Data privacy

Information on data protection and data security at the ESMT European School of Management and Technology GmbH
Status: Dezember 2024

1. Introduction

This Privacy Policy applies to the websites of ESMT European School of Management and Technology GmbH (hereinafter referred to as "ESMT Berlin"). Other privacy statements may be applicable to other third-party servers and websites.

Data privacy is of utmost importance to ESMT Berlin and we have taken the appropriate technical and organizational measures to guarantee the utmost security of your data. This enables us to ensure compliance with the legal regulations in Germany. Data protection regulations require that we handle user data properly and for a specific purpose. We will not use user data for purposes other than those stated. We would like to inform you here how we handle your personal data when using our website.

ESMT Berlin is subject to the provisions of the European General Data Protection Regulation (GDPR), and the Federal Data Protection Act (BDSG). We have taken appropriate technical and organizational measures to ensure that the regulations on data protection are followed.

2. Controller

ESMT European School of Management and Technology GmbH
Schlossplatz 1
10178 Berlin
Deutschland
Tel.: +49 30 212 31 0
E-Mail: info@esmt.org

Further details can be found in the imprint.

3. Data protection officer

Our data protection officer can be reached at the e-mail address dataprivacy@group.esmt.org or via the postal address above with the addition "To the data protection officer".

4. Handling of personal data

Personal data is any information relating to an identified or identifiable person; identifiable is an individual person who can be identified directly or indirectly, in particular by assignment to an identifier such as a name, an identification number, location data, an online identification or one or more special characteristics.

5. Collected data, purposes of data processing, and legal basis

a) Visiting our website

Each time a user accesses an ESMT Berlin page and each time a file is retrieved, data about this process is temporarily stored in a log file until their automatic erasure after three months. Depending on the access protocol used, the log data record contains information with the following contents:

• IP address of the requesting computer
• Name of the requested file
• Date and time of the request
• Access methods/functions requested by the requesting computer
• Access status of the webserver
• URL from which the file was requested
• Operating system and browser type or settings.

No user profiles are created, in which IP addresses and personal data are linked. Anything to the contrary shall only apply insofar as this is stated separately in this data protection declaration.

The stored log data is used exclusively for purposes of identification and tracking of unauthorized access attempts/access to the webserver, as well as for statistical evaluations such as visitor numbers and page popularity. Only authorized employees of ESMT Berlin carry out the evaluation.

The lawfulness of the data processing results from Art. 6 paragraph. 1 sentence 1 lit. f) GDPR. Our legitimate interest is explained above.

We use the following hosts: 

esmt.berlin: Uvensys

uvensys GmbH, Robert-Bosch-Straße 4b, 35440 Linden, Germany

apply.esmt.berlin: FullFabric

Lean Stack Worldwide, Rua dos Remolares 14, 3rd floor, 1200-371 Lisboa, Portugal

go.esmt.berlin and esmt.my.site.com: Salesforce (Pardot)

Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany

jobs.esmt.berlin: HRWorks

HRworks GmbH, Waldkircher Straße 28, 79106 Freiburg, Germany

transitions.esmt.berlin: Google

Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland

In order to ensure data protection-compliant processing, we have concluded contracts for order processing with our hosters.

b) Registration for special services

If you have given explicit consent in accordance with Art. 6 paragraph. 1 sentence 1 lit. a) GDPR, we will store your email address and, depending on the requested service (activation of test accesses, registration for events and programs, application for study programs), other data also and use it to provide the requested services. Additionally, we may also use your personal information for marketing purposes, such as to inquire about your interest in a particular ESMT program or to generally promote our programs or events. The legal basis for this is Art. 6 para. 1 sentence 1 lit. f) GDPR.

The use of some of our offers, especially the online application procedure for students of the graduate programs, requires a personal password assignment. You must keep this password secret and protect it from access by unauthorized third parties.

You can withdraw your previous consent for the processing of personal data at any time or object to any processing carried out within the scope of our legitimate interests (Art. 1 para. 1 sentence 1 lit. f)  GDPR) (dataprivacy@group.esmt.org).

c) Newsletter

You have the option of receiving the newsletter offered on our website. 
If you would like to take advantage of our offer, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. For this purpose, we use the so-called double opt-in procedure: After your registration, you will receive an e-mail to the e-mail address provided, in which we ask for confirmation of the registration. 

