Who we are

Privacy Policy

We, the Hertie School, Friedrichstraße 180, 10117 Berlin, Germany herewith inform you about the processing of personal data for which we are responsible in the sense of the EU General Data Protection Regulation (GDPR).

You can reach our data protection officer by sending an email to hertie-school@daspro.de or by sending a letter to DPO Hertie School, daspro GmbH, Kurfürstendamm 21, 10719 Berlin

Below we have compiled the most important information on typical data processing for you, broken down by groups of data subjects. For certain data processing operations, which only concern specific groups, the information requirements are fulfilled separately. Where the term "data" is used, only personal data within the meaning of the GDPR are meant.

1. Website visitors of the Hertie School

1.1 Server log data

(i) When using the website, certain information is sent to the server of our website by the browser used on your device for technical reasons. This data is stored and processed on our server.

(ii) We process the following data for the purpose of providing the contents of the website that you have visited, to ensure the security of the IT infrastructure used, to correct errors, to enable and simplify searches on the website and to manage cookies.

(iii) The data processed is HTTP data: HTTP data is protocol data that is generated when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content).

The legal basis for the processing is our legitimate interest in the operation of an Internet presence and the communication with communication partners in accordance with Article 6 (1) (f) GDPR.

(iv) The data is automatically transmitted by the browser of the user.

(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.

(vi) The data will be anonymised and deleted after 7 days at the latest.

(vii) Without disclosure of personal data such as the IP address, the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.

1.2 Counting the number of website visits without the use of cookies

We count pseudonymously the page visits on our website, but we do not use cookies for this. We use the tool Plausible for this purpose, which works by reloading a Java script without any reading or writing access. The respective data points are anonymized by a hash function with a rotating salt.

(i) The purpose of data processing is to measure the number of visitors to the website per day.
(ii) The processed data are:
•    Page URL
•    HTTP Referer
•    Browser
•    Operating System
•    Device Type
•    Visitor Country
•    User Agent
(iii) The legal basis for the processing is Article 6 (1) (f) GDPR (legitimate interest in counting the page visits pseudonymously without using cookies).
(iv) Data is automatically transmitted by the browser of the user.
(v) The recipient of the data is Plausible Insights OÜ, Västriku tn 2, 50403, Tartu, Estonia, which we use as processor within the framework of a data processing agreement. Germany has been selected as the server location. 
 (vi) The data is pseudonymized from the beginning and anonymized after 24 hours at the latest through the hash procedure.
(vii) Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.

1.3 Technically Required Cookies

We use cookies on our website. Cookies are small text files containing information that can be stored on the user's end device via the browser when visiting a website. The information stored in cookies can be read and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.

In the structure of our Privacy Policy, we differentiate between Technically Required Cookies, Marketing Cookies,Cookies in the Context of the Use of the Contact Form and Content from Third Party Providers. For the function of the website, Technically Required Cookies cannot be deactivated via the cookie management function of this website. However, you can deactivate cookies generally in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. We would like to point out, however, that some functions of the website may not function or may no longer function properly if you deactivate cookies in your browser in general.

a) Google Tag Manager

We use the Google Tag Manager on our website. The Google Tag Manager enables us to manage cookies and control their placement. This enables us to implement, for example, your consent, a revocation of consent or an opt-out. The Google Tag Manager does not set its own cookies and does not process data stored in cookies.

(i) The purpose of the data processing is to control the placement of cookies on our website and to ensure the security of the application.

(ii) The data processed is HTTP data: HTTP data is protocol data that is generated when the Website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)) for technical reasons: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit. HTTP(S) data also accumulates on the servers of service providers (e.g. when requesting third-party content). Your IP address is automatically anonymized during processing.

(iii) The legal basis for the processing is our legitimate interest in the simple and reliable control of cookies in accordance with Article 6 (1) (f) GDPR and Section 25 (2) (2) TTDSG.

(iv) The data is automatically transmitted by the browser of the user.

(v) The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, which we use as processor within the framework of a data processing agreement. We have instructed Google to use a European server location for data processing. However, in the event of disruptions and malfunctions, Google can also access the servers in Germany from so-called third countries such as the USA in order to carry out maintenance work. Google Ireland has concluded the EU Standard Contractual Clauses (2021/914; Module 3) with Google LLC in the USA to protect your data. You can request a copy of the essential contractual content of the EU standard contractual clauses at any time.

(vi) The data will be deleted after six months.

(vii) Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.

b) Consent Cookies

We use so-called Consent Cookies to store your consent, possible revocation of consent and opt-out of the use of cookies on our website.

(i) The purpose of data processing is the storage of the user decisions on cookies (consent, revocation, opt-out).

(ii) The processed data are:

  • HTTP data: HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
  • User decision on cookies: User's decision on individual cookies or groups of cookies. Time of the decision and of the last visit.

(iii) The legal basis for the processing is our legitimate interest in the easy and reliable control of cookies settings in accordance with the respective user decisions in accordance with Article 6 (1) (f) GDPR and Section 25 (2) (2) TTDSG.

(iv) The data is actively provided by the user (decision on cookies) or automatically transmitted by the user's browser (protocol data, time stamp).

(v) Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.

(vi) A negative user decision with regard to cookies is deleted at the end of the session. The other data will be deleted after one year.

(vii) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

c) D.vinci Session Cookies

We use session cookies from d.vinci. This enables us to offer individual setting options on our Job Opportunities page.
(i) The purpose of the data processing is to enable individual settings on the Job Opportunities page. There are no plans to change the purposes.
(ii) The data processed are: 
•    HTTP data: HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
•    User settings on the job opportunities page
(iii) The legal basis for the processing is our legitimate interest in the provision of the individual sessions for the users of our job opportunities page in accordance with Article 6 (1) (f) GDPR and Section 25 (2) (2) TTDSG.
(iv) The data is transmitted by the user's browser.
(v) The recipient of the data is d.vinci HR Systems GmbH, Nagelsweg 37-39, 20097 Hamburg, which we use as processor within the framework of a data processing agreement Data will be deleted at the end of the session.
(vi) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

d) Fundraisingbox Session Cookies for Fundraising Campaign Page

We use session cookies from Fundraisingbox on our Fundraising Campaign Page. This enables us to offer the Fundraising Page via Fundraisingbox.
(i) The purpose of the data processing is to enable the fundraising option on our website (loadbalancing and user sessions for the donators). There are no plans to change the purposes.
(ii) The data processed are: 
•    HTTP data: HTTP data is protocol data that is technically generated when the website is visited via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
•    Settings of the donators
(iii) The legal basis for the processing is our legitimate interest in the provision of the fundraising option on our website (sessions for donators) in accordance with Article 6 (1) (f) GDPR and Section 25 (2) (2) TTDSG.
(iv) The data is transmitted by the user's browser.
(v) The recipient of the data is Wikando GmbH, Schießgrabenstr. 32, 86150 Augsburg, which we use as a processor within the framework of a data processing agreement. FundraiserBox uses Amazon Webservices as hosting provider. Wikando GmbH has concluded the EU Standard Contractual Clauses (2023/914; Module 3) with Amazon Web Services Inc., in the USA to protect your data. You can request a copy of the essential contractual content of the EU Standard Contractual Clauses at any time. In addition, the Amazon companies (including Amazon Web Services, Inc.) are certified in accordance with the EU-US Data Privacy Framework (Article 45 of the GDPR).

(v) Data will be deleted at the end of the session.
(vi) Without disclosure of personal data, the use of the website is not possible. Communication via the website without the disclosure of data is technically not possible.

1.4 Marketing cookies

We use cookies on our website. Cookies are small text files containing information that can be stored on the user's end device via the browser when visiting a website. The information stored in cookies can be read and processed when the website is visited again using the same device. In doing so, we use processing and storage functions of the browser of your device and collect information from the storage of the browser of your device.

In the structure of our Privacy Policy, we differentiate between Technically Required Cookies, Marketing Cookies and Content from Third Party Providers. For the function of the website, Technically Required Cookies cannot be deactivated via the cookie management function of this website. However, you can deactivate cookies generally in your browser at any time. Different browsers offer different ways to configure the cookie settings in the browser. We would like to point out, however, that some functions of the website may not function or may no longer function properly if you deactivate cookies in your browser in general.

