Legal Notice

Bucerius Law School
Hochschule für Rechtswissenschaft gemeinnützige GmbH
Bucerius Law School
Jungiusstraße 6
20355 Hamburg
Germany

Tel.: +49 (0) 40 3 07 06 – 0
Fax: +49 (0) 40 3 07 06 – 145
E-Mail: info(at)law-school.de 

President
Professor Dr. Michael Grünberger

CEO
Meinhard Weizmann, Benedikt Landgrebe

Chair of the Supervisory Board
Professor Dr. Michael Göring

Registered at
Freie und Hansestadt Hamburg
Amtsgericht Hamburg
HRB 75325
Tax ID: 17/424/06683
VAT-ID: DE212998891

1. Preamble

Bucerius Law School, University of Legal Sciences, a non-profit GmbH (“the University”) operates a website at the internet address www.law-school.de, where it provides information about its academic activities, study opportunities, and corresponding application processes. Part of this website consists of an online platform, the so-called "Application Portal," through which prospective students can apply for law studies. With this Privacy Policy, we want to inform whether and how personal data are processed on the website and in the Bucerius Law School's Application Portal.

1.1 Responsible Entity and Data Protection Officer

The responsible entity is:
Bucerius Law School
University of Legal Sciences gGmbH
Jungiusstraße 6
20355 Hamburg
Data Protection Officer for Bucerius Law School is:
Dr. Uwe Nolte
E-mail: datenschutz(at)law-school.de

1.2 Personal Data

Personal data refers to individual details about personal or factual circumstances of a specific or identifiable natural person. This includes information such as your name, address, phone number, and date of birth. Information that is not directly associated with your real identity - such as favorite websites or the number of users of a site - is not considered personal data.

1.3 Use of Personal Data; Processing of Order Data

We assure you that all personal data will be treated confidentially at the University, and we will comply with the relevant legal provisions, particularly the Federal Data Protection Act and the Telemedia Act, in processing and using data.
The data necessary for transaction processing are stored and processed by us. The processing serves, in particular, the preparation and execution of the application process as well as events.

Furthermore, we use your personal data for communication with you, as long as you have registered for the application process for law studies or an event.
Any further use of your data will only take place if you have given your consent. This concerns, for example, data processing for marketing purposes or the transmission of your data to other students.

In the course of processing and using personal data, we sometimes use service providers who, on our instruction, carry out processing and use operations technically or assist us in this regard. The service providers are obligated to comply with legal data protection regulations to the same extent as the University and also treat personal data confidentially; the legal provisions on processing of order data, in particular, the conclusion of a corresponding agreement and the monitoring of service providers, are ensured.

1.4 Routine Deletion and Blocking of Personal Data

We process and store personal data only for the period required to achieve the purpose or as provided by a legislator in laws or regulations to which the responsible party is subject. If the processing purpose ceases to exist or a prescribed storage period expires, the personal data are routinely blocked or deleted in accordance with legal provisions.
Personal data in our Application Portal will be deleted no later than six months after the application deadline, unless it concerns individuals who have deferred their study place offer for one year.

2. Data Processing on Our Website

Your data are collected partly by you providing them to us. This can be data that you enter into a contact form, for example.
Other data are collected automatically when you visit the website by our IT systems. These are primarily technical data (e.g., Internet browser, operating system, or the time of the page request). This data is collected automatically as soon as you enter our website.

Part of the data is collected to ensure error-free provision of the website. Other data may be used to analyze your usage behavior.
When visiting our website, your surfing behavior may be statistically analyzed. This is primarily done using so-called cookies and analytics programs. The analysis of your surfing behavior is generally anonymous; the surfing behavior cannot be traced back to you. You can object to this analysis or prevent it by not using certain tools. Detailed information can be found in the following privacy policy.

You can object to this analysis. We will inform you about the objection options in this privacy policy.

2.1 Web Hosting

To securely and efficiently provide our online offerings, we use hosting services from jweiland.net (Echterdinger Straße 57, 70794 Filderstadt near Stuttgart). For these purposes, we utilize infrastructure and platform services, computing capacity, storage space, and database services, as well as security and technical maintenance services. The legal basis is our legitimate interest according to Art. 6 (1) f GDPR.

Data processed in the course of providing hosting may include all information concerning the users of our website that accrues during use and communication. This typically includes the IP address necessary to enable communication on the Internet, and all inputs made within our online offerings or websites, such as inquiries.

We reserve the right to retrospectively check log data if there is a legitimate suspicion of unlawful use based on concrete evidence. We store IP addresses in log files for a limited period if necessary for security purposes, or for providing or billing services, e.g., if you use one of our offers.

2.2 Server Log Files

The provider of the pages automatically collects and stores information in so-called server log files, which your browser automatically transmits to us. These include:

• Name and URL of the retrieved file
• Date and time of retrieval
• Transferred data volume
• Notification of successful retrieval (HTTP response code)
• Browser type and version
• Operating system
• Referrer URL (i.e., the previously visited page)
• Websites accessed by the user's system via our website
• Internet Service Provider of the users
• IP address and the requesting provider

The basis for data processing is our legitimate interest according to Art. 6 (1) f GDPR. We use these log data without assignment to your person or other profiling for statistical evaluations for the purpose of operation, security, and optimization of our online offerings, but also for anonymous recording of the number of visitors to our website and the extent and type of usage of our website and services, as well as for billing purposes, to measure the number of "clicks" received from cooperation partners. Based on this information, we can provide personalized and location-based content, analyze data traffic, find and fix errors, and improve our services.

2.3 SSL or TLS Encryption

For security reasons and to protect the transmission of confidential content, such as orders or inquiries that you send to us as the site operator, this page uses SSL or TLS encryption. You can recognize an encrypted connection by the change in the browser's address line from "http://" to "https://," and by the lock symbol in your browser line. When SSL or TLS encryption is activated, the data you transmit to us cannot be read by third parties.

2.4 Contacting Us

If you contact us (e.g., by mail or printed media, email, contact forms, electronic text messages, chat, telephone, personal contact, etc.), the personal data transmitted by you will be stored by us. We process these data to handle your concern. We will not share this data without your consent. The processing of the above personal data is based on your consent (Art. 6 (1) a GDPR). You can revoke this consent at any time. An informal email to us is sufficient for this purpose. The legality of the data processing operations carried out until the revocation remains unaffected by the revocation.

The data you transmit when contacting us will remain with us until you request deletion, revoke your consent to storage, or the purpose for data storage no longer applies (e.g., after completed processing of your request). Mandatory statutory provisions - especially retention periods - remain unaffected.

2.5 Registration and Personal Data Collected for Ordering

With registration in the application portal, personal data such as salutation, first name, last name, address, postal code, city, email address, connection data (e.g., IP address), and telephone number are collected to properly offer and perform our services. If, in addition to the mandatory data, additional data can be provided, such entries are voluntary. Mandatory fields are marked as such.
The use of some of our offers, especially the application portal, requires that you assign a personal password. This password must be kept secret by you; it can be changed at your request.

2.6 Application and Selection Process

On our website, you can apply for a study place at the university (https://www.law-school.de/studium/jurastudium/online-bewerbung/registrierung). During registration in the application portal, your first name, last name, email address, and password are processed to carry out the registration.

After registration, you can log in to the application system, fill out your application form, and upload documents. In the context of your application for a study place at Bucerius Law School, we process the personal data that we need from you as part of the application process:

(1) Email address,
(2) First and last name,
(3) Address,
(4) Place and date of birth,
(5) Nationality,
(6) Details on university entrance qualification,
(7) Existence of other access requirements,
(8) Information on discrimination characteristics (voluntary),
(9) Typical information on motivation, interests, and career path during application and selection interviews (partially voluntary),
(10) Desired start of studies.

Your personal data is generally collected directly from you. In specific situations, e.g., when verifying provided information, your personal data may also be processed by other entities.
For conducting the selection process, your personal data will be transferred to the Institute for Test and Talent Research (ITB), which conducts the written and oral selection process on behalf of the university. The results determined by the ITB are sent to the university and incorporated into the selection process.

Various form generators (e.g., WuFoo, see below) are used for the application process on the website. The application process is managed via Salesforce on the English-language page of the university (see also below about Salesforce).

The processing of your aforementioned personal data serves to verify whether you meet the legally prescribed and other requirements for studying at Bucerius Law School and to further process your application, inform you about the progress and outcome of the application process, and enable the possible conclusion of a study contract.

