1 OVERVIEW

The provisions of the EU General Data Protection Regulation (hereinafter referred to as: GDPR) are applicable throughout Europe. Please read our data privacy statement carefully.

The following data privacy notices inform you about how and to which extent personal data is processed by ISM International School of Management GmbH (hereinafter referred to as: ISM). Which individual data is processed and how the data is used depends substantially on the services you desire and have agreed. Therefore, not all parts of this information will apply to you. Personal data relates to information that is or can be directly or indirectly attributed to your person.

Data processing at ISM can be divided into two basic categories:

  1. For contract processing purposes, all data will be processed that is necessary for the implementation of a contract with ISM. If external service providers are also involved in the execution of the contract, for instance logistics companies, your data will be transferred to them to the extent necessary.
  2. When you access the website/application of ISM, certain information is exchanged between your end device and our server. This may also be personal data. Data collected in this way can, for instance, be used to optimise our website or to display advertising in the browser of your end device.

In accordance with the guidelines of GDPR, you have various rights which you can claim in relation to us. Among other things, this includes the right to raise an objection in relation to selected data processing, in particular for advertising purposes. The option to raise an objection is available in typographical form.

The websites are hosted on external servers in Europe and are thus subject to applicable European safety regulations; the legal basis for this are the processing regulations pursuant to Article 28 GDPR.

If you have any questions about our data privacy notices, please send an email to Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!.

2 CONTACT DATA AND RIGHT TO INFORMATION

This data privacy statement applies to data processing by ISM International School of Management GmbH, Otto-Hahn-Strasse 19, D-44227 Dortmund, and for the following websites and/or applications: www.ism.de, en.ism.de and blog.ism.de.

You are entitled, free of charge, to obtain information about your stored personal data and, if necessary, to exercise the right to personal data concerning you being rectified, blocked or erased. If you have any questions regarding the collection, processing or use of your personal data, require information on the rectification, blocking or erasure of your data or want to withdraw your consent or object to the processing of personal data concerning you, please contact: Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein!

We have appointed Marc Althaus as our external data controller. He shall be responsible for ensuring that we continually comply with data protection regulations and, as such, will carry out regular inspections. You can contact our data controller as follows:

Contact form:
https://www.dsextern.de/anfragen

DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
Frapanweg 22
D-22589 Hamburg

3 PURPOSE OF DATA COLLECTION, LEGAL BASIS, INTERESTS AND CATEGORY OF RECIPIENTS

3.1 Accessing our website/application

When accessing our website/application, information is sent automatically to the server of our website/application by the browser used by your end device and temporarily stored in a so-called log file. We have no influence on this. The following information will also be collected without your intervention and stored until automated erasure after seven days.

  1. IP address of the requesting Internet-enabled device,
  2. Date and time of access,
  3. Name and URL of the file retrieved,
  4. Website/Application from which the access was made (referrer URL),
  5. Browser used and, if necessary, the operating system of your Internet-enabled computer
  6. Name of your access provider
  7. Language, country, city
  8. Screen resolution
  9. Demographic characteristics: Age, gender
  10. Search term

The legal basis is Article 6 (1f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point it must be noted that in no event shall we use the captured data for the purpose of drawing conclusions with regard to your identity.

The IP address of your device and the other data listed above are used by us for:

  1. Ensuring smooth connection set-up,
  2. Ensuring comfortable use of our website/application,
  3. Evaluating system security and stability as well as
  4. for further administrative purposes

Furthermore, we use cookies, tracking tools and targeting procedures for our website/application. The exact procedures and how your data is used for this purpose is explained in detail in section 3.3.4.

If you have consented to so-called geolocation in your browser or in the operating system or other settings of your device, we shall not use this function. If necessary, you will be offered individual services based on your current location by the search machines being used by you or other online service providers.

