Privacy Policy

­

1. General information

Data protection

The operators of this website and its pages take the protection of your personal data very seriously. Hence, we handle your personal data as confidential information and in compliance with the statutory data protection regulations and this Data Protection Declaration.

Whenever you use this website, a variety of personal information will be collected. Personal data comprises data that can be used to personally identify you. This Data Protection Declaration explains which data we collect as well as the purposes we use this data for. It also explains how, and for which purpose the information is collected.

We herewith advise you that the transmission of data via the Internet (i.e. through e-mail communications) may be prone to security gaps. It is not possible to completely protect data against third party access.

Information about the responsible party (referred to as the “controller“ in the GDPR)

The data processing controller on this website is:

CEPA Customized Educational Programs Abroad GmbH
Burgweg 24, 74379 Ingersheim, Germany
Phone: +49 (0) 71 42 – 95 65 11
E-Mail: info (at) cepa-abroad.org

The controller is the natural person or legal entity that single-handedly or jointly with others makes decisions as to the purposes of and resources for the processing of personal data (e.g. names, e-mail addresses, etc.).

Designation of a data protection officer

Our company has appointed an external data protection officer who has certified our company and who ensures our continued implementation of GDPR.

D3 Datenschutz UG (limited liability)
Nico Villing
Hauptstraße 106/108
78549 Spaichingen
Germany
Tel.: +49 (0) 7424 603 939 0

E-Mail: privacy@cepa-abroad.org

­

Revocation of your consent to the processing of data

A wide range of data processing transactions are possible only subject to your express consent. You can also revoke at any time any consent you have already given us. To do so, all you are required to do is sent us an informal notification via e-mail. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

Right to object to the collection of data in special cases (Art. 21 GDPR)

In the event that data are processed on the basis of Art. 6 Sect. 1 lit. e or f GDPR, you have the right to object to the processing of your personal data based on grounds arising from your unique situation at any time. This also applies to any profiling based on these provisions. To determine the legal basis, on which any processing of data is based, please consult this Data Protection Declaration. If you log an objection, we will no longer process your affected personal data, unless we are in a position to present compelling protection worthy grounds for the processing of your data, that outweigh your interests, rights and freedoms or if the purpose of the processing is the claiming, exercising or defense of legal entitlements (objection pursuant to Art. 21 Sect. 1 GDPR).

­

Right to log a complaint with the competent supervisory authority

In the event of violations of the GDPR, data subjects are entitled to log a complaint with a supervisory authority, in particular in the member state where they usually maintain their domicile, place of work or at the place where the alleged violation occurred. The right to log a complaint is in effect regardless of any other administrative or court proceedings available as legal recourses.

The supervisory authority responsible for us is

Landesbeauftragte f. d. Datenschutz u. d. Informationsfreiheit Baden-Württemberg
Königstrasse 10 a, 70173 Stuttgart, Germany
Phone: +49 (0)7 11 61 55 41 – 0
Fax: +49 (0)7 11 61 55 41 – 15
E-Mail: poststelle@lfdi.bwl.de
Web: www.baden-wuerttemberg.datenschutz.de

Right to data portability

You have the right to demand that we hand over any data we automatically process on the basis of your consent or in order to fulfil a contract be handed over to you or a third party in a commonly used, machine readable format. If you should demand the direct transfer of the data to another controller, this will be done only if it is technically feasible.

SSL and/or TLS encryption

For security reasons and to protect the transmission of confidential content, such as inquiries you submit to us as the website operator, this website uses either an SSL or a TLS encryption program. You can recognize an encrypted connection by checking whether the address line of the browser switches from „http://“ to „https://“ and also by the appearance of the lock icon in the browser line.

If the SSL or TLS encryption is activated, data you transmit to us cannot be read by third parties.

Encrypted payment transactions on this website

If you are under an obligation to share your payment information (e.g. account number if you give us the authority to debit your bank account) with us after you have entered into a fee-based contract with us, this information is required to process payments.

Payment transactions using common modes of paying (Visa/MasterCard, debit to your bank account) are processed exclusively via encrypted SSL or TLS connections. You can recognize an encrypted connection by checking whether the address line of the browser switches from „http://“ to „https://“ and also by the appearance of the lock icon in the browser line. If the communication with us is encrypted, third parties will not be able to read the payment information you share with us.