With the confirmation, the following information is then stored: 

-E-mail address

-Salutation

-Forename

-Surname

-the country 

Other data is not collected or is only collected on a voluntary basis. We use this data exclusively for sending the requested information and as proof of your registration.

The processing of the data entered in the newsletter registration form is carried out exclusively on the basis of your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent to the storage of the data, the e-mail address and its use for sending the newsletter at any time, for example via the "unsubscribe" link in the newsletter. The lawfulness of the data processing operations carried out up to that point remains unaffected by the revocation.

The data you provide to us for the purpose of sending the newsletter will be stored by us until you unsubscribe from the newsletter and deleted after you unsubscribe from the newsletter. Data that has been stored by us for other purposes remains unaffected by this.

Newsletters are sent via the following service providers:

Salesforce.com Germany GmbH, Erika-Mann-Str. 31-37, 80636 Munich, Germany.

HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin

The data you provide to us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and deleted from both our servers and the service provider's servers after you have unsubscribed from the newsletter. Data that has been stored by us for other purposes remains unaffected by this. 

For more information about the service providers, please visit: Salesforce; HubSpot

6. Use of cookies

As part of your visit to our website, we use so-called “cookies”.

These are small text files our web application stores on your computer so that we can identify your Internet browser when you visit. 

The popular Internet browsers are set so that they automatically accept cookies. You can de-activate the setting or set your Internet browser so that it informs you if cookies are used and you will be notified as soon as cookies are to be placed. A general objection to the use of cookies used for online marketing purposes can be made for a large number of services, especially in the case of tracking, via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/. 

Please note that it may not be possible to use all the functions of this online offer.

The data retrieved by cookies is not used to identify you personally.

Permanent cookies are stored on your computer for 100 days and are used to enable you to use our website as comfortably as possible even after your current visit. We use them for displaying individual content to you.

If you do not wish to permit permanent cookies you can de-activate them in your browser. Please refer to the help function in the menu bar of your browser for details on how to proceed. The deactivation of permanent cookies has no influence on the general usability of our website.

Session cookies are stored only until you close your current browser session on your system. They serve to enable you to use our services without restriction for your current visit to our site. This data is anonymized so that you cannot be identified personally. If you do not wish to allow session cookies, you can deactivate them in your browser.

Please find further information on this process in the help function of the menu bar of your browser.

By deactivating session cookies, we cannot guarantee that you will be able to use all of our services without restriction.

Social Media Plug-ins

We use social media plug-ins from the providers listed below.

We use the so-called two-click solution. This means that when you visit our site, no personal data is initially passed on to the providers of the plug-ins. You can recognize the provider of the plug-in by the mark on the box by its first letter or logo. We give you the opportunity to communicate directly with the provider of the plug-in via the button. Only if you click on the marked field and thereby activate it, the plug-in provider will receive the information that you have called up the corresponding website of our online offer. In addition, the data referred to in point 5.a) of this declaration will be transmitted. In the case of Facebook, according to the provider in Germany, the IP address is anonymized immediately after collection. By activating the plug-in, your personal data will be transmitted to the respective plug-in provider and stored there (in the case of US providers in the USA). Since the plug-in provider collects data in particular via cookies, we recommend that you delete all cookies via the security settings of your browser before clicking on the greyed out box. 

We, ESMT Berlin, have no influence on the data collected and data processing processes, nor are we aware of the full scope of the data collection, the purposes of the processing, or the storage periods. We also have no information on the deletion of the collected data by the plug-in provider. 

The data is passed on regardless of whether you have an account with the plug-in provider and are logged in there. If you are logged in to the Plug-in Provider, the data you collect with us will be directly assigned to your existing account with the Plug-in Provider. If you confirm the activated button and, for example, link to the page, the plug-in provider will also store this information in your user account and share it publicly with your contacts. We recommend that you log out regularly after using a social network, but especially before activating the button, as this allows you to avoid being assigned to your profile with the plug-in provider. 

The legal basis for the use of the social media plug-ins is Art. 6 para. 1 f) GDPR.

