WHU - Startseite | Logo

Privacy policy – Students

For WHU – Otto Beisheim School of Management, Burgplatz 2, 56179 Vallendar, email: datenschutz(at)whu.edu (hereinafter referred to as "WHU"), protecting the personal data that we process in the context of your degree program at WHU is of the highest importance.

In the following, we explain, based on our privacy policy, what types of personal data we process and in which way.

Please contact us if you have further questions. Our contact details are listed at the end of this Privacy Policy.

Personal Data

Personal data is any information relating to an identified or identifiable natural person. A natural person is considered to be identifiable if the identity of the person can be directly or indirectly determined - in particular by association with identifying information such as a name, ID number, location data, an online username, or one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural, or social identity of this natural person.

Personal data includes, for example, information such as your name, address, telephone number, language, location, email address, bank details, and date of birth.

Processing of Personal Data

When processing data, we handle your personal data responsibly and confidentially. Your personal data is processed in compliance with the applicable data protection regulations in Germany (in particular the Bundesdatenschutzgesetz, “BDSG new”) and Europe (EU General Data Protection Regulation, hereinafter referred to as "GDPR").

According to these regulations, the processing of personal data consists of any operation or series of operations performed on personal data, with or without the help of automated processes. In particular, data processing includes collecting, capturing, organizing, filing, storing, adapting, modifying, selecting, querying, using, disclosing through transmission, dissemination, or any other form of providing, matching or linking, and the restriction, deletion or destruction of personal data.

In the event that we contract a data processor with the processing of your personal data, then we conclude a data processing agreement with the latter that fulfills all the requirements of Art. 28 GDPR.

Purpose of Processing Personal Data

Processing of personal data (e.g., collecting, storing, transmitting, using) is allowable when these processes are legally authorized or if you have given your consent.

When you enter into a contract and this contract is carried out, your personal data is shared with us and stored by us.

We process your personal data in order to properly fulfill our contract with you as well as to fulfill our legal obligations.

We process personal data in accordance with the requirements and regulations described below, using automated data processing; this is based on the relevant legal authorization as well as on your voluntary declaration of consent (if applicable).

We do so in accordance with our statutory authorization to store data in order to fulfill our contract with you; see art. 6 para. 1 sentence 1 lit. b GDPR ("processing is necessary for the performance of a contract"). We process your data in particular in order to be able to fulfill our contractual relationship with you. This basis for authorization also includes data processing during the phase of your application for admission to a degree program, i.e. the initiation of a contract of study. If you apply for admission to our school, the data you provide will be processed by us to check whether we can establish and perform a contract with you. The application data that you submit to us will only be saved up to the point when a decision is reached regarding whether we will enter into a study contract with you. If we do not enter into such a contract with you, then no further data processing takes place for which you did not give your consent or which is permitted by law. 6 months after we send the rejection letter and/or return your application documents, we will delete your data. In the case of a successful application, the personal data that we collected at the time of contract conclusion or during the application process is required for the conclusion of the respective contract. In order to be able to carry out the respective contract, you are contractually obligated to provide the necessary data. Failure to provide the required personal data may result in an inability to perform the contract.

In terms of legal authorization, art. 6 para. 1 sentence 1 lit. c GDPR provides the relevant basis.

In addition, we use your personal data if we have a legitimate interest for doing so as set out in Article 6, paragraph 1, point (f) GDPR. A legitimate interest exists whenever we have an economic, legal or non-material interest, and this does not override your own legitimate interests.

Aside from what is required for contract fulfillment, your personal data will only be processed by us if you have given your express consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR in conjunction with Art. 7 GDPR. Failure to provide consent or revocation of consent does not affect our statutory authorization to process your data as provided by Art. 6 para. 1 sentence 1 lit. b GDPR ("processing is necessary for the performance of a contract"), Art. 6 para. 1 sentence 1 lit. c GDPR ("processing is necessary for compliance with a legal obligation"), and Art. 6 para. 1 sentence 1 lit. f GDPR ("processing is necessary for the purposes of the legitimate interests"). You have the option to voluntarily submit a consent form. There are no disadvantages for you if you do not consent. You can ask to view your consent form at any time and may revoke your consent at any time by email or by post. Revocation of consent does not affect the legality of data processing that was carried out prior to your revocation. Our contact details can be found at the end of this Privacy Policy.

Automated decision-making in individual cases, including profiling, is prohibited according to Art. 22 GDPR.

WHU analyzes and makes use of anonymized data for higher education-related statistical and scientific purposes, which it collects for both administrative and statistical purposes during the selection process and course of study, such as country of origin, federal state, school-leaving qualification, results achieved in the selection process, and credits earned during the course of study.

The extent to which your personal data is processed is limited to the purposes described above.

Storage of Personal Data During Use of WHU’s Internal Payment System

When you log on to WHU’s internal, cashless payment system using the terminal manager or our app, MyAuthent, and when you use the payment system, your personal data is collected and stored by us.

This data includes name, amount, date, WHU card number, and user group association. Data is collected and processed when you add credits to your card, use your card to pay at a terminal, or return credits.

Processing of personal data only takes place insofar as this is necessary to complete the contract in place pertaining to the use of the payment system. The legal basis for data storage and processing is in this case Art. 6 para. 1 sentence 1 lit. b GDPR.

