Skip to main content
Data Protection

Privacy Policy

Last updated: February 2026

1. Data Controller

Health Innovation University of Applied Sciences Brebacher Weg 15, Haus 2 12683 Berlin, Germany Phone: +49 030259309220 Email: info@hi-university.de

2. Data Protection Officer

ISiCO GmbH Email: datenschutz@hi-university.de If you have any questions about how your personal data is processed or about data protection in general, please contact our Data Protection Officer.

3. Server Log Files

The hosting provider of this website automatically collects and stores information in so-called server log files, which your browser transmits to us. These include: • Browser type and version • Operating system used • Referrer URL • Hostname of the accessing computer • Time of the server request • IP address This data is strictly necessary to enable you to visit the website, to keep our systems functional and secure, and to carry out general administrative maintenance of our website. Connection data is also stored in internal log files for the purposes described above, limited in time and scope to what is strictly necessary, so we can identify the cause of and respond to repeated or malicious access attempts that jeopardise the stability and security of our website. The data is collected on the basis of Art. 6(1)(f) GDPR. We have a legitimate interest in the technically error-free presentation and security of our website.

4. Contact and Recall

If you send us inquiries by email, WhatsApp message or via the contact form, the details from your inquiry, including the contact data you provide there, will be stored by us for the purpose of processing the inquiry and any follow-up questions. Processing is based on your consent (Art. 6(1)(a) GDPR), on our legitimate interests (Art. 6(1)(f) GDPR), or on the performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR). Our legitimate interests are to receive and answer your inquiries and to simplify our application process.

4.1 Contact Form and Recall Scheduler

If you use our contact form or our recall scheduler, we use JotForm of JotForm Ltd., 25 Cabot Square, London E14 4QZ, United Kingdom. We then process the following data: • Core data: e.g. first name, surname • Contact data: e.g. email address, telephone number • Study data: e.g. interest in study courses • Communication data: e.g. date and time for recall, message • Device and connection data: e.g. HTTP header information, user agent, information about your device, operating system and browser The following cookies are stored on your device: • "userReferer" (1 month): stores the previous domain • "guest" (1 month): stores the applicant's identifier For the transfer to the United Kingdom, an adequacy decision applies.

4.2 WhatsApp

If you contact us via WhatsApp for student advisory service, in the application process or for other reasons, we use the telecommunications provider WhatsApp Ireland Limited, Merrion Road, Dublin 4, D04 X2K5, Ireland to handle the communication. Your messages are end-to-end encrypted and only visible to you and us. During our communication, we can see your phone number, your profile name, picture and info, depending on your WhatsApp settings. The controller of your data is WhatsApp Ireland Limited, both for the communication via messages and for the further processing of usage data, device data and location data. Where we extract information from our communication into our own databases, we become the controller of that data. More information about WhatsApp's data processing is available at: https://www.whatsapp.com/legal/privacy-policy-eea.

5. Applications

You can apply for university places via our application management system JotForm. The provider is JotForm Ltd., 25 Cabot Square, London E14 4QZ, United Kingdom. For the transfer to the United Kingdom, an adequacy decision applies. The purpose of collecting your data is to select candidates in the approval process. To receive and process your application, we process in particular the following personal data: • Core data: e.g. first name, surname, date of birth, address • Contact data: e.g. email address, telephone number • Study data: e.g. course of study • Application data: e.g. references, qualifications, CV, training, experience, approval application • Device and connection data: e.g. HTTP header information, user agent, information about your device, operating system and browser The legal basis for processing your application data is Art. 6(1)(e) GDPR in conjunction with § 6(1) no. 1 BerlHG. Where we have to fulfil legal duties, the legal basis is also Art. 6(1)(c) GDPR. The technical processing of device and connection data on the JotForm website is based on Art. 6(1)(f) GDPR. We have a legitimate interest in offering a modern application platform. We store your personal data once we receive your application. If we accept your application, we will store the application data for as long as is necessary for the purposes of your study and to the extent that legal provisions require us to retain it. More information about JotForm's data processing is available at: https://www.jotform.com/privacy/. The following cookies are stored on your device: • "userReferer" (1 month): stores the previous domain • "guest" (1 month): stores the applicant's identifier

6. Necessary Tools

The use of necessary tools is based on Art. 6(1)(b) GDPR (performance of a contract or preparations for concluding a contract) or Art. 6(1)(f) GDPR (legitimate interests). We have legitimate interests in ensuring a secure and stable website visit with content and information that loads correctly, in detecting and preventing misuse, and in fulfilling the legal requirements for consent management. Besides the tools mentioned below, the following cookie is stored on your device: • "NEXT_LOCALE" (1 year): determines the preferred visitor's language and stores the user's selected language.