For more information about the scope, type and purpose of data processing and about rights and setting options to protect your privacy, please refer to the privacy policy of the respective provider of the social network. These can be accessed at the following addresses:

1. Meta Platforms Ireland Ltd.
   4 Grand Canal Square
   Grand Canal Harbour
   Dublin 2 Ireland
   http://www.facebook.com/policy.php , https://developers.facebook.com/docs/plugins/?locale=de_DE
2. Twitter International Company
   attn: Data Protection Officer
   One Cumberland Place, Fenian Street
   Dublin 2, D02 AX07 IRLAND

https://twitter.com/de/privacy 

3. Instagram: Meta Platforms Ireland Ltd.
   4 Grand Canal Square
   Grand Canal Harbour
   Dublin 2 Ireland
   https://help.instagram.com/519522125107875 

d)     LinkedIn Ireland

Unlimited Company 

Wilton Place

Dublin 2 Irland

http://www.linkedin.com/legal/privacy-policy 

e)     Google Ireland Limited

Gordon House, 

Barrow Street, 

Dublin 4, Irland 

https://policies.google.com/privacy?hl=de 

7. YouTube 

We use the YouTube service to embed videos. The responsible provider in Europe is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland ("Google"). The legal basis is your consent in accordance with Art. 6 Art. 1 lit. a GDPR. 

YouTube uses cookies to collect information about visitors to its website. YouTube uses them to collect video statistics, avoid fraud and improve the user experience, among other things. The cookies remain on your device until you delete them. 

As soon as you start a YouTube video on our website, a connection to YouTube's servers is established. The YouTube server is informed which of our pages you have visited. If you are logged in to your YouTube account, you enable YouTube to assign your surfing behavior directly to your personal profile. Data may be transferred to the United States and linked to other data from other Google services, especially if you are signed in to your Google Account. To secure the data transfer, we have concluded the EU standard data protection clauses. If you do not want this information to be transmitted to YouTube and Google in this way, you can prevent this transmission by logging out of your YouTube account before accessing our website.

The data processed includes

• Information about the devices and browsers used (e.g. unique identifiers, IP address, Google user ID, YouTube ID, type and settings, operating system, mobile network) 
• Your activities (videos watched, date and time of visit to the page in question, website visited, interactions) 
• Location data

We have no influence on the storage period of the data and the further data processing by YouTube and Google. You have the right to object to the creation of user profiles by YouTube, whereby you must contact YouTube to exercise this. 

For more information about privacy at YouTube and Google, please see their privacy policies at: https://www.youtube.com/static?gl=DE&template=terms&hl=de and https://policies.google.com/privacy?hl=de

8. Web analysis / Google Analytics

This website uses Google Analytics, a web analytics service provided by Google LLC., Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").

This web analysis tool helps us, within the scope of our legitimate interests, to ensure that our website functions as required and to constantly improve it. The legal basis for the processing of your data is Art. 6 para. 1 sentence 1 lit. f) GDPR).

The data about your use of this website is processed by Google on behalf of ESMT and is usually transferred to a Google server in the USA and stored there.

We would like to point out that on our website Google Analytics has been extended by the code "anonymizeIp" in order to guarantee an anonymized collection of IP addresses (so-called IP-Masking). This means Google will reduce your IP address within Member States of the European Union or in other Contracting States to the Agreement on the European Economic Area beforehand.

Full IP addresses are transmitted to a Google server in the USA and shortened there only in exceptional cases. Google will use this information on behalf of ESMT Berlin in order to evaluate visitors’ use of the website, compile reports on website activities, and provide other services related to the use of the website and the Internet to ESMT Berlin. The IP address provided by your browser in the context of Google Analytics is not combined with other data of Google. You may prevent cookies from being stored on your computer by changing the relevant setting in your browser software. 

According to Google, it adheres to the principles of the Data Privacy Framework (DPF) agreement. The DPF is based on the adequacy decisions of the European Union, the United Kingdom and Switzerland. 

You can also prevent the collection of data generated by the cookie and related to your use of the website (including your IP address) by Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link.

For more information on terms of use and data protection, please see Google's terms and policies.

