Data protection

2. Responsibility for data privacy matters
Unless otherwise communicated in individual cases, the ETH Alumni Association, Rämistrasse 101, 8092 Zurich, Switzerland , Tel.: +41 44 632 51 00, is responsible for the content of this data privacy statement and for the data processing described.

Your contact for matters relating to data privacy at the ETH Alumni Association is:

ETH Alumni Association Office
Herr Bernhard Hohl
Rämistrasse 101
8092 Zurich
Switzerland

Tel.: +41 44 632 51 00

3. EU data privacy officer
The following person is designated as the EU data privacy officer in accordance with Art. 27 of the GDPR for individuals with a single residence in countries within the European Economic Area (EEA), including the European Union (EU) and the Principality of Liechtenstein, as well as for country-specific regulatory bodies designated in line with the GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Germany

4. Terminology
By way of introduction and to aid understanding, we wish to clarify the key terminology used below. In this respect, we are following the definitions of terms provided in Swiss data privacy law.

• Personal data: any information which relates to an identified or identifiable natural person.
• Data subject: natural persons whose data is processed.
• Process: any handling of personal data, regardless of the tools and methods applied, in particular collection, recording, storage, use, alteration, disclosure, archiving, deletion or destruction of data.
• Controller: individual or public authority, who or which, alone or jointly with others, determines the purposes and means of the processing.
• Processor: individual or public authority, who or which processes personal data on behalf of the controller.

5. Legal basis for data processing
This data privacy statement conforms to the requirements of the Swiss Federal Act on Data Protection (DSG), the associated Data Protection Ordinance (DSV) as well as the General Data Protection Regulation (GDPR) of the European Union. The type and scope of applicable legislation depends on the individual case in question. Foreign data privacy law only applies if the applicable law is mandatory and only to the data processing processes and people affected by it.

When processing personal data, we follow the data privacy requirements applicable in that particular case

The processing of personal data must not unlawfully harm the character of the data subject. Such data processing must therefore satisfy the processing principles of data privacy legislation and/or must be legitimately possible on the basis of a justification. In particular, we have justification to process personal data if the processing:

• has a legal basis.
  The processing of personal data may be required or justified by law (e.g. statutory archiving obligations).
• is required to fulfil a contact for the data subject or for pre-contractual measures.
  Most of the processing of personal data undertaken within our company involves the fulfilment of contractual obligations (e.g. administration of members)
• is required to protect legitimate interests on our part or that of third parties.
  Legitimate interests on our part apply in particular when we process personal data within the context of Item 7 of the stated purposes as well as the disclosure of data in accordance with Item 9 and the associated objectives.
• is based on consent.
  If the processing of personal data is based on your consent, we will provide you with separate and transparent information of this. You can withdraw your consent to data processing going forward using the functions provided for this purpose (e.g. unsubscribe link in newsletters) or by notifying us in writing (see contacts provided above in Items 2 and 3). Once your consent has been revoked in this way, we will cease to process the relevant data unless we are able to base doing so on another form of justification.
• is required to comply with domestic and foreign statutory provisions.

6. Collection and processing of personal data
Depending on the services you use and the relationship that exists between you and us, we process the following categories of personal data:

• master data: e.g. title, surname, first name, sex, date of birth, address and contact details such as address, phone numbers, e-mail addresses, preferred language, customer numbers, user names, financial information.
• contractual data: e.g. information relating to initiation, conclusion, processing, administration and termination of contracts/membership between you and us, information relating to advertising [refer also to Item 17 below], history of interactions, financial and payment information such as credit rating, information relating to the enforcement of claims, bank details.
• studies and qualifications: e.g. course studied, discipline, start date, end date, matriculation number (no performance records etc.)
• communication data: e.g. master data, contract data, content of communications from written, electronic and verbal correspondence (including social media posts and messages), details from surveys, information relating to the time, location, type etc. of communication, proof of identity, metadata.
• behavioural and transactional data: e.g. relating to use of our website, involvement in activities, events, contests and surveys, use of electronic means of communication.
• technical data: e.g. IP addresses, device IDs, details relating to the devices and applications you use and their settings, Internet providers you use, user names, passwords [as hash values], information relating to 2-factor authentication, log data, time and approximate locations with regard to using our products and services.
• marketing data: e.g. information relating to personal preferences and interests, signing up to and removal from newsletters, content of marketing correspondence.
• visual and sound recordings: e.g. recordings of phone and video conference conversations [only if this has been announced and agreed to in advance], recordings relating to membership and personal events.

