TRANSPARENCY INFORMATION

Information on the processing of your data according to GDPR

Based on Articles 13 and 14 of the General Data Protection Regulation (GDPR), we would like to inform you about the processing of your personal data. This consists of a generally applicable part as well as further information on the individual processing of the data subject’s data under section 11.

1. Who is Data-Controller for the processing of your personal data, who is the data protection officer?

Depending on your contractual relationship with us, the following data controllers are responsible for processing your personal data: https://www.hs-fresenius.com/imprint/

1.1 Data-Controller

Hochschulen Fresenius gemeinnützige Trägergesellschaft mbH
Limburger Straße 2
65510 Idstein

Hochschulen Fresenius GmbH
Limburger Straße 2
65510 Idstein

Kontakt
Telefon: + 49 (6126) 93 52 0
Telefax: + 49(6126) 93 52 10
E-Mail: idstein@hs-fresenius.de

Hochschule Fresenius online plus GmbH
Limburger Straße
265510 Idstein

Kontakt
Telefon: +49 221 29258-600
Fax: +49 221 29258-999
E-Mail: fernstudium@hs-fresenius.de

Hochschule Fresenius für Internationales Management Gesellschaft mit beschränkter Haftung
Sickingenstraße 63-65
69126 Heidelberg

Kontakt
Telefon: +49 (62 21) 64 42 0
Telefax: +49 (62 21) 64 42 42
E-Mail: heidelberg@hs-fresenius.de

1.2 Contact details of the data protection officer

Carl Remigius Fresenius Education AG
Data Protection Officer
Im MediaPark 4e
50670 Cologne

Contact:
Phone: +49 221 921512-782
Email: datenschutz@crf-education.com

2. For what purposes and on what legal basis is your data processed?

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws (e.g. university laws, etc.).

2.1 Based on your consent (Art. 6 para. 1 lit. a GDPR)

If you have given us consent to process your personal data, the respective consent is the legal basis for the processing mentioned there. You can revoke this consent at any time with effect for the future in accordance with Art. 21 GDPR. The revocation is only effective for future processing.

2.2 For the fulfilment of contractual obligations (Art. 6 para. 1 lit. b GDPR)

We process your data for the fulfilment of our contractual relationship. The purposes of the data processing depends in detail on the specific product and the contract documents.

2.3 To comply with legal obligations (Art. 6 para. 1 lit. c GDPR)

We process your data to comply with a legal obligation to which we are subject as the controller.

2.4 To safeguard vital interests (Art. 6 para. 1 lit. d GDPR)

We process your data to protect vital interests of the data subject or another natural person.

2.5 Within legitimate interests pursued by the controller (Art. 6 para. 1 lit. f GDPR)

Furthermore, processing may also take place based on a balancing of interests to protect the legitimate interests of the controller or third parties. Our interest in the respective processing results from the respective purposes and such as efficient task fulfilment, sales, avoidance of legal risks. As far as the specific purpose allows, we adhere to the principle of data minimization and process your data in pseudonymized or anonymized form.

3. Who gets your data?

Your data will only be transmitted if this is permitted by a legal basis. Within our company, only those persons and departments (e.g. IT, Sales, HR, Marketing…) receive your personal data that require it to fulfil our contractual and legal obligations.

Within our Carl Remigius Fresenius Education Group, your data will be transferred to certain companies if they perform data processing tasks centrally for the companies affiliated in the Group (e.g. disposal of paperfiles).

Furthermore, personal data may be transferred to recipients outside the company, if this is necessary for the fulfilment of contractual and legal obligations as the Data-Controller, such as:

• Processors according to Art. 28 GDPR, in scope of IT services, logistics, transport company, affiliated companies of the Carl Remigius Fresenius Education Group and printing services, who process your data on behalf of the Controller.
• Joined Controller according to Art 26 GDPR as far as it is necessary for the fulfilment of the task
• Public authorities and institutions (e.g., Federal Statistical Office, State Education Authority, etc.)

