The personal data of every individual who has a contractual, pre-contractual or other relationship with our company deserves specific protection. According to Articles 13 and 14 of the GDPR, companies have specific information obligations when collecting personal data. In order to fulfil our data protection obligations from 25 May 2018 onwards, we would like to draw your attention to the following details:
The purpose of the processing of personal data is the handling of all processes which concern the controller, the students as data subjects in the sense of data protection law, business and cooperation partners or other contractual or pre-contractual relations between the groups mentioned (in the broadest sense) or legal obligations of the controller.
The protection of personal data is a particular concern of the Europa-Institut/Saarland University. Your data will be processed for the purpose of contacting you, carrying out and completing a study program or similar participation in academic programs. We process personal data about you particularly for the purpose of your application for a study place, insofar as this is necessary for the decision to establish a study relationship with us.
Furthermore, we may process personal data about you insofar as this is necessary to defend against legal claims asserted against us in the application process. The legal basis behind this is Art. 6(1)(f) GDPR. The legitimate interest here is, for example, the burden of proof in proceedings pursuant to the German General Equal Treatment Act (Allgemeines Gleichbehandlungsgesetz (AGG)).
If our company is subject to a legal obligation which requires the processing of personal data, for example to fulfil tax obligations, such processing is based on Art. 6(1)(c) GDPR. Without the provision of your data by you, it would not be possible to establish and process a contract.
· In rare cases, the processing of personal data may become necessary to protect the vital interests of the data subject or another natural person. This would be the case, for example, if a visitor were injured on our premises and his/her name, age, health insurance data or other vital information had to be passed on to a doctor, a hospital or other third parties. The processing would then be based on Art. 6(1)(d) GDPR.
· If the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority (processing of personal data of litigants and other parties involved in the proceedings), which has been vested in the controller, Art. 6(1)(e) GDPR applies.
· Ultimately, processing procedures could also be based on Art. 6(1)(f) GDPR. Processing procedures which are not covered by any of the aforementioned legal bases are based on this legal basis if processing is necessary to safeguard a legitimate interest of our company or a third party, provided that the interests, fundamental rights and freedoms of the data subject do not prevail. Such processing procedures are permitted to us in particular because they have been specifically mentioned by the European legislator. In this respect, the legislator takes the view that a legitimate interest is to be assumed if the data subject is a client of the controller (Recital 47, Sentence 2 GDPR).
If the processing of personal data is based on Art. 6(1)(f) GDPR, it is in our legitimate interest to conduct our study program in the interest of the well-being of all persons involved in our institution, in particular students, teachers and employees.
· Public authorities, if required to do so by law, always under the legal obligation to maintain confidentiality;
· If necessary for the fulfilment of the contract, the Europa-Institut Law/Saarland University Law Department may engage, among others, service providers, such as parcel and letter carriers and banks for the collection of direct debits.
Your personal data will be processed by employees within the university and at any existing home offices. These are internal departments that are involved in the execution of respective business processes. Furthermore, the university employs freelancers, employees, interns and guest students.
5. Recipients in a third country, suitable or appropriate guarantees and the possibility of obtaining a copy of these, or where they are available (Art. 13(1)(f), Art. 46(1) & (2)(c) GDPR)
In principle, data processing does not take place outside the EU or the EEA. In the context of the provision of cookies and the use of our social media plug-ins, data may be transferred to the USA. Those responsible for data protection, Google and Facebook, also process your personal data in the USA and are subject to the EU-US Privacy Shield, www.privacyshield.gov/EU-US-Framework.
Pursuant to Art. 46(1) GDPR, the controller or a processor may only transfer personal data to a third country if the data controller or processor has provided appropriate guarantees and if the data subject has enforceable rights and effective remedies at his/her disposal. Suitable guarantees can take the form of standard data protection clauses, without requiring special approval from a supervisory authority (Art. 46(2)(c) GDPR).
The EU standard data protection clauses are agreed with all recipients from third countries before the first transfer of personal data. Consequently, appropriate safeguards, enforceable rights and effective remedies resulting from the EU standard data protection clauses are guaranteed for all processing of personal data. Anyone concerned may obtain a copy of the standard data protection clauses. The standard data protection clauses are also available in the Official Journal of the European Union (2010, L 39, p. 5-18).
The legislator has enacted a variety of storage obligations and periods. In addition, tax retention obligations may be relevant. After the expiry of these periods, the corresponding data is routinely erased.
If data is not affected by this, it is erased once the above-mentioned purposes cease to apply. For possible liability reasons, the data could be kept for longer in individual cases. If the legal requirements are met, the processing of the data is restricted instead of the data being erased.
Please be aware that the provision of personal data is, in part, required by law (e.g. in tax regulations) or may also result from contractual regulations (e.g. information on the contractual partner).
In some cases, in order for a contract to be concluded, it may be necessary for the data subject to provide us with personal data which in turn must be processed by us. For example, the data subject is obliged to provide us with personal data if our company enters into a contract with him/her. Failure to provide personal data would mean that the contract with the data subject could not be concluded.
