Data protection

Privacy policy

In the following we inform you about the collection of personal data when using our website. We also inform our customers, service providers and suppliers about the use of your data in the Microsoft 365 environment.

If you have any further questions about the handling of your personal data, please contact our data protection officer.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is the

NORDAKADEMIE gemeinnützige Aktiengesellschaft Hochschule der Wirtschaft
Köllner Chaussee 11
25337 Elmshorn info@nordakademie.de
Phone: +49 (0) 4121 4090-0
Fax: +49 (0) 4121 4090-40
Email: info@nordakademie.de

If you have any questions about data protection, please contact our external data protection officer:

Mr. Schewior
c/o intersoft consulting services AG
At the Strohhaus 17
20097 Hamburg
Email: dsb@nordakademie.de

 

How to contact us

When you contact us by e-mail or via a contact form, the data you provide (your e-mail address, your name and telephone number if applicable) will be stored by us in order to answer your questions and process your requests. The legal basis in this respect is Art. 6 para. 1 sentence 1 lit. f GDPR. If we request information via our contact form that is not required for contacting you, we have always marked this as optional. We use this information to specify your request and to improve the processing of your request. This information is provided expressly on a voluntary basis and with your consent, Art. 6 para. 1 sentence 1 lit. a GDPR. If this involves information on communication channels (e.g. email address, telephone number), you also consent to us contacting you via this communication channel in order to respond to your request. You can of course revoke this consent at any time for the future.

Your data that we have received in the course of contacting you will be deleted as soon as it is no longer required to achieve the purpose for which it was collected, your request has been fully processed and no further communication with you is necessary or desired by you.

As the data controller, our company has implemented numerous technical and organizational measures to ensure that the personal data processed via this website is protected as completely as possible. Nevertheless, internet-based data transmissions can generally have security gaps.Absolute protection cannot be guaranteed; in any case, sending unencrypted e-mails is not secure.We therefore ask you not to send sensitive data by unencrypted e-mail, but to use either encrypted communication channels (e.g. our contact form) or the postal service

Your rights

We will be happy to provide you with information as to whether personal data relating to you is being processed; if this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR.In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR) under the respective legal requirements.

You have the right to object to the processing under the legal requirements (Art. 21 GDPR).

To exercise your above rights, please contact us by email at DSB@Nordakademie.de or by post.Exercising your above rights is free of charge for you.

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection regulations (Art. 77 GDPR).

Under the legal requirements, you have the right 
Legal bases of our data processing

The processing of personal data can be based on various legal bases. If we need your data to fulfill a contract with you or to answer your inquiries regarding a contract, the legal basis for this data processing is Art. 6 para. 1 sentence 1 lit. b) GDPR. If we obtain your consent for certain data processing, the legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR. We carry out some data processing on the basis of our legitimate interest, whereby a balance is always struck between your interests worthy of protection and our legitimate interests. The legal basis for this is Art. 6 para. 1 sentence 1 lit. f) GDPR. Insofar as the processing is necessary to fulfill a legal obligation to which we are subject, the legal basis is Art. 6 para. 1 sentence 1 lit. c) GDPR.

Duration of data storage

The data is deleted as soon as it is no longer required to achieve the purpose for which it was collected.

Below we explain how we process personal data via our website.

Data processing when accessing the website

We collect the following technical information (log file data) when you use the website for information purposes only, i.e. if you do not register or otherwise provide us with information (e.g. via a contact form):

- Operating system of the device you use to visit our website
- Browser (type, version & language settings)
- the amount of data retrieved
- the current IP address of the device you are using to visit our website
- Date and time of access
- the URL of the previously visited website (referrer)
- the URL of the (sub)page that you access on the website
- the internet service provider of the accessing system

The collection of this data is technically necessary in order to display our website to you and to ensure stability and security. We regularly do not know who is behind an IP address. We do not merge the data listed above with other data.

The legal basis is Art. 6 para. 1 sentence 1 lit. f GDPR. Since the collection of data for the provision of the website and the storage in log files is absolutely necessary for the operation of the website and to protect against misuse, our legitimate interest in data processing prevails at this point.

Data security

We have taken extensive technical and operational precautions to protect your data from accidental or intentional manipulation, loss, destruction or access by unauthorized persons. Our security procedures are regularly reviewed and adapted to technological progress.

Data transfer
Your personal data will not be transferred to third parties unless we are legally obliged to do so, or the transfer of data is necessary for the execution of the contractual relationship or you have previously expressly consented to the transfer of your data.

External service providers and partner companies, such as a shipping company commissioned with the delivery, will only receive your data if this is necessary to process your order. In these cases, however, the scope of the transmitted data is limited to the necessary minimum. Insofar as our service providers process your personal data on our behalf, we ensure that they comply with the provisions of the data protection laws in the same way as part of order processing in accordance with Art. 28 GDPR. Please also note the data protection notices of the respective providers. The respective service provider is responsible for the content of external services, whereby we check the services for compliance with the legal requirements within the scope of reasonableness.

We attach great importance to processing your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an appropriate level of data protection comparable to the standards within the EU is established at the recipient before your personal data is transferred. This can be achieved, for example, by means of EU standard contracts or binding corporate rules or special agreements to which the company may be subject.

Applications
Applying as a prospective student

You can apply to study at the Nordakademie on our website. You can find the data protection information for prospective students here.

If you apply for a study place on our website, you must first complete an online test. The data collected from you in this process can be found in the privacy policy on the online test website.

Applying as an employee

You can apply to our company electronically, e.g. via e-mail or web forms. Please note that unencrypted e-mails are not transmitted with access protection.

Which of your personal data do we use?

We process your personal data insofar as this is necessary to carry out the application process. This includes the following data categories:

Standard information:

• Applicant master data (first name, surname, address, job position)

• Qualification data (cover letter, CV, previous activities, professional qualifications)

• (Employment) references and certificates (performance data, assessment data, etc.)

Other information:

• Voluntary information, such as an application photo, details of severe disability or other information that you voluntarily provide in your application.

In principle, we only process the personal data that we receive from you as part of the application process.

In some cases, we receive personal data from the following sources

• Service provider for applicant placement

• Social Media (LinkedIn, Xing etc.)

For what purposes and on what legal basis do we process your data?

Your data will be used to process your application and to decide on the establishment of an employment relationship. The legal basis is § 26 para. 1 i.V.m. para. 8 sentence 2 BDSG. Furthermore, your personal data may be processed if this is necessary to defend against legal claims asserted against us in the application process. The legal basis for this is Art. 6 para. 1 sentence 1 lit. f) GDPR. The legitimate interest in the processing also lies in the stated purposes. Other legitimate interest in this sense is, for example, a burden of proof in proceedings under the General Equal Treatment Act (AGG).

If there is an employment relationship between you and us, we may process the personal data already received from you for the purposes of the employment relationship in accordance with Section 26 (1) BDSG if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfillment of the rights and obligations of the representation of employees' interests arising from a law or a collective agreement, a works or service agreement (collective agreement).

 

If you have given us your voluntary consent to the collection, processing or transfer of certain personal data, this consent forms the legal basis for the processing of this data in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR, § 26 para. 2 BDSG.

Your application data will not be processed beyond the use described above.

Who will your data be passed on to?

Your data is mainly processed by our HR department and the specialist departments. In some cases, external parties such as IT service providers (e.g. maintenance service providers, hosting service providers) may also be involved in the processing of your data.

Is your data transferred to countries outside the European Union (so-called third countries)?