4. What data protection rights do you have as data subject?

You can exercise the following data subject rights with the Data-Controller for processing of personal data (see above):

• Information (according to Art. 15 GDPR) about your stored personal data
• Correction (according to Art. 16 GDPR) and
• Deletion (according to Art. 17 GDPR) of your data. You may furthermore have a right to
• Restriction of the processing (according to Art. 18 GDPR) of your data, a right to
• Right to data portability (Art. 20 GDPR) get data in a structured, common, and machine-readable format as well as the
• Right to object (Art. 21 GDPR)

5. Where can you complain?

Furthermore, you have the right to lodge a complaint with a supervisory authority (pursuant to Art. 77 GDPR): If you believe that the processing of your data violates data protection law or that your data protection rights have otherwise been violated in some way, you can file a complaint with the supervisory authority in charge: https://www.bfdi.bund.de/DE/Infothek/Anschriften_Links/anschriften_links-node.html

6. How long will your data be stored?

To the extent necessary, we process your personal data for the duration of our business relationship, which also includes the initiation and execution of a contract. In addition, we are subject to various retention and documentation obligations, which result, among other things, from the German Commercial Code (HGB), the Education Laws of the federal states or other legally prescribed periods. The periods specified there for retention or documentation are up to 60 years. Finally, the storage period is also assessed according to the statutory limitation periods, which, for example, according to §§ 195 et seq. of the German Civil Code (BGB), generally amount to three years, but in certain cases can also be up to thirty years.

7. Will your data be transferred to a third country?

If we transfer personal data to service providers or group companies outside the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection or if other appropriate data protection safeguards (e.g. Binding Corporate Data Protection Rules or EU Standard Contractual Clauses (incl. Transfer Impact Assessment)) are in place.

8. Are you obliged to provide your data?

Within the scope of our business relationship, you are only required to provide personal data that is necessary for the establishment, implementation, and termination of a business relationship or which we are legally obliged to process.

Without this data, we will usually have to refuse to conclude the contract or execute the order, or we will no longer be able to execute an existing contract and may have to terminate it.

9. To what extent is there automated decision-making in individual cases?

For the establishment and implementation of the business relationship, we generally do not use automated decision-making in accordance with Art. 22 GDPR. If we want to use these procedures in individual cases, we will inform you separately in advance.

10. To what extent will my data be used for profiling?

If we process your data automatically with the aim of evaluating certain personal aspects (such as so-called “profiling” pursuant to Art. 4 No. 4 GDPR), we will inform you separately in advance.

11. Special section for Data Subjects

Below you will find further information according to Art. 13 and 14 GDPR for the individual processing of data subjects’ data. Please click on the applicable link (+) to obtain further information on the processing:

Dear Student, Pupil, Participant, Applicant

Below we provide further information on the individual processing of your personal data:

1. What categories of data do we process and where do they come from?

We process data that we receive from the business relationship with you. This data is usually provided directly by you, e.g., in the context of an application or the conclusion of a contract for one of our educational products. In particular, but not exclusively, we process the following data:

• Master data for the application to one of our (High) Schools (e.g., name, address, and other contact data (such as e-mail, telephone, emergency contact.), date/place of birth, gender, photo, nationality, bank details)
• Data in connection with an application (letter of motivation, curriculum vitae, certificates, previous education (such as school-leaving certificate, learned profession), membership certificate of your health insurance company).
• Data in connection with the contract management of their educational product in organizational and financial terms.
• Data provided in connection with additionally provided services (such as student ID, participant, semester ticket).
• Educationally relevant data (e.g., enrolment in an educational program as well as modules/courses, course schedules, grades, ECTS, attendances, performance records/certificates).
• Correspondence (e.g., correspondence with you).
• Advertising and sales data (e.g., products potentially of interest to you).
• Statistics (e.g., for reporting to the Federal Statistical Office or to the education authorities).
• If applicable, certificates, vaccinations, and police clearance certificates, if these are necessary for the special educational offer. This may also include special categories of personal data such as health data. 