Information about blockage, rectification and eradication of data

Within the scope of the applicable statutory provisions, you have the right to at any time demand information about your archived personal data, their source and recipients as well as the purpose of the processing of your data. You may also have a right to have your data rectified, blocked or eradicated. If you have questions about this subject matter or any other questions about personal data, please do not hesitate to contact us at any time at the address provided in section ”1. General information.”

Right to demand processing restrictions

You have the right to demand the imposition of restrictions as far as the processing of your personal data is concerned. To do so, you may contact us at any time at the address provided in section ”1. General information.“ The right demand restriction of processing applies in the following cases:

  • In the event that you should dispute the correctness of your data archived by us, we will usually need some time to verify this claim. During the time that this investigation is ongoing, you have the right to demand that we restrict the processing of your personal data.
  • If the processing of your personal data was/is conducted in an unlawful manner, you have the option to demand the restriction of the processing of your data in lieu of demanding the eradication of this data.
  • If we do not need your personal data any longer and you need it to exercise, defend or claim legal entitlements, you have the right to demand the restriction of the processing of your personal data instead of its eradication.
  • If you have raised an objection pursuant to Art. 21 Sect. 1 GDPR, your rights and our rights will have to be weighed against each other. As long as it has not been determined whose interests prevail, you have the right to demand a restriction of the processing of your personal data.

If you have restricted the processing of your personal data, these data – with the exception of their archiving – may be processed only subject to your consent or to claim, exercise or defend legal entitlements or to protect the rights of other natural persons or legal entities or for important public interest reasons cited by the European Union (EU) or a member state of the EU. 

Rejection of unsolicited e-mails

We herewith object to the use of contact information published in conjunction with the mandatory information to be provided in section ”1. General information” to send us promotional and information material that we have not expressly requested. The operators of this website and its pages reserve the express right to take legal action in the event of the unsolicited sending of promotional information, for instance via SPAM messages.

2. Recordings of data on our website

Website host

This website is hosted on the servers of 1&1 IONOS SE. The services are provided by 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany.

We have executed a so-called “Data Processing Agreement“ with 1&1 IONOS SE, in which we mandate that 1&1 IONOS SE undertakes to protect the data of our customers and to refrain from sharing it with third parties. Furthermore, this agreement explicitly confirms the legally compliant execution of the legal requirements for data protection.

Cookies

In some instances, our website and its pages use so-called cookies. Cookies do not cause any damage to your computer and do not contain viruses. The purpose of cookies is to make our website more user friendly, effective and more secure. Cookies are small text files that are placed on your computer and stored by your browser.

Most of the cookies we use are so-called “session cookies“. They are automatically deleted after you leave our site. Other cookies will remain archived on your device until you delete them. These cookies enable us to recognize your browser the next time you visit our website.

You can adjust the settings of your browser to make sure that you are notified every time cookies are placed and to enable you to accept cookies only in specific cases or to exclude the acceptance of cookies for specific situations or in general and to activate the automatic deletion of cookies when you close your browser. If you deactivate cookies, the functions of this website may be limited.

Cookies that are required for the performance of the electronic communications transaction or to provide certain functions you want to use, are stored on the basis of Art. 6 Sect. 1 lit. f GDPR. The website operator has a legitimate interest in storing cookies to ensure the technically error free and optimized provision of the operator’s services. If other cookies (e.g. cookies for the analysis of your browsing patterns) should be stored, they are addressed separately in this Data Protection Declaration.

WebAnalytics (details on the use of 1&1 IONOS MyWebsite) / Server log files

The provider of this website and its pages automatically collect and store information in so-called server log files, which your browser communicates to us automatically. This data is not merged with other data sources.

This data is recorded on the basis of Art. 6 Sect. 1 lit. f GDPR. The operator of the website has a legitimate interest in the technically error free depiction and the optimization of the operator’s website. In order to achieve this, server log files must be recorded.

Tracking and logging are enabled by default. The data is determined either by a pixel or by a log file. WebAnalytics does not use any cookies.

1&1 IONOS does not store any personal data of website visitors so that no conclusions can be drawn about individual visitors. The following data are collected:

  • Referrer (previously visited website)
  • Requested web page or file
  • Browser type and version
  • Operating system used
  • Type of device used
  • Time of access
  • IP address in anonymous form (used only to determine the location of access)

In WebAnalytics, data is collected exclusively for statistical evaluation and technical optimization of the website. No data are passed on to third parties.

Contact forms

If you submit inquiries to us via one of our contact forms (Contact us, Request a Quote & Proposal,…), the information provided in the contact form as well as any contact information provided therein will be stored by us in order to handle your inquiry and in the event that we have further questions. We will not share this information without your consent.