Some of your data will also be processed in anonymized form for statistical purposes. Other individuals (e.g., students of the university) will only receive your data (especially contact details) from us with your consent.

You will receive comprehensive information on the processing of employee or student data during employment or studies upon contract conclusion.

2.7 Use of Cookies

Our websites use so-called cookies. Cookies are text files that the provider of a website stores on your computer and can retrieve when you visit the website again to facilitate navigation on the Internet or transactions, or to obtain information about usage behavior. Cookies do no harm to your computer and contain no viruses. Cookies make our offer more user-friendly, effective, and secure. Most of the cookies we use are called "session cookies." They are automatically deleted after your visit. Other cookies remain stored on your device until you delete them. These cookies enable us to recognize your browser on your next visit.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for specific cases or in general, and activate the automatic deletion of cookies when closing the browser. The legal basis for this is your consent according to Art. 6 (1) a GDPR. If you deactivate cookies, the functionality of this website may be limited.

Cookies required for the electronic communication process or the provision of specific functions desired by you (e.g., shopping cart function) are stored based on Art. 6 (1) f GDPR. Website operators have a legitimate interest in storing cookies for technically error-free and optimized provision of their services. If other cookies (e.g., cookies to analyze your surfing behavior) are stored, they will be treated separately in this privacy policy.

General information on revocation and objection (Opt-Out): Depending on whether the processing is based on consent or legal permission, you have the opportunity at any time to revoke your consent or object to the processing of your data by cookie technologies (collectively referred to as "Opt-Out"). You can initially declare your objection using your browser settings, e.g., by disabling the use of cookies (this may also limit the functionality of our online offer). An objection to the use of cookies for online marketing purposes can also be declared via a variety of services, especially in the case of tracking, through the websites optout.aboutads.info and www.youronlinechoices.com. You can also receive additional objection notices within the information provided about the service providers and cookies used.

You can also prevent the collection and processing of your data by deactivating the execution of script code in your browser or installing a script blocker in your browser (you can find this, e.g., at www.noscript.net or www.ghostery.com).

2.7.1 PX-Cookie-Consent-Tool

This site uses a Cookie Consent Tool provided by PHORAX, Buttstraße 4, 22767 Hamburg. The Consent Tool is used to display a notice box for the notice on the use of cookies and their setting options. The use of the Cookie Consent Tool is in the interest of a uniform and appealing presentation of our online offer and the legally required setting options for consent-required cookies. The use of the tool constitutes a legitimate interest within the meaning of Art. 6 (1) f GDPR.

You can prevent the collection and processing of your data by the Cookie Consent Tool by deactivating the execution of script code in your browser or installing a script blocker in your browser (you can find this, e.g., at www.noscript.net or www.ghostery.com).

2.8 Social Media

We maintain publicly accessible profiles in social networks. You can find the social networks we use further below.

Our website contains links to our social media presences. You can recognize the links by the typical buttons. These buttons do not have a "Share" or "Like" function but are only graphics that link to our corresponding social media channel. If you click on one of these buttons, the respective social media channel is called up, and the social network is informed that you have visited our website with your IP address.

Social networks like Facebook, Instagram, LinkedIn, etc., can usually analyze your usage behavior extensively when you visit their website or a website with integrated social media content (e.g., Like buttons or advertising banners). By visiting our social media presences, numerous data protection-relevant processing operations are triggered. We point out that we, as the provider of the pages, have no knowledge of the content of the transmitted data or their use by the network operators.

If you are logged into your social media account and visit our channels, the operator of the social media portal can assign this visit to your account. If you do not want the network to associate you with the visit, you must log out of your social media account.

Your personal data may also be collected under certain circumstances even if you are not logged in or do not have an account with the respective social media portal.

2.8.1 Legal Basis

Our social media appearances are intended to ensure the most comprehensive presence possible on the internet. This is a legitimate interest within the meaning of Art. 6 (1) f GDPR. The analysis processes initiated by the social networks may be based on different legal foundations, which must be specified by the operators of the social networks (e.g. consent within the meaning of Art. 6 (1) a GDPR).

2.8.2 Responsible Party and Assertion of Rights

When you visit one of our social media sites (e.g., Facebook), we are jointly responsible with the operator of the social media platform for the data processing operations triggered during this visit. You can assert your rights (information, correction, deletion, restriction of processing, data transferability, and complaint) in principle both against us and against the operator of the respective social media portal (e.g., Facebook).

Please note that despite the joint responsibility with the social media portal operators, we do not have full influence on the data processing operations of the social media portals. Our options are significantly determined by the corporate policy of the respective provider.

2.8.3 Storage Duration

The data collected directly by us via the social media presence will be deleted from our systems as soon as the purpose for their storage lapses, you request us to delete them, or you revoke your consent to storage. Stored cookies remain on your device until you delete them. Mandatory legal provisions – especially retention periods – remain unaffected.

We have no influence on the storage duration of your data, which is stored by the operators of social networks for their own purposes. For details, please consult the operators of the social networks directly.

2.8.4 Links to LinkedIn

Our website integrates links to the social network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. You recognize the link by the LinkedIn logo.

We point out that as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by LinkedIn. If you do not want LinkedIn to associate it, you must log out of your LinkedIn account.

For more information, please see LinkedIn's privacy policy at: www.linkedin.com/legal/privacy-policy.

2.8.5 Links to Facebook

Our website integrates links to the social network Facebook. The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. You recognize the link by the Facebook logo on our page. An overview of Facebook plugins can be found here: developers.facebook.com/docs/plugins/.

We point out that as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by Facebook. Further information can be found in Facebook's privacy policy at de-de.facebook.com/policy.php.

If you do not wish Facebook to associate your visit to our pages with your Facebook account, please log out of your Facebook account.

2.8.6 Links to YouTube

Our website integrates links to the social network YouTube. The provider is YouTube, LLC, 901 Cherry Ave., San Bruno, CA 94066, USA. You recognize the link by the YouTube logo on our page.

We point out that as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by YouTube. If you do not want YouTube to associate it, you must log out of your YouTube account.

Further information on the handling of usage data can be found in YouTube's privacy policy at: policies.google.com/privacy and here support.google.com/youtube/answer/2801895.

2.8.7 Links to Instagram

Our website includes links to the social network Instagram. The provider is Instagram Inc., 1601 Willow Road, Menlo Park, CA 94025, USA. You recognize the link by the Instagram logo on our page.

We point out that as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by Instagram. If you do not want Instagram to associate it, you must log out of your Instagram account.

Further information can be found in Instagram's privacy policy: instagram.com/about/legal/privacy/.

2.8.8 Links to Twitter

Our website includes links to the social network Twitter. The provider is Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. You recognize the link by the Twitter logo on our page.

We point out that as the provider of the pages, we have no knowledge of the content of the transmitted data or their use by Twitter. If you do not want Twitter to associate it, you must log out of your Twitter account.

Further information can be found in Twitter's privacy policy at: twitter.com/de/privacy.

2.8.9 Walls.io

We have integrated components from Walls.io on our website. Walls.io is a service of Walls.io GmbH and offers us the opportunity to aggregate content from various social media platforms and present it on our website.

When you access this content, you establish a connection to the servers of Walls.io GmbH, Andreasgasse 6/1, 1070 Vienna, Austria, transmitting your IP address and possibly browser data such as your user agent. This data is processed exclusively for the purposes mentioned above and to maintain the security and functionality of Walls.io.

The use of the service is based on our legitimate interests, i.e., an interest in platform-independent provision of content according to Art. 6 (1) f GDPR.

The specific storage duration of the processed data is not influenced by us but is determined by Walls.io GmbH. Further information can be found in the privacy policy for Walls.io: walls.io/privacy.

2.9 Privacy Notices Regarding Our Facebook Profile

We have a profile on Facebook: www.facebook.com/buceriuslawschool
The provider is Facebook Inc., 1 Hacker Way, Menlo Park, California 94025, USA. We have entered into an agreement with Facebook regarding joint processing (Controller Addendum). This agreement defines which data processing operations we or Facebook are responsible for when you visit our Facebook Page. You can view this agreement at the following link: www.facebook.com/legal/terms/page_controller_addendum.

You can adjust your advertising settings independently in your user account. Click on the following link and log in: www.facebook.com/settings. Details can be found in Facebook's privacy policy: www.facebook.com/about/privacy/.

