1.1 The personal data processing policy (hereinafter the “Policy”) has been developed in accordance with the currently valid legal provisions of the Federal Republic of Germany and the European Union.
1.2 This Policy establishes the procedure for personal data processing and security measures at Begin Education Marketing GmbH (hereinafter the “Operator”, “Company”) in order to protect human and civil rights and freedoms when processing personal data, including to protect rights to privacy, personal and family secrets.
1.3 The following basic terms are used in the Policy:
Automated personal data processing means personal data processing by means of computing equipment;
Blocking of personal data means suspension of personal data processing (except when processing is necessary to specify personal data);
Personal data information system means an aggregate of personal data kept in databases and information technologies and technical facilities providing for processing thereof;
Depersonalization of personal data means actions as a result of which a specific personal data owner cannot be determined without additional information;
Processing of personal data means any action (transaction) or an aggregate of actions (transactions) taken (carried out) with personal data with or without automated equipment, including collection, recording, systematization, accumulation, storage, specification (update, modification), extraction, use, transfer (distribution, provision, access), depersonalization, blocking, deletion, destruction of personal data;
Personal data means any information directly or indirectly related to a specific or designated individual (personal data owner);
Provision of personal data means actions aimed at disclosure of personal data to a specific person or group of persons;
Distribution of personal data means actions aimed at disclosure of personal data to the general public (transfer of personal data) or familiarization with personal data by the general public, including publication of personal data in mass media, information and telecommunication networks, or provision of access to personal data in any other manner;
Transborder transfer of personal data means transfer of personal data to the territory of another country to the foreign authority, individual or legal entity;
Destruction of personal data means actions as a result of which contents of personal data in the personal data information system cannot be recovered, and (or) as a result of which physical storage media with personal data are destroyed.
2.1 Personal Data Processing Principles
Personal data are processed by the Operator on the basis of the following principles:
a) legality and fairness;
b) restriction of personal data protection to achievement of specific, pre-set and legal purposes;
c) prevention of personal data protection incompatible with the purposes of personal data processing;
d) prevention of consolidation of databases containing personal data processed for the purposes incompatible with each other;
e) processing only the personal data conforming to the processing purposes;
f) conformity of contents and scope of processed personal data to the claimed processing purposes;
g) processing of personal data excessive with regard to the claimed processing purposes;
h) provision for accuracy, sufficiency and actuality of personal data with regard to the purposes of personal data protection;
i) destruction or depersonalization of personal data upon achievement of the processing purposes or loss of the need for achievement thereof, when the Operator is unable to remedy breaches related to personal data unless otherwise provided for by the laws of the Federal Republic of Germany and the European Union.
2.2 Personal Data Processing Conditions
The Operator processes personal data provided that there is at least one of the following conditions:
a) personal data are processed by consent of the personal data owner to processing of his/her personal data;
b) personal data need to be processed to achieve the purposes stipulated in the laws of the Federal Republic of Germany and the European Union, to discharge, exercise and fulfill functions, powers and obligations imposed on the Operator by the laws of the Federal Republic of Germany and the European Union;
c) personal data need to be processed to administer justice, enforce a judicial act, act of another authority or official to be enforced in accordance with the laws of the Federal Republic of Germany and the European Union on enforcement proceedings;
d) personal data need to be processed to perform the agreement a party to or beneficiary under which is the personal data owner, and to enter into an agreement at the initiative of the personal data owner, or the agreement under which the personal data owner will be a beneficiary or guarantor;
e) personal data need to be processed to exercise rights and legal interests of the Operator or third parties, or in order to achieve socially significant purposes, provided that rights and freedoms of the personal data owner are not breached in this case;
f) personal data access to which is granted to the general public by the personal data owner or by his/her request (hereinafter the “publicly available personal data”) are processed;
g) personal data subject to publication or mandatory disclosure pursuant to the laws of the Federal Republic of Germany and the European Union are processed.
2.3 Confidentiality of Personal Data
The Operator and other persons having access to personal data may not disclose to third parties or distribute personal data without consent of the personal data owner unless otherwise provided for by the laws of the Federal Republic of Germany and the European Union.
2.4 Publicly Available Sources of Personal Data
For the purposes of informational support, the Operator may establish generally accessible sources of personal data, including reference books and address directories. Publicly available sources of personal data may include, by the owner's consent, his/her full name, birth date and place, position, contact telephone numbers, e-mail address and other personal data disclosed by the personal data owner.
Data on the owner shall be removed from publicly available sources of personal data any time by request of their owner or by court judgment or by request of other competent government authorities.
2.5 Special Categories of Personal Data
Special categories of personal data related to race, ethnic origin, political views, religious and philosophical beliefs, health, intimacy may be processed by the Operator in case:
a) the personal data owner has granted written consent to processing of his/her personal data;
b) personal data have been made publicly available by the personal data owner;
c) personal data are processed in accordance with the laws on state social aid, labor laws of the Federal Republic of Germany and the European Union;
d) personal data processing is necessary to protect life, health or other vital interests of the personal data owner, or life, health or other vital interests of other persons, and consent of the personal data owner cannot be obtained;
e) personal data are processed for medical prevention purposes, in order to make a medical diagnosis, provide medical and medical social services provided that personal data is processed by the person carrying out medical activity and obliged to maintain patient confidentiality in accordance with the laws of the Federal Republic of Germany and the European Union;
f) personal data processing is necessary to establish and exercise rights of the personal data owner or third parties as well as in connection with administration of justice;
g) personal data are protected in accordance with the laws on mandatory types of insurance, insurance laws established in the Federal Republic of Germany and the European Union.