Hence, the processing of the data entered into the contact form occurs exclusively based on your consent (Art. 6 Sect. 1 lit. a GDPR). You have the right to revoke at any time any consent you have already given us. To do so, all you are required to do is sent us an informal notification via e-mail. This shall be without prejudice to the lawfulness of any data collection that occurred prior to your revocation.

The information you have entered into the contact form shall remain with us until you ask us to eradicate the data, revoke your consent to the archiving of data or if the purpose for which the information is being archived no longer exists. This shall be without prejudice to any mandatory legal provisions – in particular retention periods.

For our contact forms we use the services of Microsoft Forms. The information you provided in the contact forms will be encrypted and stored by Microsoft. Microsoft Forms is compatible with the data protection guidelines HIPAA and Baa. Furthermore, all FERPA and Baa protective measures are in place. Microsoft Forms data follows the standard Office 365 compliance framework and belongs to compliance category C. For more information affiliated with the processing of data by Microsoft Forms, please click on the following links:

https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-ferpa?view=o365-worldwide

https://docs.microsoft.com/en-us/microsoft-365/compliance/offering-hipaa-hitech?view=o365-worldwide

CEPA-Declaration-of-consent-to-use-pictures_sound_video-recording.pdf

Request by e-mail or telephone

If you contact us by e-mail or telephone, your request, including all resulting personal data (name, request) will be stored and processed by us for the purpose of processing your request. We do not pass this data on without your consent.

The processing of these data is based on Art. 6 (1) lit. b GDPR, if your request is related to the execution of a contract or if it is necessary to carry out pre-contractual measures. In all other cases, the processing is based on your consent (Article 6 (1) a GDPR) and/or on our legitimate interests (Article 6 (1) (f) GDPR), since we have a legitimate interest in the effective processing of requests addressed to us.

The data sent by you to us via contact requests remain with us until you request us to delete, revoke your consent to the storage or the purpose for the data storage lapses (e.g. after completion of your request). Mandatory statutory provisions – in particular statutory retention periods – remain unaffected.

3. Social Media

Facebook plug-ins (Like & Share button)

We have integrated plug-ins of the social network Facebook, provided by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, on our website. You will be able to recognize Facebook plug-ins by the Facebook logo or the “Like” button on our website. An overview of the Facebook plug-ins is available under the following link: https://developers.facebook.com/docs/plugins/.

Whenever you visit our website and its pages, the plug-in will establish a direct connection between your browser and the Facebook server. As a result, Facebook will receive the information that you have visited our website with your plug-in. However, if you click the Facebook “Like” button while you are logged into your Facebook account, you can link the content of our website and its pages with your Facebook profile. As a result, Facebook will be able to allocate the visit to our website and its pages to your Facebook user account. We have to point out, that we as the provider of this website do not have any knowledge of the transferred data and its use by Facebook. For more detailed information, please consult the Data Privacy Declaration of Facebook at: https://www.facebook.com/privacy/explanation.

If you do not want Facebook to be able to allocate your visit to our website and its pages to your Facebook user account, please log out of your Facebook account while you are on our website.

The use of the Facebook plug-in is based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in being as visible as possible on social media.

Twitter plug-in

We have integrated functions of the social media platform Twitter into our website. These functions are provided by Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. While you use Twitter and the “Retweet” function, websites you visit are linked to your Twitter account and disclosed to other users. During this process, data is transferred to Twitter as well. We must point out that we as the providers of this website and its pages do not know anything about the content of the data transferred and the use of this information by Twitter. For more details, please consult Twitter’s Data Privacy Declaration at: https://twitter.com/en/privacy.

The use of Twitter plug-ins is based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in being as visible as possible on social media.

You have the option to reset your data protection settings on Twitter under the account settings at https://twitter.com/account/settings.

Instagram plug-in

We have integrated functions of the public media platform Instagram into our website. These functions are being offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA.

If you are logged into your Instagram account, you may click the Instagram button to link contents from our website to your Instagram profile. This enables Instagram to allocate your visit to our website to your user account. We have to point out that we as the provider of this website and its pages do not have any knowledge of the content of the data transferred and its use by Instagram.

The use of the Instagram plug-in is based on Art. 6 Sect. 1 lit. f GDPR. The operator of this website has a legitimate interest in being as visible as possible on social media.

For more information on this subject, please consult Instagram’s Data Privacy Declaration at: https://instagram.com/about/legal/privacy/.

