Privacy Policy
– Study Access Alliance Program –
This Privacy Notice explains how your personal data is processed in connection with the use of this website and the provided functionalities (hereinafter collectively referred to as the „Website“).
This Website uses SSL or TLS encryption for security and to protect the transmission of personal data and other confidential content (e.g. orders or inquiries submitted to the data controller). You can recognize an encrypted connection by the string “https://” and the lock symbol in your browser line.
1 General
1.1 Data Controller and Data Protection Officer
This Website is operated by Study Access Alliance gGmbH, Ridlerstraße 57, DE-80339 Munich („Study Access Alliance“). Study Access Alliance is the data controller for the processing of your personal data.
Study Access Alliance processes your personal data on a subject-related basis in joint controllership with other companies belonging to the same group of companies, the IU Group, as explained below (all with their registered office at Mülheimer Straße 38, 53604 Bad Honnef, Germany, unless otherwise stated; IU group companies are referred to as “IU Group”). Activities in connection with the operation of the IU International University are carried out in joint controllership with IU Internationale Hochschule GmbH, Juri-Gagarin-Ring 152, 99084 Erfurt (“IU”). For central services within the Group, such as controlling, accounting and personnel administration, office, process and quality management, purchasing and sales, as well as other services, the aforementioned companies receive support of IU Corporate Services GmbH, which is jointly responsible for data processing; IU IT Services GmbH, Ridlerstr. 57, c/o IU Group NV, 80339 Munich, with regard to the provision of the operational IT infrastructure including hardware and software, telecommunication and electronic communication; IU Examination Service GmbH for services in the field of examination supervision; IU Marketing Service GmbH as well as IU Sales Services GmbH, Ridlerstr. 57, c/o IU Group NV, 80339 Munich, for services in the area of marketing and sales (this also includes marketing via this website and the operation of the applicant portal for students); IU Commercial 1 GmbH for the management of the online campus and IU Commercial 2 GmbH for the management of the campus locations and with regard to the campus programs; IU Student Services GmbH together with the respective GmbH that exists for the respective location and is named after its city name, e.g. IU Dortmund GmbH or IU Bonn GmbH, for the support of prospective students and students, in particular student advising.
We can provide you with excerpts from the joint controller agreement. If you would like to receive an excerpt, please contact datenschutz@iu.org.
IU Group has appointed Dr. Annette Demmel, SPB DPO Services GmbH, An der Buche 4, 13465 Berlin, annette.demmel@spb-dpo-services.com, as the data protection officer for the aforementioned companies.
You can contact Study Access Alliance and IU Group either in writing or per email at datenschutz@iu.org.
1.2 Recipients
Unless otherwise described in the context of a certain processing, only those Study Access Alliance and IU Group employees, who are responsible for performing a specific task have access to your personal data. In addition, employees who are responsible for operating our IT systems may have access to some of your personal data as part of their job, e.g., administering an application or performing IT security control tasks. Our employees are obligated to maintain the confidentiality of all personal data.
In the course of our business activities, we rely on the support of various service providers, in particular for the aforementioned purposes as well as for the operation of our IT systems. If the service providers we use have access to personal data, we have entered into the necessary agreements to protect your personal data; in particular, we have concluded data processing agreements in accordance with Art. 28 GDPR, in which we oblige our service providers to maintain confidentiality. Furthermore, banks may receive personal data for the purpose of processing payments, or lawyers, tax advisors and auditors may receive personal data in the course of their work for us. In some cases, we transmit personal data due to legal obligations. In the event of a suspected criminal offense or during investigative proceedings, data may be transmitted to the police and public prosecutor’s office. For further information about who has access to your personal data when using the individual applications, please refer to the description of the respective application.
1.3 Transfers to Third Countries
If we transfer data to service providers in so-called third countries, this is described for the respective application. Some of these third countries do not have an adequate level of data protection. An overview of third countries for which an adequate level of data protection has been confirmed by the EU Commission can be found here: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en. Particularly in the case of data transfers to the USA, there is a risk that your personal data will be processed by the authorities there for control and monitoring purposes without you becoming aware of this or having sufficient legal remedies available to you. We routinely safeguard transfers to third countries by using the so-called EU standard contractual clauses. You can obtain a copy of these clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de. If some providers use binding internal corporate rules for data protection or the transfer is secured because a company is certified according to the Data Privacy Framework (see https://www.dataprivacyframework.gov/s/program-overview), this is explained in the individual applications. If the use of individual applications is optional or alternatives are available, we point this out and – if you do not want to use the alternatives – process your personal data in such cases only on the basis of your separate consent to legitimize the data transfer in accordance with Art. 49 (1) a) GDPR.
