Privacy Statement for the e-learning platform of TÜV SÜD Akademie GmbH

 

The TÜV SÜD Akademie GmbH web-based e-learning platform can be found at the website address lms.tuev-sued.com. Training participants can use this website to take part in online courses offered by TÜV SÜD Akademie GmbH.

We process the personal data of training participants and other website visitors in connection with running the website and providing online courses via the website.

These online courses are not sold via the web-based e-learning platform, but separately via TÜV SÜD Akademie GmbH's general website or via our resellers (typically other TÜV SÜD academies outside of Germany). This sales process and other transactions in connection with this, particularly the processing of our contacts' personal data by our customers and resellers, are not the subject of this Privacy Statement. Further information on this can be found in our general Privacy Statement for external parties at https://www.tuev-sued.de/servicelinks_de/datenschutz.

We take the protection of personal data very seriously. We only process personal data in accordance with the applicable data protection requirements, particularly the General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

In Section A of this Privacy Statement, you will find details of how your personal data is processed by the controller and the controller's data protection officer.

In Section B, you will also find information about the processing of your personal data.

In Section C, you will find detailed information on the use of cookies or similar technology.

In Section D, you will find information on your rights in relation to the processing of your personal data.

The key terms relating to data protection law used in this Privacy Statement are based on the meanings specified in the General Data Protection Regulation. Detailed information on this can be found in Section E.

 

 

Table of contents

A. Information about the controller

  1. Name and contact details of the controller
  2. Contact details of the data protection officer of the controller

B. Information on how your personal data is processed

  1. Use of the website for informational purposes
  2. Carrying out online training courses via the web-based e-learning platform
  3. Providing the forum function
  4. Providing the chat function

C. Information on the use of cookies

  1. General information on cookies
  2. Managing the cookies used on this website
  3. Cookies used on this website

D. Information on the rights of data subjects

  1. Right of access by the data subject
  2. Right to rectification
  3. Right to erasure ("right to be forgotten")
  4. Right to restriction of processing
  5. Right to data portability
  6. Right to object
  7. Right to withdraw consent
  8. Right to lodge a complaint with a supervisory authority

E. Information on the use of key terms from the General Data Protection Regulation used in this Privacy Statement

F. Validity and modification of this Privacy Statement

 

 

A. Information about the controller

I. Name and contact details of the controller

TÜV SÜD Akademie GmbH

Westendstr. 160

80339 München

akademie@tuev-sued.de

+49 (0) 89 5791-2388

 

If you have any questions about the processing of your personal data by us, we will be happy to provide you with information about the data affected (Article 15 General Data Protection Regulation (GDPR)). Furthermore, where statutory requirements in accordance with GDPR are present, you have a right to rectification (Article 16 GDPR), erasure (Article 17 GDPR), restriction of processing (Article 18 GDPR), objection to the processing (Article 21 GDPR) and the right to data portability (Article 20 GDPR). In these cases, you can send a short message at any time to our data protection officer by e-mail to akd.dsgvo@tuev-sued.de or by post to TÜV SÜD Business Services GmbH, Westendstr. 199, 80686 Munich, Germany.

Information on the processing of your personal data in connection with sending a query via this contact form can be found in our general Privacy Statement at https://www.tuvsud.com/de-de/datenschutz.

 

II. Contact details of the data protection officer of the controller

TÜV SÜD AG

Mr Peter Walko

Westendstr. 199

80686 Munich

datenschutzbeauftragter@tuev-sued.de

+49 (0)89 5791-2798

 

B. Information on how your personal data is processed

I. Use of the website for informational purposes

When using the website for purely informational purposes (i.e. without logging into our e-learning platform), the browser used on your device sends certain information, such as your IP address, to our website server for technical reasons. We process this information to provide the content accessed by you on our website. To ensure the security of the IT infrastructure used to provide the website, this information will also be temporarily stored in a web server log file.

To provide our website's search functions, data entered into our search functions is temporarily processed on our web server.

In order to provide the language selection, data from strictly necessary cookies (→ Section C) is temporarily processed on our web server in order to provide you with the contents of the website you have accessed in the language you have selected.

Detailed information on this can be found below:

 

1. Details of the personal data that is processed

Categories of personal data that is processed

Personal data contained in the categories

Data sources

Obligation to provide data

Storage period

HTTP data.

Protocol data that is generated when the website is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes your IP address, the type and version of your web browser, your operating system, the accessed page, the page previously accessed (referrer URL), the date and time of access.

Users of the website.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If you do not share your data with us, we cannot provide the content accessed via the website.

Data is stored in server log files, in a form that enables the data subject to be identified, for a maximum of 7 days, unless there is a security issue (e.g. a DDoS attack).

