November 2019 - March 2020

Name and address of the controller

The controller within the meaning of the EU General Data Protection Regulation and other national data protection laws in the member states and other legal provisions related to data protection is:

erp4students

Pouyan Khatami
Karolingerstr. 96
45141 Essen

E-Mail: info@erp4students.org

Website: https://www.erp4students.de

General information about data processing

1. Scope of processing of personal data

We generally process personal data of our users only to the extent that this is necessary to ensure the functioning of our websites and to provide our contents and services. As a rule, the processing of personal data of our users will always be subject to their prior consent. An exemption applies where it is not possible to obtain prior consent for factual reasons and the data processing is permitted by law.


2. Legal basis for the processing of personal data

Where we obtain the data subject’s consent to the processing of personal data, the legal basis is provided by Art. 6 (1) (a) General Data Protection Regulation (GDPR).

Where the processing of personal data is necessary for the performance of a contract to which the data subject is party, the legal basis is provided by Art. 6 (1) (b) GDPR. This also applies to any processing required in order to take steps prior to entering into a contract.

Where the processing of personal data is necessary for compliance with a legal obligation to which our company is subject, the legal basis is provided by Art. 6 (1) (c) GDPR.
Where the vital interest of the data subject or another person requires the processing of personal data, the legal basis is provided by Art. 6 (1) (d) GDPR.

Where the processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party and where such interests are not overridden by the interests, fundamental rights and freedoms of the data subject, the legal basis for the processing is provided by Art. 6 (1) (f) GDPR.


3. Data erasure and retention period

We will erase or block the personal data of a data subject as soon as the specific purpose of retention ceases to exist. A further retention may happen where this is required by European or national lawmakers in EU regulations, national laws or other provisions applying to the data controller. We will also block or erase the data upon expiry of a legal retention period stipulated in any of the rules referred to above, unless it is still necessary to retain the data for concluding or performing a contract.

Provision of websites and creation of log files

1. Description and scope of data processing

Each time you visit our websites our system will automatically collect data and information from the computer system you use.
This refers to the following data:

  • Information about the type of browser and the specific version used
  • Operating system of the user
  • IP address of the user
  • Resulting from this: Origin of the request (organisation, country, town)
  • Internet service provider of the user
  • Pages viewed within our system
  • Date and time of the request
  • Length of stay
  • Websites from which the user’s system was referred to our websites

This information is saved in our system’s log files. However, when storing these data they will not be linked with any other personal data of the user.

2. Legal basis for data processing

The legal basis for a temporary storage of the data and log files is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The temporary storage of the IP address by the system is required to deliver a website to the user’s computer. For this purpose the user’s IP address must be stored for the length of the visit.

The information is stored in log files to ensure that the websites are functional. In addition, we use the data to optimise our websites and ensure the safety of our IT systems. We do not analyse the data for marketing purposes in this context.

These purposes also constitute our legitimate interest in the data processing pursuant to Art. 6 (1) (f) GDPR.

4. Retention period

We will delete the data as soon as they are no longer necessary in relation to the purposes for which they were collected. For data collected to provide the website service, this refers to the moment when the specific session is completed.

Where we store the data in log files, this is the case after seven days at the latest. The backups of our log files are erased after 90 days.

5. Possibility of objection and elimination

The collection of data for the provision of the websites and the storage of the data in log files are strictly required for the operation of the websites. Consequently, the user has no possibility to object.

Use of cookies

1. Description and scope of data processing

Our websites use so-called session cookies. Session cookies are small text files that are stored in a user’s computer memory. Each session cookie contains a random unique identification number, called session ID. Moreover, cookies hold information about their origin and the retention period.

2. Legal basis for data processing

The legal basis for data processing by using cookies is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing

The purpose of using technically necessary cookies is to make it easier for users to navigate the websites. Some functions of our websites cannot be offered without these cookies. They require that the browser is recognised after a page change.

User data collected by technically necessary cookies will not be used for the creation of user profiles.

4. Retention period, possibility of objection and elimination

The session cookies we use are essential for the functioning of our websites and are deleted as soon as you end your session.

Web analysis

1. Scope of the processing of personal data
Our websites use analysing tools. Among other things, this software reads what is called the HTTP user agent string. When subpages of our websites are accessed we collect the following data:
  • Information about the type of browser and the specific version used
  • Operating system of the user
  • IP address of the user
  • Resulting from this: Origin of the request (organisation, country, town)
  • Internet service provider of the user
  • Date and time of the request
  • Pages viewed within our system.
  • Length of stay
  • Websites from which the user’s system was referred to our websites

The software runs exclusively on our own servers.

2. Legal basis for data processing

The legal basis for the processing of the users’ personal data is provided by Art. 6 (1) (f) GDPR.

3. Purpose of data processing
The processing of our users’ personal data gives us the opportunity to analyse their browsing patterns. By analysing the collected data we are able to understand how individual components of our websites are used. This helps us continuously improve our websites and their user-friendliness. These purposes constitute our legitimate interest in the data processing under Art. 6 (1) (f) GDPR. By anonymising the IP addresses the users’ interest in the protection of their personal data is sufficiently taken into account.

