Privacy Policy

Approach to Data Protection

We place great importance on ensuring the security of your data both in our systems and in the way our staff handle this private information every day. The topic is governed by group policies on IT infrastructure, business continuity, and information security, including data security. These policies are aligned with the EU and German regulations and with industry best practices. Consequently, we apply high standards both in terms of staff professionalism and in terms of IT system integrity in order to protect data. Dealing with personal and confidential information is a central part of the ProCredit Code of Conduct and regular training is provided to all our staff on data security and privacy-related risks and procedures.

ProCredit Academy GmbH implement the requirements required for personal data protection set forth in the European General Data Protection Regulation (“GDPR”). Following, we inform you about the data processing on this website.

1. Controller of Data Processing and Contact Person

The contact person and so-called controller for the processing of your personal data when you visit this website within the meaning of the GDPR is:

ProCredit Academy GmbH,
Hammelbacher Strasse 2,
64658 Fürth-Weschnitz,
Federal Republic of Germany

Tel.: +49 (0) 625320080
Email: pca.info@procredit-group.com

2. Data Protection Officer

If you have any questions about data protection in connection with the use of our website, you can also contact our data protection officer at any time. They can be contacted at the above-mentioned postal address and e-mail address (keyword: ‘Attn. data protection officer’). We would like to expressly point out that if you use this email address, the content will not be viewed exclusively by our data protection officer. If you wish to exchange confidential information, please contact us first via this email address to ask for direct communication.

3. Purposes and Legal Basis of Data Processing

We process your data for the following purposes and legal basis:

• Provision and maintaining of our website and its functionality, including the storage of server logfiles for ensuring IT security (Art. 6 (1)(b) and (f) GPDR),
• Provision of videos, podcasts and other media content on our website (Art. 6 (1)(f) GDPR),
• Offering the contact form and answering email, phone and other requests from website visitors (Art. 6 (1)(b) and (f) GDPR),
• Offering an application form and processing of job applications for selection and decision on recruitment (Art. 6 (1)(b) GDPR),
• Provision of a consent management platform and documentation of given consent, including usage of cookies (“cookieyes-consent” for 1 year) (Art. 6 (1)(f) GDPR, § 25 (2) No. 2 TDDDG),
• Tracking of user behaviour and recognizing you on further visits for statistics as well as the development and optimization of our website, including usage of JavaScript, cookies (“_ga” and “_ga_*” for 2 years) and pixel (Art. 6 (1)(a) GDPR, § 25 (1) TDDDG),
• Operation of social media pages and their aggregated statistics (Art. 6 (1)(a) and (f) GDPR).

Therefore, the following data can be processed:

• Connection data (e.g. HTTP header information, IP address, user agent),
• Device data (e.g. information about the browser, device and operation system),
• Contact data (e.g. name, email, phone),
• Communication data (e.g. within the contact form),
• Application data (e.g. CV, cover letter),
• Usage data (e.g. visited sites, clicked links, duration of visit, previous visited website),
• Consent decision.

4. Recipients of Your Data

The data collected by us will only be forwarded if there is a legal basis for this under data protection law in the specific case, in particular if

• you have given your explicit consent (Art. 6 (1)(a) GDPR),
• this is permitted by law and required for the performance of a contract with you or for the implementation of pre-contractual measures taken at your request (Art. 6 (1)(b) GDPR),
• we are legally obliged to disclose your data, in particular if this is necessary for legal prosecution or enforcement due to binding requirements, official enquiries, court orders and legal proceedings (Art. 6 (1)(c) GDPR), or
• the disclosure is necessary to safeguard our interests or for the assertion, exercise or defence of legal claims and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (Art. 6 (1)(f) GDPR).

Some of the data processing may be carried out by our service providers, such as IT service providers who maintain our website and provide its content (e.g. Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB, United Kingdom), analytics providers (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland), or group companies. If we forward data to our service providers, they may only use the data to fulfil their tasks. The service providers have been carefully selected and commissioned by us. They are contractually bound by our instructions, have suitable technical and organisational measures in place to protect the rights of the data subjects and are regularly monitored by us.

5. Transfer to Third Countries

We may use services whose providers are partly located in so-called third countries (outside the European Union or the European Economic Area) or transfer personal data there, i.e. countries whose level of data protection does not correspond to that of the European Union.