We attach great importance to processing your data within the EU/EEA. However, we may use service providers who process data outside the EU/EEA. In these cases, we ensure that an appropriate level of data protection comparable to the standards within the EU is established at the recipient before your personal data is transferred. This can be achieved, for example, by means of EU standard contracts or binding corporate rules or special agreements to which the company may be subject.

How long will your data be stored?

Your personal data will be deleted after completion of the application process after 6 months at the latest, unless deletion conflicts with any other legitimate interests on our part or you have not given us your consent for longer storage. If an employment relationship is not established, but you have given us your consent for the further storage of your data, we will store your data until you withdraw your consent, but for a maximum of one year. We may also store your data for a longer period for the purpose of defending against possible legal claims if there is a specific reason for doing so.

What rights do you have in connection with the processing of your data?

Every data subject has the right of access under Art. 15 GDPR, the right to rectification under Art. 16 GDPR, the right to erasure under Art. 17 GDPR, the right to restriction of processing under Art. 18 GDPR, the right to object under Art. 21 GDPR and the right to data portability under Art. 20 GDPR. The restrictions under Sections 34 and 35 BDSG apply to the right to information and the right to erasure.

We will be happy to provide you with information as to whether personal data concerning you is being processed; if this is the case, you have a right to information about this personal data and to the information listed in detail in Art. 15 GDPR. In addition, you have the right to rectification (Art. 16 GDPR), the right to restriction of processing (Art. 18 GDPR), the right to erasure (Art. 17 GDPR) and the right to data portability (Art. 20 GDPR) under the respective legal requirements.

What rights do you have in the event of data processing based on your legitimate or public interest?

In accordance with Art. 21 para. 1 GDPR, you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Art. 6 para. 1 sentence 1 lit. e) GDPR (data processing in the public interest) or on Art. 6 para. 1 sentence 1 lit. f) GDPR (data processing to safeguard a legitimate interest).

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

You can withdraw your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future.

Without prejudice to these rights and the possibility of seeking any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority at any time, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes data protection regulations (Art. 77 GDPR).

Is there an obligation to provide your personal data?

The provision of personal data is neither legally nor contractually required, nor are you obliged to provide the personal data. However, the provision of personal data is necessary for the application process. This means that if you do not provide us with personal data when applying, we will not be able to carry out the application process.

What are cookies?

Cookies are data that are stored on your computer by a website that you visit and enable your browser to be reassigned. Cookies transmit information to the site that sets the cookie. Cookies can store various information, such as your language setting, the duration of your visit to our website or the entries you make there. This prevents you from having to re-enter required form data each time you use the website, for example. The information stored in cookies can also be used to recognize preferences and target content according to areas of interest.

There are different types of cookies: Session cookies are data sets that are only temporarily stored in the working memory and are deleted when you close your browser. Permanent or persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. With this type of cookie, the information can also be stored in text files on your computer. However, you can also delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website may read information from these cookies. Third-party cookies are set by organizations that are not operators of the website you are visiting. These cookies are used by marketing companies, for example.

The legal basis for possible processing of personal data using cookies and their storage duration may vary. If you have given us your consent, the legal basis is Art. 6 para. 1 sentence 1 lit. a) GDPR. Insofar as the data processing is based on our overriding legitimate interests, the legal basis is Art. 6 para. 1 sentence 1 lit. f) GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the proper operation of the website, to provide basic functionalities, to measure reach and - with your consent - to tailor our services to your preferred areas of interest.

You can delete cookies already stored on your device at any time. If you wish to prevent the storage of cookies, you can do so via the settings in your internet browser. Alternatively, you can also install so-called ad blockers. Please note that individual functions of our website may not work if you have deactivated the use of cookies.

When accessing our website, all users of our website are also informed by an information banner about the use of cookies by us and referred to this data protection information. As a user, you will also be asked for your consent to the use of certain cookies, in particular those relevant for the personalization of services and for marketing measures. Once you have given your consent, you can revoke it at any time with effect for the future.

Online orders Shop

When you place an online order on our website, we collect the data required to conclude the contract. The data is stored for the duration of the contract and in accordance with legal obligations. If necessary for processing the order, we will forward your address data to a shipping service provider.  The legal basis is the conclusion and performance of a contract in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

We use various payment service providers for payment processing, which are always identified and accept your entries. These are therefore recipients of your personal data collected in connection with the payment process. The legal basis for the use of payment service providers is also contract processing in accordance with Art. 6 para. 1 sentence 1 lit. b GDPR.

Registration with CIS (Campus Information System)

You have the option of registering on our websites and creating a customer/user account. Personal data that must be provided is marked as a mandatory field in the respective registration form; any additional information is voluntary.

We collect and store the following data from you for registration (optional):

- Salutation
- First name
- Last name
- E-mail (user name)
- your password
- Your address
- Date of birth

We use the so-called double opt-in procedure for registration, i.e. your registration is not complete until you have confirmed your registration by clicking on the link contained in a confirmation e-mail sent to you for this purpose. If you do not confirm your registration [within 24 hours], your registration will be automatically deleted from our database. Once you have registered, you will receive personal, password-protected access and will be able to view and manage the data you have stored. Registration is voluntary, but may be a prerequisite for using certain of our services.

We store your data required for the fulfillment of the contract, including information on the method of payment, until you finally delete your account. Furthermore, we store the additional data you provide for the duration of your use of the user account, unless you delete it beforehand. You can manage and change all details in the protected customer area.

You can delete your user account at any time. If the account is deleted, all personal data that is not subject to a statutory retention obligation or Article 17 (3) GDPR will be deleted.

The legal basis for this data processing is Art. 6 para. 1 lit. a), b) and f) GDPR. You can of course withdraw your consent at any time with effect for the future.

Registration for events

On our website we offer a calendar with an overview of all events. If you register for the events, the personal data you provide (name and e-mail and, if applicable, telephone number) will be stored by us in order to use the data for the organization and implementation of the event. The data is processed on the basis of your voluntarily granted consent, Art. 6 para. 1 sentence 1 lit. a) GDPR. You can of course revoke this consent at any time with effect for the future.

We delete the data collected in this context after storage is no longer necessary, or restrict processing if there are statutory retention obligations.

HubSpot

This website uses HubSpot for online marketing activities. HubSpot is a software company from the USA with a branch in Ireland. Contact: HubSpot, 2nd Floor 30 North Wall Quay, Dublin 1, Ireland.
This is an integrated software solution that covers various aspects of online marketing. These include email marketing, social media publishing & reporting, contact management, landing pages and contact forms. Cookies are also stored on the device you are using.
Our registration service enables visitors to our website to find out more about our company, download content and provide their contact information and other demographic information. This information and the content of our website are stored on the servers of our software partner HubSpot. It can be used by us to contact visitors to our website and to determine which of our company's services are of interest to them. All information we collect is subject to this privacy policy. We use all information collected exclusively to optimize our marketing measures. You can find HubSpot's privacy policy at: https://legal.hubspot.com/privacy-policy.

The data collected when using the registration service is transferred to the USA and analyzed there. HubSpot Inc. has certified itself in accordance with the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that HubSpot Inc. has publicly committed to complying with the DPF obligations and that any data transfer to the USA is unobjectionable due to the current adequacy decision of the European Commission of July 10, 2023.