7. Origin of data
Firstly, we collect personal data directly from you as the data subject. In particular, this data includes master, contract, communication and marketing data. Such personal data is collected during the course of the initiation and processing of business relationships and use of our services. If you provide us with data relating to other people, you must ensure that you are authorised to do this and that the data is correct. The people in question must also be made aware of this data privacy statement in advance.

We may also obtain your personal data from ETH Zurich, the ETH Zurich Foundation and other people involved. Please refer to Item 16 below with regard to this.

We may also collect personal data relating to you ourselves or in an automated manner or derive it from data we already hold. In particular, this includes behavioural and transactional data as well as technical data.

Finally, we also collect personal data from third parties, provided that this is permitted by law. Such third parties include people from your social circles, business partners, insurance companies, banks, regulators, official bodies, courts, parties and their legal representation within the context of legal disputes etc. We may also collect personal data from public sources (e.g. information offices, social media).

8. Purpose of data processing
We process the collected data in order to comply with our legal, contractual and statutory obligations towards members, interested parties, graduates, business partners, applicants, staff, regulators and other people involved.

We also process the collected data to allow us to provide and improve the products, goods and services you want, to manage your usage and desired access to our products, goods, services and information, to maintain our legal relationship with you, to carry out advertising and marketing (provided that you have agreed to your personal data being used for this purpose), to monitor and improve the performance of what we offer you, to enforce legal claims or to challenge them, to detect, prevent or explain illegal activities and for us to generally run operations (in particular IT, website etc.). We only collect, use and disclose your personal data if permitted and/or prescribed by law or if you have agreed to this.

9. Period over which we process personal data
We will continue to process your personal data for as long as we are obliged to do so by law (e.g. storage and archiving obligations) or our legitimate interests require this (e.g. enforcement of or defence against claims, assurance of IT security) or for as long as required for the purpose for which your data is collected or storage is required for technical reasons. In terms of contacts and membership, the data is usually stored for the period of the contractual relationship or membership plus any statutory storage periods extending beyond this (usually 10 years).

This may mean that your personal data or extracts thereof have to be stored for several years after the contractual relationship between you and us or your membership has come to an end. If your personal data is no longer needed for the above purposes, it is thoroughly deleted or made anonymous wherever possible.

In certain cases and based on your consent for this, we keep your personal data for longer (e.g. job applications which are still pending).

10. Disclosure of personal data to third parties
10.1. General
Within the context of the activities of the association, if permitted and required by law, we may disclose certain personal data to third parties. These third parties process your personal data either on our behalf (processors), under joint responsibility with ourselves or under their own responsibility. Such third parties include:

• ETH Zurich
• ETH Zurich Foundation
• affiliate organisations
• our service providers (including processors), such as banks, IT providers, external consultants, specialists, lawyers, legal protection insurance companies etc.
• business partners (sales partners, suppliers, partners etc.)
• domestic and foreign regulators, official bodies and courts
• other parties involved in administrative and legal proceedings
• other third parties required for us to achieve the purpose for which the respective data is being processed

Within the scope of application of the GDPR, personal data is disclosed in this way to third parties either in order to initiate and fulfil a contract (Article 6 Paragraph 1 (b) of the GDPR) or on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR).

10.2. Disclosure of personal data abroad
We usually process and store personal data in Switzerland and in the European Economic Area (EEA). However, in certain cases we may also disclose personal data to service providers and recipients who are located outside this area or process personal data outside this area, basically anywhere in the world. We have to anticipate the disclosure of personal data in all countries where the service providers that we use and their sub-contractors are located (the USA in particular). The same applies to our affiliate organisations.

We take appropriate actions to ensure that statutory requirements are met in such cases. More specifically, we hold a suitability resolution from the regulators responsible. Should there be no such resolution, personal data is disclosed on the basis of appropriate guarantees (in particular, standard contractual clauses approved by the European Commission and the Swiss Federal Data Protection and Information Commissioner [EDÖB]) or there are exemptions for certain situations (fulfilment of contracts, law enforcement abroad etc.) or we ask for your express consent to such disclosure.

