The provisions of the EU General Data Protection Regulation (hereinafter referred to as: GDPR) are applicable throughout Europe. Please read our data privacy statement carefully.
The following data privacy notices inform you about how and to which extent personal data is processed by ISM International School of Management GmbH (hereinafter referred to as: ISM). Which individual data is processed and how the data is used depends substantially on the services you desire and have agreed. Therefore, not all parts of this information will apply to you. Personal data relates to information that is or can be directly or indirectly attributed to your person.
Data processing at ISM can be divided into two basic categories:
- For contract processing purposes, all data will be processed that is necessary for the implementation of a contract with ISM. If external service providers are also involved in the execution of the contract, for instance logistics companies, your data will be transferred to them to the extent necessary.
- When you access the website/application of ISM, certain information is exchanged between your end device and our server. This may also be personal data. Data collected in this way can, for instance, be used to optimise our website or to display advertising in the browser of your end device.
In accordance with the guidelines of GDPR, you have various rights which you can claim in relation to us. Among other things, this includes the right to raise an objection in relation to selected data processing, in particular for advertising purposes. The option to raise an objection is available in typographical form.
The websites are hosted on external servers in Europe and are thus subject to applicable European safety regulations; the legal basis for this are the processing regulations pursuant to Article 28 GDPR.
2 CONTACT DATA AND RIGHT TO INFORMATION
This data privacy statement applies to data processing by ISM International School of Management GmbH, Otto-Hahn-Strasse 19, D-44227 Dortmund, and for the following websites and/or applications: www.ism.de, en.ism.de and blog.ism.de.
We have appointed Marc Althaus as our external data controller. He shall be responsible for ensuring that we continually comply with data protection regulations and, as such, will carry out regular inspections. You can contact our data controller as follows:
DS EXTERN GmbH
Dipl.-Kfm. Marc Althaus
3 PURPOSE OF DATA COLLECTION, LEGAL BASIS, INTERESTS AND CATEGORY OF RECIPIENTS
3.1 Accessing our website/application
When accessing our website/application, information is sent automatically to the server of our website/application by the browser used by your end device and temporarily stored in a so-called log file. We have no influence on this. The following information will also be collected without your intervention and stored until automated erasure after seven days.
- IP address of the requesting Internet-enabled device,
- Date and time of access,
- Name and URL of the file retrieved,
- Website/Application from which the access was made (referrer URL),
- Browser used and, if necessary, the operating system of your Internet-enabled computer
- Name of your access provider
- Language, country, city
- Screen resolution
- Demographic characteristics: Age, gender
- Search term
The legal basis is Article 6 (1f) GDPR. Our legitimate interest follows from the purposes of data collection listed below. At this point it must be noted that in no event shall we use the captured data for the purpose of drawing conclusions with regard to your identity.
The IP address of your device and the other data listed above are used by us for:
- Ensuring smooth connection set-up,
- Ensuring comfortable use of our website/application,
- Evaluating system security and stability as well as
- for further administrative purposes
If you have consented to so-called geolocation in your browser or in the operating system or other settings of your device, we shall not use this function. If necessary, you will be offered individual services based on your current location by the search machines being used by you or other online service providers.
3.2 Conclusion, execution or termination of a contract
3.2.1 Data processing upon conclusion of a contract
The object of ISM is the rendering of services, the distance selling of goods, the retail trade within the framework of the officially issued permits and the serial production of the goods to be offered. In this context, we process the data required to complete, execute or terminate a contract. This includes:
- Last name / Maiden name
- First name
- Place of birth
- Country of birth
- Date of birth
- Email address(es)
- Entry date
- Billing and payment data
- Phone number(s)
- Further booked courses (e.g. preliminary courses)
- Examination registrations
- Examination results
- Study agreement
- If available, further supplementary documents for the study agreement
The legal basis for this is Article 6 (1b) GDPR. Provided that we are not processing your contact details for marketing purposes (see 3.3 below), we will store the data collected for the purpose of executing the contract until the expiry of the statutory or, if applicable, contractual warranty and guarantee rights. After this period has expired, we will store the information which relates to the contractual relationship and is required under commercial and tax law for the periods of time stipulated by law. During this period of time (usually ten years from the date of contract conclusion), the data will only be processed again if it needs to be checked by the tax authorities.