Depending on their function and purpose, the use of certain cookies may require the consent of the user. The granting of your consent takes place by means of a so-called "cookie banner": When you open our website, we display our cookie banner. In our cookie banner, you can declare your consent to the use of all cookies requiring consent on this website by pressing the "Accept all" button. Without such consent, the cookies requiring consent will not be activated. By pressing the "More information" button, you can make individual settings or you can also completely reject the use of cookies requiring consent. Using the Individual Privacy Settings button on our website, you can make an individual selection of cookies and customize them at a later time. We store your cookie settings in the form of a cookie on your terminal device in order to determine whether you have already made cookie settings when you return to the website.

a) Meta Pixel
If the corresponding consent has been given, we use the so-called "Meta Pixel". Cookies from Meta Platforms Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland ("Meta") are used for this purpose. The "Meta-Pixel" enables Meta, among other things, to collect information about your activities on our website. By integrating the "Meta Pixel", we enable Meta to collect personal data. 
However, we do not receive any information with which you can be personally identified. The collection and processing of this data takes place after your consent exclusively in the area of responsibility of Meta. Meta provides us with the evaluations or further information created on the basis of the collected data only in aggregated, anonymized form. We cannot assign the information provided to us to any natural person. 
We have no knowledge of the details of the processing of personal data in Meta's area of data controllership. Information about the processing of personal data by Meta can be found in Meta's data policy: de-de.Meta.com/about/privacy/. 
You can deactivate data processing by Meta on our website at any time in our Edit cookie settings button. Alternatively, you can disable Meta Pixel for the browser you are currently using by deactivating the storage of cookies in the browser settings. You can also use WebChoices: Digital Advertising Alliance's Consumer Choice Tool for Web US (aboutads.info) to disable the setting of Meta cookies.
The data controller is Meta Platforms Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Ireland.
(i)    The purpose of the Meta Pixel is to enable Meta to collect and process your usage data on our website. The purposes of processing by Meta are determined solely by Meta (www.facebook.com/privacy/policy).  
(ii)    According to Meta the processed data are: 

  • Meta Pixel HTTP data:
    This is log data that is technically generated when the Meta Pixel is used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
  • Meta Pixel device data:
    Data that is assigned to your end device by the Meta Pixel: This includes a unique ID for (re)recognizing returning visitors
  • Meta Pixel event data:
    Data that Meta collects through the Meta Pixel by associating it with the unique visitor ID of each visitor contained in the Meta Pixel Device Data: This includes actions that take place on the website. These include, for example, conversions, link clicks, button clicks, page views. This also includes information associated with the respective actions recorded. This includes, for example, the submission of contact information or download of documents.
  • Meta Pixel analysis data:
    Data that Meta generates based on the information collected by the Meta Pixel by associating it with your unique user ID contained in the Meta Pixel endpoint data: This includes information about the effectiveness of Meta ads and associations of users to target groups for Meta ads. Meta may generate other data based on the information collected for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by Meta. 

(iii)    The legal basis for enabling Meta to collect personal data via our website is your consent (Article 6 (1) (a) GDPR, Section 25 (1) TTDSG). We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in Meta's area of data controllership, in particular of the legal basis used by Meta for the processing. 
(iv)    The Meta Pixel Analysis data is generated independently by Meta. We do not know whether Meta uses other data sources. 
(v)    The recipient of the data collected via our website is Meta Platforms Ireland Limited as the controller for the collection and processing of personal data. Meta Platforms Ireland Limited uses Meta Platforms Inc. in the USA (1 Hacker Way, Menlos Park, CA 94025, USA) as a service provider. As an independent controller, Meta Platforms Ireland Limited bears the responsibility for ensuring appropriate data protection guarantees for the transfer of data. 
(vi)    We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of Meta. We have no knowledge about the storage period. 
(vii)    The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation for you to provide the data. In the event that the data is not provided, Meta cannot offer the Meta Pixel function.
(viii)    We do not use automated decision-making in our area of responsibility. We have no knowledge of the details of the processing of data in Meta's area of data controllership, in particular of any automated decision-making.

b) LinkedIn Insight Tag
If the corresponding consent has been given, we use the so-called "LinkedIn Insight Tag". Cookies from LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland („LinkedIn“) are used for this purpose. The " LinkedIn Insight Tag" enables LinkedIn, among other things, to collect information about your activities on our website. By integrating the " LinkedIn Insight Tag", we enable LinkedIn to collect personal data. 
However, we do not receive any information with which you can be personally identified. The collection and processing of this data takes place after your consent exclusively in the area of responsibility of LinkedIn. LinkedIn provides us with the evaluations or further information created on the basis of the collected data only in aggregated, anonymized form. We cannot assign the information provided to us to any natural person. 
We have no knowledge of the details of the processing of personal data in LinkedIn's area of data controllership. Information about the processing of personal data by LinkedIn can be found in LinkedIn's data policy: www.linkedin.com/legal/privacy-policy/. 
You can deactivate data processing by LinkedIn on our website at any time in our Edit cookie settings button. Alternatively, you can disable LinkedIn Insight Tag for the browser you are currently using by deactivating the storage of cookies in the browser settings. You can also use www.linkedin.com/psettings/guest-controls/retargeting-opt-out  to disable the setting of LinkedIn cookies.
The data controller is LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland.
(i)    The purpose of the LinkedIn Insight Tag is to enable LinkedIn to collect and process your usage data on our website. The purposes of processing by LinkedIn are determined solely by LinkedIn www.linkedin.com/legal/privacy-policy/.
(ii)    According to LinkedIn the processed data are: 

  • LinkedIn Insight Tag HTTP data:
    This is log data that is technically generated when the LinkedIn Insight Tag is used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
  • LinkedIn Insight Tag device data:
    Data that is assigned to your end device by the LinkedIn Insight Tag: This includes a unique ID for (re)recognizing returning visitors
  • LinkedIn Insight Tag event data:
    Data that LinkedIn collects through the LinkedIn Insight Tag by associating it with the unique visitor ID of each visitor contained in the LinkedIn Insight Tag device Data: This includes actions that take place on the website. These include, for example, conversions, link clicks, button clicks, page views. This also includes information associated with the respective actions recorded. This includes, for example, the submission of contact information or download of documents.
  • LinkedIn Insight Tag analysis data:
    Data that LinkedIn generates based on the information collected by the LinkedIn Insight Tag by associating it with your unique user ID contained in the LinkedIn Insight Tag device data: This includes information about the effectiveness of LinkedIn ads and associations of users to target groups for LinkedIn ads. LinkedIn may generate other data based on the information collected for its own purposes or for the purposes of third parties. We have no knowledge of the details of the data generated by LinkedIn. 

(iii)    The legal basis for enabling LinkedIn to collect personal data via our website is your consent (Article 6 (1) (a) GDPR, Section 25 (1) TTDSG). We do not process personal data in our area of responsibility. We have no knowledge of the details of the processing of data in LinkedIn's area of data controllership, in particular of the legal basis used by LinkedIn for the processing. 
(iv)    The LinkedIn Insight Tag Analysis data is generated independently by LinkedIn. We do not know whether LinkedIn uses other data sources. 
(v)    The recipient of the data collected via our website is LinkedIn Ireland Unlimited Company (Wilton Plaza, Wilton Place, Dublin 2, Ireland) as the controller for the collection and processing of personal data. LinkedIn Ireland Unlimited Company uses LinkedIn Corporation in the USA (1000 W. Maude Avenue, Sunnyvale, CA 94085, USA) as a service provider. As an independent controller, LinkedIn Ireland Unlimited Company bears the responsibility for ensuring appropriate data protection guarantees for the transfer of data. 
(vi)    We do not collect or store this data ourselves. The collection and processing of this data is the responsibility of LinkedIn. We have no knowledge about the storage period. 
(vii)    The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation for you to provide the data. In the event that the data is not provided, LinkedIn cannot offer the LinkedIn Insight Tag function.
(viii)    We do not use automated decision-making in our area of responsibility. We have no knowledge of the details of the processing of data in LinkedIn's area of data controllership, in particular of any automated decision-making.

c) Google Ads (Conversion)

If the corresponding consent has been given, we will use Google Ads (Conversion) tracking on our website. Google Ads (Conversion) enables us to monitor the success of ads placed via Google.

You can deactivate data processing by Google Ads (Conversion) on our website at any time in our Individual privacy settings button. Alternatively, you can disable Google Ads (Conversion for the browser you are currently using by deactivating the storage of cookies in the browser settings or install a browser plug-in from Google that prevents data collection by Google Ads (Conversion): tools.google.com/dlpage/gaoptout.

