11
14469 Potsdam, Germany

Phone: +49 511 54609-0

E-mail: info@gisma.com

Contact for questions regarding data protection

If you have any questions regarding data protection, please contact our data protection officer at privacyprotection@gisma.com or at the above postal address with the addition of “data protection officer”.

Data Controller

This website is operated on behalf of Gisma University of Applied Sciences GmbH, a company registered in Germany with number HRP35061P with its registered office at Konrad-Zuse-Ring 11, 14469 Potsdam, Germany.

Gisma University of Applied Sciences is part of The Global University Systems B.V. group of companies which is made up of different legal entities, details of which can be found here (https://www.globaluniversitysystems.com/).

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

Contact details

Full name of data controller legal entity: Gisma University of Applied Sciences

Name or title of the Data Protection Officer: Mr Henning Koch
Data Protection Email address: privacyprotection@gisma.com

RPA Datenschutz + Compliance GmbH
Franzenburg 48, 35578 Wetzlar
Tel. 06441/67100-0
Fax. 06441/67100-20
E-mail: info@rpa-datenschutz.de
Contact persons: Mr Ilja Borchers and Mr Henning Koch

You have a right to complain to the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht) about the way in which we process your personal data. Complaints can be filed in writing to Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht, Stahnsdorfer Damm 77, 14532 Kleinmachnow, or by email, Poststelle@LDA.Brandenburg.de. We consider this the lead supervisory authority for Gisma University of Applied Sciences.

However, we would always prefer that you come to us first so that we can help address any privacy concerns before you go to the State Commissioner for Data Protection and Freedom of Information, so please contact us in the first instance.

Changes to the privacy notice and your duty to inform us of changes

This version was last updated on 29 September 2023 and historic versions can be obtained by contacting us.

We may from time to time change the detail in this notice. Any changes we may make in the future will be posted on this page. Please check back frequently to see any such updates or changes.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Data subject rights

If we process personal data about you, you have the following data subject rights:

  • a right to information about the data we process and to receive a copy of it,
  • a right to rectification if we process incorrect data about you,
  • a right to erasure, unless exceptions apply as to why we are still storing the data, for example, retention obligations or limitation periods,
  • a right to restrict processing,
  • a right to revoke consent to data processing at any time,
  • a right to object to processing in the public or legitimate interest,
  • a right to data portability,
  • a right to complain to a data protection supervisory authority if you find that we are not processing your data properly. The State Commissioner for Data Protection of Lower Saxony (http://lfd.niedersachsen.de) is responsible for our company. However, if you are in another federal state or not in Germany, you can also contact the data protection authority there.

Storage period (general)

The personal data stored by us will be deleted in accordance with legal requirements. We delete the data as soon as it is no longer required for the processing purpose, a given consent is revoked or other permissions cease to apply. Data that still has to be stored, e.g. for reasons of commercial or tax law, or whose storage is still necessary for the assertion, exercise or defence of legal claims, will be deleted as soon as this is no longer the case.

Processing of personal data – purposes and legal basis

Data processing on the company’s website

Log files

When our website is accessed, log files are created and remain stored for 30 days.

The log files include the following information and are collected on the basis of a legitimate interest. The purpose of the data collection is statistical evaluation and the possibility of error analysis:

  • Visited website
  • Time of day at the time of access
  • Amount of data sent in bytes
  • Source/reference from which you reached the page
  • Browser used
  • Operating system used
  • IP address used (if applicable: in anonymised form)

Cookie-Consent-Banner

Purposes for which the personal data are to be processed: Data processing for the management of consents.
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period: 1 year
Legal basis for the processing: Legal obligation (Art. 6 para. 1 p. 1 lit. c GDPR)

Content Delivery Network (CDN)

Purposes for which the personal data are to be processed: The purpose of processing personal data through a Content Delivery Network (CDN) is to speed up the delivery of the website. If there are many requests, the use of a CDN ensures that the website continues to be delivered, and the CDN protects the web server from being overwhelmed by so-called DDoS attacks.
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period: Max. 7 days
Legal basis for the processing: Legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR)
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person: To optimize and secure our online service, to optimally display the content we offer on different end devices and to reduce the loading times of our website.

Data transfer to third countries

Recipients or categories of recipients of the personal data: Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA (unpkg and Cloudflare CDN)
Intention of the controller to transfer the personal data to a third country or an international organisation: Personal data is transferred outside the EU/EEA (third country):

– USA

Presence or absence of an adequacy decision by the Commission: The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with BootstrapCDN.

– Standard contractual clauses have been concluded with Cloudflare. These standard contractual clauses can be viewed at Cloudflare Data Processing Addendum: Standard Contractual Clauses for Customers | Cloudflare

Analytic-Tools

Purposes for which the personal data are to be processed: Collection of personal data of website visitors to measure the use and type of use of websites, to optimise our own website and thereby increase the number and duration of users.

We also monitor the availability of our website through an external service (Pingdom, Sweden).