• If there is an adequacy decision by the European Commission for these countries, we base the data transfer on this (Art. 45 GDPR). This applies, for example, to transfers to Argentina, Israel, Japan, Canada, the Republic of Korea, New Zealand, Switzerland, Uruguay or the United Kingdom. In the case of the USA, this only applies if the US recipient has certified itself for the EU-US Data Privacy Framework.
• If no adequacy decision has been issued for the country in question, we have taken appropriate safeguards to ensure an adequate level of data protection for any data transfers (Art. 46 GDPR). These include the standard contractual clauses of the European Union or binding corporate rules.
• Where this is not possible, we base the data transfer on derogations for specific situations (Art. 49 GDPR), in particular your explicit consent or the necessity of the transfer for the performance of the contract or for the implementation of pre-contractual measures. If a transfer to a third country is planned and there is no adequacy decision or appropriate safeguards, it is possible and there is a risk that authorities in the respective third country (e.g. secret services) may gain access to the transferred data in order to collect and analyse it, and that the enforceability of your data subject rights cannot be guaranteed. If your explicit consent is obtained, you will also be informed of this.

Transfers to Volentio JSD Limited, Suite 2a1, Northside House, Mount Pleasant, Barnet, England, EN4 9EB, United Kingdom are governed by the adequacy decision for the United Kingdom. Google Ireland Limited transfers data to Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Google LLC is certified for the EU-US Data Privacy Framework, so that this transfer is governed by an adequacy decision for the USA.

6. Duration of Data Storage

In principle, we only store personal data for as long as necessary to fulfil the purposes for which we collected the data. We then delete the data immediately, unless we need the data until the end of the statutory limitation period for evidence purposes for civil law claims, due to statutory retention obligations or there is another legal basis under data protection law for the continued processing of your data in a specific individual case.

Application data: We store your personal data upon receipt of your application. If we accept your application and an employment relationship is established, we will store your application data for as long as it is required for the employment relationship and insofar as statutory regulations justify an obligation to retain it. If we reject your application, we will store your application data for a maximum of three months after rejecting your application, unless you give us your consent to store it for longer.

7. Data Subject Rights

a. Overview of Your Rights

You are entitled to the data subject rights formulated in Art. 7 (3), Art. 15 – 22 GDPR at any time if the respective legal requirements are met:

• Right to withdraw your consent (Art. 7 (3) GDPR);
• Right to object to the processing of your personal data (Art. 21 GDPR);
• Right to access information about your personal data processed by us (Art. 15 GDPR);
• Right to rectification of your incorrect personal data stored by us (Art. 16 GDPR)
• Right to erasure of your personal data (Art. 17 GDPR);
• Right to restriction of processing of your personal data (Art. 18 GDPR);
• Right to data portability of your personal data (Art. 20 GDPR);
• Right not to be subject to a decision based solely on automated processing which produces legal effects or similarly significantly affects you, including, where applicable, the right to obtain human intervention on the part of the controller, to express your point of view and to contest the decision (Art. 22 GDPR).

To assert your rights described here, you can contact us at any time using the contact details given above. This also applies if you wish to receive copies of safeguards to demonstrate an adequate level of data protection. If the respective legal requirements are met, we will comply with your data protection request.

Your requests to assert data protection rights and our responses to them will be stored for documentation purposes for a period of up to three years and, in individual cases, beyond this period if there are grounds for the assertion, exercise or defence of legal claims. The legal basis is Art. 6 (1)(f) GDPR, based on our interest in the defence against any civil law claims pursuant to Art. 82 GDPR, the avoidance of fines pursuant to Art. 83 GDPR and the fulfilment of our accountability obligation pursuant to Art. 5 (2) GDPR.

b. Right to Withdraw and Object

Right to withdraw consent (Art. 7 (3) GDPR)

You have the right to withdraw your consent at any time. As a result, we will no longer continue the data processing that was based on this consent in the future. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

Right to object (Art. 21 GDPR)

General objection: If we process your data on the basis of Art. 6 (1)(f) GDPR (legitimate interests), you can object to the processing at any time on grounds relating to your particular situation.

