Gisma University of Applied Sciences
Konrad-Zuse-Ring 11
14469 Potsdam, Germany
Phone: +49 511 54609-0
E-mail: info@gisma.com
If you have any questions regarding data protection, please contact our data protection officer at privacyprotection@gisma.com or at the above postal address with the addition of "data protection officer".
If we process personal data about you, you have the following data subject rights:
The personal data stored by us will be deleted in accordance with legal requirements. We delete the data as soon as it is no longer required for the processing purpose, a given consent is revoked or other permissions cease to apply. Data that still has to be stored, e.g. for reasons of commercial or tax law, or whose storage is still necessary for the assertion, exercise or defence of legal claims, will be deleted as soon as this is no longer the case.
When our website is accessed, log files are set and remain stored for 30 days.
The log files include the following information and are collected on the basis of a legitimate interest. The purpose of the data collection is statistical evaluation and the possibility of error analysis:
Purposes for which the personal data are to be processed |
Data processing for the management of consents. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. |
1 year |
Legal basis for the processing |
Legal obligation (Art. 6 para. 1 p. 1 lit. c. DSGVO) |
Purposes for which the personal data are to be processed |
The purpose of processing personal data through a Content Delivery Network (CDN) is to speed up the delivery of the website. If there are many requests, the use of a CDN ensures that the website continues to be delivered and the CDN protects the web server from being overwhelmed by so-called DDoS attacks. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. |
Max. 7 days |
Legal basis for the processing |
Legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO) |
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person |
To optimize and secure our online service and to optimally display the content we offer on different end devices and to reduce the loading speeds of our website. |
Data transfer to third countries
Recipients or categories of recipients of the personal data |
Cloudflare, 101 Townsend St, San Francisco, CA 94107, USA (unpkg and Cloudflare CDN) |
Intention of the controller to transfer the personal data to a third country or an international organisation |
Personal data is transferred outside the EU/EEA (third country):
· USA |
Presence or absence of an adequacy decision by the Commission |
The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:
· Standard contractual clauses have been concluded with BootstrapCDN. · Standard contractual clauses have been concluded with Cloudflare. These standard contractual clauses can be viewed at Cloudflare Data Processing Addendum: Standard Contractual Clauses for Customers | Cloudflare.
|
Analytic-Tools
Purposes for which the personal data are to be processed |
Collection of personal data of website visitors to measure the use and type of use of websites, to optimise our own website and thereby increase the number and duration of users.
We also monitor the availability of our website through an external service (Pingdom, Sweden). |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. |
Google: max. 2 years Hotjar: max. 2 years Microsoft: max 1 year, 25 days Pingdom: max. 1 year Pardot: max. 2 years |
Legal basis for the processing |
Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data |
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA
Pardot LLC, 950 E. Paces Ferry Rd. Suite 3300 Atlanta, GA 30326, USA
|
Intention of the controller to transfer the personal data to a third country or an international organisation (1st level) |
Personal data is transferred outside the EU/EEA (third country):
· USA · Singapore · Taiwan · Chile
|
Presence or absence of an adequacy decision by the Commission (2nd level, if applicable) |
The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available (2nd level if applicable). |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined:
· Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google · Standard contractual clauses have been concluded with Microsoft. These standard contractual clauses can be viewed at Licensing Documents (microsoft.com). · Standard contractual clauses have been concluded with Pardot. These standard contractual clauses can be viewed at Privacy Policy - Salesforce.com.
|
Purposes for which the personal data are to be processed |
Fonts from external providers are integrated in order to maintain the uniform company appearance (so-called corporate design). |
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level) |
Adobe Fonts: According to Adobe, no cookies are stored when providing the fonts.
