Privacy Policy

Index

1.  Introduction
2.  How we use your personal data
3.  Legal basis for the processing of your data
4.  Providing your personal data to others
5.  International transfers of your personal data
6.  Retaining and deleting personal data
7.  Amendments
8.  Your rights
9. Use of online platforms in the application process
10. Provision of online services and web hosting
11. Use of Cookies
12. Newsletter and Electronic Communications
13. Web Analysis, Monitoring and Optimization
14. Online Marketing
15. Profiles in Social Networks (Social Media)
16. Plugins and embedded functions and content
17.  Data protection officer 

1.  Introduction

This policy applies where we are acting as a data controller with respect to the personal data of our website visitors and service users, identified at https://www.emba.unisg.ch and https://apply.emba.unisg.ch; in other words, where we determine the purposes and means of the processing of that personal data.

We use cookies on our website. Insofar as those cookies are not strictly necessary for the provision of our website and services, we will ask you to consent to our use of cookies when you first visit our website. Please refer to the information on the use of cookies in this privacy policy to learn more about how cookies are used. You can manage your preferences relating to the use of cookies on our website by visiting the Cookie Settings.

In this policy, “we”, “us” and “our” refer to the University of St.Gallen Executive Master of Business Administration (EMBA-HSG).

Privacy online is a developing area. In this regard, please refer to our Privacy Policy intermittently, as this document is subject to modification.

2.  How we use your personal data

1. the general categories of personal data that we may process;
2. in the case of personal data that we did not obtain directly from you, the source and specific categories of that data
3. the purposes for which we may process personal data; and
4. the legal bases of the processing.

We may process data about your use of our website and services (“usage data“). The usage data may include your geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. The source of the usage data is our analytics tracking system Google Analytics. This usage data may be processed for the purposes of analyzing the use of the website and services. The legal basis for this processing is your consent and our legitimate interests, namely monitoring and improving our website and services. You may opt-out of this at any point by visiting our preference center: emba@unisg.ch

We may process your account data (“account data“) that you provide to create an account on our website. The account data may include first name, last name, email, and password. The source of the account data is you. The account data may be processed for the purposes of operating our website, providing our services, ensuring the security of our website and services, maintaining back-ups of our databases and communicating with you. The legal basis for this processing is consent.

We may process your information included in your personal profile on our website or on your LinkedIn profile (“profile data“). The profile data may include your title, your name, address, country, telephone number, email address, profile pictures, gender, date of birth, Skype ID, LinkedIn profile link, educational details and employment details. The profile data may be processed for the purposes of enabling your use of our services. The legal basis for this processing is consent and our legitimate interests, namely the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract.

We may process information contained in any enquiry you submit to us regarding services, namely download brochures, Data Plan, video viewing and registration for events (“enquiry data“). The enquiry data may include your first name, last name, email address, mobile phone number, country, work experience, academic education, EMBA programme you are interested in, city, gender, why you are considering an EMBA programme. The enquiry data may be processed for the purpose of supplying the services mentioned above and keeping proper records of those transactions. The legal basis for this processing is consent.

We may process information relating to transactions, including purchases of services (application for admission to our EMBA programme), that you enter into with us and/or through our website (“transaction data“). The transaction data may include title, first name, middle name, last name, preferred name, personal address, nationality, second nationality, date of birth, place of birth, gender, civil status, mobile number, landline number, work phone, Skype ID, secondary email address, results of GMAT, results of GRE, CPA qualification, CFA Level 2 qualification, English level, language skills, work experience, leadership experience, job title, company name, industry, business area, country of employment, nature of organization, responsibilities of job, international experience, activities and interests, three biggest achievements, career plans, highest degree, degree awarding institution(s), annual salary for your last three positions, intention of financing your EMBA, if you apply for a scholarship, if you are sponsored by a company, Swiss student ID Number, how you heard about us, other programmes to which you are applying, additional information, feedback, bachelor’s degree diploma, bachelor’s degree transcript(s), master’s degree diploma, master’s degree transcript(s), doctoral degree diploma, digital passport photograph, scanned passport page, curriculum vitae and other information. Further we will ask for reference contacts. The data about a reference contact may include title, first name, last name, email address, company, position, country of employment, telephone number, mobile number, rating of candidate, relationship to candidate, how long they have known the candidate, strengths of the candidate, most improvement of the candidate, description of communication skills of the candidate, potential of the candidate becoming a manager. For the payment of the application fee we will ask for your credit card details that are processed by our payment provider. The transaction data may be processed for the purpose of supplying the requested services and keeping proper records of those transactions. The legal basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract and our legitimate interests, namely the proper administration of our website and business.
We may process information that you provide to us for the purpose of subscribing to our email notifications and/or newsletter (“notification data“). The notification data may be processed for the purposes of sending you the relevant notifications and/or newsletters. The legal basis for this processing is consent.

