Information on data processing at KLU

Information on data processing at KLU according to Article 13 & 14 of the General Data Protection Regulation (GDPR)

Information on data processing at KLU

Information on data processing at KLU according to Article 13 & 14 of the General Data Protection Regulation (GDPR)

Information on data processing at KLU according to Article 13 & 14 of the General Data Protection Regulation (GDPR)

Kühne Logistics University, consisting of Kühne Logistics University gGmbH, KLU Executive Education GmbH and KLU Academic Foundation, processes personal data (hereafter simply “data”) exclusively on the basis of the relevant statutory provisions. The purpose of this data protection declaration is to comprehensively inform you about the processing of your data at our university and the data protection claims and rights to which you are entitled under Art. 13 and 14 of the General Data Protection Regulation (GDPR).

You can find information about the responsible party in the imprint

Data protection officer

We have appointed a data protection officer for our company.

Dr. Uwe Nolte 

privacy@klu.org

As a rule, we receive data from prospective students, applicants, students, doctoral candidates, researchers, sponsors, third-party funders, partner universities, etc. from the respective parties themselves. We also receive contact data through recommendations or by researching publicly available data sources, e.g. the Internet. We may also receive your data (name, contact details) from educational service providers (e.g. GMASS, TOEFL, CIS) to which you have applied and where you have consented to the transfer of data to us. 

We receive data from individuals applying for (permanent) employment at KLU from said individuals themselves, but also through recommendations, and from the Employment Agency, web portals and recruitment agencies. When you conclude a contract with us, you will receive comprehensive information on the data processing of employees / students.

We process personal data for the following purposes:

  • to fulfill (pre-)contractual obligations pursuant to Article 6 (1) b. We conclude contracts with employees, students, and external lecturers. You must provide us with the personal data collected in the context of contractual cooperation; otherwise employment / study is not possible. 
  • in keeping with § 26 BDSG, we process the data of employees and applicants for (permanent) employment 
  • to fulfill our legal obligations in accordance with Art. 6 (1) c GDPR: e.g. data processing may be required by labor law, university laws, the German Commercial Code or German Fiscal Code. You must provide us with this data; otherwise employment is not possible.
  • to safeguard our legitimate interests (Art. 6 (1) f GDPR): on the basis of a balancing of interests, data processing may be carried out beyond the actual fulfillment of the contract in order to safeguard our legitimate interests or those of third parties. Data is processed in order to protect legitimate interests in e.g. the following cases:
    • use of our IT structures
    • operating our website and social media channels
    • advertising or marketing
    • measures for business management and further development of our services
    • quality assurance and certification at accreditation agencies
    • in the context of legal prosecution.
  • on the basis of your consent (Art. 6 (1) a GDPR): e.g. consent given to receive newsletters, to have your applicant data (e.g. employee relationship, freelancers) stored for a longer period of time.
  • Right of revocation

Consent is always voluntary. Refusing to give consent does not result in disadvantages. Your consent can be revoked or modified at any time without giving reasons with effect for the future. Data processing that has already taken place remains unaffected. An informal email is sufficient for this purpose:

For employees: to hr@klu.org
For students: to studentservices@klu.org
For all other revocations: to unsubscribe@klu.org

You can object to the use of your personal data for advertising purposes at any time. To do so, please use the address provided above or the email address unsubscribe@klu.org.

We are entitled, if necessary, under the legal conditions of § 7 para. 3 UWG, to use email addresses that were provided upon conclusion of a contract to directly advertise our own, similar services. 

If you do not wish to receive advertising by email from us, you can object to the use of your data for this purpose at any time. An email to unsubscribe@klu.org is sufficient for this purpose.

If we use a service provider for commissioned data processing, we still remain responsible for the protection of your data. All commissioned processors are contractually obligated to treat your data confidentially and to process it only in the context of providing the agreed-upon service. The processors we commission only receive your data if they require it to provide their respective service. These processors are, for example, IT service providers that we need for the operation and security of our IT system, as well as software providers that we need for the implementation of our business processes.

In the context of contractual cooperation or research projects, personal data may be passed on to project partners or third-party funders. This is done in the legitimate interest of all parties involved.

