The following data privacy information informs you about the nature and extent of the processing of so-called personal data by ISM International School of Management GmbH (hereinafter: ISM). Which data is processed in detail and how it is used depends largely on the services you have requested and have agreed upon. Therefore, not all parts of this data privacy information will apply to you. Personal data is information that can be directly or indirectly attributed to you.
Data processing by ISM can be divided into two main categories:
- For the purpose of contract processing, all data required for the execution of a contract with ISM will be processed. If external service providers are also involved in the processing and execution of the contract, for instance transport companies, your data will be passed on to them to the extent necessary in each case.
- When you access the ISM website/application, various information is exchanged between your end device and our server. This may also be personal data. The information collected in this way is used, among other things, to optimize our website or to display advertising in the browser of your end device.
In accordance with the provisions of GDPR, you have various rights which you can assert in relation to us. These include the right to raise an objection in relation to selected data processing, in particular data processing for advertising purposes. The option to object is available in print.
The ISM websites are hosted on external servers in Europe and are thus subject to applicable safety regulations applicable in Europe. The legal basis for this are the agreements on commissioned processing according to Article 28 of EU-GDPR.
2. CONTACT DATA AND RIGHT TO INFORMATION
We have appointed Mr. Marc Althaus as our external company data protection officer, who continuously works to ensure compliance with data protection regulations and carries out regular checks. You can find the contact details here:
DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
D-22589 Hamburg, Germany
3. PURPOSE OF DATA COLLECTION, LEGAL BASIS, INTERESTS AND CATEGORY OF RECIPIENTS
3.1 Accessing our website/application
When you access our website/application, the browser used on your end device automatically sends information to the server of our website/application and temporarily stores it in a so-called log file. We have no influence on this. The following information is collected without your intervention and stored until automatic deletion after seven days:
- IP address of the requesting Internet-enabled device,
- Date and time of access,
- Name and URL of the file retrieved,
- Website/Application from which the access was made (referrer URL),
- Browser used and, if applicable, the operating system of your Internet-enabled computer
- Name of your access provider
- Language, country, city
- Screen resolution
- Demographic characteristics: age, gender
- Search keyword
The legal basis is Article 6 (1)(f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point, we would like to point out that we are not able to draw any conclusions about your identity from the collected data and that we will not do so.
The IP address of your terminal device and the other data listed above are used by us for the following purposes:
- Ensuring smooth connection establishment,
- Ensuring a comfortable use of our website/app,
- Evaluating system security and stability as well as
- Other administrative purposes
Furthermore, we use so-called cookies, tracking tools and targeting methods for our website/application. The exact procedures involved and how your data is used for this purpose is explained in more detail below in section 3.3.4.
If you have consented to so-called geolocation in your browser or in the operating system or other settings on your terminal device, we do not use this function. However, you may receive individual services based on your current location through the search engines you use or other online service providers.
3.2 Conclusion, execution or termination of a contract
3.2.1 Data processing upon conclusion of a contract
The object of ISM's activities is the provision of services and the distance sale of goods, retail trade within the scope of the permits issued by the authorities and the serial production of the goods to be offered. In this context, we process the data required for the conclusion, execution or termination of a contract. This includes:
- Last name / Birth name
- First name
- Place of birth
- Country of birth
- Date of birth
- Email address(es)
- Entry date
- Billing and payment information
- Phone number(s)
- Study program
- Other courses booked (e.g. pre-courses)
- Registration for exams
- Exam results
- Study contract
- If available, further supplementary documents to the study contract
The legal basis for this is Article 6 (1)(b) GDPR. Insofar as we do not use your contact data for advertising purposes (see 3.3. below), we store the data collected for the processing of the contract until the expiry of the statutory or possible contractual warranty and guarantee rights. After expiration of this period, we retain the information of the contractual relationship required by commercial and tax law for the periods determined by law. For this period (regularly ten years from the conclusion of the contract), the data is processed again solely in the event of an audit by the tax authorities.
Furthermore, the above-mentioned data will be forwarded to foreign partner universities as part of your mandatory semester abroad.