2.9.1 Information on the Use of Facebook Fanpage INSIGHTS

Facebook Ireland Ltd ("Facebook") provides us as a Facebook Fanpage operator with so-called "Facebook Insights" ("Insights"). Insights are various statistics that provide us with information about the use of our Facebook Fanpage. Detailed information on this and which data processing takes place can be found at www.facebook.com/business/a/page/page-insights and www.facebook.com/legal/terms/information_about_page_insights_data

We process the Facebook Fanpage Insights data based on our legitimate interest in evaluating the activities on our Fanpage and our marketing measures (advertisements, campaigns, postings); Article 6 (1) f DSGVO.
The legal bases and purposes of processing by Facebook Ireland can be found here Facebook Fanpages and Insights – the answers, www.facebook.com/about/privacy/legal_bases, and www.facebook.com/policy.php
Facebook Fanpage Insights may be based on personal data collected in connection with a visit or interaction of people on or with our Facebook Fanpage and its content, so that personal data may also be processed by Facebook. You are not legally obliged to provide your personal data. However, the provision may be necessary for a contract or for functions of the Facebook Fanpage. Therefore, a contract or a function on the Facebook Fanpage may not be offered if not provided.

2.9.2 Joint Responsibility

The essential information of the agreement concluded between us and Facebook according to Article 26 of the General Data Protection Regulation can be found here: www.facebook.com/legal/terms/page_controller_addendum
Jointly responsible for processing Facebook Fanpage Insights are:
Facebook Ireland Ltd.

2.10 Analysis Tools and Advertising

2.10.1 Google Tag Manager

This website uses the "Google Tag Manager" service. The Tag Manager is a tool for managing so-called tags, which are used in tracking in online marketing. The Tag Manager is a cookie-less domain and does not process any personal data itself; it is used solely to manage other services, e.g., Google Analytics, etc. If you have deactivated at the domain or cookie level, this will remain in effect for all tracking tags implemented with Google Tag Manager. The use of Google Tag Manager is based on Art. 6 (1) a GDPR; consent can be revoked at any time.
Further information on the Tag Manager can be found at: marketingplatform.google.com/intl/de/about/analytics/tag-manager/use-policy/

2.10.2 Google Analytics

This website uses features of the web analytics service Google Analytics. The provider is Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google Analytics uses so-called "cookies." These are text files stored on your computer that enable an analysis of your use of the website. The information generated by the cookie about your use of this website is usually transferred to a Google server in the USA and stored there.
The storage of Google Analytics cookies is based on Art. 6 (1) a GDPR; consent can be revoked at any time.
IP Anonymization

We have activated the IP anonymization function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transferred to a Google server in the USA and shortened there. On behalf of the operator of this website, Google will use this information to evaluate your use of the website, to compile reports on website activity, and to provide other services related to website use and internet use to the website operator. The IP address transmitted by your browser as part of Google Analytics will not be merged with other data from Google.
Browser Plugin

You can prevent the storage of cookies by setting your browser software accordingly; however, we would like to point out that in this case, you may not be able to use all functions of this website to their full extent. You can also prevent Google from collecting and processing the data generated by the cookie and related to your use of the website (including your IP address) by downloading and installing the browser plugin available at the following link: tools.google.com/dlpage/gaoptout.
Objection to Data CollectionYou can prevent your data from being collected by Google Analytics by setting this in the Cookie Consent Manager or by clicking on the following link. An opt-out cookie will be set that prevents the collection of your data on future visits to this website: Disable Google Analytics.
For more information on how Google Analytics handles user data, please refer to Google's privacy policy: support.google.com/analytics/answer/6004245.
Order Data Processing

We have concluded a contract with Google for order data processing and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Demographic Features in Google Analytics
This website uses the "demographic features" function of Google Analytics. This allows reports to be created that contain statements about age, gender, and interests of site visitors. These data come from interest-based advertising by Google as well as from visitor data from third-party providers. These data cannot be assigned to a specific person. You can deactivate this function at any time via the ad settings in your Google account or generally prohibit the collection of your data by Google Analytics as described in the item "Objection to data collection."

2.10.3 DoubleClick

This website uses Google's DoubleClick service. This service uses cookies to show you advertisements relevant to you. This is done using a pseudonymous identification number (p-ID), which is assigned to your browser. Through this p-ID, the service can recognize which advertisements have already been displayed to you and which have been accessed. The cookies used do not contain any personal data.

The cookies serve to display advertisements across websites by enabling Google to identify the pages you have visited. The information generated by the cookies is transferred by Google to a server in the USA for evaluation and stored there. Google only transfers data to third parties due to legal regulations or within the framework of order data processing. Google will not combine your data with other data collected by Google.

2.10.3 DoubleClick

This website utilizes the DoubleClick service provided by Google. This service uses cookies to show you relevant advertisements. This is done through a pseudonymous identification number (p-ID) that is assigned to your browser. Through this p-ID, the service can recognize which ads have been displayed to you and which have been accessed. The cookies used do not contain any personal data. Rather, the cookies serve to place advertisements across websites by enabling Google to identify the pages you have visited. The information generated by the cookies is transmitted to a server in the USA by Google for evaluation and storage.

Data will only be transferred to third parties by Google due to legal requirements or within the scope of order data processing. Under no circumstances will Google combine your data with other data collected by Google.

The use of this service is based on Article 6(1)(a) of the GDPR; consent can be revoked at any time. You can prevent the use of cookies by making the appropriate settings in your browser. However, such a setting may lead to the website not being fully functional.

Further information on data protection at Google can be found here: policies.google.com/technologies/ads

To prevent the execution of JavaScript code from DoubleClick altogether, you can install a JavaScript blocker (e.g., www.noscript.net or www.ghostery.com).

2.10.4 Google Conversion Tracking

This website uses Google Conversion Tracking, an analysis service provided by Google Inc. ("Google"). Google AdWords sets a cookie with a lifespan of 30 days on your computer if you arrived at this website via a Google advertisement. The information collected through the cookie allows AdWords customers to create conversion statistics. AdWords customers can thus determine the total number of users who have clicked on their advertisement and were redirected to a page tagged with a Conversion Tracking Tag. However, they do not receive any information that allows users to be personally identified. If you wish to prevent the tracking process, you can block or reject cookies from the domain googleadservices.com in your browser.

2.10.5 Google Remarketing

This website uses the Remarketing feature within the Google AdWords service, a service provided by Google Inc. ("Google"). Google Remarketing is a technology that allows individuals who have previously visited this website to be targeted again with advertisements on this website and on other websites within the Google Display Network (on Google itself, so-called "Google Ads" or on other websites).

The display of the ads is done by reading cookies (third-party DoubleClick cookies) set during the first visit to the website. The cookies are used to uniquely identify a web browser on a specific computer and not to identify a person. Personal data is not stored. If you do not wish to receive interest-based advertising, you can manage cookies for these purposes in the Ad Preferences Manager or deactivate them through the deactivation page of the NAI (Network Advertising Initiative). Further information can be found in Google's privacy policy policies.google.com/privacy.

2.10.6 Hotjar

This website uses Hotjar. The provider is Hotjar Ltd., Level 2, St Julians Business Centre, 3, Elia Zammit Street, St Julians STJ 1000, Malta, Europe (Website: www.hotjar.com). Hotjar is a tool for analyzing your user behavior on our website. With Hotjar, we can record, among other things, your mouse and scroll movements and clicks. Hotjar can also determine how long you have lingered with the cursor at a particular spot. From this information, Hotjar creates so-called heat maps that show which areas of the website are preferably viewed by website visitors. Hotjar uses cookies for this purpose.

Furthermore, we can determine how long you stayed on a page and when you left it. We can also determine at what point you have abandoned your entries in a contact form (so-called conversion funnels). In addition, direct feedback from website visitors can be obtained with Hotjar. This function serves to improve the web offers of the website operator.

The use of Hotjar and the storage of Hotjar cookies are based on Art. 6 (1) f DSGVO. The website operator has a legitimate interest in analyzing user behavior to optimize both its web offering and its advertising.

If you wish to deactivate data collection by Hotjar, click on the following link and follow the instructions there: www.hotjar.com/opt-out. Please note that Hotjar deactivation must be carried out separately for each browser or device.

More information about Hotjar and the data collected can be found in Hotjar's privacy policy at the following link: www.hotjar.com/privacy. We have entered into a contract for order processing with Hotjar to implement strict European data protection regulations.