In addition, we may transfer your personal data to other recipients outside KLU to the extent necessary to fulfill our contractual and legal obligations. In this regard, recipients of personal data may be e.g.:

  • tax consultants
  • social insurance carriers
  • health and pension insurance funds
  • tax authorities
  • employer’s liability insurance associations
  • credit and financial services institutions (e.g. for salary payments)
  • auditors and payroll tax inspectors
  • the State Statistical Office
  • Central Office for Foreign Education (in order to check whether an applicant is eligible for admission to a degree program in Germany, it may be necessary to send certificates of the applicant to the Central Office for Foreign Education (Zentralstelle für Ausländisches Bildungswesen, ZAB) for a certificate assessment.)
  • German Science and Humanities Council
    For the long-term recognition by the state and the institution's independent right to award doctorates, data may be transferred to state agencies, e.g. the German Science and Humanities Council, as part of the quality assurance process. 
  • Accreditation agencies in Germany/Europe and if applicable in the USA
    In the course of accreditation procedures to increase the international recognition of KLU study programs, data may be transferred to accreditation agencies.
  • project partners, third-party funders or processors in accordance with GDPR Art. 28
  • in the case of excursions, study trips and events, it may be necessary to pass on data to the respective event organizer, e.g. for the purpose of entry control.
  • if necessary, service providers that we use in the context of commissioned processing agreements.


Other data recipients may be those bodies for which you have given us your consent to transfer data to, or to which we are authorized to transfer personal data on the basis of a balancing of interests.

As a rule, we do not transfer any data to third countries. In individual cases, such transfers only take place on the basis of an Adequacy Decision of the European Commission, standard contractual clauses, appropriate safeguards, or your express consent. 

Transfers may take place, for example, to lecturers / partner universities or third-party funders who are based in a third country. We will inform you about such transfers in each individual case.

Processed personal data is deleted as soon as its storage is no longer necessary for the above-mentioned purposes. After termination of the contractual relationship / studies, employees’ / students’ personal data is stored for as long as KLU is legally obliged to do so or is entitled to do so on the basis of legitimate interests. 

The retention obligations that apply in this regard result e.g. from the provisions of higher education laws, the German Commercial Code and German Fiscal Code. 
Alternatively, personal data may be retained for the period during which claims can be asserted against KLU. In this case, statutory limitation periods ranging from three to thirty years apply. You will receive a detailed list upon conclusion of a study contract or employment contract.

If we have collected your data as part of an application selection procedure and you do not subsequently study at KLU, the data is generally deleted shortly after the procedure has been carried out, at the latest after 6 months, unless in individual cases there are sufficient reasons to store your data for a longer period.

The data of prospective students is deleted 3 years after the last contact.

The data of applicants for (permanent) positions is usually deleted 6 months after the end of the application process; longer storage is only possible with the applicant’s consent.

Affected persons have the right to information, correction, blocking, deletion, or restriction of the processing of their data at any time. You can revoke your consent with effect for the future; data processing remains legal until your revocation enters into force. Under certain circumstances, you may receive your stored personal data in electronic form or as a copy.

If we process your data to safeguard our legitimate interests, you can object to this data processing at any time. This would also apply to profiling.

We do not utilize automated profiling.

We will then no longer process your data unless we can demonstrate compelling legitimate grounds for the processing that supersede your interests, rights, and freedoms, or unless the processing serves to assert, exercise or defend legal claims. 

You may object to the processing of your data for the purpose of direct marketing at any time without giving reasons.

If you are of the opinion that we are violating German or European data protection law with regard to the processing of your data, please contact us so that we can address any questions you have. 

Please contact us either by mail (address above) or by email: privacy@klu.org. 

If any doubts arise, we may request additional information to confirm your identity. 

In addition, the supervisory authority of the Federal State of Hamburg is available to you as a contact.

For security reasons, all incoming mails are screened; only mails up to a maximum size of 35 MB are accepted. If a warning pops up during a screening, the email is moved to quarantine and the recipient is notified. Such emails may be delivered to the recipient after they have been cleared by IT.

If you need to exchange certain files with macros, files with unusual formats, or large files, please inform your contact person at KLU in advance. He or she can provide a SharePoint for you on request.

We use Office 365 from Microsoft to attend to our office work, for communication (conference calls, online meetings, and video conferences), and for online collaboration. 