1.4 Consent
If you have given your consent to a processing activity, you may withdraw this consent at any time with effect for the future without providing a reason. For this purpose, please use the methods for contacting us mentioned above or change the switch settings if you have given your consent via the selected switch settings.
1.5 Retention
It is our general policy to delete your data as soon as it is no longer needed for the required purpose and if there are no retention obligations. We usually delete your personal data within a short period of time, e.g. within a few months after the conclusion of any counseling. Unless special circumstances regarding deletion are described for the respective application, we process your personal data in accordance with the various retention periods under university or federal law for up to 15 years or in accordance with retention periods under tax and commercial law for a period of six to ten calendar years after the conclusion of a transaction or after the end of the contract. If you object to any processing under Art. 21 (2) GDPR, we will delete your data within four weeks after your objection, unless otherwise required by law or if we are obligated to block the data. If the processing takes place on the basis of your consent and you withdraw your consent or the processing ends for other reasons, we will process the information necessary to prove that consent had previously been granted, i.e. date, time, details of the granting and subject of the consent, for a period of three years after the processing based on consent ends.
2 Data Collection When Visiting the Website
When using our Website for informational purposes only, i.e. if you do not register or otherwise transmit information to us, we only collect data that your browser transmits to our server (so-called „Server Log Files“). When you access our Website, we collect the following data, which is technically necessary in order to display the Website for you:
- Our Website visited
- Date and time of access
- Quantity of data transmitted in byte
- Source/reference from which you reached the page
- Browser used
- Operating system used
- IP address used
The processing takes place in accordance with Art. 6(1)(b) of the General Data Protection Regulation (“GDPR”) on the basis of your use of our Website and our interest in improving the stability and functionality of our Website in accordance with Art. 6(1)(f) GDPR.
We process your data in order to provide you with a functional website, retain the data for the duration specified by us for this purpose and delete your data thereafter.
Only employees of Study Access Alliance and IU Group who are responsible for maintaining the Website receive access to your personal data.
We use third-party services on our Website. Further information about these services and the related data processing is found in this Privacy Policy or the cookie settings.
3 Cookies
Depending on your browser settings and whether you have given us your consent, cookies may be used when you visit this Website in order to extend the functionality of the Website and make it more convenient for you to use. Cookies are small text files that are stored on your computer. Most of the cookies used are deleted from your hard drive at the end of the browser session („Session Cookies”). In addition, we use so-called permanent cookies („Persistent Cookies”), which remain on your device in order to recognize you the next time you visit the Website. If cookies are used, they collect and process to an individual extent certain user information such as browser and location data, IP address values and as described in the Server Log Files. Persistent cookies are automatically deleted after a specified period of time, which may differ depending on the cookie.
An overview of the cookies used and the duration of the respective cookie storage can be found in the cookie settings in our Cookie Consent Tool.
If personal data is also processed through individual cookies used by us, the processing takes place in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in improving the stability and functionality of our Website (so-called „Necessary Cookies”) or in accordance with Art. 6(1)(a) GDPR on the basis of your consent for all other cookies (marketing and analysis cookies).
Please note that you can configure your browser in such a way that you are informed about the use of cookies and can decide individually whether to accept or to refuse to accept them in certain cases or in general. Each browser differs in the way it manages cookie settings. Cookie settings are described in the help menu of each browser, which explains how you can change your cookie settings.
Please note that if you do not accept cookies, the functionality of our Website may be limited.
4 Cookie Consent Tool
This website uses a so-called cookie consent tool of Usercentrics GmbH, Rosental 4, 80331 Munich, Germany (the „Cookie Consent Tool“) to obtain consent to the use of cookies and cookie-based applications that require consent.
By integrating a corresponding JavaScript code, users are shown a banner when they access our Website, in which consent for certain cookies and/or cookie-based applications can be given by ticking the appropriate box.
The Cookie Consent Tool blocks the use of all cookies requiring consent until the respective user grants the corresponding consent by ticking the appropriate box. This ensures that cookies of this type are only placed on the user’s device if consent has been granted.
In order for the Cookie Consent Tool to be able to clearly assign page views to individual users and to individually record, log and store the consent settings chosen by the user for a session duration, certain user information, as described in the Server Log Files and including the IP address, is collected by the Cookie Consent Tool when our Website is accessed, transmitted to servers of the Cookie Consent Tool and stored there. For further details, please refer to the information provided in each case in the Cookie Consent Tool.