We may process information contained in or relating to any communication that you send to us (“correspondence data“). The correspondence data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website forms. The correspondence data may be processed for the purposes of communicating with you and record-keeping. The legal basis for this processing is our legitimate interests, namely the proper administration of our website and business and communications with users.

In addition to the specific purposes for which we may process your personal data set out in this Section 2, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Please do not supply any other person’s personal data to us, unless we prompt you to do so.

3.  Legal basis for the processing of your data

Relevant legal bases according to the GDPR: In the following, you will find an overview of the legal basis of the GDPR on which we base the processing of personal data. Please note that in addition to the provisions of the GDPR, national data protection provisions of your or our country of residence or domicile may apply. If, in addition, more specific legal bases are applicable in individual cases, we will inform you of these in the data protection declaration.

Consent (Article 6 (1) (a) GDPR) – The data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Performance of a contract and prior requests (Article 6 (1) (b) GDPR) – Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Compliance with a legal obligation (Article 6 (1) (c) GDPR) – Processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. archiving obligations under tax law).

Legitimate Interests (Article 6 (1) (f) GDPR) – the processing is necessary for the protection of the legitimate interests of the controller or a third party, provided that the interests, fundamental rights, and freedoms of the data subject, which require the protection of personal data, do not prevail.

Relevant legal basis according to the Swiss Data Protection Act: If you are located in Switzerland, we process your data based on the Federal Act on Data Protection (referred to as “Swiss DPA”). Unlike the GDPR, for instance, the Swiss DPA does not generally require that a legal basis for processing personal data be stated and that the processing of personal data is conducted in good faith, lawfully and proportionately (Art. 6 para. 1 and 2 of the Swiss DPA). Furthermore, we only collect personal data for a specific purpose recognizable to the data subject and process it only in a manner compatible with this purpose (Art. 6 para. 3 of the Swiss DPA).

Reference to the applicability of the GDPR and the Swiss DPA: These privacy policy serves both to provide information pursuant to the Swiss Federal Act on Data Protection (FADP) and the General Data Protection Regulation (GDPR). For this reason, we ask you to note that due to the broader spatial application and comprehensibility, the terms used in the GDPR are applied. In particular, instead of the terms used in the Swiss FADP such as “processing” of “personal data”, “predominant interest”, and “particularly sensitive personal data”, the terms used in the GDPR, namely “processing” of “personal data”, as well as “legitimate interest” and “special categories of data” are used. However, the legal meaning of these terms will continue to be determined according to the Swiss FADP within its scope of application.

4.  Providing your personal data to others

We may disclose your personal data to any member of the University of St.Gallen insofar as necessary for the purposes, and on the legal bases, set out in this policy. Information about our institutes and schools can be found at https://www.unisg.ch/en/universitaet/institute and https://www.unisg.ch/en/universitaet/schools.

We may disclose your personal data to internal and external professional advisers insofar as reasonably necessary for the purposes of obtaining professional analysis and advice about enhancing the EMBA programme.