Google Data Studio

On the legal basis of Art. 6 paragraph. 1 f) GDPR (legitimate interest in the aggregated analysis of the use and continuous optimization of this website) we use an additional data management tool from Google Analytics - Google Data Studio - for the visual creation of user-defined reports and interactive dynamic dashboards for internal purposes. We use data from Google Analytics and no other data sources. The data is processed by Google on behalf of ESMT. The web-based tool is accessed via a browser and Google Analytics is directly connected to the Google Data Studio via an interface. Further information about Google Data Studio can be found here. 

Matomo

This website uses Matomo, a web analysis tool for the statistical evaluation of visitor access, to ensure that our website functions as required within the framework of our legitimate interests and to constantly improve it. The legal basis for the processing of your data is Art. 6 paragraph. 1 sentence 1 lit. f) GDPR.

The data collected by Matomo is processed on a server operated by ESMT Berlin. Your data will be anonymized directly upon visiting a web page. Matomo does not use cookies for tracking and instead works only on the basis of the anonymized IPs and website visits. In addition to the web pages and files accessed, it saves information about your operating system, browser, browser plugins (e.g. whether Flashplayer is available), screen resolution, your approximate location (e.g. "Berlin", but not your concrete address), and the duration of your visit.

9. Google Maps

This website uses the "Google Maps API" of the Google Group ("Google"). Via this API, the map material of the Google Maps service is displayed together with the localization of ESMT Berlin. The display of this content in your browser requires Google to collect your IP address. We would like to point out that on this website Google Maps API has been extended by the code "anonymizeIp" in order to ensure anonymous collection of IP addresses (so-called IP-Masking).

For users who are habitually resident in the European Economic Area or Switzerland, Google Ireland Limited, Google Building Gordon House, 4 Barrow St, Dublin, D04 E5W5, Ireland, is the responsible party for providing the service and for your data, unless otherwise stated in Google's privacy policy.

The data collected by the Service may be transferred to the United States and processed on servers of Google LLC, 1600 Amphitheater Parkway, Mountain View, CA 94043, USA. According to Google, it adheres to the principles of the Data Privacy Framework (DPF) agreement. The DPF is based on the adequacy decisions of the European Union, the United Kingdom and Switzerland. 

The legal basis for this data processing is our legitimate interest (Art. 6 paragraph.1 lit. f) DSGVO) in making it easier for you to contact us. Google and we process your data as independent data controllers, on the basis of the agreement which can be accessed here. 

The terms of use for Google Maps can be found under Terms of use for Google Maps. For more information about Google's privacy policy, please click here.

If you're signed in to a Google Account, the information collected by the service can be associated directly with your account. If you want to prevent Google from processing your information and associating it with your Google Account, please contact Google Ireland Limited.

10. AI Chatbot Esme 

This website provides you with an AI-powered chatbot to provide you with an easy way to contact us and answer your questions. This serves to process inquiries more efficiently and increase satisfaction through fast and accurate responses. 

With the help of the chatbot Esme (OpenAI API), you can interact directly with our website and, for example, ask questions. If, for example, the chatbot Esme answers your questions satisfactorily, you will be helped quickly and you will not have to wait for an e-mail response from us. The chatbot Esme is available for you at any time of the day or night, improving our customer service and your experience on our website. 

Personal data

Personal data is processed as part of the use of the chatbot. 

Depending on the interaction, the following data may be processed:

• Communication content (your questions and comments)
• Audio recordings
• Meta and usage data about the devices and browsers used (e.g., unique identifiers, IP address, type and settings, timestamp, browser version, and operating system)
• Location data

Which data is stored always depends on your entries. All entries you make in the chatbot are processed. 

Basically, OpenAI processes natural language, images, and other data formats that can be used to create machine learning models. This data is used to improve the chatbot's capability. 

If you use the chatbot or OpenAI products in general, your IP address will be processed. 
Unless you enter personal data, it will not be processed or stored (except for the IP address). All data entered is stored anonymously and encrypted to protect your privacy in the best possible way.

Purposes of data processing
The AI chatbot Esme helps us, within the framework of our legitimate interests, to make it easier for you to contact us and to optimize our web offer. The processing of your data is carried out for the purpose of providing and using the chatbot as well as for processing your request. 