In the event of a security issue, the server log files are stored until the security issue has been eliminated and completely resolved.

Search function data.

Data that is entered into the search functions on our website.

This includes all information entered as search terms into the search form in the website.

Users of the website.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared, we cannot provide the requested website function.

Data is stored in server log files, in a form that enables the data subject to be identified, for a maximum of 7 days, unless there is a security issue (e.g. a DDoS attack).

In the event of a security issue, the server log files are stored until the security issue has been eliminated and completely resolved.

Language selection data.

Data that you share in order to provide the language selection function and data that is assigned to your device when using the language selection function:

This includes the language you select, the language preferences contained in the HTTP data, languages of specific courses, and a specific ID to identify and recognise your browser.

(→ Section C.III. for detailed information on the contents of cookies used.)

Users of the website.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared with us, we cannot provide the content accessed via the website in the language you have selected.

Cookies are stored in the user's system.

(→ Section C.III. for information on the validity period of cookies used.)

We store the cookie data sent to us in server log files, in a form that enables the data subject to be identified, for a maximum of 7 days, unless there is a security issue (e.g. a DDoS attack).

In the event of a security issue, the server log files are stored until the security issue has been eliminated and completely resolved.

2. Details on the processing of personal data

Purpose of processing personal data

Categories of personal data that is processed

Automated decision-making

Legal basis and legitimate interest, if applicable

Recipient

Provision of the website content accessed by the user:

Data is temporarily stored on our web server for this purpose.

HTTP data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the provision of website content accessed by the user.

Hosting provider.

To provide our website's search functions:

Data that is entered into our search functions is temporarily processed on our web server for this purpose.

Search function data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is providing our website's search functions accessed by the user.

Hosting provider.

To provide our website's language selection function:

When you return to the site, we determine whether you have already selected a particular language version of our site and display other pages of our site in that language as well.

For this purpose, data from strictly necessary session cookies is processed on our web server.

Language selection data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the provision of website content accessed by the user in the language the user has selected.

Hosting provider.

To guarantee the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks):

For this purpose, data is temporarily stored in log files on our web server and analysed.

HTTP data,

Search function data,

Language selection data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks).

Hosting provider.

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or to international organisations

Recipient

Role of the recipient

Registered office of the recipient

Adequacy decision or appropriate or proportionate safeguards for transfers to third countries and/or international organisations

Hosting provider

(currently: TÜV SÜD Business Services GmbH)

Processor.

EU.

-

 

II. Carrying out online training courses via the web-based e-learning platform

Training participants can use this website to take part in online courses offered by TÜV SÜD Akademie GmbH.

We process the personal data of training participants for the following purposes:

  • To create a training participant account for participation in online training courses via our web-based e-learning platform
  • To provide the training participant account and administrative functions for this account
  • To provide information from the training participant account to other training participants
  • To provide and document online training courses
  • To convey the results of the training course to the customer who booked the respective online training course for the training participant
  • To retain data for evidence purposes in the event of any enforcement, exercise or defence against legal claims
  • To retain data to fulfil legal retention obligations, particularly under commercial and taxation law
  • To ensure the security of the IT infrastructure used to provide the web-based e-learning platform, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks)

Detailed information on this can be found below:

 

1. Details of the personal data that is processed

Categories of personal data that is processed

Personal data contained in the categories

Data sources

Obligation to provide data

Storage period

Master data.

Name and e-mail address of the training participant.

Customer who booked the training with us for the respective training participant (typically the participant's employer).

If the training is booked through one of our resellers, we receive this data from our reseller.

-

After the online course that has been allocated to all the respective training participants has been completed, we store this data for evidence purposes for the event of any enforcement, exercise or defence of legal claims for a transitional period of three years starting from the end of the year in which the online course took place, or from the resolution of any legal disputes.

In addition, we also store this data insofar as there are legal retention obligations, particularly under commercial and taxation law. Depending on the type of documents, retention obligations under commercial and taxation law may last for six or ten years (Section 147 of the Fiscal Code of Germany (AO), Section 257 of the German Commercial Code (HGB)), which may affect course certificates that include the name of the training participant.

The training participant's password as chosen by the participant themselves (saved in our database only in encrypted form).

Training participants.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared with us, we cannot offer the online training course.

Supplementary account data.

Data that you enter to complete your training participant account, e.g. your profile photo.

Training participants.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared with us, we cannot assign this information to your participant account.

The administrative functions of the training participant account allow you to change this data yourself at any time and erase it completely.

If you do not alter or erase this data, the following applies:

After the online course that has been allocated to all the respective training participants has been completed, we store this data for evidence purposes for the event of any enforcement, exercise or defence of legal claims for a transitional period of three years starting from the end of the year in which the online course took place, or from the resolution of any legal disputes.