6.1 CookieBot

This website uses the consent management platform (CMP) CookieBot to gather, manage and change consent decisions for optional website tools. The provider is Usercentrics A/S, Havnegade 39, 1058 Copenhagen, Denmark. The CMP generates a banner that informs you about data processing on our website and lets you consent to all, some or none of the data processing activities that use optional tools. Your decision is stored on your device. The banner appears on your first visit and when you revisit your settings to change them or withdraw your consent. It also appears on subsequent visits if you have disabled the storage of cookies or if the cookies have been deleted or expired. More information about CookieBot's data processing is available at: https://www.cookiebot.com/en/privacy-policy/. The following cookie is stored on your device: • "CookieConsent" (1 year): stores the user's consent decision.

6.2 ImageKit

This website uses ImageKit to deliver images and videos reliably, quickly and securely. The provider is ImageKit Private Limited, Block A, WeWork Eldeco Center, Shivalik Colony, Malviya Nagar, New Delhi 110017, India. When content is loaded, a connection is established with ImageKit's domains, so common connection data such as your IP address and HTTP header information are transferred to ImageKit in India and the USA. Where data is transferred to India, the transfer is governed by Standard Contractual Clauses. Where data is transferred to the USA, the transfer is governed by an adequacy decision, as ImageKit Inc., Christiana Corporate Business Center, 200 Continental Drive, Suite 401, Newark, DE 19713, USA is certified for the EU-US Data Privacy Framework. More information about ImageKit's data processing is available at: https://imagekit.io/privacy-policy-new/.

6.3 Google Tag Manager

This website uses Google Tag Manager. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager is used exclusively to manage website tools by integrating so-called website tags. A tag is an element embedded in the source code of our website to execute a tool, for example via scripts. Where these are optional tools, Google Tag Manager will only integrate them with your consent. Google Tag Manager uses JavaScript and generally does not require cookies. Google collects information about which tags are embedded on our website to ensure stability and functionality when using Google Tag Manager. Google Tag Manager does not store any personal data beyond what is required to establish a connection; in particular, it does not store data on usage behaviour or pages visited. Your data may be transferred to a Google server of Google LLC in the USA. Google LLC is certified for the EU-US Data Privacy Framework, so the transfer to the USA is governed by an adequacy decision. More information about Google's data processing is available at: https://business.safety.google/privacy/.

6.4 Google reCAPTCHA

Some of our forms use the security and bot detection tool reCAPTCHA. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. reCAPTCHA prevents automated software (known as bots) from carrying out malicious activities on the website; it checks whether the input is actually from a human user. To do this, reCAPTCHA uses JavaScript and stores cookies and information in your device's local storage. The following data in particular is processed: • Referrer URL (the address of the page from which the visitor came) • IP address • Cookies set by Google • Snapshot of the browser window • User input behaviour (e.g. answering the reCAPTCHA question, input speed in form fields, the order in which input fields are selected, number of mouse clicks) • Technical information: browser type, browser plug-ins, browser size and resolution, date, language setting, styling instructions (CSS) and scripts (JavaScript) Google also reads cookies from other Google services such as Gmail, Search and Analytics. If you do not want this data linked to your Google account, you must log out of Google before visiting a page on which we have integrated reCAPTCHA. The data is sent to Google in encrypted form. Google's analysis determines the format in which the captcha is displayed on the page. The use of reCAPTCHA is statistically analysed in an aggregated, anonymised form. According to Google, your data is not used for personalised advertising or any other purpose except for security, threat detection and prevention. Your data may be transferred to a Google server of Google LLC in the USA. Google LLC is certified for the EU-US Data Privacy Framework, so the transfer is governed by an adequacy decision. More information about Google's data processing is available at: https://business.safety.google/privacy/. The following cookie is stored on your device: • "_GRECAPTCHA" (180 days): protection against bots and malicious traffic. The following local storage elements are stored on your device: • "_grecaptcha": protection against bots and malicious traffic • "rc::a": protection against bots and malicious traffic • "rc::f": protection against bots and malicious traffic • "rc::b" (session): protection against bots and malicious traffic • "rc::c" (session): protection against bots and malicious traffic More information about these stored items is available in our CMP.