Our legitimate interests are to simplify IT processes, communicate internally and externally, handle requests, increase efficiency, and promote cross-company collaboration.

Office 365 is a service of Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.

When you use Office 365, personal data is also processed. For this purpose, we have concluded a commissioned processing agreement with Microsoft. A corresponding commissioned processing agreement is included in the Online Service Terms (OSTs).

www.microsoft.com/de-de/servicesagreement
www.microsoft.com/en-us/licensing/product-licensing/products
www.microsoft.com/de-de/trust-center/privacy/data-access

Categories of data processed and their legal basis

When you use Office 365, Microsoft processes a variety of data. 

  • functionality data
  • license data
  • diagnostic data (telemetry)
  • technical support
  • continuous improvement
  • processing for Microsoft’s legitimate business activities

Which types of personal data are processed depends on the individual case:

  • Your IP address used to access Microsoft Office 365 applications. The legal basis for this is Art. 6 (1) f GDPR.
  • Your user name (access data to the Microsoft Office 365 applications) and information about yourself that identifies you as a data user, sender, or recipient within the Office 365 world. Data within the scope of the so-called multifactor authentication that you yourself have stored on your Microsoft account (e.g. optionally your (private) cell phone number). The legal basis for this is Art. 6 (1) b GDPR.
  • Other voluntarily provided data (such as a profile picture you have saved) can also be viewed in your profile at any time. This information is visible in your profile, but especially also in Outlook for you and other Office 365 users at any time and can be customized by you. The legal basis for this is Art. 6 (1) a GDPR.
  • Usage data: This includes in particular communication content (text, audio, video) created by you. This depends on the application you use in Office 365 (Teams). The legal basis for this is Art. 6 (1) b and f GDPR.

Data recipients

In addition to the cases explicitly mentioned in this data protection declaration, your personal data will only be passed on without your express prior consent where doing so is permitted or required by law.


Data transfers to third countries

Data processing outside the European Union (EU) does not generally take place, as we have limited our storage sites to data centers in the European Union.

However, telemetry or diagnostic data, the support hotline and potentially other data processed in Microsoft’s area of responsibility outside the EU are excluded from this.

Furthermore, due to legal obligations, personal data may be transferred or disclosed to third parties (in particular, authorities), including third countries (USA) with a different level of data protection. 

In order to achieve the required secure level of data protection, in addition to internal organizational measures, the so-called Standard Contractual Clauses (SCCs) have been concluded with Microsoft, which are components of the Data Protection Addendum (DPA) as an annex to the above-mentioned OSTs.

Encryption

Data is encrypted in transit and at rest. This includes messages, files (video, audio, etc.), meetings, and other content. Teams also uses TLS and MTLS to encrypt chat messages.


Storage duration / criteria for determining storage duration

If a user (or an administrator on behalf of a user) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 60 days.

If a service offered by Microsoft is terminated, the corresponding personal data will be deleted between 60 and 180 days after the service is discontinued. We generally delete personal data when there is no need for further storage. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty and, if applicable, guarantee claims. In such cases, Microsoft must comply with the request of the company administrator.

In the case of legal retention obligations, deletion will only be considered after the required retention period has expired.

Microsoft Teams 

We use the tool “Microsoft Teams” for presentations, meetings, joint project work, conferences, training workshops, and seminars.

Type of data

  • activity data
  • user data (user name, profile picture)
  • teledata and video data
  • contact data
  • meeting data (topic, participants’ IP addresses, device / hardware information)
  • user data (files for joint processing, chat data)

The legal basis for data processing when conducting “online meetings” is Art. 6 (1) b GDPR, insofar as the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Our legitimate interest is to effectively hold online meetings. 

Audio or video content is only recorded with your consent; you will be informed of this in advance in each case. The legal basis is Art. 6 (1) a GDPR.

Further information on the processing of personal data in Microsoft Teams can be found above or here:

docs.microsoft.com/de-de/microsoftteams/teams-privacy

In the following, we wish to inform you about the processing of personal data in connection with the use of “Zoom.” We use the tool “Zoom” to conduct administrative and faculty conference calls, online meetings, video conferences and/or webinars (hereafter “online meetings”). “Zoom” is a remote conferencing service provided by Zoom Video Communications, Inc., headquartered in San Jose, California, USA.

