XPLORE Data Privacy

Privacy policy

Learning Management System XPLORE

(hereinafter LMS XPLORE)

The LMS XPLORE is a learning management system and part of the learning infrastructure of UnternehmerTUM GmbH. It is based on the software of cirqus UG (haftungsbeschränkt), Schopenhauerstraße 6, 85579 Neubiberg.

By using the LMS XPLORE, personal data about the users is stored. Pursuant to Art. 13 of the EU General Data Protection Regulation (hereinafter GDPR), we are obliged to explain what types of personal data are processed for what purpose, on what legal basis this is done, who has access to the data and what rights the users have with regard to the processing of the data.

1. Definitions

This data protection declaration is based on the terms defined below:

• personal data: Personal data means any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

• Data subject: The data subject is any identified or identifiable natural person whose personal data are processed by the controller.

• Processing: Processing means any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

• Restriction of processing: Restriction of processing is the marking of stored personal data with the aim of limiting their future processing.

• Controller: the controller is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its designation may be provided for under Union or Member State law.

• Processor: A processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

• Recipient: a recipient is a natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not a third party. However, public authorities that may receive personal data in the context of a specific investigation task under Union or Member State law shall not be considered as recipients.

• Third party: a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct responsibility of the controller or the processor, are authorised to process the personal data.

• Consent: Consent means any freely given specific and informed indication of the wishes of the data subject, in the form of a statement or other unambiguous affirmative act, by which the data subject signifies his or her agreement to personal data relating to him or her being processed.

2. Responsible

The person responsible is the:

UnternehmerTUM GmbH
Lichtenbergerstr. 6
85748 Garching b. Munich
Germany

Tel.: 089-18 94 69-0
E-Mail: [email protected]
Website: www.unternehmertum.de

3. Data Protection Officer

The data protection officer of the controller is:

Alexander Stolberg-Stolberg
SVF Attorneys at Law
Oberanger 30
80331 Munich
Germany

Tel.: 089 210 25 120
Email: [email protected]
Website: www.svf-law.de

Any data subject may contact our data protection officer directly at any time with any questions or suggestions regarding data protection.

4. Categories of data

In the LMS XPLORE, the categories of personal data of users specified below are processed.

(1) Stock data

In the user profile of the LMS XPLORE the name of the person as well as his e-mail address are stored.

(2) Course data

The LMS XPLORE stores for which courses and with which role users are authorized. Users gain access to a course by joining it on their own or by getting added to it by an instructor. These data on authorizations and roles are necessary for the functioning of the system.

(3) Usage data

Usage data is generated by the activities of users in the system. Which actions they can perform depends on their roles. For each action within the LMS XPLORE, the system automatically logs the following data:

• Name
• E-mail address of the user
• IP address of the calling device
• Date and time of the action
• Source of the call
• Action (incl. description)
• Invoked Content.

(4) Content data

Content data is also created by the users themselves and depending on their role. The following content categories can be created in the process: PLEASE ADD

5. Purpose of the data processing

(1) The processing of personal data in the LMS XPLORE is carried out in accordance with Art. 5, Para. 1, lit. b and c DSVGO for a specific purpose and under the condition of data minimization. Inventory, course, usage and content data are processed for the purpose of providing, organizing and implementing teaching content.

(2) The usage data is also used for the purpose of administration and maintenance of the system, technical controlling, troubleshooting of technical problems or clarification of security incidents.

6. Duration of storage

(1) Art. 5, para. 1, lit. e DSVGO stipulates that a storage period linked to the fulfilment of the respective purpose must be specified for the personal data processed, after which the data must be deleted.

(2) The controller shall therefore process and store personal data of the data subject only for the time necessary to achieve the purpose of the storage or where provided for by the European Directive and Regulation or other legislator in laws or regulations to which the controller is subject.

(3) If the purpose of the storage no longer applies or if a storage period prescribed by the European Directive and Regulation or another competent legislator expires, the personal data will be routinely blocked or deleted in accordance with the statutory provisions.

7. Data transfer

Personal data will not be disclosed to third parties or used for purposes other than those specified here, subject to legal provisions. A transfer of the personal data specified above from the LMS XPLORE to third countries is not intended.

8. Zoom

Individual learning contents are carried out using the online video tool ZOOM. “Zoom” is a service provided by a provider from the USA. A processing of personal data therefore also takes place in a third country. We have concluded an order processing agreement with the provider of “Zoom” that meets the requirements of Art. 28 GDPR.

An appropriate level of data protection is guaranteed on the one hand by the conclusion of the so-called EU standard contractual clauses. As a supplementary protective measure, we have also configured our Zoom so that only data centres in the EU, the EEA or secure third countries such as Canada or Japan are used to conduct “online meetings”.

As far as you access the website of “Zoom”, the provider of “Zoom” is responsible for the data processing.

If we record individual contents of the XPLORE Session in order to make them available to participants for later retrieval, we will transparently inform you of this in advance and - if necessary - ask for your consent.

However, calling up the website is only necessary to download the software for using “Zoom”. You can find further information here: https://zoom.us/privacy

9. Your rights

Every data subject has the right to

• to information according to Article 15 GDPR
• the right of rectification under Article 16 of the GDPR
• the right to erasure in accordance with Article 17 GDPR
• the right to restriction of processing pursuant to Article 18 of the GDPR
• the right to object under Article 21 of the GDPR, and
• the right to data portability from Article 20 GDPR.

The restrictions according to §§ 34 and 35 BDSG apply to the right of information and the right of deletion. In addition, there is a right of appeal to a competent data protection supervisory authority (Article 77 GDPR in conjunction with & 19 BDSG).

You can revoke your consent to the processing of personal data at any time. Please note that the revocation is only effective for the future. Processing that took place before the revocation is not affected by this.

10. Legal basis

11. a) 6 I lit. a GDPR serves as our legal basis for processing operations in which we obtain consent for a specific processing purpose.

12. b) If the processing of personal data is necessary for the performance of a contract to which the data subject is a party, the processing is based on Art. 6 I lit. b GDPR. The same applies to such processing operations that are necessary for the implementation of pre-contractual measures, for example in cases of inquiries about our products or services.

13. c) If our company is subject to a legal obligation through which the processing of personal data becomes necessary, such as for the fulfilment of tax obligations, the processing is based on Art. 6 I lit. c GDPR.

14. e) Individual processing operations may be based on Art. 6 I lit. f GDPR if none of the aforementioned legal bases apply and the processing is necessary to safeguard a legitimate interest, provided that the interests, fundamental rights and freedoms of the data subject are not overridden.

11. Amendment of this data protection notice

We revise this data protection notice in the event of changes to data processing or other occasions that make this necessary. You will always find the current version on this website.