Prior to the provision of personal data by the data subject, the data subject may contact the controller. The latter then informs the data subject on a case-by-case basis whether the provision of personal data is required by law or the contract, or required for the conclusion of the contract, whether there is an obligation to provide the personal data and what consequences a failure to provide the personal data would have.
8. Existence of automated decision-making, including profiling in accordance with Art. 22(1) & (4) GDPR, and – at least in these cases – the provision of meaningful information on the logic involved and the scope and intended effects of such processing for the data subject (Art. 13(2)(f) GDPR)
9. Existence of rights of access, rectification, erasure, restriction of processing, the right to object to processing and the right of data portability (Art. 13(2)(b) GDPR)
Every data subject has a right of access to his/her personal data. The right of access extends to all data processed by us. This right can be exercised easily and at reasonable intervals so that all data subjects are always aware of the processing of their personal data and can verify its lawfulness (Recital 63 GDPR). This right arises from Art. 15 GDPR. The data subject may contact our data protection officer to exercise his/her right of access.
Pursuant to Art. 16(1) GDPR, all data subjects have the right to request our company to immediately rectify any incorrect personal data concerning them if the processed personal data concerning them is incorrect or incomplete. In addition, Art. 16(2) GDPR stipulates that the data subject has the right to request the completion of incomplete personal data – also by means of a supplementary statement – taking into account the processing purposes.
In accordance with Art. 17 GDPR, data subjects have the right to erasure ("right to be forgotten"). You may request the data controller to erase the personal data relating to you without delay and the controller is obliged to erase this data without delay, as long as one of the following reasons applies:
· You file an objection against the processing pursuant to Art. 21(1) GDPR and there are no overriding legitimate reasons for the processing, or you file an objection against the processing pursuant to Art. 21(2) GDPR.
If the data controller has disclosed the personal data concerning you to third parties, and is then obliged to erase such data pursuant to Art. 17(1) GDPR, he shall take appropriate measures, including technical measures, taking into account the available technology and the implementation costs, to inform those processing such personal data that you as the data subject have requested the erasure of all links to this personal data or of copies or replications of this personal data.
Pursuant to Art. 18 GDPR, every data subject has a right to restriction of processing. Under the following conditions, you may request that the processing of personal data concerning you be restricted:
· The controller no longer needs the personal data for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims, or
If the processing of personal data concerning you has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.
Furthermore, Art. 21 GDPR guarantees the right to object. You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you which is based on point (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions.
The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Art. 20 GDPR grants the data subject a right to data portability. According to this provision, the data subject has the right, under the conditions set out in Art. 20(1)(a) & (b) GDPR, to receive the personal data concerning him/her which he/she has provided to the controller in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the controller. The data subject can exercise the right to data portability via our data protection officer.
10. The right to revoke consent at any time without prejudice to the lawfulness of the processing carried out on the basis of the consent until revocation, provided that the processing is based on Art. 6(1)(a) GDPR or Art. 9(2)(a) GDPR (Art. 13(2)(c) GDPR)
If the processing of personal data is based on Art. 6(1)(a) GDPR, which is the case if the data subject has given consent to the processing of personal data concerning him/her for one or more specific purposes, or if the processing is based on Art. 9(2)(a) GDPR, which regulates the express consent to the processing of special categories of personal data, the data subject has the right to revoke his/her consent at any time pursuant to Art. 7(3), Sentence 1 GDPR.
The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until revocation (Art. 7(3), Sentence 2 GDPR). The revocation of consent must be as easy as the giving of consent (Art. 7(3), Sentence 4 GDPR). Therefore, the withdrawal of consent may always take place in the same way as the consent was given or in any other way that the data subject considers to be easier. If the data subject wishes to revoke a consent given to us, a simple e-mail to our data protection officer is sufficient. Alternatively, the data subject may choose any other way of informing us of his/her revocation of consent.
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a (data protection) supervisory authority, in particular in the Member State of your place of habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you violates German or European data protection law. As the controller, we are obliged to inform the data subject of the existence of a right to lodge a complaint with a supervisory authority (Art. 13(2)(d) GDPR). The right to lodge a complaint is regulated in Art. 77(1) GDPR. Under this provision, without prejudice to any other administrative or judicial remedy, any data subject has the right to lodge a complaint with a supervisory authority, in particular in the Member State of his/her place of habitual residence, his/her place of work or the place of an alleged infringement, if the data subject considers that the processing of his/her personal data is contrary to the GDPR. The right to lodge a complaint has been limited by the Union legislator solely to the extent that it can only be exercised against a single supervisory authority (Recital 141, Sentence 1 GDPR). This provision is intended to avoid duplicate complaints in the same matter by the same data subject. Therefore, if a data subject wishes to lodge a complaint against us, it is requested that only one supervisory authority be contacted.