Zoom is also used at KLU to hold lectures for students. These are held as hybrid courses or pure online courses (hereafter “online courses”). 

The purpose of the data processing is the use of Zoom as a tool for collaboration within the scope of official activities at the university and for the fulfillment of university tasks (teaching, research and administration). Within the scope of the licenses provided, the use of Zoom for private purposes is not permitted.
No performance or behavioral monitoring takes place on the basis of your use of Zoom. Personal statistics are not compiled.

The settings selected for Zoom are intended to be privacy-friendly. For example, there is no attention tracking. As a rule, we do not record video conferences. For more information on lecture recording and mandatory attendance logging, see below. 

If you are registered as a “Zoom” user, reports on your online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, survey function in webinars) can be stored by “Zoom” for up to one month. 

If it is necessary for the purpose of logging the results of an online meeting, we log the chat content. However, this is not generally the case. 

If we plan to record online meetings or online courses, we will transparently communicate this to you in advance and ask for your consent. The fact that the meeting / course is being recorded will also be indicated to you in the “Zoom” app. 
For online courses, your consent will be asked for once before each course. If you do not consent to being recorded, you will unfortunately not be able to participate in online meetings or online courses that are to be recorded. 

In the case of webinars, we may also process the questions asked by webinar participants for recording and follow-up purposes. 

Zoom’s terms of use can be found here: https://explore.zoom.us/en/terms/.
Zoom’s privacy policy and other legal notices can be found here: https://explore.zoom.us/de/trust/ and here: https://zoom.us/docs/de-de/privacy-and-legal.html.
Information on Privacy Shield (guaranteeing the level of data protection when processing data in the USA) can be found here: https://www.privacyshield.gov/participant?id=a2zt00000008TN8AAM&status=Active.

General notes on permissible use

No content requiring high level of protection

No content requiring a high level of protection should be exchanged via this service. Use is explicitly prohibited if special categories of personal data are processed (“sensitive data,” e.g. health data).

Check the data privacy settings and environment before the meeting

Please also make sure that no unauthorized persons can watch the video conference and that smart devices, such as voice assistants like Alexa, Siri, etc. are either out of range or are deactivated in order to prevent unauthorized data processing or recording.

Hide your background

To protect your privacy, you can replace your background with an overlay.

Basic settings 

All meetings and teaching sessions start with the microphone turned off; participants must actively switch on their microphone. The insertion of email addresses in shared content as watermarks is prevented. A 6-digit numeric identifier code is set as the default access protection for all meetings; this code is included in the invitation link. 

Feedback messages to Zoom at the end of a meeting / course are disabled. Remote support and remote camera control are disabled.

General technical settings

Video data, audio data, presented content, and text messages in meetings are processed via the local infrastructure (Meeting Connector / Virtual Room Connector). 

Data transfers with other services

Data transfers with Office 365 are disabled. Use of a content delivery network (CDN) is enabled (Panopto).

Recording the content of meetings and courses

Automatic storing of chat communications and whiteboard content is disabled. Manual storing by the host is possible. 

The default settings in Zoom are defined so that automatic recording of meetings and courses is generally disabled. Recording can be activated by the host (optional). Recordings must respect the copyrights and personal rights of the persons concerned. 

Recordings are only made with the express consent of all participants concerned and only insofar as this is necessary for official purposes or for the completion of specific tasks. The recording party must obtain the consent of all participants in advance. 

Courses that are recorded are marked in advance with “(Recorded)” in the course catalog. Recorded courses can be accessed at any time at the Moodle learning portal (see below).

There is always a notification in the Zoom window when recording begins. In the Zoom app, the fact that the meeting / course is being recorded is indicated to participants by a red Record icon.

Recording is only done with the explicit consent of all participants. Persons who do not wish to be recorded can leave their camera and microphone turned off and log in under an alias instead of their real name.

Before recording begins, you can also decline recording by clicking “Leave Meeting.” You should do this promptly. If you do not leave the meeting, you will be recorded when recording starts.

Lecture recordings (online courses) are only temporarily stored in the Zoom Cloud. They are promptly transferred to Panopto (see below) and deleted from Zoom.

Storage of recordings

Recordings are stored temporarily on internal drives or data carriers. Recorded events are only stored at Panopto as long as this is necessary for the completion of the respective task and as long as there is no obligation to delete them.

