Data Protection Guidelines - Carl Duisberg Centren – German Courses

§ 1 – General information about the processing of personal data

(1) In the following, we, the Carl Duisberg Centren, will inform you about the personal data of our customers and contractors that we collect and process in connection with the delivery of our German courses, summer camps, and accompanying services. “Personal data” means any information that can be related to you personally, e.g. name, addresses, or information about physical features.

(2) The controller in accordance with Article 4 No. 7 General Data Protection Regulation (hereinafter referred to as “GDPR”) is:
Carl Duisberg Centren gemeinnützige GmbH
Hansaring 49 – 51
50670 Cologne
Germany
info@cdc.de

(3) The data protection officer is:
Franz-Henning Ritschel, Assessor iuris
Carl Duisberg Centren gemeinnützige GmbH
Hansaring 49 – 51
50670 Cologne
Germany
datenschutz@cdc.de

§ 2 – Your rights

(1) You have the following rights regarding your personal data that we control:
a) Right to information
b) Right to rectification or deletion
c) Right to restriction of processing
d) Right to withdraw consent – please also note § 5 No. 12 of these guidelines
e) Right to object to processing according to the conditions detailed in §7 of these guidelines.
f) Right to data portability

(2) To exercise your rights, you can contact us at any time by using the contact details provided above in §1 of these guidelines or the contact form on our website.

(3) In addition, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The data protection supervisory authority responsible for oversight of CDC is:
Landesbeauftragte für den Datenschutz und
Informationsfreiheit Nordrhein-Westfalen
Kavalleriestraße 2 – 4
40213 Düsseldorf
Germany

§ 3 – Collection of personal data, data processing for the purpose of fulfilling statutory and contractual obligations

(1) We only process the personal data that you have actively provided us. The data are collected at informational events, when you make your initial inquiry, in the context of individual advising, when you submit an application to work as a teacher, when you register for or book a course, program, or exam, when you register for our electronic learning management system (course participant online portal), when you use the online portal and the e-learning offers available there, when you take a placement test. Data may also be collected when you register for a free-time activity or service consultations where additional data collection is necessary.

(2) Certain personal data, e.g. name and invoice address, are processed in order to comply with legal obligations, e.g. tax law. The processing of the remaining personal data is necessary to allow us to do the following:
a) to check which German course and accompanying services we are able to offer you that fit you needs and for which you meet the prerequisites;
b) to organize and deliver German courses and services you have booked according to the terms of the contract we have concluded with you, which is also necessary before we can contact, select, and book the appropriate teachers for the courses.

(3) The following personal data may be collected:
a) Names
b) Addresses (permanent and temporary)
c) Telephone numbers
d) If applicable, email addresses
e) Date and place of birth / age
f) Gender
g) Information about family relationships
h) Nationality
i) Passport number and/or national ID number
j) Information about visa and immigration status
k) Arrival and departure dates
l) Preferences/dislikes/special requests, e.g. vegetarian
m) Health data
n) Information about education and training
o) Language levels
p) Courses you are interested in / require
q) Course location, course duration
r) Course attendance
s) Test results and other course assessments
t) If applicable, photo data (event photos / advertising photos)
u) If applicable, data from social networks (Facebook)
v) Information about insurance
w) In addition, the following data will be only collected from teachers:
aa) Marital status
bb) Information about the professional services offered
cc) Salary information
dd) Bank and account data
ee) If applicable, evaluations of the quality of teaching
ff) If applicable, fax number
gg) If applicable, information about private motor vehicle

(4) Should you elect to not provide the required personal data, we will as a consequence not be able to offer you some or all of our services, or in the case of teachers, we will not be able to offer you a contract to work as a teacher.

(5) The legal basis for the data processing conducted as described in §3 No. 2 Sentence 1 of these guidelines is for compliance with legal obligations in accordance with Article 6 No. 1 Subsection 1 c) GDPR. The legal basis for the data processing conducted as described in §3 No. 2 Sentence 2 of these guidelines is to carry out precontractual measures or to fulfill our contractual obligations in accordance with Article 6 No. 1 Subsection 1 b) GDPR. The legal basis for the data processing of health data is always derived from express consent of the data subject in accordance with Article 9 No. 2 a) GDPR.

