NORDAKADEMIE

Privacy policy

of the NORDAKADEMIE University of Applied Sciences

In the following we inform you about the collection of personal data when using our website. We also inform our customers, service providers and suppliers about the use of your data in the Microsoft 365 environment.

If you have any further questions about the handling of your personal data, please contact our data protection officer.

Controller

The controller within the meaning of the General Data Protection Regulation (GDPR) is the

NORDAKADEMIE gemeinnützige Aktiengesellschaft Hochschule der Wirtschaft
Köllner Chaussee 11
25337 Elmshorninfo@nordakademie.de
Phone: +49 (0) 4121 4090-0
Fax: +49 (0) 4121 4090-40
Email: info@nordakademie.de

If you have any questions about data protection, please contact our external data protection officer:

Mr. Schewior
c/o intersoft consulting services AG
At the Strohhaus 17
20097 Hamburg
Email: dsb@nordakademie.de

Contact

When you contact us by email or via a contact form, we will store the data you provide (your email address, and, where applicable, your name and telephone number) in order to answer your questions and deal with your enquiries. The legal basis for this is Article 6(1)(f) of the GDPR. Where we request information via our contact form that is not necessary for establishing contact, we have always marked this as optional. We use this information to clarify your enquiry and to process your request more effectively. The provision of this information is expressly on a voluntary basis and with your consent, Article 6(1)(a) of the GDPR. Insofar as this concerns details of communication channels (e.g. email address, telephone number), you also consent to us contacting you via this communication channel, if necessary, in order to respond to your enquiry. You may, of course, withdraw this consent at any time with future effect.

The data we have received from you when you contacted us will be deleted as soon as it is no longer required to fulfil the purpose for which it was collected, your enquiry has been fully processed, and no further communication with you is required or requested by you.

As the data controller, our company has implemented numerous technical and organisational measures to ensure the most comprehensive possible protection of the personal data processed via this website. Nevertheless, internet-based data transmissions may, in principle, be subject to security vulnerabilities. Absolute protection cannot be guaranteed; in any case, sending unencrypted emails is not secure. We therefore ask that you do not send sensitive data via unencrypted email, but instead use either encrypted communication channels (e.g. our contact form) or post.

Your rights

We will be happy to inform you whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and to receive the information specified in detail in Article 15 of the GDPR. Furthermore, subject to the relevant legal requirements, you have the right to rectification (Article 16 of the GDPR), the right to restriction of processing (Article 18 of the GDPR), the right to erasure (Article 17 of the GDPR) and the right to data portability (Article 20 of the GDPR).

You have the right to object to the processing under the legal requirements (Art. 21 GDPR).

To exercise your rights as set out above, please contact us by email at DSB@Nordakademie.de or by post. There is no charge for exercising your rights as set out above.

Without prejudice to these rights and the possibility of seeking other administrative or judicial remedies, you have the right at any time to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection regulations (Article 77 of the GDPR).

Legal basis for our data processing

The processing of personal data may be based on various legal grounds. Where we require your data to fulfil a contract with you or to respond to enquiries from you regarding a contract, the legal basis for this data processing is Article 6(1)(b) of the GDPR. This also includes the organisation of events and any associated (preparatory) data processing. If we seek your consent for a specific data processing operation, the legal basis is Article 6(1)(a) of the GDPR. We carry out some data processing operations on the basis of our legitimate interests, whereby a balance is always struck between your interests worthy of protection and our legitimate interests. The legal basis for this is Article 6(1)(f) of the GDPR. Where processing is necessary to comply with a legal obligation to which we are subject, the legal basis is Article 6(1)(c) of the GDPR.

Duration of data storage

The data will be deleted as soon as it is no longer required for the purpose for which it was collected.

Below, we explain how we process personal data via our website.

Data processing when accessing the website

When you use the website purely for information purposes – i.e. if you do not register or otherwise provide us with information (e.g. via a contact form) – we collect the following technical information (log file data):

– Operating system of the device you are using to visit our website
– Browser (type, version & language settings)
– The amount of data accessed
– The current IP address of the device you are using to visit our website
– Date and time of access
– The URL of the previously visited website (referrer)
– The URL of the (sub)page you access on the website
– The internet service provider of the accessing system

The collection of this data is technically necessary to display our website to you and to ensure stability and security. We are generally unaware of who is behind an IP address. We do not combine the data listed above with any other data.

The legal basis is Article 6(1)(f) of the GDPR. As the collection of data for the provision of the website and its storage in log files is strictly necessary for the operation of the website and to protect against misuse, our legitimate interest in data processing prevails in this instance.

Data security

We have implemented comprehensive technical and organisational safeguards to protect your data against accidental or deliberate manipulation, loss, destruction or access by unauthorised persons. Our security procedures are reviewed regularly and adapted to technological advancements.

Data transfer

We do not, as a rule, transfer your personal data to third parties, unless we are legally obliged to do so, or the transfer of data is necessary for the performance of the contractual relationship, or you have previously given your express consent to the transfer of your data.

External service providers and partner companies, such as a delivery company commissioned to handle the delivery, will only receive your data to the extent necessary to process your order. In such cases, however, the scope of the data transferred is limited to the minimum necessary. Where our service providers process your personal data on our behalf, we ensure, within the framework of data processing in accordance with Article 28 of the GDPR, that they comply with the provisions of data protection laws in the same manner. Please also note the privacy policies of the respective providers. The respective service provider is responsible for the content of third-party services, although we will, within reasonable limits, check these services for compliance with legal requirements.

We are committed to processing your data within the EU/EEA. However, there may be instances where we use service providers who process data outside the EU/EEA. In such cases, we ensure that, prior to the transfer of your personal data, an adequate level of data protection, comparable to the standards within the EU, is established at the recipient’s end. This can be achieved, for example, through EU standard contractual clauses, Binding Corporate Rules, or specific agreements to which the company may submit.

Accessibility and Eye-Able

To ensure the accessibility of our websites in accordance with the requirements of the Accessibility Enhancement Act, we use an accessibility solution provided by Web Inclusion GmbH (Eye-Able). The solution is technically integrated via the provider’s servers and is only made available once users have specifically activated it.

When using the accessibility features, the IP address, standard technical data such as the browser and operating system used, and individual settings for the selected accessibility options are processed. According to the provider, the IP address is anonymised prior to further processing. Accessibility settings are stored locally in the browser (local storage); this is technically necessary to ensure accessible use in accordance with legal requirements and does not require separate consent under Section 25(2)(2) of the TDDDG.

In particular, the accessibility features allow key content on our website to be displayed in high-contrast colour schemes, for example, and enable users to have content read aloud. The processing of this data is carried out on the basis of Article 6(1)(c) of the GDPR in conjunction with the provisions of the BFSG, and additionally on the basis of Article 6(1)(f) of the GDPR, based on the legitimate interest in providing barrier-free access to our website for all user groups, in particular people with disabilities. The data is used exclusively for the provision and technical optimisation of the accessibility features; it is not processed for advertising or analytical purposes. The recipient of the data within the framework of commissioned processing is Web Inclusion GmbH. No personal data is transferred to third countries, and processing takes place exclusively within the European Union. No personal data is transferred to Eye-Able unless the aforementioned functions are activated.

Applications

Applying as a prospective student
You can apply to study at Nordakademie via our website. You can find the privacy policy for prospective students here.

When you apply for a place on our website, you must first complete an online test. Please refer to the privacy policy on the online test website for details of the data collected from you during this process.

Applying as a staff member

You can apply to our company electronically, e.g. via email or web forms. Please note that emails sent in unencrypted form are not transmitted in a secure manner.

Which of your personal data do we use?

We process your personal data to the extent necessary for the application process. This includes the following categories of data:

Standard information

Applicant details (first name, surname, address, job title)
Qualification details (cover letter, CV, previous employment, professional qualifications)
(Employment) references and certificates (performance data, assessment data, etc.)

Other information

Voluntary information, such as a photograph for your application, details regarding your status as a person with a severe disability, or any other information you voluntarily provide to us in your application.

We only process the personal data that we receive from you as part of the application process.

In some cases, we receive personal data from the following sources

Recruitment agencies
Social media (LinkedIn, Xing, etc.)