Furthermore, the data stated above is transferred to overseas partner universities as part of your mandatory semester abroad.
3.2.2 Identity, credit check and transfer of data to rating and debt collection agencies
If necessary, we verify your identity by using information from service providers. The legal basis for this is Article 6 (1b and 1f) GDPR. We are entitled to do this to protect your identity and to avoid attempted fraud at our expense. The circumstance and the result of our enquiry will be added to your customer account or guest account for the duration of the contractual relationship.
In the course of the ordering process, we will also check your credit rating to only show you the payment methods that you can use. For this purpose, we transmit the following data to so-called rating agencies that cooperate with us: Name, address, date of birth. The processing of your contact data takes place here on the basis of your consent pursuant to Article 6 (1a) GDPR:
I hereby agree to my credit-worthiness being checked by ISM. I am aware that checks are already performed at the start of the order process and that I can withdraw my consent at any time.
Using the address specified under “Contact”, you may revoke your consent at any time with future effect. Withdrawal of consent does not affect the lawfulness of the processing of personal data prior to such withdrawal. If you do not wish to grant the aforesaid consent, please notify us accordingly before completing your purchase or use the guest order option. In this case, we can only offer you prepayment options that are not related with a credit risk for ISM. The circumstance and the result of our enquiry will be added to your customer account for the duration of the contractual relationship.
If you have already bought items from us, your data stored by us about you can be supplemented by so-called scores. Scoring is the process of making predictions about future events based on information gathered and past experiences. Based on the data stored about you, you will be assigned to statistical groups of people with similar entries in the past. The underlying method used is a well-founded, long-proven, mathematical-statistical method for predicting risk probabilities.
In the event of a delay in payment, we submit the necessary data to a company commissioned with the assertion of the claim, provided the other legal requirements exist. Legal bases for this are both Article 6 (1b) and Article 6 (1f) GDPR. The assertion of a contractual claim is to be regarded as a legitimate interest within the meaning of the second-named provision. If the other legal requirements are met, we also provide information on the payment delay or any default on loans to rating agencies that cooperate with us. The legal basis for this is Article 6 (1f) GDPR. The legitimate interest which this requires arises from our and third parties’ interest in reducing contract risks for future contracts.
To settle outstanding debts, we shall transfer this function to a debt collection agency and forward any data, as required to collect outstanding sums, to the debt collection agency commissioned by us. The debt collection agency initially investigates legitimacy of debt recovery and the debtor can expect to be contacted by the debt collection agency by post or, if necessary, also by phone. Finally, if the debt remains unpaid, the debt collection agency will serve the debtor with a summons and complaint which begins the legal lawsuit process. In this case, debtors are faced with the threat of foreclosure and the repossession of valuable assets.
3.2.3 Data transmission to partner companies
ISM transfers data collected when applying for a place at the university (pursuant to 3.2.1) as a CV with relevant attachments to qualified partner companies in order to provide dual study or part-time students with advance support in their search for a respective dual study place or partner. The data is transferred to partners for the purpose of the application procedure only. This data is erased upon completion of the application procedure or course of study, insofar as longer retention periods do not have to be observed under applicable laws.
3.3 Data processing for advertising purposes
3.3.1 Advertising purposes of ISM and third parties
As far as you have concluded a contract with us, we will register you as an existing customer. In this case, we process your name and address in order to send you information about new products and services. We reserve the right to transmit your postal contact data to contract partners as service providers who we have selected particularly carefully so that they can also inform you about new and similar ISM products.
3.3.2 Advertising in line with your interests
To ensure that you only receive information that is of interest to you, we categorise and supplement your customer profile with further information. Both statistical information and information about you (e.g. basic data of your customer profile) are used for this purpose. The aim is to provide you with advertising that is solely oriented towards your actual or supposed needs and not to bother you with uninteresting advertising.