§ 4 – Transfer of personal data

(1) We only transfer/disclose personal data to third parties in the following cases and only to the extent that is necessary to fulfill the particular purpose for which the data was collected:
a) Our bank, domiciled in Germany, receives only the payment data that is necessary for processing payments (name, IBAN and where applicable BIC, payment amount, and payment reference).
b) Should you choose to pay using PayPal and you are logged on to your PayPal account, the company PayPal (Europe) S.à r.l. et Cie, S.C.A. (PayPal), domiciled in Luxemburg, automatically collects payment data (see above) and connection data as well as the delivery address in order to process payments. You can restrict data processing conducted by PayPal by adjusting the settings in your PayPal account.
c) Customers’ personal data that is necessary for delivery of the teaching or for directing the e-learning will be passed on or disclosed to the teachers. When we contract teachers to work for us, we conclude a so-called joint controller agreement that governs our joint roles relating to data protection in accordance with Article 26 GDPR. Among other points, this joint controller agreement obliges the teacher to keep customer data confidential, to delete customer data in a timely manner, and to implement the necessary technical and organizational measures to ensure the safety of customer data.
d) If customers have authorized the Carl Duisberg Centren to book services from third-party providers, in particular travel operators in connection with a booking for a language camp, the required personal data of the customers will be forwarded to these third party providers.
e) For language exams provided by telc and TOEIC/TOEFL, we deliver the test papers of the test candidates to be evaluated by the exam provider, telc gGmbH or LTS Language & Testing Service GmbH respectively. We have concluded a joint controller agreement with these exam providers that governs our joint roles relating to data protection in accordance with Article 26 GDPR. Among other points, this joint controller agreement obliges these exam providers to keep customer data confidential, to delete customer data in a timely manner, and to implement the necessary technical and organizational measures to ensure the safety of customer data.
f) In case of emergencies, necessary personal data will be passed on to or disclosed to treating physicians to facilitate the provision of medical treatment.
g) Should customers’ personal data be required as part of the process of locating and providing accommodations or boarding schools, these data will be passed on or disclosed to the participating schools as well as the host families, guest houses, hotels, hostels, or boarding school contracted to provide the accommodations.
h) Notices providing information about courses currently running including the room number of the classroom, the name of the teacher as well as names and countries of origins of the students will be displayed in a location in the foyer or in front of the classrooms where customers, employees, and teachers at the school where the course is being taught can all see these notices.
i) In addition, personal data is only transferred or disclosed to the following third-party processors in accordance with Article 28 GDPR. These third-party processors are contractually obligated to comply with statutory data protection standards. Our IT service provider and our document destruction service have access to all data. If tutors are charged with supervising customers or carrying out free-time activities that have been booked, they will only be provided with the customer data absolutely necessary for carrying out their duties. If e-learning products from external providers are used in connection with our German courses and services, these external providers will receive access to the necessary data concerning the customers and teachers. Out of all our external provides, only Rosetta Stone GmbH processes data outside of the European Economic Area, namely in the US. In this specific case, an appropriate level of data protect is guaranteed by Rosetta Stone GmbH’s participation in the EU–US Privacy Shield.
j) Where applicable, data may be disclosed/transferred to the following third parties: Facebook Inc. represented by Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland and Sendible Limited (responsible for managing our Facebook content), 311 Ballards Lane, N12 8LY, London, UK – you can find more information about this data processing in § 9 of these guidelines.

(2) The legal basis for the data processing conducted as described in §4 No. 1 a) – e) of these guidelines is to carry out precontractual measures or to fulfill our contractual obligations in accordance with Article 6 No. 1 Subsection 1 b) GDPR. The legal basis for the data processing conducted as described in §4 No. 1 f) of these guidelines is in order to protect the vital interests of the data subject or of another natural person in accordance with Article 6 No. 1 Subsection 1 d) GDPR. The legal basis for the data processing conducted as described in §4 No. 1 g) – i) of these guidelines is a balancing of interests in accordance with Article 6 No. 1 Subsection 1 f) GDPR. Our legitimate interests are to ensure an efficient organization of our services and to maintain a high quality of customer service. For information on the legal basis for the data processing conducted as described in §4 No. 1 j) of these guidelines, please see §9 No. 2 c) of these guidelines.

§ 5 – Data processing based on consent, right to withdraw consent

(1) Only in cases where a relevant health condition exists will we collect a customer’s health data after obtaining a separate declaration of consent, which may be submitted in written or electronic form. In this case, the collection of such data is absolutely necessary in order to be able to evaluate whether we can offer the service the customer has requested and where applicable to be able to make arrangements so that the customer can access the classrooms, accommodations, and other facilities.

