Our school is subject to the EU General Data Protection Regulation (hereinafter referred to as GDPR). In accordance with this regulation (see Articles 13 and 14 GDPR), we would like to inform you about the processing of personal data carried out by our organisation in the course of its operations. If you have any questions or comments about this privacy statement, you can send them to our data protection officer at email@example.com.
1. Who is responsible for data processing and whom can I contact?
You can reach our data protection officer at:
2. To whom does this data protection declaration apply?
3. What rights do I have?
Right to information pursuant to Art. 15 GDPR about the processing of your personal data by us regarding the purpose of processing, categories of data processed, recipients or categories of recipients, duration of storage or criteria for determining the duration, right to rectification, erasure, restriction of processing or objection to processing, right to lodge a complaint with the supervisory authority, if applicable, information about the origin of the data and the existence of automated decision-making and, if applicable, information about guarantees pursuant to Art. 46 GDPR in the event of transfer to a third country or international organisations. Please send all requests for information or objections to data processing by e-mail to firstname.lastname@example.org.
Right to prompt correction of inaccurate or completion of incomplete personal data in accordance with Art. 16 GDPR;
Right to erasure of stored personal data pursuant to Art. 17 GDPR if the data are no longer necessary for the purposes for which they were collected or otherwise processed, if a given consent has been revoked and there is no other legal basis, if an objection to processing has been lodged pursuant to Art. 21 (1) or (2) GDPR and the data may no longer be processed, if the data have been processed unlawfully, if erasure is necessary for compliance with a legal obligation or if the data have been collected in relation to the offer of information society services pursuant to Art. 8 (1) GDPR. This does not apply insofar as processing is necessary for the exercise of the right to freedom of expression and information, compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
Right to restriction of processing pursuant to Art. 18 GDPR if you contest the accuracy of the data (and for the period necessary to verify the accuracy), if the processing is unlawful but you object to erasure and request restriction of use instead, if we no longer need the data for the purposes of processing but you need the data to assert, exercise or defend legal claims, or if you object to processing pursuant to Art. 21 (1) GDPR as long as it has not yet been determined whether our legitimate grounds outweigh your legitimate grounds;
Right to object to the processing of your personal data pursuant to Art. 21(2) GDPR (if the data are processed for the purpose of direct marketing) or pursuant to Art. 21(1) GDPR (if the processing is carried out pursuant to Art. 6(1) sentence 1 e) or f) GDPR, on grounds relating to your particular situation, unless we have compelling legitimate grounds for the processing which override your interests, or the processing is carried out for the establishment, exercise or defense of legal claims). For more information on the right to object, please also see section 9 below;
Right to data portability pursuant to Art. 20 GDPR, i.e. to receive the personal data concerning you that you have provided to us in a structured, commonly used and machine-readable format, and to transfer it to another controller;
Right to revoke consent at any time in accordance with Art. 7 (3) GDPR. The consequence of revocation is that we may no longer continue the data processing from the time of the revocation onwards. Cf. also section 9 below;
Right to complain to a supervisory authority pursuant to Art. 77 GDPR:
4. What data do we use?
a) Usage-related data
C) School or Association Application Data
Should you wish to begin an online application to our school, the webform will collect basic profile data required for the pre-application procedure and create an application login. This data is collected on the basis of Art. 6 para 1b in order to take steps at the request of the data subject prior to entering into a contract. Further personal data collected in the online admissions portal is governed by our privacy notice for families in the admissions portal.
Should you wish to become a member of the association "Internationale Schule Hamburg e.V." we will collect basic profile and contact data on the basis of Art 6 para 1b, necessary for the establishment, administration and support of your membership and in the pursuit of the objectives of the association.
D) Employment Application Data
Should you wish to apply for employment at our school, the processing of your personal data in a job application procedure is subject primarily to § 26 BDSG (German Federal Data Protection Act). According to this, the processing of data required in connection with the decision on the establishment of an employment relationship is permissible. Should the data be required for legal prosecution after completion of the application procedure, if applicable, data processing may be carried out on the basis of the requirements of Art. 6 EU GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 (1) lit. f EU GDPR.