A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

Further information from HubSpot regarding EU data protection regulations can be found at: https://legal.hubspot.com/data-privacy
You can find more information about the cookies used by HubSpot here: knowledge.hubspot.com/articles/kcs_article/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser and knowledge.hubspot.com/articles/kcs_article/account/hubspot-cookie-security-and-privacy

Data is collected and stored on the basis of your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) and on the basis of our legitimate interests in accordance with Art. 6 para. 1 sentence 1 lit. f) GDPR. This consent can be revoked at any time with effect for the future. HubSpot tracking is carried out by means of consent in the consent tool under Analytics. Our legitimate interest is based on the operation of the website and the flawless presentation of the website.

If you have deactivated the category (“Analytics”), this deactivation will be taken into account for the corresponding provider HubSpot.

jsDelivr.com

This website uses the CDN service jsDelivr.com, a service of the company ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland.
JsDelivr.com is a CDN service that operates as a network of regionally distributed servers over the Internet. This makes it possible to deliver content and large files quickly and reliably. We use this service to ensure improved performance of our website.

JsDelivr.com uses the data that is automatically processed when you use the website. This Usage Data may include information such as your computer's Internet Protocol address (e.g. IP address), browser type, browser version, referrer data (limited to the domain), the URLs of our Service that you visit (limited to the domain cdn.jsdelivr.net), the time and date of your visit, unique device identifiers and other diagnostic data.

The data is only stored for as long as it is required for legal obligations and the security and functionality of the service.

The legal basis for this processing is basically our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f ) GDPR. Our legitimate interests are to be able to guarantee security, stability and a wide range of content.

Further information on data processing by the provider, in particular on data protection and data security, can be found at: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net

DoubleClick by Google

We use the online marketing tool DoubleClick by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, on our website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. DoubleClick uses cookies to display ads that are relevant to users, to improve campaign performance reports or to prevent users from seeing the same ads more than once. Google uses a cookie ID to record which ads are displayed in which browser. This prevents the same ad from being shown more than once. In addition, DoubleClick can use cookie IDs to record so-called conversions with reference to ads. This is the case, for example, when a user sees a DoubleClick ad and later visits the advertiser's website using the same browser and makes a purchase there.

When you access a page that uses DoubleClick and where the DoubleClick script is enabled, your browser automatically establishes a direct connection with the Google server. As the website operator, we have no influence on the scope and further use of the data collected by Google through the use of this tool. We inform you according to our state of knowledge: By integrating DoubleClick, Google receives the information that you have called up the corresponding part of our website or clicked on an advertisement from us. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider will find out your IP address and store it.

Further information on DoubleClick by Google can be found at https://www.google.de/doubleclick and on data protection at Google in general: https://www.google.de/intl/de/policies/privacy. Alternatively, you can visit the website of the Network Advertising Initiative (NAI) at https://www.networkadvertising.org.

Data is only collected and stored with your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR. This can be revoked at any time with effect for the future. If you have deactivated the category (“Analytics”), this deactivation will be taken into account for the corresponding provider.

Google Analytics

If you have given your consent, Google Analytics, a web analysis service of Google LLC, is used on this website. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Scope of the processing

Google Analytics uses cookies that enable your use of our website to be analyzed. The information collected by the cookies about your use of this website is usually transferred to a Google server in the USA and stored there.

We use the User ID function. With the help of the user ID, we can assign a unique, permanent ID to one or more sessions (and the activities within these sessions) and analyze user behavior across devices.

We use Google Signals. This allows Google Analytics to collect additional information about users who have activated personalized ads (interests and demographic data) and ads can be delivered to these users in cross-device remarketing campaigns.

During your website visit, your user behavior is recorded in the form of “events”. Events can be
- Page views
- First visit to the website
- Start of the session
- Your “click path”, interaction with the website
- Scrolls (whenever a user scrolls to the bottom of the page (90%))
- Clicks on external links
- Internal search queries
- Interaction with videos
- Ads viewed / clicked on

Also recorded:
- Your approximate location (region)
- Your IP address (in abbreviated form)
- Technical information about your browser and the end devices you use (e.g. language setting, screen resolution)
- your internet provider
- the referrer URL (via which website/advertising medium you came to this website)

Purposes of the processing

On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyze the performance of our website and the success of our marketing campaigns.

Recipients

Recipients of the data are/may be Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as processor pursuant to Art. 28 GDPR), Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA, Alphabet Inc, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. It cannot be ruled out that US authorities may access the data stored by Google.

Third country transfer

Insofar as data is processed outside the EU/EEA and there is no level of data protection corresponding to the European standard, we have concluded EU standard contractual clauses with the service provider to establish an appropriate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. A transfer of data to the USA cannot be ruled out.

Google LLC is certified under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that Google LLC has publicly committed to complying with the DPF obligations and any data transfer to the USA is unobjectionable due to the current adequacy decision of the European Commission of July 10, 2023. The USA is considered a safe third country with regard to a comparable level of data protection. A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

Storage period

The data sent by us and linked to cookies is automatically deleted after 14 months. Data that has reached the end of its retention period is automatically deleted once a month.

Legal basis

The legal basis for this data processing is your consent in accordance with Art. 6 para. 1 sentence 1 lit. a) GDPR.

Withdrawal of consent

You can withdraw your consent at any time with effect for the future by accessing the cookie settings and changing your selection there. If you have deactivated the category (“Analytics”), this deactivation will be taken into account for the corresponding provider. The legality of the processing carried out on the basis of the consent until revocation remains unaffected.

Alternatively, you can prevent the storage of cookies from the outset by configuring your browser software accordingly. However, if you configure your browser to reject all cookies, this may restrict the functionality of this and other websites. You can also prevent Google from collecting the data generated by the cookie and relating to your use of the website (including your IP address) and from processing this data by Google by not giving your consent to the setting of the cookie..

You can find more information on the terms of use of Google Analytics and data protection at Google at https://marketingplatform.google.com/about/analytics/terms/de/

and at https://policies.google.com/?hl=de.

Google Maps plug-in

If you have given your consent, we use the map service Google Maps on our website. Google Maps is a map service provided by Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The responsible service provider for users in the EU/EEA and Switzerland is Google Ireland Limited (“Google”).

When you visit a website that contains Google Maps, your browser establishes a direct connection with Google's servers, whereby the map content is sent to your browser and integrated by it. This includes the following data

Date and time of the visit to the website in question, location information, IP address, (start) address entered as part of route planning, internet address or URL of the website accessed, usage data and search terms.

You can find more information on the handling of user data in Google's privacy policy: https://www.google.de/intl/de/policies/privacy/. The information collected via the API about your use of this website is generally processed in the European Union. The data is deleted as soon as it is no longer required for processing purposes.

Google LLC has certified itself under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that Google LLC has publicly committed to complying with the DPF obligations and any data transfer to the USA is harmless due to the current adequacy decision of the European Commission of July 10, 2023. The USA is considered a safe third country with regard to a comparable level of data protection. A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR. You can revoke your consent at any time with effect for the future by opening the data protection settings below under “Cookies & tracking settings” and activating the slider there accordingly.

Google Tag Manager

For reasons of transparency, we would like to point out that we use Google Tag Manager, from the provider Google LLC, 1600 Amphitheatre Parkway Mountain View, CA 94043, USA. The controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland.

The Google Tag Manager itself does not collect any personal data. Google Tag Manager makes it easier for us to integrate and manage our tags. Tags are small code elements that are used, among other things, to measure traffic and visitor behaviour, to record the impact of online advertising and social channels, to set up remarketing and targeting and to test and optimize websites. We use the Tag Manager for Google Analytics, Google Ads, Facebook (Meta) Ads, HubSpot Tracking, LinkedIn, Microsoft Ads and TikTok Ads, among others. If you have deactivated a category (e.g. “Marketing”), this deactivation will be taken into account by Google Tag Manager for the corresponding providers. For more information on Google Tag Manager, see: https://www.google.com/intl/de/tagmanager/use-policy.html.