11. Data security
In order to protect your data, we take state-of-the-art technical and organisational security measures.

All communication via our website is encrypted through the user of the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transfer via the Internet always involves some security risks. We cannot guarantee that your data will be fully protected from third-party access.

12. Your rights as a data subject
Provided that the requirements of the data privacy legislation applicable in that particular case are met and that no legal exemptions are applicable, you have the following rights with regard to the processing of your personal data:

• on request, to receive, at no cost to you, information about whether we are processing your personal data and if so, what data
• to correct false or incomplete personal data
• to restrict the processing of your personal data
• to block your personal data
• to delete your personal data or make it anonymous
• to data transferability
• to revoke any consent given with regard to the processing of your personal data going forward
• to object to the processing of your personal data.

Please note that these rights may be restricted or excluded in specific individual cases under certain circumstances (e.g. to protect third parties or for reasons associated with trade secrets).

In order to enforce your rights as a data subject or should you have any questions about this data privacy statement and the processes it describes, you can contact the persons/bodies stated in the above Items 2 and 3.

We would be grateful if you could contact us if you believe that your data has been wrongfully processed. Alternatively, you can lodge a complaint with the responsible regulatory body. The regulatory body for data privacy in Switzerland is the external pageSwiss Federal Data Protection and Information Commissioner (EDÖB).call_made In the EU, complaints should be lodged with the respective national data protection authority.

II. Additional information related to selected data processing

13. Processing personal data linked to use of our website
13.1. Cookies
Our website uses what are known as “cookies”. Cookies are small text files, which are either used temporarily for the duration of a session (session cookies) or stored permanently (permanent cookies) on your end device. Session cookies are deleted automatically once your visit is complete. Permanent cookies remain on your end device until you delete them yourself or they are deleted automatically by your web browser (usually at some point between several days and 2 years after the event).

Sometimes, cookies from third-party companies may also be stored on your end device (third-party cookies). These enable us or you to use certain services from third-party companies (e.g. cookies for processing payment services, analysis cookies; see the following Items 13.2 ff. for more details).

Cookies have various functions. Numerous cookies are needed for technical purposes because certain website functions would not otherwise work (e.g. the shopping basket function or displaying videos). Other cookies are used to analyse user behaviour or show advertising (so-called “non-essential cookies”).

You can set your browser to inform you each time cookies are enabled and you can then permit or refuse cookies in each case. You can prevent the acceptance of cookies for certain situations or in general and you can activate the automatic deletion of cookies when you close your browser. On the following pages, you will find explanations of how you can configure the processing of cookies on the most common browsers:

• external pageMicrosofts Windows Internet Explorercall_made
• external pageMicrosofts Windows Internet Explorer Mobilecall_made
• external pageMozilla Firefoxcall_made
• external pageGoogle Chrome für Desktopcall_made
• external pageGoogle Chrome für Mobilecall_made
• external pageApple Safari für Desktopcall_made
• external pageApple Safari für Mobilecall_made

Deactivating cookies may restrict the functionality of this website.

Within the scope of application of the GDPR, personal data is processed using the cookies required for technical reasons on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in an appealing and secure Internet presence. The use of non-essential cookies and the processing of personal data linked to this are undertaken with your consent (Article 6 Paragraph 1 (a) of the GDPR).

13.2. Website hosting provider
Our website is hosted by ETH Zurich on their servers (server location: Switzerland). Each time you visit our website, the hosting provider automatically collects and stores information (server log files), which are transferred by your browser. This includes the name and URL of the accessed file, date and time of access, volume of data, web browser and web browser version, operating system, the domain name of your Internet provider, the so-called referrer URL (the page from which you accessed our website) and the IP address. This usage data is used to detect technical problems, to ensure security and to statistically evaluate use of our website and thereby allow us to enhance it.

We process this data for the following purposes:

• to ensure that a connection to the website is established smoothly,
• to ensure convenient website usage,
• to analyse system security and stability,
• and for other administrative purposes and in the event of unlawful use of our website or our services.

Within the scope of application of the GDPR, this data is processed on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in accordance with the purposes listed above.

13.3. Links to other websites
Our website contains hyperlinks to websites belonging to third parties, which we do not operate or monitor. We are not responsible for their content or data privacy practices.

13.4. Communication options
Our website provides various means of getting in touch with us. In addition to the channels listed below, this also includes e-mail, phone and post.

