Skip To Main Content

Privacy Policy



We take the protection of your personal data seriously and treat your personal data confidentiality and in accordance with statutory data protection regulations.

Our school is subject to the EU General Data Protection Regulation (hereinafter referred to as the GDPR). This policy informs you about the processing of personal data carried out by our organisation in the operation in accordance with this regulation (compare Articles 13 and 14 GDPR). 

1. Who is responsible for data processing and whom can I contact?
The responsible party is:
International School of Hamburg
(Internationale Schule Hamburg e.V.)
Hemmingstedter Weg 130
22609 Hamburg
Phone: +49 (0)40 8000 50-0

You can reach our data protection officer at:

International School of Hamburg
Data Protection Officer
Hemmingstedter Weg 130
22609 Hamburg, Germany
Phone: +49 (0) 40 8000 50 0
2. To whom does this data protection declaration apply?
This privacy policy applies to the visitors of our website, especially interested families, as well as prospective staff, prospective Internationale Schule e.V. association members, and other people who want to use and benefit from our offers or simply want to find out more about the International School of Hamburg.
3. What rights do I have?
In connection with our processing of your data, you have the following rights:
  • Right to information pursuant to Art. 15 GDPR about the processing of your personal data by us regarding the purpose of processing, categories of data processed, recipients or categories of recipients, duration of storage or criteria for determining the duration, right to rectification, erasure, restriction of processing or objection to processing, right to lodge a complaint with the supervisory authority, if applicable, information about the origin of the data and the existence of automated decision-making and, if applicable, information about guarantees pursuant to Art. 46 GDPR in the event of transfer to a third country or international organisations; Please send all requests for information, information requests or objections to data processing by e-mail to
  • Right to prompt correction of inaccurate or completion of incomplete personal data in accordance with Art. 16 GDPR;
  • Right to erasure of stored personal data pursuant to Art. 17 GDPR if the data are no longer necessary for the purposes for which they were collected or otherwise processed, if a given consent has been revoked and there is no other legal basis, if objection to processing has been lodged and the data are processed pursuant to Art. 21 (1) or (2) GDPR may no longer be processed, if the data have been processed unlawfully, if erasure is necessary for compliance with a legal obligation or if the data have been collected in relation to services offered by an information society pursuant to Art. 8 (1) GDPR. This does not apply insofar as processing is necessary for the exercise of the right to freedom of expression and information, compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
  • Right to restriction of processing pursuant to Art. 18 GDPR if you contest the accuracy of the data (and for the period necessary to verify the accuracy), if the processing is unlawful but you object to erasure and request restriction of use instead, if we no longer need the data for the purposes of processing but you need the data to assert, exercise or defend legal claims, or if you object to processing pursuant to Art. 21 (1) GDPR as long as it has not yet been determined whether our legitimate grounds outweigh your legitimate grounds;
  • Right to object to the processing of your personal data pursuant to Art. 21(2) GDPR (if the data are processed for the purpose of direct marketing) or pursuant to Art. 21(1) GDPR (if the processing is carried out pursuant to Art. 6(1) sentence 1 e) or f) GDPR, on grounds relating to your particular situation, unless we have compelling legitimate grounds for the processing which override your interests, or the processing is carried out for the establishment, exercise or defense of legal claims). For more information on the right to object, please also see section 9 below;
  • Right to data portability pursuant to Art. 20 GDPR, i.e. to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format or also to transfer it to another controller;
  • Right to revoke consent given at any time in accordance with Art. 7 (3) GDPR. The revocation has the consequence that we may no longer carry out the data processing for the future from the time of the revocation. Cf. also section 9 below;
  • Right to complain to a supervisory authority pursuant to Art. 77 GDPR:
The Hamburg Commissioner for Data Protection and Freedom of Information.
Ludwig-Erhard-Str 22, 7th floor 
20459 Hamburg
The right of appeal is without prejudice to other administrative or judicial remedies.
4. What data do we use?
In principle, you can visit our websites without disclosing your identity to us. If you send us an e-mail or a contact form, your message and e-mail address will be used exclusively for this correspondence with you.
a) Usage-related data
By calling up our websites, we receive usage data. This includes information such as screen resolution, browser version, Internet access, operating system, language, plug-ins used, origin by country/region (by IP address). The stored data is only evaluated for statistical purposes. Data is not passed on to third parties and user-related evaluation does not take place.
b) Use of cookies

Please refer to our Cookie Policy below.