Posting meetings on social media (YouTube, Facebook)

The default settings in Zoom are defined so that no automatic posting / sharing takes place.

What data is processed?

When you use “Zoom,” various types of data are processed. The scope of the data also depends on the data you provide before or when participating in an online meeting or online course. You can independently activate or deactivate your camera and microphone at any time or leave the meeting at any time.

To participate in an online meeting or to enter the “meeting room,” you must at least provide information about your name / alias.

When participating in an online course, your data is (partly automatically) transferred from Moodle.

Further information concerning data use on the part of Zoom can be found here: 
https://explore.zoom.us/de/privacy/

Logging user attendance

The setting “Users must register” creates an overview of all attendees, which can be viewed by the organizer. 

Fundamentally speaking, the attendance list may not be made available to the participants.

Data collection for the purpose of checking attendance or participation is permissible under data protection law if attendance is compulsory and proof of participation must be kept or provided. For student events, this condition is normally met by the examination and study regulations.

If data is only collected to prevent unauthorized use and to ensure that the session is conducted properly and without disruptions, the data must be deleted as soon as the event has ended, or as soon as the respective purpose has been achieved. 


Legal basis for data processing

The legal basis for data processing when conducting online meetings and online courses is Art. 6 (1) b GDPR if the meetings are conducted in the context of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Here, our legitimate interest is in effectively conducting online meetings and online courses.

If KLU employees’ personal data is processed, Section 26 BDSG is the legal basis for data processing. If, in connection with the use of “Zoom,” personal data is not required for the establishment, implementation or termination of the employment relationship, but is nevertheless an elementary component in the use of “Zoom,” then in keeping with Art. 6 (1) f GDPR, the legitimate interest provides the legal basis for data processing. 

In these cases, our interest is in effectively conducting online meetings and online courses.

If we plan to record online meetings or online courses, Art. 6 (1) a GDPR, your consent is usually the legal basis for processing. 

Automated decision-making as defined in Art. 22 GDPR is not employed.

Data recipients / data disclosure

Both “Zoom” and its subcontractors (see below) are necessarily receive made privy to the above-mentioned data insofar as this is provided for in the context of our commissioned processing agreement with “Zoom.”
Otherwise, personal data processed in connection with participation in online meetings and/or online courses is generally not disclosed to third parties, unless it is specifically intended for disclosure. Please note that content from online meetings or online courses, and from face-to-face meetings, is often intended precisely for the purpose of exchanging or passing on information.

Data processing outside the European Union

“Zoom” is a remote conferencing service based in San Jose, California, USA. As such, the processing of personal data also takes place in a “third country.” The transfer of personal data to a third country takes place exclusively for the following data category: processed metadata from meetings.

We have concluded a commissioned processing agreement with “Zoom” that complies with the requirements of Art. 28 GDPR. An adequate level of data protection is guaranteed by the conclusion of what are known as the “EU standard contractual clauses.”

A list of Zoom’s current subcontractors can be found here:

https://explore.zoom.us/en/subprocessors/.

Information on the processing of cookies can be found in Zoom’s cookie policy: https://explore.zoom.us/en/cookie-policy/.


Deletion of data and user accounts

As a rule, data is deleted as soon as the purpose of processing has been achieved and there are no retention requirements. A requirement may exist in particular if the data is still needed to fulfill contractual services, to check and grant or defend against warranty- and, if applicable, guarantee-based claims. In the case of statutory retention obligations, deletion will only be considered after expiry of the respective retention obligation.

Communication content is not stored beyond the communication itself. Communication-related metadata is deleted as soon as the storage is no longer required in order to provide or maintain the service. Deletion of data takes place 7 days after revocation of the consents required for publication and storage of the recording, or after there ceases to be a need to publish and store the recording. Locally stored recordings are deleted in keeping with their respective time limits. Locally stored chat messages will be deleted after 30 days.

If you are registered as a “Zoom” user, reports on your online meetings (meeting metadata, phone dial-in data, questions and answers in webinars, polling function in webinars) can be stored by Zoom for up to one month.
If you wish, you can delete your Zoom account yourself. You can find the necessary information here: 

https://support.zoom.us/hc/de/articles/201363243-Wie-k%C3%BCndige-ich-mein-Konto.