Regardless of the channel used, we will save and process your request, including all personal data provided, in order to handle the issue you raise. You are responsible for the content you transfer to us.

Within the scope of application of the GDPR, this data is processed either in order to initiate and fulfil a contract (Article 6 Paragraph 1 (b) of the GDPR) or on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in order to handle requests sent to us.

13.5. Google Inc.
13.5.1. General
Our website uses functions and services provided by Google Inc. Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services in Europe.

In addition to the details provided below, you will find more information about data privacy at Google in the Google data privacy statement: external pagehttps://policies.google.com/privacy.call_made

Within the scope of application of the GDPR, any personal data is processed on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in an appealing Internet presence and in extending our reach or on the basis of your consent (Article 6 Paragraph 1 (a) of the GDPR).

13.5.2. Services used by Google
Our website uses functions from the web analysis service external pageGoogle Analyticscall_made and external pageGoogle Tag Manager.call_made

We use Google Analytics 4 (GA4) to analyse data traffic on our website. GA4 evaluates usage data and relies to a great extent on artificial intelligence (AI). With GA4, IP addresses are made anonymous as standard. GA4 uses cookies, which allow us to analyse your website usage. The information about how you use this website that is generated by cookies may be transferred to Google servers in the USA and elsewhere, where it is saved. You can prevent Google from collecting the data (including your IP address) generated by the cookie and relating to your website usage as well as the processing of this data by Google by going to the following link and downloading and installing the browser plug-in provided there: external pagehttps://tools.google.com/dlpage/gaoptout?hl=en.call_made

We use the Google Tag Manager for the central integration and management of website tags. Website tags are code snippets of e.g. Google Analytics or Piano Analytics, which we can use to track and follow activities on our website. The Google Tag Manager allows us to efficiently and effectively manage website tags. You will find more information about the Google Tag Manager at: external pageGoogle Tag Manager.call_made

A search function is provided on our website. The queries are transferred to Google servers in a non-personalised form. We forward the search terms used in searches to Google. We also anonymously collect statistics of frequent search terms so they can be used to auto-complete user input. Search terms, which appear in the personal user history, are saved locally in the respective browser.

13.6. Piano Analytics
We use the "Piano Analytics" web analysis service provided by Applied Technologies Internet GmbH, Leonrodstrasse 52-58, 80636 Munich, Germany (AT Internet) and the Google Tag Manager (see previous Item 13.5) to process data, that you leave behind when you visit our website. Both tools are used for the specific statistical evaluation and analysis of usage data. This data may include your (anonymised) IP address, your geographical location, browser type and version, your operating system, the referral source, length of visit, pages accessed and how you navigate through our web pages as well as information about the timings, frequency and patterns relating to how you use our websites. Certain data is transferred directly to Piano Analytics, other data is first sent to the Google Tag Manager. Google Tag Manager does not store any usage data, but instead forwards this to Piano Analytics. In both cases, we make your IP address anonymous before processing so that it can no longer be used to reveal your identity.

ETH Zurich has complete control over tracking using Javascript within the ethz.ch domain. All data remains in the EU. You will find more information about data privacy at AT Internet on their website: external pagehttps://www.atinternet.com/en/data-protection/.call_made

Google provides information about data privacy at Google Services as well as the Google Tag Manager that we use here.

14. Processing personal data linked to use of our MyAlumni platform
14.1. General
ETH Alumni members have a user account on our MyAlumni platform. By signing up, users consent to their personal data being processed within the context described below.

Our MyAlumni platform is hosted by a Swiss hosting provider located in Switzerland.

14.2. Scope of processing of personal data
When the user account is created on the MyAlumni platform, the following personal data is saved:

When the user account is created, personal data is collected in accordance with Item 17 below on the MyAlumni platform. Furthermore, depending on their qualifications and/or place of residency, all members are automatically assigned to an affiliate organisation.

