
Privacy Policy
Details of the person responsible
Gisma University of Applied Sciences
Konrad-Zuse-Ring 11
14469 Potsdam, Germany
Phone: +49 511 54609-0
E-mail: info@gisma.com
Contact for questions regarding data protection
If you have any questions regarding data protection, please contact our data protection officer at privacyprotection@gisma.com or at the above postal address with the addition of “data protection officer”.
Data Controller
This website is operated on behalf of Gisma University of Applied Sciences GmbH, a company registered in Germany with number HRP35061P with its registered office at Konrad-Zuse-Ring 11, 14469 Potsdam, Germany.
Gisma University of Applied Sciences is part of The Global University Systems B.V. group of companies which is made up of different legal entities, details of which can be found here (https://www.globaluniversitysystems.com/).
We have appointed a data protection officer (DPOs) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the details set out below.
Contact details
Full name of data controller legal entity: Gisma University of Applied Sciences
Name or title of the Data Protection Officer: Herr Henning Koch
Data Protection Email address: privacyprotection@gisma.com
RPA Datenschutz + Compliance GmbH
Franzenburg 48, 35578 Wetzlar
Tel. 06441/67100-0
Fax. 06441/67100-20
E-Mail: info@rpa-datenschutz.de Ansprechpartner: Herr Ilja Borchers und Herr Henning Koch
You have a right to complain to the State Commissioner for Data Protection and Freedom of Information (Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht) about the way in which we process your personal data. Complaints can be filed in writing to Landesbeauftragte für den Datenschutz und für das Recht auf Akteneinsicht, Stahnsdorfer Damm 77, 14532 Kleinmachnow, or by email, Poststelle@LDA.Brandenburg.de. We consider this the lead supervisory authority for Gisma University of Applied Sciences.
We would always prefer that you come to us to help address any concerns of a privacy nature however before you go to the State Commissioner for Data Protection and Freedom of Information, so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
This version was last updated on 29 September 2023 and historic versions can be obtained by contacting us.
We may from time to time change the detail in this notice. Any changes we may make in the future will be posted on this page. Please check back frequently to see any such updates or changes.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Data subject rights
If we process personal data about you, you have the following data subject rights:
- a right to information about the data we process and to be copied,
- a right to rectification if we process incorrect data about you,
- a right to erasure, unless exceptions apply as to why we are still storing the data, for example, retention obligations or limitation periods,
- a right to restrict processing,
- a right to revoke consent to data processing at any time,
- a right to object to processing in the public or legitimate interest,
- a right to data portability,
- a right to complain to a data protection supervisory authority if you find that we are not processing your data properly. The State Commissioner for Data Protection of Lower Saxony (http://lfd.niedersachsen.de) is responsible for our company. However, if you are in another federal state or not in Germany, you can also contact the data protection authority there.
Storage period (general)
The personal data stored by us will be deleted in accordance with legal requirements. We delete the data as soon as it is no longer required for the processing purpose, a given consent is revoked or other permissions cease to apply. Data that still has to be stored, e.g. for reasons of commercial or tax law, or whose storage is still necessary for the assertion, exercise or defence of legal claims, will be deleted as soon as this is no longer the case.
Processing of personal data – purposes and legal basis
Data processing on the company’s website
Log files
When our website is accessed, log files are set and remain stored for 30 days.
The log files include the following information and are collected on the basis of a legitimate interest. The purpose of the data collection is statistical evaluation and the possibility of error analysis:
- Visited website
- Time of day at the time of access
- Amount of data sent in bytes
- Source/reference from which you reached the page
- Browser used
- Operating system used
- IP address used (if applicable: in anonymised form)
Cookie-Consent-Banner
Purposes for which the personal data are to be processed | Data processing for the management of consents. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. | 1 year |
Legal basis for the processing | Legal obligation (Art. 6 para. 1 p. 1 lit. c. DSGVO) |
Content Delivery Network (CDN)
Purposes for which the personal data are to be processed | The purpose of processing personal data through a Content Delivery Network (CDN) is to speed up the delivery of the website. If there are many requests, the use of a CDN ensures that the website continues to be delivered and the CDN protects the web server from being overwhelmed by so-called DDoS attacks. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. | Max. 7 days |
Legal basis for the processing | Legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO) |
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person | To optimize and secure our online service and to optimally display the content we offer on different end devices and to reduce the loading speeds of our website. |
Data transfer to third countries
Recipients or categories of recipients of the personal data | Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA, (unpkg andnd Cloudflare CDN) |
Intention of the controller to transfer the personal data to a third country or an international organisation | Personal data is transferred outside the EU/EEA (third country): – USA |
Presence or absence of an adequacy decision by the Commission | The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with BootstrapCDN. – Standard contractual clauses have been concluded with Cloudflare. These standard contractual clauses can be viewed at Cloudflare Data Processing Addendum: Standard Contractual Clauses for Customers | Cloudflare |
Analytic-Tools
Purposes for which the personal data are to be processed | Collection of personal data of website visitors to measure the use and type of use of websites, to optimise our own website and thereby increase the number and duration of users. We also monitor the availability of our website through an external service (Pingdom, Sweden). |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. | Google: max. 2 years Hotjar: max. 2 years Microsoft: max 1 year, 25 days Pingdom: max. 1 year Pardot: max. 2 years |
Legal basis for the processing | Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data | Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300 Atlanta, GA 30326, USA |
Intention of the controller to transfer the personal data to a third country or an international organisation (1st level) | Personal data is transferred outside the EU/EEA (third country): – USA – Singapore – Taiwan – Chile |