The account must be deleted as soon as the service is no longer required for the completion of the respective task, or at the latest when you leave KLU.

Your rights

For your data protection rights, see above.

Panopto is a complete system for recording, live streaming, editing, publishing, finding and managing video and audio content for study, teaching, continuing education and administration at KLU. Panopto’s support contributes to KLU’s fulfillment of the tasks assigned to it under Section § 111 of the Hamburg Higher Education Act (HmbHG). 

In particular, this consists in supporting and maintaining teaching operations at KLU’s faculties.
The central component of Panopto is a cloud-based web application in which video content recorded by users or on their behalf can be uploaded, edited, and shared with other users or the public. When integrated with the Moodle learning platform, recordings of events can be shared directly with the event participants.

Personal data is processed to provide the above functions and to ensure proper technical operation and system security. This includes in particular:

  • Master data: only for users with a user account (first and last name, email address, KLU username, rights, roles, group membership(s), status, department, institute, company, optional profile details, language settings, and approximate geographical location for the purpose of workload management between different server locations)
  • Connection- and content-related metadata (IP address, retrieved content and amount of data, time of access, action taken, referrer/exit URLs, device/hardware/browser information, performance data, and content metadata such as the video title, upload time, and author name)
  • Content data (text, audio and video content incl. interactive content and edits (e.g. cut marks, embedded quiz tests, chapter marks, and comments) and uploaded files (e.g. PDF attachments) 

Legal basis

The legal basis for the processing of KLU students’ personal data for the purpose of carrying out teaching, further education and other study-related activities is Art. 6 para. 1 lit. e GDPR, para. 3 in conjunction with. § 111 HmbHG. The legal basis for the processing of KLU employees’ personal data is § 26 BDSG.

When displaying Panopto content on public websites or in the case of restricted releases for external parties, connection-related and content-related metadata, which may contain personal data, is processed in order to ensure proper technical operation and system security. The legal basis for this processing is Art. 6 (1) f GDPR.

Data transfer

Because Panopto is a cloud service, the personal data mentioned under 2 above is transferred to the provider Panopto EMEA Limited and/or processed on its servers in Ireland. Panopto EMEA Limited is a British subsidiary of Panopto, Inc (USA). KLU has concluded a contract with Panopto EMEA Limited under a license agreement for commissioned processing pursuant to Art. 28 GDPR with EU standard data protection clauses.

In individual cases, data may also be transferred to third parties on the basis of legal permission, e.g. it may be transferred to law enforcement authorities for the investigation of criminal offenses.

Deletion of data

When users’ accounts are deleted by IT, their master data is as well.
Content data and the associated metadata (e.g. a video including description and comments) are deleted after 5 years. This does not apply to content in users’ personal folders, which is only deleted when the account is deleted.

Connection-related metadata is deleted as soon as the storage is no longer necessary in order to provide or maintain the service.

Your rights

For your data protection rights, see above. 

Fundamentally speaking, we collect and use the personal data of users of the electronic learning platform Moodle only to the extent necessary in order to establish a functional learning management system in the context of KLU’s educational activities.

When students use Moodle, their personal data is stored. This includes their name, university email address, the courses they attend, in what form they participate, and which functions they use. Performance results from courses (test results, etc.) are also stored.

Data processing on Moodle takes place for the following purposes:

  • Creating interactive learning units
  • Conducting e-learning courses
  • Automated performance assessment
  • Giving feedback on progress
  • Conducting electronic examinations

Legal basis

The legal basis for the processing of KLU students’ personal data for the purpose of carrying out teaching, further education and other study-related activities is Art. 6 para. 1 lit. e GDPR, para. 3 in conjunction with. § 111 HmbHG. The legal basis for the processing of KLU employees’ personal data is § 26 BDSG.

Data recipients / data disclosure

Personal data processed in connection with the use of Moodle is generally not disclosed to third parties unless it is specifically intended for disclosure. Please note that content from seminars and personal meetings is often used to exchange information with students, professors or third parties and is therefore intended for disclosure. As part of security audits, external parties may have access to records on the instruction and training students receive.


Deletion of data

Data on user activities is usually deleted manually at the beginning of a new semester. Courses that continue for two or more semesters are an exception. For this purpose, instructors receive specific training on handling the data. After exmatriculation, IT deletes the corresponding user account from the central directory service (Active Directory). Deleted accounts are automatically removed from Moodle.