The legal basis for the said data processing is Article 6 (1f) GDPR. In this context, the processing of existing customer data for our own advertising purposes or the advertising purposes of a third party qualifies as legitimate interest.
3.3.3 Right to object
You can object to data processing for the aforementioned purposes at any time free of charge, separately for the respective communication channel and with effect for the future. All you need to do is send an email or a letter to the contact details listed under 1.
If you file an objection, the contact address concerned will be blocked for further advertising data processing. We would like to point out that in exceptional cases advertising material may still be sent temporarily after receipt of your objection. This is technically due to the necessary lead time for advertisements and does not mean that we will not implement your objection. Thank you for your understanding.
3.3.4 Cookies - general information
188.8.131.52 Cookie Consent with Usercentrics
This website uses cookie consent technology from Usercentrics to obtain your consent to store certain cookies on your terminal device or to use certain technologies, and to document this consent in a manner that complies with data protection laws.
Operator of Usercentrics:
When you enter our website, the following personally identifiable information is transferred to Usercentrics:
- Your consent(s) or withdrawal of consent(s).
- Information about your browser.
- Information about your terminal device.
- Time of your visit to the website.
Furthermore, Usercentrics stores a cookie in your browser in order to be able to assign the consents granted to you or their revocation. The data collected in this way will be stored until you request us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory legal storage obligations remain unaffected.
Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para. 1 p. 1 lit. c DSGVO.
184.108.40.206 Prevent the setting of cookies
If you wish to prevent the setting of cookies, you can - in addition to or instead of our cookie consent solution - set cookies on the website in a more general way:
However, if you choose to decline cookies, you may not be able to access some of the features of our website (or services on other websites) or use some of the features of our website. Also, cookies usually need to be enabled in order to be able to object to the use of programs/usages (because of the setting of his objection (opt-out) cookies).
3.3.5 Google Analytics
For the purpose of a design tailored to your demands and for the purpose of continuous optimisation of our website, we use Google Analytics, a web analysis service of Google Inc. ("Google"), based on Article 6 (1f) GDPR. In this context, pseudonymised user profiles are created and cookies are used. The information about your use of this website generated by the cookie, such as
- browser type/version,
- operating system used,
- referrer URL (the site previously visited),
- host name of the accessing computer (IP address),
- time of server enquiry,
is transferred to a Google server in the USA and stored there. The information is used to evaluate the use of the website, to compile reports on advertising activities and to provide further services associated with the use of the website and the internet for the purposes of market research and demand-oriented design of these Internet pages. This information may also be passed on to third parties if this is required by law or if third parties process this data on behalf of Google. Under no circumstances will your IP address be associated with other data from Google. The IP addresses are anonymised so that assignment is not possible. Any data that you send and which is linked to cookies, user IDs or advertising IDs is deleted after 14 months. After each new activity, the time period is determined using the current duration plus the stated storage period.
Google Signals: Cross-device reports contain aggregate data only. Individual user data is will not be reported.
220.127.116.11 Google Optimize
On our website we use the web analysis and optimization service "Google Optimize", which is provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (hereinafter "Google Optimize"). We use the Google Optimize service to enhance the attractiveness, content and functionality of our website by bringing new features and content to a percentage of our users and statistically evaluating changes in usage. Google Optimize is a sub-service of Google Analytics (see section Google Analytics).
You can prevent the installation of cookies by adjusting the browser software accordingly; however, we would like to point out that in this case not all functions of this website can be used to their full extent. You can find more detailed information about data collection and processing by Google in the Google data protection information, which you can call up at https://policies.google.com/privacy?hl=en.
3.3.6 Google Tag Manager
This website uses Google Tag Manager.
Operator of Google Tag Manager:
1600 Amphitheatre Parkway
Mountain View, California 94043 (USA)
Through this service, website tags can be managed through one interface. The Google Tool Manager only implements tags. This means that no cookies are used and no personal data is collected.