C)  School or Association InQuiry Or ApplicatioN DATA

We want to help you in finding out if our school is the right choice for your family. When filling our our enquiry form we request information about your child and family circumstances that help us provide you the best information. We collect this information on the basis of Art. 6 para 1a, your explicit consent.

Should you wish to begin an online application to our school, the webform will collect basic profile data required for the pre-application procedure and create an application login. This data is collected on the basis of Art. 6 para 1b  in order to take steps at the request of the data subject prior to entering into a contract.  Further personal data collected in the online admissions portal is governed by our privacy notice for families in the admissions portal.

Should you wish to become a member of the association "Internationale Schule Hamburg e.V." we will collect basic profile and contact data on the basis of Art 6 para 1b, necessary for the establishment, administration and support of your membership and in the pursuit of the objectives of the association. 

D) Employment Application Data

Should you wish to apply for employment at our school, the processing of your personal data in a job application procedure is subject primarily to § 26 BDSG (German Federal Data Protection Act). According to this, the processing of data required in connection with the decision on the establishment of an employment relationship is permissible. Should the data be required for legal prosecution after completion of the application procedure, if applicable, data processing may be carried out on the basis of the requirements of Art. 6 EU GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 (1) lit. f EU GDPR. 

By sending us your application, you declare your consent that we may store and process your data for the purposes of application, staffing and recruitment. You can revoke this consent at any time and withdraw your application by contacting our Human Resources department at

The personal data of your application will be processed by us exclusively for purposes of application processing and in the job filling process. Job placements are made in cooperation between the relevant members of our HR department and the managers of the specialist departments.

Your data will be deleted six months after completion of the application process, unless you agree to a longer storage period in order to consider you for future job postings, if applicable. If you are hired, your data will be transferred to our personnel data.

E) Login areas of the website
We provide our employees, parents and students with a login to Veracross Portals and Google Workspace for Education (pursuant to Art. 28 para.3 EU GDPR) via a link. These accounts are created in the course of hiring (employees) pursuant to Art. 88 EU GDPR or § 26 BDSG, or the conclusion of a contract (parents, students) pursuant to Art. 6 para. 1b EU GDPR and are governed by the privacy notice in the Veracross portal. These services manage the flow of information (communication, messages, news, etc.) at our school and the provision of documents. Use of Veracross Portals or Google Workspace by third parties is excluded. 
5. For what purposes and on what legal basis do we use your data?
We process your personal data in accordance with the provisions of the General Data Protection Regulation (EU GDPR) and the Federal Data Protection Act (BDSG). Please also see our information on your right to object in accordance with Article 21 GDPR.
a) For the fulfillment of contractual obligations (Art. 6 para 1b EU GDPR).
The processing of personal data is carried out for the implementation of our offers, as well as for the implementation of pre-contractual measures, which are carried out upon your request, e.g. student application to the school or membership to our association.
b) Based on your consent (Art. 6 para. 1a EU GDPR).

Insofar as you have given us consent to process personal data for certain purposes (e.g. receipt of a newsletter, use of your photo, etc.), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time by contacting our data protection officer. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.

c) Within the framework of the balancing of interests (Art. 6 para. 1f EU GDPR).

To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties.

  • Assertion of legal claims and defense in legal disputes.
  • Ensuring IT security
  • Statistical purposes
  • CCTV
6. Who receives my data and is data transferred to a third country?
Within the International School of Hamburg (ISH), only those offices that need your data to fulfill your request will have access to it. Service providers and agents employed by us may also process data for these purposes, if they comply with confidentiality agreements and our instructions under data protection law.

Our website operator Finalsite (Active Internet Technologies, LLC dba Finalsite) processes personal data as a Data Processor. ISH has concluded a GDPR-compliant Data Processing Agreement with Follett School Solutions, LLC. Our data is hosted in the Microsoft® Azure Cloud in Germany. Limited processing may take place in the USA. Processing in the USA is subject to the Standard Contractual Clauses approved by the European Commission.