We may disclose (“usage data“) to our advertising, analytics and social media providers insofar as is reasonably necessary to measure the success of and improve our advertising and social media efforts. This personal data may include IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. These advertising providers include Facebook, Google Adwords, Google DoubleClick, LinkedIn, and YouTube. The legal basis for this processing and provision is consent. You may opt-out of this at any point by visiting our preference center: emba@unisg.ch

Applications, brochure, data plan downloads, full video viewing access and event registrations are handled by Full Fabric (UK) identified at https://fullfabric.com. We may disclose your enquiry and transaction data to Full Fabric for the purpose of processing your application, your brochure, data plan download request, full video viewing or your registration for an event insofar as reasonably necessary for processing your request.
For graduates of our EMBA programme, you automatically become an alumnus of the University of St.Gallen MBA. We may disclose (“account data”, “profile data”, “transaction data”) in the form of first name, last name, email address, phone number, graduation year to official alumni groups and representatives, including the EMBA alumni board. This information will be used to update you on the EMBA programme and alumni events. This information may also be disclosed to EMBA ranking providers, such as the Financial Times, Economist, Bloomberg, QS, Times Higher Education and others, for the purpose of participating in the rankings, as participation in various rankings requires a minimum level of responses from alumni.

In addition to the specific disclosures of personal data set out in this Section 3, we may disclose your personal data where such disclosure is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

5.  International transfers of your personal data

Data Processing in Third Countries in accordance with the GDPR: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing is done within the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this is only done in accordance with legal requirements. If the data protection level in the third country has been recognized by an adequacy decision (Article 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only occur if the data protection level is otherwise ensured, especially through standard contractual clauses (Article 46 (2)(c) GDPR), explicit consent, or in cases of contractual or legally required transfers (Article 49 (1) GDPR). Furthermore, we provide you with the basis of third-country transfers from individual third-country providers, with adequacy decisions primarily serving as the foundation. “Information regarding third-country transfers and existing adequacy decisions can be obtained from the information provided by the EU Commission: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en.

EU-US Trans-Atlantic Data Privacy Framework: Within the context of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the data protection level for certain companies from the USA as secure within the adequacy decision of 10th July 2023. The list of certified companies as well as additional information about the DPF can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/s/. We will inform you which of our service providers are certified under the Data Privacy Framework as part of our data protection notices.

Disclosure of Personal Data Abroad in accordance with Swiss DPA: In accordance with the Swiss Data Protection Act (DPA), we only disclose personal data abroad when an appropriate level of protection for the affected persons is ensured (Art. 16 Swiss DPA). If the Federal Council does not determine that there is an adequate level of protection (list of states: https://www.bj.admin.ch/bj/de/home/staat/datenschutz/internationales/anerkennung-staaten.html), we implement alternative security measures. These measures may include international agreements, specific guarantees, data protection clauses in contracts, standard data protection clauses approved by the Federal Data Protection and Information Commissioner (FDPIC), or internal company data protection regulations previously recognised by the FDPIC or a competent data protection authority of another country.

Under Art. 16 of the Swiss DPA, exceptions can be made for the disclosure of data abroad if certain conditions are met, including the consent of the affected person, contract execution, public interest, protection of life or physical integrity, publicly made data or data from a legally provided register. Such disclosures always comply with the legal requirements.

6.  Retaining and deleting personal data

This Section 6 sets out our data retention policies and procedure, which are designed to help ensure that we comply with our legal obligations in relation to the retention and deletion of personal data.

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

In Google Analytics, we will retain your personal data for 14 months, after which it will be deleted or anonymized automatically.

In other cases, it is not possible for us to specify in advance the periods for which your personal data will be retained. In such cases, we will determine the period of retention based on the following criteria:

1. the period of retention of Usage Data will be determined based on user requests for deletion or the data is no longer required.
2. the period of retention for Account Data will be determined based on user requests for deletion or the data is no longer required.
3. the period of retention for Enquiry Data will be determined based on user requests for deletion or the data is no longer required.
4. the period of retention for Notification Data will be determined based on user requests for deletion.
5. the period of retention for Correspondence Data will be determined based on user requests for deletion or the data is no longer required and the correspondence has been completed.

Notwithstanding the other provisions of this Section 6, we may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

7.  Amendments

We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy.