(2) Should you elect to not provide your consent to process the health data necessary for us to deliver our services (as described above in No.1), we will unfortunately not be able to provide these services to you.

(3) In the event of illness or other medical emergencies, we will where applicable obtain written consent from the customers in order to be able to accompany them to doctors’ visits or, if necessary, provide support in the provision medical treatment.

(4) When you initiate contact with us over email or by using a contact form on our website, we process the information you actively enter into the fields on the contact form or email as well as data that is automatically transmitted (email address as well as where applicable name, address, telephone number, etc.).

(5) You can give your consent for us to publish photos, quotes, and excerpts from customer reviews of our services along with your first name and last initial as a part of our efforts to present our organization to the public (website, social media channels, print advertisement, films, press releases). You will be given the option of whether or not to allow us to use your quotes and reviews, e.g. when you are asked to elevate the service. We take photos at some events. You can find details about data processing as it related to our social media activity on Facebook in §9 of these guidelines.

(6) At the request of the customers depicted in the photos, we will upload event photos to the cloud service WeTransfer (free). In such cases, the terms of use and data policy of the (co)data controller WeTransfer B.V., Oostelijke Handelskade 751, 1019 BW Amsterdam, The Netherlands (hereinafter referred to as “WeTransfer”), which can be accessed at https://wetransfer.com/legal/terms or https://wetransfer.com/legal/privacy (URLs verified 08/2019) will apply. WeTransfer saves the photos that we upload, and according to their own terms of service, they do not analyze these data and delete all files after seven days. We only disclose one email address per recipient (customer depicted in the photo) to WeTransfer. In addition, WeTransfer collects the technical data necessary to establish a connection to their website (IP address, browser data, location of the host network, etc.), and by using cookies, they collect data on the user’s behavior (surf and click behavior also on other websites) in order to deliver advertising from WeTransfer or third parties and to personalize these adverts (tracking). According to their terms of service, WeTransfer saves these data for 12 months, analyzes them, and uses them for statistical purposes. The Carl Duisberg Centren does not have access to the data nor the results of any data analysis conducted by WeTransfer. Therefore, WeTransfer’s data processing has no influence on the actions of the Carl Duisberg Centren and its employees.

(7) In order to evaluate and maintain the quality of our services, we conduct evaluations during and at the conclusion of our German courses. Participation in these evaluations is voluntary. Participants have the option of providing their name, telephone number, and email address so that CDC can respond to any queries they may have. Other personal data and connection data (e.g. IP addresses) are not processed in connection with CDC’s online evaluations.

(8) Should the parents of an adult customer and/or the referring agencies request us to provide them with a report detailing the customer’s performance in the course or a record of attendance, we will only do this if we have received separate consent to do so, which can be provided in written or electronic form. If the recipient is based in a country outside of the European Economic Area where no data protection standards comparable to those in the EU can be guaranteed (third countries), we will inform the customer of this in advance in addition to advising whether appropriate guarantees are in place and what possible risks are associated with the data transfer.

(9) Where applicable, you may have the chance to take part in promotional competitions. However, in such cases, the only data need processed to conclude the legal formalities connected with such a competition will be your name, an email address, and where applicable photos/videos/texts provided by you will be used for purposes of determining a winner.

(10) If a data subject is under 17 years old, the consent of a legal guardian is always necessary.

(11) The legal basis for this data processing is your express or unambiguous consent in accordance with Article 6 No. 1 Subsection 1 a) GDPR. The legal basis for the processing of health data detailed in §5 No. 1 and 2 of these guidelines is the express consent of the data subject in accordance with Article 9 No. 2 a) GDPR. The legal basis for the transfer of data to a third country detailed in §5 No. 8 of these guidelines is the express consent of the data subject in accordance with Article 49 No. 1 Subsection 1 a) GDPR.

(12) Data subjects may at any time and free of charge withdraw their consent for the processing of their data. A withdrawal of consent only affects the permissibility of processing for the time period after which we were notified of the data subject’s withdrawal of consent. Should a data subject elect to withdraw consent, we may not be able to fulfill certain contractual or precontractual obligations, which will mean that we have the right to terminate the provision of affected services and where applicable to terminate the contract.

§ 6 – Data processing based on the balancing of interests, website

(1) For informational and adverting purposes, we may send emails with information about current offers from the Carl Duisberg Centren or other customer information on a regular basis. You will receive these emails in the following cases:

  • You have provided us with your email address as a part of concluding a paid commercial transaction with us, and you did not object to receiving our emails.
  • You have explicitly agreed to receive our newsletter until you withdraw your consent (see §7 No.2 of these guidelines).

