We are delighted about your interest in DAAD events. Since we are also very concerned with your privacy, in the following paragraphs we would like to inform you about the way we process your personal data and your data protection rights in the context of your attendance of DAAD events. This is required according to the applicable legal regulations of German data protection law, particularly the General Data Protection Regulation (GDPR).
1. Data Processor and Data Protection Officer
The Data Processor as defined in data protection legislation is:
Deutscher Akademischer Austauschdienst e.V. (DAAD)
53175 Bonn, Germany
Tel.: +49 228 882-0
You can reach our Data Protection Officer at:
Dr Gregor Scheja
Scheja und Partner Rechtsanwälte mbB
53113 Bonn, Germany
Telephone: +49 228 227226-0
Fax: +49 228 227226-26
Contact via https://www.scheja-partner.de/kontakt/kontakt.html
2. Purposes and legal basis for data processing
2.1 Preparation, execution and monitoring of DAAD events
We process personal data whenever this is necessary for the preparation, execution and monitoring/evaluation of our events. Without this data, we would be unable to respond to your registration or to any expectations of the events, and neither could we continue developing our range of events in a way that meets your needs. The purposes depend on the specific contract and encompass in particular
- Support before, during and after the event
- Making contact with a view to providing event-specific information
- Making contact with a view to sending out event-specific questionnaires for the purpose of evaluation, based on the details provided by public funding bodies
- Evaluating user behaviour to ensure the needs-focused development of our range of events
- Providing contact details to partner organisations among the DWIH supporters, to framework agreement partners and event-specific partners and contractors of DAAD involved in preparing, organising and executing an event of DAAD
Further details about the purposes of data processing can be found in the specific contract documents.
Data is processed based on Article 6 Par. 1 b) of the GDPR. You will need to provide the personal data that is required in order to prepare, execute and monitor/evaluate the relevant event of DAAD. Without that data, we will not be able to process your requests or fulfil our contract.
We delete the data when it is no longer needed for our purposes of preparation and execution of a contract and no other legal basis applies. In the latter case, we delete the data after that legal basis is no longer applicable.
2.2 Recorded images
Your consent is principally required for recorded images of individual persons or small groups of persons in which you are visible and which may be published as part of reporting about our events on the DAAD websites and social media channels or in DAAD print publications. Your consent can be granted explicitly at our event upon our request or implied by your willing participation. If you do not wish to appear in such images, please bring this to the attention of the photographers at the event.
Data is processed based on Article 6 Par. 1 a) of the GDPR. You can revoke your consent at any time. This will not affect the legality of any processing that occurred based on your consent until your revocation of consent.
We delete the data when it is no longer needed for our purposes or when you revoke your consent and no other legal basis applies. In the latter case, we delete the data after that legal basis is no longer applicable.
2.2.2 Protection of legitimate interests
We process recorded images of groups of persons (more than four persons) or particular categories of persons (such as speakers at events, lecturers, public figures) in which you are visible and which may be published as part of reporting about our events on the DAAD websites and social media channels or in DAAD print publications for the purpose of protecting our legitimate interests. Our interest in this case is to report on our events.
Data is processed based on Article 6 Par. 1 f) of the GDPR.
We will delete your data once it is no longer required for our purposes and no other legal basis for retention applies. In the latter case, we delete the data after that legal basis is no longer applicable.
3. Recipients of personal data
Internal recipients: Within the DAAD, access is limited to persons requiring it for the purposes specified under clause 2. Where this is necessary to prepare, execute and monitor/assess the relevant event of DAAD, your data will be transmitted to the responsible work units of the DAAD headquarters, DAAD regional offices, information centres and lecturers.
External recipients: We only share your personal data with external recipients outside the DAAD if this is required for the purposes listed in clause 2. if we are otherwise legally permitted to do so, or if you have given us your consent for this purpose.
External recipients may be:
External service providers we use for the provision of services, for instance, in the technical infrastructure and maintenance of the DAAD’s own services or for the provision of contract-relevant content. We carefully select such processors and regularly check them to ensure the safeguarding of your privacy. Service providers may only use data for the purposes we specify.
b) Public bodies
Public authorities and state institutions, such as public prosecutors, courts of law and fiscal authorities, to which we need to send personal data for mandatory legal reasons.
c) Private bodies
Dealers, cooperation partners or assisting persons to whom we send data based on the purposes listed under clause 2 or based on a declaration of consent or on a legal basis, for instance hotels, print shops, advertising agencies, organisers/hosts of trade fairs and other event formats in science and research where DAAD envisages participation, partner institutions among the DWIH supporters that do not predominantly receive public support.
4. Data processing in third countries
If data is transmitted to bodies that have their head offices or data-processing locations outside EU member states and outside states forming part of the EEA, we ensure before disclosure that – except for certain legally permitted exceptions – those bodies either have your adequate consent or they provide an adequate level of data protection (for instance, through an adequacy decision taken by the European Commission, through suitable guarantees such as the recipient’s self-certification for the EU-US Privacy Shield or the agreement of so-called standard EU contractual clauses with the recipient).
You can request from us a list of recipients in third countries and a copy of the provisions that have been agreed in each case to ensure an adequate level of data protection. To do so, please use the contact details given in clause 1.
5. Automated case-by-case decisions including profiling
Automated decisions on a case-by-case basis including profiling as defined by Article 22 of the GDPR do not take place.
6. Retention period
For the retention period of personal data, please refer to clause 2.
In addition, the following applies: We only save your personal data for as long as it is necessary for fulfilling the stated purposes or – if you have given your consent – until you revoke your consent. If you revoke your consent, we erase your personal data, unless further processing is permitted under the relevant applicable statutory provisions.
We also erase your personal data if we are under an obligation to do so on legal grounds.
7. Rights of data subjects
As a person affected by data processing, you are entitled to specific rights. These are in detail:
Right to information: You have a right to access the data we have stored about you as a person.
Right to rectification and erasure: You can require us to correct inaccurate data or – provided that the legal grounds are in place – to erase your data.
Restriction of processing: Provided that the legal grounds are in place, you can require us to restrict the processing of your data.
Data portability: If you have provided us with data based on a contract or your consent, and as long as there are legal grounds, you can require us to send you the data you gave us in a structured, commonly used and machine-readable format, or you can require us to send your data to a different controller.
Objection to data processing for reason of “justified interest” as a legal basis:
If there are reasons arising from your specific situation, you are entitled to object to our processing of your data at any time, provided that such an objection has its legal basis in a “legitimate interest”. If you make use of your right to object, we shall discontinue the processing of your data, unless we can – within the parameters of the law – demonstrate compelling legitimate grounds for further processing, outweighing your own rights.
Revocation of consent: If you have given us your consent to the processing of your data, you can revoke this at any time with future effect. This, however, does not affect the legitimacy of processing your data until the date of revocation.
Right to lodge a complaint with the supervisory authority: You can also lodge a complaint with the competent supervisory authority if you believe that the processing of your data has breached the latest applicable law. To do so, you can contact the data protection authority responsible for your place of residence or country or the data protection authority responsible for ourselves.
Your options for contacting us and for exercising your rights: If you have any questions about the processing of your personal data, your rights as a data subject or any consent you may have given, please feel free to contact us free of charge. To exercise any of the afore mentioned rights, please contact firstname.lastname@example.org or write to the address specified in clause 1. When you do so, please make sure that we can clearly identify you.