8.  Your rights

Rights of the Data Subjects under the GDPR: As data subject, you are entitled to various rights under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:

• Right to Object: You have the right, on grounds arising from your particular situation, to object at any time to the processing of your personal data which is based on letter (e) or (f) of Article 6(1) GDPR, including profiling based on those provisions. Where personal data are processed for direct marketing purposes, you have the right to object at any time to the processing of the personal data concerning you for the purpose of such marketing, which includes profiling to the extent that it is related to such direct marketing.
• Right of withdrawal for consents: You have the right to revoke consents at any time.
• Right of access: You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with the provisions of the law.
• Right to rectification: You have the right, in accordance with the law, to request the completion of the data concerning you or the rectification of the incorrect data concerning you.
• Right to Erasure and Right to Restriction of Processing: In accordance with the statutory provisions, you have the right to demand that the relevant data be erased immediately or, alternatively, to demand that the processing of the data be restricted in accordance with the statutory provisions.
• Right to data portability: You have the right to receive data concerning you which you have provided to us in a structured, common and machine-readable format in accordance with the legal requirements, or to request its transmission to another controller.
• Complaint to the supervisory authority: In accordance with the law and without prejudice to any other administrative or judicial remedy, you also have the right to lodge a complaint with a data protection supervisory authority, in particular a supervisory authority in the Member State where you habitually reside, the supervisory authority of your place of work or the place of the alleged infringement, if you consider that the processing of personal data concerning you infringes the GDPR.

Rights of the data subjects under the Swiss DPA:

As the data subject, you have the following rights in accordance with the provisions of the Swiss DPA:

• Right to information: You have the right to request confirmation as to whether personal data concerning you are being processed, and to receive the information necessary for you to assert your rights under the Swiss DPA and to ensure transparent data processing.
• Right to data release or transfer: You have the right to request the release of your personal data, which you have provided to us, in a common electronic format, as well as its transfer to another data controller, provided this does not require disproportionate effort.
• Right to rectification: You have the right to request the rectification of inaccurate personal data concerning you.
• Right to object, deletion, and destruction: You have the right to object to the processing of your data, as well as to request that personal data concerning you be deleted or destroyed.

9. Use of online platforms in the application process

As part of the application process at our university, we use online platforms that are operated by external service providers. In addition to our data protection provisions, the data protection guidelines of the respective platforms apply. This applies in particular to the processing of your application documents, the implementation of online assessments and the use of procedures for analyzing the applicant pool and for targeting potential applicants.

• Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Payment Data (e.g. bank details, invoices, payment history); Contact data (e.g. postal and email addresses or phone numbers); Contract data (e.g. contract object, duration, customer category); Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features). Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
• Data subjects: Service recipients and clients; Business and contractual partners; Prospective customers. Education and course participants.
• Purposes of processing: Provision of contractual services and fulfillment of contractual obligations; Marketing; Business processes and management procedures; Conversion tracking (Measurement of the effectiveness of marketing activities). Provision of our online services and usability.
• Legal Basis: Performance of a contract and prior requests (Article 6 (1) (b) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Full Fabric: The platform facilitates the efficient management of admission processes through an integrated CRM and admissions system, which eases the handling of the entire application process from initial contact to enrolment. Course registration is automated and simplified, significantly reducing administrative effort. Communication with prospects and students is supported by a personalized CRM tool tailored to the individual needs and interests of the students. Moreover, the system aids in capturing academic achievements by enabling educators and administrative staff to efficiently record and manage performance data. The platform also offers features for data-driven decisions, allowing educational institutions to analyse key data and trends and continuously improve their strategies; Service provider: Full Fabric, 1 Primrose Street, EC2A 2EX London, United Kingdom; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.fullfabric.com/; Privacy Policy: https://www.fullfabric.com/privacy-policy. Basis for third-country transfers: EEA – Adequacy decision (United Kingdom), Switzerland – Adequacy decision (United Kingdom).

10. Provision of online services and web hosting

We process user data in order to be able to provide them with our online services. For this purpose, we process the IP address of the user, which is necessary to transmit the content and functions of our online services to the user’s browser or terminal device.