Rights of the data subject

Where we process your personal data, you are a data subject within the meaning of the GDPR and have the following rights with regard to the controller:

1. Right of access

You may obtain from the controller confirmation as to whether or not we process any personal data concerning you.
Where this is the case, you may request the controller to provide you with the following information:

  1. The purposes of processing the personal data;
  2. The categories of personal data concerned;
  3. The recipients or categories of recipients to whom the personal data have been or will be disclosed;
  4. The envisaged period for which the personal data concerning you will be stored, or, if not possible, the criteria used to determine that period;
  5. The existence of the right to request from the controller rectification or erasure of the personal data or restriction of processing of personal data concerning you or to object to such processing;
  6. The right to lodge a complaint with a supervisory authority.
  7. Any available information as to the source of the data, where the personal data are not collected from the data subject;
  8. The existence of automated decision-making, including profiling, referred to in Art. 22 (1) and (4) GDPR, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
You have the right to obtain information whether the personal data concerning you are disclosed to third countries or international organisations. In this context you may request to be informed about the appropriate safeguards pursuant to Art. 46 GDPR with regard to the transfer.

This right to access may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

 

2. Right to rectification

You have a right to obtain from the controller the rectification and/or completion, where the processed personal data concerning you are inaccurate or incomplete. The controller must undertake the rectification without delay.

Your right to rectification may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

3. Right to restriction of processing

Under the following conditions you may demand a restriction of the processing of personal data concerning you:

  1. You contest the accuracy of the personal data concerning you, for a period enabling the controller to verify the accuracy of the personal data;
  2. The processing is unlawful and you oppose the erasure of the personal data and request the restriction of their use instead;
  3. The controller no longer needs the personal data for the purposes of the processing, but you still require them for the establishment, exercise or defence of legal claims; or
  4. You have objected to processing pursuant to Art. 21 (1) GDPR pending the verification whether the legitimate grounds of the controller override your interest.
Where processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

Where restriction of processing has been obtained under the conditions above, you will be informed by the controller before the restriction of processing is lifted.

Your right to restriction of processing may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

 

4. Right to erasure

(a) Obligation to erase
You have the right to obtain from the controller the erasure of personal data concerning you without undue delay, and the controller has the obligation to erase personal data without undue delay where one of the following grounds applies:

  1. The personal data concerning you are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. You withdraw consent on which the processing is based according to Art. 6 (1) (a), or Article 9 (2) (a) GDPR, and where there is no other legal ground for the processing;
  3. You object to the processing pursuant to Art. 21 (1) GDPR and there are no overriding legitimate grounds for the processing, or you object to the processing pursuant to Art. 21 (2) GDPR;
  4. The personal data concerning you have been unlawfully processed;
  5. The personal data concerning you have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
  6. The personal data concerning you have been collected in relation to the offer of information society services referred to in Article 8 (1) GDPR.
(b) Information to third parties
Where the controller has made public the personal data concerning you and is obliged pursuant to Art. 17 (1) GDPR to erase them, the controller, taking account of available technology and the cost of implementation, will take reasonable steps, including technical measures, to inform data controllers which are processing the personal data that you as the data subject have requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

(c) Exceptions
The right to erasure does not exist to the extent that processing is necessary:
  1. For exercising the right of freedom of expression and information;
  2. For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  3. For reasons of public interest in the area of public health in accordance with Art. 9 (2) (h) and (i) as well as Art. 9 (3) GDPR;
  4. For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Art. 89 (1) GDPR in so far as the right referred to in section (a) above is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
  5. For the establishment, exercise or defence of legal claims.

 

5. Right to be informed

Where you have exercised your right to rectification, erasure or restriction of processing, the controller is obliged to communicate any rectification or erasure of personal data concerning you or restriction of processing to each recipient to whom the personal data concerning you have been disclosed, unless this proves impossible or involves disproportionate effort.

You also have the right to be informed about these recipients by the controllers.

6. Right to data portability

You have the right to receive the personal data concerning you, which you provided to the controller, in a structured, commonly used and machine-readable format. Moreover, you have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where:

  1. The processing is based on consent pursuant to Art. 6 (1) (a) GDPR or Art. 9 (2) (a) GDPR or on a contract pursuant to Art. 6 (1) (b) GDPR; and
  2. The processing is carried out by automated means.
In exercising this right you also have the right to have the personal data concerning you transmitted directly from one controller to another, where technically feasible. The rights and freedoms of others may not be affected adversely hereby.

The right to data portability does not apply to processing of personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

 

7. Right to object

You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on Article 6 (1) (e) or (f) GDPR, including profiling based on those provisions.

The controller will no longer process the personal data concerning you, unless the controller demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purposes of establishing, exercising or defending legal claims.

Where personal data concerning you are processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.

Where you object to processing for direct marketing purposes, the personal data concerning you are no longer processed for such purposes.

In the context of the use of information society services, and notwithstanding Directive 2002/58/EC, you may exercise your right to object by automated means using technical specifications.

You also have the right, on grounds relating to your particular situation, to object to processing of personal data concerning you, where these are processed for scientific or historical research purposes or statistical purposes pursuant to Art. 89 (1) GDPR.

Your right to object may be limited in so far as it is likely to render impossible or seriously impair the achievement of specific research or statistical purposes, and where such a limitation is necessary for the fulfilment of those purposes.

8. Right to withdraw consent given under data protection law

You have the right to withdraw consent given under data protection law at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

 

9. Automated individual decision-making, including profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision:
  1. Is necessary for entering into, or performance of, a contract between you and the data controller;
  2. Is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard your rights and freedoms and legitimate interests; or
  3. Is based on your explicit consent.
However these decisions must not be based on special categories of personal data referred to in Art. 9 (1) GDPR, unless Art. 9 (2) (a) or (g) GDPR applies and suitable measures to safeguard your rights and freedoms and legitimate interests are in place.

In the cases referred to in points (1) and (3) above, the data controller implements suitable measures to safeguard your rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision.

 

10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
The supervisory authority with which the complaint has been lodged will inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Art. 78 GDPR.
© 2019 erp4students Europe, All rights reserved. Terms of Use | Privacy Login