2. For what purposes and on what legal basis is data processed?

We process your personal data in compliance with the provisions of the GDPR, the BDSG (German Federal Data Protection Act) and all other applicable laws (e.g. university laws, etc.).

2.1 Based on your consent (Art. 6 para. 1 lit. a GDPR)

This is done e.g., for the following purposes:

• Hours of presence
• Participation in surveys

2.2 For the fulfilment of contractual obligations (Art. 6 para. 1 lit. b GDPR)

This is done exemplarily but not conclusively for the following purposes:

• Enrollment and management of your chosen educational product
• Use of the tools provided by the training provider for (digital) education (communication, scheduling, online training (with video/voice/chat/upload download), examination).

2.3 To comply with legal requirements (Art. 6 para. 1 lit. c GDPR)

This is done exemplarily but not conclusively for the following purposes:

• Pandemic requirements
• Preparation of attendance lists (using standard software, paper, or electronic systems)
• Storage of information relevant to studies and training for long periods of time (up to 60 years)
• Evaluation
• Plagiarism checks in context of the examination for attempted cheating

2.4 To safeguard vital interests (Art. 6 para. 1 lit. d GDPR)

This is done exemplarily but not conclusively for the following purposes:

• Pandemic requirements

2.5 Within legitimate interests (Art. 6 Para. 1 lit. f GDPR)

This is done on an exemplary for the following purposes:

• General control and further development of services and products
• Advertising, market and opinion research
• Assertion of legal claims and defence in legal disputes
• Ensuring IT security and IT operations

Our interest in processing results from the respective purposes and, for example, for the efficient fulfilment of tasks, sales, avoidance of legal risks, etc. If the specific purpose allows, we process the data in pseudonymised or anonymised manner.

2.6 Special categories of personal data pursuant to Art. 9 (1) GDPR

If special categories of personal data are processed pursuant to Art. 9 (1) GDPR, this is necessary for the purpose of implementing the educational contract.

Dear external Lecturer

Below you will find additional information on the individual processing of your personal data:

1. What categories of data do we use and where do they come from?

We process data that we receive from the business relationship with you. Your personal data is collected directly from you in performing the requirements of the contract or during your work as a lecturer. In addition, we may have received data from third parties (e.g., recruitment agencies) and may also process activity-related performance data for evaluation purposes. In particular, but not exclusively, we process the following data

• Master data for working at one of our (High) Schools and Universities (e.g. name, address and other contact data (such as e-mail, telephone, emergency contact.), date/place of birth, gender, photo, nationality, bank details)
• Data related to your job such as curriculum vitae, certificates, previous education, membership certificate of your health insurance, confirmation of pension insurance
• Data in connection with the contractual execution of their order in organizational and financial terms.
• Correspondence (e.g., correspondence with you)
• Statistics (e.g., for reporting to the Federal Statistical Office or to the education authorities).
• If applicable, certificates, vaccinations and police clearance certificates if these are necessary for the specific training. This may also include special categories of personal data such as health data.
• The log data based on the use of the IT systems as well as further data within the scope of the external teaching assignment.
• Assessments and studies in the context of the evaluation

2. For what purposes and on what legal basis is data processed?

We process your personal data in compliance with the provisions of the GDPR, the BDSG (German Federal Data Protection Act) and all other relevant laws (e.g., university laws, etc.).

2.1 Based on your consent (Art. 6 para. 1 lit. a GDPR)

This is done e.g., for the following purposes:

• Publishing of photos on the web page of the Controller, etc.

2.2 For the fulfilment of contractual obligations (Art. 6 para. 1 lit. b GDPR)

This is done e.g. for the following purposes:

• Use of the tools provided by the Controller to carry out the (digital) education (communication, online training (with video/voice/chat/upload-download), examination)

2.3 To comply with legal requirements (Art. 6 para. 1 lit. c GDPR)

This is done e.g. for the following purposes:

• Pandemic requirements
• Preparation of attendance lists (by means of standard software (Excel), on paper or electronic systems)
• Storage of information relevant to studies and training for long periods of time (up to 60 years)
• Evaluation

2.4 To safeguard vital interests (Art. 6 para. 1 lit. d GDPR)

This is done e.g. for the following purposes:

• Pandemic requirements

2.5 In the context legitimate interest (Art. 6 para. 1 lit. f GDPR)

This is done e.g. for the following purposes:

• Controlling and further development of services and products
• Assertion of legal claims and defense in legal disputes
• Ensuring IT security and IT operations
• Our interest in the processing results from the respective purposes and is otherwise of an economic nature (efficient fulfilment of tasks, avoidance of legal risks).