In addition, we also store this data insofar as there are legal retention obligations, particularly under commercial and taxation law. Depending on the type of documents, retention obligations under commercial and taxation law may last for six or ten years (Section 147 of the Fiscal Code of Germany (AO), Section 257 of the German Commercial Code (HGB)), which may affect course certificates that also include the name of the training participant.

Training course data.

Data that is necessary to prepare, carry out and execute the online training courses.

This includes allocating the training participant to one of the specific customers and specific courses which the participant is to complete.

Customer who booked the training with us for the respective training participant (typically the participant's employer).

If the training is booked through one of our resellers, we receive this data from our reseller.

-

Data that arises throughout the course (including the start, end, progress, number of attempts when answering test questions and the individual answers to test questions) is completely erased after the enrolment period of the respective training course is complete. This enrolment period varies depending on the course; we will inform you of the enrolment period for each training course.

For data relating to the process of assigning the training participant to a specific customer, data on specific courses the training participant will attend, data on whether the training participant passes or fails to complete a course, and data included on course certificates, the following applies:

After the online course has been completed, we store this data for evidence purposes for the event of any enforcement, exercise or defence of legal claims for a transitional period of three years starting from the end of the year in which the online course took place, or from the resolution of any legal disputes.

In addition, we also store this data insofar as there are legal retention obligations, particularly under commercial and taxation law. Depending on the type of documents, retention obligations under commercial and taxation law may last for six or ten years (Section 147 of the Fiscal Code of Germany (AO), Section 257 of the German Commercial Code (HGB)), which may affect course certificates that include key information regarding participation in the course.

It also includes information about actual participation in training sessions on our e-learning platform, such as start, end, progress, any final test results and training certificates.

Generated independently.

HTTP data.

Protocol data that is generated when the web-based e-learning platform is accessed via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons.

This includes your IP address, the type and version of your web browser, your operating system, the accessed page, the page previously accessed (referrer URL), the date and time of access.

Training participants.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared with us, we cannot offer the online training course.

Data is stored in server log files, in a form that enables the data subject to be identified, for a maximum of 7 days, unless there is a security issue (e.g. a DDoS attack).

In the event of a security issue, the server log files are stored until the security issue has been eliminated and completely resolved.

Login data.

Data you provide when logging into your training participant account and data assigned to your device when logging into your training participant account:

This includes your e-mail address, your password and your IP address, as well as a clear ID to identify and recognise your browser.

(→ Section C.III. for detailed information on the contents of cookies used.)

Training participants.

Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data.

If the data is not shared with us, we cannot offer the online training course.

Cookies are stored in the user's system.

(→ Section C.III. for information on the validity period of cookies used.)

We store the cookie data sent to us in server log files, in a form that enables the data subject to be identified, for a maximum of 7 days, unless there is a security issue (e.g. a DDoS attack).

In the event of a security issue, the server log files are stored until the security issue has been eliminated and completely resolved.

Transaction e-mail data.

Data from transaction e-mails that we send to training participants to prepare, carry out and execute the online training courses (e.g. invitation to an online course booked for a training participant).

This includes the content and time of the transaction e-mail.

Generated independently.

-

After the online course has been completed, we store this data for evidence purposes for the event of any enforcement, exercise or defence of legal claims for a transitional period of three years starting from the end of the year in which the online course took place, or from the resolution of any legal disputes.

In addition, we also store this data insofar as there are legal retention obligations, particularly under commercial and taxation law. Depending on the type of documents, retention obligations under commercial and taxation law may last for six or ten years (Section 147 of the Fiscal Code of Germany (AO), Section 257 of the German Commercial Code (HGB)).

 

2. Details on the processing of personal data

Purpose of processing personal data

Categories of personal data that is processed

Automated decision-making

Legal basis and legitimate interest, if applicable

Recipient

Creating a training participant account for participation in online training courses via our web-based e-learning platform:

Online training courses are sold outside the e-learning platform either directly by us to our customers (typically companies) or via our resellers (typically TÜV SÜD academies outside Germany). Before the training course, we receive a list of training participants from the customer who has booked the training course with us (typically the participant's employer), or from our reseller, so that we can set up a training participant account for them.

Every training participant receives a link from us via e-mail which takes them to their training participant account, and is required to choose a password for their account when they log in for the first time.

Master data,

Transaction e-mail data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide training courses to our customers.

For our customers who are also training participants: Article 6(1b) of the General Data Protection Regulation (the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

Hosting provider.

To provide the training participant account and administrative functions of this account:

This includes providing the login for the training participant account and the administrative and settings options within the participant account (e.g. the option to enter/change a password).

In addition, this also includes showing details of the training courses started and completed via the training participant account for a period of 10 years after the end of the respective online courses.

