Privacy Policy
Introduction
Our school is subject to the EU General Data Protection Regulation (hereinafter referred to as the GDPR). This policy informs you about the processing of personal data carried out by our organisation in the course of its operations, in accordance with this regulation (cf. Articles 13 and 14 GDPR).
1. Who is responsible for data processing and whom can I contact?
You can reach our data protection officer at:
2. To whom does this data protection declaration apply?
3. What rights do I have?
- Right to information pursuant to Art. 15 GDPR about the processing of your personal data by us regarding the purpose of processing, categories of data processed, recipients or categories of recipients, duration of storage or criteria for determining the duration, right to rectification, erasure, restriction of processing or objection to processing, right to lodge a complaint with the supervisory authority, if applicable, information about the origin of the data and the existence of automated decision-making and, if applicable, information about guarantees pursuant to Art. 46 GDPR in the event of transfer to a third country or international organisations. Please send all requests for information or objections to data processing by e-mail to dataprotection@ishamburg.org.
- Right to prompt correction of inaccurate or completion of incomplete personal data in accordance with Art. 16 GDPR;
- Right to erasure of stored personal data pursuant to Art. 17 GDPR if the data are no longer necessary for the purposes for which they were collected or otherwise processed, if a given consent has been revoked and there is no other legal basis, if an objection to processing has been lodged and the data may no longer be processed pursuant to Art. 21 (1) or (2) GDPR, if the data have been processed unlawfully, if erasure is necessary for compliance with a legal obligation or if the data have been collected in relation to services offered by an information society pursuant to Art. 8 (1) GDPR. This does not apply insofar as processing is necessary for the exercise of the right to freedom of expression and information, compliance with a legal obligation, for reasons of public interest or for the establishment, exercise or defense of legal claims;
- Right to restriction of processing pursuant to Art. 18 GDPR if you contest the accuracy of the data (and for the period necessary to verify the accuracy), if the processing is unlawful but you object to erasure and request restriction of use instead, if we no longer need the data for the purposes of processing but you need the data to assert, exercise or defend legal claims, or if you object to processing pursuant to Art. 21 (1) GDPR as long as it has not yet been determined whether our legitimate grounds outweigh your legitimate grounds;
- Right to object to the processing of your personal data pursuant to Art. 21(2) GDPR (if the data are processed for the purpose of direct marketing) or pursuant to Art. 21(1) GDPR (if the processing is carried out pursuant to Art. 6(1) sentence 1 e) or f) GDPR, on grounds relating to your particular situation, unless we have compelling legitimate grounds for the processing which override your interests, or the processing is carried out for the establishment, exercise or defense of legal claims). For more information on the right to object, please also see section 9 below;
- Right to data portability pursuant to Art. 20 GDPR, i.e. to receive the personal data concerning you that you have provided to us in a structured, common and machine-readable format or also to transfer it to another controller;
- Right to revoke consent given at any time in accordance with Art. 7 (3) GDPR. As a consequence of the revocation, we may no longer carry out the data processing from the time of the revocation onward. Cf. also section 9 below;
- Right to complain to a supervisory authority pursuant to Art. 77 GDPR:
4. What data do we use?
a) Usage-related data
b) Use of cookies
Please refer to our Cookie Policy below.
c) School or association enquiry or application data
We want to help you find out whether our school is the right choice for your family. When you fill out our enquiry form, we request information about your child and family circumstances that helps us provide you with the best information. We collect this information on the basis of Art. 6 para 1a, your explicit consent.
Should you wish to begin an online application to our school, the webform will collect basic profile data required for the pre-application procedure and create an application login. This data is collected on the basis of Art. 6 para 1b in order to take steps at the request of the data subject prior to entering into a contract. Further personal data collected in the online admissions portal is governed by our privacy notice for families in the admissions portal.
Should you wish to become a member of the association "Internationale Schule Hamburg e.V." we will collect basic profile and contact data on the basis of Art. 6 para 1b, necessary for the establishment, administration and support of your membership and in the pursuit of the objectives of the association.
d) Employment application data
Should you wish to apply for employment at our school, the processing of your personal data in a job application procedure is subject primarily to § 26 BDSG (German Federal Data Protection Act). According to this, the processing of data required in connection with the decision on the establishment of an employment relationship is permissible. Should the data be required for legal prosecution after completion of the application procedure, if applicable, data processing may be carried out on the basis of the requirements of Art. 6 EU GDPR, in particular to safeguard legitimate interests pursuant to Art. 6 (1) lit. f EU GDPR.
By sending us your application, you declare your consent that we may store and process your data for the purposes of application, staffing and recruitment. You can revoke this consent at any time and withdraw your application by contacting our Human Resources department at hr@ishamburg.org.
The personal data of your application will be processed by us exclusively for purposes of application processing and in the job filling process. Job placements are made in cooperation between the relevant members of our HR department and the managers of the specialist departments.