7. Optional Tools

The use of optional tools is based on Art. 6(1)(a) GDPR (consent). You can withdraw your consent at any time in our consent management platform (CMP), which you can open by clicking the clip icon in the bottom-left corner.

7.1 Google Analytics

This website uses functions of the web analytics service Google Analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Analytics uses JavaScript and pixels to collect information from your device, and so-called "cookies" to store information on your device. This is used to analyse your usage behaviour, create user profiles, recognise you on later visits and improve our website. We use the information to evaluate your use of the website and to compile reports on website activity for the website operators. The information about your use of this website is usually transferred to a Google server of Google LLC in the USA and stored there. Google LLC is certified for the EU-US Data Privacy Framework, so the transfer is governed by an adequacy decision. IP anonymization is activated on this website. As part of the evaluation, Google Analytics also uses artificial intelligence such as machine learning for the automated analysis and enrichment of the data. Data analysis is carried out automatically using artificial intelligence or on the basis of specific, individually defined criteria. Your user logs generated during your visit are stored for a maximum of 14 months. More information about Google's data processing is available at: https://business.safety.google/privacy/. The following cookies are stored on your device: • "_ga" (2 years): recognises and differentiates visitors via a user ID to track visitor behaviour and device information • "_ga_MVLRY3F5KV" (2 years): maintains the tracking information of the current session More information about these stored items is available in our CMP.

7.2 Google Ads

This website uses Google Ads provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. In Google Ads, customer actions defined by us (such as clicking on advertisements, page views, downloads) are recorded and analysed using "Google Ads Conversion Tracking". We use "Google Ads Remarketing" to display personalised advertising messages for our products on Google's partner websites. Both services use cookies, JavaScript, pixels and other technologies for this purpose. The data collected is used to create user profiles and match them to advertising target groups. Google also processes the data to improve and further develop its own products and services, for aggregated statistical analysis of conversions, and to improve the quality and accuracy of conversions. The information about your use of this website is usually transferred to a Google server of Google LLC in the USA and stored there. Google LLC is certified for the EU-US Data Privacy Framework, so the transfer is governed by an adequacy decision. If you use a Google account, Google may, depending on the settings in your Google account, link your web and app browsing history to your Google account and use information from your Google account to personalise advertisements. If you do not want this information linked to your Google account, you must log out of Google before visiting our website. If you have not consented to the use of Google Ads, Google will only display general advertising that has not been selected on the basis of information collected about you on this website. In addition to withdrawing your consent, you also have the option to disable personalised ads in Google's advertising settings: https://myadcenter.google.com/. More information about Google's data processing is available at: https://business.safety.google/privacy/. The following cookies are stored on your device: • "_gcl_au" (90 days): conversion tracking of ads, measuring the effectiveness of advertising campaigns, storing ad clicks • "test_cookie" (15 minutes): testing the possibility to store cookies • "IDE" (390 days): recognises and differentiates visitors via a user ID, records interaction with advertising, displays personalised advertising The following local storage elements are stored on your device: • "_gcl_ls": stores time stamps for conversion tracking of clicks on ads to optimise the relevance of advertising More information about these stored items is available in our CMP.

7.3 YouTube

This website uses embedded YouTube videos provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. YouTube may store information such as local storage and session storage on your device, and may execute JavaScript that accesses information on your device. We have enabled YouTube's enhanced privacy mode. According to YouTube's own documentation, this means that Google receives less usage data and does not personalise video recommendations or advertisements. Cookies are no longer stored. However, information is still stored in your device's local storage and session storage, in particular information relating to video settings and playback, which can be accessed by Google. When you visit our website, Google receives information indicating that you have accessed the relevant page on our website. This happens regardless of whether you are logged in to YouTube. Google also uses this data for advertising, market research and to tailor their services to your needs. If you access YouTube on our website while logged into your YouTube or Google profile, Google may also link this event to your respective profiles. If you do not want this to happen, you must log out of Google before visiting our website. The information about your use of this website is usually transferred to a Google server of Google LLC in the USA and stored there. Google LLC is certified for the EU-US Data Privacy Framework, so the transfer is governed by an adequacy decision. More information about Google's data processing is available at: https://business.safety.google/privacy/. The following local storage elements are stored on your device: • "yt-icons-last-purged": stores the time of the last icon refresh • "ytidb::LAST_RESULT_ENTRY_KEY": saves the last video searched for • "yt-player-user-settings": saves player settings • "yt-player-volume": saves the volume of the video • "yt-player-bandwidth": saves the bandwidth of the connection • "yt-player-caption-sticky-language": saves subtitle settings • "yt-html5-player-modules::subtitlesModuleData::module-enabled": saves whether subtitles are activated • "yt-player-quality": saves the resolution / quality of the video • "yt-player-performance-cap": stores a possible cap on the resolution due to the bandwidth of the connection • "yt-player-performance-cap-active-set": stores a possible cap on the resolution due to the bandwidth of the connection • "yt-maw-player::recent-custom-speed": saves the playback speed The following session storage elements are stored on your device: • "yt-player-caption-language-preferences": saves the language of the subtitles • "yt-player-volume": saves the volume of the video More information about these stored items is available in our CMP.