(i) The purpose of the data processing is to track the reach of ads (AdWords) placed via Google. When you click on our ad placed via Google, Google stores a cookie for conversion tracking on your terminal device. If you then visit our website linked in the ad and the cookie has not yet expired, we can recognize that you clicked on the ad and were redirected to our website. We can only recognize clicks on our own ads, not any clicks on ads of other customers of Google. Google uses the cookies, among other things, to bill us for the costs of the ads. We receive the evaluations and other information only in aggregated anonymous form and can not assign the information to any natural person. There are no plans to change the purposes.

(ii) The processed data are:

Google Ads HTTP data:

This is data that is technically generated when using the Google AdWords tool used on the website via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.

Usage data:

Usage data is clicks on ads, time spent on the website and information about web pages visited.

Conversion Event:

The conversion event is a summary of the results of the conversion.

(iii) The legal basis for the processing of personal data via our website by Google Ads (conversion) is your consent (Article 6 (1) (a) GDPR, Section 25 (1) TTDSG).

(iv) The data is provided automatically by the user's browser.

(v) The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, which we use as processor within the framework of a data processing agreement. We have instructed Google to use a European server location for data processing. However, in the event of disruptions and malfunctions, Google can also access the servers in Germany from so-called third countries such as the USA in order to carry out maintenance work. Google Ireland has concluded the EU Standard Contractual Clauses (2021/914; Module 3) with Google LLC in the USA to protect your data. You can request a copy of the essential contractual content of the EU standard contractual clauses at any time. In addition, the Google companies (including Google LLC) are certified in accordance with the EU-US Data Privacy Framework (Article 45 of the GDPR).

(vi) The cookies lose their validity after 30 days, do not contain any personal data apart from the cookie ID and are not used to identify you personally. 

(vii) The provision of the data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation for you to provide the data. In the event that you do not provide the data, we will not be able to perform Google Ads tracking.

d) Pardot Cookies
(i) If you have given your consent to this, we use the Pardot Cookies of the provider Salesforce.com Germany GmbH, Erika-Mann-Str. 31, 80636 Munich ("Salesforce") in the context of the use of the contact form on our website. The Pardot Cookies enable us to collect information about activities of users of our website. The data collection is pseudonymized, unless you provide further personal data such as your name in the context of website use. In this case, an allocation can take place.
You can deactivate data processing within the scope of Pardot Cookies at any time in our Edit cookies settings button. Alternatively, you can disable Pardot Cookies for the browser you are currently using by deactivating the storage of cookies in your browser settings.
(ii) The purpose of Pardot Cookies is to enable us to analyze user data on our website.
(iii) The data processed are:
-Pardot Cookie HTTP data .
This is log data that is technically generated when the Pardot Tracking Cookies used on the website is used via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page accessed, the previously visited page (referrer URL), date and time of access.
-Pardot Cookie end device data
Data that is assigned to your end device by the Pardot Tracking Cookies: This includes a unique ID for (re)recognizing returning visitors
-Pardot Cookie Event Data
Data that Salesforce collects through the Pardot Tracking Cookie by associating it with the unique visitor ID of each visitor contained in the Pardot Tracking Cookie Endpoint Data: This includes actions that take place on the website. These include, for example, conversions, link clicks, button clicks, page views. This also includes information associated with the respective actions recorded. This includes, for example, the submission of contact information or download of documents.
- The legal basis for the processing of data in the context of the use of Pardot Tracking Cookie is Article 6 (1) (a) GDPR (consent) and Section 25 (1) TTDSG.
- The data is automatically provided by the user's browser.
- The recipient of the data collected via our website is Salesforce.com Germany GmbH as our processor. Salesforce.com Germany GmbH uses Salesforce.com Inc. in the USA (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA) as a service provider. Salesforce.com Germany GmbH has concluded the EU standard contractual clauses (2021/914; Module 3) with Salesforce.com Inc. to protect your data. You can request a copy of the essential contractual content of the EU standard contractual clauses at any time. 
- The data will be deleted after one year.
- The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the part of the data subject to provide the data. In the event that the data is not provided, we will not be able to use the Pardot Cookies.
 

1.5 Content from Third Party Providers

a) Soundcloud Embedding

By activating the checkbox in the cookie banner for "Soundcloud" or by clicking the “accept” button on the website to play the content, you agree that we allow Soundcloud to collect data for its own purposes. The collection and processing of this data is the sole responsibility of Soundcloud Limited, 20 Old Bailey, London, EC4M 7 AN, United Kingdom.

On our website there are links to audio files that are stored and retrievable at Soundcloud. As soon as you activate the checkbox in or click on the button, the file is loaded by Soundcloud. Technically, the same thing happens then as would happen if you clicked a link to go to the Soundcloud website: Soundcloud receives all information that your browser automatically transmits (including your IP address). Soundcloud also sets its own cookies on your device. This also happens if you do not have a Soundcloud user account. If you are logged in to Soundcloud, your data is directly associated with your account. If you do not want your profile to be associated with your Soundcloud account, you must log out of Soundcloud before activating the checkbox.

We have no knowledge of further details on the processing of personal data or a possible data processing in the USA in the area of data controllership of Soundcloud. Hertie School has no influence on the data processing of Soundcloud.

Information on the processing of personal data by Soundcloud can be found in the Soundcloud Privacy Policy: https://soundcloud.com/pages/privacy

b) YouTube Embedding (Privacy Enhanced Mode) adn Google Fonts

By activating the checkboxes in the cookie banner or clicking on the “accept” button on the website for "YouTube" to play the content, you agree that we allow Google, as provider of the YouTube service, to collect data for its own purposes. The collection and processing of this data is the sole responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

We then integrate videos stored at Youtube on our website. During this integration, the contents of the YouTube website are displayed in parts of a browser window. However, the YouTube videos are only accessed by clicking on the video separately. The integration of Youtube content is carried out in the so-called "extended data protection mode". This is provided by Google as the provider of YouTube, thus ensuring that no data is transmitted to Google and no cookies are stored on your device before you click in the cookie banner or cookie board to play the video.

As soon as you activate the corresponding checkbox in the cookie banner or cookie board, the video is loaded from Youtube. Technically, the same thing happens then as if would happen if you clicked a link to go to the Youtube website: Youtube receives all information that your browser automatically transmits (including your IP address). Furthermore, Youtube sets its own cookies on your device. This also happens if you do not have a Youtube user account. If you are logged in at Youtube or Google, your data will be assigned directly to your account. If you do not want the assignment to your user account at Youtube or Google, you have to log out at Youtube and Google before activation the corresponding checkboxes in the cookie banner or cookie board.

The collection and processing of this data is the sole responsibility of responsibility of Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as service provider.

We have no knowledge of further details on the processing of personal data or a possible data processing in the USA in the area of data controllership of Google. Hertie School has no influence on the data processing of Google.

Information on the processing of personal data by Google can be found in the Google Privacy Policy: https://policies.google.com/privacy

c) Twitter Content

By activating the checkboxes in the cookie banner or in the cookie board to display “Twitter Content”, in the category "Social Media Content from Third Party Providers" to display Twitter content, you agree that we allow Twitter to collect data for its own purposes. We do this by including content stored on Twitter in our website. During this integration, content from the Twitter website is displayed in parts of a browser window. Before activating the corresponding checkboxes in the cookie banner or cookie board to display Twitter content, no data will be transmitted to Twitter and no cookies will be stored on your device.

As soon as you activate the corresponding checkboxes in the cookie banner or in the cookie board for displaying Twitter content, the content will be loaded from Twitter. Technically, the same thing happens then as would happen if you clicked a link to go to the Twitter website: Twitter receives all information that your browser automatically transmits (including your IP address). Twitter also sets its own cookies on your device. This also happens if you do not have a Twitter user account. If you are logged in to Twitter, your data will be assigned directly to your account. If you do not want your account to be assigned to your Twitter user account, you must log out of Twitter before you activate the checkboxes in the cookie banner or cookie board.

The collection and processing of this data is the sole responsibility of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA.

We have no knowledge of further details of the processing of personal data or data processing in the USA in the area of data controllership of Twitter. Hertie School has no influence on the data processing of Twitter.