Data from strictly necessary session cookies is processed on our web server for the purpose of providing the login.

(→ Section C.III. for detailed information on the intended purposes of the cookies used.)

Master data,

Supplementary account data,

Training course data,

HTTP data,

Login data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide training courses to our customers.

For our customers who are also training participants: Article 6(1b) of the General Data Protection Regulation (the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

Hosting provider.

To provide information from the training participant account to other training participants:

In order to enable the exchange between the participants of a course, each training participant is able to see at least the name of every other participant on that course.

In addition, training participants are free to make additional information visible to other training participants within the course, such as a profile photo.

Master data,

Supplementary account data,

Training course data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide information from the training participant account to other participants upon the request of that participant.

-

Provision and documentation of online training courses:

This includes the training participant's request, via e-mail, to participate in an online training course booked for them as well as the provision of that online training course, including any interactive elements (e.g. completion of tasks, test questions or surveys by the participant, interaction with the course instructor).

The current status as well as the participation history in an online training course are recorded (e.g. participation start time and current progress, number of attempts at answering possible test questions, etc.) in order to be able to prove we have properly provided the training service and to enable the training participant to seamlessly continue a training course at a later date.

Our online courses are also partly provided via live webinars. For this purpose, each training participant in the relevant classroom receives a link to access the live webinar via Adobe Connect. To provide the live webinar function, Adobe processes the user's HTTP data and data provided voluntarily by the user in the respective live webinar on our behalf (e.g. their name or questions posed by them in the live webinar).

Master data,

Training course data,

HTTP data,

Login data,

Transaction e-mail data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide training courses to our customers.

For our customers who are also training participants: Article 6(1b) of the General Data Protection Regulation (the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

Hosting provider,

Live webinar provider.

To convey the results of the training course to the customer who booked the respective online training course for the training participant:

We send the training results to the customer who has booked the respective online training for the participant either directly with us or via one of our resellers after the course has been completed.

Upon successful completion of the course (usually when all the course elements have been completed and the required number of possible test questions have been answered successfully), we provide the customer with a course certificate for each training participant.

In the event that courses are not successfully completed within the time period booked by the customer, we provide the customer with a list of the relevant training participants.

Master data,

Training course data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to provide training courses to our customers.

For our customers who are also training participants: Article 6(1b) of the General Data Protection Regulation (the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract).

Customer that has booked the relevant online course for the respective training participant

To retain data for evidence purposes in the event of any enforcement, exercise or defence against legal claims.

For this purpose, we usually retain data for a transitional period of three years from the end of the year in which the online course was completed, or from the resolution of any legal disputes that may occur.

Master data,

Supplementary account data,

Training course data,

Transaction e-mail data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is the enforcement, exercise or defence of legal claims.

Hosting provider.

To retain data to fulfil legal retention obligations, particularly under commercial and taxation law.

Depending on the type of documents, retention obligations under commercial and taxation law may last for six or ten years (Section 147 of the Fiscal Code of Germany (AO), Section 257 of the German Commercial Code (HGB)).

Master data,

Supplementary account data,

Training course data,

Transaction e-mail data.

There is no automated decision on this matter.

Article 6(1c) of the General Data Protection Regulation (compliance with a legal obligation).

Hosting provider.

To ensure the security of the IT infrastructure used to provide the web-based e-learning platform, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks):

For this purpose, data is temporarily stored in log files on our web server and analysed.

HTTP data,

Login data.

There is no automated decision on this matter.

Article 6(1f) of the General Data Protection Regulation (balancing of interests).

Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the e-learning platform, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks).

Hosting provider.

 

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or to international organisations

Recipient

Role of the recipient

Registered office of the recipient

Adequacy decision or appropriate or proportionate safeguards for transfers to third countries and/or international organisations

Hosting provider

(currently: Mastersolutions AG, TÜV SÜD Business Services GmbH)

Processor.

EU.

-

Live webinar provider

(currently: Adobe Systems Software Ireland Limited, Dublin, Ireland)

Processor.

EU.

-

Customer that has booked the relevant online course for the respective training participant

(usually the training participant's employer)

Controller

Inside or outside the EU, depending on the individual case.

Information on the recipient and the registered office of the recipient can be found in the information sent individually via e-mail to each training participant concerning participation in the training course.

If the customer is located in a third country outside the EU:

The following link will take you to the latest information on the third countries for which the European Commission has issued an adequacy decision in accordance with Article 45 of the General Data Protection Regulation: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_de

If the third country in which the customer is located is not listed, the EU Commission has not made an adequacy decision within the meaning of Article 45 of the General Data Protection Regulation.

 

III. Providing the forum function

Within our web-based e-learning platform, training participants can interact with each other and with the respective course leader via a forum that is only visible to the participants of that specific course.