Legal basis for data processing
We have a legitimate interest in optimising our service offering and improving our offer both technically and economically. With the help of the chatbot (API to OpenAI), we improve your experience on our website and expand our support offering. This is our legitimate interest, Art. 6 para. 1 lit. f) GDPR

If the processing is necessary for the implementation of pre-contractual measures that are carried out at your request, the legal basis pursuant to Art. 6 para 1 lit. b) GDPR is relevant.

Recipients of the data
The processing is carried out by OpenAI.
OpenAI Ireland Ltd, is a company incorporated in the Republic of Ireland with its registered office at 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland.

We use the OpenAI GPT-4 language model in an API (application programming interface) in the Enterprise Edition. This is the latest version of the language model developed by OpenAI, which is based on the GPT (Generative Pre-trained Transformer) architecture. It provides enhanced skills in language processing and interaction. 

Data transfer to third countries
OpenAI states that all data is encrypted both in transit (using TLS 1.2 or higher) and at rest (using AES-256). These measures are part of OpenAI's security protocols to restrict access to the data (https://openai.com/security). 

To the extent that OpenAI Ireland Ltd transfers customer data to other OpenAI subsidiaries in countries that do not provide the same level of data protection, this will be done on the basis of intra-group agreements that contain appropriate provisions to protect customer data. Such mechanisms may be the Standard Contractual Clauses adopted by the EU Commission on 4 June 2021 (which may be amended, updated or replaced from time to time) ("EU SCCs") or an adequacy decision taken by the European Commission pursuant to Article 45 GDPR.

We have concluded a data processing agreement with the service provider OpenAI. 

Storage period

We only have influence on the storage period of the data and the further data processing by OpenAI to the extent that: 

We have disabled data storage when using the Open AI GPT-40 API. This process is known as Zero Data Retention (ZDR). When ZDR is enabled, customer request and corresponding response data are not stored in a log system and only exist in memory to serve the request. After the request has been processed, this data will be deleted. An exception exists if legal requirements require longer storage. 

By default, Open-AI can store API data for up to 30 days, but also offers the possibility to shorten this storage period and do without data storage altogether. 

However, you can only prevent complete data processing by not using the chatbot. 

Automated decision-making: 

In the context of the use of the chatbot Esme on this website, no automated decision-making takes place in accordance with Art. 22 GDPR. 

For more information on data processing by OpenAI, please visit: https://openai.com/de-DE/policies/row- privacy-policy/ 

11. Links to other websites and social networks

Hyperlinks to various offers by third-party providers, such as social networks, may be integrated in our website in order to allow you to quickly access the latest information and communicate easily. If you follow these hyperlinks and use social networks, data may be collected by these third-party providers.

12. Data security

Personal data provided to us by you will be transmitted to us in encrypted form via a secure connection. The security procedure used (SSL - Secure Sockets Layer) corresponds to the usual state of the art. 

13. Automated decision-making / profiling

Automated decision-making / profiling does not take place.

14. Affected rights and the right of appeal to a supervisory authority

Each user has the right to receive free information about the data stored about them by ESMT Berlin. In addition, the user has the right to:

• Correction of incorrect data
• Restriction of processing
• Deletion
• Data portability
• Withdraw a given consent, Art. 7, paragraph. 3 GDPR
• Objection to processing

If your personal data are processed on the legal basis of legitimate interests in accordance with Art. 6 paragraph. 1 sentence 1 letter f) GDPR, you have the right to object to the processing of your personal data in accordance with Art. 21 GDPR, if there are reasons for doing so arising from your particular situation or if the objection is directed to advertising. In the last case, you have a general right of objection which we will implement without indicating a special situation.

There is also a right of appeal to the supervisory authority responsible for ESMT Berlin. The contact details are:

Berliner Beauftragte für Datenschutz und Informationsfreiheit
Alt-Moabit 59-61
10555 Berlin
Tel.: +49 30 13889-0
Fax: +49 30 2155050
E-Mail: mailbox@datenschutz-berlin.de

15. Changes

As ESMT Berlin’s internet offers may be subject to change, it may be necessary in individual cases to make changes to the privacy policy. ESMT Berlin reserves the right to change this Privacy Policy at any time.