Information on the processing of personal data by Twitter can be found in the Twitter Privacy Policy: https://twitter.com/de/privacy

d) Vimeo
By activating the checkboxes in the cookie banner or clicking the “accept” button on the website to display “Vimeo Content”, in the category "Content from Third Party Providers" to display Vimeo content, you agree that we allow Vimeo to collect data for its own purposes. We do this by including content stored on Vimeo in our website. During this integration, content from the Vimeo website is displayed in parts of a browser window. Before activating the corresponding checkboxes or buttons to display Vimeo content, no data will be transmitted to Vimeo and no cookies will be stored on your device.
As soon as you activate the corresponding checkboxes in the cookie banner or in the cookie board for displaying Vimeo content, the content will be loaded from Vimeo. Technically, the same thing happens then as would happen if you clicked a link to go to the Vimeo website: Vimeo receives all information that your browser automatically transmits (including your IP address). Apple also sets its own cookies on your device. This also happens if you do not have a Vimeo user account. If you are logged in to your Vimeo Account, your data will be assigned directly to your account. If you do not want your account to be assigned to your Vimeo user account, you must log out of Vimeo before you activate the checkboxes or buttons.
The collection and processing of this data is the sole responsibility of Vimeo.com Inc., 330 West 34th Street, 5th Floor, New York 10001, USA.
We have no knowledge of further details of the processing of personal data or data processing in the USA in the area of data controllership of Vimeo. Hertie School has no influence on the data processing of Vimeo.
Information on the processing of personal data by Vimeo can be found in the Vimeo Privacy Policy: vimeo.com/privacy

d) Podigee
By activating the checkboxes in the cookie banner or clicking on the “accept” button on the website to display “Podigee Content”, you agree that we allow Podigee to collect data for its own purposes. We do this by including content stored on Podigee in our website. During this integration, content from the Podigee website is displayed in parts of a browser window. Before activating the corresponding checkboxes or buttons to display Podigee content, no data will be transmitted to Podigee and no cookies will be stored on your device.
As soon as you activate the corresponding checkboxes or buttons for displaying Podigee content, the content will be loaded from Podigee. Technically, the same thing happens then as would happen if you clicked a link to go to the Podigee website: Podigee receives all information that your browser automatically transmits (including your IP address). Podigee also sets its own cookies on your device. This also happens if you do not have a Podigee user account. If you are logged in to Podigee, your data will be assigned directly to your account. If you do not want your account to be assigned to your Podigee user account, you must log out of Podigee before you activate the checkboxes or buttons.
The collection and processing of this data is the sole responsibility of Podigee GmbH, Schlesische Straße 20, 10997 Berlin.
We have no knowledge of further details of the processing of personal data or data processing in the USA in the area of data controllership of Podigee. Hertie School has no influence on the data processing of Podigee.
Information on the processing of personal data by Podigee can be found in the Podigee Privacy Policy: www.podigee.com/de/about/privacy/

f) Apple Music/ iTunes
By activating the checkboxes in the cookie banner or clicking the “accept” button on the website to display “Apple Music or iTunes Content”, in the category "Content from Third Party Providers" to display Twitter content, you agree that we allow Apple to collect data for its own purposes. We do this by including content stored on Apple in our website. During this integration, content from the Apple website is displayed in parts of a browser window. Before activating the corresponding checkboxes or buttons to display Apple Music or iTunes content, no data will be transmitted to Apple and no cookies will be stored on your device.
As soon as you activate the corresponding checkboxes in the cookie banner or in the cookie board for displaying Apple Music or iTunes content, the content will be loaded from Apple. Technically, the same thing happens then as would happen if you clicked a link to go to the Apple website: Apple receives all information that your browser automatically transmits (including your IP address). Apple also sets its own cookies on your device. This also happens if you do not have a Apple user account. If you are logged in to your Apple Account on iTunes, your data will be assigned directly to your account. If you do not want your account to be assigned to your iTunes user account, you must log out of iTunes before you activate the checkboxes in the cookie banner or cookie board.
The collection and processing of this data is the sole responsibility of Apple Distribution International Limited, Hollyhill Industrial Estate, Hollyhill, Cork, Republic of Ireland.
We have no knowledge of further details of the processing of personal data or data processing in the USA in the area of data controllership of Apple. Hertie School has no influence on the data processing of Apple.
Information on the processing of personal data by Apple can be found in the Apple Privacy Policy: www.apple.com/legal/privacy/en-ww/

g) Spotify
By activating the checkboxes in the cookie banner or clicking the “accept” button on the website to display “Spotify Content”, you agree that we allow Spotify to collect data for its own purposes. We do this by including content stored on Spotify in our website. During this integration, content from the Spotify website is displayed in parts of a browser window. Before activating the corresponding checkboxes or buttons to display Spotify content, no data will be transmitted to Spotify and no cookies will be stored on your device.
As soon as you activate the corresponding checkboxes or buttons for displaying Spotify content, the content will be loaded from Spotify. Technically, the same thing happens then as would happen if you clicked a link to go to the Spotify website: Spotify receives all information that your browser automatically transmits (including your IP address). Spotify also sets its own cookies on your device. This also happens if you do not have a Spotify user account. If you are logged in to Spotify, your data will be assigned directly to your account. If you do not want your account to be assigned to your Spotify user account, you must log out of Spotify before you activate the checkboxes in the cookie banner or cookie board.
The collection and processing of this data is the sole responsibility of Spotify USA Inc., 150 Greenwich Street, Floor 62, New York, NY 10007, USA.
We have no knowledge of further details of the processing of personal data or data processing in the USA in the area of data controllership of Spotify. Hertie School has no influence on the data processing of Spotify.
Information on the processing of personal data by Spotify can be found in the Spotify Privacy Policy: www.spotify.com/us/legal/privacy-policy/

Collapse

2. Students and participants in research and further education programmes

(i) The purpose of the processing is the implementation and organization of study programmes, research and further education programmes.

(ii) The processed data are:

Name, e-mail address, title/gender (if indicated), date of birth, address, other telecommunication data, professional knowledge, previous certificates, professional and school career according to curriculum vitae, information about financing of studies, optionally hobbies and photos;

Information about the chosen study programme and status at the Hertie School (enrolled, on leave of absence, graduated or dropped out) as well as current grades in the study program, if applicable final grade.

(iii) The legal basis for data processing is the Study Agreement or the contract for the research and further education program (Article 6 (1)(b) GDPR) and Article 6 (1)(c) GDPR (legal obligations, in particular tax and commercial law regulations).

(iv) The data is provided by the data subject.

(v) The personal data is passed on internally to the responsible employees. The data is also passed on to lecturers, instructors, the State Office for Statistics, to scholarship and study lenders and external speakers. We use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.

(vi) All data relevant to the contract and accounting are stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.

(vii) Without the data, it is not possible to participate in the study courses, research and further education programmes of Hertie School.

Collapse

3. Interested parties as well as applicants for study programmes, and for research and further education programmes

(i) The purpose of data processing is to carry out the application process and to select students and participants for research and further education programmes at the Hertie School. A change of these purposes is not planned.

(ii) The processed data are:

  • Name, e-mail address, title/gender (if indicated), date of birth, address, other telecommunication data, professional knowledge, previous certificates, professional and school career according to curriculum vitae, information about financing of studies, optionally hobbies and photos;
  • Optional information to optimize the recruitment process by surveying the source of attention for interest in the Hertie School

(iii) The legal basis for data processing is the initiation of a Study Agreement or a contract for the research and further education program (Article 6 (1)(b) GDPR). If you do not apply directly yourself, but are proposed, for example, the legal basis is the legitimate interest of the Hertie School in knowing the persons proposed for the relevant study programmes or research and further education program and their professional qualifications (Article 6(1)(f) GDPR).

(iv) The data is provided by the data subject or by the person or institution which has proposed the data subject.

(v) The personal data is passed on internally to the responsible employees. In addition, during the application process some of the data will be passed on to an evaluation committee, to partner universities and to project partners in connection with scholarship programmes and the Integrated Professional Year. In addition, we use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.

(vi) The applicant data for study programmes, research and further education programmes are deleted 6 months after the end of the application procedure. All data relevant to contracts and bookings will be stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.

(vii) Without the data, participation in the application processes for study programmes, research and further education programmes at Hertie School is not possible.

Collapse

4. Users of Unibuddy

We integrate the communication platform Unibuddy into our website. This is used to enable prospective students to communicate with our students.

(i) We process the following data for the purpose of providing a communication option for prospective students with our students, as well as for analysing the use of the communication platform in order to improve the service. There are no plans to change these purposes.