8. Newsletter, information material and events

You can request information material and you can sign up for online information events about our university and study courses. We use your email address to send you the requested material, to perform your registration, and to send you ongoing emails with similar information about our university, study courses, further events and news, as well as related reminders. You can opt out of these emails and notifications at any time. Your interaction (opening and clicks on links) with the newsletter is recorded and analysed on an aggregated level. We use the following service providers: • MailerLite Limited, Ground Floor, 71 Lower Baggot Street, Dublin 2, D02 P593, Ireland (subscribepage.io, *.mlcdn.com, *.mailerlite.com) • Google reCAPTCHA (see above) Data processing is based on your consent (Art. 6(1)(a) GDPR). You can withdraw this consent at any time by unsubscribing from our mailing list. The following cookies and local storage elements are stored on your device: • "mailerlite_session_id" (7 days): stores the session ID • "ml_guid": stores the user ID More information about these stored items is available in our CMP.

9. Study portals

We use different portals and platforms during your studies, where your personal data is processed for purposes such as course management, internal communication, eLearning and other university-related purposes. The legal basis for this processing is Art. 6(1)(e) GDPR in conjunction with § 6(1) no. 1, 2 BerlHG, to perform your studies and for university organisation. The technical processing of device and connection data on the respective platform is based on Art. 6(1)(f) GDPR. We have a legitimate interest in offering modern digital platforms and services.

9.1 Campus Portal (Simovative)

For the management of student and staff data, we use the campus management system from Simovative GmbH, Landsberger Straße 110, 80339 Munich, Germany. Personal data such as name, address, grades, ECTS points, certificate of study, performance overview, completed modules and course schedules are stored in this system.

9.2 Moodle

For studies, course management, communication and eLearning, we use the open-source platform Moodle. The following data may be processed during your usage of Moodle: • Account data: e.g. login name, password, date and time of registration • Core data: e.g. first name, surname • Contact data: e.g. email address • Profile data: e.g. city, country • Study data: e.g. courses, role • Content and communication data: e.g. uploaded documents, forum posts, comments, messages • Device and connection data: e.g. HTTP header information, user agent, information about your device, operating system and browser You can add, change or delete information in your Moodle profile, and you can delete your account completely at any time. The following cookies are stored on your device: • "MoodleSession" (session): stores a session ID and keeps the login • "MoodleID": stores the user ID / name and recognises the user • "EU_COOKIE_LAW_CONSENT" (1 month): stores the consent decision The following local storage elements are stored on your device: • "1266510711/core_iconsystem/*": stores icon information • "1266510711/core_str/*": stores text fields and button wording • "1266510711/core_template/*": stores HTML code and CSS style • "1266510711/media_videojs/*": stores media text fields wording • "1266510711/sUserLogintime": stores the login time More information about these stored items is available in our CMP.

9.3 Intranet

The following cookie is stored on your device: • "PHPSESSID" (session): keeps the session and login status.

10. Social Media

We maintain online presences on social media platforms in order, among other things, to communicate with interested persons and students and to provide information about our university and university places.

10.1 Processing for advertising purposes

Users' data is generally processed by the relevant social media platforms for market research and advertising purposes. This enables user profiles to be created based on users' interests. For this purpose, cookies and other identifiers are stored on the data subjects' devices. Based on these user profiles, advertisements are then displayed within the social media platforms and on third-party websites. Please refer to the privacy policy of the respective social media platform for the legal basis of the data processing carried out by the social media provider on their own responsibility. You can also find further information on the respective data processing activities and the options for objecting via the links below.