4. Analysis tools and advertising

Statify

This website uses the plug-in Statify for analysis purposes. Statify is open source software developed by pluginkollektiv, based in Germany. In conjunction with the performance of analyses by Statify, it is possible to analyze the number of site views and visitor origins (i.e. from which site does the visitor arrive at our site) as well as visitor target sites. For these purposes, Statify archives in particular the following data:

  • Referrer (previously visited website)
  • Accessed page on the website or file
  • Website access time

According to Statify, the data recorded is completely anonymized so it cannot be tracked back to individuals. Statify does not store any personal data and does not use cookies.

The data is stored and analyzed pursuant to Art. 6 Sect. 1 lit. f GDPR. The operator of the website has a legitimate interest in the statistical analysis of user patterns to optimize both, the operator’s web presentation as well as the operator’s promotional activities. For more information affiliated with the recording and processing of data by Statify, please click on the following link:

https://wordpress.org/plugins/statify/#description

5. Newsletter

Newsletter data

If you would like to subscribe to the newsletter offered on this website, we will need from you an e-mail address as well as information that allow us to verify that you are the owner of the e-mail address provided and consent to the receipt of the newsletter. No further data shall be collected or shall be collected only on a voluntary basis. We shall use such data only for the sending of the requested information and shall not share such data with any third parties.

The processing of the information entered into the newsletter subscription form shall occur exclusively on the basis of your consent (Art. 6 Sect. 1 lit. a GDPR). You may revoke the consent you have given to the archiving of data, the e-mail address and the use of this information for the sending of the newsletter at any time, for instance by clicking on the “Unsubscribe“ link in the newsletter. This shall be without prejudice to the lawfulness of any data processing transactions that have taken place to date.

The data you archive with us for the purpose of the newsletter subscription shall be archived by us until you unsubscribe from the newsletter. Once you cancel your subscription to the newsletter, the data shall be deleted. This shall not affect data we have been archiving for other purposes.

Mailchimp

This website uses the services of Mailchimp to send out its newsletters. The provider is the Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

Among other things, Mailchimp is a service that can be deployed to organize and analyze the sending of newsletters. Whenever you enter data for the purpose of subscribing to a newsletter (e.g. your e-mail address), the information is stored on Mailchimp servers in the United States.

Mailchimp is in possession of a certification that is in compliance with the “EU-US-Privacy-Shield.“ The “Privacy-Shield“ is a compact between the EU and the United States of America (USA) that aims to warrant the compliance with European data protection standards in the USA.

With the assistance of Mailchimp, we can analyze the performance of our newsletter campaigns. If you open an e-mail that has been sent through Mailchimp, a file that has been integrated into the e-mail (a so-called web-beacon) connects to Mailchimp’s servers in the United States. As a result, it can be determined whether a newsletter message has been opened and which links the recipient possibly clicked on. Technical information is also recorded at that time (e.g. the time of access, the IP address, type of browser and operating system). This information cannot be allocated to the respective newsletter recipient. Their sole purpose is the performance of statistical analyses of newsletter campaigns. The results of such analyses can be used to tailor future newsletters to the interests of their recipients more effectively.

If you do not want to permit an analysis by Mailchimp, you must unsubscribe from the newsletter. We provide a link for you to do this in every newsletter message.

The data is processed based on your consent (Art. 6 Sect. 1 lit. a GDPR). You may revoke any consent you have given at any time by unsubscribing from the newsletter. This shall be without prejudice to the lawfulness of any data processing transactions that have taken place prior to your revocation.

The data you archive with us for the purpose of the newsletter subscription shall be archived by us until you unsubscribe from the newsletter. Once you cancel your subscription to the newsletter, the data shall be deleted from our servers as well as those of Mailchimp. This shall not affect data we have been archiving for other purposes.

For more details, please consult the Data Privacy Policies of Mailchimp at:

https://mailchimp.com/legal/terms/

We have executed a so-called “Data Processing Agreement“ with Mailchimp, in which we mandate that Mailchimp undertakes to protect the data of our customers and to refrain from sharing it with third parties.

Calendly

GDPR FAQs – Help Center (calendly.com)

6. Plug-ins and Tools

YouTube with expanded data protection integration

Our website uses plug-ins of the YouTube platform, which is being operated by Google Ireland Limited (“Google“), Gordon House, Barrow Street, Dublin 4, Ireland.