2.10.7 LinkedIn Insight Tags

We use Insight Tags from the social network LinkedIn on our site. This is offered by LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA (hereinafter "LinkedIn"). LinkedIn Insight Tags are snippets of JavaScript code that have been integrated into our website. The so-called Insight Tags enable us to analyze our web presence on our website. The collected data is anonymized. We use LinkedIn Insight Tags to design our website according to demand and promote it (legitimate interest according to Art. 6 (1) f DSGVO).

You can prevent the execution of the JavaScript code required for LinkedIn Insight Tags by adjusting the settings of your browser. To prevent the execution of JavaScript code altogether, you can also install a JavaScript blocker, such as the browser plugin NoScript (www.noscript.net) or Ghostery (www.ghostery.com).

More information on handling user data can be found in LinkedIn's privacy policy at www.linkedin.com/legal/privacy-policy.

2.10.8 Facebook Pixel, Custom Audiences, and Facebook Conversion

Within our online offering, the so-called "Facebook Pixel" of the social network Facebook, operated by Facebook Inc., 1 Hacker Way, Menlo Park, CA 94025, USA, or if you are resident in the EU, Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"), is used due to our legitimate interests in the analysis, optimization, and economic operation of our online offering.

With the help of the Facebook Pixel, Facebook can determine our online offering's visitors as the target audience for displaying advertisements (so-called "Facebook Ads"). Accordingly, we use the Facebook Pixel to show our Facebook Ads only to Facebook users who have shown interest in our online offering or who exhibit certain characteristics (e.g., interest in specific topics or products determined by the visited websites), which we transmit to Facebook (so-called "Custom Audiences"). With the Facebook Pixel's help, we also want to ensure that our Facebook Ads correspond to users' potential interest and do not appear annoying.

Such evaluation occurs especially (even for non-logged-in users without a corresponding account) to provide demand-based advertising and inform other social network users about your activities on our website. With the Facebook Pixel's help, we can also track the effectiveness of Facebook ads for statistical and market research purposes by seeing whether users were redirected to our website after clicking on a Facebook ad (so-called "Conversion").

The data processing by Facebook is carried out within the framework of Facebook's Data Use Policy. Accordingly, general notes on displaying Facebook Ads can be found in Facebook's Data Use Policy: www.facebook.com/policy. Specific information and details about the Facebook Pixel and how it works can be found in Facebook's help section: www.facebook.com/business/help/651294705016616.

2.11 YouTube Videos

Our website also embeds videos from the YouTube platform. YouTube is operated by YouTube LLC., 901 Cherry Ave., San Bruno, CA 94066, USA; YouTube is a subsidiary of Google Inc. If you activate the playback of YouTube content, YouTube/Google will receive the information that you have accessed the corresponding subpage of our website. If you are logged into Google, this data will be directly associated with your account. If you do not want the association with your profile on YouTube, you must log out before activating the button. YouTube/Google also stores data even if you do not have a Google account, including: IP address, search queries, browser, and operating system version.

YouTube/Google stores this data as user profiles and uses them for advertising, market research, and/or needs-based design of its website. Such evaluation is carried out in particular (even for non-logged-in users without a corresponding account) to provide needs-based advertising and to inform other users of the social network about your activities on our website.
The use of YouTube is in the interest of an attractive presentation of our online offers. This represents a legitimate interest within the meaning of Art. 6 (1) f GDPR. If appropriate consent has been obtained, processing will be carried out exclusively on the basis of Art. 6 (1) a GDPR; consent may be revoked at any time.

Further information on data processing and privacy notes by YouTube/Google can be found at: policies.google.com/technologies/product-privacy and www.google.de/intl/en/policies/privacy.
The information collected by YouTube may be fully or partially sent to a server in the USA and stored there. To ensure an adequate level of data protection, so-called standard contractual clauses have been concluded in accordance with Art. 46 GDPR. Further information can be found here: ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en

2.12 Newsletter (Campaign Monitor and Mailchimp)

On our website, you have the option to subscribe to newsletters. To receive our newsletters, we need your email address and possibly additional mandatory information (name, institution, position in the company), which are marked.

To verify that you are the owner of the email address and agree to receive the newsletter, you will receive a confirmation email in which you must click a link to definitively receive the newsletter.
The newsletter is sent via "Campaign Monitor" or "Mailchimp." Data processing is based on your consent (Art. 6 (1) a GDPR). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations already carried out remains unaffected by the revocation.

The newsletter subscription can be revoked at any time. For this purpose, a corresponding link to unsubscribe from the newsletter can be found in every newsletter. If the newsletter subscription is lawfully revoked, your personal data collected during the registration process will subsequently be deleted.

With the help of the newsletter tools used, we can analyze our newsletter campaigns. When you open a newsletter, a file contained in the email (so-called web beacon) connects to the newsletter provider's servers in the USA. This can determine whether a newsletter message has been opened and which links have been clicked on, if any. Although this information can be technically assigned to individual newsletter recipients, it is not our intention to monitor individual users. The evaluations help us recognize the reading habits of our users and adapt our content to them, or send different content according to the interests of our users.

In addition, technical information is collected (e.g., time of retrieval, IP address, browser type, and operating system). These pieces of information cannot be assigned to the respective newsletter recipient. They are used solely for statistical analysis of newsletter campaigns. This information is used to technically improve the services based on the technical data or the target groups and their reading behavior based on their access locations (which can be determined using the IP address) or access times.
If you do not want analysis by the newsletter tools, you must unsubscribe from the newsletter. We provide a corresponding link in each newsletter message for this purpose. Furthermore, you can unsubscribe from the newsletter directly on the website.

After you unsubscribe from the newsletter distribution list, your email address may be stored to prevent future mailings in a so-called suppression list. The data from this list is used only for this purpose and is not merged with other data. This serves both your interest and our interest in complying with legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 (1) f GDPR). The storage in the suppression list is not limited in time.

You can object to the storage if your interests outweigh our legitimate interest. We also point you to the objection possibilities in data collection for advertising purposes on the websites optout.aboutads.info and www.youronlinechoices.com/uk/your-ad-choices (for the European area).
The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us until you unsubscribe from the newsletter and will be deleted from both our servers and the servers of the respective service provider after unsubscribing from the newsletter.

Data stored with us for other purposes (e.g., email addresses for the member area) remain unaffected by this.
The email address with which you have registered for the newsletter is used with the help of the software Zapier (see below) to provide you with information in the form of advertisements for the university, for example, via Facebook, Instagram, or LinkedIn, etc. For the use of Custom Audiences, see above.

The use is in our legitimate interest in accordance with Art. 6 (1) f GDPR. Our legitimate interest lies in increasing the awareness of the university, promoting public events, and attracting new students to our study offers. You can object to storage if your interests outweigh our legitimate interest.

2.12.1 Campaign Monitor

Campaign Monitor is a newsletter distribution platform of the company Campaign Monitor Pty Ltd., 11 Lea Avenue, Nashville, TN 37210 USA. The email addresses of our newsletter recipients, as well as the aforementioned data, are stored on the servers of Campaign Monitor in the USA, and possibly in Germany and Australia. Campaign Monitor uses this information to send and evaluate the newsletters on our behalf. Campaign Monitor does not use the data of our newsletter recipients for its own purposes or to pass them on to third parties. We have entered into contractual agreements with Campaign Monitor that ensure data protection compliance.

The processing of data entered into the newsletter registration form is carried out exclusively on the basis of your consent (Art. 6 (1) a GDPR). The collection of the email address of the data subject serves to deliver the newsletter. The collection of other personal data during the registration process serves to prevent misuse of the services or the email address used.
The subscription to the newsletter can be revoked at any time. For this purpose, a corresponding link to unsubscribe from the newsletter can be found in every newsletter. If the newsletter subscription is lawfully revoked, your personal data collected during the registration process will subsequently be deleted.

Further information on data processing and privacy notes by Campaign Monitor can be found at: www.campaignmonitor.com/trust/privacy-hub/

2.13 MailChimp

Individual departments of the university use the MailChimp service for sending newsletters. The provider is the Rocket Science Group LLC, 675 Ponce De Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. MailChimp is a service that can organize and analyze, among other things, the sending of newsletters. If you enter data for the purpose of receiving newsletters (e.g., email address), they will be stored on MailChimp's servers in the USA.