For what purposes and on what legal basis do we process your data?

Your details will be used to process your application and to decide whether to enter into an employment relationship with you. The legal basis for this is Section 26(1) in conjunction with Section 8(2) of the Federal Data Protection Act (BDSG). Furthermore, your personal data may be processed to the extent that this is necessary to defend against any legal claims asserted against us arising from the application process. The legal basis for this is Article 6(1)(f) of the GDPR. The stated purposes also constitute a legitimate interest in the processing. Other legitimate interests in this sense include, for example, a duty to provide evidence in proceedings under the General Equal Treatment Act (AGG).

Insofar as an employment relationship is established between you and us, we may, in accordance with Section 26(1) of the Federal Data Protection Act (BDSG), further process the personal data already received from you for the purposes of the employment relationship, if this is necessary for the performance or termination of the employment relationship or for the exercise or fulfilment of the rights and obligations of the employees’ representative body arising from a law or a collective agreement, a works or service agreement (collective agreement).

If you have given us your voluntary consent to the collection, processing or transfer of certain personal data, this consent forms the legal basis for the processing of this data in accordance with Article 6(1)(a) of the GDPR and Section 26(2) of the BDSG.

Your application data will not be processed for any purpose other than that described above.

Who will your data be shared with?

Your data is primarily processed by our HR department and specialist departments. In some cases, external parties such as IT service providers (e.g. maintenance providers, hosting providers) may also be involved in the processing of your data.

Is your data transferred to countries outside the European Union (so-called third countries)?

We place great importance on processing your data within the EU / EEA. However, there may be instances where we use service providers who process data outside the EU / EEA. In such cases, we ensure that, prior to the transfer of your personal data, an adequate level of data protection, comparable to the standards within the EU, is established at the recipient’s end. This can be achieved, for example, through EU standard contractual clauses, Binding Corporate Rules, or specific agreements to which the company may be subject.

How long will your data be stored?

Your personal data will be deleted no later than six months after the application process has been completed, provided that there are no other legitimate interests on our part that prevent deletion or you have not given us your consent for longer storage. If an employment relationship is not established but you have given us your consent to continue storing your data, we will store your data until you withdraw your consent, but for no longer than one year. In specific circumstances, we may also store your data for a longer period for the purpose of defending against potential legal claims.

What rights do you have in relation to the processing of your data?

Every data subject has the right of access under Article 15 of the GDPR, the right to rectification under Article 16 of the GDPR, the right to erasure under Article 17 of the GDPR, the right to restriction of processing under Article 18 of the GDPR, the right to object under Article 21 of the GDPR, and the right to data portability under Article 20 of the GDPR. The restrictions set out in Sections 34 and 35 of the Federal Data Protection Act (BDSG) apply to the right of access and the right to erasure.

We will be happy to inform you whether personal data concerning you is being processed; if this is the case, you have the right to access this personal data and to the information specified in detail in Article 15 of the GDPR. Furthermore, subject to the relevant legal requirements, you have the right to rectification (Article 16 of the GDPR), the right to restriction of processing (Article 18 of the GDPR), the right to erasure (Article 17 of the GDPR) and the right to data portability (Article 20 of the GDPR).

What rights do you have in the event of data processing based on your legitimate interests or the public interest?

Under Article 21(1) of the GDPR, you have the right, on grounds relating to your particular situation, to object at any time to the processing of personal data concerning you which is carried out on the basis of Article 6(1)(e) of the GDPR (data processing in the public interest) or on the basis of Article 6(1)(f) of the GDPR (data processing to safeguard a legitimate interest).
In the event of your objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.
You may withdraw your consent to the processing of personal data at any time. Please note that the withdrawal only applies to future processing.

Without prejudice to these rights and the possibility of seeking other administrative or judicial remedies, you have the right at any time to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes data protection regulations (Article 77 of the GDPR).

Is there an obligation to provide your personal data?

The provision of personal data is not required by law or contract, nor are you obliged to provide such data. However, the provision of personal data is necessary for the application process to proceed. This means that if you do not provide us with personal data when applying, we will not be able to proceed with the application process.

What are cookies?

Cookies are pieces of data stored on your computer by a website you visit, which enable your browser to be identified on subsequent visits. Cookies transmit information to the entity that sets the cookie. Cookies can store various types of information, such as your language settings, the duration of your visit to our website, or the data you have entered there. This prevents you, for example, from having to re-enter necessary form data every time you use the site. The information stored in cookies can also be used to identify preferences and tailor content to your areas of interest.

There are various types of cookies: session cookies are data sets that are only temporarily stored in the working memory and deleted when you close your browser. Persistent cookies are automatically deleted after a specified period, which may vary depending on the cookie. With this type of cookie, the information may also be stored in text files on your computer. However, you can delete these cookies at any time via your browser settings.

First-party cookies are set by the website you are currently visiting. Only this website is permitted to read information from these cookies. Third-party cookies are set by organisations that do not operate the website you are visiting. These cookies are used, for example, by marketing companies.

The legal basis for any processing of personal data via cookies and their retention periods may vary. Where you have given us your consent, the legal basis is Article 6(1)(a) of the GDPR. Where data processing is carried out on the basis of our overriding legitimate interests, the legal basis is Article 6(1)(f) of the GDPR. The stated purpose then corresponds to our legitimate interest.

We use cookies to ensure the website functions properly, to provide basic functionality, to measure reach and – with your consent – to tailor our services to your preferred areas of interest.

You can delete cookies already stored on your device at any time. If you wish to prevent cookies from being stored, you can do so via the settings in your web browser. Alternatively, you can also install so-called ad blockers. Please note that certain features of our website may not work if you have disabled the use of cookies.

When you visit our website, all users are also informed via an information banner about our use of cookies and directed to this privacy policy. As a user, you will also be asked to consent to the use of certain cookies, particularly those relevant for the personalisation of services and for marketing activities. You may withdraw any consent you have given at any time with future effect.

Online Orders Shop

When you place an online order on our website, we collect the data necessary to conclude the contract. The data is stored for the duration of the contract and in accordance with legal obligations. Where necessary for the processing of the order, we will pass on your address details to a delivery service provider. The legal basis is the conclusion and performance of a contract in accordance with Article 6(1)(b) of the GDPR.

For payment processing, we use various payment service providers, who are always identified and receive your input. They are therefore the recipients of your personal data collected in connection with the payment process. The legal basis for engaging payment service providers is also the performance of a contract pursuant to Article 6(1)(b) of the GDPR.

Advisory services for prospective students

As part of our individual student advisory service, we process your personal data in order to provide you with sound advice on choosing a degree programme and to support you in your decision. Once you have completed the personality test, we use the results to analyse your strengths, weaknesses and preferences together with you, and to make recommendations regarding suitable degree programmes at our university. In addition, the results of the tests you have completed are used in anonymised form for internal research purposes.

We primarily process your contact details, your test results, your bank details and the information you provide regarding your individual qualifications.

Processing is carried out on the basis of your voluntary consent in accordance with Article 6(1)(a) of the GDPR, which you may withdraw at any time with future effect. A further legal basis is the performance of a contract or the processing for pre-contractual measures pursuant to Article 6(1)(b) of the GDPR.

We would also like to point out that, whilst we work with the service provider 20Flow7 GmbH to carry out the test, we regard them as a separate data controller. We only receive the individual results of your test, which forms part of our service.

Registration with the CIS (Campus Information System)

You have the option to register on our websites and create a customer/user account. Any personal data that must be provided is marked as a mandatory field on the relevant registration form; any further details are optional.

For the purpose of registration, we collect and store the following data from you (optional):

– Title
– First name
– Surname
– Email (username)
– Password
– Address
– Date of birth

We use the so-called double opt-in procedure for registration, i.e. your registration is only complete once you have confirmed your sign-up by clicking on the link contained in a confirmation email sent to you for this purpose. If you do not confirm your registration [within 24 hours], your details will be automatically deleted from our database. Once registration is complete, you will receive personal, password-protected access and will be able to view and manage the data you have provided. Registration is voluntary, but may be a prerequisite for using certain services we offer.