We process the personal data of training participants for the following purposes:

  • To provide the forum for the relevant course
  • To send information e-mails about subscribed topics
  • To filter, post and, if necessary, decline contributions that violate copyright or other intellectual property rights.
  • To retain data for evidence purposes in the event of any enforcement, exercise or defence against legal claims
  • To ensure the security of the IT infrastructure used to provide the web-based e-learning platform, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks)

For this purpose, we also use data that is generated through the use of the training participant account (→ Section B.II.1).

Detailed information on this can be found below:

 

1. Details of the personal data that is processed

Categories of personal data that is processed: Master data, Supplementary account data, Training course data, HTTP data, Login data.
Personal data contained in the categories: (→ Section B.II.1 for detailed information on what these data categories contain.)
Data sources: (→ Section B.II.1 for detailed information on what these data categories contain.)
Obligation to provide data: (→ Section B.II.1 for detailed information on what these data categories contain.)
Storage period: (→ Section B.II.1 for detailed information on what these data categories contain.)

Categories of personal data that is processed: Forum contribution data.
Personal data contained in the categories: This includes the title and contents of your forum contributions.
Data sources: Contribution author.
Obligation to provide data: Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data. If you do not share your data, we cannot allow you to make forum contributions.
Storage period: This data is erased after the enrolment period of the course is complete. The enrolment period varies depending on the course and the agreements with the participants, who are aware of this enrolment period.

Categories of personal data that is processed: Subscription data.
Personal data contained in the categories: This includes information on the subscribed topics.
Data sources: Contribution author.
Obligation to provide data: Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data. If you do not share your data, we cannot subscribe you to any topics.
Storage period: This data is erased after the enrolment period of the course is complete. The enrolment period varies depending on the course and the agreements with the participants, who are aware of this enrolment period.

2. Details on the processing of personal data

Purpose of processing personal data: To provide the forum for the relevant course: Logged-in training participants can interact with each other and with the respective course leader via the forum. All contributions published in the forum are only visible to the participants on the relevant course and the course director, and only for the duration of the course. Contributions are published under the name of the training participant specified in the training participant account. If the training participant has voluntarily uploaded a photo to their training participant account, this appears as the profile photo along with the respective contribution. Participants can edit and/or delete their own contributions at any time.
Categories of personal data that is processed: Master data, Supplementary account data, Training course data, HTTP data, Login data, Forum contribution data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is providing the forum for the respective course.
Recipient: Hosting provider.

Purpose of processing personal data: To send information e-mails about subscribed topics: Training participants have the option to subscribe to topics in the forum. Training participants receive information via e-mail about new forum contributions relating to subscribed topics.
Categories of personal data that is processed: Master data, Subscription data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is sending information e-mails about subscribed topics upon the request of the respective training participant.
Recipient: Hosting provider.

Purpose of processing personal data: To filter, post and, if necessary, decline contributions that violate copyright or other intellectual property rights.
Categories of personal data that is processed: Forum contribution data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is the prevention of rights infringements.
Recipient: Hosting provider.

Purpose of processing personal data: To guarantee the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks): For this purpose, data is temporarily stored in log files on our web server and analysed.
Categories of personal data that is processed: HTTP data, Login data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks).
Recipient: Hosting provider.

 

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or to international organisations

Recipient: Hosting provider (currently: Mastersolutions AG, TÜV SÜD Business Services GmbH)
Role of the recipient: Processor.
Registered office of the recipient: EU.
Adequacy decision or appropriate or proportionate safeguards for transfers to third countries and/or international organisations: -

 

IV. Providing the chat function

Within our web-based e-learning platform, training participants can interact with each other and with the respective course leader via a chat that is only visible to and usable by the participants of that specific course during the course duration.

We process the personal data of training participants for the following purposes:

  • To provide the chatroom for the respective course
  • To retain data for evidence purposes in the event of any enforcement, exercise or defence against legal claims
  • To ensure the security of the IT infrastructure used to provide the web-based e-learning platform, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks)

For this purpose, we also use data that is generated through the use of the training participant account (→ Section B.II.1).

Detailed information on this can be found below:

 

1. Details of the personal data that is processed

Categories of personal data that is processed: Master data, Supplementary account data, Training course data, HTTP data, Login data.
Personal data contained in the categories: (→ Section B.II.1 for detailed information on what these data categories contain.)
Data sources: (→ Section B.II.1 for detailed information on what these data categories contain.)
Obligation to provide data: (→ Section B.II.1 for detailed information on what these data categories contain.)
Storage period: (→ Section B.II.1 for detailed information on what these data categories contain.)