3.2 Conclusion, execution or termination of a contract

3.2.1 Data processing upon conclusion of a contract

The object of ISM is the rendering of services, the distance selling of goods, the retail trade within the framework of the officially issued permits and the serial production of the goods to be offered. In this context, we process the data required to complete, execute or terminate a contract. This includes:

  1. Last name / Maiden name
  2. First name
  3. Place of birth
  4. Country of birth
  5. Date of birth
  6. Gender
  7. Nationality
  8. Address(es)
  9. Email address(es)
  10. Entry date
  11. Billing and payment data
  12. Phone number(s)
  13. Course
  14. Further booked courses (e.g. preliminary courses)
  15. Examination registrations
  16. Examination results
  17. Study agreement
  18. If available, further supplementary documents for the study agreement

The legal basis for this is Article 6 (1b) GDPR. Provided that we are not processing your contact details for marketing purposes (see 3.3 below), we will store the data collected for the purpose of executing the contract until the expiry of the statutory or, if applicable, contractual warranty and guarantee rights. After this period has expired, we will store the information which relates to the contractual relationship and is required under commercial and tax law for the periods of time stipulated by law. During this period of time (usually ten years from the date of contract conclusion), the data will only be processed again if it needs to be checked by the tax authorities.

Furthermore, the data stated above is transferred to overseas partner universities as part of your mandatory semester abroad.

3.2.2 Identity, credit check and transfer of data to rating and debt collection agencies

If necessary, we verify your identity by using information from service providers. The legal basis for this is Article 6 (1b and 1f) GDPR. We are entitled to do this to protect your identity and to avoid attempted fraud at our expense. The circumstance and the result of our enquiry will be added to your customer account or guest account for the duration of the contractual relationship.

In the course of the ordering process, we will also check your credit rating to only show you the payment methods that you can use. For this purpose, we transmit the following data to so-called rating agencies that cooperate with us: Name, address, date of birth. The processing of your contact data takes place here on the basis of your consent pursuant to Article 6 (1a) GDPR:

I hereby agree to my credit-worthiness being checked by ISM. I am aware that checks are already performed at the start of the order process and that I can withdraw my consent at any time.

Using the address specified under “Contact”, you may revoke your consent at any time with future effect. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to such withdrawal. If you do not wish to grant the aforesaid consent, please notify us accordingly before completing your purchase or use the guest order option. In this case, we can only offer you prepayment options that are not related with a credit risk for ISM. The circumstance and the result of our enquiry will be added to your customer account for the duration of the contractual relationship.

If you have already bought items from us, your data stored by us about you can be supplemented by so-called scores. Scoring is the process of making predictions about future events based on information gathered and past experiences. Based on the data stored about you, you will be assigned to statistical groups of people with similar entries in the past. The underlying method used is a well-founded, long-proven, mathematical-statistical method for predicting risk probabilities.

In the event of a delay in payment, we submit the necessary data to a company commissioned with the assertion of the claim, provided the other legal requirements exist. Legal bases for this are both Article 6 (1b) and Article 6 (1f) GDPR. The assertion of a contractual claim is to be regarded as a legitimate interest within the meaning of the second-named provision. If the other legal requirements are met, we also provide information on the payment delay or any default on loans to rating agencies that cooperate with us. The legal basis for this is Article 6 (1f) GDPR. The legitimate interest which this requires arises from our and third parties’ interest in reducing contract risks for future contracts.

To settle outstanding debts, we shall transfer this function to a debt collection agency and forward any data, as required to collect outstanding sums, to the debt collection agency commissioned by us. The debt collection agency initially investigates legitimacy of debt recovery and the debtor can expect to be contacted by the debt collection agency by post or, if necessary, also by phone. Finally, if the debt remains unpaid, the debt collection agency will serve the debtor with a summons and complaint which begins the legal lawsuit process. In this case, debtors are faced with the threat of foreclosure and the repossession of valuable assets.

3.2.3 Data transmission to partner companies

ISM transfers data collected when applying for a place at the university (pursuant to 3.2.1) as a CV with relevant attachments to qualified partner companies in order to provide dual study or part-time students with advance support in their search for a respective dual study place or partner. The data is transferred to partners for the purpose of the application procedure only. This data is erased upon completion of the application procedure or course of study, insofar as longer retention periods do not have to be observed under applicable laws.

3.3 Data processing for advertising purposes

3.3.1 Advertising purposes of ISM and third parties

As far as you have concluded a contract with us, we will register you as an existing customer. In this case, we process your name and address in order to send you information about new products and services. We reserve the right to transmit your postal contact data to contract partners as service providers who we have selected particularly carefully so that they can also inform you about new and similar ISM products.