If possible, we process your data in a pseudonymized or anonymized manner.

2.6 HStatG

In addition, your anonymized or pseudonymized data are transmitted annually based on § 3 Survey Characteristics for Institutions pursuant to § 2 no. 1 in conjunction with § 3 para. 4 HStatG. In conjunction with Section 3 (4) HStatG, your anonymized or pseudonymized data will also be transmitted annually to the German Federal Statistical Office.

2.7 Special categories of personal data pursuant to Art. 9 (1) GDPR

If special categories of personal data are processed pursuant to Art. 9 (1) GDPR, this is necessary for fulfilment of legal obligations within the scope of the activity as an external lecturer.

Below you will find additional information on the individual processing of your personal data:

What categories of data do we use and where do they come from?

We process the following personal data from you, among others, for the purpose of contract fulfillment and due to our legitimate interest of supplier, external consultant, and service provider retention, as well as for business initiation:

• Master data: Name, address, company,
• Contact details (telephone number, e-mail address, fax)
• If applicable, department, function,…
• Correspondence (e.g., correspondence with you)

We store the personal data required for fulfilment of the contract for the entire business relationship as well as beyond that in accordance with the statutory retention, documentation and reporting obligations. In addition, we have defined and documented deletion periods for all other processing activities. This data will be deleted immediately and without your involvement once the purpose and the statutory retention obligations are outdated.

The app offers comprehensive functions, information and applications for prospective students, applicants and students, such as:

• Content can be accessed via the start area such as news, events and important information about study offers for the personalized user.
• Via the Application section, the individual steps of the application process can be carried out.
• Furthermore, interested parties and applicants have the opportunity to contact the student advisory service directly via chat. Students have access to a webmail connection so that they can contact lecturers and fellow students by e-mail.
• Already interested persons can personalize the app’s content by registering. This means that by specifying their interests in their profile, they receive specially selected content and offers to cover their needs or favorite locations.
• In addition, forms are integrated that allow easy registration for (info) events and requesting (info) material.
• The app offers the possibility to access the webshop, social media profils, activate push notifications, apartment ads and other functionality.
• Students can organize and manage their daily study work in their personal area, such as displaying the timetable in the personal calendar, accessing grades or internal learning platforms, and retrieving extensive news about the university site.
• Students can use their profile set a personal profile picture, manage and protect their data, and change their password.

1. collection of personal data during the delivery and operation of our mobile applications (apps)

The respective “app stores” of the operating systems of the devices collect and use personal data of the dta subject only if it is necessary for the provision of a functional app as well as the contents and services.

Each time the app is used, the system automatically collects the following data from the computer system of the device and stores it in log files: e.g. name of the downloaded file, date and time of usage, amount of data transferred, message about successful download, IP address of the user, operating system of the user. A consolidation of this data with other data sources does not take place. The legal basis for the collection of the data and its storage in log files is Art. 6 (1) lit. f) GDPR.

The temporary collection of data by the system is necessary to enable delivery of the app to your device and to ensure its successful download and installation. The storage in log files also takes place to ensure the stability and functionality of the app. Furthermore, the data is used to optimize the app and to ensure the security of the information technology systems against possible attacks from outside. This is also the legitimate interest in the data processing according to Art. 6 (1) lit. f) GDPR.

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

The collection of data for the provision of the app and its storage in log files is necessary for the operation of the app.