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period:

– Google: max. 2 years

– Hotjar: max. 2 years

– Microsoft: max. 1 year, 25 days

– Pingdom: max. 1 year

– Pardot: max. 2 years

Legal basis for the processing: Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

Transfer and cross-border contexts

Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data:

– Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

– Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

– Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300, Atlanta, GA 30326, USA

Intention of the controller to transfer the personal data to a third country or an international organisation (1st level): Personal data is transferred outside the EU/EEA (third country):

– USA

– Singapore

– Taiwan

– Chile

Presence or absence of an adequacy decision by the Commission (2nd level, if applicable): The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available (2nd level if applicable): The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google

– Standard contractual clauses have been concluded with Microsoft. These standard contractual clauses can be viewed at Licensing Documents (microsoft.com).

– Standard contractual clauses have been concluded with Pardot. These standard contractual clauses can be viewed at Privacy Policy – Salesforce.com.

Plugins and Tools (Fonts)

Purposes for which the personal data are to be processed: Fonts from external providers are integrated in order to maintain the uniform company appearance (so-called corporate design).
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level):

– Adobe Fonts: According to Adobe, no cookies are stored when providing the fonts.

– Google Fonts: max. 1 year

Legal basis for the processing (if applicable 2nd level): The data collection and also the data transmission are carried out on the basis of a legitimate interest (Art. 6 para. 1 p. 1 lit. f GDPR)
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person: A uniform presentation across devices, improved loading times and a smaller administrative effort.

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data:

– Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland

– Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

Intention of the controller to transfer the personal data to a third country or an international organisation: Personal data is transferred outside the EU/EEA (third country):

– USA

– Singapore

– Taiwan

– Chile

Presence or absence of an adequacy decision by the Commission: The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with Adobe. These standard contractual clauses can be viewed at Adobe Privacy Centre.

– Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google

Location Services

Purposes for which the personal data are to be processed: Map services are used for the geographic representation of places and advice on navigation is also given.
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level): Google: max. 2 years
Legal basis for the processing (if applicable 2nd level): Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

Transfer and cross-border contexts

Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Intention of the controller to transfer the personal data to a third country or an international organisation (1st level): Personal data is transferred outside the EU/EEA (third country):

– USA

– Singapore

– Taiwan

– Chile

Presence or absence of an adequacy decision by the Commission (2nd level, if applicable): The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google.

Audio and Video

Purposes for which the personal data are to be processed: Cloud services are used for the provision of videos and photos, so that our own internet infrastructure is relieved and delivery of videos and photos can be guaranteed even with high numbers of requests.
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period:

– YouTube: max. 8 months

– Google: max. 2 years

Legal basis for the processing: Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data:

– Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

– YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Intention of the controller to transfer the personal data to a third country or an international organisation: Personal data is transferred outside the EU/EEA (third country):

– USA

– Taiwan

– Singapore

– Chile

Presence or absence of an adequacy decision by the Commission: The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with Google (YouTube and Google Photos). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google.

Advertising

Purposes for which the personal data are to be processed: Advertising our own services. For this purpose, our service providers also measure what users do after they have clicked on our ads (e.g. use of services).
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period:

– Facebook: max. 2 years

– LinkedIn: max. 2 years

– Google: max. 1 year

– Microsoft: max. 2 years

– Outbrain: max. 2 years

Legal basis for the processing: Consent (Art. 6 para. 1 p. 1 lit. a GDPR)

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data:

– Facebook Meta Platforms Ireland Limited, 1601 South California Avenue, Palo Alto, CA 94304, USA (“Facebook”)

– LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

– Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland

– Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (Bing Ads)

– Outbrain UK Limited, 5th Floor, The Place, 175 High Holborn, London, WC1V 7AA, UK

Intention of the controller to transfer the personal data to a third country or an international organisation: Personal data is transferred outside the EU/EEA (third country):

– UK

– USA

– Singapore

– Chile

– Taiwan

Presence or absence of an adequacy decision by the Commission: The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than that in the EU.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with Facebook. These standard contractual clauses can be viewed at Facebook.

– Standard contractual clauses have been concluded with Google (DoubleClick, Google AdServices). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google.

– Standard contractual clauses have been concluded with LinkedIn. These standard contractual clauses can be viewed at EU, EEA, and Swiss Data Transfers | LinkedIn Help.

– Standard contractual clauses have been concluded with Microsoft (Bing Ads). These standard contractual clauses can be viewed at Licensing Documents (microsoft.com).

Contact form

Purposes for which the personal data are to be processed: Provision of a contact form for responding to inquiries of any kind.
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration: The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions – in particular retention periods – remain unaffected.
Legal basis for the processing: If your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures, Art. 6 (1) lit. b GDPR is the legal basis. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR).

Messenger

Purposes for which the personal data are to be processed: The purpose of data processing is communication with interested parties.
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration: Deletion of personal data at the latest with the deletion of the user’s account.
Legal basis for the processing: Contract or contract initiation for students or interested parties with study-related inquiries (Art. 6 para. 1 p. 1 lit. a GDPR)

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data: WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland
Intention of the controller to transfer the personal data to a third country or an international organisation: Personal data is transferred outside the EU/EEA (third country):

– USA

Presence or absence of an adequacy decision by the Commission: The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than required.
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available: The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

– Standard contractual clauses have been concluded with WhatsApp. These standard contractual clauses can be viewed at https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927?lang=en