10.2 Processing for statistical purposes

As part of operating our online presences, we may have access to information such as statistics on the use of our online presences, which are provided by the social media platforms. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) as well as data on interaction with our online presence (e.g. likes, subscriptions, shares, viewing of images and videos) and the posts and content shared via these platforms. This may also provide insight into users' interests and which content and topics are particularly relevant to them. We may use this information to adapt the design, activities and content of our online presence and to optimise it for our audience. Please refer to the list below for details and links to the data from social media platforms that we, as operators of the online presence, can access. The collection and use of these statistics are generally subject to joint responsibility. Where this applies, the relevant agreement is listed below. The legal basis for data processing is Art. 6(1)(f) GDPR, based on our legitimate interest in providing effective information and communication to users, or Art. 6(1)(b) GDPR, to stay in touch with our students and keep them informed, as well as to carry out pre-contractual measures with interested persons.

10.3 Access to publicly available information

If you have an account on a social media platform, we may be able to view information you have made publicly available (e.g. your username) and media (e.g. images and videos) when we visit your profile. The social media platform may also allow us to contact you, for example via direct messages or via posted content. The content of communications via the social media platforms and the processing of content data are the responsibility of the social media platform as a messaging and platform service. For this processing, please refer to the privacy policy of the respective social media platform.

10.4 Processing of publicly available information

Once we transfer personal data from you into our own systems or process it further, we are responsible for it. Processing then takes place for the purpose of implementing pre-contractual measures and fulfilling a contract in accordance with Art. 6(1)(b) GDPR, or to follow our legitimate interests in accordance with Art. 6(1)(f) GDPR, in order to contact interested persons or students.

10.5 Privacy rights

Please note that data protection enquiries are most effectively addressed to the relevant social media provider, as only these providers have access to the data and can take appropriate action directly. You are, of course, also welcome to contact us with your enquiry. In that case, we will process your enquiry and forward it to the social media provider.

10.6 Social media platforms used

Below is a list of the social media platforms on which we maintain online presences: • Facebook and Instagram (Meta Platforms Ireland Ltd., Merrion Road, Dublin 4, D04 X2K5, Ireland). Joint controller agreement: https://www.facebook.com/legal/terms/page_controller_addendum. Statistics information and contact: https://www.facebook.com/legal/terms/information_about_page_insights_data. Privacy notice: https://www.facebook.com/privacy/policy/ and https://privacycenter.instagram.com/policy/. Opt-out information: https://accountscenter.facebook.com/ and https://de-de.facebook.com/help/instagram/2885653514995517. • YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland). Privacy notice: https://policies.google.com/privacy. Opt-out information: https://myadcenter.google.com/. • LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland). Joint controller agreement, statistics information and contact: https://www.linkedin.com/legal/l/page-joint-controller-addendum. Privacy notice: https://www.linkedin.com/legal/privacy-policy. Opt-out information: https://www.linkedin.com/mypreferences/g/guest-retargeting-opt-out.

11. Data recipients

We will only disclose the data we have collected if there is a legal basis under data protection law for doing so in the specific case, in particular if: • you have given your explicit consent in accordance with Art. 6(1)(a) GDPR • the disclosure is necessary pursuant to Art. 6(1)(f) GDPR to follow our interests or to establish, exercise or defend legal claims, and there is no reason to assume that you have an overriding legitimate interest in preventing the disclosure of your data • we are legally obliged to disclose the data pursuant to Art. 6(1)(c) GDPR, in particular where this is necessary for the purposes of legal proceedings or enforcement due to binding requirements (e.g. in the context of a tax audit by the tax authorities), official enquiries, court orders and legal proceedings • this is permitted by law and is necessary, pursuant to Art. 6(1)(b) GDPR, for the performance of contractual relationships with you or for the implementation of pre-contractual measures taken at your request • the transfer is allowed in accordance with Art. 6(1)(e) GDPR in conjunction with § 6a BerlHG Some data processing may be carried out by our service providers. In addition to the service providers mentioned in this privacy policy, these may include, in particular: • Data centres that host our website and databases • Software providers • IT service providers who maintain our systems • Agencies • Consultancy firms Where we transfer data to our service providers, they may use the data solely for the purpose of fulfilling their tasks. We have carefully selected and commissioned these service providers. They are contractually bound by our instructions, have appropriate technical and organisational measures in place to protect the rights of data subjects, and are regularly monitored by us. Agreements are always concluded with external consultants and auditors to ensure the confidentiality of the data. In addition, we may transfer your personal data to other recipients who process your personal data under their own responsibility. These may include, in particular: • Postal service providers • Banks and payment service providers • Tax advisers, solicitors or auditors • Credit reference agencies • Public bodies such as government departments and courts