2. App permissions

When downloading and installing our app, certain permissions and accesses to your smartphone are requested. These serve exclusively the functionality of our app. For example, access to the microphone, the camera, photo or file storage or the calendar may be necessary to provide you with the full range of functions. You provide these accesses to the app voluntarily if you want to use these special functions. The revocation of consent (resetting of the functions provided) can be performed by using the settings of the respective operating system of your mobile device.

3. data processing and confidentiality when contacting us

In the app, you have the option of contacting the university via contact forms in the app. The personal data (e.g. name, address, telephone number or e-mail address) transmitted via the contact form is used exclusively for processing your contact requests. The data will not be disclosed to third parties. The legal basis for the processing of the data transmitted via the contact form is Art. 6 (1) lit. a) GDPR after prior consent.

The data is deleted as soon as it is no longer required for the purpose for which it was collected. This is the case when the processing of your respective request is completed, i.e. it can be inferred from the circumstances that the matter in question has been conclusively clarified.

4. upload functions

For the upload function in our app, in addition to the content uploaded by the user (text, image, audio, video, documents, certificates, grades, etc. ), the following data is collected, stored and processed: Last name, first name, as well as the additional information you provide to us. The collection of the data serves to fulfill the contract or to initiate pre-contractual measures according to Art 6 (1) b GDPR.

Your data from the upload function will be deleted after the purpose does not longer exist.

5. Functional Session Identifier (FSI)

The app uses so-called FSI for technical reasons in order to provide you with convenient access to the HSF offer and the functional scope of the app and to make it more user-friendly. In the FSI, your language settings, selections or texts entered for the app use as well as log-in information are stored and transmitted. The legal basis for the processing of personal data using HSF is Art. 6 para. (1) lit. f GDPR and §25 of the german TTDSG.

6 Push message with consent

If push notifications are activated in the app, a module of the app is used to provide this function. You can object to receiving notifications at any time via the settings in the app and thus deactivate the service.

We only statistically evaluate push messages if consent has been given via the cookie banner in accordance with Art 6 (1) a GDPR and can identify whether and when push messages were displayed and clicked on. This enables us to determine which push messages are interresting for the recipients in order to tailor future messages to the presumed interests of all recipients and increase user experience in our offer.

The consent information will be provided to you when you activate the push messages in the app.

7. collection of inventory data

While using some features of our app, we ask you as a visitor to collect some data that can be assigned to you personally. This occurs when you are ordering information material, registering for a training course or applying for an educational position.

In doing so, we only collect the personal data that is necessary for the respective purpose, such as:

• name,
• postal address,
• e-mail address,
• telephone number (optional),
• consent to the collection and processing of personal data.
• Origin of your data (e.g. website, app, exposition, event)

In addition, when registering for advanced training or further education::

• date of birth,
• place of birth,
• cell phone number,
• nationality,
• Profession (optional),
• employed since (optional).

If applying for an educational position, additionally:

• date of birth,
• place of birth,
• cell phone number ,
• nationality
• Graduation from school
• Qualified profession.

Which information is required in concrete terms can be seen from the respective input mask. The data is always transmitted in encrypted form. Data that you transmit to us in the areas “Request information material”, “Register online” and “Apply online” or at face-to-face events is processed using the CRM solution Salesforce. This solution is hosted exclusively in the European Economic Area (EEA).

The data collected in this context will only be used for the purpose of sending information material, in the case of consent to the sending of advertising for this purpose, or in the case of an application for an educational offer for the purpose of initiating a contract. Data is only transmitted to the selected shipping service provider, who only uses the personal data for the purpose of fulfilling the contract. Through registration, the access data provided by the provider, such as the assigned IP address, the date and time of registration are logged in order to prevent misuse of our services and to clarify possible criminal offences. The data will not be transmitted beyond this unless there is a legal obligation to do so.

Registration in our app is always voluntary and only to offer services that only unavoidably require registration. Each registered person can modify the relevant data files at any time or have them deleted completely, provided that there is no legal obligation to retain data. In addition, we will provide information on your data stored in our systems and applications upon request. In this respect, our data protection officer is at your disposal.