By sending us your application, you declare your consent that we may store and process your data for the purposes of application, staffing and recruitment. You can revoke this consent at any time and withdraw your application.
The personal data of your application will be processed by us exclusively for purposes of application processing and in the job filling process. Job placements are made in cooperation between the relevant members of our HR department and the managers of the specialist departments.
Your data will be deleted six months after completion of the application process, unless you agree to a longer storage period in order to consider you for future job postings, if applicable. If you are hired, your data will be transferred to our personnel data.
E) Login areas of the website
5. For what purposes and on what legal basis do we use your data?
a) For the fulfillment of contractual obligations (Art. 6 para 1b EU GDPR).
b) Based on your consent (Art. 6 para. 1a EU GDPR).
Insofar as you have given us consent to process personal data for certain purposes (e.g. receipt of a newsletter, use of your photo, etc.), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time by contacting our data protection officer. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
c) Within the framework of the balancing of interests (Art. 6 para. 1f EU GDPR).
To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties.
Assertion of legal claims and defense in legal disputes.
Ensuring IT security
6. Who receives my data and is data transferred to a third country?
The website operator Finalsite (Active Internet Technologies, LLC dba Finalsite) processes personal data as a Data Processor. ISH has concluded a GDPR-compliant Data Processing Agreement with Follett School Solutions, LLC. Our data is hosted in the Microsoft® Azure Cloud in Germany. Limited processing may take place in the USA. Processing in the USA is subject to the Standard Contractual Clauses approved by the European Commission. https://follett.com/policies/
Veracross is used in the processing of prospective student enquiries and student applications. Veracross LLC processes this information as a Data Processor according to our GDPR-compliant commissioned data processing agreement. Our data is hosted in secure, SSAE 16 SOC I and SOC II certified data centers in the European Union (Frankfurt, Germany). Some processing of personal data could take place in the United States. Such processing is subject to the Standard Contractual Clauses approved by the European Commission.
Our Google Workspace for Education Plus account is used in the processing of job and association membership applications and may be used in the processing of prospective student enquiries. Google Ireland Limited processes this data as a processor under our commissioned data processing contract. Our data is hosted in secure ISO/IEC 27001-certified data centers in the European Economic Area (EEA). Where data is processed outside of the EEA this processing is subject to the Standard Contractual Clauses approved by the European Commission. https://cloud.google.com/security/gdpr
7. How long will my data be stored?
8. Is there any automated decision-making including profiling?
9. Information about your right of objection according to Article 21 EU GDPR
a) Individual right of objection.
b) Objection to the processing of your data for public relations purposes.
In individual cases, we may use your personal data for our public relations work. You have the right to object to this at any time; this also applies to profiling if it is related to direct advertising. In the event of an objection, we will no longer process your personal data for these purposes. The objection is not subject to any formal requirements and should, if possible, be directed to our data protection officer via the above-mentioned contact.
12. How secure is my data?
To protect the personal data of our customers and interested parties, we use Transport Layer Security (TLS), the secure online transmission method still commonly known as "Secure Socket Layer" (SSL), which encrypts data before it is transmitted. Access to and processing of personal data at ISH is controlled by technical and organisational measures, such as selecting reputable data processors with state-of-the-art data security infrastructures, role-based system accounts, multi-factor authentication, auditing and staff training.
We currently use CCTV around our school premises for the following purposes:
- for the security and personal safety of staff, students, visitors and other members of the public, and to act as a deterrent against crime;
- to protect buildings and assets from damage, disruption, vandalism and other crime;
- to exercise our domiciliary rights;
- to support law enforcement bodies in the prevention, detection and prosecution of crime.
We consider the use of CCTV to be in our legitimate interests to protect property and to maintain the safety of individuals. The legal basis for this data processing is Art. 6 para. 1 f GDPR. The use of CCTV cameras is indicated by clearly visible signs in the entrance areas of the school. The video recordings are automatically deleted after 10 working days.