Objection to direct marketing: If we process your data for direct marketing purposes, you can object to the processing at any time without giving reasons.

Assertion of your rights

If you wish to exercise your right of withdrawal or objection, simply send an informal message to the contact details above.

c. Right to Lodge Complaints

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). You can lodge this complaint, for example, with a supervisory authority in the Member State of your place of residence, your place of work or the place of the alleged infringement. In Hessen, our registered office, the competent supervisory authority can be reached on its website: https://datenschutz.hessen.de/.

8. Obligation to Provide Your Data

There is generally no obligation to provide your data.

If the provision of your data is necessary for the conclusion of a contract or in advance of a possible conclusion of a contract (e.g. for an application), for making contact or for using other services and functions (e.g. for the contact form), the corresponding input fields are marked as mandatory (usually with an asterisk (*)). In this case, any contract cannot be concluded, the specific service cannot be provided or the function cannot be used without the data provided.

Other information not marked as mandatory fields is voluntary. The entry of such data is then not necessary for the conclusion of any contract, for the provision of the service or for the use of the function and has no influence on the fulfilment of the contract.

9. Automated Decision-Making

Automated decision-making including profiling (Art. 22 GDPR) with legal or similar significant effects does not take place.

10. Social Media Pages

We maintain social media pages in social networks in order to communicate with customers and interested persons and to provide information about our services.

a. Processing for Advertising Purposes of the Social Network Providers

User data is generally processed by the relevant social networks for market research and advertising purposes. This allows user profiles to be created based on the interests of users. Cookies and other identifiers are stored on the devices of the data subjects for this purpose. These user profiles are then used, for example, to display adverts within the social networks as well as on third-party websites. The legal basis for the data processing carried out by the social networks on their own responsibility can be found in the privacy notice of the respective social network. The links below will also provide you with further information on the respective data processing and the options to opt-out.

b. Processing for Statistical Purposes

As part of the operation of our social media pages, we may have access to information such as statistics on the use of our social media pages provided by the social networks. These statistics are aggregated and may include, in particular, demographic information (e.g. age, gender, region, country) and data on interaction with our social media pages (e.g. likes, subscriptions, shares, viewing of images and videos) and the posts and content distributed via it. This may also provide information about the interests of users and which content and topics are particularly relevant to them. This information can also be used by us to adapt the design and our activities and content on the social media pages and to optimise it for our audience. Please refer to the list below for details and links to the social network data that we can access as the operator of the social media pages. The collection of usage data and creation of these statistics is generally subject to joint responsibility. Where this applies, the relevant contract is listed below.

c. Access to Publicly Available Information

If you have an account with the social network, it is possible that we can see your publicly available information (e.g. your user name) and media (e.g. images and videos) when we access your profile. In addition, the social network may allow us to contact you. This can take place, for example, via direct messages or posted contributions. The content of communication via the social network and the processing of communication data is the responsibility of the social network as a messenger and platform service. For this processing, we refer to the privacy notice of the respective social network.

d. Data Subject Rights

We would like to point out that data protection requests can be made most efficiently with the respective provider of the social network, as only these providers have access to the data and can take appropriate measures directly. You can of course also contact us with your request. In this case, we will process your enquiry and forward it to the provider of the social network.

e. Social Network Providers

Below is a list with information on the social networks on which we operate social media pages:

YouTube (Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland) – privacy notice: https://policies.google.com/privacy, opt-out option: https://www.google.com/settings/ads.

Instagram (Meta Platforms Ireland Ltd, Merrion Road, Dublin 4, D04 X2K5, Ireland) – joint controller agreement: https://www.facebook.com/legal/terms/page_controller_addendum, information about the data processing: https://www.facebook.com/legal/terms/information_about_page_insights_data, privacy notice: and https://privacycenter.instagram.com/policy/, opt-out option: https://en-gb.facebook.com/help/instagram/2885653514995517?cms_id=2885653514995517;

LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) – joint controller agreement and information about the data processing: https://legal.linkedin.com/pages-joint-controller-addendum, privacy notice: https://www.linkedin.com/legal/privacy-policy, opt-out option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out;

11. Changes to This Privacy Notice

We may update this privacy policy from time to time, for example, if we customise our website or if legal or regulatory requirements change.