§ 1 – General information and Contact Person
(1) In the following, we, the Carl Duisberg Centren, will inform you about the personal data of our customers and contractors that we collect and process in connection with the delivery of our language course programs, and accompanying services. “Personal data” means any information that can be related to you personally, e.g. names, addresses, and IP addresses.
(2) The controller in accordance with Article 4 No. 7 General Data Protection Regulation (hereinafter referred to as “GDPR”) is:
Carl Duisberg Centren gemeinnützige GmbH
(3) The data protection officer is:
Franz-Henning Ritschel, Assessor iuris
Carl Duisberg Centren gemeinnützige GmbH
§ 2 – Your rights
(1) Regarding your personal data that we control, you have the following rights according to the standards laid out in the GDPR:
a) Right to information
b) Right to rectification
c) Right to deletion
d) Right to restriction of processing
e) Right to data portability
f) Right to withdraw consent at any time; however, such a withdrawal of consent does not affect the permissibility of processing for the time period before which notification of the data subject’s withdrawal of consent was received.
g) Right to object to processing as long as our processing of your data is in conflict with the balancing of interests (in cases where the legal basis for the processing is based on Article 6 No. 1 f) GDPR) or when the processing is related to direct marketing. In the second case of direct marketing, we will cease the processing immediately. In the first case where legitimate purposes of the controller are in conflict with the interests or fundamental rights of the data subject, we will first limit the processing and notify you immediately of our decision whether we deem the processing to be in conflict with your interests or fundamental rights – which will lead to termination of the processing – or not.
(2) To exercise your rights, you can contact us at any time by using the contact details provided above in §1 of this Policy or a contact form on our websites.
(3) In addition, you have the right to lodge a complaint with a data protection supervisory authority about our processing of your personal data. The data protection supervisory authority responsible for oversight of CDC is:
Landesbeauftragte für den Datenschutz und
Kavalleriestraße 2 – 4
§ 3 – Fundamental principles of data processing, personal data collected
(1) We only process the personal data that you have actively provided us or – in rare exceptional cases – that you have actively provided to our partners or service providers. These data are only collected to the extent that such collection is strictly necessary to fulfill the purposes detailed in § 4 to § 11 of this Policy. We only engage in data processing if there is a legitimate legal basis for the processing that we are able to demonstrate and it is a situation in which you as our customer would reasonably expect that such processing would occur.
(2) Personal data will be collected when you register for or book our language course programs and accompanying services, when you register for online services that we use in our courses, or when you make an inquiry as well as other situations in the course of delivering our services.
(3) The following personal data may be collected:
a) Preferred means of address
b) First and last names
c) Addresses (permanent and temporary), billing address
d) Telephone numbers
e) email addresses
f) Date of birth/age
i) Passport number and/or national ID number
j) Information about visas and immigration status
k) Arrival and departure dates
l) Preferences/dislikes/special requests, e.g. vegetarian
m) Health data, e.g. allergies
n) Information about education and training
o) Language levels
p) Services selected
q) Course location
r) Course duration
s) Course attendance
t) Test results and other course assessments
u) Photos and video files
v) Usernames/handles (in social networks, video conference software, etc.)
w) Information about insurance
x) Evaluations of quality of the courses when you elect to provide your name on the evaluation
y) In addition, the following data will only be collected from teachers:
aa) Martial status
bb) Information about the professional services offered
cc) Salary information
dd) Bank and account data
ee) Fax number
ff) Information about private motor vehicle
§ 4 – Processing mandated by statutory regulation and for preparation and performance of contracts
(1) Certain personal data are processed in order to fulfill statutory requirements, e.g. billing addresses, which must be provided under German tax law if you enter into a business relationship with us in which money is exchanged for services.
(2) All other personal data that we process is used for the following purposes:
a) We need these data to be able to determine which language course programs and accompanying services or where applicable services already booked that we are able to offer you because they fulfill your requirements and to ensure that the conditions for concluding a contract have been met.
b) After a contract has been concluded, we require these data in order to be able to organize and deliver the language course programs and accompanying services as agreed in the contract.