3.3.2 Advertising in line with your interests

To ensure that you only receive information that is of interest to you, we categorise and supplement your customer profile with further information. Both statistical information and information about you (e.g. basic data of your customer profile) are used for this purpose. The aim is to provide you with advertising that is solely oriented towards your actual or supposed needs and not to bother you with uninteresting advertising.

The legal basis for the said data processing is Article 6 (1f) GDPR. In this context, the processing of existing customer data for our own advertising purposes or the advertising purposes of a third party qualifies as legitimate interest.

3.3.3 Right to object

You can object to data processing for the aforementioned purposes at any time free of charge, separately for the respective communication channel and with effect for the future. All you need to do is send an email or a letter to the contact details listed under 1.

If you file an objection, the contact address concerned will be blocked for further advertising data processing. We would like to point out that in exceptional cases advertising material may still be sent temporarily after receipt of your objection. This is technically due to the necessary lead time for advertisements and does not mean that we will not implement your objection. Thank you for your understanding.

3.3.4 Cookies - general information

We use cookies in our systems on the basis of Article 6 (1f) GDPR. Our interest in optimising our website is considered to be justified in the sense of the aforementioned provision. Cookies are small files that your browser automatically creates and that are stored on your end device (laptop, tablet, smartphone, etc.) when you visit our website. Cookies do not harm your device and do not contain viruses, Trojans or other malicious software. In the cookie, pieces of information are stored, each resulting in connection to the specific end device used. However, this does not mean that we are immediately aware of your identity. The use of cookies serves to make the use of our content more pleasant for you. In addition, for the sake of usability, we also use permanent cookies that are stored on your end device for a period of 30 days. If you visit our website again to take advantage of our services, it is automatically recognised that you have already visited us and what inputs and settings you have made, so you do not have to re-enter them.

Furthermore, we use cookies in order to statistically record the use of our website and to evaluate it for the purpose of optimising our content and to display information tailored to your specific needs. These cookies allow us to automatically recognise that you have already visited us when you visit our website again. These cookies are deleted automatically after a period of 30 days. Most internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or a note always appears before a new cookie is created. However, disabling cookies completely may mean that you cannot use all the features of our website. The storage period of cookies depends on their purpose and is not the same for everyone.

3.3.5 Google Analytics

For the purpose of a design tailored to your demands and for the purpose of continuous optimisation of our website, we use Google Analytics, a web analysis service of Google Inc. ("Google"), based on Article 6 (1f) GDPR. In this context, pseudonymised user profiles are created and cookies are used. The information about your use of this website generated by the cookie, such as

  1. browser type/version,
  2. operating system used,
  3. referrer URL (the site previously visited),
  4. host name of the accessing computer (IP address),
  5. time of server enquiry,

is transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on advertising activities and to provide further services associated with the use of the website and the internet for the purposes of market research and demand-oriented design of these Internet pages. This information may also be passed on to third parties if this is required by law or if third parties process this data on behalf of Google. Under no circumstances will your IP address be associated with other data from Google. The IP addresses are anonymised so that assignment is not possible. Any data that you send and which is linked to cookies, user IDs or advertising IDs is deleted after 14 months. After each new activity, the time period is determined using the current duration plus the stated storage period.

You can prevent the use of cookies by adjusting your browser settings accordingly. However, please note that some functions of this website may not be available to their full extent in this case.

You can also prevent Google Analytics from collecting data by clicking the following link Google Analytics disable to disable Google Analytics. This sets an opt-out cookie which prevents any future collection of your data when visiting our website.

3.3.6 Targeting

The targeting measures listed below and used by us are carried out on the basis of Article 6 (1f) GDPR. We want to ensure that you are only shown advertising on your end devices that is tailored towards your actual or supposed interests through the targeting measures we employ. Not to bother you with uninteresting advertisements is in our and your interest.

3.3.6.1 Onsite-Targeting

We use cookies on our website to collect and evaluate information to optimise the display of adverts. The information collected includes details about which of our courses you have shown an interest in. The data is only collected and evaluated solely pseudonymously and does not allow us to identify you. In particular, the information is not associated with any personal data concerning you. We use the information to display offers to you on our website which are specially tailored to your interests as identified by how you have used our website to date. The cookie is automatically deleted after 30 days.