(2) If you initiate contact with us by using the contact form on our website, certain data will be transmitted to us when the form is sent in order to maintain the security of our IT system and to prevent possible misuse. In addition to data entered into the field of the contact form (see § 5 No. 4 of these guidelines), the IP address of the user as well as the date and time of access will be transmitted to us (connection data).

(3) The legal basis for this data processing is a balancing of interests in accordance with Article 6 No. 1 Subsection 1 f) GDPR. If you have not expressly agreed to receive our information by email (see §6 No. 1 Sentence 2 second bullet point of these guidelines), the legal basis is your consent granted in accordance with Article 6 No. 1 Subsection 1 a) GDPR.

(4) You can find detailed information about additional data processing connected with the use of our website in our Data Protection Policy, which can always be accessed at our website www.cdc.de or https://www.cdc.de/cdds.

§ 7 – Objection to data processing, objection to use of data for marketing purposes

(1) If our processing of your personal data is in conflict with the balancing of interests, you can object to the processing at any time, free of charge. In your objection, we kindly ask that you present the reasons why we should not process your personal data in the manner intended by us. In cases where the objection is justified, we will suspend or as appropriate modify the data processing, or we will provide you with our prevailing interests that justify our continued processing of your personal data.

(2) You may object to the processing of your personal data for marketing purposes at any time, free of charge, and without providing any reason for your objection. Should you object to this processing, we will no longer process your personal data for these purposes.

§ 8 – Duration of storage and deletion

(1) Your personal data will be deleted as soon as they are no longer needed for the purpose that they were collected or other legitimate purposes (e.g. asserting legal claims). As a rule, customers’ personal data will be deleted after the end of the regular limitation period of three years at the end of the calendar year. Posts on our company Facebook page which contain personal data will be removed by us at the latest after seven years at the end of the calendar year.

(2) The additional personal connection data collected when using our contact form (see §6 No. 2 of these guidelines) will be deleted within seven days at the latest.

(3) Excepted from these rules are personal data that we are legally required to keep for longer periods to comply with statutory guidelines or to fulfill statutory record keeping requirements (e.g. invoice data).

(4) As an alternative to deletion, we may completely anonymize data so that we can retain the data for a longer period in order to aid in quality management and for statistical purposes. After anonymization, the data are no longer able to be associated with an individual person and do not infringe on your right to data protection.

§ 9 – Facebook

(1) We, the Carl Duisberg Centren, opperate a company page (https://de-de.facebook.com/cdc.de) with several groups on the social network provided by the third-party company Facebook Inc. (hereinafter referred to as “Facebook”). The use of our company Facebook page are subject to Facebook’s terms of use and data protection policy. Facebook’s data protection policy provides information about the data processing that Facebook engages in; this policy can be found on Facebook’s website or this link https://de-de.facebook.com/privacy/explanation (link verified 08/2019).

(2) Although we cannot control, nor can we monitor Facebook’s processing of your data, we may as an operator of a company page be considered, together with Facebook, jointly responsible for data protection. For this reason, we will now inform you – to the best if our knowledge – in the following a) how Facebook’s data processing works, b) how we use this, and c) what rights you have:

(a) Facebook is a social network that makes it possible to publish information, opinions, and media as well as allowing users who are registered and logged on (hereinafter referred to as “users”) to interact with one another. Facebook processes personal and other data for several purposes, including to deliver advertising and to personalize such adverts. If personal data is actively posted on the Facebook network (e.g. in profiles, groups, events, timelines, stories) or sent over this network, these data will in all cases be disclosed to Facebook. This also includes the so-called Exif data associated with digital photos and videos (metadata such as e.g. time, location, and camera used). Depending on the privacy settings for the particular profile, group, story, etc., which the user can configure, other users receive access to the personal data that have been actively posted or sent. In addition, Facebook processes data that are not actively posted as follows: users’ connection data (e.g. IP address, browser information, and location) and data relating to users’ behavior on Facebook’s network will be saved. By using so-called cookies, Facebook plugins, and other tracking technology, Facebook also collects additional data about users’ behavior on other websites outside of the Facebook network (e.g. about websites visited and likes).

Please be aware that simply accessing our company page or browsing websites with embedded Facebook plugins may result in personal data being stored by Facebook even if you are not a Facebook user.