3.2.2 Identity, creditworthiness and transmission of data to credit agencies and debt collection companies
If necessary, we may verify your identity by using information from service providers. The legal basis for this is Article 6(1)(b) and (f) of GDPR. The authorization for this results from the protection of your identity and the prevention of fraud attempts at our expense. The circumstance and the result of our request will be added to your customer account or your guest account for the duration of the contractual relationship.
In the course of the ordering process, we also check your creditworthiness in order to be able to show you only the payment methods that can be used by you. For this purpose, we transmit the following types of data to so-called credit agencies cooperating with us: Name, address, date of birth. The legal basis for this is the following declaration of consent by you within the meaning of Article 6(1)(a) GDPR:
I hereby consent to the verification of my creditworthiness by ISM. I am aware that the check is already carried out at the beginning of the order process and that I can revoke my consent at any time.
You can revoke your consent at any time with effect for the future by sending a declaration to the address given under "Contact". The revocation of consent does not affect the lawfulness of the personal data processed until the revocation. If you do not want to give the above consent, please give us before you initiate the completion of your purchase a corresponding note or use the option of guest ordering. In this case, however, we can only offer you payment methods that are not associated with a credit risk for ISM. The circumstance and the result of our inquiry will be saved to your customer account for the duration of the contractual relationship.
If you have already made a purchase from us, the data we have stored about you may be supplemented by so-called score values. Scoring is the creation of a forecast of future events based on information collected and experience gained in the past. On the basis of the data stored about you, an assignment is made to statistical groups of people who have had similar entries in the past. The underlying method used is a well-founded mathematical-statistical method for forecasting risk probabilities that has been tried and tested in practice for a long time.
In the event of a delay in payment, we will transmit the necessary data to a company commissioned to enforce the claim if the other legal requirements are met. The legal bases for this are both Article 6(1)(b) and Article 6(1)(f) GDPR. The assertion of a contractual claim is to be regarded as a legitimate interest within the meaning of the second-named provision. We also transmit information about the delay in payment or a possible bad debt to credit agencies cooperating with us if the other legal requirements are met. The legal basis for this is Article 6(1)(f) GDPR. The legitimate interest which this requires arises from our and third parties’ interest in reducing contract risks for future contracts.
In order to collect our outstanding receivables, we transfer this function to a collection agency and, in this context, pass on the necessary data to the collection agency commissioned by us. This company first checks the legitimacy of the receivables transferred for collection and then sends a reminder for the delinquent invoice in writing or, if necessary, by telephone. If payment is refused, the collection agency will initiate legal dunning proceedings if necessary. There is also the possibility of execution as well as the seizure of realizable objects.
3.2.3 Transmission of data to partner companies
ISM transmits the data collected during the application process for a study place (according to 3.2.1) as a curriculum vitae with attachments to qualified partner companies in order to support dual or part-time students in their search for a dual or partner in the run-up to their studies. The data will only be transmitted to partners exclusively for the application process. This data is deleted after completion of the application process or studies, unless longer legal retention periods exist.
3.3 Data processing for advertising purposes
3.3.1 Advertising purposes of ISM and third parties
Insofar as you have concluded a contract with us, we manage you as an existing customer. In this case, we process your contact data in order to send you information about new and similar products and services. From time to time, we transmit your postal contact data to contract partners selected by us with special care as service providers, so that they can inform you about new and similar products of ISM.
3.3.2 Advertising in line with interests
To ensure that you only receive information that is of supposed interest to you, we categorize and add further information to your customer profile. Statistical information as well as information about you (e.g. basic data of your customer profile) is used for this purpose. The aim is to send you advertising that is geared solely to your actual or perceived needs and, accordingly, not to bother you with useless advertising.
The legal basis for the aforementioned data processing is in each case Article 6(1)(f) GDPR. The processing of existing customer data in this way for our own advertising purposes or for the advertising purposes of third parties is to be regarded as legitimate interest.
3.3.3 Right of objection
You can object to data processing for the aforementioned purposes separately for the respective communication channel at any time and with effect for the future. For this purpose, it is sufficient to send an e-mail or a postal letter to the contact details mentioned under section 1.
