Data Protection

1.1

In the following, we inform you about the processing of personal data when using our website. Personal data is all data that can be related to you personally, e.g. name, address, e-mail addresses, user behaviour (see below).

1.2

The person responsible pursuant to Art. 4 (7) of the EU General Data Protection Regulation (GDPR) is:

PFH Private University Göttingen

Private University of Applied Sciences

Weender Landstrasse 3-7

37073 Göttingen

Sponsoring company:

Gesellschaft für praxisbezogene Forschung und wissenschaftliche Lehre GmbH

You can reach our data protection officer at datenschutz(at)pfh.de or our postal address with the addition of "the data protection officer".

1.3

If we use commissioned service providers for individual functions of our offer or would like to use your data for advertising purposes, we will inform you in detail about the respective processes below. In doing so, we will also state the defined criteria for the storage period. Where we use external service providers to process your data, they have been carefully selected and engaged by us, are bound by our instructions and are regularly monitored.

1.4

Following the example of Art. 4 of the GDPR, this data protection notice is based on the following definitions:

• "Personal data" (Art. 4 No. 1 GDPR) means any information relating to an identified or identifiable natural person ("data subject"). A person is identifiable if he or she can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier, location data or by means of information relating to his or her physical, physiological, genetic, mental, economic, cultural or social identity characteristics. The identifiability can also be given by means of a linkage of such information or other additional knowledge. The origin, form or embodiment of the information is irrelevant (photographs, video or audio recordings may also contain personal data).
• "Processing" (Art. 4 No.2 GDPR) means any operation which involves the handling of personal data, whether or not by automated (i.e. technology-based) means. This includes in particular the collection (i.e. obtaining), recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment, combination, restriction, erasure or destruction of personal data, as well as the change of a purpose or intended use on which a data processing was originally based.
• "Controller" (Art. 4 No.7 GDPR) means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
• "Third party" (Art. 4 No.10 GDPR) means any natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who are authorised to process the personal data under the direct responsibility of the controller or processor; this also includes other group-affiliated legal entities.
• "Processor" (Art. 4 No.8 GDPR) is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller, in particular in accordance with the controller's instructions (e.g. IT service provider). In the sense of data protection law, a processor is in particular not a third party.
• "Consent" (Art. 4 No. 11 GDPR) of the data subject means any freely given specific, informed and unambiguous indication of his or her wishes in the form of a statement or other unambiguous affirmative act by which the data subject signifies his or her agreement to the processing of personal data relating to him or her.

1.5

For the processing operations carried out by ourselves or by means of processors, we indicate below in each case how long the data will be stored by us and when it will be deleted or blocked. If no explicit storage period is specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for the storage no longer applies.

However, we may retain the information for longer than the above period in the event of a (threatened) legal dispute with you or other legal proceedings, or where retention is required by law to which we are subject as a responsible party (e.g. § 257 HGB, § 147 AO). If the storage period prescribed by the legal regulations expires, the personal data will be blocked or deleted unless further storage by us is necessary and there is a legal basis for this.

In principle, any processing of personal data is prohibited by law and only permitted if the data processing falls under one of the following justifications:

• Art. 6 para. 1 sentence 1 lit. a GDPR ("Consent"): Where the data subject has voluntarily, in an informed manner and unambiguously indicated by a statement or other unambiguous affirmative act that he or she consents to the processing of personal data relating to him or her for one or more specified purposes;
• Art. 6 para. 1 sentence 1 lit. b GDPR: If the processing is necessary for the performance of a contract to which the data subject is party or for the implementation of pre-contractual measures taken at the request of the data subject;
• Art. 6 para. 1 sentence 1 lit. c GDPR: If processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. a legal obligation to keep records);
• Art. 6 para. 1 sentence 1 lit. d GDPR: If the processing is necessary to protect the vital interests of the data subject or another natural person;
• Art. 6 para. 1 sentence 1 lit. e GDPR: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, or
• Art. 6 para. 1 sentence 1 lit. f GDPR ("Legitimate Interests"): Where processing is necessary to protect legitimate (in particular legal or economic) interests of the controller or a third party, unless the conflicting interests or rights of the data subject override (in particular where the data subject is a minor).

For the processing operations carried out by us, we indicate below the applicable legal basis in each case. A processing operation may also be based on several legal bases.

Furthermore, the storage of information on your terminal device as an end user and access to information already stored on your terminal device will only take place after you have given your consent in accordance with Section 25 (1) of the German Telecommunications Telemedia Data Protection Act (TTDSG), unless this is dispensable in accordance with Section 25 (2) of the TTDSG.

