We want you to always feel safe and secure while enjoying your visit to our website. We therefore want to assure you that we have taken appropriate technical and organizational measures to ensure the greatest level of protection possible for your rights, and that we are continuously acting in such a way as to ensure that relevant legislation is complied with by both our staff and external service providers. Nonetheless, there may still be security issues found in web-based services, so that absolute protection cannot be guaranteed. If you prefer, we would be happy to receive your personal data through other communication channels (for example by post, by telephone or fax).
1. Terms and definitions
Your personal data will be protected in accordance with the General Data Protection Regulation, the German Federal Data Protection Act, and several other sector-specific laws which all use the same terms and definitions explained below.
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (in the following referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
g) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Controller’s name and address
The controller responsible for processing in the sense of the General Data Protection Regulation and the data protection legislation of the Member States of the European Union as well as additional sector-specific laws with data protection implications is COGNOS AG, Alte Rabenstraße 2, 20148 Hamburg.
3. Data Protection Officer’s name and address
The controller’s Data Protection Officer is:
Im Media Park 4e
Phone: +49 221 921512-782
Fax: +49 221 921512-10
4. Data subjects’ rights
a) Right of access
You have the right to obtain confirmation from the controller responsible for processing as to whether or not personal data concerning you are being processed. Where this is the case, you also have the right to be informed about the circumstances of data processing. This right of access includes the relevant data, the processing purposes, the processing category of personal data, and the recipient to whom the data are or have been transmitted. In addition the right covers the planned duration of storage, the origin of the data, to the extent that they were not supplied by yourself, and any existence of an automated decision-making process, including profiling. The right of access also includes the right to be informed about the right to restriction of processing or erasure of the personal data and the right to be informed about the existence of a right to lodge a complaint with a supervisory authority.
b) Right to erasure
You have the right to obtain from the controller the erasure of the personal data concerning you without undue delay, where one of the following grounds applies and in so far as the processing is not necessary:
- The purpose for which the data were collected no longer exists or the data are no longer necessary in relation to the purpose.
- You have exercised your right to object to data processing.
- You have since withdrawn your consent to data processing and there is no other legal ground for the processing.
- The data were erased due to a legal obligation to do so.
- The data were processed without legal basis.
c) Right to data portability
You have the right to receive the personal data concerning you which you have provided to us as a controller, in a structured, commonly used and machine-readable format, and you have the right to obtain transmission of those data to another controller without hindrance by the controller responsible for processing to whom the data were provided. This right shall apply where automated data processing was carried out for the performance of a contract or was based on given consent. This entitlement also includes the right to have the data transmitted directly from one controller to another, where technically feasible.
d) Right to object
The right to object includes the option to object to the processing of your own data for marketing purposes. In addition, you also have the right to object, on grounds relating to your particular situation, to originally lawful data processing for other purposes.
e) Right to restriction of processing
The right to restriction of processing enables you to obtain from the controller, if certain conditions apply, that your personal data held by the controller are blocked from further processing. You can for instance demand that the data be blocked for the period required for clarification, if the accuracy of the data has been contested.
f) Right to rectification
The right to rectification includes your entitlement as data subject to obtain from us as the controller without undue delay the rectification of inaccurate personal data concerning you.
5. Legal basis of processing
We will ask for your consent for most data processing operations. In these cases, Art. 6 I lit. a and Art. 7 GDPR serve as legal basis for the processing operations. Data processing may also partly be necessary for the performance of a contract and/or for the initiation of contractual relations; this applies in particular to the delivery of any information material requested by you and the application for admission. In this case, the legal basis for processing is Art. 6 I lit. b GDPR. If the processing of data is necessary for compliance with legal obligations, for example for a request for tax information, processing is based on Art. 6 I lit. c GDPR. Under certain circumstances data processing may also be necessary in order to protect the vital interests of the data subject or other natural persons, in which case the legal basis would be Art. 6 I lit. d GDPR. If none of these legal exceptions apply, processing may still be authorized by Art. 6 I lit. f GDPR. This legal ground may be applicable, if processing is necessary for the purposes of a legitimate interest pursued by our company or a third party and to the extent that interests, fundamental rights and freedoms accruing to us as the controller do not take precedence. A legitimate interest could for instance be the conducting of our company’s business operations in order to protect the interests of our staff and shareholders. We also consider the tracking of user behavior in connection with advertising, by means of cookies which do not involve sensitive data and which bear no references to persons, to be a legitimate interest.
6. Transfer to third countries
If we process data in a third country (i.e. in a country outside the European Union or the European Economic Area), or we do so in connection with the use of the services of third parties or the disclosure and/or transmission of data to third parties, this may be done solely for the purpose of fulfilling contractual obligations or for precontractual actions, on the basis of consent given by you, on the basis of a legal obligation or on the basis of our legitimate interests. We will only process or transfer data in or to a third country or have data processed there, if the conditions of Art. 44 ff. GDPR have been met. Processing may be performed for example on the basis of special guarantees such as where an adequate level of protection comparable with the EU standard has been confirmed (e.g. “Privacy Shields”), on the basis of compliance with officially recognized contractual obligations or after submission of audit evidence proving any other recognized level of protection (exceeding any voluntary “Safe Harbor” commitment) (see also the extended requirements of the “Dusseldorf circle”).