We use YouTube in the expanded data protection mode. According to YouTube, this mode ensures that YouTube does not store any information about visitors to this website before they watch the video. Nevertheless, this does not necessarily mean that the sharing of data with YouTube partners can be ruled out as a result of the expanded data protection mode. For instance, regardless of whether you are watching a video, YouTube will always establish a connection with the Google DoubleClick network.

As soon as you start to play a YouTube video on our website, a connection to YouTube’s servers will be established. As a result, the YouTube server will be notified, which of our pages you have visited. If you are logged into your YouTube account while you visit our site, you enable YouTube to directly allocate your browsing patterns to your personal profile. You have the option to prevent this by logging out of your YouTube account.

Furthermore, after you have started to play a video, YouTube will be able to place various cookies on your device. With the assistance of these cookies, YouTube will be able to obtain information about our website visitor. Among other things, this information will be used to generate video statistics with the aim of improving the user friendliness of the site and to prevent attempts to commit fraud. These cookies will stay on your device until you delete them.

Under certain circumstances, additional data processing transactions may be triggered after you have started to play a YouTube video, which are beyond our control.

The use of YouTube is based on our interest in presenting our online content in an appealing manner. Pursuant to Art. 6 Sect. 1 lit. f GDPR, this is a legitimate interest.

For more information on how YouTube handles user data, please consult the YouTube Data Privacy Policy under: https://policies.google.com/privacy?hl=en.

7. Privacy Policy addition for Customers

Payments through Flywire

Flywire will utilize administrative, technical and physical measures that conform to generally recognized industry best practices to protect the confidentiality, integrity and accessibility of customer data. Any electronic transmission or exchange of data with the platform will be conducted via secure means (using HTTPS, SFTP, or an equivalent protocol).

When transferring any Personal Data from the European Economic Area to the USA, Flywire adheres to the GDPR acceptable level of appropriate safeguards; by implementing Standard Contractual clauses. This standard requires Flywire to Safeguard data subject information and rights based on the principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Flywire commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities.

Visitors to the holiday calendar

8. Privacy Policy addition for Applicants

We offer website visitors the opportunity to submit job applications to us via e-mail. Below, we will brief you on the scope, purpose and use of the personal data collected from you in conjunction with the application process. We assure you that the collection, processing and use of your data will occur in compliance with the applicable data privacy rights and all other statutory provisions and that your data will always be treated as strictly confidential.

Scope and purpose of the collection of data

If you submit a job application to us, we will process any affiliated personal data (e.g. contact and communications data, application documents, notes taken during job interviews, etc.), if they are required to make a decision concerning the establishment or an employment relationship. The legal grounds for the aforementioned are § 26 New GDPR according to German Law (Negotiation of an Employment Relationship), Art. 6 Sect. 1 lit. b GDPR (General Contract Negotiations) and – provided you have given us your consent – Art. 6 Sect. 1 lit. a GDPR. You may revoke any consent given at any time. Within our company, your personal data will only be shared with individuals who are involved in the processing of your job application. If your job application should result in your recruitment, the data you have submitted will be archived on the grounds of § 26 New GDPR and Art. 6 Sect. 1 lit. b GDPR for the purpose of implementing the employment relationship in our data processing system.

Data Archiving Period

If we should not be able to offer you a position, if you refuse a job offer, retract your application, revoke your consent to the processing of your data or ask us to delete your data, we will store your transferred data, incl. any physically submitted application documents for a maximum of 6 months after the conclusion of the application process (retention period) to enable us to track the details of the application process in the event of disparities (Art. 6 Sect. 1 lit. f GDPR). Only with your express consent will we store your transferred data incl. any physically submitted application documents for a maximum of 12 months after the conclusion of the application process (Art 6. (1) Lit. a) GDPR).

You have the option to object to this storage/retention of your data if you have legitimate interests to do so that outweigh our interest.

Once the retention period has expired, the data will be deleted, unless we are subject to any other statutory retention obligations or if any other legal grounds exist to continue to store the data. If it should be foreseeable that the retention of your data will be necessary after the retention period has expired (e.g. due to imminent or pending litigation), the data shall not be deleted until the data have become irrelevant. This shall be without prejudice to any other statutory retention periods.

­

Updated as of December 9, 2020

Information obligation / Informationspflicht­

­

We take the protection of your personal data very seriously and it is our priority that you feel safe and comfortable in our business relationship. When processing personal data, it is important for us to take your privacy into account in all business processes.

Below you will find information on the collection and processing of personal data in accordance with Art. 13 GDPR.

Choose your role to find out.