WHU uses a service provider for automatic adding of credit in the context of our cashless payment system; this service provider is Payone Payment Services, provided by PAYONE GmbH. For this purpose, your data is transferred to PAYONE GmbH. Your credit card information is stored by PAYONE GmbH. In terms of data protection laws, PAYONE GmbH is independently responsible for the storage of this data. You can access PAYONE GmbH’s data privacy protection policy (art. 14 GDPR) using the following link: https://s3-eu-west-1.amazonaws.com/bspayone-docs/bspayone/PAYONE_Information_zu_Datenverarbeitung_gemaess_Art-14-DSGVO_062019.pdf

With respect to data processing in the MyAuthent app, we refer to the data protection policy specific to this app, which you can access before or during every use of the app.

Identity Provider (IdP) and authentication process

The Identity Provider (IdP) is a service for authentication and authorization to service providers as part of the DFN-AAI. The authentication and authorization infrastructure DFN-AAI is administered by the DFN-Verein. DFN creates the necessary relationship of trust as well as an organizational and technical framework for the exchange of user information between institutions and providers of the DFN-AAI.

As part of the login process, the IdP first authenticates the user. This is done by entering the user name and password. The login data are always checked at the WHU IdP and are not transmitted to the service provider. The preset information required for use is then transmitted to the service provider. This can be, for example, the name, the e-mail address, the group membership and matriculation number.

All communication is encrypted. Certificates that have been issued or checked by the DFN-Verein are used for encryption. WHU is responsible for the technical provision and operation of the IdP.

Advertising

We may process the data provided by you or collected by us for advertising purposes. The legal basis for this is Article 6 sentence 1 lit. f GDPR ("legitimate interest"). A legitimate interest exists in this case according to the Recitals to the GDPR, in particular with regard to direct marketing (GDPR Recital 47, sentence 7). The term direct marketing refers to a provider (in this case, us) who makes direct contact with a customer with the aim of promoting the sale of products or services.

We of course adhere to the requirements of § 7 para. 3 UWG (Unfair Competition Act).

Advertising is carried out by post, by electronic means (e-mail), by SMS / MMS or through phone calls, and in reference to all products and services of the school, in particular courses of study and continuing education courses at WHU, e.g.: Bachelor of Science, Master in Management, Master in Entrepreneurship, Master in Finance, Full-Time Master of Business Administration Program, Part-Time Master in Business Administration Program, Executive Master of Business Administration, Executive Education customized and open programs, the Doctoral Program, and International Short Programs, etc.

Advertising activities also refer to conferences, research projects, publications and the like, carried out by the chairs and student initiatives of WHU.

For the advertising purposes mentioned above, your personal data may be transmitted to the WHU Foundation and processed for advertising purposes.

You can object at any time to the processing of your personal data for advertising purposes. Our contact details are listed at the end of this Privacy Policy. In the case of an objection, your personal data will no longer be processed for advertising purposes and will be deleted from the corresponding advertising channels.

Duration of Data Processing

The maximum duration of data processing depends on the purpose that the data processing serves. The duration of data storage depends on how long it is necessary to process your data for the purpose of contract fulfillment, in particular with regard to the fulfillment of the contract that the school has concluded with you (for example, to fulfill commercial and tax-related obligations under § 257 HGB and § 147 AO and to fulfill the data storage requirements of university law).

If WHU voluntarily continues to provide services (e.g. inbox or e-learning platform) to alumni following the successful completion of their course of study, and the processing of their data continues, then this data privacy policy remains unaltered and in force. The same applies to the deletion of data, which can only take place if the data are no longer required for the purpose of contract fulfillment.

Recipients of Personal Data

The processing of data by WHU in the context of your study contract is carried out exclusively by the Student Office or specialized departments (e.g. Examination Office, IT, Library, Career Center, Executive Education, Chairs), if necessary.

In addition, other students and staff may have access to your personal data as follows: Intranet (information platform, staff directory): first name, last name, business email address and telephone number, department, job title.

Furthermore, data may be transmitted to the following third parties, as necessary:

School ranking organizations (e.g., Financial Times, Times Higher Education), accreditation agencies, health insurance, social insurance, BAföG office, student financing, the alumni association, external lecturers, examiners in the application process, cooperation partners, career networks (if necessary), financial services (if necessary), public transportation.

Location of Data Processing

Your personal data is only processed either in Germany or in member states of the European Union. In the event that your personal data is transmitted by us to countries outside the member states of the European Union (so-called third countries) or to other international organizations, then this transmission complies with all the requirements of Art. 44 et seq. GDPR.

Safety and Technical and Organizational Measures

We take all technical and organizational precautions necessary in order to protect your personal data from loss, destruction, access, modification or disclosure by unauthorized persons, and misuse; this is in accordance with the provisions of Articles 24, 25 and 32 GDPR.

For example, we comply with the legal requirements for pseudonymizing and encrypting personal data, for ensuring the confidentiality, integrity, availability and resilience of systems and services related to processing, the availability of personal data and the ability to rapidly recover them in the event of a physical or technical incident, and the establishment of procedures to regularly check, assess, and evaluate the effectiveness of technical and organizational measures that ensure the safety of data processing.

Furthermore, we also observe the requirements of Art. 25 GDPR with regard to the principles of "privacy by design" (privacy by intentional technical design) and "privacy by default" (data protection by means of privacy-protecting default settings).

Your Rights

You have a right to free information about your personal data and, if the respective legal requirements are met, a right to correct, block, or delete your data, to restrict processing and transmission of data, and a right of objection.

You also have the possibility to complain to the relevant regulatory authority.

If you have any questions regarding the processing of your personal data or if you have questions regarding the aforementioned rights or suggestions, please contact us or our external data protection officer:

Mr. Ralf Wickert
c/o Dornbach GmbH Rechtsanwaltsgesellschaft
Anton-Jordan-Straße 1
56070 Koblenz
Email: datenschutz(at)whu.edu
Phone: 0261 9431-434

 

As of: January 2024