Your rights

For your data protection rights, see above. 

At KLU, video systems are used to convey learning content and for access control. The video systems for conveying learning content are mainly operated in the lecture halls and classrooms and are used to convey learning and seminar content to students who are unable to attend in person. 

The video systems for access control are used to exercise domiciliary rights / enforce house rules, to protect property against theft or damage, to preserve evidence or facilitate criminal prosecution, and to safeguard our technical equipment and its continuing operation. The legal basis for this is Art. 6 (1) f GDPR. For cameras that record, the maximum recording duration is 72 hours; for pure surveillance cameras (monitoring), no recording takes place. The data is stored locally and not normally transferred to third parties; only in the context of criminal prosecutions are recordings made available to the public prosecutor’s office.

For the legal basis for video processing in connection with administrative and teaching activities, see above.

Your rights

For your data protection rights, see above.

We maintain publicly accessible profiles on social networks. Detailed information on the social networks we use can be found below. 

Links to our social media channels can be found on our website and can be recognized by the typical buttons. These buttons do not have a “share” or “like” function; they are simply graphics that link to our corresponding social media channels. When you click on one of these buttons, the respective channel is accessed. The respective social network is informed that you have visited our web pages using your IP address.

If you are logged into your account with this social network, it is possible for said network to associate your visit to our website with you and your user account. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by the social network. If you do not want the respective network to track you, you must log out of your social media account.

Social networks such as Facebook, Google+, etc. can generally analyze your user behavior extensively when you visit their website or a website with integrated social media content (e.g. “like” buttons or advertising banners). Visiting our social media channels triggers numerous processing operations relevant to data protection. In detail:

If you are logged into your social media account and visit one of our social media channels, the operator of the social media portal can track this visit to your user account. However, your personal data may also be collected under certain circumstances even if you are not logged in or do not have an account with the respective social media portal. In this case, data collection takes place e.g. via cookies that are stored on your end device or by recording your IP address.

With the help of the data collected in this manner, the operators of social media portals can create user profiles in which your preferences and interests are stored. In this way, they can show you interest-based advertising inside and outside the respective social media portal / network. Provided you have an account with the respective social network, this interest-based advertising may be displayed on all devices on which you are or were logged in.

Please also note that we cannot track all processing that takes place on social media portals. Accordingly, further processing operations may be carried out by the operators of these portals, depending on the provider. For details, please refer to the respective portal’s terms of use and data protection provisions.

Legal basis

Our social media channels are intended to ensure the most comprehensive presence possible on the Internet. This constitutes a legitimate interest as defined in Art. 6 (1) f DSGVO. The analytic processes initiated by social networks may draw on other legal bases, which are to be specified by the operators of the social networks (e.g. consent in keeping with Art. 6 (1) a DSGVO).

Responsible party and assertion of rights

If you visit one of our social media sites (e.g. our Facebook page), we and the operator of the social media platform are jointly responsible for the data processing operations triggered by your visit. Fundamentally speaking, you can assert your rights (the right to information, correction, deletion, restriction of processing, data portability and complaint) both towards us and towards the operator of the respective social media portal (e.g. Facebook).
Please note that, despite our joint responsibility with the social media portal operators, we cannot fully influence the data processing operations of said portals. Our options are largely determined by the respective provider’s corporate policy.

Storage period

Data that we collect directly via our social media presence is deleted from our systems as soon as the purpose for storing it no longer applies, you request us to delete it, or you revoke your consent to store it. Stored cookies will remain on your end-user device until you delete them. Mandatory legal provisions - in particular retention periods - remain unaffected.

We have no influence on the storage period of your data when it is stored by the operators of social networks for their own purposes. For details, please contact the operators of the social networks directly.


Links to Xing

Links to the social network Xing are integrated into our website: https://www.xing.com/pages/kuhnelogisticsuniversity 

The provider is XING AG, Dammtorstraße 30, 20354 Hamburg, Germany. You can recognize the link by the Xing logo on our site. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by Xing. If you do not want Xing to track you, you must log out of your Xing account. For more information, please see Xing’s privacy policy at: https://privacy.xing.com/.