3.3.6.2 Re-Targeting

We also use re-targeting technologies from ad-servers. This enables us to tailor our online content more precisely to your interests. We do this by setting a cookie which collects pseudonymous data about your interests. This information is used to place adverts relating to our offers which match your interests. No personal data is stored and no usage profiles are associated with your personal data. The cookie is stored for a period of 30 days before being deleted automatically.

3.3.6.3 Opt-out options

You can also prevent the described targeting technologies by means of a corresponding cookie setting in your browser (also see section 3.3.4). Facebook custom audience can be deactivated using the following link: https://www.reachlocal.com/opt-out.

4 ESTABLISHING CONTACT

Pursuant to Article 8 (1), the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. By giving us your declaration of consent, we assume that you are 16 years of age or that consent has been given or authorised by the holder of parental responsibility over you.

4.1 Contact formr

4.1.1 Contact form for interested parties

We provide you with respective contact forms to facilitate establishing contact and agreeing appointments. This applies to ordering information, agreeing appointments with the student advisory service team, as well as registering for an info event and admissions test. The collected data includes, e.g.

  • First name and last name
  • Postal address
  • Email address
  • Phone number

The data collected in this context is stored by us in order to provide you with information about the respective course and the university through the channels you have selected. The data is forwarded for further processing within the university. Inactivity on your part will result in the data being erased after 36 months, unless specified otherwise by you.

4.1.2 Contact form for press contacts

We provide you with a respective contact form to register for our PR mailing list. Your data is saved by us for further processing and for communication purposes. External companies may be involved in the further processing of your data. Storage of data by the service provider may exceed the extent of this data privacy statement.

4.2 Blog

We provide the email address Diese E-Mail-Adresse ist vor Spambots geschützt! Zur Anzeige muss JavaScript eingeschaltet sein! for responses to our blog. The contact data specified in your email (at least your name and email address) shall be stored within the university in order to process your request or concern, forwarded internally and deleted after use.

4.3 Whatsapp

We allow you to use WhatsApp as a communication channel with the university. Data sent to us by WhatsApp is saved within the university and forwarded internally in order to process your request or concern. Your data will be deleted after use. Please note that different privacy policies and liability provisions apply when using external service providers such as WhatsApp. Storage and use of data by the service provider may exceed the extent of this data privacy statement.

WhatsApp is operated by:
WhatsApp Inc.
1601 Willow Road, Menlo Park
California 94025 (USA)

4.4 EMail

Data sent to us by email is saved within the university and forwarded internally in order to process your request or concern. Emails are archived within the university in line with the legal obligation to retain such data.

4.5 Opt-out option

The selected contact options may be revoked at any time.

5 VIDEO

5.1 Youtube

We embed videos on the website operated by the service provider YouTube. The videos have been embedded in the extended data protection mode. As with most websites, however, YouTube also uses cookies to collect information about visitors to its website. Among other things, YouTube uses these to capture video statistics, prevent fraud and improve user friendliness. This also establishes a connection with the Google DoubleClick network. Starting the video could trigger further data processing. We have no control over this matter. Further information about data protection at YouTube can be found in their data privacy statement at: https://www.youtube.com/t/privacy_at_youtube.

The legal basis for this is Article 6 (1f) GDPR and the EU-US Privacy Shield (https://www.privacyshield.gov/list).

5.2 Vimeo

We embed videos on the Vimeo platform. As with most websites, Vimeo also uses cookies to collect information about visitors to its website. Among other things, Vimeo uses these to improve user friendliness. Please note that different privacy policies and liability provisions apply when using external service providers such as Vimeo. Storage and use of data by the service provider may exceed the extent of this data privacy statement.

Vimeo is operated by:
Vimeo, Inc.
555 West 18th Street
New York, New York 10011

The legal basis for this is Article 6 (1f) GDPR. Information on data privacy at Vimeo can be found at: https://vimeo.com/privacy.