Facebook analyzes the content that users actively post, compiles the data from a user, evaluates the available information, generates summarized statistics, and passes these on to its own customers as a part several of products (including “Facebook Insights”, for more information, see below). In the past, there were also cases that came to light in which third parties gained access to data on the Facebook network. The data processing by Facebook occurs in part in the US. However, Facebook participates in the US-EU Privacy Shield, which guarantees an appropriate level of data protection.

(b) We maintain a Facebook page and are active on Facebook for purposes of advertising, providing information to our customers, and to communicate with our customers. In order to achieve these objectives, our posts on our Facebook page include news, photos, videos, and texts – such as quotes and customer reviews –and we also run promotional contests at irregular intervals. These posts are regularly associated with or contain personal data related to our customers and teachers. Naturally, we inform data subjects and seek their consent before posting their personal data (see §5 No. 4 of these guidelines). Our company page is publicly available without any restrictions to all Facebook users and third parties. Our groups are “private”. This means that the number of Facebook profiles that can interact with the group and access the contents posted in the group are limited to profiles admitted by us, and as a rule these profiles belong to our current and former customers, and our teachers. Before we post photos and videos to Facebook, we remove the Exif data from the file (see above for more information). Personal data on our company page will be deleted after a retention period of seven years at the end of the calendar year. During this retention period, our legitimate interest to conduct advertising and inform customers, which justifies this data processing, shall remain in effect (for more information, see below).

We subscribe to “Facebook Insights”, a product that Facebook provides free of charge. Facebook Insights consists of anonymized, statistically analyzed data on the visitors to our company Facebook page and how these visitors interact on our company Facebook page. It consists of demographic data (e.g. age, gender, language, and employment status) geographic data (e.g. the user’s permanent place residence and current location), information about lifestyle and interests as well as the number of likes, which can be associated with data categories. Facebook Insights allows us to draw certain conclusion about the reach and popularity of our Facebook page. Where applicable, we use this information to customize the content. However, we do not systematically analyze the data we receive from Facebook Insights. Moreover, we do not target our Facebook activities at particular target groups and thus do not use any additional Facebook services that would, for example, make it possible for us to engage in target-group-specific customer communication. Thus, you will not receive personalized advertising from us under any circumstances.

In order to simplify the administration and planning of our Facebook page, we use the tool Sendible from Sendible Limited, 311 Ballards Lane, N12 8LY, London, UK (hereinafter referred to as “Sendible”). Sendible also provides us with statistical information. However, this data is based on the data already made available by Facebook and is not materially different in terms of quality and scope compared to the data provided by Facebook Insights. We use these data to the same extent that we use the underlying data provided directly by Facebook. In order to provide this service, Sendible processes content and links on our company Facebook page. Personal data of our customers and teachers is thus disclosed to Sendible. As a third-party data processor as defined in Article 28 GDPR, Sendible is contractually obligated to maintain the legally mandated level of data protection.

(c) The legal basis for uploading and publishing of content that includes your personal data is your consent in accordance with Article 6 No. 1 Subsection 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to Facebook when you visit, view, and use our company Facebook page as well as our use of Facebook Insights and Sendible is a balancing of interests in accordance with Article 6 No.1 Subsection 1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.

Facebook and Carl Duisberg Centren are parties to an agreement on data protection, which Facebook has concluded with operators of fan pages in Europe. This agreement can be accessed at the following link: https://www.facebook.com/legal/terms/page_controller_addendum (link verified 08/2019). In essence, this agreement stipulates the following:

  • Facebook and Carl Duisberg Centren act as joint controllers when processing Facebook Insights data.
  • Facebook assumes the primary responsibility for data processing.
  • Facebook is solely responsible for answering all inquiries of affected persons or data protection regulators related to Facebook Insights data, while Carl Duisberg Centren is obligated to forward all such inquiries to Facebook.

This means that if you wish to exercise your rights as detailed in § 2 of these guidelines in connection with data processing related to our company Facebook page, you may direct such request to us. Should you wish to object to data processing conducted on the basis of a balancing of interests, you may also submit an objection to us as describe in § 7 of these guidelines.

Nevertheless, as Facebook is the party primarily responsible for answering data protection inquiries, you should direct any requests to exercise your rights detailed in § 2 of these guidelines in connection with data processing related to our company Facebook page to Facebook. The entity responsible for data protection at Facebook is Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for use outside of the US and Canada).

Version: 18 September 2019

nach oben