Details of the person responsible

Gisma University of Applied Sciences

Konrad-Zuse-Ring 11
14469 Potsdam, Germany

Phone: +49 511 54609-0

E-mail: info@gisma.com

Contact for questions regarding data protection

If you have any questions regarding data protection, please contact our data protection officer at privacyprotection@gisma.com or at the above postal address with the addition of "data protection officer".

Data subject rights

If we process personal data about you, you have the following data subject rights:

  • a right to information about the data we process and to be copied,
  • a right to rectification if we process incorrect data about you,
  • a right to erasure, unless exceptions apply as to why we are still storing the data, for example, retention obligations or limitation periods,
  • a right to restrict processing,
  • a right to revoke consent to data processing at any time,
  • a right to object to processing in the public or legitimate interest,
  • a right to data portability,
  • a right to complain to a data protection supervisory authority if you find that we are not processing your data properly. The State Commissioner for Data Protection of Lower Saxony (http://lfd.niedersachsen.de) is responsible for our company. However, if you are in another federal state or not in Germany, you can also contact the data protection authority there.

Storage period (general)

The personal data stored by us will be deleted in accordance with legal requirements. We delete the data as soon as it is no longer required for the processing purpose, a given consent is revoked or other permissions cease to apply. Data that still has to be stored, e.g. for reasons of commercial or tax law, or whose storage is still necessary for the assertion, exercise or defence of legal claims, will be deleted as soon as this is no longer the case.

Processing of personal data - purposes and legal basis

Data processing on the company's website

Log files

When our website is accessed, log files are set and remain stored for 30 days.

The log files include the following information and are collected on the basis of a legitimate interest. The purpose of the data collection is statistical evaluation and the possibility of error analysis:

  • Visited website
  • Time of day at the time of access
  • Amount of data sent in bytes
  • Source/reference from which you reached the page
  • Browser used
  • Operating system used
  • IP address used (if applicable: in anonymised form)

Cookie-Consent-Banner

Purposes for which the personal data are to be processed

Data processing for the management of consents.

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

1 year

Legal basis for the processing

Legal obligation (Art. 6 para. 1 p. 1 lit. c. DSGVO)

Content Delivery Network (CDN)

Purposes for which the personal data are to be processed

The purpose of processing personal data through a Content Delivery Network (CDN) is to speed up the delivery of the website. If there are many requests, the use of a CDN ensures that the website continues to be delivered and the CDN protects the web server from being overwhelmed by so-called DDoS attacks.

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

Max. 7 days

Legal basis for the processing

Legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO)

Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person

To optimize and secure our online service and to optimally display the content we offer on different end devices and to reduce the loading speeds of our website.

Data transfer to third countries

Recipients or categories of recipients of the personal data

Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA, (unpkg andnd Cloudflare CDN)

Intention of the controller to transfer the personal data to a third country or an international organisation

Personal data is transferred outside the EU/EEA (third country):

 

·       USA

Presence or absence of an adequacy decision by the Commission

The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission.

Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

 

·       Standard contractual clauses have been concluded with BootstrapCDN.

·       Standard contractual clauses have been concluded with Cloudflare. These standard contractual clauses can be viewed at Cloudflare Data Processing Addendum: Standard Contractual Clauses for Customers | Cloudflare.

 

Analytic-Tools

Purposes for which the personal data are to be processed

Collection of personal data of website visitors to measure the use and type of use of websites, to optimise our own website and thereby increase the number and duration of users.

 

We also monitor the availability of our website through an external service (Pingdom, Sweden).

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

Google: max. 2 years

Hotjar: max. 2 years

Microsoft: max 1 year, 25 days

Pingdom: max. 1 year

Pardot: max. 2 years

 

Legal basis for the processing

Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO)

Transfer and cross-border contexts

Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data

Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland

 

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA

 

Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300 Atlanta, GA 30326, USA

 

Intention of the controller to transfer the personal data to a third country or an international organisation (1st level)

Personal data is transferred outside the EU/EEA (third country):

 

·       USA

·       Singapore

·       Taiwan

·       Chile

 

Presence or absence of an adequacy decision by the Commission (2nd level, if applicable)

The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission.

Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available (2nd level if applicable).

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

 

·       Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google

·       Standard contractual clauses have been concluded with Microsoft. These standard contractual clauses can be viewed at Licensing Documents (microsoft.com).

·       Standard contractual clauses have been concluded with Pardot. These standard contractual clauses can be viewed at Privacy Policy - Salesforce.com.

 

Plugins and Tools (Fonts)

Purposes for which the personal data are to be processed

Fonts from external providers are integrated in order to maintain the uniform company appearance (so-called corporate design).

Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level)

Adobe Fonts: According to Adobe, no cookies are stored when providing the fonts.

 

Google Fonts: max. 1 year

Legal basis for the processing (if applicable 2nd level)

The data collection and also the data transmission are carried out on the basis of a legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO)

Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person

A uniform presentation across devices, improved loading times and a smaller administrative effort.