The legal basis for this data processing is our legitimate interests, Art. 6 para. 1 sentence 1 lit. f) GDPR. This includes, in particular, our interest in being able to offer you as many functions as possible. In addition, the use of Google Tag Manager makes it easier for us to manage, integrate and evaluate various other services that we run on our website. We have selected the settings that are particularly privacy-friendly for you as a visitor. You have the right to object to this processing under the legal requirements.

YouTube

We use the services of YouTube, LLC, 901 Cherry Ave, 94066 San Bruno, CA, USA, a subsidiary of Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. For users who have their habitual residence in the European Economic Area or Switzerland, Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland is the controller responsible for your data.

We use a two-click solution to protect your personal data. When you access a page in which a YouTube video is embedded, a connection to the YouTube servers is only established when you click on the “Confirm” button. In this case, YouTube will set cookies and use your visit data for its own purposes. If you are logged in to YouTube at this time, the information about the videos you have viewed will be assigned to your YouTube member account. You can prevent this by logging out of your member account before visiting our website. Where data is processed outside the European Economic Area / the EU, where there is no level of data protection in line with the European standard, Google states that it uses standard contractual clauses.

Google LLC has certified itself under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that Google LLC has publicly committed to complying with the DPF obligations and any data transfer to the USA is harmless due to the current adequacy decision of the European Commission of July 10, 2023. The USA is considered a safe third country with regard to a comparable level of data protection. A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

Further information on YouTube's data protection is provided by Google at the following link: https://www.google.de/intl/de/policies/privacy/

If you have deactivated the category (“Functionality”), this deactivation will be taken into account for the corresponding provider.

Microsoft Clarity

We use the “Microsoft Clarity” tool from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA on our website. Microsoft Clarity is a so-called screen recording tool that records the activities of a user on our website during a session and processes them in a comprehensible manner for us. The recording and evaluation of website activities serves to improve the user-friendliness of our websites and to analyze errors.

In addition, your personal data is processed for the following purposes

• Tracking (e.g. interest/behavioral profiling, use of cookies),

• Remarketing and conversion measurement (measurement of the effectiveness of marketing measures),

• Interest-based and behavioral marketing,

• Profiling (creation of user profiles),

• reach measurement (e.g. access statistics, recognition of returning users) and

• cross-device tracking (cross-device processing of user data for marketing purposes).

As part of the use of Microsoft Clarity, various personal information is collected. This applies in particular:

• Usage data (e.g. Internet presentations visited, interest in content, access times),

• Meta/communication data (e.g. information about the page view, UserID, SessionID),

• Location data (information on the geographical position of a device),

• Analysis data (information on user interactions on the website, e.g. clicking, scrolling, mouse movements) and

• Diagnostic data, e.g. script and image errors, incorrect interactions with buttons (deadclicks).

Further information on the information collected can be accessed via the following website: https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data.

According to Microsoft, the information collected can also be used for marketing purposes.

The data processing is carried out by Microsoft Corporation, based in the USA. Microsoft Corporation is certified according to the Data Privacy Framework, so that an adequacy decision of the European Commission within the meaning of Art. 45 GDPR is available for data transfers to Microsoft Corporation. The status of the certification can be accessed via the following website: https://www.dataprivacyframework.gov/s/.

The legal basis for the processing of your personal data for the stated purposes is your consent (§ 25 TTDSG and Art. 6 para. 1 lit. a) GDPR). You can withdraw your consent at any time with effect for the future. To revoke your consent, you can simply adjust your cookie settings accordingly via the corresponding link “Cookies & Tracking Settings” in the footer of our website.

You can withdraw your consent to data processing by Microsoft at any time: [https://choice.microsoft.com/de-DE/opt-out](https://choice.microsoft.com/de-DE/opt-out).  
For more information on how the tool works, please visit the following website: https://clarity.microsoft.com/lang/de-de. Information on how Microsoft processes personal data can be found in Microsoft's Privacy Statement: [https://privacy.microsoft.com/de-de/privacystatement](https://privacy.microsoft.com/de-de/privacystatement).

Facebook Custom Audiences (Facebook-Pixel)

We use the Custom Audiences service from Meta Platforms, Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA (hereinafter referred to as "Facebook") as part of usage-based online advertising. For this purpose, we define audiences in the Facebook Ads Manager based on specific characteristics, who are then shown advertisements within the Facebook network. Facebook selects users based on profile information they have provided and other data supplied through their use of Facebook. If a user clicks on an ad and subsequently visits our website, Facebook receives information via the embedded Facebook Pixel on our website that the user clicked on the ad. In general, a non-reversible and non-personal checksum (hash value) is generated from your usage data and transmitted to Facebook for analysis and marketing purposes. A Facebook cookie is set in this process, which collects information about your activity on our website (e.g., browsing behavior, visited subpages, etc.). Your IP address is also stored and used for geographically targeted advertising. We do not use Facebook Custom Audiences via the customer list or the "advanced matching" feature.

For more information on the purpose and scope of data collection, as well as the further processing and use of data by Facebook and your options for protecting your privacy, please refer to Facebook's privacy policy. You can adjust the settings for the ads you see on Facebook via this link or in Facebook's account settings.

Meta Platforms is certified under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means Meta Platforms has publicly committed to adhering to DPF obligations, and any data transfer to the U.S. is considered safe under the European Commission's adequacy decision of July 10, 2023. The U.S. is regarded as a secure third country in terms of a comparable level of data protection. A list of currently certified U.S. companies can be found here: [https://www.dataprivacyframework.gov/s/participant-search](https://www.dataprivacyframework.gov/s/participant-search). Further information on Facebook's Custom Audiences service can be found here: [https://de-de.facebook.com/business/help/449542958510885](https://de-de.facebook.com/business/help/449542958510885). Additional information on data processing and data retention can be obtained from the provider or at [https://www.facebook.com/about/privacy](https://www.facebook.com/about/privacy). Logged-in users can deactivate the "Facebook Custom Audiences" feature here: [https://www.facebook.com/settings/?tab=ads#_](https://www.facebook.com/settings/?tab=ads#_).

You can also prevent the storage of cookies entirely by adjusting the settings in your browser. However, please note that in this case, you may not be able to fully utilize all functions of our website. Additional options to deactivate cookies from third-party providers can be found at [www.networkadvertising.org/managing/opt_out.asp](http://www.networkadvertising.org/managing/opt_out.asp) or on the Digital Advertising Alliance Opt-Out platform at [http://optout.aboutads.info/?c=2&lang=en](http://optout.aboutads.info/?c=2&lang=en).

The legal basis for this data processing is your consent, Art. 6 para. 1 lit. a) GDPR. You can withdraw your consent at any time with future effect by opening the privacy settings below under "Cookies & Tracking Settings" and adjusting the toggle accordingly.

Facebook Fanpage

1. General Information

   Social media has become an integral part of the internet and modern communication. To stay in touch with our customers and prospects, we have also set up our own fan page on Facebook. Facebook is a service of Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereinafter referred to as "Facebook").