If you object, the contact address concerned will be blocked for further data processing for advertising purposes. We would like to point out that in exceptional cases, advertising material may still be sent after receipt of your objection. This is due to technical reasons and does not mean that we will not implement your objection. Thank you for your understanding.
3.3.4 Cookies - general information
126.96.36.199 Cookie Consent with Usercentrics
This website uses the cookie consent technology of Usercentrics to obtain your consent to store certain cookies on your terminal device or to use of certain technologies, and to document this consent in accordance with data protection law.
Operator of Usercentrics:
When you enter our website, the following personal data is transferred to Usercentrics:
- Your consent(s) or revocation of consent(s)
- Information about your browser
- Information about your terminal device
- Time of your visit to the website
Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consents granted to you or its revocation. The data collected in this way will be stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.
Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 paragraph 1 p.1 lit.c GDPR.
188.8.131.52 Prevent cookies from being set
If you want to prevent cookies from being set, you can - in addition to or instead of our cookie consent solution - set cookies on the website in a more general way:
Most browsers are set to accept cookies by default, but you can set your browser to reject cookies or ask for confirmation from you first. The help function in the menu bar of most web browsers explains how you can prevent your browser from accepting new cookies, how you can have your browser notify you when you receive new cookies, or even how you can delete all cookies you have already received and have the browser block all others.
3.3.5 Google Analytics
For the purpose of needs-based design and ongoing optimization, we use Google Analytics, a web analytics service provided by Google Inc ("Google"), on the basis of Article 6(1)(f) GDPR. In this context, pseudonymized usage profiles are created and cookies are used. The information generated by the cookie about your use of this website such as
- Browser type/version,
- Operating system used,
- Referrer URL (the site previously visited),
- Host name of the accessing computer (IP address),
- Time of the server request,
are transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on website activity and to provide other services related to the use of the website and the Internet for the purposes of market research and demand-oriented design of these Internet pages. This information may also be transferred to third parties if this is required by law or if third parties process this data on our behalf. Under no circumstances will your IP address be merged with other Google data. The IP addresses are anonymized so that an assignment is not possible. The retention period of the data sent by you and linked to cookies, user IDs or advertising IDs is 14 months. With each new activity, the period is set to the current duration plus the retention period mentioned.
184.108.40.206 Google Optimize
On our website we use the web analysis and optimization service "Google Optimize", which is provided by
1600 Amphitheatre Parkway
Mountain View, California 94043, USA
We use the Google Optimize service to increase the attractiveness, content and functionality of our website by playing new features and content to a percentage of our users and statistically evaluating the change in usage. Google Optimize is a sub-service of Google Analytics (see´section Google Analytics).
3.3.6 Google Tag Manager
This website uses Google Tag Manager. Operator of Google Tag Manager is:
1600 Amphitheatre Parkway
Mountain View, California 94043, USA
Through this service, website tags can be managed through one interface. The Google Tag Manager only implements tags. This means that no cookies are used and no personal data is collected.
The Google Tag Manager is a tool for managing website tags. Google Tag Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.
3.3.7 Google Enhanced Conversion Tracking
On our website, we use a Web Tracking Service of the company
Google Ireland Limited
Gordon House, Barrow Street 4
(hereinafter: Google Enhanced Conversion). With the help of Google Enhanced Conversions, ISM collects conversion data.
Google Enhanced Conversion Tracking is a feature that can increase the accuracy of our conversion measurement. It sends hashed first-party conversion data from our website to Google in a secure manner as part of an addendum to existing conversion tags. Customer information is not shared with other advertisers. Access controls and encryption are in place to prevent unlawful access. You can revoke the data collection and storage at any time with effect for the future.
The targeting measures listed below and used by us are carried out on the basis of Article 6(1)(f) GDPR. By means of the targeting measures used, we want to ensure that you are only shown advertisements on your end devices that are based on your actual or presumed interests. It is in your interest as well as ours not to bother you with advertisements that are not interesting for you.