(ii) The data processed are:

  • From Hertie School students:
    Name, photo, email address, password, country, phone number, languages spoken, academic history (previous school; degree, degree level, university year), an "about me" free text selection, as well as chat conversations and other interactions with prospective students.
  • From prospective students:
    Name, email address, password, country, field of study and degree level, telephone number, whether they have already applied to the Hertie School, as well as chat conversations and other interactions with students.
  • From all user groups:
    Device-specific information, such as hardware model, operating system version, unique device identifiers and mobile network information;

Technical information about their computer, including, where available, their IP address, operating system and browser type, for system administration and analysis purposes; and details of their visits to the Platform (URL, clicks, retrieval times and duration), as well as information about a call via the website or the Unibuddy widget.

(iii) The legal basis for the processing is Article 6(1)(a) DS-GVO (consent).

(iv) The data is automatically generated by the browser and the user's activities in the context of the communication platform, as well as provided directly by the user.

(v) Recipients of the personal data are IT service providers, which we use within the framework of an order processing agreement. For the provision of the communication platform, we use the service provider Unibuddy Ltd, Old Street - Provost and East, 145 City Road, London, EC1V 1LP England by way of commissioned processing. The legal basis for data processing in the United Kingdom as a so-called third country is Page 468/469 Brexit Contract: "Article FINPROV.10A: Interim provision for transmission of personal data to the United Kingdom.

(vi) The data will be deleted no later than two years after the last interaction with the communication platform. 

(vii) It is not possible to use the communication platform without disclosing personal data. Communication via the website without disclosing data is technically not possible

Collapse

5. Participants in online events of the Hertie School via Zoom

(i) We process the data of participants for the purpose of organising, conducting and documenting the online event of the Hertie School via Zoom. Provided that we make special reference to this in the context of the individual online events and obtain your consent in this regard, a recording of the online event of the Hertie School is made and the recordings are published in print, online and audiovisual formats, in particular on the website of the Hertie School or other separately specified channels. There are no plans to change these purposes.

(ii) The data of the participants processed by the Hertie School as data controller in the context of the online event of the Hertie School via Zoom are:

Participant data:
First and last name, e-mail address

Zoom conference data:
Participant name and email address; Meeting metadata: Subject, IP address, device/hardware information; Telephone data:For dial-in with telephone, information on incoming and outgoing call number, country name, start and end time, other connection data if applicable.

Communication data
Within the online event, your communication data will be processed in the form of questions, requests to speak or votes, as well as chat contributions. You always decide for yourself whether and in what form you want to participate.

Photo, sound and video data and corresponding recordings (recording only with corresponding consent):
Within the online event via Zoom, photo, sound and video data of the participants will be processed.
However, each person is always free to decide whether they want to switch on their camera and microphone or whether they only want to communicate via the chat window.
If we have obtained your corresponding consent, a recording of the online event will be made, including the film, sound and video data of the participants.

Payment data (only for paid online events)
For online events for which a fee is charged, we also process payment data.
 

(iii) The legal basis for the processing of participants' data for the implementation of the online event via Zoom is their consent pursuant to Article 6 (1) a) DS-GVO. The legal basis for the production and publication of the recordings on the website of the Hertie School or on Youtube is also your consent pursuant to Article 6 (1) (a) DS-GVO.

(iv) You can revoke your consent at any time with effect for the future. The revocation does not affect the lawfulness of the processing carried out before the revocation. Therefore, publications that have already taken place (e.g. on websites or in social media will not be deleted) . If, due to special circumstances, further dissemination of printed material is to be omitted, please inform us of these reasons together with the objection.

(v) Participant data was actively provided by the data subject as part of the registration for the online Hertie School event. The Zoom conference data is actively provided by the data subject himself or automatically by the browser or the end device of the data subject. The photo, sound or video data and communication data are collected automatically, the recordings of the photo, sound and video data are made by the Hertie School.

(vi) The participant data (and payment data) will be deleted after 10 years (legal retention periods due to participation in the online event). Zoom conference data and communication data will be deleted three months after the online event has been held by the Hertie School, unless otherwise specified in the individual event. The photo, audio and video data as well as the corresponding recordings and the selected archived material will not be deleted. However, the excess raw footage of the recordings will be deleted 3 months after the online event has taken place.

(vii) In addition, you can request the deletion of your personal data at any time, unless we are legally or contractually obliged or entitled to continue processing the data.

(viii) The recipients of the name, communication data and photo, audio and video data are always the moderators as well as the other participants of the respective online event of the Hertie School. We also use service providers by way of order processing in the provision of services, in particular for the provision, maintenance and care of IT systems, in particular the service providers Zoom Video Communications, Inc. 55 Almaden Blvd, Suite 600, San Jose, CA 95113, USA. The basis for data processing in the USA is your consent (Art. 49 para. 1 letter a) DS-GVO). In the USA, there is no level of data protection comparable to the requirements of the GDPR. It is possible that government agencies access personal data without us or you knowing about it. It is probably not possible to enforce your rights in the USA. You can revoke your consent at any time with effect for the future.  We have entered into the EU Standard Contractual Clauses with Zoom Video Communicaions, Inc. so that Zoom Video Communicaions, Inc. may only process your data for our purposes.

However, to the extent that you create your own profile and register accordingly as part of the registration process on Zoom, the processing of this personal data is the sole responsibility of Zoom Video Communications, Inc. We have no knowledge of further details of data processing by Zoom Video Communications, Inc. and of data processing in the USA.

Further information on data processing by Zoom Video Communications, Inc. can be found in the privacy policy: zoom.us/privacy.

Recipients of the published photo, sound and film recordings, including the name of the participants, if applicable, can be anyone, in particular journalists, press agencies, members, employees, visitors to the website, users of social media, etc., as well as service providers within the scope of order processing, in particular commissioned web hosting companies and IT and media service providers.

When publishing recordings on the internet (Hertie School websites, videos on e.g. YouTube), data is regularly transferred to so-called third countries outside the European Union, which are to be regarded as unsafe third countries in terms of data protection law. The Hertie School has no influence on how the operators of the social media handle the data. Whether and for what purposes the data is further processed in the third country is beyond the Hertie School's knowledge.

Collapse

6. Hertie School Alumni

(i) The purpose of the processing is the organization, implementation and documentation of the Hertie School's Alumni Programme, which is intended to serve the networking and international interaction of former students. In addition, research is conducted on the former students' further professional career development in order to further improve the Hertie School's services and to be able to make concrete offers regarding events or collaborations after graduation.

(ii) The data processed are name, email, date of birth and nationality, data on the study programme and exmatriculation, information on the professional career after graduation (sector, institution and position, country) and other personal interests, for example, hobbies, languages or job interests, which you yourself voluntarily provide within the Alumni Programme in the course of your participation.

(iii) The legal basis for the processing of data of Participants of the Hertie School Alumni Programme from July 2020 onwards is the contract for participation in the Hertie School Alumni Programme in accordance with Article 6 (1) (b) GDPR. The legal basis for the processing of data of Participants of the Hertie School Alumni Programme until July 2020 is our legitimate interest in the organization of the Hertie School Alumni Programme and in research on the further professional development of our Alumni in accordance with Article 6 (1) (f) GDPR.

(iv) The data is provided by the Alumni or selected via publicly available business-related social media networks (such as Xing and LinkedIn) or official company websites by our Hertie School Alumni team.

(v) We use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and servicing of IT systems.

(vi) The data will only be deleted when you unsubscribe from the Hertie School Alumni Programme. If you decide that you no longer wish to participate in the Hertie School Alumni Programme, you can terminate your Hertie School Alumni Programme contract at any time without providing any reasons. To do so, you can send your declaration of termination to alumnirelations@hertie-school.org. If you do not want any research on your professional career, you can object to this research at any time alumnirelations@hertie-school.org.

(vii) Without the processing of personal data, participation in the Hertie School Alumni Programme is not possible

Collapse

7. Newsletter recipients

If you subscribe to our newsletter, you will receive information about the Hertie School, our events and our offers.

(i) If you subscribe to our newsletter, we process your data for the purpose of sending the newsletter.

(ii) The data processed are:

  • Name, email address, salutation/gender (optional, only if specified)
  • HTTP data

This is protocol data that is generated for technical reasons when opening the newsletter via the Hypertext Transfer Protocol (Secure) (HTTP(S)): This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.

(iii) The legal basis for the processing of data for newsletters is Article 6 (1)(a) GDPR (consent).