We store the data required to fulfil the contract, including payment details where applicable, until you permanently delete your account. We also store any additional data you have provided for the duration of your use of the user account, unless you delete it beforehand. You can manage and amend all details in the secure customer area.

You can delete your user account at any time. Upon deletion of the account, all personal data not subject to a statutory retention obligation or Article 17(3) of the GDPR will be deleted.

The legal basis for this data processing is Article 6(1)(a), (b) and (f) of the GDPR. You may, of course, withdraw your consent at any time with effect for the future.

Registration for events

On our website, we provide a calendar with an overview of all events. If you register for an event, we will store the personal data you provide (name, email address and, where applicable, telephone number) in order to use this information for the organisation and running of the event. The processing of this data is based on your voluntary consent, Article 6(1)(a) of the GDPR. You may, of course, withdraw this consent at any time with effect for the future.

We will delete the data collected in this context once storage is no longer necessary, or restrict its processing if statutory retention obligations apply.

HubSpot

This website uses HubSpot for its online marketing activities. HubSpot is a US-based software company with a branch in Ireland. Contact: HubSpot, 2nd Floor, 30 North Wall Quay, Dublin 1, Ireland.
This is an integrated software solution that covers various aspects of online marketing. These include, amongst others, email marketing, social media publishing & reporting, contact management, landing pages and contact forms. Cookies are also stored on the device you are using.
Our registration service enables visitors to our website to find out more about our company, download content and provide their contact details and other demographic information. This information, along with the content of our website, is stored on servers belonging to our software partner HubSpot. We may use this information to contact visitors to our website and to determine which of our company’s services are of interest to them. All information we collect is subject to this privacy policy. We use all collected information exclusively to optimise our marketing activities. HubSpot’s privacy policy can be found at: https://legal.hubspot.com/privacy-policy.

The data collected when using the registration service is transferred to the USA and processed there. HubSpot Inc. has obtained certification under the Data Privacy Framework (DPF) programme and is listed on the International Trade Administration’s (ITA) Data Privacy Framework list. This means that HubSpot Inc. has publicly committed to complying with the DPF obligations and that any data transfer to the USA is safe on the basis of the European Commission’s current adequacy decision of 10 July 2023.

A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

Further information from HubSpot regarding EU data protection regulations can be found at: https://legal.hubspot.com/data-privacy
Further information on the cookies used by HubSpot can be found here: knowledge.hubspot.com/articles/kcs_article/reports/what-cookies-does-hubspot-set-in-a-visitor-s-browser and knowledge.hubspot.com/articles/kcs_article/account/hubspot-cookie-security-and-privacy

Data collection and storage are carried out on the basis of your consent in accordance with Article 6(1)(a) and on the basis of our legitimate interests in accordance with Article 6(1)(f) of the GDPR. This consent may be withdrawn at any time with effect for the future. HubSpot tracking is carried out via the consent tool under ‘Analytics’. Our legitimate interest is based on the operation of the website and the proper display of the website.

If you have deactivated the category (“Analytics”), this deactivation will be applied to the relevant provider, HubSpot.

jsDelivr.com

This website uses the CDN service jsDelivr.com, a service provided by ProspectOne, Królewska 65A/1, 30-081, Kraków, Poland.
JsDelivr.com is a CDN service that operates as a network of regionally distributed servers via the internet. This enables content and large files to be delivered quickly and reliably. We use this service to ensure improved performance of our website.

JsDelivr.com uses the data that is automatically processed when you use the website. This usage data may include information such as your computer’s Internet Protocol address (e.g. IP address), browser type, browser version, referrer data (limited to the domain), the URLs of our service that you visit (limited to the domain cdn.jsdelivr.net), the time and date of your visit, unique device identifiers and other diagnostic data.

The data is stored only for as long as is necessary to comply with legal obligations and to ensure the security and functionality of the service.

The legal basis for this processing is, in principle, our legitimate interest pursuant to Article 6(1)(f) of the GDPR. Our legitimate interests consist of ensuring security, stability and a wide range of content.

Further information on the provider’s data processing practices, in particular regarding data protection and data security, can be found at: https://www.jsdelivr.com/terms/privacy-policy-jsdelivr-net

DoubleClick by Google

We use the online marketing tool DoubleClick by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. The data controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland. DoubleClick uses cookies to display adverts relevant to users, to improve campaign performance reports, or to prevent users from seeing the same adverts multiple times. To do this, Google uses a cookie ID to track which adverts are displayed in which browser. This prevents the same advert from being shown multiple times. Furthermore, DoubleClick can use cookie IDs to track so-called conversions related to adverts. This is the case, for example, when a user sees a DoubleClick advert and later visits the advertiser’s website using the same browser and makes a purchase there.

When you visit a page that uses DoubleClick and where the DoubleClick script is enabled, your browser automatically establishes a direct connection to Google’s server. As the website operator, we have no influence over the scope or further use of the data collected by Google through the use of this tool. We are providing this information to the best of our knowledge: Through the integration of DoubleClick, Google receives the information that you have accessed the relevant part of our website or clicked on one of our advertisements. If you are registered with a Google service, Google may associate the visit with your account. Even if you are not registered with Google or have not logged in, there is a possibility that the provider may obtain and store your IP address.

Further information on DoubleClick by Google is available at https://www.google.de/doubleclick, and on Google’s data protection practices in general at https://www.google.de/intl/de/policies/privacy. Alternatively, you can visit the Network Advertising Initiative (NAI) website at https://www.networkadvertising.org.

Data is collected and stored only with your express consent in accordance with Article 6(1)(a) of the GDPR. This consent may be withdrawn at any time with future effect. If you have opted out of the ‘Analytics’ category, this opt-out will be applied to the relevant provider.

Google Analytics

Provided you have given your consent, this website uses Google Analytics, a web analytics service provided by Google LLC. The data controller for users in the EU/EEA and Switzerland is Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland (“Google”).

Scope of processing
Google Analytics uses cookies that enable us to analyse how you use our websites. The information collected via these cookies regarding your use of this website is usually transmitted to a Google server in the USA and stored there.

We use the User ID feature. With the help of the User ID, we can assign a unique, persistent ID to one or more sessions (and the activities within those sessions) and analyse user behaviour across devices.

We use Google Signals. This allows Google Analytics to collect additional information about users who have enabled personalised ads (interests and demographic data), and ads can be served to these users in cross-device remarketing campaigns.

During your visit to the website, your user behaviour is recorded in the form of ‘events’. Events may include:
- Page views
- First visit to the website
- Start of the session
- Your ‘click path’, interaction with the website
- Scrolls (whenever a user scrolls to the bottom of the page (90%))
- Clicks on external links
- Internal search queries
- Interaction with videos
- Adverts viewed / clicked

The following information is also collected:
- Your approximate location (region)
- Your IP address (in truncated form)
- Technical information about your browser and the devices you use (e.g. language settings, screen resolution)
- Your internet service provider
- The referrer URL (the website or advertising material via which you arrived at this website)

Purposes of processing

On behalf of the operator of this website, Google will use this information to evaluate your use of the website and to compile reports on website activity. The reports provided by Google Analytics are used to analyse the performance of our website and the success of our marketing campaigns.

Recipients

The recipients of the data are/may be Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (as a data processor pursuant to Article 28 of the GDPR), Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, and Alphabet Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. It cannot be ruled out that US authorities may access the data stored by Google.

Transfers to third countries

Where data is processed outside the EU/EEA and the level of data protection does not meet European standards, we have entered into EU Standard Contractual Clauses with the service provider to ensure an adequate level of data protection. The parent company of Google Ireland, Google LLC, is based in California, USA. The transfer of data to the USA cannot be ruled out.

Google LLC has been certified under the Data Privacy Framework (DPF) programme and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that Google LLC has publicly committed to complying with the DPF obligations and that any data transfer to the USA is unobjectionable on the basis of the European Commission’s current adequacy decision of 10 July 2023. The USA is considered a safe third country in terms of a comparable level of data protection. A list of currently certified US companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

Retention period
The data we send and which is linked to cookies is automatically deleted after 14 months. Data that has reached the end of its retention period is automatically deleted once a month.

Legal basis
The legal basis for this data processing is your consent in accordance with Article 6(1)(a) of the GDPR.