On our website, information is collected and analyzed using cookies to optimize advertising. This information contains, for example, details of which of our study programs you were interested in. The collection and evaluation is exclusively pseudonymous and does not allow us to identify you. In particular, the information is not combined with personal data about you. Based on the information, we can show you offers on our site that are specifically geared to your interests, as determined by your previous user behavior. The cookie is automatically deleted after 30 days.
We also use re-targeting technologies from ad servers. This enables us to make our online offer more interesting and tailored to you. For this purpose, a cookie is set with which interest data is collected using pseudonyms. Based on this information, you will be shown interest-related advertisements about our offers. No personal data is stored and no usage profiles are merged with personal data about you. The cookie is stored for a period of 30 days and then automatically deleted.
220.127.116.11 Opposition options
You can disable the targeting technologies described above by selecting the appropriate cookie setting in your browser (see also 3.3.4). Facebook custom audience can be deactivated under the following link: https://www.reachlocal.com/opt-out.
Hubspot is a company that offers a sales and customer relationship management (CRM) platform.
Cambridge, MA 02141, USA
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here: https://www.hubspot.de/data-privacy/privacy-shield.
We use Hubspot CRM on this website.
Among other things, Hubspot CRM enables us to manage existing and potential customers as well as customer contacts. With the help of Hubspot CRM, we are able to record, sort, and analyze customer interactions via email, social media, or telephone across different channels. The personal data collected in this way can be evaluated and used for communication with the potential customer or for marketing measures (e.g. newsletter mailings). With Hubspot CRM, we are also able to record and analyze the user behavior of our contacts on our website.
The use of Hubspot CRM is based on Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the most efficient customer management and customer communication possible.
Form is a Hubspot service for creating online forms. All forms on our website are created using this service.
- User Agent Data,
- IP address,
- Browser type,
- Internet service provider,
- Company name,
- HTML pages,
- Information from third-party sources,
- Device drive system,
- Usage data,
- Phone number,
- Referrer URL,
- Session duration,
- Device type,
- Visited pages,
- Click path,
- Domain name,
- Contact information,
- Date and time of visit,
- Device identifier,
- Geographical location,
- E-mail address,
- Data provided via forms on the website.
The use of Hubspot Form is based on Art. 6 para. 1 lit. f GDPR.
Place of processing is: United States of America.
According to Article 8(1) GDPR, the processing of the child's personal data is lawful when the child has reached the age of sixteen. If the child has not yet reached the age of sixteen, this processing is lawful only if and to the extent that this consent is given by or with the consent of the holder of parental responsibility over the child. With the consent to the declaration of consent, we assume that you have either reached the age of sixteen or you have obtained parental consent.
4.1 Contact forms
4.1.1 Contact form for interested parties
We provide you with contact forms to simplify contacting us and making appointments. This applies to ordering information material, making appointments with the student advisory service and registering for information events and the entrance test. The collected data includes, for example:
- First name and last name
- Postal address
- Email address
- Phone number
The data collected in this context will be stored by us in order to inform you on the channels you have selected with information about the study program and the university. The data will be forwarded for further processing within the university. In case of inactivity on your part, your data will be deleted after 36 months, unless otherwise specified by you.
4.1.2 Cooperation with external Internet portals
Cooperation with Studyportals
We cooperate with the external study portal Studyportals.
You can find information on Studyportals's data protection here: https://studyportals.com/about-us/privacy-2/.
In order for the service (referral of a prospective student) from Studyportals to ISM to be billed on a performance-related basis, a code from Studyportals is integrated into our application form. When you fill out our application form, the following data is collected from you:
- Time of the call of the website (request to the server of the host provider)
- URL of the web page from which the web page was accessed
- IP address
The above-mentioned data is transmitted to the service provider clickmeter and its hoster Amazon Web Services and processed there. This may also involve a transfer to countries outside the EU, in particular the USA.