We explicitly point out that Facebook stores and uses data (e.g., IP address, preferences and personal interests, behavior on Facebook pages, potentially personal information stored on Facebook, etc.) of users for business purposes. We have no influence on the processing and further use of this data as Facebook alone determines how it is processed. To what extent, where, and for how long the data is stored, how it is linked and analyzed, and to whom it is shared is currently not transparent to us. We also have no insight or influence regarding deletion periods, i.e., whether and to what extent deletion periods are adhered to. Facebook's own information about what data is collected can be found in Facebook's privacy policy, which is available here: https://www.facebook.com/about/privacy/

If you are a Facebook member and logged into your Facebook account, Facebook can associate your visit to our page with your account. If you want to prevent Facebook from linking data about your visit to our fan page with the data stored in your Facebook account, you must:

- Log out of Facebook before visiting our fan page,
- Delete the cookies stored on your device,
- Close your browser and restart it.

According to Facebook, all information that can be used to identify you will then be deleted.

2. Scope of Data Collection and Storage

   You do not need to be a Facebook member to view the content on our Facebook fan page. However, Facebook collects, stores, and uses data each time you visit our page. When you access our fan page, your browser establishes a connection to a Facebook server. This may result in data being transferred to countries outside the European Union. Meta Platforms is certified under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework directory of the International Trade Administration (ITA). This means Meta Platforms has publicly committed to complying with DPF obligations, and any data transfer to the United States is considered safe based on the European Commission's current adequacy decision from July 10, 2023. The United States is regarded as a secure third country with a comparable level of data protection. A list of currently certified U.S. companies can be found here: [https://www.dataprivacyframework.gov/s/participant-search](https://www.dataprivacyframework.gov/s/participant-search)

In any case, whether you are registered on Facebook or not, your IP address will be transmitted, and cookies will be set. If you are a Facebook member and logged into your Facebook account, Facebook can associate your visit to our page with your account.  

The cookies used include session cookies, which are deleted when the browser is closed, and persistent cookies, which remain on the device until they expire or are deleted by the user.  

According to Facebook, the cookies it uses serve purposes such as authentication, security, website and product integrity, advertising and measurement, website functions and services, performance, as well as analysis and research. Details about the cookies used by Facebook (e.g., cookie names, duration, collected content, and purpose) can be viewed here: [https://www.facebook.com/policies/cookies/](https://www.facebook.com/policies/cookies/) by following the links provided there.  

Settings regarding which advertisements Facebook displays to you or stops displaying to you can be managed at [https://www.facebook.com/about/basics/advertising](https://www.facebook.com/about/basics/advertising) and [http://www.youronlinechoices.com](http://www.youronlinechoices.com). Through the aforementioned link, you can manage your preferences for interest-based online advertising.  

If you object to interest-based online advertising with the help of the preference manager for a specific provider, this objection will only apply to the collection of business-related data via the currently used web browser. The preference management system is cookie-based. Deleting all browser cookies will also remove the preferences you set using the preference manager.

 

Data                                    ||     Intended use            ||    Legal basis

Userinteraction (Postings,
Likes etc.)                                 ||    User communication  ||    Art. 6 Par. 1 lit. f) DSGVO

Facebook-Cookies*                 ||    Target group advertising   ||    Art. 6 Par. 1 lit. f) DSGVO

Demographic data (e.g. based on age, place of residence,
language or gender information) || target group advertising || Art. 6 para. 1 lit. f) GDPR

Statistical data on user interactions in aggregated form, i.e. without personal reference for us (e.g. page activities, page views, page previews, likes, recommendations, posts, videos, page subscriptions incl. origin, times of day) || Target group advertising || Art. 6 para. 1 lit. f) GDPR

Automated decision-making including profiling in accordance with Art. 22 GDPR does not take place.

We generally only store personal data until the respective purpose for which the data was collected has been achieved. In the context of a business relationship with you, we store your personal data for as long as the business relationship lasts; this also includes the initiation and execution of a contract and the regular limitation period. In addition, we store the data if and insofar as we are subject to statutory retention obligations. Such obligations may arise, for example, from the German Commercial Code (HGB) or the German Fiscal Code (AO).
If you have given us your consent for a processing operation, the data associated with the granting of consent will be stored until revoked or at the latest for the duration of the processing operation and after termination of the same within the scope of the statute of limitations.

3. Facebook Insights

   We use the Facebook Insights function for statistical analysis purposes. In this context, we receive anonymized data on the users of our Facebook fan page. It is not possible for us to draw any conclusions about you personally. For further information, please refer to Facebook's cookie policy.

   4. Disclosure and use of personal data

If you interact with Facebook, Facebook will of course also have access to your data. Facebook is located in an insecure third country where the level of data protection is lower. The data transfer is based on the so-called standard data protection clauses.

5. Legal basis

   If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f) GDPR is the legal basis for the processing. We see our legitimate interest in data processing in the presentation of our company and our products and services for your information and in particular in the provision of up-to-date communication options for and with you.

   6. Joint controllers for the processing

   NORDAKADEMIE gemeinnützige Aktiengesellschaft Hochschule der Wirtschaft

   Köllner Chaussee 11

   25337 Elmshorn

and

Meta Platforms Ireland Limited
4 Grand Canal Square, Grand Canal Harbour,
D2 Dublin
Ireland

According to the European Court of Justice (ECJ), we are jointly responsible with Facebook for the processing of your personal data. You can find the ECJ's decision of 05.06.2018 here: curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398

Due to the joint responsibility we inform you with regard to Art. 26 GDPR about the essentials of the agreement on joint responsibility existing between us and Facebook: https://www.facebook.com/legal/terms/page_controller_addendum

 

TikTok

1. General Information

Social media has become an integral part of the internet and modern communication. To stay connected with our customers and prospects, we have also created a TikTok account. TikTok is a service provided by TikTok Technology Limited, located at 10 Earlsfort Terrace, Co. Dublin, Dublin, and TikTok Information Technologies UK Limited, 6th Floor, One London Wall, London, EC2Y 5EB, United Kingdom. 

We explicitly point out that TikTok stores user data (e.g., IP address, preferences and personal interests, activity on TikTok pages, possibly personal information stored on TikTok, etc.) and uses it for business purposes. 

We have no influence on the processing and further use of this data, as TikTok alone determines how it is handled. To what extent, where, and for how long the data is stored, how the data is linked and analyzed, and to whom the data is shared is currently unclear to us. We also have no insight or influence regarding deletion periods, i.e., whether and to what extent deletion periods are adhered to.

TikTok’s statements about what information is collected can be found in TikTok’s privacy policy, which is available here:  
https://www.tiktok.com/legal/page/eea/privacy-policy/en  

If you are a TikTok member and logged into your TikTok account, TikTok can associate your visit to our page with your user account. If you want to prevent TikTok from linking data about your visit to our website with the data stored in your TikTok account, you need to:
- Log out of TikTok before visiting our page,  
- Delete cookies stored on your device,  
- Close and restart your browser, or take additional necessary precautions.

2. Scope of data collection and storage

To view the content on our page, you don’t need to be a TikTok member. However, every time you visit our page, TikTok collects, stores, and uses data. As soon as you access our TikTok page, your browser establishes a connection to a TikTok server. Data may be transmitted to countries outside the European Union in the process. Regardless of whether or not you are registered with TikTok, your IP address will be transmitted, and cookies will be set. If you are a TikTok member and logged into your TikTok account, TikTok can associate your visit to our page with your account.