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data

Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24Ireland

 

Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland

Intention of the controller to transfer the personal data to a third country or an international organisation

Personal data is transferred outside the EU/EEA (third country):

·       USA

·       Singapore

·       Taiwan

·       Chile

Presence or absence of an adequacy decision by the Commission

The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission.

Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

·       Standard contractual clauses have been concluded with Adobe. These standard contractual clauses can be viewed at Adobe Privacy Centre.

·       Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google

Location Services

Purposes for which the personal data are to be processed

Map services are used for the geographic representation of places and advice on navigation is also given.

Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level)

Google: max. 2 years

Legal basis for the processing (if applicable 2nd level)

Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO)

Transfer and cross-border contexts

Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data

Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland

Intention of the controller to transfer the personal data to a third country or an international organisation (1st level)

Personal data is transferred outside the EU/EEA (third country):

·       USA

·       Singapore

·       Taiwan

·       Chile

Presence or absence of an adequacy decision by the Commission (2nd level, if applicable)

The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission.

Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

·       Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google.

Audio and Video

Purposes for which the personal data are to be processed

Cloud services are used for the provision of videos and photos, so that the own internet infrastructure is relieved and a delivery of videos and photos can be guaranteed even with high numbers of requests.

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

Youtube: max. 8 months

Google: max. 2 years

Legal basis for the processing

Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO)

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data

Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland

 

YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA

Intention of the controller to transfer the personal data to a third country or an international organisation

Personal data is transferred outside the EU/EEA (third country):

·       USA

·       Taiwan

·       Singapore

·       Chile

Presence or absence of an adequacy decision by the Commission

The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission.

Verweis auf geeignete oder angemessene Garantien und die Möglichkeit, wie eine Kopie von ihnen zu erhalten ist, oder wo sie verfügbar sind

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

·       Standard contractual clauses have been concluded with Google (Youtube und Google Photos). These standard contractual clauses can be viewed at

Data transfer frameworks – Privacy & Terms – Google.

Advertising

Purposes for which the personal data are to be processed

Advertising our own services. For this purpose, our service providers also measure what users do after they have clicked on our ads (e.g. use of services).

The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period.

Facebook: max. 2 years 

LinkedIn: max. 2 years

Google: max. 1 year

Microsoft: max. 2 years

Outbrain: max. 2 years

Legal basis for the processing

Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO)

Transfer and cross-border contexts

Recipients or categories of recipients of the personal data

Facebook Meta Platforms Ireland Limited, 1601 South California Avenue, Palo Alto, CA 94304, USA („Facebook“)

 

LinkedIn Ireland Unlimited Company

Wilton Place, Dublin 2, Ireland

 

Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland

 

Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (Bing Ads)

 

Outbrain UK Limited, 5th Floor, The Place, 175 High Holborn, London, WC1V 7AA, UK

 

Intention of the controller to transfer the personal data to a third country or an international organisation

Personal data is transferred outside the EU/EEA (third country):

·       UK

·       USA

·       Singapore

·       Chile

·       Taiwan

 

Presence or absence of an adequacy decision by the Commission

The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than that in the EU.

Presence or absence of an adequacy decision by the Commission

Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

·       Standard contractual clauses have been concluded with Facebook. These standard contractual clauses can be viewed at Facebook.

·       Standard contractual clauses have been concluded with Google (DoubleClick, Google AdServices). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google.

·       Standard contractual clauses have been concluded with LinkedIn. These standard contractual clauses can be viewed at EU, EEA, and Swiss Data Transfers | LinkedIn Help.

·       Standard contractual clauses have been concluded with Microsoft (Bing Ads). These standard contractual clauses can be viewed at Licensing Documents (microsoft.com).

·        

Contact form

Purposes for which the personal data are to be processed

Purposes for which the personal data are to be processed Provision of a contact form for responding to inquiries of any kind.

Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration

The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected.

Legal basis for the processing

If your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures, Art. 6 (1) lit. b) DS-GVO is the legal basis. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f DS-GVO) or on your consent (Art. 6 para. 1 lit. a DS-GVO).

Messenger

Purposes for which the personal data are to be processed

The purpose of data processing is communication with interested parties

Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration

Deletion of personal data at the latest with the deletion of the user's account.

Legal basis for the processing

Contract or contract initiation for students or interested parties with study-related inquiries (Art. 6 para. 1 p. 1 lit. a) DSGVO)

Weitergabe und Auslandsbezug

Recipients or categories of recipients of the personal data

WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland

Absicht des Verantwortlichen, die personenbezogenen Daten an ein Drittland oder eine internationale Organisation zu übermitteln

Personal data is transferred outside the EU/EEA (third country):

·       USA

Vorhandensein oder Fehlen eines Angemessenheitsbeschlusses der Kommission

The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than required.

Presence or absence of an adequacy decision by the Commission.

The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:

·       Standard contractual clauses have been concluded with WhatsApp. These standard contractual clauses can be viewed at

https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927?lang=en.  

 

Top