Withdrawal
You may withdraw your consent at any time with future effect by accessing the cookie settings and changing your selection there. If you have deactivated the ‘Analytics’ category, this deactivation will be applied to the relevant provider. The lawfulness of the processing carried out on the basis of your consent up until its withdrawal remains unaffected.

Alternatively, you can prevent cookies from being stored in the first place by adjusting your browser settings accordingly. However, if you configure your browser to reject all cookies, this may result in restricted functionality on this and other websites. You can also prevent the collection of data generated by the cookie and relating to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by not giving your consent to the setting of the cookie.

Further information on the terms of use of Google Analytics and on data protection at Google can be found at https://marketingplatform.google.com/about/analytics/terms/de/

and at https://policies.google.com/?hl=de.

Google Maps Plug-in

If you have given your consent, we use the Google Maps mapping service on our website. Google Maps is a mapping service provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The service provider responsible for users in the EU/EEA and Switzerland is Google Ireland Limited (“Google”).

When you visit a website that includes Google Maps, your browser establishes a direct connection to Google’s servers, whereby the map content is sent to your browser and integrated by it. This includes the following data:

Date and time of the visit to the relevant website, location information, IP address, (starting) address entered as part of route planning, internet address or URL of the accessed website, usage data, and search terms.

For more information on the handling of user data, please refer to Google’s Privacy Policy: https://www.google.de/intl/de/policies/privacy/. The information collected via the API regarding your use of this website is generally processed within the European Union. The data is deleted as soon as it is no longer required for the purposes of processing.

Google LLC has obtained certification under the Data Privacy Framework (DPF) program and is listed on the International Trade Administration (ITA) Data Privacy Framework list. This means that Google LLC has publicly committed to complying with DPF obligations, and any data transfers to the United States are considered safe based on the European Commission’s current adequacy decision dated July 10, 2023. The United States is considered a safe third country with regard to a comparable level of data protection. A list of currently certified U.S. companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

The legal basis for this data processing is your consent, Art. 6(1)(a) GDPR. You may revoke your consent at any time with future effect by opening the privacy settings below under “Cookies & Tracking Settings” and adjusting the slider accordingly.

Google Tag Manager

For the sake of transparency, we would like to point out that we use Google Tag Manager on our website. This is a tag management system provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The provider for users in the EU or the EEA is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland.

Google Tag Manager is used for the technical management and deployment of website tags. Before you give your consent, no cookies or similar storage technologies are set on your device through the integration of Google Tag Manager, and no data is transmitted to Google or other third parties for tracking or marketing purposes.

Only after you have given your consent via our consent management system will additional tags and the associated processing be activated. In particular, this may involve the processing of IP addresses, online identifiers, technical information about your browser and device, as well as information regarding your use of our website. In this context, data may also be transferred to Google or other recipients outside the European Union or the European Economic Area. The legal basis for this is Art. 6(1)(a) GDPR and, where applicable, § 25(1) TDDDG.

If, following your consent, personal data is transferred to third countries, in particular to the United States, it cannot be ruled out that government authorities may access this data without equivalent legal remedies being available in every case.

You may revoke or modify your consent at any time with future effect via our consent management system. For more information about Google Tag Manager, please visit https://www.google.com/intl/de/tagmanager/use-policy.html

YouTube

We use services provided by YouTube, LLC, 901 Cherry Ave., 94066 San Bruno, CA, USA, a subsidiary of Google LLC, Amphitheatre Parkway, Mountain View, CA 94043, USA, on our website. For users whose habitual residence is in the European Economic Area or Switzerland, Google Ireland Limited (“Google”), Gordon House, Barrow Street, Dublin 4, Ireland, is the data controller responsible for your data.

To protect your personal data, we use a two-click solution. When you visit a page that contains an embedded YouTube video, a connection to the YouTube servers is only established once you click the “Confirm” button. In this case, YouTube will set cookies and use your visit data for its own purposes. If you are logged into YouTube at that time, the information about the videos you have viewed will be associated with your YouTube account. You can prevent this by logging out of your account before visiting our website. To the extent that data is processed outside the European Economic Area / the EU, where there is no level of data protection equivalent to the European standard, Google states that it uses standard contractual clauses.

Microsoft Clarity

We use the “Microsoft Clarity” tool from Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, on our website. Microsoft Clarity is a screen recording tool that records a user’s activities on our websites during a session and presents the data in a format that is easy for us to analyze. The recording and analysis of website activities serve to improve the user-friendliness of our websites and to analyze errors.

In addition, your personal data is processed for the following purposes:

-Tracking (e.g., interest-based/behavioral profiling, use of cookies),
-remarketing and conversion tracking (measuring the effectiveness of marketing measures),
-interest-based and behavioral marketing,
-profiling (creation of user profiles),
-reach measurement (e.g., traffic statistics, identification of returning users), and
-cross-device tracking (cross-device processing of user data for marketing purposes).

Various types of personal information are collected in connection with the use of Microsoft Clarity. This includes, in particular:

-Usage data (e.g., websites visited, content interests, access times),
-Meta/communication data (e.g., information about page views, UserID, SessionID),
-Location data (information about a device’s geographic location),
-Analytics data (information about user interactions on the website, e.g., clicks, scrolling, mouse movements), and
-Diagnostic data, e.g., script and image errors, erroneous interactions with buttons (dead clicks).

Further information about the data collected is available on the following website: https://learn.microsoft.com/en-us/clarity/setup-and-installation/clarity-data.

According to Microsoft, the collected data may also be used for marketing purposes.

Data processing is carried out by Microsoft Corporation, which is headquartered in the United States. Microsoft Corporation is certified under the Data Privacy Framework, meaning that data transfers to Microsoft Corporation are covered by an adequacy decision issued by the European Commission pursuant to Article 45 of the GDPR. The status of the certification can be viewed on the following website: https://www.dataprivacyframework.gov/s/.

The legal basis for processing your personal data for the specified purposes is your consent (Section 25 TTDSG and Article 6(1)(a) GDPR). You may revoke your consent at any time with future effect. To revoke your consent, you can simply adjust your cookie settings accordingly via our Privacy Policy. (See footer “Cookies & Tracking Settings”) You may also revoke your consent to data processing with Microsoft at any time: https://choice.microsoft.com/de-DE/opt-out.

For more information on how the tool works, please visit the following website: https://clarity.microsoft.com/lang/de-de. For information on how Microsoft processes personal data, please refer to Microsoft’s Privacy Statement: https://privacy.microsoft.com/de-de/privacystatement.

Facebook Custom Audiences (Facebook Pixel)

As part of our usage-based online advertising, we use the Custom Audiences service provided by Meta Platforms, Inc., 1601 S. California Avenue, Palo Alto, CA 94304, USA (hereinafter referred to as “Facebook”). For this purpose, we define target groups of users in Facebook Ads Manager based on specific characteristics, and these users are subsequently shown advertisements within the Facebook network. Users are selected by Facebook based on the profile information they have provided, as well as other data made available through their use of Facebook. If a user clicks on an advertisement and is subsequently redirected to our website, Facebook receives information via the Facebook pixel embedded on our website that the user has clicked on the ad banner. In general, a non-reversible and non-personally identifiable checksum (hash value) is generated from your usage data and transmitted to Facebook for analysis and marketing purposes. A Facebook cookie is set in the process. This cookie collects information about your activities on our website (e.g., browsing behavior, subpages visited, etc.). Your IP address is also stored and used for the geographic targeting of advertisements. We do not use Facebook Custom Audiences via the customer list or the “advanced matching” feature.

For more information about the purpose and scope of data collection, as well as the further processing and use of data by Facebook, and your privacy settings options, please refer to Facebook’s Privacy Policy. You can adjust your settings regarding which ads are shown to you on Facebook via this link and in your Facebook account settings.

Meta Platforms has been certified under the Data Privacy Framework (DPF) program and is listed in the International Trade Administration (ITA) Data Privacy Framework list. This means that Meta Platforms has publicly committed to complying with DPF obligations, and any data transfer to the U.S. is considered safe based on the European Commission’s current adequacy decision dated July 10, 2023. The U.S. is considered a safe third country with regard to a comparable level of data protection. A list of currently certified U.S. companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

For more information about Facebook’s Custom Audiences service, please visit:
https://de-de.facebook.com/business/help/449542958510885.