(iv) Your contact details are provided by yourself when subscribing to the newsletter, the further data are automatically provided by your browser.

(v) We use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and servicing of IT systems. For the sending of the newsletter, we use, among others, the Pardot service of the provider Salesforce.com Germany GmbH as a processor. Salesforce.com Germany GmbH uses Salesforce.com Inc. in the USA (Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA) as service provider. The basis for data processing in the USA is your consent (Art. 49 (1) (a) GDPR). There is no level of data protection in the USA comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. It is unlikely that it will be possible to enforce your rights in the USA. You can revoke your consent at any time with effect for the future. We have concluded standard EU contractual clauses with Salesforce.com Inc. so that Salesforce.com Inc. may process your data only for our purposes. Furthermore, Salesforce.com Inc. has implemented Binding Corporate Rules.

(vi) Data relation to newsletters will be deleted when you unsubscribe. A revocation of the consent is possible at any time. Please use the unsubscribe function in the newsletters for this purpose.

(vii) Personal data is required to receive newsletters. Without providing personal data, the newsletters cannot be sent

Collapse

8. Event participants

We process your data for the purpose of holding the event and for the documentation of the event by means of film and sound recordings and the use of the resulting recordings for the purpose of press and public relations work and for the creation of a participant brochure. A change of these purposes is not planned.

The processed data are:

  • surname, first name, e-mail address, study programme, final year, current institution and position
  • overview of the selected event points
  • Bank and payment data for events involving costs
  • information whether or not the person agrees with the two options (brochure/photos) mentioned above
  • film and sound recordings (if you have given your consent)

The legal basis for the processing of data of Participants in events is Article 6 (1) (b) GDPR (contract to hold the event) and Article 6 (1) (c) GDPR (legal obligations, in particular tax and commercial law regulations). The legal basis for the production of image and sound recordings and its publication and the participants' brochure is your consent in accordance with Article 6 (1) (a) GDPR. Your consent is given voluntarily, participation in the event is also possible without the provision of your consent for recordings and participant brochures.

The data is provided by the Event Participants. The film and sound recordings are made by the Hertie School if you have given your consent.

For the purpose of press and public relations work, the recipient of the image and sound recordings can be anyone, in particular journalists, media companies, press and photo agencies, members, employees, website visitors, users of social media. Banks and payment providers may be recipients of data for the processing of payments. We use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance and servicing of IT systems.

When publishing film and sound recordings on the Internet (Hertie School website, social media platforms of the Hertie School, film recordings in videos (e.g. YouTube)), data is regularly transferred to so-called third countries outside the European Union, which are to be regarded as unsafe third countries in terms of data protection. Hertie School has no influence on how the social media providers handle the data. Hertie School has no knowledge of whether and for what purposes the data is further processed in the third country.

Archived film and sound recordings of the events as well as publications are generally not deleted. All data relevant to the contract and bookings will be stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract. Further data collected in the course of the event will be deleted six months after the event has taken place.

The provision of personal data is contractually binding for participation in events. It is not possible to participate in events without providing personal data. The production of film and sound recordings and the participants' brochure is not obligatory for participation in the event.

8.1 Participants in events of the Hertie School in the context of the Hertie Summit 2022

(i) We process your data for the purpose of carrying out the events of the Hertie Summit 2022, which are hosted by the Hertie School, as well as for the corresponding documentation of these events by means of photo, sound and film recordings and the use of the resulting recordings for the purpose of press and public realtions work. A change of these purposes is not planned.

(ii) The processed data is participant data. These are names and contact details of the participants and also photos taken of the participants, insofar as you have given your consent to this.

(iii) The legal basis for the processing of data of participants at events within the context of the Hertie Summit 2022, which are hosted by the Hertie School, is Article 6 (1) (b) GDPR (contract to hold the event) and Article 6 (1) (c) GDPR (legal obligations, in particular tax and commercial law provisions). The legal basis for the production of photos, sound and film recordings within the context of these events is your consent in accordance with Article 6 (1) (a) GDPR. The consent is given voluntarily, participation in the event is also possible without providing consent for recordings.

(iv) Recipients of the personal data are IT service providers, which we use as processors within the framework of a data processing agreement. Recipients of the photo and sound recordings made can be anyone for the purpose of press and public relations work, in particular journalists, media companies, press and photo agencies, members, employees, visitors to the website, users of social media, as well as service providers within the framework of a data processing agreement, in particular commissioned web hosting companies, IT and media service providers.

We would like to point out that the Gemeinnützige Hertie Stiftung (hereinafter “GHST“) is holding its own events as part of the Hertie Summit 2022. If you register for one of these events, the GHST will be an independent data controller for the personal data processed in this context. In this context, Hertie School uses GHST for the technical operation of the Hertie Summit 2022 platform as a service provider by means of a processor within the framework of a data processing agreement. For data processing by GHST as controller the Privacy Policy of GHST applies.

(v) When photo and sound recordings are published on the Internet (Hertie School website, Hertie School social media platforms, film recordings in videos (e.g. YouTube)), data is regularly transmitted to so-called third countries outside the European Union, which are to be regarded as unsafe third countries in terms of data protection. The Hertie School has no influence on how the social media providers handle the data. The Hertie School has no knowledge of whether the data is processed further in the third country and for what purposes.

(vi) Archived photo and sound recordings of the event as well as publications are generally not deleted. All contractual and booking relevant data will be stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract. Further data collected in the course of the event will be deleted six months after the event has taken place

Collapse

9. Donors

i. The purpose is the receipt and administration of donations to Hertie School as part of general donations or as part of the fundraising campaign

ii. The data processed are:

  • Name, email, address
  • Bank details
  • Donation amount
  • Frequency of donation
  • Project
  • Date of support

iii. The legal basis for the processing is Article 6 (1) (b) GDPR (preparation and execution of the contract). The legal basis for the transmission of payment data to payment service providers is Article 6 (1) (f) GDPR (our legitimate interest in the centrally controlled payment processing by a payment service provider).

iv. The data is actively provided by the data subject.

v. Recipients of data may be banks and payment service providers for the processing of payments. In individual cases, data may be transmitted to lawyers and courts. The recipient of the data is Wikando GmbH, Schießgrabenstr. 32, 86150 Augsburg, which we use as a processor within the framework of a data processing agreement. FundraiserBox uses Amazon Webservices as hosting provider. Wikando GmbH has concluded the EU Standard Contractual Clauses (2023/914; Module 3) with Amazon Web Services Inc., in the USA to protect your data. You can request a copy of the essential contractual content of the EU Standard Contractual Clauses at any time. In addition, the Amazon companies (including Amazon Web Services, Inc.) are certified in accordance with the EU-US Data Privacy Framework (Article 45 GDPR).

vi. All data relevant to the contract and accounting are stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.

vii. The provision of data is contractually obligatory. The support of the Hertie School via the fundraising campaign cannot be carried out without providing data.

Collapse

10. Business partners and their employees

(i) The purpose of processing is the preparation and execution of contracts and communication with employees of business partners. A change of this purpose is not planned.

(ii) The legal basis for processing is Article 6(1)(b) GDPR (preparation and execution of the contract) in the case of contracts with natural persons, Article 6(1)(f) GDPR our legitimate interest, namely communication with contractually relevant contact persons and always Article 6(1)(c) GDPR (legal obligations, in particular tax and commercial law provisions).

(iii) The data is actively provided by the data subject.

(iv) Recipients of data can be banks for the processing of payments. Authorities and administrative bodies can be recipients within the scope of their tasks, insofar as we are obliged or entitled to transfer data. We also use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and servicing of IT systems.

(v) All data relevant to the contract and accounting are stored in accordance with tax and commercial law retention periods for a period of ten calendar years after the end of the contract.

(vi) The provision of data is obligatory for business partners and employees of business partners both legally and contractually. The business relationship cannot be established and carried out without providing data.

Collapse

11. Interested parties and communication partners

(i) The purpose of processing is the preparation and execution of a contractual relationship or other communication.

(ii) The data processed are name, contact details, communication content, communication time stamp and technical metadata of the communication.

(iii) The legal basis for processing is Article 6(1)(b) GDPR (contract or contract initiation) in the case of contracts with natural persons, Article 6(1)(f) GDPR (legitimate interest, namely communication with contractually relevant contact persons) in the case of contracts with legal persons, and always Article 6(1)(c) GDPR (legal obligations, in particular tax and commercial law provisions). For communication only, the legal basis is Article 6 (1) (f) GDPR (legitimate interest, namely documentation of communication processes).