MailChimp commits to comply with EU data protection requirements. Information on GDPR compliance and data processing security can be found here: mailchimp.com/de/gdpr/ and here: mailchimp.com/about/security/.
MailChimp's privacy policy can be viewed here: mailchimp.com/legal/privacy/. You can exercise your rights here: mailchimp.com/privacy-rights/
We have entered into a so-called "Data-Processing-Agreement" with MailChimp, in which we oblige MailChimp to protect our customers' data and not to pass it on to third parties. This contract can be viewed at the following link: mailchimp.com/de/legal/data-processing-addendum/

2.14 Zapier

To provide our prospective students with the best possible customer experience, we use the software Zapier. Zapier allows us to link data from different databases, e.g., to show people who have subscribed to our newsletter relevant advertisements on social media, or to provide people who have registered for an event with automated additional information. Depending on the functionality, Zapier may also collect various personal data. The automated and thus time-efficient and error-free design of our processes represents our legitimate interest according to Art. 6 (1) f GDPR.
Zapier is a service of Zapier Inc., 548 Market St #6241, San Francisco, CA 94104, USA. When using Zapier, it cannot be ruled out that data will be transferred to Zapier's servers in the USA. We have concluded an agreement with Zapier for order processing. In addition, data processing is secured by the EU standard contractual clauses (https://cdn.zappy.app/339fd09f640a83ad81caa5c04f172f83.pdf). Further information on data protection at Zapier can be found at: zapier.com/privacy/

2.15 Contact Forms and Registration for Events

For the creation of registration masks, inquiries, or contact forms, we use various form services, as well as for the creation of application and registration forms, e.g., for university events.
Depending on the purpose of the form, the content may include the following data: company, name, email address, phone number, application data. The contents are only processed and stored when you submit a form. Additionally, certain information (e.g., the IP address) is transmitted to the respective provider. It may also be that the provider used places cookies on your device if you have consented to the storage of third-party cookies.
The use of the services has the purpose of facilitating registration and application processes and handling inquiries, as well as professionally designing and evaluating surveys. Use is based on our legitimate interest according to Art. 6 (1) f GDPR. At the university, we use the following tools for form design.

2.15.1 WuFoo

WuFoo is a US web form application provided by SurveyMonkey Europe UC, 2nd Floor, 2 Shelbourne Buildings, Shelbourne Road, Dublin, Ireland. We point out that when using a WuFoo form, the data is transferred to our service provider WuFoo in the USA.
We have concluded a contract with WuFoo for order processing in accordance with Art. 28 GDPR. You can find more information about WuFoo and data protection at SurveyMonkey at www.surveymonkey.com/mp/legal/privacy/.

2.15.2 Google Forms

Google Forms is a service provided by Google as part of the G-Suite package. The provider is Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google").
The data collected with a Google Forms form are stored on the cloud storage, "Google Drive." Additionally, we also collect data and files that you can upload via other forms, which are also stored in Google Drive. There we may also store data that we receive from you by email, messenger services, or other electronic and analog means if necessary for the planning, execution, or processing of surveys or other services performed by us. Your data is usually deleted after the end of the event or survey.
Google's privacy policy can be found at the following link: policies.google.com/privacy.
More information on G-Suite, data security, and privacy can be found at the following links: privacy.google.com/businesses/controllerterms/mccs/, business.safety.google/compliance/.
We have agreed with Google for the use of G-Suite a data processing in accordance with Art. 28 GDPR. Google has committed to the EU standard contractual clauses, thereby committing to comply with the standards and regulations of European data protection law. You can find more information at the following link: business.safety.google/adscontrollerterms/sccs/.

2.15.3 Microsoft Forms

"Microsoft Forms" is a tool from Microsoft 365 (see below) and a service from Microsoft Ireland Operations Limited. User data from the European Union is processed in data centers within the European Economic Area (EEA). However, it may be necessary for the provision of the service and as part of support that data is processed at Microsoft Inc.'s headquarters in the USA. We have concluded a data processing contract with Microsoft under the "Online Service Terms" (OST) according to Art. 28 GDPR. In addition, EU standard contractual clauses are contractually agreed for data transfers to third countries.

Therefore, it cannot be ruled out that US authorities, such as intelligence agencies, will process, evaluate, and permanently store your data located on servers of US service providers for surveillance purposes. We have no influence over these processing activities. Therefore, Microsoft has taken additional technical and organizational measures to protect personal data. In particular, personal data via "Microsoft Forms" is only transmitted encrypted. In addition, Microsoft has contractually committed to fending off as far as possible any requests for surrender from US authorities. Therefore, an adequate level of protection for the processing of personal data by Microsoft can generally be assumed.
More information on data protection at Microsoft can be found at privacy.microsoft.com/de-de/privacystatement.

---

Information on Data Processing at Bucerius Law School According to Articles 13 & 14 of the GDPR

Bucerius Law School - College of Law in Hamburg is a private foundation college for legal science ("BLS") and processes personal data (shortly "data") exclusively on the basis of legal regulations. With this privacy policy, we want to inform you about the processing of your data at our university and the data protection rights and claims you are entitled to under Articles 13 and 14 of the General Data Protection Regulation (GDPR). These privacy notices also apply to Bucerius Education GmbH, the event and further education provider of BLS.

You can find information about the responsible body in the imprint; please refer to the privacy policy for the contact details of the data protection officer.

1. Processing purposes and where the data comes from

We process data from prospective students, applicants, students, doctoral candidates, researchers, employed and external lecturers, sponsors, third-party donors, partner universities, for:
• Implementation of the application for a study place
• Conducting studies, taking exams
• Conducting teaching and research operations
• Employment of employed lecturers and contractual cooperation with external lecturers
• Collaboration with partners, supporters, guest researchers
• Implementation of events, e.g. seminars, summer programs for BLS staff and students, alumni and external parties

Usually, we receive your data from you directly. We also obtain contact details through recommendations or by researching publicly accessible data sources, e.g., the internet. We receive your data (name, contact details) from education service providers, e.g., TOEFL, IELTS, to which you have applied and where you have consented to the data being passed on to us.

We also receive data from people who apply for a (permanent) position at BLS, either directly from them, through recommendations, the Employment Agency, web portals, or recruitment agencies. For the use of form generators for creating application forms, see above.

2. What is the legal basis for processing the data?

We process personal data on the following legal grounds:
• For the fulfillment of (pre-)contractual obligations under Article 6(1) b of the GDPR. We enter into contracts with students and external lecturers. You must provide the personal data collected as part of the contractual collaboration; otherwise, an application or collaboration or study is not possible.
• We process data from employees and applicants for a (permanent) position under § 26 BDSG (Federal Data Protection Act).
• Data processing is also necessary to comply with legal obligations under Art. 6(1) c GDPR: for example, data processing is required under labor law, higher education laws, the Commercial Code, or tax law. You must provide this data to us; otherwise, collaboration is not possible.
• Based on your consent (Art. 6(1) a GDPR), we process your data, e.g., for receiving newsletters, storing applicant data over a more extended period (e.g., employment relationship, freelance staff).
• A balance of interests can be the basis for data processing beyond the actual fulfillment of the contract to protect the legitimate interests of us or third parties (Art. 6(1) f GDPR). Data processing to protect legitimate interests occurs, for example, in the following cases:
o Use of IT structures
o Operation of the website and social media
o Advertising or marketing
o Measures for business control and further development of services
o In the context of legal prosecution;

2.1 Processing of personal data for advertising purposes

You can object to the use of your personal data for advertising purposes at any time. Please use the address provided above or the email address info@law-school.de.
We may, under the legal conditions of § 7 para. 3 UWG (Act Against Unfair Competition), be entitled to use e-mail addresses provided at the conclusion of the contract for direct advertising for our similar services.
If you do not wish to receive advertising via email from us, you can object to the use of your data for this purpose at any time. A notification in text form to info@law-school.de is sufficient for this purpose.