The data processing carried out by the Cookie Consent Tool takes place in accordance with Art. 6(1)(f) GDPR on the basis of our legitimate interest in a legally compliant, user-specific and user-friendly consent management for cookies and thus our legitimate interest in our Website being lawfully designed.
We have concluded a data processing agreement with Usercentrics GmbH, which obligates Usercentrics GmbH to protect the data of visitors to our Website and to refrain from disclosing such data to third parties.
We process your data for this purpose for the duration of your session and delete your data thereafter, unless you have given your consent to the use of cookies, in which case we process your data for the duration specified for each cookie.
For further information on the use of data by Usercentrics GmbH, please refer to Usercentrics’ Privacy Policy at https://usercentrics.com/privacy-policy/.
5 Contact (e.g. by email)
If you contact us by e-mail, we process the information necessary to answer your contact requeest, e.g. your e-mail address, the information you provide and the date and time of the contact. If you also provide us with your name and other personal data, we also process these.
If you conduct an online meeting with us, we additionally process your name displayed, if applicable your profile picture, preferred language, date, time, meeting ID, if applicable your phone number, as well as exchanged texts, audio and video data. To handle our communications, we use Microsoft 365, Microsoft Teams, both services are provided by Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA (“Microsoft”) and Zoom Video Communications, Inc., 55 Almaden Boulevard, Suite 600, San Jose, CA 95113, USA („Zoom“).
The legal basis for this processing is Art. 6 (1)(b) GDPR. We process your data in order to respond to your inquiry. Your personal data will be retained in each case for the period determined by us in order to perform the task and will be deleted thereafter. This is based on the retention periods under commercial and tax law. Only employees of Study Access Alliance and IU Group who are responsible for responding to contact requests will receive access to your personal data.
We have concluded data processing agreements with Microsoft and Zoom based on the EU Standard Contractual Clauses. You can access the EU Standard Contractual clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de. For more information on data processing by Microsoft, please visit https://privacy.microsoft.com/de-de/privacystatement and for Zoom https://explore.zoom.us/en/privacy/.
6 Web Analysis Services
Our website uses analysis services in order to collect information about our website, provided you have consented to the setting of the corresponding cookies. The data obtained with the help of these analysis services, such as the location of the visitors or their length of stay on our website, gives us information about visitor behaviour on our website. With the help of this data, we can not only eliminate website issues, but also improve the efficiency of our website. Further information on the analysis services used on our website can be found below. For information on the processing of personal data by the cookies set for this purpose, such as the storage duration of the cookies, please refer to our cookie settings.
6.1 Google Analytics and Google Signals
We use Google Analytics to get an overview of the behaviour of website visitors, and gain insights regarding our digital marketing efforts. Google Analytics allows us to collect and evaluate the data specifically relevant to us, for example how far down a webpage was scrolled, which button was clicked, etc. Google Analytics also helps us, for example, understand user demographic characteristics such as age, gender and interests, geographic characteristics such as language and location, as well as technical characteristics such as device type, browser and operating system. With the help of this data we can not only optimise our website, but can also recognise how the respective user sessions ended (e.g. simple website visit, request for information material, application for studies). Google Analytics also helps us recognise which webpage a user is accessing and via which channel the users come to our website from (e.g. via a paid or unpaid ad, a Google search, a Facebook post or direct access to the website). With the help of this information, we can identify which marketing channels are working and which are not. Google Analytics also allows us to recognise user paths, i.e. where users are moving on our website, whether they are going back to the start page and how many users access our website. With the help of this information, we can, for example, recognise whether the jumping off of a large number of users is due to a technical defect in the website. The above data gives us a good overview of our website and how it is used. Even if we collect user data, we cannot draw any conclusions about your identity from this data, as we receive reports from Google Analytics that are based on aggregated data sets.
Since we have also activated the Google Signals service offered by Google, i.e. so-called cross-device tracking, your aforementioned data is analyzed across devices and processed for personalizing ads. Google can thus recognize whether you visit our website first via a smartphone and later via a laptop. We ourselves only receive reports with anonymous data from which we can recognize patterns in user behavior. Google Signals is active if you have a Google account and are logged into it when you visit our website. Furthermore, you must have agreed to “personalized advertising” with Google. If you do not want cross-device tracking, you must deactivate “personalized advertising” in your Google account. Google Signals allows us to launch cross-device remarketing campaigns. This means that we also show you our advertising on third-party websites. You may access your data or delete them at Google in “My Activity”. Google LLC is certified under the Data Privacy Framework.
Additional information on Google Analytics plus the Google data privacy policy is available here. The contact information for GDPR claims (e. g. right to erasure) against the Google Ireland Limited is also available there.