Your data will be deleted six months after completion of the application process, unless you agree to a longer storage period in order to consider you for future job postings, if applicable. If you are hired, your data will be transferred to our personnel data.
e) Login areas of the website
5. For what purposes and on what legal basis do we use your data?
a) For the fulfillment of contractual obligations (Art. 6 para 1b EU GDPR).
b) Based on your consent (Art. 6 para. 1a EU GDPR).
Insofar as you have given us consent to process personal data for certain purposes (e.g. receipt of a newsletter, use of your photo, etc.), the lawfulness of this processing is based on your consent. Consent given can be revoked at any time by contacting our data protection officer. Please note that the revocation only takes effect for the future. Processing that took place before the revocation is not affected.
c) Within the framework of the balancing of interests (Art. 6 para. 1f EU GDPR).
To the extent necessary, we process your data beyond the actual performance of the contract to protect legitimate interests of us or third parties.
- Assertion of legal claims and defense in legal disputes.
- Ensuring IT security
- Statistical purposes
- CCTV
6. Who receives my data and is data transferred to a third country?
Our website operator Finalsite (Active Internet Technologies, LLC dba Finalsite) processes personal data as a Data Processor. ISH has concluded a GDPR-compliant Data Processing Agreement with Follett School Solutions, LLC. Our data is hosted in the Microsoft® Azure Cloud in Germany. Limited processing may take place in the USA. Processing in the USA is subject to the Standard Contractual Clauses approved by the European Commission. https://follett.com/policies/
We use the software platform Hubspot for our Customer Relations Activities. Most of our online inquiry and sign-up forms available through our website are processed by Hubspot. ISH has concluded a GDPR-compliant Data Processing Agreement with Hubspot Germany GmbH. As an EMEA customer our data is hosted in Frankfurt, Germany. Some processing of personal data could take place in the United States. Such processing is based on the Adequacy Decision of the European Commission. Hubspot, Inc. is certified under the EU-US Data Privacy Framework.
Veracross is used in the processing of prospective student enquiries and student applications. Veracross LLC processes this information as a Data Processor according to our GDPR-compliant commissioned data processing agreement. Our data is hosted in secure, SSAE 16 SOC I and SOC II certified data centers in the European Union (Frankfurt, Germany). Some processing of personal data could take place in the United States. Such processing is subject to the Standard Contractual Clauses approved by the European Commission.
Our Google Workspace for Education Plus account is used in the processing of job and association membership applications and may be used in the processing of prospective student enquiries. Google Ireland Limited processes this data as a processor under our commissioned data processing contract. Our data is hosted in secure ISO/IEC 27001-certified data centers in the European Economic Area (EEA). Where data is processed outside of the EEA this processing is subject to the Standard Contractual Clauses approved by the European Commission. https://cloud.google.com/security/gdpr
Our site also uses Cookies. Please refer to our Cookie Policy below for detailed information.
7. How long will my data be stored?
8. Is there any automated decision-making including profiling?
9. Information about your right of objection according to Article 21 EU GDPR
a) Individual right of objection.
b) Objection to the processing of your data for public relations purposes.
In individual cases, we may use your personal data for our public relations work. You have the right to object to this at any time; this also applies to profiling if it is related to direct advertising. In the event of an objection, we will no longer process your personal data for these purposes. The objection is not subject to any formal requirements and should, if possible, be directed to our data protection officer via the above-mentioned contact.
12. How secure is my data?
To protect the personal data of our customers and interested parties, we use the secure online transmission method commonly known as "Secure Sockets Layer" (implemented using TLS), which encrypts data before it is sent. Access to and processing of personal data at ISH is controlled by technical and organisational measures, such as selecting reputable data processors with state-of-the-art data security infrastructures, role-based system accounts, multi-factor authentication, auditing and staff training.
13. Plug-Ins
YouTube
This website uses plug-ins of the video portal YouTube. The provider is YouTube LLC, 901 Cherry Avenue San Bruno, California, United States. When you visit one of our pages equipped with a YouTube plug-in, a connection to the servers of YouTube is established. In the process, the YouTube server is informed which of our pages you have visited. In addition, YouTube obtains your IP address. This also applies if you are not logged into YouTube or do not have an account with YouTube. The information collected by YouTube is transmitted to the YouTube server in the USA. If you are logged into your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. You can prevent this by logging out of your YouTube account. For more information on the handling of user data, please refer to YouTube's privacy policy.
Google Maps
To help you find our offers, we have integrated Google Maps on our website. The provider is Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google requires you to consent to their Cookie Policy. This information is usually transferred to a Google server in the USA and stored there. The provider of this site has no influence on this data transmission.
14. CCTV
We currently use CCTV around our school premises for the following purposes:
- for the security and personal safety of staff, students, visitors and other members of the public, and to act as a deterrent against crime;
- to protect buildings and assets from damage, disruption, vandalism and other crime;
- to exercise our house rights;
- to support law enforcement bodies in the prevention, detection and prosecution of crime.
We consider the use of CCTV to be in our legitimate interests to protect property and to maintain the safety of individuals. The legal basis for this data processing is Art. 6 para. 1 f GDPR. The use of CCTV cameras is indicated by clearly visible signs in the entrance areas of the school. The video recordings are automatically deleted after 10 working days.