Information about clickmeter's privacy protection can be found here: https://www.clickmeter.com/privacy-policy
The purpose of this processing is the performance-related billing of successful mediations between Studyportals and ISM. The legal basis for the data processing is the service contract and thus Article 6 (1)(b) GDPR as well as the legitimate interest of ISM according to Article 6 (1)(f) GDPR. ISM has a legitimate interest in maintaining control over the actual placements made via Studyportals.
4.1.3 Contact form for press contacts
4.1.4 Google reCAPTCHA
We include the "reCAPTCHA" function on our website to be able to recognize whether entries (e.g. in online forms) are made by humans and not by automatically acting machines (so-called "bots"). Processed data may include IP addresses, information about operating systems, devices or browsers used, language settings, location, mouse movements, keyboard strokes, time spent on web pages, previously visited web pages, interactions with Captcha on other web pages, possibly cookies, and results of manual recognition processes (e.g. answering questions asked or selecting objects in images).
Operator of WhatsApp is:
1601 Willow Road
Menlo Park, California 94025, USA
Data that you send us by e-mail will be stored within the university and forwarded internally in order to be able to process your request. E-mails are archived within the university within the scope of the legal retention obligation.
4.5 Possibility of objection
You can revoke the selected contact options at any time.
The legal basis for this is Article 6 (1)(f) GDPR.
5.2 Media library
We use Zoom web conferencing software to conduct classes, online meetings, video conferences, and/or webinars (hereinafter Online Meetings).
Zoom operator is:
Zoom Video Communications, Inc.
55 Almaden Blvd, Suite 600,
San Jose, California 95113, USA
Insofar as you call up the Zoom website, the operator of Zoom is responsible for data processing. However, calling up the website is only necessary for using Zoom in order to download the software for using Zoom. You can also use Zoom if you enter the respective meeting ID and, if applicable, further access data for the meeting directly in the Zoom app. If you do not want to or cannot use the Zoom app, then the basic functions can also be used via a browser version, which you can also find on the Zoom website.
When using Zoom, different types of data are processed. The scope of the data depends on the data you provide before or during participation in an online meeting.
The following personal data are subject to processing:
- For online meetings: first name and surname, if applicable, subject of the meeting and description, attendee IP addresses and device/hardware information
- For recording: MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.
- When dialing in with the telephone: information on the incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be stored.
- Text, audio and video data: You may have the option of using the chat, question or survey features in an online meeting. To this extent, the text entries you make are processed in order to display and, if necessary, log them in the "online meeting". In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed accordingly for the duration of the meeting. You can turn off or mute the camera or microphone yourself at any time via the Zoom applications.
In order to participate in an online meeting or to enter the "meeting room", you must at least provide information about your name. If we want to record online meetings, we will transparently inform you in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed to you in the Zoom app.
If it is necessary for the purposes of documenting or logging the results of an online meeting, we will log the chat content. However, this will usually not be the case. For purposes of recording and following up on online meetings, we may also process questions asked by webinar participants.
If you are registered as a user with Zoom, then online meetings reports (meeting metadata, phone dial-in data, webinar questions and answers in webinars, webinar survey function) can be stored with Zoom for up to one month.
The existing possibility of software-based "attention monitoring" ("attention tracking") is deactivated. Automated decision-making process within the meaning of Art. 22 GDPR is not used.
Personal data that is processed in connection with participation in online meetings is generally not disclosed to third parties, unless it is intended for disclosure. Please note that content from online meetings, as well as from face-to-face meetings, is often used to communicate information with customers, prospects or third parties and is therefore intended for disclosure.
Zoom's provider necessarily obtains knowledge of the above-mentioned data to the extent provided for in our order processing agreement with Zoom.
In order to give students the opportunity to view online courses at other times and time zones, they are recorded on a voluntary basis, stored for one week and the deleted again. For this purpose, the lecturer must activate the recording of his course himself.
Zoom is a service provided by a provider from the USA. A processing of personal data therefore also takes place in a third country. We have concluded an order processing contract with the Zoom provider.