For more information on data processing and retention periods, please contact the provider or visit https://www.facebook.com/about/privacy.
Logged-in users can disable the “Facebook Custom Audiences” feature at https://www.facebook.com/settings/?tab=ads#_.

You can also prevent the storage of cookies altogether by adjusting your browser settings accordingly. However, please note that in this case, you may not be able to use all features of our website to their full extent. Further options for disabling third-party cookies can be found at www.networkadvertising.org/managing/opt_out.asp or on the Digital Advertising Alliance Opt-Out Platform at http://optout.aboutads.info/?c=2&lang=en.

The legal basis for this data processing is your consent, Art. 6(1)(a) GDPR. You may revoke your consent at any time with future effect by opening the privacy settings below under “Cookies & Tracking Settings” and adjusting the slider accordingly.

Facebook Fan Page

1. General Information
Social media has become an integral part of the internet and modern communication. To stay in touch with our customers and prospective clients, we have also set up our own fan page on Facebook. Facebook is a service provided by Meta Platforms, Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA (hereinafter referred to as “Facebook”).
We expressly draw your attention to the fact that Facebook stores users’ data (e.g., IP address, preferences and personal interests, behavior on Facebook pages, any personal information stored on Facebook, etc.) and uses it for business purposes.
We have no influence over the processing and further use of this data, as Facebook alone determines how it is processed. The extent to which, where, and for how long the data is stored, the extent to which the data is linked and analyzed, and to whom the data is disclosed is currently not known to us. We also have no insight into or influence over deletion periods, i.e., whether and to what extent deletion periods are adhered to.
Information from Facebook itself regarding what data is collected can be found in Facebook’s Privacy Policy, which can be viewed here: https://www.facebook.com/about/privacy/

If you are a Facebook member and are logged into your Facebook account, Facebook can associate your visit to our page with your account. If you wish to prevent Facebook from linking data about your visit to our fan page with your membership data stored on Facebook, you must

– log out of Facebook before each visit to our fan page
– delete the cookies stored on your device
– and close and restart your browser.

According to Facebook, this will delete all information that can be used to identify you on Facebook.

2. Scope of Data Collection and Storage
You do not need to be a Facebook member to view the content on our Facebook fan page. However, every time you visit our page, Facebook collects, stores, and uses data. The moment you access our fan page, your browser establishes a connection with a Facebook server. In doing so, data may be transferred to countries outside the European Union. Meta Platforms has been certified under the Data Privacy Framework (DPF) program and is listed in the Data Privacy Framework list of the International Trade Administration (ITA). This means that Meta Platforms has publicly committed to complying with DPF obligations, and any data transfer to the U.S. is considered safe based on the European Commission’s current adequacy decision of July 10, 2023. The United States is considered a safe third country with regard to a comparable level of data protection. A list of currently certified U.S. companies can be found here: https://www.dataprivacyframework.gov/s/participant-search

In any case, regardless of whether you are registered with Facebook or not, your IP address will be transmitted and cookies will be set. If you are a Facebook member and logged into your Facebook account, Facebook can associate your visit to our site with your account.

The cookies used include session cookies, which are deleted when the browser is closed, and persistent cookies, which remain on the device until they expire or are deleted by the user.

According to Facebook, the cookies it uses are intended for authentication, security, website and product integrity, advertising and measurement, website features and services, performance, as well as analysis and research. You can view details about the cookies used by Facebook (e.g., cookie names, duration, data collected, and purpose) here: https://www.facebook.com/policies/cookies/, by following the links provided there. You can adjust your settings regarding which ads you would like Facebook to show you or stop showing you at https://www.facebook.com/about/basics/advertising and at http://www.youronlinechoices.com.
At the link provided above, you can manage your preferences regarding usage-based online advertising. If you object to usage-based online advertising from a specific provider using the preference manager, this applies only to the specific collection of business data via the web browser currently in use. Preference management is cookie-based. Deleting all browser cookies will also remove the preferences you have set using the preference manager.

Data ||    Purpose   ||    Legal basis

User interactions (posts, likes, etc.) ||    User communication  ||    Art. 6(1)(f) GDPR

Facebook cookies*     ||    Targeted advertising   ||    Art. 6(1)(f) GDPR

Demographic data (e.g., based on age, location, language, or gender) ||    Targeted advertising ||    Art. 6(1)(f) GDPR

Statistical data on user interactions in aggregated form, i.e., without any personal identifiability for us (e.g., page activities, page views, page previews, likes, recommendations, posts, videos, page subscriptions, including origin and times of day)            ||    Targeted -Advertising                  ||    Art. 6(1)(f) GDPR

We do not engage in automated decision-making, including profiling, as defined in Article 22 of the GDPR.

As a general rule, we store personal data only until the specific purpose for which the data was collected has been fulfilled. In the context of a business relationship with you, we store your personal data for as long as the business relationship lasts; this also includes the initiation and execution of a contract as well as the standard statute of limitations. In addition, we store the data if and to the extent that we are subject to statutory retention obligations. Such obligations may arise, for example, from the German Commercial Code (HGB) or the German Fiscal Code (AO).
If you have given us consent for a processing operation, the data associated with the granting of consent will be stored until revoked or, at the latest, for the duration of the processing operation and, after its termination, within the scope of the statute of limitations.

3. Facebook Insights
We use the Facebook Insights feature for statistical analysis purposes. In this context, we receive anonymized data about the users of our Facebook fan page. This data does not allow us to identify you personally. For further information, please refer to Facebook’s Cookie Policy.

4. Disclosure and Use of Personal Data
To the extent that you interact on Facebook, Facebook naturally also has access to your data. Facebook is located in a non-EU country where data protection standards are lower. The transfer of data is based on the so-called Standard Data Protection Clauses.

5. Legal Basis
If processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the aforementioned interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing. We consider our legitimate interest in data processing to be the presentation of our company and our products and services for your information, and in particular the provision of modern communication channels for and with you.

6. Joint Controllers
NORDAKADEMIE gemeinnützige Aktiengesellschaft Hochschule der Wirtschaft
Köllner Chaussee 11, 25337 Elmshorn

and

Meta Platforms Ireland Limited
4 Grand Canal Square, Grand Canal Harbour,
D2 Dublin
Ireland

According to the European Court of Justice (ECJ), we are jointly responsible with Facebook for the processing of your personal data. You can find the ECJ’s decision of June 5, 2018, here: curia.europa.eu/juris/document/document.jsf?text=&docid=202543&pageIndex=0&doclang=DE&mode=req&dir=&occ=first&part=1&cid=298398

Due to this joint responsibility, we are informing you, in accordance with Article 26 of the GDPR, of the key points of the joint responsibility agreement between us and Facebook as follows: https://www.facebook.com/legal/terms/page_controller_addendum

TikTok

1. General Information
Social media has become an integral part of the internet and modern communication. To stay in touch with our customers and prospects, we have also set up a TikTok account. TikTok is a service provided by TikTok Technology Limited, located at 10 Earlsfort Terrace, Co. Dublin, Dublin, and TikTok Information Technologies UK Limited, 6th Floor, One London Wall, London, EC2Y 5EB, United Kingdom.

We expressly draw your attention to the fact that TikTok stores users’ data (e.g., IP address, preferences and personal interests, behavior on TikTok pages, any personal information stored on TikTok, etc.) and uses it for business purposes.

We have no influence over the processing and further use of this data, as TikTok alone determines how it is processed. The extent to which, where, and for how long the data is stored, the extent to which the data is linked and analyzed, and to whom the data is disclosed is currently not known to us. We also have no insight into or influence over deletion periods, i.e., whether and to what extent deletion periods are adhered to.

Information from TikTok itself regarding what data is collected can be found in TikTok’s Privacy Policy, which can be viewed here:

https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE

If you are a TikTok member and are logged into your TikTok account, TikTok may associate your visit to our site with your account. If you wish to prevent TikTok from linking data about your visit to our website with your member data stored on TikTok, you must

- log out of TikTok before each visit to our site
- delete the cookies stored on your device
- and close and restart your browser, or take any additional precautions as needed.