Subsequently, users are able to add the following personal data to their user accounts:

• maiden name
  
• nationality
• language
• profile picture
• membership of other affiliate organisations

Users can also change the following personal data:

• e-mail address(es)
• sex
• academic title
• first name
• commonly used first name
• surname
• home address (c/o, post box, 1st line of address, town/city, postcode, country)
• phone numbers
• business address (company, additional address information, post box, 1st line of address, town/city, postcode, country)
• preferred postal address

When using the MyAlumni platform, the following personal data is collected:

• time of logging in and out (date, time)
• IP address
• Internet service provider
• operating system and version of Internet browser
• direct messaging conversations between you and your contacts
• clicks on events (click behaviour)

The following personal data can be viewed by other registered members on the MyAlumni platform:

• surname and first name(s)
• affiliate organisations to which you belong
• profile picture
• user ID
• status, indicating that you are or were active on the MyAlumni platform (up to 2 hours after you have logged out)

Within the scope of application of the GDPR, your personal data is always processed on the MyAlumni platform on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in accordance with the purposes listed below.

The MyAlumni platform is operated and your personal data is thereby processed in order for us to pursue the purpose of the association, to promote networking between alumni and to maintain and boost a sense of belonging with the alma mater. This data is also processed to ensure that a connection is established smoothly, to ensure convenient use of the MyAlumni platform, to analyse system security and stability and for prevention and resolution in the event of unlawful use of the MyAlumni platform or our services.

15. Processing personal data linked to use of our ETH Alumni Knowledge Network
15.1. General
All members are invited to join the ETH Alumni Knowledge Network. We use a platform from Starmind AG, Mühlebachstrasse 169/164, 8008 Zurich, Switzerland, operated using artificial intelligence, for the knowledge network. By signing up, users consent to their personal data being processed within the context described below.

Our knowledge network is hosted by a Swiss hosting provider located in Switzerland.

15.2. Scope of processing of personal data
When the user account is created on the knowledge network, the following personal data is saved:

• surname and first name(s)
• e-mail address
• language
• profile picture
• job title
• employer
• settings in the platform (notifications)

When using the knowledge network, the following personal data is collected:

• questions, solutions and comments that you have created on Starmind
• attachments and online photos that you upload
• feedback, you provide to us or Starmind
• user behaviour (including search terms, usage times, click behaviour)
• device type used
• IP address
• Internet service provider
• operating system and version of Internet browser

The following personal data can be viewed by other registered members on the knowledge network:

• surname and first name(s)
• languageprofile picture
• job title
• employer
• solutions and comments that you have created on Starmind
• attachments and online photos that you upload

You will find more information about data privacy on the knowledge network on the Starmind page: external pagehttps://www.starmind.ai/privacy-policy#data-we-collect-about-youcall_madeexternal pagecall_made

16. Processing personal data linked to sending newsletters
16.1. General newsletter
All interested persons are able to sign up for our newsletter. We use “InxMail”, a newsletter distribution platform belonging to Inxmail GmbH, Wentzingerstr. 17, 79106 Freiburg, Germany.

When you sign up for our newsletter, an e-mail is sent to the e-mail address you provide. This contains a link. Click on this link to confirm that you want to sign up for the newsletter (double-opt-in). If you do not confirm that you wish to sign up within 1 day, your e-mail address will be deleted from the temporary list of people interested in our newsletter. If this happens, you will not be signed up.

When you sign up for the newsletter, we save your e-mail address and the time at which you sign up.

The newsletters have what is known as a “web beacon”, i.e. a pixel-sized file, which is accessed by InxMail servers when you open the newsletter. We can use this “web beacon” to detect how often and when an e-mail is opened. Using click tracking, we can also check which of the links in the e-mail are clicked on. The data collected is not personal, i.e. it cannot be traced back to individuals. The data is used to optimise newsletter distribution and to better adapt the content to the interests of the data subject. This data is held by us and InxMail.

You can deactivate the newsletter service at any time by clicking on the unsubscribe function provided at the bottom of every newsletter.

You can find details here: external pagehttps://www.inxmail.com/data-conditionscall_made and here: external pagehttps://www.inxmail.com/products/legally-compliant-processescall_made.

Within the scope of application of the GDPR, any personal data is processed on the basis of your consent (Article 6 Paragraph 1 (a) of the GDPR). You can withdraw your consent at any time.

16.2. Newsletter for ETH Alumni members
We periodically send a newsletter to active and former ETH Alumni members using their saved e-mail address. The newsletters contain information about association activities, activities of ETH Zurich and the ETH Foundation, career opportunities and offers from our partners for ETH Alumni members.