The cookies used include session cookies, which are deleted when the browser is closed, and persistent cookies, which remain on the device until they expire or are manually deleted by the user. A cookie is a small text file that allows a website to recognize a browser. Cookies are stored on the computer when a website is accessed and retrieved and read by the web server during subsequent visits. You can decide through your browser settings whether and which cookies you want to allow, block, or delete. Instructions for various browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can install ad blockers like Ghostery.

According to TikTok, the cookies they use are intended for the operation and provision of services, including saving language settings, ensuring that the same video isn’t viewed multiple times, and for marketing and security purposes. Details about the cookies TikTok uses (e.g., cookie names, duration, collected content, and purpose) can be found here: https://www.tiktok.com/legal/page/global/cookie-policy/en

Your data is processed in three ways: data you provide, data collected automatically, and data from other sources.

Data you provide includes, for example: profile information, user content, direct messages, your contacts, purchase information, interactions with TikTok, and participation in surveys, research, and promotions.  
Automatically collected data includes, for example: location information, usage information, cookies, content characteristics and attributes, and derived data.  
Data from other sources includes, for example: advertising, measurement, and data partners, merchants, payment and transaction service providers, platforms, and third-party partners.

TikTok states that it processes data based on various legal foundations. Data is processed based on consent under Art. 6(1)(a) of the GDPR, for example, to deliver personalized advertising.

Your Rights:

Whenever TikTok processes your data based on your consent, you can withdraw your consent at any time. However, withdrawing your consent does not affect the legality of data processing based on your consent prior to its withdrawal. You can withdraw your consent for personalized advertising settings by following these instructions. 

You also have the right to request the transfer of information you provided to us and that we process based on your consent. 

Additionally, TikTok relies on contractual necessity in accordance with Article 6(1)(b) GDPR to achieve the following purposes:
- Providing the platform to you
- Managing product orders and deliveries
- Enforcing terms of service, policies, or regulations
- Administering services

TikTok also relies on legitimate interests under Article 6(1)(f) GDPR to achieve the following purposes:
- Enabling the use of your videos in interactive features. Providing users with tools that inspire creativity, collaboration, and enjoyment while allowing users to reach new audiences.
- Suggesting your account to other users. Helping users quickly and efficiently find and connect with others on our platform.
- Delivering non-personalized ads to all users. Displaying non-personalized ads to help keep the platform free of charge.
- Providing measurement and analytics services. Helping creators and advertisers understand how their ads or content perform and who interacts with or views them.
- Ensuring the safety and stability of the community and platform. Maintaining community safety, enforcing compliance with guidelines, identifying misuse of the platform, and ensuring platform stability and security, including resolving technical or security issues.
- Reviewing, improving, promoting, and developing the platform. Ensuring informed improvements, promotion, and development of the platform.
- Conducting independent research. Supporting independent research aimed at advancing collective societal knowledge, including studies on misinformation, disinformation, violence, cybercrime, and social trends. Click here for more information.
- Sharing your data with third parties. Providing a seamless experience, enabling your content to be shared on other platforms, facilitating third-party user authentication, and optimizing the user experience.
- Marketing communications. Promoting the platform or third-party products and services.

In some circumstances, TikTok processes your data based on Article 6(1)(c), (d), and (e) GDPR. 

For detailed information, please visit: https://www.tiktok.com/legal/page/eea/privacy-policy/en

We generally retain personal data only as long as necessary to fulfill the purpose for which it was collected. If you have a business relationship with us, we store your personal data as long as the business relationship continues, including the initiation and processing of a contract as well as the regular statute of limitations. In addition, we retain data as long as we are subject to statutory retention obligations, such as those under the German Commercial Code (HGB) or the Fiscal Code (AO).

If you have provided consent for a specific processing activity, the data associated with that consent will be retained until the consent is withdrawn or, at the latest, for the duration of the processing activity and within the applicable statute of limitations after the activity concludes.

3. Disclosure and use of personal data

If you interact with TikTok, TikTok will of course also have access to your data. TikTok may also process data in an insecure third country (e.g. USA, Malaysia and Singapore) where the level of data protection is lower. The data transfer is based on the so-called standard data protection clauses. You can find more information on this here: .

4. Legal basis

If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 para. 1 lit. f) GDPR is the legal basis for the processing. We see our legitimate interest in data processing in the presentation of our company and our products and services for your information and in particular in the provision of up-to-date communication options for and with you.

5. Joint controllers for the processing

NORDAKADEMIE gemeinnützige Aktiengesellschaft Hochschule der Wirtschaft

Köllner Chaussee 11

25337 Elmshorn

Deutschland

and

TikTok Technology Limited / TikTok Information Technologies UK

10 Earlsfort Terrace / Limited 6th Floor, One London Wall

Dublin / London

Ireland / UK

We are jointly responsible with TikTok for the processing of your personal data.

Due to the joint responsibility, we inform you with regard to Art. 26 GDPR about the essentials of the existing agreement on joint responsibility between us and TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-terms

TikTok-Pixel

We use the “TikTok Pixel” tracking and conversion tool on our website, provided by the Chinese company ByteDance. For users in the EU/EEA and Switzerland, the responsible entity is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”).

Pixels are small, invisible image files used to collect information about how users interact with a website. When the website is accessed, a simple code is automatically triggered, allowing the pixel to load on the user’s device and capture certain information about the device and user actions on the website.

This enables us to measure the performance of our ads and conversions, as well as build target audiences for remarketing. It also allows us to display interest-based ads to our website users and analyze their behavior on our website for statistical and market research purposes.

Data such as IP addresses, device IDs, device types, operating systems, and information about activities on our website (e.g., browsing behavior, pages visited, etc.) may be collected and transmitted to TikTok. TikTok can use this information to associate a website user with a TikTok user account. TikTok uses this data to display personalized ads to its users and to create interest-based user profiles. For more information about how TikTok processes data, please refer to TikTok’s privacy policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=en.

The processing of data through TikTok Pixel is based on your consent pursuant to Art. 6 (1) sentence 1 lit. a) GDPR. You can revoke your consent at any time with future effect by adjusting your settings in our consent banner.

If data is transferred to countries outside the European Economic Area that do not have a level of data protection equivalent to European standards, TikTok states that it uses standard data protection clauses in accordance with Art. 46 (2) lit. c GDPR.

For more information about TikTok’s data processing, please refer to TikTok’s privacy policy: [https://www.tiktok.com/legal/privacy-policy-eea?lang=en](https://www.tiktok.com/legal/privacy-policy-eea?lang=en)

Freshworks

1. General Information

We offer the option to report technical disruptions of the IT system via the Freshdesk service provided by Freshworks, Inc., located at 16192 Coastal Highway, Lewes, Delaware 19958, USA, through our website.  
The Freshdesk service allows us to handle support requests quickly and efficiently. When you open a ticket through Freshdesk, the data you provide is transmitted to the service provider Freshdesk. Any personal data required is marked as mandatory in the respective registration form. Failure to provide this information will result in us being unable to process your ticket. Any additional information you provide is optional.  
If you report a technical issue via email, the following personal data will be processed: email address, first and last name, time of sending, and the email text. If you contact us by phone, the responsible support team member will record the following personal data in the ticket: first name, last name, phone number, and email address.  
Providing this information is entirely voluntary and initiated by you. If the information provided includes communication channels (e.g., email address or phone number), we will use those channels to contact you according to your inquiry.  
The personal data you provide will, of course, be used exclusively for the purpose for which you provided it when contacting us.

2. Purposes of the processing

 The purpose of processing your data is to process and respond to your request.

3. Legitimate interests

 The legitimate interest in processing also lies in the purposes described.