(3) The provision of all the data listed in § 3 No. 3 of this Policy is statutorily or contractually mandated, and should you elect to not provide the required personal data, we will as a consequence not be able to offer you some or all of our services, or in the case of teachers, we will not be able to offer you a contract to work as a teacher.
(4) The legal basis for the data processing conducted as described in §4 No. 1 of this Policy is for compliance with legal obligations in accordance with Article 6 No. 1 c) GDPR. The legal basis for the data processing conducted as described in §4 No. 2 of this Policy is to carry out precontractual measures or to fulfill our contractual obligations in accordance with Article 6 No. 1 b) GDPR. The legal basis for the data processing of health data is always derived from express consent of the data subject in accordance with Article 9 No. 2 a) GDPR.
§ 5 – Notification of direct marketing according to Section 7 No. 3 of the German Act against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, UWG)
If you purchase goods or services from us, we are permitted to process the electronic contact information you provided to us in the context of your purchase in order to inform you of similar products and services that we offer by email provided you have not actively objected to this use of your personal data. You may object to this use of your data at any time and free of charge by notifying us of your objection by clicking on the unsubscribe link in the email, contacting us at the address given in §1 of this Policy, or using a contact form on our website. Upon receiving notification of your objection to the use of your data for direct marketing, we will no longer use your electronic contact information for advertising purposes.
§ 6 – Required data processing that can only be conducted with explicit consent
(1) If medical restrictions that may affect the delivery of the service requested exist, we must collect health data from you on the basis of a declaration of consent that you have provided us. In this case, the collection of such data is absolutely necessary in order to be able to evaluate whether we can offer the service the customer has requested and where applicable to be able to make arrangements so that the customer can access the classrooms, accommodations, and other facilities, etc.
(2) When you initiate contact with us over email or by using a contact form on our website, you consent to our processing of the information you actively enter into the fields on the contact form or email as well as data that is automatically transmitted so that we can process your request.
(3) The legal basis for this data processing is your express or unambiguous consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the processing of health data is the express consent of the data subject in accordance with Article 9 No. 2 a) GDPR. Should you elect to not provide the necessary consent or revoke this consent at a later date, this will have the consequence that we will unfortunately no longer be able to offer you the service or functionality that requires processing of these data. If a data subject is younger that 17 years old, only a parent or legal guardian can legally consent to processing of the data subject’s personal data.
§ 7 – Optional data processing that can only be conducted with explicit consent
(1) You can give your consent for us to publish items such as photos, quotes, and excerpts from customer reviews of our services along with your first name and last initial as a part of our efforts to present our organization to the public (website, social media channels, print advertisement, films, press releases).
(3) If you provide your explicit consent, we may send you newsletters at regular intervals for informational and advertising purposes to the email address you have provided.
(4) With your consent, we may record videoconferences, virtual classrooms, and other similar platforms in order to make these recordings available to you and other customers and to be evaluated as a part of our quality controls system.
(5) You may give your consent for us to include your name, contact details, nationality, and interests in a database for the purpose of matching tandem partner as well as granting permission for us to forward these personal data to interested parties who match your search criteria for a tandem partner, so that they can initiate contact with you.
(6) We only release reports of your course performance or records of course attendance to third parties with your consent or the consent of your legal representative.
(7) In order for us to be able to offer you assistance and accompany you when you require medical treatment in cases of illness or emergencies, we require an extra written declaration of consent from you.
(8) In order to evaluate and maintain the quality of our services, we conduct evaluations of our language course programs. Participation in these evaluations is voluntary. Participants have the option of providing their name, telephone number, and email address so that CDC can respond to any queries they may have. Other personal data and connection data (e.g. IP addresses) are not processed in connection with CDC’s online evaluations.
(9) The legal basis for this data processing is your express or unambiguous consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the transfer of data to a third country outside of the European Economic Area is the express consent of the data subject in accordance with Article 49 No. 1 a) GDPR. If a data subject is younger that 17 years old, only a parent or legal guardian can legally consent to processing of the data subject’s personal data.
§ 8 – Data Processing based on a balancing of interests
(1) In order to ensure the smooth running of our courses and to inform you of the time and location of your current in-person classes or events, we display this information along with the first and last names of the participants and teachers/event hosts on notices posted at a central location in our buildings where everyone who is present can view them.