8. use of the services of other providers and concrete applications through the app

8.1 Zendesk

We deploy the CRM system Zendesk to process user inquiries. The provider is Zendesk, Inc., 1019 Market Street in San Francisco, CA 94103 USA.

We use Zendesk to be able to respond to your inquiries promptly and efficiently. This constitutes a legitimate interest as defined in Art. 6(1)(f) GDPR.

In order to be able to submit inquiries, you must provide your e-mail address and name.

The messages addressed to us remain with us until you request deletion, or the data storage purpose no longer applies (e.g. after completed processing of your request). Mandatory statutory provisions, in particular retention periods, remain unaffected.

Zendesk has Binding Corporate Rules (BCR) which have been approved by the Irish Data Protection

Authority. These are binding corporate rules that legitimize the transfer of data within the company to third countries outside the EU and EEA. Details can be found here:
https://www.zendesk.de/blog/update-privacy-shield-invalidation-european-court-justice/ .

If you should not want to agree to the processing of your inquiries by us via Zendesk, you have the alternative option to communicate with us via e-mail, telephone, or fax.

For more information, please consult Zendesk’s Data Privacy Declaration at: https://www.zendesk.com/company/customers-partners/privacy-policy/.

Zendesk Chat Functions

Our app offers you the opportunity to send us messages via a chat window. The chat functions are provided by Zendesk. Whenever you use this chat window, we do not only store your chat messages, but also your IP address. You do not have to provide your name to engage in chats.

Data processing

We have concluded a data processing agreement (DPA) for the use of the above-mentioned service. This is a contract mandated by data privacy laws that guarantees that they process personal data of our app visitors only based on our instructions and in compliance with the GDPR.

8.2 Consent with Usercentrics

This app uses the consent technology of Usercentrics to obtain your consent to the storage of certain cookies on your device or for the use of specific technologies, and to document the former in a data protection compliant manner. The party offering this technology is Usercentrics GmbH, Sendlinger Straße 7, 80331 München, Germany, website: https://usercentrics.com/ (hereinafter referred to as “Usercentrics”).

Whenever you visit our app, the following personal data will be transferred to Usercentrics:

• Your declaration(s) of consent or your revocation of your declaration(s) of consent Your IP address
• Information about your browser
• Information about your device
• The date and time you visited our app

Moreover, Usercentrics shall store a cookie or other analytics functions in your browser to be able to allocate your declaration(s) of consent or any revocations of the former. The data that are recorded in this manner shall be stored until you ask us to eradicate them, delete the Usercentrics cookie or until the purpose for archiving the data no longer exists. This shall be without prejudice to any mandatory legal retention periods.

Usercentrics uses cookies to obtain the declarations of consent mandated by law. The legal basis for the use of specific technologies is Art. 6(1)(c) GDPR.

Data processing

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract mandated by data privacy laws that guarantees that they process personal data of our app visitors only based on our instructions and in compliance with the GDPR.

8.3 Google Analytics

This app uses functions of the analysis service Google Analytics. The provider of this service is Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland.

Google Analytics enables the app operator to analyze the behavior patterns of app visitors. To that end, the app operator receives a variety of user data, such as pages accessed, time spent on the app and pages, the utilized operating system and the user’s origin. Google may consolidate these data in a profile that is allocated to the respective user or the user’s device.

Google Analytics uses technologies that make the recognition of the user for the purpose of analyzing the user behavior patterns (e.g., cookies or device fingerprinting). The app use information recorded by Google is, as a rule transferred to a Google server in the United States, where it is stored.

This analysis tool is used on the basis of Art. 6 Sect. 1 lit. f GDPR. The operator of this app has a legitimate interest in the analysis of user patterns to optimize both, the services offered online and the operator’s advertising activities. If a corresponding agreement has been requested (e.g., an agreement to the storage of cookies), the processing takes place exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the agreement can be revoked at any time.