Links to LinkedIn

Links to the social network LinkedIn are integrated into our website: https://www.linkedin.com/school/kuehne-logistics-university/ 

The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. You can recognize the link by the LinkedIn logo on our site. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by LinkedIn. If you do not want LinkedIn to track you, you must log out of your LinkedIn account. You can find more information on this in LinkedIn’s privacy policy at: https://www.linkedin.com/legal/privacy-policy.

Links to Facebook

Links to the social network Facebook are integrated into our website: https://www.facebook.com/kuehnelogisticsuniversity/ 

The provider is Meta Platforms Inc, 1 Hacker Way, Menlo Park, California 94025, USA. You can recognize the link by the Facebook logo on our site. You can find an overview of the Facebook plugins here: http://developers.facebook.com/docs/plugins/. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by Facebook. For more information, please refer to Facebook’s privacy policy at http://facebook.com/policy.php.
If you do not want Facebook to be able to associate your visit to our pages with your Facebook user account, please log out of your Facebook account.


Links to YouTube

Links to the social network YouTube are integrated into our website: https://www.youtube.com/user/KLUHamburg 

The provider is YouTube, LLC, 901 Cherry Ave, San Bruno, CA 94066, USA. You can recognize the link by the YouTube logo on our site. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by YouTube. If you do not want YouTube to track you, you must log out of your YouTube account. For more information on the handling of user data, please refer to YouTube’s privacy policy at: https://policies.google.com/privacy and here https://support.google.com/youtube/answer/2801895.

Links to Instagram 

Links to the social network Instagram are integrated into our website: https://www.instagram.com/kuehnelogisticsuniversity/

The provider is Instagram Inc, 1601 Willow Road, Menlo Park, CA 94025, USA. You can recognize the link by the Instagram logo on our site. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by Instagram. If you do not want Instagram to track you, you must log out of your Instagram account. For more information, please see Instagram’s privacy policy at: https://instagram.com/about/legal/privacy/.


Links to Twitter 

Links to the social network Twitter are integrated into our website: https://twitter.com/the_klu

The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You can recognize the link by the Twitter logo on our site. By using Twitter and the “Re-Tweet” function, the websites you visit are linked to your Twitter account and visible for other users. In the process, certain data is also transferred to Twitter. We would like to point out that we, as the provider of the pages, have no knowledge of the nature of the data transmitted or how it is used by Twitter. For more information, please refer to Twitter’s privacy policy at: https://twitter.com/privacy. You can independently change your privacy settings on Twitter in the account settings at: https://twitter.com/personalization.

Using Credly

A certificate issued by Credly is a digital representation of a learning outcome, experience or competence. The digital Credly certificates (“Badges”) can easily and reliably be verified online. The Badges are linked to metadata that include the context and verification. Badges can be exchanged on the Internet to ensure maximum visibility and recognition. In addition to the image / graphic, they contain further information on the skills you acquired in the respective training measure. As such, they allow you to provide further information on your abilities and expertise to interested persons, coworkers and companies (e.g. Human Resources), e.g. on Social Media channels.

KLU awards Credly Badges for the completion of certain training measures, confirming your participation and newly acquired skills. If you are issued a Badge following a training, you will receive an email notification from Credly with instruction on how to request / accept your Badge and how to set up your own Credly account. 

Doing so gives you an uncomplicated way to manage the training courses you’ve attended, to share your new skills, and to verify your achievements. There are no costs for you in connection with the Badge.

The Badges are provided by Credly (formerly Acclaim), a product of Pearson, 80 Strand, London, WC2R 0RL, United Kingdom. In terms of applicable data security legislation, KLU’s use of Credly is based on its contractual or contract-like relation with you as defined in Art. 6 (1) b GDPR.

You can configure any and all of your personal information and access credentials using your Credly account. You have complete control over this information. If you prefer your certifications or profile to not be publicly visible, you can restrict access by classifying them as private.

Your data is provided to Credly on the basis of a Data Processing Agreement (DPA with SCC). In connection with technical data processing, this includes the transfer of your data to non-EU countries. You can find information on all legal and data protection aspects of using Credly here: info.credly.com/legal. The relevant DPA can be found here: info.credly.com/data-protection-agreement.

Diese Informationen stehen Ihnen auch in Deutsch zur Verfügung.

Deutsche Informationen