Google Fonts: max. 1 year |
Legal basis for the processing (if applicable 2nd level) |
The data collection and also the data transmission are carried out on the basis of a legitimate interest (Art. 6 para. 1 p. 1 lit. f. DSGVO) |
Legitimate interests within the meaning of Art. 6 para. 1 lit. f pursued by the responsible person |
A uniform presentation across devices, improved loading times and a smaller administrative effort. |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data |
Adobe Systems Software Ireland Companies, 4-6 Riverwalk, Citywest Business Campus, Dublin 24, Ireland
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland |
Intention of the controller to transfer the personal data to a third country or an international organisation |
Personal data is transferred outside the EU/EEA (third country): · USA · Singapore · Taiwan · Chile |
Presence or absence of an adequacy decision by the Commission |
The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: · Standard contractual clauses have been concluded with Adobe. These standard contractual clauses can be viewed at Adobe Privacy Centre. · Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google |
Purposes for which the personal data are to be processed |
Map services are used for the geographic representation of places and advice on navigation is also given. |
Duration for which the personal data are stored or, if this is not possible, the criteria for determining this duration (if applicable 2nd level) |
Google: max. 2 years |
Legal basis for the processing (if applicable 2nd level) |
Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients (if applicable 2nd level) or categories of recipients (1st level) of the personal data |
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland |
Intention of the controller to transfer the personal data to a third country or an international organisation (1st level) |
Personal data is transferred outside the EU/EEA (third country): · USA · Singapore · Taiwan · Chile |
Presence or absence of an adequacy decision by the Commission (2nd level, if applicable) |
The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: · Standard contractual clauses have been concluded with Google. These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google. |
Purposes for which the personal data are to be processed |
Cloud services are used for the provision of videos and photos, so that the own internet infrastructure is relieved and a delivery of videos and photos can be guaranteed even with high numbers of requests. |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. |
YouTube: max. 8 months Google: max. 2 years |
Legal basis for the processing |
Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data |
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA, represented by: Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
Intention of the controller to transfer the personal data to a third country or an international organisation |
Personal data is transferred outside the EU/EEA (third country): · USA · Taiwan · Singapore · Chile |
Presence or absence of an adequacy decision by the Commission |
The EU Commission has not issued an adequacy decision for the third country. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: · Standard contractual clauses have been concluded with Google (YouTube and Google Photos). These standard contractual clauses can be viewed at |
Purposes for which the personal data are to be processed |
Advertising our own services. For this purpose, our service providers also measure what users do after they have clicked on our ads (e.g. use of services). |
The period for which the personal data will be stored or, if this is not possible, the criteria for determining this period. |
Facebook: max. 2 years LinkedIn: max. 2 years Google: max. 1 year Microsoft: max. 2 years Outbrain: max. 2 years |
Legal basis for the processing |
Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data |
Facebook Meta Platforms Ireland Limited, 1601 South California Avenue, Palo Alto, CA 94304, USA („Facebook“)
LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (Bing Ads)
Outbrain UK Limited, 5th Floor, The Place, 175 High Holborn, London, WC1V 7AA, UK
|
Intention of the controller to transfer the personal data to a third country or an international organisation |
Personal data is transferred outside the EU/EEA (third country): · UK · USA · Singapore · Chile · Taiwan
|
Presence or absence of an adequacy decision by the Commission |
The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than that in the EU. |
Reference to appropriate or adequate safeguards and how to obtain a copy of them or where they are available |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: · Standard contractual clauses have been concluded with Facebook. These standard contractual clauses can be viewed at Facebook. · Standard contractual clauses have been concluded with Google (DoubleClick, Google AdServices). These standard contractual clauses can be viewed at Data transfer frameworks – Privacy & Terms – Google. · Standard contractual clauses have been concluded with LinkedIn. These standard contractual clauses can be viewed at EU, EEA, and Swiss Data Transfers | LinkedIn Help. · Standard contractual clauses have been concluded with Microsoft (Bing Ads). These standard contractual clauses can be viewed at Licensing Documents (microsoft.com). · |
Contact form
Purposes for which the personal data are to be processed |
Provision of a contact form for responding to inquiries of any kind. |
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration |
The data you enter in the contact form will remain with us until you request us to delete it, revoke your consent to store it, or the purpose for storing the data no longer applies (e.g. after we have completed processing your request). Mandatory legal provisions - in particular retention periods - remain unaffected. |
Legal basis for the processing |
If your request is related to the performance of a contract or is necessary for the implementation of pre-contractual measures, Art. 6 (1) lit. b) DS-GVO is the legal basis. In all other cases, the processing is based on our legitimate interest in the effective processing of requests addressed to us (Art. 6 para. 1 lit. f DS-GVO) or on your consent (Art. 6 para. 1 lit. a DS-GVO). |
Messenger
Purposes for which the personal data are to be processed |
The purpose of data processing is communication with interested parties |
Duration for which the personal data will be stored or, if this is not possible, the criteria for determining this duration |
Deletion of personal data at the latest with the deletion of the user's account. |
Legal basis for the processing |
Contract or contract initiation for students or interested parties with study-related inquiries (Art. 6 para. 1 p. 1 lit. a) DSGVO) |
Transfer and cross-border contexts
Recipients or categories of recipients of the personal data |
WhatsApp Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland |
Intention of the controller to transfer the personal data to a third country or an international organisation |
Personal data is transferred outside the EU/EEA (third country): · USA |
Presence or absence of an adequacy decision by the Commission |
The EU Commission has not issued an adequacy decision for the third country USA. It is therefore possible that the level of data protection in the third country is lower than required. |
Presence or absence of an adequacy decision by the Commission. |
The following measures have been taken to ensure that the level of data protection guaranteed by the GDPR is not undermined: · Standard contractual clauses have been concluded with WhatsApp. These standard contractual clauses can be viewed at https://www.whatsapp.com/legal/business-data-transfer-addendum-20210927?lang=en. |