Privacy Policy of Begin Education Marketing GmbH
Effective Date: 21 February 2018
Last Updated: 10 December 2024
1. General Provisions
1.1 This Privacy Policy (hereinafter, the "Policy") has been developed in compliance with the General Data Protection Regulation (GDPR) of the European Union, the Federal Data Protection Act (BDSG) of Germany, and other applicable data protection laws.
1.2 The purpose of this Policy is to define how Begin Education Marketing GmbH (hereinafter, the “Operator” or the “Company”) processes and protects personal data, ensuring the fundamental rights and freedoms of individuals, particularly the right to privacy.
1.3 Key terms used in this Policy align with definitions in GDPR, including:
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data, including collection, recording, storage, and destruction.
- Data Subject: The individual whose personal data is processed.
- Controller: The entity determining the purposes and means of processing personal data (the Operator in this case).
2. Principles of Personal Data Processing
2.1 Lawfulness, Fairness, and Transparency
Personal data is processed lawfully, fairly, and in a transparent manner in relation to the data subject.
2.2 Purpose Limitation
Data is collected for specified, explicit, and legitimate purposes and not processed further in a manner incompatible with those purposes.
2.3 Data Minimisation
Data processed is adequate, relevant, and limited to what is necessary for the purposes of processing.
2.4 Accuracy
Efforts are made to ensure that personal data is accurate and kept up to date. Inaccurate data is rectified or deleted without delay.
2.5 Storage Limitation
Data is retained only for as long as necessary to fulfil the purposes for which it was collected unless otherwise required by law.
2.6 Integrity and Confidentiality
Appropriate technical and organisational measures are implemented to ensure the security of personal data, including protection against unauthorised access or processing.
2.7 Accountability
The Operator takes responsibility for ensuring compliance with these principles and can demonstrate such compliance when required.
3. Legal Basis for Processing Personal Data
3.1 The Company processes personal data under one or more of the following lawful bases, as defined by GDPR (Article 6):
- Consent given by the data subject (Article 6(1)(a)).
- Necessity for the performance of a contract or to take steps prior to entering a contract (Article 6(1)(b)).
- Compliance with a legal obligation (Article 6(1)(c)).
- Legitimate interests pursued by the Company or a third party, provided they do not override the interests or fundamental rights of the data subject (Article 6(1)(f)).
3.2 Special categories of personal data (such as health data, biometric data, or data revealing racial or ethnic origin, political opinions, or religious beliefs) are not collected or processed by the Company, unless:
- Explicit consent has been obtained from the data subject (Article 9(2)(a)).
- Processing is necessary for compliance with legal obligations in the fields of employment, social security, or public health (Article 9(2)(b), (g), (h)).
3.3 Where the processing relies on consent as the legal basis, the Company ensures that:
- Consent is obtained in a clear and unambiguous manner.
- The data subject is fully informed about the purpose of the processing and their rights, including the right to withdraw consent at any time.
3.4 The Company does not engage in automated decision-making or profiling that produces legal effects or similarly significant impacts on the data subject, except where explicitly permitted by GDPR (Article 22).
4. Data Subject Rights
Data subjects have the following rights under GDPR:
- 4.1 Right to Access (Article 15): Individuals can request confirmation of whether their personal data is being processed and access to that data.
- 4.2 Right to Rectification (Article 16): Individuals can request correction of inaccurate or incomplete personal data.
- 4.3 Right to Erasure ("Right to Be Forgotten") (Article 17): Individuals can request deletion of their data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected.
- 4.4 Right to Restriction of Processing (Article 18): Individuals can request a temporary suspension of processing in specific cases.
- 4.5 Right to Data Portability (Article 20): Individuals can request a copy of their data in a structured, commonly used, and machine-readable format for transfer to another controller.
- 4.6 Right to Object (Article 21): Individuals can object to data processing based on legitimate interests, public interest, or direct marketing.
- 4.7 Rights Related to Automated Decision-Making (Article 22): Individuals can request human intervention and challenge decisions made solely by automated processing.
- 4.8 Right to Withdraw Consent (Article 7(3)): Consent can be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.
- 4.9 Right to Lodge a Complaint (Article 77): Individuals can lodge complaints with a supervisory authority, such as the Federal Commissioner for Data Protection and Freedom of Information (BfDI) in Germany.
5. Data Security and Breach Notification
5.1 The Company implements organisational and technical measures to safeguard personal data, including:
- Access control and encryption.
- Regular audits and vulnerability assessments.
- Use of firewalls, antivirus software, and intrusion detection systems.
5.2 In the event of a personal data breach, the Company will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (Article 33 GDPR).
- Inform affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms (Article 34 GDPR).
6. Consent Management
6.1 Consent is obtained in a clear and transparent manner. Data subjects are informed of:
- The specific purposes for processing.
- Their right to withdraw consent at any time.
6.2 Records of consent are maintained to demonstrate compliance with GDPR.
7. International Data Transfers
7.1 Personal data is transferred outside the European Economic Area (EEA) only if adequate safeguards are in place, such as:
- EU-approved Standard Contractual Clauses (SCCs).
- Binding Corporate Rules (BCRs).
- Adequacy decisions by the European Commission.
7.2 Data subjects are informed of the transfer, its risks, and the safeguards in place.
8. Contact and Complaints
Begin Education Marketing GmbH
Address: Breite Str. 9, 14199 Berlin
Phone: +49 (30) 3080-7313
Email: info@begingroup.com
Supervisory Authority
Federal Commissioner for Data Protection and Freedom of Information (BfDI)
Address: Graurheindorfer Straße 153, 53117 Bonn, Germany
Phone: +49 (0)228 997799-0
Fax: +49 (0)228 997799-5550
Email: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de
© 2024 Begin Education Marketing GmbH. All rights reserved.