The legal basis of the data processing is Article 6 (1)(b) and (f) GDPR. Information about data protection at Zoom can be found at: https://zoom.us/docs/de-de/privacy-and-legal.html
6. APPLICATIONS TO THE ISM
If you provide us with personal data as part of the application process, you can send it to us online via our application platform. The basis for this is an agreement on order processing. The personal data provided to us in this way is divided into the following data types and data categories for collection, processing or use:
- Personal data (first and last name, date of birth, address, school-leaving certificate)
- Communication data (telephone no., mobile no., fax no., email address)
- Information (from third parties, e.g. credit agencies or public directories)
- Data concerning the evaluation and assessment during the application process
- Data on education (school education, vocational training, civil/military service, studies, doctoral degree)
- Data on the previous professional career, training and work references
- Information on other qualifications (e.g. language skills, PC skills, voluntary activities)
- Application photo
- Details of the expected salary
- Application history
We use the personal data you provide exclusively within the ESO Education Group of companies to process your application for the advertised position. Only persons involved in the application process will be given access to your personal data. All employees entrusted with data processing are obliged to maintain the confidentiality of your data. We do not disclose your personal data to third parties unless you have consented to the disclosure of data or we are obliged to disclose data due to statutory provisions and/or official or court orders. When you submit an application, an account is created in our career portal where you can view and manage your application. In the course of the application process, you have the opportunity to rate the application process and our company online with the service provider softgarden e-recruiting GmbH. This feedback may appear on the rating portals of softgarden and kununu GmbH.
Your data will be deleted automatically within six months of the specific application process being completed. This does not apply if legal provisions prevent deletion, if further storage is necessary for the purpose of providing evidence, or if you have expressly consented to a longer storage period.
If you decide to join the Talent Pool, your personal data may be accessed by all members of the ESO Education Group in the event of any potential job assigments and vacancies. The Talent Pool can be joined by agreeing to the invitation of a recruiter or by proactively using the “Get in touch” form.
7. RECIPIENTS OUTSIDE THE EU
7.1 Data processing for advertising purposes
The processing mentioned in section 3.3 causes a data transfer to the servers of the providers of tracking and targeting technologies commissioned by us. These servers are located in the USA.
7.2 Data processing at foreign universities
In addition to the processing of data described in section 3.2, we will pass on your data to foreign universities located outside the European Union or the European Economic Area (EEA) if this involves the planning and implementation of a stay abroad in connection with your studies at ISM, which will be completed outside Europe.
8. YOUR RIGHTS
In addition to the right to revoke your consent given to us, you have the following additional rights if the respective legal requirements are met:
- Right to information regarding your personal data stored by us according to Art. 15 GDPR,
- Right to rectification of inaccurate data or completion of correct data according to Art. 16 GDPR,
- Right to have your data stored by us deleted according to Art. 17 GDPR,
- Right to restrict the processing of your data according to Art. 18 GDPR,
- Right to data portability according to Art. 20 GDPR.
8.2 Right of objection
Under the conditions of Art. 21 (1) DSGVO, data processing may be objected to for reasons arising from the particular situation of the data subject.
The above mentioned general right to object applies to all purposes for processing described in this Data Privacy Notice that are processed on the basis of Article 6 (1)(f) GDPR. Unlike the specific right of objection directed at data processing for advertising purposes (compare section 3.3.3 above), we are only obliged under the GDPR to implement such a general right of objection if you provide us with reasons of overriding importance for doing so (e.g. a possible risk to life or health). In addition, you have the option of contacting a supervisory authority or the data protection officer.
9. DATA SECURITY
All data transmitted by you personally, including your payment data, is transferred with the generally normal and secure standard SSL (Secure Socket Layer). SSL is a secure and proven standard, which is also used, for example, in online banking. Among other things, you can recognise a secure SSL connection by the attached s at the the http (for example https://…) in the address bar of your browser or by the lock symbol in the lower area of your browser.
We also use appropriate technical and organizational security measures to protect your personal data stored with us against manipulation, partial or complete loss and against unauthorized access by third parties. Our security measures are continuously improved in line with technological developments. Data exchange between the server and a computer accessing it (client) is secured by SSL certificates with the SHA-256 signature algorithm. This applies to www.ism.de, en.ism.de and ismblog.de.