3. Who Receives Your Data?

BLS typically processes your data internally and for its own purposes. If we engage a service provider as a processor, we remain responsible for protecting your data. All processors are contractually obligated to treat your data confidentially and only to process it as part of the service provision.
The processors we commission will receive your data if they need the data to fulfill their respective services. These include, for example, IT service providers that we need for the operation and security of our IT system, as well as software providers for the implementation of our business processes.
As part of contractual cooperation or research projects, personal data may be passed on to project partners or third-party funders. This is in the legitimate interest of all parties involved.
Furthermore, we will transmit your personal data to other recipients outside of BLS, insofar as this is necessary to fulfill our contractual and legal obligations. Under these conditions, recipients of personal data can be:

• Tax Consultants
• Social Insurance Carriers
• Health and Pension Funds
• Tax Authorities
• Third-party Donors
• Professional Associations
• Credit and Financial Service Institutes (e.g., for salary payments)
• Auditors
• State and Federal Statistical Offices (usually anonymized datasets)
• Central Office for Foreign Education (ZAB) or Uni-Assist e.V. (to check if an applicant is eligible for studying in Germany, it may be necessary to transmit the applicant's certificates for an evaluation).
• For excursions, study trips, and events, it is necessary that data is passed on to the respective event provider, e.g., for access control.
Additional data recipients can be those bodies to whom you have given us your consent for data transfer or to whom we are authorized to transmit personal data based on a balance of interests.

3.1 Data Transfer to Third Countries
Usually, we do not transfer data to a third country. A transfer only takes place in individual cases based on a decision of adequacy by the European Commission, standard contractual clauses, suitable guarantees, or your explicit consent.

A transfer may take place, for example, to lecturers, partner universities, or third-party funders located in a third country. We will inform you of this on a case-by-case basis.

3.2 Use of PayPal, Donation Receipt
For processing payments, we use PayPal (PayPal (Europe) S.a.r.l. et Cie, S.C.A.). When paying via PayPal, your payment data is forwarded to PayPal (Europe) S.à r.l. et Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg (hereinafter "PayPal") as part of the payment process. PayPal reserves the right to carry out a credit check for the payment methods credit card via PayPal, direct debit via PayPal, or - if offered - "purchase on account" via PayPal. The result of the credit check concerning the statistical probability of default is used by PayPal to decide on the provision of the respective payment method. The credit information may contain probability values (so-called score values). If score values are included in the result of the credit check, they are based on a scientifically recognized mathematical-statistical procedure. Address data is included in the calculation of the score values. Further data protection information, including information on the credit agencies used, can be found in PayPal's privacy policy: www.paypal.com/de/webapps/mpp/ua/privacy-full
The transmission of your data to PayPal is based on Art. 6 (1) b DSGVO (processing to fulfill a contract).

BLS uses the data you provided to PayPal (name, email address, purpose of the transaction, amount, date of payment, comment on payment) also to create a donation receipt. If you do not provide a mailing address to PayPal where we can send the donation receipt, we will request it from you via email. All data used by BLS will be deleted after processing the payment and creating the donation receipt.

4. How Long is Your Data Stored?
Personal data will be deleted as soon as their storage is no longer required for the purposes mentioned above. After the termination of the contractual relationship or study, the personal data of students or employees will be stored as long as BLS is legally obligated to do so or is entitled to do so based on legitimate interests.

The applicable retention obligations arise, among other things, from the provisions of university laws, commercial laws, and tax codes.

Alternatively, personal data can be retained for the period in which claims can be asserted against BLS. In this case, statutory limitation periods ranging from three to thirty years apply.
If we have collected your data as part of an applicant selection process and no studies follow, the data will usually be deleted promptly after the process is completed, at the latest after 6 months, unless there are sufficient reasons for longer-term storage of your data in individual cases.
Data from prospective students are deleted 3 years after the last contact.

Data from applicants for (permanent) positions are usually deleted 6 months after the end of the application process, with longer storage only with the consent of the applicant.

4.1 Notes on the Email Account at Bucerius Law School

At the start of their studies, students receive their email mailbox at Bucerius Law School. Upon graduation with a degree from Bucerius Law School (LL.B., MLB, LL.M, doctorate, habilitation), the graduate retains lifelong access to his/her email mailbox at Bucerius Law School. If the graduate wishes deletion, he/she can contact the university directly and request deletion. The deletion is then regularly carried out at the end of the following summer trimester.

Upon disenrollment WITHOUT a degree from Bucerius Law School, the email mailbox will be locked with the disenrollment. The mailbox will be kept for one year after the end of the disenrollment and then irretrievably deleted at the end of the following summer trimester.

5. Photo and Film Recordings at Bucerius Law School Events

At events hosted by Bucerius Law School, photo and/or film recordings (including sound) ("recordings") are regularly made. If you do not wish to be photographed or filmed, you can approach the photographer or cameraperson directly.

We use the resulting recordings in accordance with Art. 6 (1) f GDPR exclusively for our legitimate purposes of documenting our events, campus life, and public relations. The recordings are used on our website, in our newsletter, as well as in print media and on our social media channels, e.g., Facebook and Instagram. For purely internal purposes, the recordings are stored securely with the media management service Flickr, not publicly accessible, and protected from unauthorized access.

Since we use social media channels, your data may be transferred to entities in countries outside the European Union (so-called third countries) in individual cases based on an adequacy decision or standard contractual clauses (SCC) or another suitable guarantee. There is no other transfer to third parties unless you have given us your consent.
Except for the purposes mentioned above, further use of your recordings does not take place or only with your explicit consent.

The photo and film recordings are stored for as long as necessary for the respective purpose, after which they will be deleted.

All resulting recordings are not merged with other data. We naturally comply with the relevant provisions and standards for the protection of personal data. If you have any questions about this or believe that we have used an image improperly, please contact notice@law-school.de.
Information on your rights as a data subject can be found further down on this website.

6. Notes on Video Surveillance at BLS

Video cameras for monitoring the campus grounds are installed on the premises of Bucerius Law School. The video surveillance of the campus grounds serves to uphold the house rules against unauthorized persons and protect property from vandalism and theft in accordance with Art. 6 (1) f GDPR.

The video cameras record, and the recordings are usually automatically deleted after 72 hours; with pure monitoring cameras (monitoring), there is no recording. The data are stored locally, and generally, no one outside of Bucerius Law School receives the video data. However, should an incident occur, the video data will be secured and forwarded to the police, public prosecutor's office, or other legal institutions as needed or requested to pursue our claims or the claims of third parties. Data transfer to a third country does not take place.

7. General Guidelines for Using Video Services

The video systems for delivering educational content are operated in lecture halls and seminar rooms and serve to convey learning and seminar content to students who cannot attend the event in person. The systems used by BLS are explained further down in the privacy notices.
We would like to provide you with some tips on how to protect yourself and your privacy when using video conferencing tools.

7.1 Basic Settings

The basic settings are preset in Zoom to be privacy-friendly. All meetings and lectures begin with the microphone turned off. The microphone must be actively turned on by the participants. The overlay of email addresses in shared content as a watermark is prevented. A numerical code is set for all meetings as access protection; this is already included in the invitation link.

7.2 Check Privacy Settings and Environment Before Meeting

Please also make sure that no unauthorized persons can follow the video conference and that smart devices, such as voice assistants like Alexa, Siri, etc., are not in the area of application or are active, to prevent unauthorized data processing or recordings.

7.3 Hide Background

To protect your privacy, you can replace your background with an overlay.

7.4 No Content with High Protection Requirements

Content that requires high protection should not be exchanged via video services. Explicitly excluded is the use when special categories of personal data are processed (“sensitive data”, e.g., health data).

7.5 Recording of Meeting Contents and Lectures

Automatic storage of chat communications and whiteboard contents is prevented. Manual storage by the host is possible.
The default settings are defined so that the automatic recording of meetings and lectures is generally disabled. Recording can be triggered by the host. When recording, the copyrights and personal rights of those affected must be observed.

A warning is always displayed at the start of recordings. The fact of the recording is indicated to the participants by a symbol.

Before starting the recording, you can also reject the recording by clicking on "Leave Meeting." You should do this promptly. If you do not leave the meeting, your activities will be recorded from the start of the recording.

7.6 Publication of Meetings on Social Networks

The default settings are defined so that there is no automatic publication on social networks.