The Google Tool Manager is a tool for managing website tags.
The Google Tool Manager triggers other tags, which in turn may collect data. However, the Google Tag Manager does not access this data. If a deactivation has been made at the domain or cookie level, it remains in place for all tracking tags, insofar as these are implemented with the Google Tag Manager.
The targeting measures listed below and used by us are carried out on the basis of Article 6 (1f) GDPR. We want to ensure that you are only shown advertising on your end devices that is tailored towards your actual or supposed interests through the targeting measures we employ. Not to bother you with uninteresting advertisements is in our and your interest.
We also use re-targeting technologies from ad-servers. This enables us to tailor our online content more precisely to your interests. We do this by setting a cookie which collects pseudonymous data about your interests. This information is used to place adverts relating to our offers which match your interests. No personal data is stored and no usage profiles are associated with your personal data. The cookie is stored for a period of 30 days before being deleted automatically.
18.104.22.168 Opt-out options
You can also prevent the described targeting technologies by means of a corresponding cookie setting in your browser (also see section 3.3.4). Facebook custom audience can be deactivated using the following link: https://www.reachlocal.com/opt-out.
4 ESTABLISHING CONTACT
Pursuant to Article 8 (1), the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. By giving us your declaration of consent, we assume that you are 16 years of age or that consent has been given or authorised by the holder of parental responsibility over you.
4.1 Contact forms
4.1.1 Contact form for interested parties
We provide you with respective contact forms to facilitate establishing contact and agreeing appointments. This applies to ordering information, agreeing appointments with the student advisory service team, as well as registering for an info event and admissions test. The collected data includes, e.g.
- First name and last name
- Postal address
- Email address
- Phone number
The data collected in this context is stored by us in order to provide you with information about the respective course and the university through the channels you have selected. The data is forwarded for further processing within the university. Inactivity on your part will result in the data being erased after 36 months, unless specified otherwise by you.
4.1.2 Cooperation with external Internet portals
Cooperation with Studyportals
We work in cooperation with the external study portal Studyportals. Information on data protection for Studyportals can be found here: https://studyportals.com/about-us/privacy-2/.
In order that the service (placement of an interested party) of Studyportals to ISM can be invoiced on a performance-related basis, a code of Studyportals is integrated into our application form. When you fill out our application form, the following data will be collected:
- Time of the call of the website (request to the server of the host provider)
- URL of the web page from which the web page was called
- IP address
The above mentioned data is transmitted to the service provider clickmeter and its host Amazon Web Services and processed there. This may also involve a transfer to countries outside the EU, especially the USA.
Information on the listing of Amazon Web Services in the EU-US Privacy Shield can be found here: https://www.privacyshield.gov/participant?id=a2zt0000000TOWQAA4
Information about Amazon Web Services data protection can be found here: https://aws.amazon.com/de/privacy/?nc1=f_pr
Information about clickmeters data protection can be found here: https://www.clickmeter.com/privacy-policy
The purpose of this processing is the performance-related billing of successful mediations between study portals and ISM. The legal basis for the data processing is the service contract and thus Article 6 (1 b) GDPR as well as the legitimate interest of ISM according to Article 6 (1 f) GDPR. ISM has a legitimate interest in obtaining control over the actual mediations via Studyportals.
4.1.3 Contact form for press contacts
We provide you with a respective contact form to register for our PR mailing list. Your data is saved by us for further processing and for communication purposes. External companies may be involved in the further processing of your data. Storage of data by the service provider may exceed the extent of this data privacy statement.
4.1.4 Google reCaptcha
We allow you to use WhatsApp as a communication channel with the university. Data sent to us by WhatsApp is saved within the university and forwarded internally in order to process your request or concern. Your data will be deleted after use. Please note that different privacy policies and liability provisions apply when using external service providers such as WhatsApp. Storage and use of data by the service provider may exceed the extent of this data privacy statement.