Scope of Data Collection and Storage
You do not need to be a TikTok member to view the content on our page. However, TikTok collects, stores, and uses data every time you visit our page. The moment you access our TikTok page, your browser establishes a connection with a TikTok server. In doing so, data may be transferred to countries outside the European Union. In any case, regardless of whether you are registered with TikTok or not, your IP address is transmitted and cookies are set. If you are a TikTok member and logged into your TikTok user account, TikTok can associate your visit to our page with your user account.

The cookies used include session cookies, which are deleted when the browser is closed, and persistent cookies, which remain on the device until they expire or are deleted by the user. A cookie is a tiny text file that enables a website to recognize a browser. Cookies are stored on your computer when you visit a website and are retrieved and read the next time you visit the web server. You can use your browser settings to decide for yourself whether and which cookies you want to allow, block, or delete. Instructions for various browsers can be found here: Internet Explorer, Firefox, Google Chrome, Google Chrome mobile, Microsoft Edge, Safari, Safari mobile. Alternatively, you can also install ad blockers, such as Ghostery.

Your data is processed in three ways: data you provide, data collected automatically, and data from other sources.

Data you provide includes, for example: profile information, user-generated content, direct messages, your contacts, purchase information when you interact with TikTok, and surveys, research, and promotional activities.

Data collected automatically includes, for example: location information, usage information, cookies, content characteristics and attributes, and inferred data.

Data from other sources includes, for example: advertising, measurement, and data partners; merchants; payment and transaction service providers; platforms; and third-party partners.

TikTok states that it processes data on various legal grounds. In doing so, data is processed on the basis of consent pursuant to Art. 6(1)(a) of the GDPR in order to display personalized advertising.

Your rights:

Whenever TikTok uses your data based on your consent, you may withdraw your consent at any time. However, withdrawing your consent does not affect the lawfulness of the processing of your data based on your consent prior to its withdrawal. You can withdraw your consent for personalized advertising by following these instructions.

You also have the right to have information that you have provided to us and that we use based on your consent transferred to another provider.

In addition, TikTok relies on contractual necessity pursuant to Article 6(1)(b) of the GDPR to achieve the following purposes:

- To provide you with the platform
- To process product orders and deliveries
- To enforce the Terms of Use, guidelines, or policies
- To manage services

Furthermore, TikTok relies on a legitimate interest pursuant to Article 6(1)(f) of the GDPR to achieve the following purposes:

To enable the use of your videos in interactive features. To provide users with tools that encourage creativity, collaboration, and enjoyment, and to give users the opportunity to reach new audiences.

To recommend your account to other users. To enable users to quickly and efficiently find and connect with other users on our platform.

To provide non-personalized advertising to all users. To display non-personalized advertising so that the platform can remain free.

To provide measurement and analytics services. So that creators and advertisers can see and understand how their ads or content are performing and which audience is viewing or interacting with their ads or content.

Ensuring the safety and stability of the community and the platform. To ensure the safety of the community, verify compliance with guidelines, and detect misuse of the platform. As well as to ensure the stability and security of the platform, including identifying and resolving technical or security issues.

Reviewing, improving, promoting, and developing the platform. Improving, promoting, and developing the platform in a well-informed manner.

Conducting independent research. Promoting independent research aimed at advancing society’s collective knowledge, including in the areas of misinformation and disinformation, violence, cybercrime, and social trends. Click here for more information.

Sharing your data with third parties. To provide you with a seamless experience, enable the sharing of your content on other platforms, allow third parties to authenticate users, and optimize the user experience.

Communication for marketing purposes. To promote the platform or third-party products and services.

In certain circumstances, TikTok may process your data based on Article 6(1)(c), (d), and (e).

For detailed information, please visit: https://www.tiktok.com/legal/page/eea/privacy-policy/de-DE

We generally store personal data only until the specific purpose for which the data was collected has been achieved. In the context of a business relationship with you, we store your personal data for as long as the business relationship lasts; this also includes the initiation and execution of a contract as well as the standard statute of limitations. In addition, we store the data if and to the extent that we are subject to statutory retention obligations. Such obligations may arise, for example, from the German Commercial Code (HGB) or the German Fiscal Code (AO).

If you have given us consent for a processing operation, the data associated with the granting of consent will be stored until revoked or, at the latest, for the duration of the processing operation and, after its completion, within the scope of the statute of limitations.

3. Disclosure and Use of Personal Data

When you interact on TikTok, TikTok naturally has access to your data. TikTok may also process data in a non-EU country (e.g., the United States, Malaysia, and Singapore) where data protection standards are lower. This data transfer is based on the so-called Standard Data Protection Clauses. You can find more information here: .

4. Legal Basis

If processing is necessary to safeguard a legitimate interest of our company or a third party, and the interests, fundamental rights, and freedoms of the data subject do not override the aforementioned interest, Article 6(1)(f) of the GDPR serves as the legal basis for the processing. We consider our legitimate interest in data processing to be the presentation of our company and our products and services for your information, and in particular the provision of modern communication options for and with you.

5. Joint Data Controllers

NORDAKADEMIE Non-Profit Public Limited Company University of Business

Köllner Chaussee 11
25337 Elmshorn
Germany

and

TikTok Technology Limited / TikTok Information Technologies UK
10 Earlsfort Terrace / Limited 6th Floor, One London Wall
Dublin / London
Ireland / UK

We are jointly responsible with TikTok for the processing of your personal data.

In accordance with Article 26 of the GDPR, we hereby inform you of the key terms of the joint controller agreement between us and TikTok: https://ads.tiktok.com/i18n/official/policy/jurisdiction-specific-term s

TikTok Pixel

We use the “TikTok Pixel” tracking and conversion tool from the Chinese company ByteDance on our website. The controller for users in the EU/EEA and Switzerland is TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (“TikTok”).

Pixels are small, invisible image files used to collect information about how users interact with a website. When the website is accessed, a simple code is automatically triggered, allowing the pixel to be loaded onto the device being used and enabling the collection of specific information about the device and the user’s actions on the website.

This allows us to measure our ad performance and conversions, as well as build audiences for remarketing. It also enables us to display interest-based advertising to users of our website and to measure and analyze their behavior on our website for statistical and market research purposes.

This may include the IP address, a device ID, device type, and operating system, as well as information about activities on our website (e.g., browsing behavior, subpages visited, etc.). This data may also be transmitted to TikTok. TikTok can use this information to associate a user of our website with a TikTok user account. TikTok uses this data to display personalized advertising to its users and to create interest-based user profiles. For more information on data processing by TikTok, please refer to TikTok’s Privacy Policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=de

Data processing by TikTok Pixel is based on your consent pursuant to Art. 6(1)(a) GDPR. You may revoke this consent at any time with future effect by changing your settings accordingly in our consent banner.

If data is transferred to countries outside the European Economic Area where there is no level of data protection equivalent to the European standard, TikTok states that it uses standard data protection clauses in accordance with Article 46(2)(c) of the GDPR.

For more information about TikTok’s data processing practices, please refer to TikTok’s Privacy Policy: https://www.tiktok.com/legal/privacy-policy-eea?lang=de

Freshworks

1. General Information

Through our website, we offer the option to report technical issues with the IT system via the Freshdesk service provided by Freshworks, Inc., headquartered at 16192 Coastal Highway, Lewes, Delaware 19958, USA.

The Freshdesk service enables us to process support requests in a coordinated and timely manner. When you open a ticket via the Freshdesk service, the data you provide is transmitted to the service provider Freshdesk. Required personal data is marked as a mandatory field in the respective registration form. Failure to provide this information means that we cannot process your ticket. Any additional information is voluntary.

If you report the technical issue to us via email, the following personal data will be processed: email address, first and last name, time of sending, and email text. If you contact us by phone, the responsible support representative will record the following personal data in the ticket: first name, last name, phone number, and email address.

The provision of this information is voluntary and, in such cases, is initiated by you. If this information pertains to communication channels (such as an email address or phone number), we will use these channels to contact you regarding your inquiry.

We will, of course, use the personal data you provide to us exclusively for the purpose for which you provided it when contacting us.