8. Guidelines for Using Microsoft 365

We use Microsoft 365 to conduct our office work as well as for communication for teleconferences, online meetings, video conferences, and online collaboration.
Our legitimate interest lies in simplifying IT processes, internal and external communication, handling inquiries, increasing efficiency, and promoting collaboration across the company.
Microsoft 365 is a service provided by Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, Ireland.
When using Microsoft 365, personal data is also processed. For this purpose, we have concluded a data processing agreement with Microsoft. A corresponding data processing agreement is included in the Online Service Terms (OST).
www.microsoft.com/de-de/servicesagreement
www.microsoft.com/en-us/licensing/product-licensing/products
www.microsoft.com/de-de/trust-center/privacy/data-access

8.1 Categories of Processed Data and Legal Bases

When using Microsoft 365, Microsoft processes a variety of data.
• Data for functionality
• License data
• Diagnostic data (telemetry)
• Technical support
• Continuous improvement
• Processing for Microsoft's legitimate business activities
The exact personal data processed depends on the individual case:
• Your IP address, with which access to the Microsoft 365 applications is made. The legal basis for this is Art. 6 (1) f GDPR.
• The username (access data for the Microsoft 365 applications), information about you that identifies you as a user, sender, recipient of data within the Microsoft 365 world. Data within the so-called multi-factor authentication that you have stored in your Microsoft Account (e.g., optionally the (private) mobile number). The legal basis for this is Art. 6 (1) b.
• Additional voluntary data (such as a profile picture you have stored) are also visible in your profile at any time. This information is visible in your profile and particularly in Outlook for you and other Microsoft 365 users at all times and can be individually customized by you. The legal basis for this is Art. 6 (1) a GDPR.
• Usage data: This includes communication content (text, audio, video), files created by you or others. This depends on the application used in Microsoft 365 (Teams). The legal bases for this are Art. 6 (1) b and f GDPR.

8.2 Recipients of Data

Your personal data will only be passed on without your express prior consent in the cases explicitly mentioned in this privacy policy and only if it is legally permissible or required.

8.3 Data Transfers to Third Countries

In general, data processing outside the European Union (EU) does not take place, as we have restricted our storage location to data centers in the European Union.
Exceptions to this include telemetry or diagnostic data, the support hotline, and possible additional data that are processed by Microsoft outside the EU.
Furthermore, due to legal obligations, personal data may be transferred or disclosed to third parties (especially authorities), including third countries (USA) with a different level of data protection.
To achieve the required secure level of data protection, in addition to internal organizational measures, the so-called standard contractual clauses (SCC) were concluded with Microsoft, which are part of the Data Protection Addendum (DPA) attached to the aforementioned OST.

8.4 Encryption

Data is encrypted during transmission and in the resting state. This includes messages, files (video, audio, etc.), meetings, and other content. Teams also use TLS and MTLS to encrypt chat messages.

8.5 Storage Duration or Criteria for Determining This Duration

If a user (or an administrator on behalf of the user) deletes the data, Microsoft will ensure that all copies of the personal data are deleted within 60 days.
If a service offered by Microsoft is terminated, the corresponding personal data will be deleted between 60 and 180 days after discontinuation of the service. We generally delete personal data when there is no need for further storage. A need may arise if the data is still required to fulfill contractual services, to check and grant or defend warranty and possibly guarantee claims. Microsoft must then comply with the company administrator's request.
In the case of legal retention obligations, deletion can only be considered after the respective retention period has expired.

9. Microsoft Teams

We use the tool "Teams" to conduct presentations, meetings, collaborative project work, team meetings, conferences, training sessions, and seminars.

9.1 Types of Data

• Activity data
• User data (username, profile picture)
• Audio and video data
• Contact data
• Meeting data (topic, participant IP addresses, device/hardware information)
• User data (files for collaborative editing, chat data)
The legal basis for data processing during the conduct of "online meetings" is Art. 6 (1) b GDPR, insofar as the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. Our legitimate interest lies in the effective conduct of online meetings.
Recording of audio or video content will only take place with your consent, and you will be informed about this in advance. The legal basis for this is Art. 6 (1) a GDPR.
For more information on the processing of personal data in Microsoft Teams, please refer to the previous sections or visit the following link: learn.microsoft.com/de-de/microsoftteams/teams-privacy.

10. Guidelines for the Use of "Zoom"

We use the "Zoom" tool for telephone conferences, online meetings, video conferences, online lectures, and seminars (hereinafter referred to as "online meetings") as well as for collaboration within the scope of activities at BLS and for fulfilling university tasks (teaching, research, and administration). The use of Zoom for private purposes under the provided licenses is not permitted.

"Zoom" is a video conferencing service provided by Zoom Video Communications, Inc., headquartered in San Jose, California, USA. Zoom is a data processor in terms of data protection, and a data processing agreement is in place. Information on GDPR compliance, data processing, and protection settings in ZOOM can be found here:
explore.zoom.us/de/trust/
safety.zoom.us/de/
explore.zoom.us/de/trust/privacy/
explore.zoom.us/de/gdpr/

10.1 Types of Data Processed

Various types of data are processed when using "Zoom." The extent of the data processed depends on the information you provide before or during your participation in an "online meeting." The default settings in Zoom are privacy-friendly, such as no attention tracking.
User information: First name, last name, phone (optional), email address, password (if "Single-Sign-On" is not used), profile picture (optional), department (optional)
Meeting metadata: Topic, description (optional), participant IP addresses, device/hardware information
For recordings (optional): MP4 file of all video, audio, and presentation recordings, M4A file of all audio recordings, text file of the online meeting chat. Generally, we do not record video conferences. For recording lectures and mandatory attendance logging, see below.
When dialing in by phone: Information about the incoming and outgoing phone number, country name, start, and end time. If applicable, further connection data, such as the IP address of the device, may be stored.

Text, audio, and video data: You may have the option to use the chat, question, or polling functions in an "online meeting." In this context, the text inputs you make will be processed to display them and, if necessary, log them in the "online meeting." To enable the display of video and audio playback, the data from your device's microphone and any video camera on your device will be processed for the duration of the meeting. You can disable or mute the camera or microphone at any time using the "Zoom" applications. If necessary for the purpose of logging the results of an online meeting, we will log the chat contents. However, this will generally not be the case.
To participate in an "online meeting" (without registration) or enter the "meeting room," you must provide at least your name or alias.
If you are a registered user with "Zoom," reports on "online meetings" (metadata, data for phone dial-in, questions, and answers in webinars, polling function in webinars) may be stored with "Zoom" for up to one month.
If we intend to record "online meetings" or "online lectures," we will inform you transparently in advance. The fact that a recording is being made will also be displayed in the "Zoom" app. In the case of webinars, we may process the questions asked by webinar participants for the purposes of recording and follow-up of webinars.
Automated decision-making within the meaning of Art. 22 GDPR is not used.

10.2 Legal Basis of Data Processing

The legal basis for data processing in the conduct of "online meetings" and "online lectures" is Art. 6 (1) b GDPR when the meetings are conducted within the framework of contractual relationships. If there is no contractual relationship, the legal basis is Art. 6 (1) f GDPR. In this case, our legitimate interest lies in the effective conduct of "online meetings" and "online lectures."
If personal data of university employees is processed in connection with the use of "Zoom," § 26 BDSG is the legal basis for data processing. If personal data is not necessary for the establishment, implementation, or termination of the employment relationship in connection with the use of "Zoom" but is nevertheless an essential part of using "Zoom," Art. 6 (1) f GDPR is the legal basis for data processing. In these cases, our interest lies in the effective conduct of "online meetings."

10.3 Recipients / Disclosure of Data

Personal data processed in connection with participation in "online meetings" and/or "online lectures" is generally not disclosed to third parties unless expressly intended for disclosure. Please note that content from "online meetings" and/or "online lectures," as with personal meetings, often serve to communicate information with customers, prospects, or third parties and are therefore intended for disclosure.

Other recipients: The provider of "Zoom" will necessarily become aware of the aforementioned data to the extent provided for in our data processing agreement with "Zoom."

10.4 Data Processing Outside the European Union

"Zoom" is a service provided by a company from the USA. Personal data is also processed in a third country. We have concluded a data processing agreement with the provider of "Zoom," which complies with the requirements of Art. 28 GDPR.
A sufficient level of data protection is guaranteed, on the one hand, by the conclusion of the EU standard contractual clauses. As an additional protective measure, we have configured our Zoom settings so that only data centers in the EU, EEA, or secure third countries such as Canada or Japan are used for conducting "online meetings."

10.5 Data Deletion

Data is generally deleted once the purpose of data processing is achieved, and there are no retention requirements. A requirement may arise, in particular, if the data is still needed to fulfill contractual services, check and grant or defend warranty and guarantee claims. In the case of legal retention obligations, deletion is only considered after the respective retention obligation has expired.

Communication content is not stored beyond the communication. Communication-related metadata is deleted as soon as storage is no longer required for the provision or maintenance of the service. Data is deleted 7 days after revocation of consents required for publication and storage of the recording or after the need for publication and storage of the recording has ceased. Locally stored recordings are deleted according to their own deadlines. Locally stored chat messages are deleted if they are older than 30 days.