• Processed data types: Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties); Log data (e.g. log files concerning logins or data retrieval or access times.). Content data (e.g. textual or pictorial messages and contributions, as well as information pertaining to them, such as details of authorship or the time of creation.).
• Data subjects: Users (e.g. website visitors, users of online services).
• Purposes of processing: Provision of our online services and usability; Information technology infrastructure (Operation and provision of information systems and technical devices, such as computers, servers, etc.).); Security measures; Server monitoring and error detection; Firewall. Content Delivery Network (CDN).
• Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).

Further information on processing methods, procedures and services used:

• Provision of online offer on rented hosting space: For the provision of our online services, we use storage space, computing capacity and software that we rent or otherwise obtain from a corresponding server provider (also referred to as a “web hoster”); Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR).
• Collection of Access Data and Log Files: Access to our online service is logged in the form of so-called “server log files”. Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, notification of successful retrieval, browser type along with version, the user’s operating system, referrer URL (the previously visited page), and typically IP addresses and the requesting provider. The server log files can be used for security purposes, e.g., to prevent server overload (especially in the case of abusive attacks, known as DDoS attacks), and to ensure server load management and stability; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Retention period: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data, the further storage of which is necessary for evidence purposes, are excluded from deletion until the respective incident has been finally clarified.
• New Relic: Server monitoring und error detection; Service provider: https://newrelic.com, New Relic, Inc. Attn: Legal Department 188 Spear Street, Suite 1200 San Francisco, CA 94105, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://newrelic.com; Security measures: IP Masking (Pseudonymization of the IP address); Privacy Policy: https://newrelic.com/termsandconditions/privacy; Data Processing Agreement: https://newrelic.com/termsandconditions/terms; Basis for third-country transfers: EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (Provided by the service provider). Retention period: The aggregated data are deleted after three months, the pseudonymised data after seven days.
• Wordfence: firewall and security and error detection functions to detect and prevent unauthorized access attempts as well as technical vulnerabilities that could enable such access. For these purposes, cookies and similar storage procedures required for this purpose may be used and security logs may be created during testing and, in particular, in the event of unauthorized access. In this context, the IP addresses of the users, a user identification number and their activities, including the time of access, are processed and stored and compared with the data provided by the provider of the firewall and security function and transmitted to the latter; Service provider: Defiant, Inc., 800 5th Ave Ste 4100, Seattle, WA 98104, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.wordfence.com; Privacy Policy: https://www.wordfence.com/privacy-policy/; Basis for third-country transfers: EEA – Standard Contractual Clauses (https://www.wordfence.com/standard-contractual-clauses/), Switzerland – Standard Contractual Clauses (https://www.wordfence.com/standard-contractual-clauses/). Further Information: https://www.wordfence.com/help/general-data-protection-regulation/.
• Cloudflare: Content-Delivery-Network (CDN) – service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Cloudflare, Inc., 101 Townsend St, San Francisco, CA 94107, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.cloudflare.com; Privacy Policy: https://www.cloudflare.com/privacypolicy/; Data Processing Agreement: https://www.cloudflare.com/cloudflare-customer-dpa/. Basis for third-country transfers: EEA – Data Privacy Framework (DPF), Switzerland – Standard Contractual Clauses (https://www.cloudflare.com/cloudflare-customer-scc/).
• Akamai: Content-Delivery-Network (CDN) – service with whose help contents of our online services, in particular large media files, such as graphics or scripts, can be delivered faster and more securely with the help of regionally distributed servers connected via the Internet; Service provider: Akamai Technologies GmbH, Parkring 22, D-85748 Garching, Germany; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.akamai.com; Privacy Policy: https://www.akamai.com/de/legal/compliance/privacy-trust-center; Data Processing Agreement: https://www.akamai.com/de/legal/compliance/privacy-trust-center (Akamai Data Processing Agreement – For Customers). Basis for third-country transfers: EEA – Standard Contractual Clauses (https://www.akamai.com/de/legal/compliance/privacy-trust-center (Cross-Border Data Transfer)), Switzerland – Adequacy decision (Germany).
• InterNetX: Services in the field of the provision of information technology infrastructure and related services (e.g. storage space and/or computing capacities); Service provider: InterNetX GmbH, Johanna-Dachs-Str. 55, 93055 Regensburg, Germany; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.internetx.com//; Privacy Policy: https://www.internetx.com/datenschutz/; Data Processing Agreement: Provided by the service provider. Basis for third-country transfers: Switzerland – Adequacy decision (Germany).