Information on the provider, the cookies set, the legal basis for cookie collection, international data transfers and storage times of the cookies can be found in our cookie settings.
7 Google Tag Manager
This website uses Google Tag Manager („GTM”), a service provided by Google Ireland Ltd. („Google”), with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland. Through the use of GTM, tags such as code snippets or pixels are used on our own Website by means of a so-called container, which inserts a kind of placeholder into the source code and in which the tools that are to be used are stored without us having to interfere with the source code of our Website. Using GTM, tools can be used on our own Website without having to include each of them in the source code. Instead, only the code of GTM has to be included, and then GTM can be used as a central place to launch or disable the desired tools.
GTM works on the Website when a defined user behavior triggers a tag (i.e. a pixel tag, web beacon, or html code) for the tool. GTM collects the relevant data for the built-in tool and forwards it to the tool. Information about the tools used on our Website that are loaded via GTM can be found here. In this context, not only are the data categories described for the respective tools transferred to the respective tool providers; Google Ireland Ltd. also receives information about your usage behavior on our Website. Since a large number of the tool providers are located in countries outside the EU, please refer to the description of the respective tools if you would like to receive information on the transfer mechanisms agreed with us. We have also entered into a data processing agreement with Google Ireland Ltd., which incorporates the EU standard contractual clauses. The main content of this agreement is available for review here: https://policies.google.com/privacy/frameworks?hl=en. Google LLC is certified under the Data Privacy Framework.
We us GTM to deploy not only statistical tools but also marketing tools. Accordingly, GTM is a statistics and marketing tool, and the use of GTM is based on your consent in accordance with Art. 6(1)(a) GDPR, which you may withdraw at any time with effect for the future by sending an email to datenschutz@iu.org.
8 Social Media
For the purpose of increasing our reach, we maintain social media online presences on Facebook, Instagram and LinkedIn. If you click on a link embedded in our website, you will be redirected to the respective page: Facebook: https://www.facebook.com, Instagram: https://www.instagram.com, LinkedIn: https://de.linkedin.com. Plugins of these social networks are integrated on our website. When you visit our website, a direct connection between your browser and the server of the social network is established via the plugins. The social network thereby receives the information that you have visited this website with your IP address. If you are logged into your account with the social network, the social network can assign the visit to this website to your user account. Details on data collection (purpose, scope, further processing, use) as well as your rights and setting options can be found in the privacy policy of the social network. The deletion of your personal data by the social network takes place as described in the respective privacy policy. If there is joint responsibility with Instagram or Facebook, the contract on joint responsibility applies. You can find the contract at https://de-de.facebook.com/legal/terms/page_controller_addendum. For more information on the respective responsibilities, please refer to the Facebook Page Insights Supplement (https://de-de.facebook.com/legal/terms/page_controller_addendum). The legal basis for the processing of the data is Art. 6 para. 1 f) GDPR. Our legitimate interest in this respect is to increase the reach of our online presence on the social media channels. The purpose of the processing is to increase our presence on the Internet. Access to the data is granted to employees of Study Access Alliance and IU Group who are active in the support of the social media channels and, if applicable, to employees of the respective provider. Your personal data is transferred to the companies listed below in the USA or can be accessed from there. For more information on safeguarding the international transfer of data, please refer to the section “Transfers of personal data to third countries”. Information on data processing can be found at: LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland) – Privacy Policy https://www.linkedin.com/legal/privacy-policy, Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out, Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA) – Privacy Policy/Opt-Out: http://instagram.com/about/legal/privacy. Facebook (Meta Platforms Ireland Ltd., 4 Grand Canal Square, Dublin 2, Ireland) – Privacy Policy (Opt-Out: https://www.facebook.com/about/privacy/legal_bases). Meta is certified under the Data Privacy Framework. We process your personal data for the duration determined by us with regard to the performance of the task. In this regard, we take the retention obligations under commercial and tax law as a basis. Clicking on a link, such as to Facebook, Instagram or LinkedIn, will take you to the respective websites of the different providers. Data processing on the respective website is governed by the data protection information applicable there. We do not have any influence on the data processing carried out there.
9 Videos
We have embedded videos on our Website that are stored on the video portal Vimeo. The video portal is operated by Vimeo LLC, 555 West 18th Street, New York, New York 10011, USA. With the help of a plug-in, we can show you interesting video material directly on our Website. In the process, the data specified in the Server Log Files is transferred to Vimeo. The legal basis is your consent in accordance with Art. 6 (1)(a) GDPR to view the corresponding content.