5.3 Media centre

If necessary, and if no other resource is available, film clips will also be embedded via media centres; the legal basis for this is Article 6 (1f) GDPR. Please note that different privacy policies and liability provisions apply when using external service providers such as media centres. Storage and use of data by the service provider may exceed the extent of this data privacy statement.

6 APPLICATIONS TO ISM

If you send us personal data as part of the application process, you can transfer the data online using our application platform. The basis for this is an agreement on order processing. Any personal data sent to us is divided into the following types of data and data categories for collecting, processing or utilising data:

  • Personal data (first and last name, date of birth, address, school leaving certificate)
  • Communication data (phone no., mobile no., fax no., email address)
  • Rating data (from third parties, e.g. rating agencies, or from public directories)
  • Data concerning the evaluation and assessment during the application procedure
  • Data about education and training (school education, vocational training, compulsory community/national service, study courses, doctoral degree)
  • Data about professional career to date, vocational training and references
  • Details about other qualifications (e.g. language skills, PC knowledge, voluntary activities)
  • Application photo
  • Details of remuneration expectations
  • Application history

Your personal data sent to us is used exclusively within the ESO Education Group to process your application for the advertised position. Your personal data is only accessible to persons who are involved in the application process. All members of staff involved with the processing of data confirm their agreement to treat your data in the strictest confidence. We do not share your personal data with third parties unless you have given us your express consent to do so or we are required by law and/or regulatory or court orders to do so. An application will create an account in our career portal where you can view and manage your application. During the application process you will have the opportunity to assess the application procedure and our company online with the provider softgarden e-recruiting GmbH. This feedback may be published on the assessment platforms of softgarden and kununu GmbH.

Your data will be deleted automatically within 6 months of the specific application process being completed. This does not apply if statutory provisions contradict deletion, continued storage is required for the purpose of furnishing proof or you have expressly agreed to a longer storage period.

If you have decided to join the Talent Pool, all members of the ESO Education Group can access your personal data should potential vacancies arise. It is possible to join the Talent Pool by accepting the invitation of a recruiter or pro-actively using the “Get into contact” form.

7 RECIPIENTS OUTSIDE THE EU

7.1 Data processing for advertising purposes

The processing activities described in section 3.3 result in data being transferred to the servers of the providers of tracking and/or targeting technologies commissioned by us. These servers are located in the USA.

7.2 Data processing at overseas universities

In addition to the processing of data described in section 3.2, we transfer your personal data to overseas universities located outside the European Union or the European Economic Area if this is necessary to plan and accomplish overseas study in a non-European country as part of your course of study at ISM.4>

8 YOUR RIGHTS

8.1 Overview

Besides the right to withdraw your consent given to us, you also have the following rights, when the respective legal conditions are extant:

  1. Right to information regarding your personal data stored by us pursuant to Article 15 GDPR,
  2. Right to rectification of erroneous or to completion of correct data pursuant to Article 16 GDPR,
  3. Right to erasure of your data stored by us pursuant to Article 17 GDPR,
  4. Right to restrict the processing of your data pursuant to Article 18 GDPR,
  5. Right to data portability pursuant to Article 20 GDPR.

8.2 Right to object

The above mentioned general right to object applies to all purposes for processing described in this data privacy information that are processed on the basis of Article 6 (1f) GDPR. In contrast to the special right to object to data processing for marketing purposes (see 3.3.3 above), we are, according to GDPR, only obliged to implement such a general right to object if you can provide grounds of superordinate importance (e.g. a possible risk to life or health). In addition, the possibility exists to contact a supervisory authority or the data controller.

9 DATA SECURITY

All data transmitted by you personally, including your payment data, is transferred with the generally normal and secure standard SSL (Secure Socket Layer). SSL is a secure and trusted standard, which is also used in online banking, for example. Among other things, you can recognise a secure SSL connection by the attached s in the http (for example https://…) in the address list of your browser or by the lock symbol in the lower part of your browser.

We also use suitable technical and organisational security measures in order to protect your personal data saved by us against manipulation, partial or complete loss or unauthorised third-party access. We endeavour to constantly improve our security measures in line with technical developments. Data exchange between the server and a computer (client) accessing the server is secured by SSL certificates with the secure hash algorithm SHA-256. This applies to www.ism.de, en.ism.de und blog.ism.de.