4. Legal basis

The legal basis for the processing of the data that you transmit to us in the course of contacting us is Art. 6 para. 1 sentence 1 lit. f) GDPR. If your request relates to the conclusion or performance of a contract with us, the data processing is carried out on the basis of Art. 6 (1) (b) GDPR.

5. Duration of data storage

We will delete your data that we have received in the course of contacting you as soon as it is no longer required to achieve the purpose for which it was collected, i.e. your request has been fully processed and no further communication with you is required or requested by you.

6. Data processing

The recipient of the data is Freshworks, Inc., based at 16192 Coastal Highway, Lewes, Delaware 19958, USA, as the processor. We have concluded an order processing agreement with Freshworks, Inc. for this purpose.

7. Data transfer to the USA

When using the service, data is transferred to the USA. In order to establish a secure level of data protection, we have concluded the standard data protection clauses adopted by the EU Commission in accordance with Art. 46 GDPR with the American service provider Freshworks Inc. which permit the transfer of personal data to a third country in individual cases. Further information on data protection at Freshwork can be found in Freshwork's data protection information at https://www.freshworks.com/de/datenschutz/.

8. Possibility of objection, data deletion

You can contact our data protection officer at any time to request the deletion of the data relating to your request. However, we may then not be able to process your request in full.

Use of customer, supplier and service provider data (business partners)

1. General Information

We process your personal data if you contact us, wish us to enter into a collaboration with you or conclude a contract with us. In addition, we also process your personal data to fulfill legal obligations, to protect a legitimate interest or on the basis of your consent. We only process personal data that we receive from you.

Depending on the legal basis and the contractual relationship with us, the following categories of personal data are involved:

• First name, last name

• Company name

• Business address

• Business communication data (telephone, e-mail address)

• Account information, in particular registration and logins (e.g. Teams account for external users)

• Video or image recordings

2. Purposes and legal basis

**Based on your consent (Art. 6 para. 1 sentence 1 lit. a) GDPR)**  
If you have voluntarily provided us with consent to process certain personal data, this consent forms the legal basis for processing such data.  
In the following cases, we process your personal data based on your consent:  
- Sending information about our projects, news, events, webinars.  

**For fulfilling a contract (Art. 6 para. 1 sentence 1 lit. b) GDPR)**  
We use your personal data to execute contracts and for pre-contractual communication.  

**To fulfill legal obligations (Art. 6 para. 1 sentence 1 lit. c) GDPR)**  
As a company, we are subject to various legal obligations. To comply with these obligations, processing personal data may be necessary:  
- Prevention/deterrence of criminal offenses (only on a case-by-case basis).  
- Retention and storage obligations (§ 257 HGB; § 147 AO).  
- Obligations to process customer data (e.g., due to tax-related requirements).  

**Based on legitimate interest (Art. 6 para. 1 sentence 1 lit. f) GDPR)**  
In certain cases, we process your data to protect legitimate interests of our company:  
- Communication with contact persons at business partners.  
- Direct marketing for similar projects within the scope of our business relationship.  
- Ensuring IT security and IT operations.  
- Video surveillance to protect property rights.  
- Case-by-case matching of first and last names of business contacts with the EU Anti-Terror Regulations lists (Regulation (EC) No. 881/2002, Regulation (EC) No. 2580/2001, so-called Anti-Terror Lists) due to the prohibition on provision under the EU Anti-Terror Regulation.Speicherdauer

We store your personal data for as long as is necessary to fulfill our legal and contractual obligations, including

• Fulfillment of, for example, retention obligations under commercial and tax law. These include retention periods from the German Commercial Code (HGB) or the German Fiscal Code (AO). The retention periods are up to 10 years.
• Preservation of evidence within the framework of statutory limitation periods. According to the statute of limitations of the German Civil Code (BGB), these limitation periods can be up to 30 years in some cases; the regular limitation period is three years.
• After registering for the newsletter, your e-mail address will be stored in our newsletter distribution list. After unsubscribing from the newsletter, your e-mail address will be deleted from the mailing list and placed on a blacklist. This list is deleted every 6 months.

3. Who will your data be passed on to?

In principle, your personal data is further processed by the internal departments of NORDAKADEMIE that require it to perform their duties. However, in some cases, external entities may also be involved in processing your data. If the entity is a data processor, NORDAKADEMIE has entered into a corresponding data processing agreement in accordance with Article 28 of the GDPR with the respective external service provider. Additional recipients will only receive your data if you have given NORDAKADEMIE your consent for data transfer, if it is based on a contract with you, or if NORDAKADEMIE is legally obligated to transfer the data. These recipients may include:

- IT service providers (e.g., maintenance service providers, hosting providers)
- Service providers for document and data destruction
- Tax authorities and auditors
- Web hosting service providers

Microsoft 365 Applications

Below, we provide information on the processing of personal data when using Microsoft 365. Microsoft 365 is a combination of various software components offered by the US-based software manufacturer Microsoft Corporation (hereinafter referred to as "the provider"). It includes online versions of applications such as [Word](https://en.wikipedia.org/wiki/Microsoft_Word), [Outlook](https://en.wikipedia.org/wiki/Microsoft_Outlook), [OneNote](https://en.wikipedia.org/wiki/Microsoft_OneNote), [PowerPoint](https://en.wikipedia.org/wiki/Microsoft_PowerPoint), [Excel](https://en.wikipedia.org/wiki/Microsoft_Excel), Teams, and [OneDrive](https://en.wikipedia.org/wiki/Microsoft_OneDrive), as well as, depending on the plan, [Microsoft Project](https://en.wikipedia.org/wiki/Microsoft_Project) and [Microsoft Visio](https://en.wikipedia.org/wiki/Microsoft_Visio). Microsoft 365 and Office 365 provide users the ability to work from any location using any supported device. Stored data is located in Microsoft data centers, which are accessible via the internet.

In some cases, external accounts for customers, service providers, or suppliers are created within our Microsoft 365 environment. Even if such an account is not created, the data of these groups of individuals is used within our Microsoft 365 environment. Below, you will find more detailed information about this.

 

1. Microsoft as controller for data processing

In principle, NORDAKADEMIE is the controller within the meaning of the GDPR for the processing of your personal data.

Insofar as you use the software components of Microsoft 365, the
software provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-639 USA, is responsible for data processing. You can find more information about Microsoft 365 in the education sector at: https://www.microsoft.com/de-de/education/school-leaders/resource-center. Information on data processing by Microsoft 365 can be found at: https://privacy.microsoft.com/de-de/privacystatement

2. Purposes and legal basis

To ensure an effective relationship with our customers, service providers, or suppliers, we process your personal data to the extent necessary. To enable you to use the functionalities of Microsoft 365 for communication and collaboration with us, we process your personal data.  

In some cases, so-called external accounts are created for customers, service providers, or suppliers within our Microsoft 365 environment. For the registration and use of Microsoft 365 in the IT environment of NORDAKADEMIE, personal data is processed. You can find more detailed information on this below. The legal basis for collecting and processing this data is our legitimate interest under Art. 6(1) sentence 1 lit. f) GDPR.  

Regarding the processing of video and/or audio recordings in connection with the use of "Microsoft Teams," this is done voluntarily by enabling the camera and/or microphone, making Art. 6(1) sentence 1 lit. a) GDPR (consent) the legal basis. Consent can be revoked at any time with effect for the future by disabling the camera and/or microphone. The same applies to the use of the chat function regarding the processing of text data.  