When you visit a website in which a Vimeo video is embedded, your browser connects to Vimeo’s servers. This results in a data transfer to Vimeo and your data is stored on Vimeo servers in the USA. IU Group has entered into a data processing agreement with Vimeo for this purpose, which incorporates the EU standard contractual clauses. You can obtain a copy of these clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de. Vimeo is certified under the Data Privacy Framework. Vimeo uses your data, among other things, to improve its own service offering and to display advertisements for you. Whether or not you have a Vimeo account, Vimeo collects data about you. Information about data processing by Vimeo is available at https://vimeo.com/privacy.
If you have a Vimeo user account and are logged in while visiting our Website, data about your visit will be linked to your Vimeo user account to form a user profile. If you would like to prevent this, we recommend logging out before visiting our Website. You also have the right to object to such data processing at any time. To do this, we recommend adjusting the settings in your browser regarding cookies and the settings in our Cookie Tool.
For information about the cookies used in connection with Vimeo, please refer to our cookie settings.
10 Communication with journalists and press representatives
We process from representatives of the press and journalists their names, contact details, information about professional activities and the content of the communication for the purpose of press and public relations work and direct communication. The legal basis for the processing of personal data is Art. 6 par. 1 lit. f) GDPR. The legitimate interest for the processing is the implementation of public relations and press work, which is why we may maintain a press distribution list. For the email press distribution list we may use the services of Meltwater (Meltwater Deutschland GmbH, Rotherstraße 22, 10245 Berlin). You may unsubscribe from the press distribution list by clicking on the link that is included at the end of each email. We have entered into a data processing agreement with Meltwater in accordance with Art. 28 GDPR. We process the personal data for the period in which we occasionally provide press representatives and journalists with information. We delete contact data upon request or after we have become aware that an activity for the press or in the area of public relations is no longer being carried out.
11 Rights of Data Subject
You can contact us in writing or per email at datenschutz@iu.org in order to exercise the following rights:
- Access your data in order to check and verify this data;
- Obtain a copy of your personal data;
- Rectification, erasure or restriction of processing, which also includes the right to complete incomplete or incorrect data by providing a supplementary statement;
- Right to object to the processing; please note that pursuant to Art. 21 GDPR you have the right to object to the processing of personal data processed by us on the basis of legitimate interests pursuant to Art. 6 (1) (f) DSGVO; you have a right to object to processing insofar as this is done on grounds relating to your particular situation; insofar as the objection is directed against the processing of personal data for the purpose of direct marketing, you have a general right to object without the requirement to specify a particular situation,
- You can receive your provided personal data in a structured, commonly used and machine-readable format and transmit this data to another controller, provided that you have given your consent to the processing or the processing is based on a contract;
- If you have given us your consent to process your personal data, you can withdraw this consent at any time with effect for the future.
You also have the right to lodge a complaint with a supervisory authority with regard to the processing of your personal data. To exercise this right, you can contact the authority responsible for your place of residence or for the location of the IU Group in Thuringia:
Der Thüringer Landesbeauftragte für den Datenschutz, Häßlerstraße 8, 99096 Erfurt.
12 Automated Decision-making and Profiling
Except for the services described in the context of Google Analytics and Google Signals, your personal data will not be used by us for automated decision-making.
When visiting our Website, we place cookies from various providers, provided you have given your consent in this regard. By means of the cookies that you have allowed in each case, data is generated as described in the Server Log Files. This data is consolidated and combined with the help of a Google solution. For this purpose, we have concluded a data processing agreement with Google, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland, which incorporates the EU standard contractual clauses. You can obtain a copy of the clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?locale=de. Google LLC ist certified under the Data Privacy Framework. If we receive information about you through our Website, for example, because you ask us to send you informational materials or contact us, then we store your data and combine it with the data generated by cookies. In addition, we receive reports from Google Analytics with data that we also combine with your data. For further information, please refer to the section on Google Analytics.
With the help of your consent regarding the data generated via our website, we store it in a CRM solution. We analyze the data to determine whether you are only interested in a course of study offered by us or whether you have also applied, and we add the relevant information to your data record. We store this profile created about you in a salesforce solution provided by Salesforce, with its registered office at Floor 26 Salesforce Tower, 110 Bishopsgate EC2N 4AY London, England.
The legal basis for this data processing is your consent in accordance with Art. 6(1)(a) GDPR, which you can withdraw at any time with effect for the future by contacting datenschutz@iu.org.
13 Why Do We Collect Your Personal Data?
You may choose not to provide us with your personal data or choose to provide incomplete data. In such a case, for example, if you prevent the storage of a cookie, you may not be able to use all the functionalities of the Website.
Status: October 2024