WhatsApp is operated by:
1601 Willow Road, Menlo Park
California 94025 (USA)
Data sent to us by email is saved within the university and forwarded internally in order to process your request or concern. Emails are archived within the university in line with the legal obligation to retain such data.
4.5 Opt-out option
The selected contact options may be revoked at any time.
The legal basis for this is Article 6 (1f) GDPR and the EU-US Privacy Shield (https://www.privacyshield.gov/list).
5.2 Media centre
If necessary, and if no other resource is available, film clips will also be embedded via media centres; the legal basis for this is Article 6 (1f) GDPR. Please note that different privacy policies and liability provisions apply when using external service providers such as media centres. Storage and use of data by the service provider may exceed the extent of this data privacy statement.
To conduct lectures, online meetings, video conferences and/or webinars (in the following online meetings) we use the web conference software Zoom.
Zoom is operated by:
Zoom Video Communications, Inc.
55 Almaden Blvd, Suite 600,
San Jose, California 95113 (USA)
As far as you call up the internet page of Zoom, the operator of Zoom is responsible for the data processing. However, calling up the internet page is only necessary for the use of Zoom in order to download the software for the use of Zoom. You can also use Zoom if you enter the respective meeting ID and, if necessary, other access data for the meeting directly in the Zoom app. If you cannot or do not want to use the Zoom app, the basic functions can also be used via a browser version, which you can also find on the Zoom website.
When using Zoom, different types of data are processed. The scope of the data depends on the data you provide before or during participation in an online meeting. The following personal data are subject to processing:
- For online meetings: first name and surname, if applicable, subject of the meeting and description, participant IP addresses and device/hardware information
- On record: MP4 file of all video, audio and presentation recordings, M4A file of all audio recordings, text file of online meeting chat.
- When dialing in by phone: information on incoming and outgoing phone number, country name, start and end time. If necessary, further connection data such as the IP address of the device can be saved.
- Text, audio and video: You may be able to use the chat, question or survey features in an online meeting. To this extent, the text entries you make are processed in order to display and, if necessary, log them in the "online meeting". In order to enable the display of video and the playback of audio, the data from the microphone of your terminal device and from any video camera of the terminal device will be processed for the duration of the meeting. You can switch off or mute the camera or microphone yourself at any time using the zoom applications.
To take part in an online meeting or to enter the "meeting room", you must at least provide information about your name. If we want to record online meetings, we will inform you transparently in advance and - if necessary - ask for your consent. The fact of the recording will also be displayed in the zoom app.
If necessary for the purposes of documenting the results of an online meeting, we will log the chat content. However, this will usually not be the case. For purposes of recording and follow-up of online meetings, we may also process questions asked by webinar participants.
If you are registered as Zoom user, reports on online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, survey function in webinars) can be stored for up to one month at Zoom.
The existing option of software-based "attention monitoring" ("attention tracking") is deactivated. An automated decision making process in the sense of Article 22 GDPR is not used.
Personal data processed in connection with participation in online meetings are generally not passed on to third parties, unless they are specifically intended to be passed on. Please note that content from online meetings, as well as personal meetings, often used to communicate information with customers, interested parties or third parties and is therefore intended for disclosure.
The provider of Zoom necessarily obtains knowledge of the above-mentioned data, as far as this is provided for in our contract processing agreement with Zoom.
In order to give students the opportunity to view online meetings at other times and time zones, these are recorded on voluntary basis. Recorded online meetings will be deleted after one week. The lecturer has to activate the recording of his course himself.
Zoom is a service provided by a provider from the USA. Processing of personal data therefore also takes place in a third country. We have concluded an order processing contract with the provider of Zoom. An appropriate level of data protection is guaranteed on the one hand by the "Privacy Shield" certification of Zoom Video Communications, Inc. but also by the conclusion of the EU standard contract clauses.