11. Use of Cookies

Cookies are small text files or other types of storage markers that store information on end devices and read information from them. For example, to save the login status in a user account, the contents of a shopping cart in an e-shop, the content accessed, or the functions used of an online offer. Furthermore, cookies can be used for various concerns, such as for the functionality, security, and comfort of online offers as well as the creation of analyses of visitor flows.

Notes on Consent: We use cookies in accordance with legal regulations. Therefore, we obtain prior consent from users, unless it is not required by law. Permission is particularly not necessary if the storage and reading of information, including cookies, are absolutely necessary to provide a telemedia service (i.e., our online offer) expressly requested by the users. The revocable consent is clearly communicated to them and contains information on the respective cookie usage.

Notes on the legal basis for data protection: The legal basis on which we process users’ personal data with the help of cookies depends on whether we ask them for consent. If users accept, the legal basis for processing their data is the declared consent. Otherwise, the data processed with the help of cookies are based on our legitimate interests (e.g., in a commercial operation of our online offer and its usability improvement) or, if this occurs within the fulfillment of our contractual obligations, when the use of cookies is necessary to fulfill our contractual obligations. We clarify the purposes for which the cookies are used by us in the course of this data protection declaration or within the scope of our consent and processing processes.

Storage Duration: Regarding the storage duration, the following types of cookies are distinguished:

• Temporary cookies (also: session or session cookies): Temporary cookies are deleted at the latest after a user has left an online offer and closed his end device (e.g., browser or mobile application).
• Permanent cookies: Permanent cookies remain stored even after closing the end device. For example, the login status can be saved and preferred content can be displayed directly when the user revisits a site. Similarly, user data collected via cookies can be used for reach measurement. Unless we provide users with explicit information about the nature and storage duration of cookies (e.g., when obtaining consent), they should assume that they are permanent and the storage duration can be up to two years.

General notes on revocation and objection (Opt-out): Users can revoke the consents they have given at any time and also declare an objection to the processing according to legal requirements, also via the privacy settings of their browser.

• Processed data types: Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties).
• Data subjects: Users (e.g. website visitors, users of online services).
• Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR). Consent (Article 6 (1) (a) GDPR).

Further information on processing methods, procedures and services used:

• Processing Cookie Data on the Basis of Consent: We implement a consent management solution that obtains users’ consent for the use of cookies or for the processes and providers mentioned within the consent management framework. This procedure is designed to solicit, log, manage, and revoke consents, particularly regarding the use of cookies and similar technologies employed to store, read from, and process information on users’ devices. As part of this procedure, user consents are obtained for the use of cookies and the associated processing of information, including specific processing and providers named in the consent management process. Users also have the option to manage and withdraw their consents. Consent declarations are stored to avoid repeated queries and to provide proof of consent according to legal requirements. The storage is carried out server-side and/or in a cookie (so-called opt-in cookie) or by means of comparable technologies in order to associate the consent with a specific user or their device.If no specific details about the providers of consent management services are provided, the following general notes apply: The duration of consent storage is up to two years. A pseudonymous user identifier is created, which is stored along with the time of consent, details on the scope of consent (e.g., relevant categories of cookies and/or service providers), as well as information about the browser, system, and device used; Legal Basis: Consent (Article 6 (1) (a) GDPR).
• Usercentrics: Cookie Consent Management: Procedures for obtaining, recording, managing, and revoking consents, particularly for the use of cookies and similar technologies for storing, accessing, and processing information on users’ devices as well as their processing; Service provider: Usercentrics GmbH, Sendlinger Strasse 7, 80331 Munich, Germany; Website: https://usercentrics.com/; Privacy Policy: https://usercentrics.com/privacy-policy/. Basis for third-country transfers: Switzerland – Adequacy decision (Germany).