Categories of personal data that is processed: Chat data.
Personal data contained in the categories: This includes the contents of your chat contributions.
Data sources: Chat participants.
Obligation to provide data: Sharing data is not legally or contractually required or necessary for entering into a contract. There is no obligation to provide data. If you do not share your data, we cannot allow you to participate in the chat.
Storage period: Unless specified otherwise, we only store this data for the duration of the respective chat, as stated in the classroom. In exceptional cases, the course leader also saves certain chat messages for a transitional period in order to answer any questions posed in the chat in connection with the execution of the online training courses (Section B.II).

2. Details on the processing of personal data

Purpose of processing personal data: To provide the chatroom for the respective course: Logged-in training participants can interact with one another and with the respective course leader live in the chat at the times specified in the respective classroom. All contributions published in the chat are only visible to the participants on the relevant course and the course director, and only for the duration specified in the classroom. Chat messages are published under the name of the training participant specified in the training participant account. If the training participant has voluntarily uploaded a photo to their training participant account, this appears as the profile photo along with the respective chat messages.
Categories of personal data that is processed: Master data, Supplementary account data, Training course data, HTTP data, Login data, Chat data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is providing the chatroom for the respective course.
Recipient: Hosting provider.

Purpose of processing personal data: To retain data for evidence purposes in the event of any enforcement, exercise or defence against legal claims. In exceptional cases, we retain chat messages even after the duration of the chat, in particular for evidence purposes with regard to any legal violations. For this purpose, we usually retain data for a transitional period of three years from the end of the year in which the chat took place, or from the resolution of any legal disputes that may occur.
Categories of personal data that is processed: Master data, Chat data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is the enforcement, exercise or defence of legal claims.
Recipient: -

Purpose of processing personal data: To guarantee the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks): For this purpose, data is temporarily stored in log files on our web server and analysed.
Categories of personal data that is processed: HTTP data, Login data.
Automated decision-making: There is no automated decision on this matter.
Legal basis and legitimate interest, if applicable: Article 6(1f) of the General Data Protection Regulation (balancing of interests). Our legitimate interest is to ensure the security of the IT infrastructure used for the provision of the website, in particular for the detection, elimination and conclusive documentation of faults (e.g. DDoS attacks).
Recipient: Hosting provider.

 

3. Details on the recipients of personal data and the transfer of personal data to third countries and/or to international organisations

Recipient: Hosting provider (currently: Mastersolutions AG, TÜV SÜD Business Services GmbH)
Role of the recipient: Processor.
Registered office of the recipient: EU.
Adequacy decision or appropriate or proportionate safeguards for transfers to third countries and/or international organisations: -

 

C. Information on the use of cookies

We use cookies in connection with the provision of online training courses via our e-learning platform. We use the processing and storage functions of the browser on your device and collect information from your device's browser memory.

Detailed information on this can be found below.

I. General information on cookies

Cookies are small text files containing information that can be placed on the user's device when they visit a website via their browser. When the website is visited again on the same device, the cookie, and the information contained within, is retrieved.

1. First- and third-party cookies

First-party cookies and third-party cookies can be distinguished depending on where they come from:

First-party cookies: Cookies that are set and retrieved by the website operator as the controller responsible for data processing or by a processor commissioned by them.

Third-party cookies: Cookies that are set and retrieved by controllers responsible for processing other than the website operator who are not acting as processors on behalf of the website operator.

 

2. Transient and persistent cookies

Transient and persistent cookies can also be distinguished depending on their period of validity:

Transient cookies (session cookies): Cookies that are automatically deleted when you close your browser.

Persistent cookies: Cookies that are stored on your device for a certain amount of time after you close your browser.

 

3. Cookies that do and do not require consent

Depending on their function and the purpose for which they are being used, it may be necessary to obtain consent before using certain cookies. This means that cookies can be differentiated according to whether the user's consent is required for their use:

Cookies not requiring consent: Cookies whose sole purpose is transferring a message via an electronic communications network. Cookies that are absolutely necessary for the provider of an information society service that has been expressly requested by the subscriber or user to be able to provide this service ("strictly necessary cookies").

Cookies requiring consent: Cookies for all purposes apart from the one stated above.

 

 

II. Managing the cookies used on this website

You can manage the use of cookies in your browser settings. Different browsers offer different ways to configure the cookie settings in the browser. Extensive further information on this topic can be found at http://www.allaboutcookies.org/ge/cookies-verwalten/.

However, we would like to point out that some functions of the website will not function or will no longer function properly if you deactivate cookies in your browser in general, such as the login to your training participant account.