(2) For informational and adverting purposes, we may send emails with information about our current offers or other customer information on a regular basis If you have provided us with your email address as a part of concluding a paid commercial transaction with us, and you did not object to receiving our emails (see § 5 of this Policy).
(3) If you initiate contact with us by using the contact form on our website, certain data will be transmitted to us when the form is sent in order to maintain the security of our IT system and to prevent possible misuse. In addition to data entered into the field of the contact form, the IP address of the user as well as the date and time of access will be transmitted to us (connection data).
(4) The legal basis for this data processing is a balancing of interests in accordance with Article 6 No. 1 f) GDPR. Should you object to this processing and this objection be successful, we will provide our services without this data processing, which will mean that we will only be able to provide you a limited version of our products without the services and functionality that depend on this data processing.
(5) You can find detailed information about other processing of personal data connected with the use of our website in our Data Protection Policy, which can always be accessed at our website www.cdc.de or https://www.cdc.de/cdds.
§ 9 – Facebook and Instagram
Due to the fact that Facebook itself is principally responsible for deciding the methods employed and purposes for which data is processed on its network, Facebook is responsible for data protection relating to the use of its network. As such, you can direct all data protection inquiries and requests to exercise your right listed in § 2 of this policy that relate to the Facebook network to: Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland (for use outside of the USA and Canada).
(2) Although we cannot control, nor can we monitor Facebook’s processing of your data, we may as an operator of company pages be considered, together with Facebook, jointly responsible for data protection. For this reason, we will now inform you in the following a) how – to the best of our knowledge – Facebook’s data processing works and b) how we use these data.
(a) Facebook’s social networks are online platforms that make it possible to publish information, opinions, and media as well as allowing users who are registered and logged on to the platforms (hereinafter referred to as “users”) to interact with one another. Facebook processes personal and other data for several purposes, including to deliver advertising and to personalize such adverts. If personal data is actively inputted or posted on Facebook’s social networks (e.g. in profiles, groups, events, timelines, stories, feeds) or sent over these networks, these data will in all cases be disclosed to Facebook. This also includes the so-called Exif data associated with digital photos and videos (metadata such as e.g. time, location, and camera used). Depending on the privacy settings for the particular profile, group, story, etc., which the user can configure, other users are granted access to the personal data that have been actively posted or sent. In addition, Facebook processes data that are not actively posted as follows: connection data (e.g. IP address, browser information, and location) is collected when users and non-users access the platforms, and data relating to users’ behavior on Facebook’s network will be saved. By using so-called cookies, Facebook plugins, and other tracking technology, Facebook also collects additional data about the behavior of users and non-users on other websites outside of Facebook’s networks (e.g. about websites visited and likes).
Please be aware that simply accessing our company page or browsing websites with embedded Facebook plugins may result in personal data being stored by Facebook even if you are not a Facebook user.
Facebook analyzes the content that users actively post on the platforms, compiles the data from users – where applicable, from several different sources – to generate profiles, evaluates the available information, generates summarized statistics, and passes these on to its own customers as a part several of products (including “Facebook Insights”, for more information, see below). In addition, Facebook allows its customers, e.g. app developers, broad access to its users’ data through application programming interfaces (APIs) on the networks.
The data processing conducted by Facebook is in part carried out in the USA and other countries outside of the European Economic Area. However, appropriate safeguards for the transfer of data have been established. For more information, please see § 12 no. 2 of this Policy.
Facebook and Carl Duisberg Centren are parties to a joint controller processing agreement in accordance with Article 26 GDPR, which Facebook has concluded with operators of fan pages in Europe. This agreement can be accessed at the following link (verified 07/2020): https://www.facebook.com/legal/terms/page_controller_addendum
In essence, this agreement stipulates the following:
- Facebook and Carl Duisberg Centren act as joint controllers when processing Facebook Insights data.
- Facebook assumes the primary responsibility for data processing.
- Facebook is solely responsible for answering all inquiries of affected persons or data protection regulators related to Facebook Insights data, while Carl Duisberg Centren is obligated to forward all such inquiries to Facebook.