3.1

You have the following rights in relation to personal data relating to you:

• to request information about your data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the category of data, the categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right of complaint, the origin of your data if it has not been collected by us, as well as the existence of automated decision-making including profiling and, if applicable, meaningful information about its details;
• in accordance with Art. 16 GDPR to demand the correction of incorrect or the completion of your data stored by us without delay;
• to request the deletion of your data stored by us in accordance with Art. 17 GDPR, unless the processing is necessary for the exercise of the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest or for the assertion, exercise or defence of legal claims;
• demand the restriction of the processing of your data in accordance with Art. 18 GDPR, insofar as the accuracy of the data is disputed by you or the processing is unlawful;
• pursuant to Art. 20 GDPR to receive your data that you have provided to us in a structured, common and machine-readable format or to request the transfer to another controller ("data portability");
• object to the processing in accordance with Art. 21 GDPR, insofar as the processing is based on Art. 6 (1) sentence 1 lit. e or lit. f GDPR. This is particularly the case if the processing is not necessary for the performance of a contract with you. Except in the case of an objection to direct marketing, we will ask you to explain the reasons why we should not process your data as we have done. In the event of your justified objection, we will review the merits of the case and either cease or adapt the data processing or show you our compelling legitimate grounds on the basis of which we will continue the processing;
• in accordance with Art. 7 (3) of the GDPR, you may at any time revoke your consent - i.e. your voluntary, informed and unambiguous will expressed by a declaration or other unambiguous act of confirmation that you consent to the processing of the personal data in question for one or more specific purposes - that you have given to us (even before the GDPR came into force, i.e. before 25 May 2018), if you have given such consent. This has the consequence that we may no longer continue the data processing based on this consent in the future.

3.2

In accordance with Art. 77 GDPR, you may complain to a data protection supervisory authority about the processing of your personal data in our company, such as the data protection supervisory authority responsible for us.

We process the personal data specified in more detail below in accordance with the provisions of the GDPR, the TTDSG and the other relevant data protection regulations only to the extent necessary. Insofar as the processing of personal data is based on Art. 6 (1) sentence 1 lit. f GDPR, the aforementioned purposes also constitute our legitimate interests, subject to further interests to be specified in more detail.

4.1

In the case of mere informational use of the website, i.e. if you do not register or otherwise transmit information to us, we only collect the personal data that your browser transmits to our server. When you visit our website, we collect the following information, which is technically necessary to display our website to you and to ensure its stability and security (legal basis is Art. 6 para. 1 p. 1 lit. f GDPR):

• Host name of the accessing computer (IP address)
• Date and time of the request
• Time zone difference from Greenwich Mean Time (GMT)
• Browser type/version
• Operating system used
• Referrer URL (the previously visited page)
• Content of the request (concrete page)
• Data volume transferred in each case
• Access Status/HTTP Status Code

This data is not merged with other data sources and is deleted after statistical evaluation.

4.2

In addition to the above information, cookies are stored on your terminal device when you use our website (more on this below).

We use cookies on our websites and store information on your terminal device. Cookies are small text files that are assigned to the browser you are using and stored on your hard drive through which certain information flows to the body that sets the cookie. Cookies cannot run programmes or deliver viruses to your computer and therefore cannot cause any damage. They are used to make the website as a whole more user-friendly and effective, i.e. more pleasant for you.

Cookies can contain data that make it possible to recognise the device used. In some cases, however, cookies only contain information on certain settings that are not personally identifiable. However, cookies cannot directly identify a user.

A distinction is made between session cookies, which are deleted as soon as you close your browser, and permanent cookies, which are stored beyond the individual session. We use several types of cookies:

Transient cookies are automatically deleted when you close your browser. These include session cookies. These store what is known as a session ID, which allows various requests from your browser to be assigned to the same session. This enables us to recognise your computer when you return to our website. Session cookies are deleted when you log out or close your browser.

Persistent cookies are automatically deleted after a predefined period of time, which may differ depending on the cookie. You can delete the cookies at any time in the security settings of your browser.

We also use Google cookies on this site to enable us to display information about our courses on other websites at a later date, if necessary. You can disable these cookies in your advertising preferences. Alternatively, you can opt out of the use of third-party cookies by visiting the Network Advertising Initiative opt-out page.

Any use of cookies that is necessary for the provision of a telemedia service expressly requested by the user constitutes data processing that is only permitted with your express and active consent pursuant to Section 25 (1) TTDSG. Subsequent further processing must also be legitimised in accordance with Art. 6 para. 1 sentence 1 GDPR. This applies in particular to the use of advertising, targeting or the sharing of cookies. Furthermore, we will only disclose your personal data processed by cookies to third parties if you have expressly consented to this in accordance with Art. 6 (1) sentence 1 lit. a GDPR. In the following, we state the legal basis in connection with the respective service.

Your cookies for our website

You can, of course, use our website without accepting cookies. If you choose not to accept cookies, please note that our site may not function properly.