2. Purposes of Processing

The purpose of processing your data is to handle and respond to your inquiry.

3. Legitimate Interests

The purposes described above also constitute a legitimate interest in the processing.

4. Legal Basis
The legal basis for processing the data you provide to us when contacting us is Article 6(1)(f) of the GDPR. If your inquiry relates to the conclusion or performance of a contract with us, data processing is based on Article 6(1)(b) of the GDPR.

5. Duration of data storage

We will delete the data we have received from you when you contact us as soon as it is no longer needed to achieve the purpose for which it was collected—that is, once your request has been fully processed and no further communication with you is required or desired by you.

6. Data Processing

The recipient of the data is Freshworks, Inc., located at 16192 Coastal Highway, Lewes, Delaware 19958, USA, acting as a data processor. We have entered into a data processing agreement with Freshworks, Inc. for this purpose.

7. Data Transfer to the United States

When using the service, data is transferred to the USA. To ensure an adequate level of data protection, we have entered into the Standard Data Protection Clauses adopted by the EU Commission pursuant to Art. 46 GDPR with the American service provider Freshworks Inc., which permit the transfer of personal data to a third country in specific cases. For more information on data protection at Freshworks, please refer to Freshworks’ privacy policy at https://www.freshworks.com/de/datenschutz/.

8. Right to Object, Data Deletion

You may contact our Data Protection Officer at any time to request the deletion of data related to your inquiry. However, please note that we may not be able to fully process your request in such cases.

Use of Customer, Supplier, and Service Provider Data (Business Partners)

1. Allgemeine Informationen
Wenn Sie mit uns Kontakt aufnehmen, eine Geschäftsbeziehung mit uns eingehen möchten oder einen Vertrag mit uns abschließen, verarbeiten wir Ihre personenbezogenen Daten. Darüber hinaus verarbeiten wir Ihre personenbezogenen Daten zu Zwecken wie der Erfüllung gesetzlicher Verpflichtungen, der Wahrung eines berechtigten Interesses oder auf Grundlage Ihrer Einwilligung. Wir verarbeiten ausschließlich die personenbezogenen Daten, die wir von Ihnen erhalten.

Je nach Rechtsgrundlage und Vertragsverhältnis mit uns handelt es sich dabei um folgende Kategorien personenbezogener Daten:

- Vorname, Nachname
- Firmenname
- Geschäftsadresse
- Geschäftskontaktdaten (Telefonnummer, E-Mail-Adresse)
- Kontoinformationen, insbesondere Registrierungs- und Anmeldedaten (z. B. Teams-Konto für externe Nutzer)
- Video- oder Bildaufnahmen

2. Purposes and Legal Bases
Based on your consent (Art. 6(1)(a) GDPR)
If you have voluntarily given us your consent to process certain personal data, this consent forms the legal basis for the processing of such data.

In the following cases, we process your personal data based on the consent you have provided:
- Sending information about our projects, news, events, and webinars.

To fulfill a contract (Art. 6(1)(b) GDPR)
We use your personal data to perform the contract as well as for pre-contractual communication.

To comply with legal obligations (Art. 6(1)(c) GDPR)
As a company, we are subject to various legal obligations. To fulfill these obligations, the processing of personal data may be necessary:

- Prevention/defense against criminal acts (only on a case-by-case basis).
- Retention and storage obligations (Section 257 of the German Commercial Code; Section 147 of the German Fiscal Code).
- Obligations to process customer data (e.g., due to tax law obligations).

Based on a legitimate interest (Art. 6(1)(f) GDPR)
In certain cases, we process your data to protect our legitimate interests:

- Communication with contact persons at our business partners.
- Direct marketing for similar projects within the scope of our business relationship.
- Ensuring IT security and IT operations.
- Video surveillance to enforce property rights.
- Customer satisfaction surveys.
- Occasion-based comparison of first and last names of business contacts with the lists of the EU Anti-Terrorism Regulations (Regulation (EC) No. 881/2002, Regulation (EC) No. 2580/2001, so-called anti-terrorism lists) due to the prohibition on provision under the EU Anti-Terrorism Regulation.

3. Retention Period
We store your personal data for as long as necessary to fulfill our legal and contractual obligations, including:

- Compliance with, for example, commercial and tax law retention requirements. These include retention periods specified in the German Commercial - Code (HGB) or the German Fiscal Code (AO). The retention periods are up to 10 years.
- Preservation of evidence within the framework of statutory limitation periods. According to the limitation provisions of the German Civil Code (BGB), these limitation periods can in some cases be up to 30 years; the standard limitation period is three years.
- After subscribing to the newsletter, your email address will be stored in our newsletter distribution list. After unsubscribing from the newsletter, your email address will be deleted from the distribution list and added to a blacklist. This list is deleted every 6 months.

4. Who will your data be shared with?
In general, your personal data will be processed by internal departments at NORDAKADEMIE that require it to perform their duties. In some cases, however, other external parties may also be involved in the processing of your data. If a data processor is involved, NORDAKADEMIE has entered into a corresponding data processing agreement with the respective external service provider in accordance with Article 28 of the GDPR. Other recipients will only receive your data if you have given NORDAKADEMIE your consent to the data transfer, or based on a contract concluded with you, or if

NORDAKADEMIE is legally obligated to transfer the data:

- IT service providers (e.g., maintenance service providers, hosting service providers)
- Service providers for document and data destruction
- Tax authorities and auditors
- Web hosting service providers

Microsoft 365 Applications

Below, we provide information about the processing of personal data when using Microsoft 365. Microsoft 365 is a combination of various software components from the U.S.-based software manufacturer Microsoft Corporation (hereinafter “the Provider”), consisting, for example, of the online versions of Word, Outlook, OneNote, PowerPoint, Excel, Teams, and OneDrive, as well as Microsoft Project and Microsoft Visio, depending on the plan. Microsoft 365 and Office 365 offer users the ability to work from any supported device, regardless of location. Stored data is located in Microsoft data centers, which can be accessed via the Internet.

In some cases, we create so-called external accounts in our Microsoft 365 environment for customers, service providers, or suppliers. Even if such an account is not created for customers, service providers, or suppliers, data from these groups of people is used in our Microsoft 365 environment. You will find more detailed information on this below.

1. Microsoft as the Data Controller
In general, NORDAKADEMIE is the data controller for the processing of your personal data within the meaning of the GDPR.

To the extent that you use Microsoft 365 software components, the
software provider Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-639 USA, is responsible for data processing. For more information on Microsoft 365 in the education sector, please visit: https://www.microsoft.com/de-de/education/school-leaders/resource-center . Information on data processing by Microsoft 365 is available at: https://privacy.microsoft.com/de-de/privacystatement

2. Purposes and Legal Basis
To ensure an effective customer, service provider, or supplier relationship with you, we process your personal data to the extent necessary. We process your personal data so that you can use the features of Microsoft 365 for the purpose of communicating and collaborating with us.

In some cases, we create so-called external accounts in our Microsoft 365 environment for customers, service providers, or suppliers. Personal data is processed for the registration and use of Microsoft 365 in the NORDAKADEMIE IT environment; you will find more detailed information on this below. The legal basis for the collection and processing of this data is our legitimate interest pursuant to Art. 6(1)(f) of the GDPR.

With regard to the processing of video and/or audio recordings in connection with the use of “Microsoft Teams,” this is done voluntarily by enabling the camera and/or microphone, so that Article 6(1)(a) of the GDPR (consent) serves as the legal basis. Consent may be revoked at any time with future effect by revoking the authorization of the camera and/or microphone. The same applies to the use of the chat function with regard to the processing of text data.

To ensure proper operation, as well as to verify compliance with the provisions of these Terms of Use and to detect misuse, all user activities, such as the time of access, date, type of access, details of the data/files/documents accessed, and all activities related to usage—such as creating, modifying, or deleting documents; setting up a team (and channels within Teams); taking notes in the notebook; starting a chat; and similar activities—are processed in log files.

Monitoring of the use of electronic communication systems takes place only where there is reasonable suspicion of misuse, conduct in breach of the contract, violations of these Terms of Use, or criminal offenses. The legal basis for this processing is our legitimate interest pursuant to Art. 6(1)(f) of the GDPR.