To ensure proper operation, as well as to monitor compliance with the provisions of these terms of use and to detect misuse, all user activities, such as the time of access, date, type of access, information regarding the data/files/documents accessed, and all activities related to usage, such as creating, modifying, or deleting documents, setting up a team (and channels in Teams), making notes in the notebook, starting a chat, and similar activities, are processed in log files.  

Monitoring the use of electronic communication systems will only occur if there is sufficient suspicion of misuse, contract violations, breaches of these terms of use, or criminal offenses. The legal basis for this processing is our legitimate interest under Art. 6(1) sentence 1 lit. f) GDPR.  

The collection of data for the provision of Microsoft 365 and the storage of data in log files is essential for the provision and operation of the offered software components. Therefore, the user has no option to object.

3. What data is processed?

Depending on the specific application and function, various personal data will be collected and processed from you. Personal data is information that relates to an identified or identifiable natural person.
When you log in to your computer, the following personal data is processed when you use Microsoft 365:

- IP address
- First name, last name
- Diagnostic data (data on the use of the software and services)
- Functional data (e.g. log data)
- Device data with which you use the Microsoft 365 services (e.g. browser, operating system, virus protection)
- Online identification data (user name and password (encrypted))
- For individual functions of Microsoft 365, further personal data may also be processed, for example
- Business contact data such as company e-mail address, telephone number and postal address
- Video and audio transmission for video conferences via Teams
- Geolocation/location data
- Behavioral data (surfing behavior, etc.)

Three groups of data can be summarized that are processed about the user when using Microsoft products:

 

Content data	Information provided by NORDAKADEMIE: All data, including any text, sound, video or image files and software, provided to Microsoft by or on behalf of the Customer through the use of the Online Service e.g. customer password, content of the customer's email account or Azure database, email subject line
Diagnose data	specific telemetry data collected via Microsoft 365 about the use of the software; all observations stored in event logs about the behavior of individual users of the services z. e.g. client ID, user ID, duration of use of an Office service, size of the edited file, event ID (ID of the action performed - e.g. saving a document), program language
Functional data	Data that is necessary for the execution of application processes and that is deleted or anonymized immediately after the transmission of the message has been completed. Data is therefore only stored temporarily.

 

The following different functionalities can be used with Microsoft 365 (this list is not exhaustive):

Word	Word processing program for creating and editing documents
Excel	Spreadsheet program for performing logical, statistical and mathematical functions
PowerPoint	Program for creating interactive presentations
Outlook-Exchange	Processing and managing emails, appointments, contacts and tasks
OneNote	digital notebook
Publisher	Creation of print publications such as brochures, e-mail headlines and product presentations
Access	Database management program for creating and managing databases and developing database applications
SharePoint	Exchange platform in the cloud for joint editing of documents, joint maintenance of a calendar and exchange of information
OneDrive for Business	Employee-related storage space in the cloud for audio and video calls, online meetings, web conferences and screen sharing
Teams	shared information channel for collaboration; chat messages, audio and video calls, online meetings, web conferencing and screen sharing (replaces Skype for Business)
Visio	Visualization program for creating graphical representations of tools and symbols
Project Desktop-software	Program for planning, controlling and monitoring projects (local application on the end device only)
Groups	Components such as Outlook, Teams and SharePoint can be used cooperatively.
Planner	Planning tool for creating plans and visual management of tasks
To-Do (Browsersoftware)	Tool for organizing tasks from other O365 components
Whiteboard	Tool for (joint) editing of virtual whiteboards
Editor (spelling checker)	Connected Experience: Editor browser extension searches for grammatical and spelling errors and makes suggestions for text improvement
Translator	Connected Experience: language translation tool
Office Help	Connected Experience: If you select “Help > Help” in the ribbon or use F1 in an Office application
Bot Analytics	Creation of bots in the FAQ to answer recurring questions.

 

The Word, Excel and PowerPoint functions can be used as usual, i.e. data is stored on your PC unless the “automatic saving” mode is used. If this is used, the data is stored in the cloud via OneDrive. However, it is also possible to use these applications as a mobile app with your company tablet and smartphone or to open them via the web browser. In this case, the files are also stored in the Microsoft cloud.

When using Teams, the shared files, video and audio recordings and chat messages are also stored in the Microsoft cloud.

4. Storage duration

When a subscription ends or is canceled, Microsoft retains customer data stored in Microsoft 365 in a limited-function account for 90 days so that the subscriber can extract the data. At the end of the 90-day retention period, Microsoft deactivates the account and deletes the customer data. No later than 180 days after the expiration or termination of a Microsoft 365 subscription, Microsoft will deactivate the account and delete all customer data from it. Once the maximum data retention period has expired, the data will no longer be commercially recovered.

We, NORDAKADEMIE, store your personal data for as long as this is necessary for the respective stated purpose of data processing. As soon as the data is no longer required to fulfill the purpose, it will be deleted or anonymized immediately. In exceptional cases, personal data will be stored for longer if we are obliged to do so in order to comply with certain statutory retention periods.

5. Who will your data be passed on to?

If necessary, your personal data will be transmitted to Microsoft Corporation. Microsoft also processes personal data outside the EU/EEA and thus in so-called third countries. An adequate level of data protection is made possible by the fact that Microsoft is certified in accordance with the EU-U.S. Data Privacy Framework.

In addition, your data may be transferred to technical service providers who support NORDAKADEMIE in the operation and maintenance of Microsoft 365.

Evaluationsoftware EvaSys

We use the EvaSys software to carry out evaluations. EvaSys is a web-based software with which surveys can be created, published and carried out using various survey media (online and/or paper-based) and survey modes (e.g. via online link or using the TAN procedure).

Registered users (lecturers) can create surveys, publish them for implementation and thus make them available worldwide. NORDAKADEMIE is responsible for the publication and implementation of the surveys.

Categories of personal data

The following data transferred from the central administration of NORDAKADEMIE is stored for the user accounts in the system:

• First name and surname

• Title (e.g. Prof. or Dr.)

• E-mail address

User accounts remain with NORDAKADEMIE until the personal data record is deleted or until the user authorization expires in the system and are then deleted.
Content data includes all data entered into the system by the users themselves or created by them in the system. This data includes, for example

• information provided voluntarily in the user profile

• Modified online templates

• Questionnaires (including integrated media content)

• survey data

Legal basis for data processing

The legal basis for the general implementation of evaluations of courses and courses/seminars is the legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f) GDPR (quality assurance and improvement) and - at least indirectly - legal obligation pursuant to Art. 6 para. 1 sentence 1 lit. c) GDPR in conjunction with the requirements of the Schleswig-Holstein Higher Education Act.

NORDAKADEMIE complies with the principle of data minimization. With regard to students, anonymous data processing will largely be possible. However, as there are free text fields, a personal reference cannot be completely ruled out. This means that it is largely up to the students to decide whether or not the information provided as part of the evaluation remains anonymous.

The evaluations are carried out in such a way that the anonymity limit is defined as 5 persons (students). In addition, there must be at least two completed responses. With regard to the lecturers of the courses, there is naturally a personal reference.

The evaluation of the evaluations is carried out according to a strict authorization concept, above all the need-to-know principle must be observed.

Storage of data

The data from the evaluations can be stored for up to five years, after which the data will only be used anonymously (e.g. the lecturer's name will be deleted).

Passing on the data

The survey results are recorded on the servers of the service provider EvaSys and can be analyzed and/or exported by the survey creators using internal functions.

 

Last Update: February 2025