(iv) The contact details are actively provided by the data subject. The communication metadata, telephone data and communication data are collected automatically.

(v) Contact and contract data may be transmitted to other service providers, business partners as well as administrative bodies and authorities if this is necessary for the execution of the contract or order. We also use service providers as processors within the framework of a data processing agreement, in particular for the provision, maintenance and servicing of IT systems.

(vi) Data of contractual partners and service providers will be deleted 10 calendar years after termination of the contract or order.

(vii) The processing of contact data by service providers and business partners is necessary to execute the contract or order. If the data is not provided, communication can be disturbed.

Collapse

12. Applicants for Hertie School Jobs

12.1 Applications as a Scientist

APPLICATIONS

(i) The purpose of data processing is the selection of job applicants for scientific positions. A change of purpose is not planned.

(ii) The processed data are name, contact data, communication details, interview notes, job application documents including certificates and curriculum vitae, the time stamp of communication, as well as technical metadata of communication.

(iii) The legal basis is Article 6 (1) (b) (initiation of the employment contract) in conjunction with Article 88 GDPR. If we are currently unable to offer you a position, but your application is suitable for other positions in the future, and you do not object to further storage, the legal basis for further storage is Article 6 (1) (f) GDPR (legitimate interest in retaining suitable job applications).

(iv) The job application data will be transferred internally to the responsible employees in charge of the decision-making. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems. We use the service provider Interfolio, Inc., 1400 K Street NW, 11 th Floor, Washington, DC 20005 USA, in particular for the application procedures for scientists. In the USA, there is no level of data protection comparable to the requirements of the GDPR. It is possible that government agencies access personal data without us or you knowing about it. It is probably not possible to enforce your rights in the USA.  We have concluded the EU standard contractual clauses including additional safeguards (so-called standard contractual clauses plus) with Interfolio, Inc. so that Interfolio, Inc. may only process your data for our purposes.

However, to the extent that you create your own profile on Interfolio and register accordingly, the processing of this personal data is the sole responsibility of Interfolio, Inc.. We have no knowledge of further details of data processing by Interfolio, Inc. or of data processing in the USA.

Further information on data processing by Interfolio, Inc. can be found in the privacy policy of Interfolio: www.interfolio.com/privacy-policy/.

 (v) Application data is deleted six months after the end of the specific application process. If job applicants are also considered for future positions and do not object to further storage of their data, the data will remain stored for up to 12 months after the end of the job application process.

(vi) The provision of personal data is necessary for the examination of the job application and, if applicable, the subsequent conclusion of an employment contract. A job application cannot be considered without the provision of personal data.

COOKIES

TECHNICALLY REQUIRED COOKIES

  1. Interfolio Session Cookies

(i)        The purpose of the data processing is to enable user-specific settings. A change of purpose is not planned.

(ii)       The processed data are data concerning the user settings.

(iii)      The legal basis for the processing is our legitimate interest in the provision of the individual sessions for the users in accordance with Article 6 (1) (f) GDPR. We use the service provider Interfolio, Inc., 1400 K Street NW, 11 th Floor, Washington, DC 20005 USA, in particular for the application procedures for scientists. In the USA, there is no level of data protection comparable to the requirements of the GDPR. It is possible that government agencies access personal data without us or you knowing about it. It is probably not possible to enforce your rights in the USA.  We have concluded the EU standard contractual clauses including additional safeguards (so-called standard contractual clauses plus) with Interfolio, Inc. so that Interfolio, Inc. may only process your data for our purposes.

(iv)      The data is automatically transmitted by the browser of the user.

(v)       Recipients of the personal data are IT service providers which we use as processors within the framework of a data processing agreement.

(vi)      The data is deleted at the end of the session.

(vii)     Without disclosure of personal data the use of the website is not possible. Communication via the website without disclosure of data is technically not possible.

STATISTIC COOKIES

a) Google Analytics

If you have given your consent, we use the web analysis tool Google Analytics on our website. With the help of Google Analytics, we can analyze the user behaviour of visitors to our website in pseudonymized and anonymised form.

 (i) The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website.

(ii) The processed data are:

  • Google Analytics HTTP data: This is protocol data that is generated for technical reasons when using the web analysis tool Google Analytics via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
  • Google Analytics device data: Data generated by the web analysis tool Google Analytics and assigned to your device: This includes a unique ID for the (re-)recognition of returning visitors (so-called "client ID") as well as certain technical parameters for controlling data collection for web analysis.
  • Google Analytics measurement data: Device-related raw data (so-called "dimensions" and " measurement results"), which are collected and analysed by the web analysis tool Google Analytics when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the client ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a client ID. The data that we collect using Google Analytics does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.
  • Google Analytics report data: Data contained in aggregated segment and device-related reports generated by the Google Analytics web analysis tool based on the analysis of device-related raw data.

(iii) The legal basis for the processing is Article 6 (1) (a) GDPR (consent).

(iv) Data is automatically transmitted by the browser of the user.

(v) The recipient of the data is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, which we use as processor within the framework of a data processing agreement. Google Ireland Limited uses Google LLC in the USA (1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) as its service provider. The basis for data processing in the USA is your consent granted through the cookie banner (Art. 49 (1) (a) GDPR). In the USA, there is no level of data protection comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably not possible in the USA. You can withdraw your given consent at any time with effect for the future.

(vi) The data will be deleted after 14 months.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Google Analytics.

b) Hotjar

If you have given your consent, we use the web analysis tool Hotjar on our website. With the help of Hotjar we can examine the user behavior of visitors to our website in pseudonymized and anonymized form.

You can deactivate the data processing by Hotjar at any time in our "cookie board". Also you can use the following opt-out link: www.hotjar.com/legal/compliance/opt-out. Alternatively, you can deactivate the storage of cookies in the settings of your browser.

(i)        The purpose of the processing of data is to increase the efficiency of our use of resources for our web offer, the yield of our online shop and the satisfaction of our visitors and (potential) customers by (usage-based) optimization of our web offer by measuring the usage of our web offer. The focus here is primarily on the examination of the individual steps of the purchasing process and the handling of special features of our website. A change of purpose is not planned.

(ii)       The processed data are:

  • HTTP data
    This is protocol data that is generated for technical reasons when using the web analysis tool Hotjar via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
  • Hotjar device data
    Data generated by the Hotjar web analysis tool and assigned to your device: this includes a unique ID for (re)recognition of returning visitors (so-called “Hotjar user-ID”) as well as the IP address for identifying the region in which the user is located by the means of the first three groups of the IP address.
  • Hotjar measurement data
    evice-related raw data (so-called "dimensions" and " measurement results"), which are collected and analyzed by the web analysis tool Hotjar when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the Hotjar user-ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a Hotjar user-ID. The data that we collect using Hotjar does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.
  • Hotjar report data
    Data contained in aggregated segment and device-related reports generated by the Hotjar web analysis tool based on the analysis of device-related raw data.

(iii)      The legal basis for the processing is Article 6 (1) (a) GDPR (consent).

(iv)      The data is automatically transmitted by the browser of the user.

(v)       The recipient of the data is Hotjar Ltd, Level 2, St Julians Business Centre, 3, Elia Zammit Street St Julians STJ 3155, Malta, which we use as processor within the framework of a data processing agreement.

(vi)      Server log data will be deleted when it is no longer required for the purpose of processing. The duration of storage of the cookies, in which the Hotjar User-ID is stored, is 365 days.

(vii)     The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot carry out the web analysis using Hotjar.

c) Ahoy

If you have given your consent, we use the web analysis tool Ahoy on our website. With the help of Ahoy, we can analyze the user behaviour of visitors to our website in pseudonymized and anonymised form.

 (i) The purpose of data processing is to analyze user behaviour and to measure the reach of our website and advertisements to optimize our website.