(b) We are active on Facebook’s social networks for purposes of providing information to our customers, advertising, and to communicate with our customers and interested parties. In order to achieve these objectives, we post news, photos, videos, and texts; we follow clients, freelance employees, or third-party language training companies and travel providers; and we also run promotional contests and campaigns at irregular intervals, free of charge. These activities and content are regularly associated with or contain personal data related to our customers and freelance employees. Naturally, we inform data subjects and seek their consent before posting their personal data. Our company pages are publicly available without any restrictions to all users and third parties. Our groups on the Facebook network are “private”. This means that the Facebook user profiles that can interact with the group and access the contents posted in the group are limited to user profiles admitted by us, and as a rule these user profiles belong to our current and former customers, and our freelance employees. Before we post photos and videos to Facebook, we remove the Exif data from the file (see above for more information). Personal data on our company pages will be deleted after a retention period of seven years at the end of the calendar year in which the retention period expires. During this retention period, our legitimate interest to conduct advertising and inform customers, which justifies this data processing, shall remain in effect (for more information, see below).
We subscribe to “Facebook Insights” and “Instagram Insights”, products that Facebook provides free of charge. These products consist of anonymized, statistically analyzed data on the visitors to our company pages and how these visitors interact on our company pages on the respective social network. They consist of demographic data (e.g. age, gender, language, and employment status), geographic data (e.g. the user’s permanent place residence and current location), information about lifestyle and interests as well as the number of likes, which can be associated with data categories. Insights allow us to draw certain conclusion about the reach and popularity of our company pages and content. Where applicable, we use this information to customize the content. However, we do not systematically analyze the data we receive from Insights. Moreover, we do not target our Facebook activities at particular target groups and thus do not use any additional Facebook services that would, for example, make it possible for us to engage in target-group-specific customer communication. Thus, you will not receive personalized advertising from us under any circumstances.
Our legal basis for uploading and publishing content that includes your personal data on Facebook’s social networks is your consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to Facebook when you visit, view, and use our company Facebook pages as well as our use of Insights is a balancing of interests in accordance with Article 6 No.1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.
§ 10 – Xing und LinkedIn
Due to the fact that Xing or LinkedIn is principally responsible for deciding the methods employed and purposes for which data is processed on their networks, these companies are responsible for data protection relating to the use of their networks. As such, you can direct all data protection inquiries and requests to exercise your right listed in § 2 of this Policy that relate to these networks to:
XING SE, Dammtorstraße 30, 20354 Hamburg, Germany E-Mail: firstname.lastname@example.org
LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland, contact form: https://www.linkedin.com/help/linkedin/ask/TSO-DPO (for users in Europa).
(2) Nevertheless, we may be considered, together with Xing or LinkedIn, jointly responsible for the processing of personal data on their networks. For this reason, we will now inform you in the following a) how Xing’s data processing works, b) how LinkedIn’s data processing works, and c) to what extent we use these data for our own purposes.
a) Xing processes personal data for various purposes including for-profit placement and optimization of advertising and to compile and provide statistical data to its customers. If personal data are actively entered on the Xing network (e.g. registration data, profile data including photos, contacts, participation in events, reactions such as “likes”, data in posts, groups, and messages), these data will in all cases be disclosed to Xing. The only exception is data contained in private messages sent using the more recent versions of the Xing app (starting 5 April 2018) if end-to-end encryption is activated. In addition, other registered users on the Xing network, non-registered users, and external providers of integrated apps may – depending on the privacy settings that the user has activated – have access to the personal data that the user has actively posted. Moreover, Xing collects other data not actively inputted by the user: when accessing the network, the user’s IP address, device and browser type as well as location are saved. With the help of so-called cookies and other tracking technology, Xing collects a wide range of data about the behavior of registered users on the Xing network and outside the Xing network, e.g. information about websites viewed, searches conducted, and whether or not direct marketing emails have been opened. In addition, Xing processes the personal data of data subjects who do not use the Xing network if registered users have uploaded non-user contact data to their Xing address book. Xing analyzes the data actively inputted on the network, evaluates the user behavior, and compiles these data together to create a profile. Such profiles allow Xing to among other things personalize advertising content that users see on the network or that they receive by email. Additionally, Xing generates summarized statistics from these data, which Xing provides to users and other customers. Users receive free of charge a “weekly overview” with job postings and personalized contact matches as well as anonymized, statistical information about visitors to their profile and search queries relating to them.