12. Newsletter and Electronic Communications

We send newsletters, emails, and other electronic notifications (hereinafter “newsletters”) exclusively with the consent of the recipients or based on a legal basis. If the contents of the newsletter are specified during registration for the newsletter, these contents are decisive for the users’ consent. Normally, providing your email address is sufficient to sign up for our newsletter. However, to offer you a personalised service, we may ask for your name for personal salutation in the newsletter or for additional information if necessary for the purpose of the newsletter.

Deletion and restriction of processing: We may store unsubscribed email addresses for up to three years based on our legitimate interests before deleting them to be able to demonstrate previously given consent. The processing of these data is limited to the purpose of potentially defending against claims. An individual request for deletion is possible at any time, provided that at the same time the former existence of consent is confirmed. In case of obligations to permanently observe objections, we reserve the right to store the email address solely for this purpose in a blocklist.

The logging of the registration process is based on our legitimate interests for the purpose of proving its proper execution. If we commission a service provider to send emails, this is done based on our legitimate interests in an efficient and secure mailing system.

Contents:

Information about us, our services, promotions and offers.

• Processed data types: Inventory data (For example, the full name, residential address, contact information, customer number, etc.); Contact data (e.g. postal and email addresses or phone numbers); Meta, communication and process data (e.g. IP addresses, timestamps, identification numbers, involved parties). Usage data (e.g. page views and duration of visit, click paths, intensity and frequency of use, types of devices and operating systems used, interactions with content and features).
• Data subjects: Communication partner (Recipients of e-mails, letters, etc.); Service recipients and clients; Prospective customers. Users (e.g. website visitors, users of online services).
• Purposes of processing: Direct marketing (e.g. by e-mail or postal). Marketing.
• Legal Basis: Consent (Article 6 (1) (a) GDPR). Legitimate Interests (Article 6 (1) (f) GDPR).
• Opt-Out: You can cancel the receipt of our newsletter at any time, i.e. revoke your consent or object to further receipt. You will find a link to cancel the newsletter either at the end of each newsletter or you can otherwise use one of the contact options listed above, preferably e-mail.

Further information on processing methods, procedures and services used:

• Full Fabric: The platform facilitates the efficient management of admission processes through an integrated CRM and admissions system, which eases the handling of the entire application process from initial contact to enrolment. Course registration is automated and simplified, significantly reducing administrative effort. Communication with prospects and students is supported by personalised CRM tools tailored to the individual needs and interests of the students. Moreover, the system aids in capturing academic achievements by enabling educators and administrative staff to efficiently record and manage performance data. The platform also offers features for data-driven decisions, allowing educational institutions to analyse key data and trends and continuously improve their strategies; Service provider: Full Fabric, 1 Primrose Street, EC2A 2EX London, United Kingdom; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.fullfabric.com/; Privacy Policy: https://www.fullfabric.com/privacy-policy; Basis for third-country transfers: EEA – Adequacy decision (United Kingdom), Switzerland – Adequacy decision (United Kingdom).
• Mailerlite: Email distribution and email marketing platform; Service provider: MailerLite Limited, Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://www.mailerlite.com/; Privacy Policy: https://www.mailerlite.com/legal/privacy-policy; Data Processing Agreement: https://www.mailerlite.com/legal/data-processing-agreement. Basis for third-country transfers: Switzerland – Adequacy decision (Ireland).
• Zapier: Automation of processes, merging of different services, import and export of personal and contact data as well as analyses of these processes; Service provider: Zapier, Inc., 548 Market St #62411, San Francisco, California 94104, USA; Legal Basis: Legitimate Interests (Article 6 (1) (f) GDPR); Website: https://zapier.com; Privacy Policy: https://zapier.com/privacy; Data Processing Agreement: https://zapier.com/legal/data-processing-addendum. Basis for third-country transfers: EEA – Standard Contractual Clauses (https://zapier.com/legal/standard-contractual-clauses), Switzerland – Standard Contractual Clauses (https://zapier.com/legal/standard-contractual-clauses).

13. Web Analysis, Monitoring and Optimization