We use the software platform Hubspot for our Customer Relations Activities. Most of our online inquiry and sign-up forms available through our website are processed by Hubspot. ISH has concluded a GDPR-compliant Data Processing Agreement with Hubspot Germany GmbH. As an EMEA customer our data is hosted in Frankfurt, Germany. Some processing of personal data could take place in the United States. Such processing is based on the Adequacy Decision of the European Commission. Hubspot, Inc. is certified under the EU-US Data Privacy Framework.

Veracross is used in the processing of prospective student enquires and student applications. Veracross LLC processes this information as a Data Processor according to our GDPR-compliant commissioned data processing agreement. Our data is hosted in secure, SSAE 16 SOC I and SOC II certified data centers in the European Union (Frankfurt, Germany). Some processing of personal data could take place in the United States. Such processing is subject to the Standard Contractual Clauses approved by the European Commission. 

Our Google Workspace for Education Plus account is used in the processing of job and association membership applications and may be used in the processing of prospective student enquiries. Google Ireland Limited processes this data as a processor under our commissioned data processing contract. Our data is hosted in secure ISO/IEC 27001-certified data centers in the European Economic Area (EEA). Where data is processed outside of the EEA this processing is subject to the Standard Contractual Clauses approved by the European Commission.

Our site also uses Cookies. Please refer to our Cookie Policy below for detailed information.

7. How long will my data be stored?
We endeavour not retain personal data any longer than necessary for the purpose it was collected or as required by statutory law. We maintain a data retention schedule outlining retention periods for the various school records.
8. Is there any automated decision-making including profiling?
As a matter of principle, we do not use automated decision-making including profiling in accordance with Article 22 EU GDPR.  In the event that we use profiling for targeted marketing as part of our public relations work, you will be informed separately.
9. Information about your right of objection according to Article 21 EU GDPR
a) Individual right of objection.
You have the right to object to the processing of your personal data on grounds relating to your particular situation. The prerequisite for this is that the data processing is carried out in the public interest or on the basis of a balancing of interests. This also applies to profiling. In the event of an objection, we will no longer process your personal data. Unless we can demonstrate compelling legitimate grounds for processing such data that override your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
b) Objection to the processing of your data for public relations purposes.

In individual cases, we may use your personal data for our public relations work. You have the right to object to this at any time; this also applies to profiling if it is related to direct advertising. In the event of an objection, we will no longer process your personal data for these purposes. The objection can be made form-free and should, if possible, be directed to our data protection officer via the above-mentioned contact.

12. How secure is my data?

To protect the personal data of our customers and interested parties, we use the secure online transmission method commonly known as "Secure Socket Layer" (using TLS) transmission, which encrypts transmission data before it is sent. Access to and processing of personal data at ISH is controlled by technical and organisational measures, such as selecting reputable data processors with state-of-the-art data security infrastructures, role-based system account roles, multi-factor-authentication, auditing and staff training.

13. Plug-Ins


This website uses plug-ins of the video portal Youtube. The provider is Youtube LLC, 901 Cherry Avenue San Bruno, California, United States. When you visit one of our pages equipped with a Youtube plug-in, a connection to the servers of Youtube is established. In the process, the Youtube server is informed which of our pages you have visited. In addition, Youtube obtains your IP address. This also applies if you are not logged into Youtube or do not have an account with Youtube. The information collected by Youtube is transmitted to the Youtube server in the USA. If you are logged into your Youtube account, you enable Youtube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your Youtube account. For more information on the handling of user data, please refer to Youtube's privacy policy.

Google Maps

To help you find our offers, we have integrated Google Maps on our website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google requires you to consent to their Cookie Policy. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission. 


We currently use CCTV around our school premises for the following purposes: 

  • for the security and personal safety of staff, students, visitors and other members of the public, and to act as a deterrent against crime;
  • to protect buildings and assets from damage, disruption, vandalism and other crime;
  • to exercise our house rights
  • to support law enforcement bodies in the prevention, detection and prosecution of crime.

We consider the use of CCTV to be in our legitimate interests to protect property and to maintain the safety of individuals. The legal basis for this data processing is Art. 6 para. 1 f GDPR. The use of CCTV cameras is indicated by clearly visible signs in the entrance areas of the school. The video recordings are automatically deleted after 10 working days.

Cookie Policy