b) LinkedIn processes personal and other data for various purposes including for-profit placement and personalization of advertising, for research purposes including research on topics such as trends in the labor market, and to provide statistical data to its customers. If personal data are actively entered on the LinkedIn network (e.g. registration data, profile data including photos, address books, calendar data uploaded using synchronization tools in other programs, participation in events, reactions such as “likes”, data in posts, groups, and messages), these data will in all cases be disclosed to LinkedIn. Profile data are completely visible to registered users of LinkedIn, and – should the user choose to active the appropriate setting – these data are also visible to non-registered users. depending on the settings for groups, posts, reactions, messages, etc. the remaining actively posted data are visible to registered and non-registered users of LinkedIn. If the user has activated permissions for the account to be linked with external service providers, then these providers will also have access to the profile data and contacts. When a company profile has been established, the employer can also view and manage certain activities of its employees. LinkedIn uses scanning technology to analyze chat messages. In addition, LinkedIn collects other data not actively inputted by the user: when accessing the network, the user’s IP address, device and browser type as well as location are saved. With the help of cookies and other tracking technology, LinkedIn collects additional data about the user behavior, e.g. information about searches conducted for other registered users, videos watched, and ads clicked on. Data is also collected about behavior of registered users outside of the LinkedIn network, e.g. information about websites viewed, searches conducted, and whether or not direct marketing emails have been opened. Moreover, LinkedIn collects data relating to data subjects, which has been disclosed to LinkedIn by its registered users, e.g. in connection with contacts or synchronized calendars, and some of these data may related to people who do not use the LinkedIn network. The data collected by LinkedIn will be analyzed to create a profile. Such profiles allow LinkedIn to among other things personalize advertising content that users see on the network and on external sites or that they receive by email, which may also be sent to non-users. Additionally, LinkedIn generates summarized statistics from these data, which LinkedIn provides to users and other customers. Users receive free of charge an anonymized “analytics” of post, videos, and articles they have published on the network, which contains information on the number of view for each post, “likes”, shared posts, and the demographic background of the audience, including company affiliation, job title, and location. The data processing conducted by LinkedIn is in part carried out in the USA and other countries outside of the European Economic Area. However, appropriate safeguards for the transfer of data have been established. For more information, please see § 12 no. 2 of this Policy.
c) We use Xing and LinkedIn as advertising platforms. Our employees use the abovementioned profiles to post, share, or react to (“like”) texts and media that relate to our services offered and events on all conceivable channels available on the specific platforms (e.g. posts, groups, events). When engaging in such advertising activities, we make all posts public and do not restrict the visibility of our activities. in addition, we communicate individually with customers and freelance employees to deliver advice and for marketing purposes. Personal data of customers and freelance employees will only be posted on these networks if we have obtained the data subject’s consent to do so. The personal data in question that we may post are names, personal network handles as well as photos. We do not use any additional paid services offered by Xing and LinkedIn. We do not engage in any targeted advertising. We only receive anonymized statistics, specifically the abovementioned “weekly overview” and “analytics”. We do not systematically evaluate and analyze these data. These data do not provide us a sufficiently detail picture about the reach and effect of our activities on these networks that would allow us to target our activities and our advertising in particular to specific target groups. However, our employees do when appropriate contact individual users that have been suggested by Xing and LinkedIn.
Our legal basis for uploading and publishing of content that includes your personal data on the Xing or LinkedIn network is your consent in accordance with Article 6 No. 1 a) GDPR. The legal basis for the collection of your personal data and the subsequent transfer of these data to the particular network when you visit, view, and use our company pages as well as our use of “weekly overview” and “analytics” is a balancing of interests in accordance with Article 6 No.1 f) GDPR. Our legitimate interests in this case are advertising our products and service and providing information to our customers.