Changed your mind and want to change your cookie settings? No problem! You can withdraw your consent at any time in the future by changing your cookie settings.

Click here to change your cookie preferences for our website.

If you contact us by e-mail, the information you provide (your e-mail address, name and telephone number, if applicable) will be stored by us in order to answer your questions. We will delete such data when it is no longer necessary to store it, or restrict its processing if we are required by law to retain it. The purpose of the processing is to respond to your request. The legal basis is Art. 6 para. 1 p. 1 lit. b or lit. f GDPR.

7.1

In addition to the purely informational use of our website, we offer various services that you can use if you are interested. This will usually require you to provide further personal information which we will use to provide the service and which will be subject to the data processing principles set out above.

7.2

When you order information material, contact us for advice or registering for an event, we collect your first and last name, e-mail address and, where applicable, address and telephone number.

7.3

When you register for an online event, we collect your first and last name and your e-mail address. This data is transmitted to the company "Livestorm" (24 Rue Rodier, 75009 Paris, France), whose service we use as a platform for online information events. The data is used to register you for the event (Livestorm data protection information: https://livestorm.co/privacy/livestorm-privacy-policy-DE.pdf).

7.4

When registering/applying for an educational offer, we collect the following personal data:

• Name
• Contact details
• Information on higher education entrance qualification or other information on previous education

The legal basis regarding the processing of your personal data in the cases mentioned under points 7.2 – 7.4 is Art. 6 para. 1 p. 1 lit. b and f GDPR.

This website uses Google Analytics, a web analytics service provided by Google, Inc ("Google"), 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

Google Analytics uses "cookies", which are text files placed on your computer, to help the website analyse how users use the site (see above).

This website uses IP anonymisation, which means that your IP address will be shortened beforehand by Google within member states of the European Union or in other contracting states to the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transferred to a Google server in the USA, where it will be abbreviated. On behalf of the operator of this website, Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity and providing other services relating to website activity and internet usage to the website operator. Google will not associate the IP address transmitted by your browser with any other data held by Google. You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website. You can also prevent the collection of your data by Google using the cookie (including your IP address) and the processing of this data by Google by downloading and installing the browser plugin available under the following link:

http://tools.google.com/dlpage/gaoptout?hl=de

You can find more information on how Google Analytics handles user data in Google's privacy policy:

https://support.google.com/analytics/answer/6004245?hl=de

We have a data processing agreement with Google and fully comply with the strict requirements of the German data protection authorities when using Google Analytics.

The use of Google Analytics is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. Click here to deactivate Google Analytics

We use the User ID feature. The User ID allows us to assign a unique, persistent ID to one or more sessions (and the activity within those sessions) and to analyse user behaviour across devices.

Messages are sent via the WhatsApp service using Twilio, a service provided by Twilio Inc. ("Twilio"), 645 Harrison St # 3rd Floor, San Francisco, CA 94107 USA.

To do this, we will transfer your mobile phone number to Twilio, where it will be stored until your request or communication with you is complete. We will then arrange for your mobile phone number to be deleted from Twilio. The legal basis for the use of Twilio is Art. 6 para. 1 p. 1 lit. a) GDPR.

The data collected is stored on servers managed by Twilio. These servers are located in the U.S.

Where personal data is transferred to a Twilio group company, the legal basis is the binding corporate rules (BCR) in accordance with Art. 47 GDPR. Details can be found here:

https://www.twilio.com/legal/bcr/processor#twilios-binding-corporate-rules-processor-policy

For data transfers to companies that are not subject to the BCR, we base the data transfer on the standard contractual clauses that we have concluded together with a data processing contract. Details can be found here: https://www.twilio.com/legal/data-protection-addendum

You can view Twilio's general privacy policy here: https://www.twilio.com/legal/privacy

10.1

Our websites also use other services that read data from or store data in visitors' terminal devices without the use of cookies, but through other technologies such as Javascript codes, web beacons, tags and other identifiers supported by AI-based technology.

We also currently use social media plug-ins that are only loaded if you have previously activated the function by giving your consent. Via the plug-ins, we offer you the opportunity to interact with social networks and other users.

If you wish to activate the plug-in in question, an information text and a button will appear. By pressing the button, you agree to the loading of the respective cookies used by the social or multimedia service.

Unless otherwise stated below, the legal basis for the use of the plug-ins is § 25 (1) TTDSG, whereby the subsequent further processing of your data also requires your consent in accordance with Art. 6 (1) sentence 1 lit. a GDPR; i.e. the integration will only take place if you have given your consent to the storage or readout of information on your terminal device and, in addition, your consent to the subsequent further processing of the personal data for analysis and advertising purposes (so-called "2-click solution").

You can withdraw your consent at any time in the cookie settings.