If you are registered with Zoom as a user, reports on online meetings (meeting metadata, data for phone dial-in, questions, and answers in webinars, polling function in webinars) may be stored with Zoom for up to one month. The account must be deleted as soon as the service is no longer required for task fulfillment, at the latest when employees leave. Users can delete their Zoom user account themselves; the necessary information can be found here: support.zoom.us/hc/de/articles/201363243-Wie-kündige-ich-mein-Konto.

11. Use of Salesforce

Salesforce provides cloud-based CRM solutions that enable businesses to integrate departments such as sales, marketing, and customer service to improve Customer Relationship Management (CRM). We use Salesforce systems to provide our online shop, manage customer data, and conduct application procedures for international prospective students. The data we process in the context of providing your customer account and handling purchases is processed in Salesforce systems. We use Salesforce based on our legitimate interest according to Art. 6 (1) f GDPR. Our legitimate interest lies in simplifying administrative and IT processes, managing and communicating with customers, processing inquiries, increasing efficiency, and efficiently conducting marketing activities.

Salesforce is a multinational corporation with global subsidiaries. The parent company of the corporation is salesforce.com Inc., Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA. Therefore, data transfers to the USA may occur in the context of data processing with Salesforce. Regarding data transfers to the USA, there is no adequacy decision of the EU Commission. However, Salesforce ensures an adequate level of data protection through Binding Corporate Rules (BCR). These are binding internal regulations approved by a European supervisory authority. You can access a copy of the BCR at the following link: compliance.salesforce.com/en/salesforce-bcrs. Additionally, Salesforce ensures an adequate level of data protection through the EU Standard Contractual Clauses. You can access a copy of the clauses at the following link: www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf

If a user (or an administrator on behalf of the user) deletes data, Salesforce will ensure that all copies of personal data are deleted within 60 days. If a service offered by Salesforce is terminated, the corresponding personal data will be deleted between 60 and 180 days after the service is discontinued. We generally delete personal data when there is no longer a need for further storage. A need may arise, in particular, if the data is still required to fulfill contractual services, check and grant or defend warranty and guarantee claims. Salesforce must comply with the request of the company administrator in such cases. In the case of legal retention obligations, deletion is only considered after the respective retention obligation has expired.

12. Your Rights as a Data Subject

If your personal data is processed on our website or within the university, you, as a "data subject," have the following rights:

12.1 Information

You can request information from us about whether personal data concerning you is being processed by us. The right to information is excluded if the data is only stored because it may not be deleted due to legal or statutory retention periods or serves exclusively the purposes of data backup or data protection control, provided that providing information would require a disproportionately high effort and processing for other purposes is excluded by suitable technical and organizational measures.

If the right to information is not excluded in your case and your personal data is processed by us, you can request information about the following:

• Purposes of the processing,
• Categories of personal data processed by you,
• Recipients or categories of recipients to whom your personal data has been or will be disclosed, especially recipients in third countries,
• If possible, the planned duration for which your personal data will be stored, or, if this is not possible, the criteria for determining the storage period,
• The existence of a right to correct or delete or restrict the processing of your personal data concerning you or to object to such processing,
• The existence of a right to lodge a complaint with a supervisory authority for data protection,
• If the personal data was not collected from you as the data subject, the available information about the data source,
• If applicable, the existence of automated decision-making, including profiling, and meaningful information about the logic involved as well as the significance and the envisaged consequences of such processing,
• If applicable, in the case of transfer to recipients in third countries, if there is no adequacy decision by the EU Commission pursuant to Art. 45 (3) GDPR, information about which suitable guarantees pursuant to Art. 46 (2) GDPR are provided for the protection of personal data.

12.2 Correction and Completion

If you determine that we have incorrect personal data concerning you, you can request immediate correction of this incorrect data from us. In the case of incomplete personal data concerning you, you can request completion.

12.3 Deletion

You have the right to request the deletion ("right to be forgotten") of your personal data, provided that the processing is not necessary for exercising the right to freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims, and one of the following reasons applies:

• The personal data is no longer necessary for the purposes for which it was processed.
• The legal basis for the processing was solely your consent, which you have withdrawn.
• You have objected to the processing of your personal data that we have made public.
• You have objected to the processing of non-publicly available personal data, and there are no overriding legitimate grounds for the processing.
• Your personal data has been unlawfully processed.
• The deletion of personal data is necessary to fulfill a legal obligation to which we are subject.

No right to deletion exists if deletion is not possible or only possible with disproportionate effort due to the specific type of storage in the case of lawful non-automated data processing, and if your interest in deletion is minimal. In this case, processing will be restricted instead of deletion.

12.4 Restriction of Processing

You can request the restriction of processing if one of the following reasons applies:

• You contest the accuracy of the personal data. In this case, the restriction can be requested for the duration that allows us to verify the accuracy of the data.
• The processing is unlawful, and you request the restriction of the use of your personal data instead of deletion.
• We no longer need your personal data for the purposes of processing, but you require it for the establishment, exercise, or defense of legal claims.
• You have objected pursuant to Art. 21 (1) GDPR. The restriction of processing can be requested as long as it is not yet clear whether our legitimate grounds override yours.

Restriction of processing means that your personal data will only be processed with your consent, for the establishment, exercise, or defense of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of substantial public interest. Before lifting the restriction, we are obliged to inform you.

12.5 Data Portability

You have the right to data portability if the processing is based on your consent (Art. 6 (1) a or Art. 9 (2) a GDPR) or on a contract of which you are a party, and the processing is carried out by automated means. In this case, the right to data portability includes the following rights, provided that this does not adversely affect the rights and freedoms of others: You can request to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format. You have the right to transmit this data to another controller without hindrance from us, where technically feasible. You may also request that we directly transmit your personal data to another controller, where technically feasible.

12.6 Withdrawal of Consent

You have the right to withdraw your consent at any time with effect for the future. The revocation of consent can be communicated informally by telephone, email, or by postal mail to our address. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. Upon receipt of the revocation, the data processing based exclusively on your consent will be discontinued.

12.7 Right to Object

If the processing is based on Art. 6 (1) e GDPR (performance of a task carried out in the public interest or in the exercise of official authority) or Art. 6 (1) f GDPR (legitimate interests pursued by the controller or a third party), you have the right to object at any time on grounds relating to your particular situation. This also applies to profiling based on these provisions. After exercising your right to object, we will no longer process your personal data, unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defense of legal claims.

You may object to the processing of your personal data for direct marketing purposes at any time. This also applies to profiling related to such direct marketing. After exercising this right to object, we will no longer use your personal data for direct marketing purposes.

You have the option to informally communicate your objection by telephone, email, or postal mail to the address provided above.

12.8 Automated Decision-Making

As a responsible company, we do not use automated decision-making or profiling.

12.9 Complaint

If you believe that the processing of your data violates German or European data protection law, please contact us to clarify any questions. Please contact us either by postal mail (address as stated above) or by email: datenschutz@law-school.de. In case of doubt, we may request additional information to confirm your identity. Additionally, you have the right to lodge a complaint with the supervisory authority of the federal state of Hamburg.

12.10 Further Questions and Information

If you have further questions regarding data protection at BLS, please write to us at info(at)law-school.de, and we will try to address your concerns. We reserve the right to send you notifications about the applicable policies at certain intervals. However, you should regularly visit our website and take note of any changes. Unless otherwise stipulated, the use of all information we have about you is subject to this privacy policy.

The Bucerius Law School Hochschule für Rechtswissenschaft gGmbH strives to settle any disputes arising from consumer contracts out of court. It is, therefore, willing to participate in dispute resolution proceedings of the General Consumer Center for Conciliation / Allgemeine Verbraucherschlichtungsstelle Zentrum für Schlichtung e.V., Straßburger Strasse 8, 77694 Kehl am Rein, www.verbraucher-schlichter.de, E-Mail: mail(at)verbrauch-schlichter.de provided that the consumer has previously asserted the disputed claim against the law school and provided that the claim is within the competence of the Consumer Center.

The European Commission has established a European online dispute resolution platform (OS platform) under http://ec.europa.eu/consumers/odr/. EU Consumers may use the OS platform to resolve disputes arising from online contracts with providers established in the EU. In case there are no language barriers, EU Consumers may also directly make use of the German General Consumer Center for Conciliation, the Allgemeine Verbraucherschlichtungsstelle Zentrum für Schlichtung e.V. (see above).