 

III. Cookies used on this website

The following cookies may be used on this website:

Name: MoodleSession
First Party / Third Party: First-party
Purpose and content: When you visit our web-based e-learning platform, we set a session cookie containing a clear ID to identify and recognise your browser. This cookie is necessary from a technical perspective to enable all the functions of the e-learning platform for which we need to identify you as a specific user. This includes the login function and all associated functions (participation in courses, use of the forum and chat, etc.). The cookie is used to clearly recognise your browser and the current status of your session (e.g. logged in as a specific user) within the relevant session, which we then store on our server and your browser, and thereby assign to you personally.
Period of validity: Transient.
Requiring consent: No.

D. Information on the rights of data subjects

As a data subject, you have the following rights with regard to the processing of your personal data:

  • Right of access (Article 15 of the General Data Protection Regulation)
  • Right to rectification (Article 16 of the General Data Protection Regulation)
  • Right to erasure ("right to be forgotten") (Article 17 of the General Data Protection Regulation)
  • Right to restriction of processing (Article 18 of the General Data Protection Regulation)
  • Right to data portability (Article 20 of the General Data Protection Regulation)
  • Right to object (Article 21 of the General Data Protection Regulation)
  • Right to withdraw consent (Article 7(3) of the General Data Protection Regulation)
  • Right to lodge a complaint with a supervisory authority (Article 77 of the General Data Protection Regulation)

To exercise your rights, you can contact us using the contact information referred to in Section A.

Information on any specific modalities and mechanisms that may facilitate the exercise of your rights, in particular the exercise of your rights to data portability and to object, can be found, where appropriate, in the information on the processing of personal data in Section B of this Privacy Statement.

 

 

Below, you will find detailed information on your rights with regard to the processing of your personal data:

I. Right of access by the data subject

As the data subject, you have the right of access under the conditions of Article 15 of the General Data Protection Regulation.

Specifically, this means that you have the right to request confirmation from us as to whether we process personal data. If that is the case, you also have the right to access this personal data and the information stated in Article 15(1) of the General Data Protection Regulation. This includes information on the purpose of processing, the categories of personal data being processed and the recipient or categories of recipients who have access or who will have access to the personal data (Article 15(1a, 1b, 1c) of the General Data Protection Regulation).

The full scope of your right of access can be found in Article 15 of the General Data Protection Regulation, which can be accessed via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679.

II. Right to rectification

As the data subject, you have the right to rectification under the conditions of Article 16 of the General Data Protection Regulation.

Specifically, this means that you have the right to have any incorrect personal data that concerns you rectified by us without undue delay and to have any incomplete personal data completed.

The full scope of your right of access can be found in Article 16 of the General Data Protection Regulation, which can be accessed via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679.

III. Right to erasure ("right to be forgotten")

As the data subject, you have the right to erasure ("right to be forgotten") under the conditions of Article 17 of the General Data Protection Regulation.

This means that, unless otherwise specified, you have the right to request that we erase personal data that concerns you without undue delay, and we are obliged to erase this personal data immediately, insofar as one of the reasons stated in Article 17(1) of the General Data Protection Regulation applies. This may be the case, for example, if personal data is no longer necessary for the purposes for which it was collected or otherwise processed (Article 17(1a) of the General Data Protection Regulation).

In the event that we have disclosed the personal data and are obliged to erase it, we are also obliged to take appropriate measures, including those of a technical nature and taking into account the available technology and costs of implementation, to inform other parties responsible for processing the disclosed personal data that you have requested that they erase all links to, or copies or replicas of, the personal data (Article 17(2) of the General Data Protection Regulation).

As an exception, the right to erasure ("right to be forgotten") does not apply if processing is obligatory because of one of the reasons stated in Article 17(3) of the General Data Protection Regulation. For example, this may be the case if the processing is necessary to fulfil a legal obligation or to enforce, exercise or defend legal claims (Article 17(3a) and (3e) of the General Data Protection Regulation).

The full scope of your right to erasure can be found in Article 17 of the General Data Protection Regulation, which can be accessed via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679.

IV. Right to restriction of processing

As the data subject, you have the right to restriction of processing under the conditions of Article 18 of the General Data Protection Regulation.

This means that you have the right to request that processing is restricted if one of the conditions stated in Article 18(1) of the General Data Protection Regulation is met. For example, this may be the case if you dispute the accuracy of the personal data. Processing is restricted in this case for a period of time that enables us to verify the accuracy of the personal data (Article 18(1a) of the General Data Protection Regulation).

Restriction means stored personal data is marked with the aim of restricting its future processing (Article 4(3) of the General Data Protection Regulation).

The full scope of your right to restriction of processing can be found in Article 18 of the General Data Protection Regulation, which can be accessed via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679.

V. Right to data portability

As the data subject, you have the right to data portability under the conditions of Article 20 of the General Data Protection Regulation.