Data transmission to the US is based on the Standard Contractual Clauses (SCC) of the European Commission. Details can be found here: https://privacy.google.com/businesses/controllerterms/mccs/. operator of this app that are related to the use of the app and the Internet. The IP address transmitted in conjunction with Google Analytics from your browser shall not be merged with other data in Google’s possession.

Browser plug-in

You can prevent the recording and processing of your data by Google by downloading and installing the browser plugin available under the following link: https://tools.google.com/dlpage/gaoptout?hl=en.

For more information about the handling of user data by Google Analytics, please consult Google’s Data Privacy Declaration at: https://support.google.com/analytics/answer/6004245?hl=en.

IP anonymization

On this app, we have activated the IP anonymization function. As a result, your IP address will be abbreviated by Google within the member states of the European Union or in other states that have ratified the Convention on the European Economic Area prior to its transmission to the United States. The full IP address will be transmitted to one of Google’s servers in the United States and abbreviated there only in exceptional cases. On behalf of the operator of this app, Google shall use this information to analyze your use of this app to generate reports on app activities and to render other services.

Contract data processing

We have executed a contract data processing agreement with Google and are implementing the stringent provisions of the German data protection agencies to the fullest when using Google Analytics.

Demographic parameters provided by Google Analytics

This app uses the “demographic characteristics” function of Google Analytics, to be able to display to the app visitor compatible ads within the Google advertising network. This allows reports to be created that contain information about the age, gender, and interests of the app visitors. The sources of this information are interest-related advertising by Google as well as visitor data obtained from third-party providers. This data cannot be allocated to a specific individual. You have the option to deactivate this function at any time by making pertinent settings changes for advertising in your Google account or you can generally prohibit the recording of your data by Google Analytics as explained in section “Objection to the recording of data”.

Archiving period

Data on the user or incident level stored by Google linked to cookies, user IDs or advertising IDs (e.g., DoubleClick cookies, Android advertising ID) will be anonymized or deleted after 14 month. For details, please click the following link: https://support.google.com/analytics/answer/7667196?hl=en

8.4. SalesForce Sales Cloud

We use the Salesforce Sales Cloud to manage customer data. The provider is salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich, Germany (hereinafter “Salesforce”). Salesforce Sales Cloud is a CRM system and enables us, among other things, to manage existing and potential customers as well as customer contacts and to organize sales and communication processes. The use of the CRM system further enables us to analyze our customer-related processes. We would also like to point out that customer data is stored on Salesforce servers. In this context, personal data may also be transferred to the parent company of salesforce.com Germany GmbH, salesforce.com inc. Salesforce Tower, 415 Mission Street, San Francisco, CA 94105, USA.

Salesforce Sales Cloud may be used on the basis of the pre-contractual or contractual processing of an educational offer pursuant to Art. 6 (1) lit. b GDPR if the documents and forms are used to collect inventory data. Furthermore, data processing is carried out on the basis of consent pursuant to Art. 6 para. 1 lit. a GDPR and Section 25 para. 1 TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device (e.g. device fingerprinting, registration of statistical data for analysis purposes) within the meaning of the TTDSG. Consent can be revoked at any time. Salesforce has Binding Corporate Rules (BCR according to Art. 47 GDPR), which have been approved by the French data protection authority. These are binding corporate rules that legitimize corporate data transfers to third countries outside the EU and EEA. More information can be found here: Salesforce’s Binding Corporate Rules meet the highest data protection standards – Salesforce Blog.

Conclusion of a contract for processing on behalf of others

We have concluded a data processing agreement (DPA) with the above-mentioned provider. This is a contract mandated by data privacy laws that guarantees that they process personal data of our app visitors only based on our instructions and in compliance with the GDPR.

9. further notes

We also process data about you in internal systems and applications in order to provide you with the requested and contractually agreed services (e.g.: eHVP (university administration program), ilias (digital training platform) …). Privacy notices for these systems and applications can be found at the following link: https://www.hs-fresenius.com/privacy-policy/transparency-information/

If you have any questions or if you require further, more detailed information on the processing of your personal data, please do not hesitate to contact us at datenschutz@crf-education.com.

Status: 06.2023