The legal basis of the data processing is Article 6 (1 b) and (f) GDPR and the EU-US Privacy Shield (https://www.privacyshield.gov/list). Information on data protection at Zoom can be found here: https://zoom.us/docs/de-de/privacy-and-legal.html
6 APPLICATIONS TO ISM
If you send us personal data as part of the application process, you can transfer the data online using our application platform. The basis for this is an agreement on order processing. Any personal data sent to us is divided into the following types of data and data categories for collecting, processing or utilising data:
- Personal data (first and last name, date of birth, address, school leaving certificate)
- Communication data (phone no., mobile no., fax no., email address)
- Rating data (from third parties, e.g. rating agencies, or from public directories)
- Data concerning the evaluation and assessment during the application procedure
- Data about education and training (school education, vocational training, compulsory community/national service, study courses, doctoral degree)
- Data about professional career to date, vocational training and references
- Details about other qualifications (e.g. language skills, PC knowledge, voluntary activities)
- Application photo
- Details of remuneration expectations
- Application history
Your personal data sent to us is used exclusively within the ESO Education Group to process your application for the advertised position. Your personal data is only accessible to persons who are involved in the application process. All members of staff involved with the processing of data confirm their agreement to treat your data in the strictest confidence. We do not share your personal data with third parties unless you have given us your express consent to do so or we are required by law and/or regulatory or court orders to do so. An application will create an account in our career portal where you can view and manage your application. During the application process you will have the opportunity to assess the application procedure and our company online with the provider softgarden e-recruiting GmbH. This feedback may be published on the assessment platforms of softgarden and kununu GmbH.
Your data will be deleted automatically within 6 months of the specific application process being completed. This does not apply if statutory provisions contradict deletion, continued storage is required for the purpose of furnishing proof or you have expressly agreed to a longer storage period.
If you have decided to join the Talent Pool, all members of the ESO Education Group can access your personal data should potential vacancies arise. It is possible to join the Talent Pool by accepting the invitation of a recruiter or pro-actively using the “Get into contact” form.
7 RECIPIENTS OUTSIDE THE EU
7.1 Data processing for advertising purposes
The processing activities described in section 3.3 result in data being transferred to the servers of the providers of tracking and/or targeting technologies commissioned by us. These servers are located in the USA.
7.2 Data processing at overseas universities
In addition to the processing of data described in section 3.2, we transfer your personal data to overseas universities located outside the European Union or the European Economic Area if this is necessary to plan and accomplish overseas study in a non-European country as part of your course of study at ISM.
8 YOUR RIGHTS
Besides the right to withdraw your consent given to us, you also have the following rights, when the respective legal conditions are extant:
- Right to information regarding your personal data stored by us pursuant to Article 15 GDPR,
- Right to rectification of erroneous or to completion of correct data pursuant to Article 16 GDPR,
- Right to erasure of your data stored by us pursuant to Article 17 GDPR,
- Right to restrict the processing of your data pursuant to Article 18 GDPR,
- Right to data portability pursuant to Article 20 GDPR.
8.2 Right to object
The above mentioned general right to object applies to all purposes for processing described in this data privacy information that are processed on the basis of Article 6 (1f) GDPR. In contrast to the special right to object to data processing for marketing purposes (see 3.3.3 above), we are, according to GDPR, only obliged to implement such a general right to object if you can provide grounds of superordinate importance (e.g. a possible risk to life or health). In addition, the possibility exists to contact a supervisory authority or the data controller.
9 DATA SECURITY
All data transmitted by you personally, including your payment data, is transferred with the generally normal and secure standard SSL (Secure Socket Layer). SSL is a secure and trusted standard, which is also used in online banking, for example. Among other things, you can recognise a secure SSL connection by the attached s in the http (for example https://…) in the address list of your browser or by the lock symbol in the lower part of your browser.
We also use suitable technical and organisational security measures in order to protect your personal data saved by us against manipulation, partial or complete loss or unauthorised third-party access. We endeavour to constantly improve our security measures in line with technical developments. Data exchange between the server and a computer (client) accessing the server is secured by SSL certificates with the secure hash algorithm SHA-256. This applies to www.ism.de, en.ism.de und blog.ism.de.