Recipients can deactivate the newsletter service at any time by clicking on the unsubscribe function at the bottom of every newsletter or via their user profile on the MyAlumni platform.

Newsletters are either sent out directly via the MyAlumni platform or using InxMail.

Within the scope of application of the GDPR, this data is processed either in order to initiate and fulfil a contract (Article 6 Paragraph 1 (b) of the GDPR) or on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in providing our association members with appropriate information.

17. Processing personal data between the ETH Alumni Association, ETH Zurich and the ETH Zurich Foundation
Once students have graduated from their course, provided that the data subjects have given their consent, ETH Zurich forwards the following personal data about the graduates to the ETH Alumni Association:

• title, surname and first name(s), commonly used first name
• sex
• date of birth
• shipping address (c/o, 1st line of address, town/city, postcode, country code)
• matriculation number
• alternative/parents’ address (1st line of address, town/city, postcode, country code)
• phone numbers (for shipping and alternative address as well as mobile number)
• e-mail address(es)
• academic title, department (including code), course, discipline, start date
• date of issue of graduate certificate
• flag as to whether graduate is still matriculated or not

The data subjects are contacted by the ETH Alumni Association within 30 days. All data subjects can ask for their data to be deleted from the alumni personal database. The ETH Alumni Association manages the data provided and subsequently makes it available to ETH Zurich again.

Further details of the provision of data are regulated in agreements between the two ETH institutions.

Within the framework of membership, in addition to the data stated above, the ETH Alumni Association may also process the following data:

• invoice and payment data (service and settlement dates)
• date of death
• languages
• profile picture
• groups to which the data subject belongs
• information relating to membership (contact, status, data privacy settings, publications/newsletters ordered)
• information about events (registrations, attendance)
• credentials (user name and password hash)
• past communication
• identifiers and log data
• comments

The ETH Alumni Association may share the above member data with the ETH Zurich Foundation too. The ETH Zurich Foundation only uses this data to fulfil the purpose of the foundation, namely to promote research and teaching at ETH, for example, by sending out mailings asking for donations by e-mail, post and other communication channels. Further details of the provision of data are regulated in agreements between the two ETH institutions.

The data processing described is undertaken in the spirit of the purpose of the foundation to promote networking amongst alumni and to maintain and boost a sense of belonging with the alma mater.

Within the scope of application of the GDPR, this data is processed either in order to initiate or fulfil a contract (Article 6 Paragraph 1 (b) of the GDPR) or on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in the spirit described above. Finally, data processing is also required to perform tasks in the public interest (Article 6 Paragraph 1 (e) of the GDPR).

18. Processing personal data from business partners and their employees
As part of our collaborations with our business partners, depending on the individual business case, we process the following data:

• contact information (first name, surname, title, position, function, address, phone number, e-mail address etc.)
• information about the company in question
• all information, which arises during the project in question or the underlying contractual relationship
• the information you make available to us
• payment data (service and settlement dates)
• personal data, which is collected from publicly available sources (e.g. social networks, websites, information offices etc.)

We process this personal data for the purpose of:

• making contact and communicating with our business partners
• pricing, planning, carrying out and managing the business relationship with our business partners
• complying with legal requirements and compliance specifications
• settling legal disputes, enforcing contractual claims as well as exercising and defending legal claims

Within the scope of application of the GDPR, this data is processed either in order to initiate and fulfil a contract (Article 6 Paragraph 1 (b) of the GDPR) or on the basis of our legitimate interest (Article 6 Paragraph 1 (f) of the GDPR) in order to handle requests sent to us.

19. Processing personal data from applicants
We receive applications by e-mail. We treat your data in the strictest of confidence. Your personal data is only forwarded to those people within our association who are tasked with processing your application.

We process the personal data provided to us as part of your application and that collected during the application process provided that this is necessary for us to reach a decision on whether to conclude and execute an employment contract. This includes:

• general information relating to your person (surname, first name, address, contact details, date of birth, marital status)
• information about your school, professional and personal qualifications
• information, which we have collected during the application process (e.g. as part of assessments)
• further information that you have shared with us in the context of your application.

We process this personal data for as long as we need to in order to reach a decision on your application. It will be deleted a maximum of six months after the end of the application process provided that it does not have to be or may be stored for longer by law or that you have not agreed to it being stored for a longer period.

Should the application process result in employment, your application documents will be carried over into your personnel file.