7. Cooperation with processors and third parties
If we disclose or transfer data to other persons and companies (processors, COGNOS group companies or third parties) or otherwise enable them to obtain access to data during our processing, this is always done on the basis of a legal permission (e.g. if the transfer of payment data to the group company responsible for payment operations is necessary for fulfilling the contract or if address data are disclosed to the shipping provider for the delivery of any course material in accordance with Art. 6 Para. 1 lit. b GDPR), consent, a legal obligation or due to a legitimate interest or data processing on behalf of a controller in accordance with Art. 28 GDPR.
8. SSL Encryption
In order to protect your data during transmission, we use current state-of-the-art encryption techniques via HTTPS.
A cookie is a small data file which is sent from the web server to your computer when you surf our web pages. A cookie contains only information which we ourselves send to your computer – cookies cannot be used to retrieve private data. Accepting cookies does not give us any access to your personal information.
We do not use any cookies for the purpose of audience measurement or usage analysis on our COGNOS website.
10. Access data
During each page view, access data regarding this operation are stored by us or our hosting provider in a log file. In connection with the website access we receive usage data which are temporarily stored for statistical purposes and then erased again. Log data are collected solely for internal purposes and are not transferred to third parties.
Such log data include:
- the IP address of the requesting computer,
- date and time of the request,
- the access method/function desired by the requesting computer,
- input transmitted by the requesting computer (e.g. file name),
- web server status of access (file transferred, file not found, command not executed, etc.),
- the name of the requested file and transferred data volume,
- URL from which the file was requested/desired function was called.
The stored data will be made anonymous at the earliest time possible (last octet of IP address is removed) and only used for the purposes of identifying and tracking unauthorized access and access attempts to the web server. No further analysis, except for statistical purposes in anonymized form, is performed. These data are not referenced to specific individuals; no individual user profiles will be created. We will not collect any personal data through our websites without your consent. Any consent granted by you in this respect may be withdrawn at any time with effect for the future. We would like to point out that specific provisions of law may mean, under certain circumstances, that we may have to continue holding your data for a period prescribed by legislation despite your objection. Data which are collected by automated means on the websites for the purposes of securing the web services will be exclusively processed within the territorial scope of the EU Data Protection Directive.
11. Collection of user-related data
When you use some areas of our internet presence, we ask you as a user to provide some information which can be unambiguously attributed to your person.
In this case we only collect the respective user-related data necessary for the respective purpose such as:
- your name,
- telephone number,
- postal address,
- email address,
- your consent to the collection and processing of personal data.
Which data are required in the actual case is determined by the respective input fields. The data will always be encrypted when they are transmitted. Data which you provide to us through the “Request for information material” and “Online application” pages of our website may also be processed using the Salesforce CRM solution. This software solution is also hosted outside the territorial scope of the EU Data Protection Directive. Due to the service provider’s contractual obligations, which exceed the minimum requirements of the Safe Harbor commitments, and submitted audit evidence (see also trust.salesforce.com/trust) an adequate level of protection has been demonstrated (see also the extended requirements of the “Dusseldorf circle”). Any data collected in this context will only be used for the purposes of providing information material, where consent has been given to promotions for this purpose, and for the purpose of precontractual actions where an educational program was applied for. Personal data will only be disclosed to the carefully selected shipping provider, which in turn will only use them for fulfilling the contract. Access data made available by the internet service provider when registering, such as the assigned IP address and the date and time of registration, are logged to prevent the improper use of our services and make it possible to investigate any offences committed. The data will not be disclosed further, unless we are under a legal obligation to do so.
Registration on our website is always on a voluntary basis and only where we offer you services that can only be offered to registered users. Every registered person can change his or her user-related data at any time or have them deleted completely unless this is precluded by a legal retention requirement. We will also provide information, upon request, to you as to what personal data we hold about you. Please feel free to contact our designated Data Protection Officer any time in this respect.
We use hosting services to provide the following services: platform services, computing capacity, data storage, database services, security settings and technical service and maintenance; these are necessary for website operation. In this connection we and/or our hosting service provider process user-related, contact, usage and contract data as well as meta and communication data on the basis of our legitimate interest in the provision of our online presence in accordance with Art. 6 Para. 1 lit. f GDPR in conjunction with Art. 28 GDPR.
13. Contact us through the website
If you have any request you would like to send via the contact form, the information provided by you in the request form including any contact information given by you will be stored for processing the request and for any queries. They will not be disclosed to third parties. Should this, however, be necessary for processing your request, we would ask for your permission to do so before disclosing them.
14. Erasure and blocking of personal data
We process and hold your personal data only as long as this is required for the purpose of storage or under the statutory provisions of EU directives and/or regulations. Such data are routinely erased when the purpose of storage no longer exists or the retention periods stipulated in EU directives and/or regulations have expired. The length of data storage is determined by the applicable statutory retention periods. The statutory requirements for data retention in Germany are 6 years in accordance with Section 257 Para. 1 German Commercial Code, 10 years in accordance with Section 147 Para. 1 German Tax Code, and apart from these, we are subject to the retention periods prescribed by the Higher Education Laws of Germany’s Federal States. Your data will routinely be erased after the retention periods have expired, unless they are still required for fulfilling a contract or precontractual actions.