This means that you have the right, unless specified otherwise, to receive the relevant personal information that you have provided to us in a structured, common and machine-readable format, and you have the right to freely convey this data to another controller, provided that the processing is based on a consent in accordance with Article 6(1a) or Article 9(2a) of the General Data Protection Regulation or on a contract in accordance with Article 6(1b) of the General Data Protection Regulation and the processing is carried out by automated means (Article 20(1) of the General Data Protection Regulation).

Information as to whether processing is carried out based on consent in accordance with Article 6(1a) or Article 9(2a) of the General Data Protection Regulation or based on a contract in accordance with Article 6(1b) of the General Data Protection Regulation can be found in the information on the legal basis for processing in Section B of this Privacy Statement.

When exercising the right to data portability, you also have the right, unless specified otherwise, to have your personal data transferred directly by us to another controller, insofar as this is technically possible (Article 20(2) of the General Data Protection Regulation).

The full scope of your right to data portability can be found in Article 20 of the General Data Protection Regulation, which can be accessed via the following link: http://eur-lex.europa.eu/legal-content/DE/TXT/HTML/?uri=CELEX:32016R0679.

VI. Right to object

As the data subject, you have the right to object under the conditions of Article 21 of the General Data Protection Regulation.

We will expressly draw your attention, as the data subject, to your right to object upon our first communication with you at the latest.

Detailed information on this can be found below:

1. Right to object for reasons arising from the specific situation of the data subject

As the data subject, you have the right to object to the processing of your personal data on the basis of Article 6(1e) or (1f) of the General Data Protection Regulation for reasons arising from your specific situation at any time; this also applies to profiling based on these provisions.

Information as to whether processing is based on Article 6(1e) or (1f) of the General Data Protection Regulation can be found in the information on the legal basis of processing in Section B of this Privacy Statement.

In the event of an objection based on reasons arising from your specific situation, we will no longer process your personal data unless we can prove compelling, legitimate grounds that outweigh your interests, rights and freedoms, or that the processing is necessary to enforce, exercise or defend legal claims.

The full scope of your right to object can be found in Article 21 of the General Data Protection Regulation, which can be accessed via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

2. Right to object to direct marketing

If personal data is processed to drive direct marketing, you have the right to object to the processing of your personal data for the purposes of this type of marketing; this also applies to profiling, insofar as it is linked to direct marketing.

Information as to whether and to what extent personal data is processed for the purposes of direct marketing can be found in the information on the purposes of processing in Section B of this Privacy Statement.

In the event of an objection to processing for the purposes of direct marketing, we will no longer process the personal data for this purpose.

The full scope of your right to object can be found in Article 21 of the General Data Protection Regulation, which can be accessed via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

VII. Right to withdraw consent

If the processing is based on consent pursuant to Article 6(1a) or Article 9(2a) of the General Data Protection Regulation, you as the data subject have the right to withdraw consent at any time in accordance with Article 7(3) of the General Data Protection Regulation. Withdrawing consent does not affect the lawfulness of processing before the withdrawal of consent. We will inform you of this before you give your consent.

Information as to whether processing is based on consent in accordance with Article 6(1a) or Article 9(2a) of the General Data Protection Regulation can be found in the information on the legal basis of processing in Section B of this Privacy Statement.

VIII. Right to lodge a complaint with a supervisory authority

As the data subject, you have the right to lodge a complaint with a supervisory authority under the conditions of Article 77 of the General Data Protection Regulation.

The supervisory authority responsible for us is:

Bayerisches Landesamt für Datenschutzaufsicht [Bavarian Data Protection Authority, BayLDA]

Promenade 18

91522 Ansbach Germany

poststelle@lda.bayern.de

+49 (0) 981 180093-0

 

 

E. Information on the use of key terms from the General Data Protection Regulation used in this Privacy Statement

The key terms used in this Privacy Statement are based on the meanings specified in the General Data Protection Regulation.

The full scope of the definitions for the purposes of the General Data Protection Regulation can be found in Article 4 of the General Data Protection Regulation, which can be accessed via the following link: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679.

Detailed information on the most important terms from the General Data Protection Regulation used in this Privacy Statement can be found below:

  • "Personal data" means any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
  • "Data subject" means the identified or identifiable natural person to whom the personal data relates;
  • "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
  • "Profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements;
  • "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
  • "Processor" means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
  • "Recipient" means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or member state law shall not be regarded as recipients; the processing of this data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
  • "Third party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • "International organisation" means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;
  • "Third country" means a Member State of the European Union ("EU") or the European Economic Area ("EEA");
  • "Special categories of personal data" means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

F. Validity and modification of this Privacy Statement

This Privacy Statement is valid as of 12th November, 2019.

It may be necessary to adapt this Privacy Statement due to technical developments and/or changes in legal and/or official requirements.

The current Privacy Statement can be accessed at any time under [website address of the Privacy Statement].