§ 11 – Twitter
(1) We use the microblogging service provided by the company Twitter Inc. (hereinafter referred to as “Twitter”) for the purposes of providing information to our customers and for advertising. To accomplish this, we post (“tweet”) texts and media that relate to our services offered and events on our company account. In the course of these activities, we also tweet personal data of customers and freelance employees but only after notifying the data subjects and obtaining their consent. The personal data in question that we may post are names, email addresses, personal Twitter handles, photos, videos as well as weblinks to further content that contains personal data. In addition, we react to tweets of third parties (“likes”) and forward these (“retweeting”). Our tweets and reactions are always set to public, and we do not restrict the visibility of our activities using the account settings or any special tools available from Twitter. As a result, the abovementioned personal data are not only disclosed to Twitter, but they are also freely available to an indeterminate number of Twitter users and non-users on the Internet. The legal basis for uploading and publishing of content that includes your personal data on the Twitter network is your consent in accordance with Article 6 No. 1 a) GDPR.
(2) Twitter conducts further data processing through its microblogging service. Twitter’s terms of service and its data protection policy apply. You can access these by following these links: https://twitter.com/de/tos or https://twitter.com/de/privacy (verified 07/2020). As we do not restrict the reach of our posts on Twitter and only use Twitter’s free services, which do not give us access to any of Twitter’s analytical data or other functions (e.g. ad tracking) that would enable us to direct our activities to specific target groups, we have no influence on Twitter’s further processing of data. Accordingly, Twitter alone decides about the methods used and the purpose of further data processing and is in this respect solely responsible for data protection. As such, all data protection inquiries and requests to exercise your right listed in § 2 of this policy that relate to Twitter should be directed to Twitter:
Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2, D02 AX07 Ireland, Contact form: https://twitter.ethicspointvp.com/custom/twitter/forms/data/form_data.asp (For users in Europa).
§ 12 – Recipients of personal data
(1) We contract with external service providers to deliver the services listed below. In cases where one of these services affects you, we will transfer your personal data that is necessary for delivering the particular service to the service provider:
a) Document destruction
b) Banking services (our company’s primary bank)
c) Lodging (e.g. homestay families, hotels)
d) Providing spaces for course or events/rentals
e) Cloud computing services
f) IT maintenance and Support
g) Customer supervision (contracted tutors)
h) Where applicable, newsletter delivery
i) Emergency medical care (e.g. emergency medical services)
j) Exams (exam providers)
l) Travel services (travel providers)
m) Social networks (Facebook, Instagram, LinkedIn, Xing, Twitter)
n) Social media marketing management
o) Training/courses (participating contracted teachers)
p) Insurance services (insurance companies)
q) Video conference platforms (e.g. Adobe, Microsoft, Zoom)
r) Payment services (e.g. PayPal)
(2) In the cases listed above in No. 1 m), n) and q), your data will be processed in a country outside the European Economic Area. For this data processing, appropriate safeguards have been established in accordance with Article 46 GDPR in the form of standard data protection clauses adopted by the European Commission that we have agreed to with each service provider and that you can access here. In the case of No. 1 n), the service provider used only processes data in Canada and is thus covered by an act of the European Commission that has determined that this third country ensures an adequate level of protection for this type of data processing.
§ 13 – Deletion and retention periods
(1) We delete personal data as soon as they are no longer needed for the purpose that they were collected or other legitimate purposes. As a rule, private customers’ personal data will be deleted after the end of the retention period of three years at the end of the calendar year. Personal data of commercial customers will be deleted after the end of the retention period of six years at the end of the calendar year. Posts on our company social media accounts which contain personal data will be removed by us at the latest after seven years at the end of the calendar year. The additional personal connection data collected when using our contact form (see §8 No. 3 of this Policy) will be deleted within seven days at the latest.
(2) Excepted from these rules are personal data that we are legally required to keep for longer periods to comply with statutory guidelines or to fulfill statutory record keeping requirements.
(3) As an alternative to deletion, we may completely anonymize data so that we can retain the data for a longer period in order to aid in quality management and for statistical purposes. After anonymization, the data are no longer able to be associated with an individual person and do not infringe on your right to data protection.
Version: 17 July 2020