Processing of special categories of personal data shall be terminated immediately if the reasons for processing thereof have been remedied unless otherwise established by the laws of the Federal Republic of Germany and the European Union.
Personal data on criminal record may be processed by the Operator only in the cases and in accordance with the procedure that are established by the laws of the Federal Republic of Germany and the European Union.
2.6 Biometric Personal Data
Data characterizing physical and biological features of a person on the basis of which his/her identity may be established, i.e. biometric personal data, may be processed by the Operator only by written consent of their owner.
2.7 Delegation of Personal Data Processing to Another Person
The Operator may delegate personal data processing to another person by consent of the personal data owner unless otherwise provided for by the laws of the Federal Republic of Germany and the European Union, on the basis of the agreement executed with this person.
The person processing personal data under the Operator's instruction shall comply with the personal data processing principles and rules established by the laws of the Federal Republic of Germany and the European Union.
2.8 Transborder Transfer of Personal Data
The Operator shall ensure that another country where personal data are supposed to be transferred provides for adequate protection of rights of personal data owners before such transfer is commenced.
Transborder transfer of personal data to other states that do not provide for adequate protection of rights of personal data owners may be carried out in case of:
a) written consent of the personal data owner to transborder transfer of his/her personal data;
b) performance of the agreement to which the personal data owner is a party.
3.1 Consent of the Personal Data Owner to Processing His/Her Personal Data
A personal data owner takes a decision on provision of his/her personal data and grants consent to processing thereof at his/her free will and for his/her own benefit. Consent to personal data processing may be granted by the personal data owner or his/her representative in any form allowing to confirm that it has been granted unless otherwise prescribed by the laws of the Federal Republic of Germany and the European Union.
3.2 Rights of the Personal Data Owner
A personal data owner has the right to receive from the Operator information related to processing of his/her personal data unless this right is restricted by the laws of the Federal Republic of Germany and the European Union. A personal data owner may demand from the Operator to specify his/her personal data, block or destroy them in case his/her personal data are incomplete, obsolete, inaccurate, illegally obtained, or are not necessary for the claimed processing purpose, and may also take legal measures to protect his/her rights.
Personal data processing in order to promote commodities, works, services on the market by direct contacts with a potential consumer by communication means as well as for the purposes of election campaigns is allowed only by prior consent of the personal data owner. This personal data processing is deemed carried out without prior consent of the personal data processing unless the Company proves that consent has been obtained.
The Operator shall immediately cease to process personal data for the abovementioned purpose by request of the personal data owner.
Decisions entailing legal consequences with regard to the personal data owner or otherwise related to his/her rights and legal interests may not be accepted on the basis of automated personal data processing only, unless otherwise provided for by the laws of the Federal Republic of Germany and the European Union, or there is written consent of the personal data owner.
If a personal data owner supposes that the Operator processes his/her personal data in breach of the laws of the Federal Republic of Germany and the European Union or otherwise infringes on his/her rights and freedoms, the personal data owner may appeal from actions or omission of the Operator to the Designated Authority for Protection of Rights of Personal Data Owners or to court.
A personal data owner has the right to protection of his/her rights and legal interests, including to be compensated for losses and (or) moral damages judicially.
Security of personal data processed by the Operator is provided for by taking legal, organizational and technical measures in pursuance of the laws of the Federal Republic of Germany and the European Union on personal data protection.
In order to prevent unauthorized access to personal data, the Operator takes the following organizational and technical measures:
a) appointment of officials in charge of organization of personal data processing and protection;
b) restriction of the group of persons having access to personal data;
c) familiarization of owners with requirements of the laws of the Federal Republic of Germany and the European Union and regulations of the Operator to personal data processing and protection;
d) organization of accounting, storage and treatment of data media;
e) identification of personal data security threats in the course of processing thereof, formation of threat models on the basis thereof;
f) development of the personal data protection system on the basis of the threat model;
g) check of readiness and efficiency of use of information protection means;
h) control of user access to information resources and information processing software and hardware;
i) registration and accounting of actions of users of personal data information systems;
j) use of anti-virus and recovery tools of the personal data protection system;
k) where necessary, application of firewalling, intrusion detection, security analysis and cryptographic information protection tools;
l) organization of access control within the Operator's territory, security of premises containing technical personal data processing tools.
Other rights and obligations of the Operator as a personal data operator are established by the laws of the Federal Republic of Germany and the European Union on personal data.
The Operator's employees guilty of breach of the provisions governing personal data processing and protection are financially, disciplinarily, administratively, civilly and criminally liable in accordance with the laws of the Federal Republic of Germany and the European Union.
Begin Education Marketing GmbH
Breite Str. 9, 14199 Berlin
+49 (30) 3080-7313