Presence or absence of an adequacy decision by the Commission (2nd level, if applicable) | The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available (2nd level if applicable). | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google – Standard contractual clauses have been concluded with Microsoft. These standard contractual clauses can be viewed at Licensing Documents (microsoft.com). – Standard contractual clauses have been concluded with Pardot. These standard contractual clauses can be viewed at Privacy Policy – Salesforce.com. |
Plugins and Tools (Fonts)
Purposes for which the personal data are to be processed | Fonts from external providers are integrated in order to maintain the uniform company appearance (so-called corporate design). |
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level) | Adobe Fonts: According to Adobe, no cookies are stored when providing the fonts. Google Fonts: max. 1 year |
Legal basis for the processing (if applicable 2nd level) | The data collection and also the data transmission are carried out on the basis of a legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO) |
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person | A uniform presentation across devices, improved loading times and a smaller administrative effort. |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data | Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24Ireland Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland |
Intention of the controller to transfer the personal data to a third country or an international organisation | Personal data is transferred outside the EU/EEA (third country): – USA – Singapore – Taiwan – Chile |
Presence or absence of an adequacy decision by the Commission | The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with Adobe. These standard contractual clauses can be viewed at Adobe Privacy Centre. – Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google |
Location Services
Purposes for which the personal data are to be processed | Map services are used for the geographic representation of places and advice on navigation is also given. |
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level) | Google: max. 2 years |
Legal basis for the processing (if applicable 2nd level) | Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data | Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland |
Intention of the controller to transfer the personal data to a third country or an international organisation (1st level) | Personal data is transferred outside the EU/EEA (third country): – USA – Singapore – Taiwan – Chile |
Presence or absence of an adequacy decision by the Commission (2nd level, if applicable) | The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google. |
Audio and Video
Purposes for which the personal data are to be processed | Cloud services are used for the provision of videos and photos, so that the own internet infrastructure is relieved and a delivery of videos and photos can be guaranteed even with high numbers of requests. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. | Youtube: max. 8 months Google: max. 2 years |
Legal basis for the processing | Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data | Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
Intention of the controller to transfer the personal data to a third country or an international organisation | Personal data is transferred outside the EU/EEA (third country): – USA – Taiwan – Singapore – Chile |
Presence or absence of an adequacy decision by the Commission | The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that of the EU Commission. |
Verweis auf geeignete oder angemessene Garantien und die Möglichkeit, wie eine Kopie von ihnen zu erhalten ist, oder wo sie verfügbar sind | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with Google (Youtube und Google Photos). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google. |
Advertising
Purposes for which the personal data are to be processed | Advertising our own services. For this purpose, our service providers also measure what users do after they have clicked on our ads (e.g. use of services). |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. | Facebook: max. 2 years LinkedIn: max. 2 years Google: max. 1 year Microsoft: max. 2 years Outbrain: max. 2 years |
Legal basis for the processing | Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data | Facebook Meta Platforms Ireland Limited, 1601 South California Avenue, Palo Alto, CA 94304, USA („Facebook“) LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland Google Ireland limited, Gordon House, Barrow Street Dublin 4, Ireland Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (Bing Ads) Outbrain UK Limited, 5th Floor, The Place, 175 High Holborn, London, WC1V 7AA, UK |
Intention of the controller to transfer the personal data to a third country or an international organisation | Personal data is transferred outside the EU/EEA (third country): – UK – USA – Singapore – Chile – Taiwan |
Presence or absence of an adequacy decision by the Commission | The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Presence or absence of an adequacy decision by the Commission Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with Facebook. These standard contractual clauses can be viewed at Facebook. – Standard contractual clauses have been concluded with Google (DoubleClick, Google AdServices). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google. – Standard contractual clauses have been concluded with LinkedIn. These standard contractual clauses can be viewed at EU, EEA, and Swiss Data Transfers | LinkedIn Help. – Standard contractual clauses have been concluded with Microsoft (Bing Ads). These standard contractual clauses can be viewed at Licensing Documents (microsoft.com). |
Contact form
Purposes for which the personal data are to be processed | Purposes for which the personal data are to be processed Provision of a contact form for responding to inquiries of any kind. |
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration | The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions – in particular retention periods – remain unaffected. |
Legal basis for the processing | If your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures, Art. 6 (1) lit. b) DS-GVO is the legal basis. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f DS-GVO) or on your consent (Art. 6 para. 1 lit. a DS-GVO). |
Messenger
Purposes for which the personal data are to be processed | The purpose of data processing is communication with interested parties |
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration | Deletion of personal data at the latest with the deletion of the user’s account. |
Legal basis for the processing | Contract or contract initiation for students or interested parties with study-related inquiries (Art. 6 para. 1 p. 1 lit. a) DSGVO) |
Weitergabe und Auslandsbezug
Recipients or categories of recipients of the personal data | WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland |
Absicht des Verantwortlichen, die personenbezogenen Daten an ein Drittland oder eine internationale Organisation zu übermitteln | Personal data is transferred outside the EU/EEA (third country): – USA |
Vorhandensein oder Fehlen eines Angemessenheitsbeschlusses der Kommission | The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than required. |
Presence or absence of an adequacy decision by the Commission. | The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: – Standard contractual clauses have been concluded with WhatsApp. These standard contractual clauses can be viewed at https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927?lang=en |