12. Transfer to third countries

Where necessary, we may use services provided by companies that are based in so-called third countries (outside the European Union or the European Economic Area) or that transfer personal data to such countries, that is, countries whose data protection standards do not match those of the European Union. Where an adequacy decision by the European Commission (Art. 45 GDPR) exists for these countries, we base the data transfer on this. This applies, for example, to transfers to Argentina, Israel, Japan, Canada, the Republic of Korea, New Zealand, Switzerland, Uruguay or the United Kingdom. In the case of the USA, this applies only insofar as the US recipient has been certified under the EU-US Data Privacy Framework. Where no adequacy decision has been issued for the relevant country, we have taken appropriate measures to ensure an adequate level of data protection for any data transfers. These include the European Union's Standard Contractual Clauses or binding internal data protection policies (Art. 46 GDPR). Where this is not possible, we base the data transfer on the exceptions set out in Art. 49 GDPR, in particular your explicit consent or the necessity of the transfer for the performance of a contract or for the implementation of pre-contractual measures. Where a transfer to a third country is envisaged and no adequacy decision or suitable safeguards are in place, it is possible and there is a risk that authorities in the relevant third country (e.g. intelligence services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. Where we gather your explicit consent, you will also be informed of this.

13. Your Rights under the GDPR

You have the following rights with regard to your personal data:

  • Right of access (Art. 15 GDPR)
  • Right to rectification (Art. 16 GDPR)
  • Right to erasure (Art. 17 GDPR)
  • Right to restriction of processing (Art. 18 GDPR)
  • Right to data portability (Art. 20 GDPR)
  • Right to object to processing (Art. 21 GDPR) at any time on grounds of your particular situation, or in case of processing for direct marketing
  • Right to withdraw consent (Art. 7(3) GDPR) at any time with effect for the future
  • Right to lodge a complaint with a supervisory authority (Art. 77 GDPR)

Exercising your rights

To exercise the rights of Art. 7(3) and Art. 15 to 21 GDPR described here, you can contact us at any time using the contact details provided above. This also applies if you wish to receive copies of guarantees demonstrating an adequate level of data protection. Provided the relevant legal requirements are met, we will comply with your data protection request. You can also exercise your right under Art. 77 GDPR by contacting a supervisory authority in the Member State where you live, where you work, or where the alleged infringement took place. Your requests to exercise data protection rights and our responses to them are retained for documentation purposes for a period of up to three years and, in individual cases where there is a valid reason to assert, exercise or defend legal claims, for a longer period. The legal basis is Art. 6(1)(f) GDPR, based on our interest in defending against any civil claims under Art. 82 GDPR, avoiding administrative fines under Art. 83 GDPR, and fulfilling our accountability obligations under Art. 5(2) GDPR.

14. Data Storage and Deletion

Personal data is only stored for as long as is necessary for the respective processing purpose (see § 6a(8) BerlHG). Once the purpose ceases to apply, the data will be deleted, unless we need the data or have to store it for the purposes of providing evidence in civil proceedings (e.g. three years), due to statutory retention obligations (e.g. up to ten years), or if there is another legal basis under data protection law for the continued processing of your data in a specific individual case. If you have questions about the storage duration of specific data, please contact our Data Protection Officer.

15. Duty to provide data

There is generally no obligation to provide your data. Where the provision of your data is necessary for the conclusion of a contract, for submitting requests, or for contacting us (such as the application form), the relevant input fields are marked as mandatory (usually with an asterisk *). In such cases, without the provision of this data, a contract cannot be concluded, the request cannot be submitted, or the contact cannot be established. Other information not marked as mandatory is voluntary. The provision of such data is not required for the conclusion of a contract, the submitting of a request, or for contacting us, and has no influence on the performance of the contract.

16. Automated decision-making

No automated decision-making, including profiling as defined in Art. 22 GDPR, takes place that produces legal effects or similarly significantly affects you.

17. Changes to this privacy notice

We occasionally update this privacy policy, for example when we make changes to our website or when legal or regulatory requirements change.