10.2

For some functions on our website, we involve external service providers to whom we transfer personal data. All third party service providers commissioned by us act as order processors for us in accordance with our instructions and are in accordance with Art. 28 DSGVO in a data protection compliant manner. The contractual agreement provides, among other things, that the order processors undertake to comply with data protection, which includes securing your personal data through appropriate technical and organisational measures. Recipients of personal data may include, in particular:

• Bitninja (https://bitninja.io), whose security software we use for our web services.
• RapidMail (Augustinerplatz 2, 79098 Freiburg i.Br.) to keep in touch with our existing customers.
• Other companies within the scope of support/maintenance of EDP/IT applications, archiving, controlling, data destruction, purchasing/procurement, administration, marketing.
• Facebook Pixel (Facebook, 1601 South California Avenue, Palo Alto, CA 94304, USA): Use of the Visitor Action Pixel for the purpose of analysing our advertising activities on Facebook. For more information about Facebook's data collection and use practices, as well as your rights and choices about how you can protect your privacy, please visit Facebook's privacy policy at https://www.facebook.com/about/privacy/. Alternatively, you can opt-out of the Custom Audiences remarketing feature at https://www.facebook.com/settings/?tab=ads#_=_. You must be logged in to Facebook to do this.
• Hotjar (Hotjar Ltd, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's STJ 3141, Malta) is used to record randomly selected individual website visits (with anonymised IP address only). This creates a log of mouse movements and clicks. This allows us to randomly replay individual website visits and derive potential improvements for the website.
• Awin (Awin AG, Eichhornstraße 3, 10785 Berlin, Germany) for Affiliate Marketing
• Zuko (Formisimo Ltd, Colony, 5 Piccadilly Place, Manchester, M1 3BR, United Kingdom) to record the viewing of our forms and interactions with the same. The information collected will allow us to identify problems that visitors to our site may have when interacting with your forms.

10.3

We also process personal data submitted via this website in Salesforce. This is a cloud-based software platform provided by Salesforce, Inc., Tower 415 Mission Street, 3rd Floor San Francisco, CA 94105, which helps us to manage customer relationships and business processes ("Customer Relationship Management"). The legal basis for the processing of your personal data in this case is Art. 6 par. 1 p. 1 lit. f DSGVO.

10.4

If you have given us your consent pursuant to Art. 6(1)(1)(a) DSGVO, we will also transfer your data to our Microsoft Power BI-based reporting tool ("Cube") in order to analyse and improve our business processes.

You may revoke your consent at any time by sending an informal e-mail to datenschutz(at)pfh.de (see below).

In the course of our business relationship, your personal data may be transferred or disclosed to third party companies. These may be located outside the European Economic Area (EEA), i.e. in third countries. Such processing is done solely for the purpose of fulfilling contractual and business obligations and maintaining your business relationship with us. We will inform you of the details of such transfers at the relevant points below.

Some third countries have been certified by the European Commission as having a level of data protection comparable to the EEA standard through so-called Adequacy Decisions (a list of these countries and a copy of the Adequacy Decisions can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en). However, other third countries to which personal data may be transferred may not have a consistently high level of data protection due to a lack of legislation. Where this is the case, we ensure that adequate data protection is in place. This may be through binding corporate rules, the European Commission's standard contractual clauses for the protection of personal data, certificates or recognised codes of conduct.

The transfer of personal data to the U.S. is currently possible again based on the adequacy decision for the EU-U.S. Data Privacy Framework adopted by the European Commission on 10 July 2023. Please also note that a transfer of your personal data to a third country such as the USA cannot, in the vast majority of cases, be based on your consent pursuant to Art. 49 of the GDPR.

We will inform you about the legal basis (e.g. standard contractual clauses) on which the transfer of data to third countries takes place at the appropriate place in the individual services. Please contact our Data Protection Officer if you would like more detailed information.

12.1

If you have given your consent to the processing of your data (Art. 6 para. 1 sentence 1 lit. a GDPR), you may withdraw your consent at any time. Such a withdrawal of consent will affect the lawfulness of the processing of your personal data after you have expressed it to us.

12.2

You may object to the processing of your personal data where we are relying on the balancing of interests (Art. 6 para. 1 sentence 1 lit. f GDPR). In particular, this is the case if the processing is not necessary for the performance of a contract with you, which we will demonstrate in each case in the functional description. If you exercise such an objection, we ask you to explain the reasons why we should not process your personal data in the way we have done. If your objection is justified, we will consider the merits of the case and either stop or amend the processing or provide you with our compelling legitimate grounds for continuing the processing.

12.3

You may, of course, at any time object to the processing of your personal data for advertising purposes and the profiling associated with it. You can inform us of your objection to advertising using the following contact details: datenschutz(at)pfh.de