The collection of data for the provision of Microsoft 365 and the storage of data in log files is strictly necessary for the provision and operation of the software components provided. Consequently, the user has no right to object.

3. What data is processed?
Depending on the specific application and function, various types of personal data are collected and processed from you. Personal data is information that relates to an identified or identifiable natural person.
When you sign in to your computer, the following personal data is processed when you use Microsoft 365:
- IP address
- First name, last name
- Diagnostic data (Data regarding the use of the software and services)
- Functional data (e.g., log data)
- Device data used to access Microsoft 365 services (e.g., browser, operating system, antivirus software)
- Online identification data (username and password (encrypted))
For certain Microsoft 365 features, additional personal data about you may also be processed, for example:
- business contact information such as work email address, phone number, and mailing address
- video and audio transmission during video conferences via Teams
- geolocation/location data
- behavioral data (browsing behavior, etc.)
The data processed about users when using Microsoft products can be summarized into three groups:

Content Data

Information provided by NORDAKADEMIE:

All data, including all text, audio, video, or image files and software, that Microsoft receives from or on behalf of the customer through the use of the online service

e.g., customer password, contents of the customer’s email account or Azure database, email subject line

Diagnostic data

specific telemetry data collected via Microsoft 365 regarding the use of the software; all observations regarding the behavior of individual users of the services stored in event logs

e.g., client ID, user ID, duration of use of an Office service, size of the edited file, event ID (ID of the action performed—e.g., saving a document), program language

Functional data

Data required to execute application processes, which is deleted or anonymized immediately after the message has been transmitted. This data is therefore stored only temporarily.

The following features are available in Microsoft 365 (this list is not exhaustive):

Word	Word processing program for creating and editing documents
Excel	Spreadsheet program for performing logical, statistical, and mathematical functions
PowerPoint	Program for creating interactive presentations
Outlook-Exchange	Editing and managing emails, appointments, contacts, and tasks
OneNote	Digital notebook
Publisher	Creation of print publications such as brochures, email headlines, and product presentations
Access	Database management program for creating and managing databases as well as developing database applications
SharePoint	A cloud-based collaboration platform for co-editing documents, sharing calendars, and exchanging information
OneDrive for Business	Employee-specific cloud storage for audio and video calls, online meetings, web conferences, and screen sharing
Teams	A collaborative communication channel; chat messages, audio and video calls, online meetings, web conferences, and screen sharing (replaces Skype for Business)
Visio	Visualization program for creating graphical representations of tools and symbols
Project desktop application	Program for planning, managing, and monitoring projects (exclusively a local application on the end device)
Groups	Components such as Outlook, Teams, and SharePoint can be used collaboratively
Planner	Planning tool for creating plans and visually managing tasks
To-Do (browser application)	Tool for organizing tasks from other O365 components
Whiteboard	Tool for (collaborative) editing of virtual whiteboards
Editor (spelling checker)	Connected Experience: Editor browser extension checks for grammar and spelling errors and makes suggestions for text improvement
Translator	Connected Experience: Language translation tool
Office Help	Connected Experience: When you select “Help > Help” in the ribbon or press F1 in an Office application
Bot Analytics	Creating bots in the FAQ to answer recurring questions.

You can use Word, Excel, and PowerPoint as usual; that is, data is saved to your PC unless the “AutoSave” feature is enabled. If AutoSave is enabled, the data is stored in the cloud via OneDrive. However, it is also possible to use these applications as mobile apps on your work tablet and smartphone or to open them via a web browser. In this case, the files are also stored in the Microsoft cloud.

When using Teams, shared files, video and audio recordings, and chat messages are also stored in the Microsoft cloud.

4. Retention Period
When a subscription ends or is canceled, Microsoft retains customer data stored in a Microsoft 365 account with limited functionality for 90 days to allow the subscriber to extract the data. After the 90-day retention period expires, Microsoft deactivates the account and deletes the customer data. No later than 180 days after the expiration or cancellation of a Microsoft 365 subscription, Microsoft deactivates the account and deletes all customer data from it. Once the maximum retention period for data has expired, the data will no longer be commercially recoverable.

We, NORDAKADEMIE, store your personal data for as long as is necessary for the respective stated purpose of data processing. As soon as the data is no longer required to fulfill the purpose, it will be deleted or anonymized immediately. In exceptional cases, personal data will be retained for a longer period if we are obligated to do so to comply with certain statutory retention periods.

5. To whom is your data disclosed?
Your personal data is necessarily transferred to Microsoft Corporation. Microsoft processes personal data outside the EU/EEA and thus in so-called third countries. An adequate level of data protection is ensured by the fact that Microsoft is certified under the EU-U.S. Data Privacy Framework.

In addition, your data may be shared with technical service providers who assist NORDAKADEMIE with the operation and maintenance of Microsoft 365.

EvaSys Evaluation Software

We use the EvaSys software to conduct evaluations. EvaSys is a web-based software that allows surveys to be created, published, and conducted using various survey media (online and/or paper-based) and survey methods (e.g., via an online link or using the TAN procedure).

Registered users (instructors) can create surveys, publish them for implementation, and thus make them available worldwide. NORDAKADEMIE is responsible for publishing and conducting the surveys.

Categories of personal data

The following data, transferred from the NORDAKADEMIE central administration, is stored for user accounts in the system:

- First name and last name
- Title (e.g., Prof. or Dr.)
- Email address

User accounts remain in the NORDAKADEMIE system until the personal data record is deleted or until the user’s access rights expire, at which point they are deleted.

Content data includes all data that users themselves upload to the system or create within the system. This data includes, for example:

- information voluntarily provided in the user profile
- modified online templates
- questionnaires (including embedded media content)
- survey data

Legal Basis for Data Processing

The legal bases for the general conduct of evaluations of courses and seminars are the legitimate interest pursuant to Article 6(1)(f) of the GDPR (quality assurance and improvement) as well as—at least indirectly—the legal obligation under Article 6(1)(c) of the GDPR in conjunction with the provisions of the Schleswig-Holstein Higher Education Act.

The principle of data minimization is upheld by NORDAKADEMIE. With regard to students, anonymous data processing will be possible to a large extent. However, since there are free-text fields, a personal reference cannot be entirely ruled out. Thus, it is also partly up to the students whether the information provided in the evaluation remains anonymous or not.

The evaluations are conducted such that, with regard to anonymity, the threshold is set at 5 individuals (students). Additionally, at least two completed responses must be available. With regard to the instructors of the courses, personal identification is naturally present.

The evaluation of the feedback is carried out according to a strict authorization policy; in particular, the need-to-know principle must be observed.

Data Storage

Data from evaluations may be retained for up to five years; after that, the data will only be reused in anonymized form (e.g., the instructor’s name will be removed).

Data Sharing

Survey results are stored on the servers of the service provider EvaSys and can be analyzed and/or exported by survey creators using internal functions.

Mobility-Online (Organization and Implementation of Study Abroad Semesters)

We use the “Mobility-Online” portal for the organization and implementation of study abroad semesters. In doing so, personal data required for registration, application, organization, and documentation of the stay abroad is processed. This includes, in particular, identification and contact data, as well as necessary academic and mobility data and the information and documents you provide. The type and scope of data required in each individual case may vary depending on the partner university.

The recipients of your personal data include, in particular, IT service providers who provide and operate the portal. To the extent necessary for application, placement, and implementation, the partner universities you select will also receive your data. Some partner universities are located outside the EU and the EEA. If there is no adequacy decision by the European Commission for the respective recipient country and if no appropriate safeguards have been agreed upon, a level of data protection comparable to that of the EU cannot be guaranteed. In particular, data subjects’ rights may not be effectively enforced, and government agencies may, depending on the legal situation, gain access to your data.

The transfers required for this purpose are based on your voluntary consent. You may revoke this consent at any time with future effect. The lawfulness of the processing carried out prior to revocation remains unaffected. In this case, however, a semester abroad cannot be continued.

March 2026

Bachelor: dual

Master: part-time

Certificates & Further Education

International

Departments

Data protection

Privacy policy

of the NORDAKADEMIE University of Applied Sciences