(ii) The processed data are:

  • Ahoy  HTTP data: This is protocol data that is generated for technical reasons when using the web analysis tool Google Analytics via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit.
  • Ahoy device data: Data generated by the web analysis tool Ahoy and assigned to your device: This includes a unique ID for the (re-)recognition of returning visitors (so-called "client ID") as well as certain technical parameters for controlling data collection for web analysis.
  • Ahoy measurement data: Device-related raw data (so-called "dimensions" and " measurement results"), which are collected and analysed by the web analysis tool Ahoy when using our website: This includes, above all, information about the sources through which visitors reach our website, information about the location, the browser and the device used, information about the use of the website (in particular page views, frequency of visits and length of stay on accessed pages) as well as information about the fulfilment of certain purposes (in particular transactions in the online shop). The data is assigned to the client ID assigned to your device. As a result, device-related usage profiles are created in which all device-related raw data is combined into a client ID. The data that we collect using Ahoy does not enable us to identify you personally (i.e. by your civil name). We also do not merge the device-related raw data and the resulting device-related usage profiles with data that directly identifies you personally without your consent.
  • Ahoy report data: Data contained in aggregated segment and device-related reports generated by the Ahoy web analysis tool based on the analysis of device-related raw data.

(iii) The legal basis for the processing is Article 6 (1) (a) GDPR (consent).

(iv) Data is automatically transmitted by the browser of the user.

(v) The recipient of the data is our service provider, which we use as processor within the framework of a data processing agreement.  The basis for data processing in the USA is your consent granted through the cookie banner (Art. 49 (1) (a) GDPR). In the USA, there is no level of data protection comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably not possible in the USA. You can withdraw your given consent at any time with effect for the future.

(vi) The data will be deleted after 12 months.

(vii) The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, we cannot make web analysis using Ahoy.

d)         Facebook Pixel

If you have given your consent, we use the “Facebook Pixel”. For this purpose, cookies from Facebook Ireland Limited, Harbour, D2, 4 Grand Canal Quay, Square, Dublin, Irland („Facebook“) are used. The Facebook Pixel enables Facebook to collect information about activities of users of our website. By implementing the Facebook Pixel we enable Facebook to collect personal data. The collection and processing of this data takes place after your consent and is the sole responsibility of Facebook. We have no knowledge of further details of the processing of personal data in the area of data controllership of Facebook. For information about the processing of personal data by Facebook, please refer to the Facebook Privacy Policy: de-de.facebook.com/about/privacy/.

Facebook provides us with the evaluations created on the basis of the collected data or further information only in aggregated, anonymized form. We cannot assign the information provided to us to any natural person.

You can deactivate the “Facebook Pixel” for the browser you are currently using by deactivating the storage of cookies in your browser settings.

(i)        The purpose of the Facebook Pixel is to enable Facebook to collect and process user data on our website. The purposes of processing by Facebook are solely determined by Facebook (https://de-de.facebook.com/about/privacy/).

(ii)       According to Facebook the processed data are:

  • Facebook pixel HTTP data
    This is protocol data that is generated for technical reasons when using the Facebook Pixel via the Hypertext Transfer Protocol (Secure) (HTTP(S)) used on the website: This includes IP address, type and version of your Internet browser, operating system used, the page visited, the page previously visited (referrer URL), date and time of the visit
  • Facebook Pixel device data
    Data generated by the Facebook Pixel and assigned to your device. This includes a unique ID for (re)recognition of returning visitors.
  • Facebook Pixel event data
    Data that Facebook collects through the Facebook Pixel under assignment to the unique visitor ID of the respective visitor contained in the Facebook Pixel device data: This includes actions that take place on the website (so-called "events"). 
  • Facebook Pixel analysis data
    Data that Facebook generates on the basis of the information captured by the Facebook Pixel under assignment to the unique visitor ID of the respective visitor contained in the Facebook Pixel device data: This includes information about the effectiveness of Facebook ads and user targeting for Facebook ads. Facebook may also generate additional data from the information collected for its own purposes or for the purposes of third parties. We have no knowledge of the details of data generated by Facebook.

(iii)      The legal basis for enabling the collection of personal data on our website by Facebook is Article 6 (1) (a) GDPR (consent). We do not process personal data in our area of data controllership. We have no knowledge about the details of processing data in the area of data controllership of Facebook, in particular of the legal basis used by Facebook for the processing.

(iv)      Facebook generates the Facebook Pixel analysis data independently. We have no knowledge about the usage of further data sources by Facebook.

(v)       The recipient of the data collected through our website is Facebook Ireland Limited, as data controller for collecting and processing personal data. Facebook Ireland Limited uses Facebook Inc. in the USA (1 Hacker Way, Menlos Park, CA 94025, USA) as its service provider. As data controller, Facebook Ireland Limited is solely responsible for ensuring appropriate data protection safeguards for the data transfer. The data will only be transferred if you have granted us your consent through the cookie banner (Article 49 (1) (a) GDPR). In the USA, there is no level of data protection comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably not possible in the USA. You can withdraw your given consent at any time with effect for the future.

(vi)      We do not collect and store this data ourselves. The collecting and processing of this data is the sole responsibility of Facebook. We have no knowledge about the duration of storage.

(vii)     The provision of data is not required by law or contract or necessary for the conclusion of a contract. There is no obligation on the data subject to provide the data. If the data is not provided, Facebook cannot offer the function of the Facebook Pixel.

e) Chat Support Olark

We integrate the Chat Support Olark into our Application website for speficic scientific positions.

(i) We process the following data for the purpose of providing a communication option. There are no plans to change these purposes.

(ii) The data processed are:

  • Contact data
     
  • Communication data
     
  • Other data
    Device-specific information, such as hardware model, operating system version, unique device identifiers and mobile network information;

 (iii) The legal basis for the processing is Article 6(1)(a) DS-GVO (consent).

(iv) The data is automatically generated by the browser and the user's activities in the context of the chat support, as well as provided directly by the user.

(v) Recipients of the personal data are IT service providers, which we use within the framework of an data processing agreement. For the provision of the chat support, we use the service provider Habla, Inc. 427 N Tatnall St #63602 Wilmington, DE 19801, USA , as a data processor. The basis for data processing in the USA is your consent (Art. 49 (1) (a) GDPR). In the USA, there is no level of data protection comparable to the provisions of the GDPR. It is possible that US authorities may access personal data without us or you being informed. An enforcement of your rights is probably not possible in the USA. You can withdraw your given consent at any time with effect for the future.

(vi) The data will be deleted no later than two years after the last interaction with the chat support. 

(vii) It is not possible to use the chat support without disclosing personal data. Communication via the website without disclosing data is technically not possible

 

12.2 Applications for Student Jobs

(i) The purpose of data processing is the selection of job applicants for student jobs. A change of purpose is not planned.

(ii) The processed data are name, contact data, communication details, interview notes, job application documents including certificates and curriculum vitae, the time stamp of communication, as well as technical metadata of communication.

(iii) The legal basis is Article 6 (1) (b) (initiation of the employment contract) in conjunction with Article 88 GDPR. If we are currently unable to offer you a position, but your application is suitable for other positions in the future, and you do not object to further storage, the legal basis for further storage is Article 6 (1) (f) GDPR (legitimate interest in retaining suitable job applications).

(iv) The job application data will be transferred internally to the responsible employees in charge of the decision-making. We also use service providers as processors within the framework of a data processing agreement for the provision of services, especially for the provision, maintenance, and servicing of IT systems.

(v) Application data is deleted six months after the end of the specific application process. If job applicants are also considered for future positions and do not object to further storage of their data, the data will remain stored for up to 12 months after the end of the job application process.

(vi) The provision of personal data is necessary for the examination of the job application and, if applicable, the subsequent conclusion of an employment contract. A job application cannot be considered without the provision of personal data

Collapse

13. Rights of data subjects and further information

(i) We do not use any methods of automated individual decision-making.

(ii) You have the right to request information at any time about all your personal data which we are processing.

(iii) If your personal data is incorrect or incomplete, you have the right to have it rectified and completed.

(iv) You can request the erasure of your personal data at any time, as long as we are not bound by legal obligations that require or allow us to continue processing your data.

(v) If the applicable legal requirements are met, you can request a restriction to the processing of your personal data.

(vi) You have the right to object to the processing, insofar as the data processing is based on profiling or direct marketing purposes.

(vii) If the processing is carried out on the basis of the balancing of interests, you may object to the processing by stating reasons arising from your particular situation.

(viii) If the data processing takes place on the basis of your consent or a contract, you have the right to a transfer of the data provided by you, insofar as the rights and freedoms of others are thereby not impaired.

(ix) If we process your data on the basis of a declaration of consent, you have the right to revoke this consent at any time with future effect. The processing carried out prior to a revocation remains unaffected by the revocation.

(x) Moreover, you have the right to file a complaint at any time with a data protection supervisory authority, if you believe that data processing has been carried out in violation of the applicable law.

Collapse

Version: January 2024