Data Protection Statement

Preamble

The information in this data protection statement applies to the processing of personal data on the platform at um.lecturio.com as well as any connected apps. It informs you about the scope of the processing, recipients, legal bases, storage periods, and your rights.

I. Definition of terms

1. Personal data (data of a data subject)

Personal data is any information relating to an identified or identifiable natural person (“data subject”, “you” or “user”).

2. Processing

The processing of personal data is, in particular, the collection, storage, use, and transmission of such data.

3. Responsible person

The responsible person is the natural or legal person, authority, institution, or other body that alone or jointly with others decides on the purposes and means of processing personal data.

4. Processor

A processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the person responsible.

5. Third parties

A third party is a natural or legal person, authority, institution, or other body, apart from the data subject, the person responsible, the processor, and the persons who are authorized to process the personal data under the direct responsibility of the person responsible or the processor.

6. Platform

This website and any connected mobile iOS and Android apps are collectively referred to as the platform or offer.

7. Administrator

An administrator is a natural person who manages the platform on the basis of extensive access rights to the system. Administrators plan, configure, and manage users and content on the platform.

II. General information on data processing and mandatory information

1. Person responsible

The person responsible within the meaning of Art. 4 Paragraph 7 GDPR and other national data protection laws of EU member states as well as other data protection regulations is:

University of Malaya Faculty of Medicine

Below referred to as "Responsible", "we", "us"

2. Data protection officer

You can contact our data protection officer as follows:

Data Protection Officer

Universiti Malaya

Lembah Pantai, 50603 Kuala Lumpur, Malaysia

03 - 7967 6686

fomadmin@um.edu.my

Below referred to as "data protection officer"

3. Legal basis for the processing of personal data

When processing personal data for which we obtain the consent of the data subject, Article 6 (1) (a) GDPR serves as the legal basis.

When processing personal data that is required to fulfill a contract to which the data subject is a party, Article 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures.

When processing personal data that is necessary to fulfill a legal obligation to which our company is subject, Article 6 (1) (c) GDPR serves as the legal basis.

When processing personal data that is necessary to safeguard a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the first-mentioned interest, Article 6 (1) (f) GDPR serves as the legal basis for processing.

4. Data deletion and storage duration

The personal data of the data subject will be deleted or anonymized, or its processing will be restricted, as soon as the purpose of storage no longer applies. Storage can also take place if this has been provided for by the European or national legislator in Union regulations, laws, or other provisions to which the person responsible is subject.

III. Provision of the website and creation of log files

Every time our website and the corresponding sub-pages are accessed, our system automatically collects data and information from the system of the calling device (computer, smartphone, tablet, etc.).

The following data is collected:

  1. Information about the browser type and the version used
  2. The user's operating system
  3. The user's IP address
  4. Date and time of access
  5. Access status / http status code
  6. Websites from which the user's system reached our website
  7. Websites that are accessed by the user's system via our website

This data is also stored in the log files of our system. Storage of this data together with other personal data does not take place.

The temporary storage of the IP address by the system is necessary to enable the website to be delivered to the user’s device. For this, the IP address must be saved for the duration of the session. The storage in log files takes place in order to ensure the functionality of the website.

We use the information stored in the log files to improve our services, to avert danger in the event of attacks on our information technology systems, to protect against license abuse, for anonymized evaluation for statistical purposes, and to provide law enforcement authorities with the information necessary for prosecution in the event of a cyberattack. An evaluation of the data for marketing purposes does not take place in this context.

Our legitimate interest in data processing according to Art. 6 Para. 1 lit. f GDPR also lies in these purposes.

The data collected for the provision of the website will be deleted when the respective session has ended. The log files are stored for a period of up to five years.

IV. Use of cookies

Our website uses technically necessary cookies. Cookies are small text files with configuration information that are sent from our web servers to your browser when you visit our website and are held by it on your computer for later retrieval. Each cookie contains a characteristic string of characters that enables the browser to be clearly identified when the website is called up again.

The following cookies are used on our website:



| Cookie designation | Purpose / function | Lifetime |
|---|---|---|
| lssn | This is a session cookie. This saves a so-called session identifier (session ID). This is used to assign several requests from a user to his or her session on our website so that the user does not have to log in again on every subpage or re-enter other information that has already been entered. | Duration of the browser session |
| lctrk | This cookie contains a visitor ID that is used to assign the "visitor" (videos viewed, solved quiz questions) to a user account when this user registers as a new visitor. | 2 years |
| lctii | This cookie contains an identification token that assigns the user's access to our organization. | 2 years |
| lctalc | This cookie contains an auto-login key. It is only set if the "Stay logged in" check box is checked when the user logs in. This means that the user is automatically logged in when the website is opened again, even after the session has expired and/or the browser window has been closed. | 2 years |
| lctlk | This login key cookie contains a token that is assigned to a user. This token is used by the auto login to log in the correct user. It is only set if the "Stay logged in" check box is checked when the user logs in. | 2 years |
| prc | This cookie stores the language selected by the user. | Duration of the browser session |

The purpose of using the cookies listed above is to simplify the use of our website. Some functions of our website cannot be offered without the use of cookies. For this, it is necessary that the browser is recognized after a page change within our website.

Our legitimate interest in the processing of personal data in accordance with Art. 6 Para. 1 lit. f GDPR lies in these purposes. The legal basis for the processing of personal data using cookies, which are necessary to provide the contractually agreed services, is Art. 6 Para. 1 lit. b GDPR.

Users have full control over the use of cookies. Cookies are automatically deleted after the functional / storage period specified above has expired.

Most browsers are preset to automatically accept cookies. Users can also deactivate or restrict the transmission of cookies by changing the settings in their browser. Cookies that have already been saved can be deleted at any time. This can also be done automatically. If cookies are deactivated for our website, it is possible that not all functions of the website can be used to their full extent.

V. User account and activities in the user account

The data that was submitted to us during registration, in particular surname, first name, and email address, are saved to the user’s user account.

In addition, other information about the user account provided by the user is saved, e.g. in account settings, notes made for lectures, as well as information that can also be viewed by other users, such as reviews and, if necessary, discussions with other course participants. Furthermore, the system records learning progress data, which includes, for example, which course content has been viewed, which quiz questions have been answered, the test results of completed tests, and other similar information when using our platform. In particular, this learning progress data may be accessible by the administrators of your employer or your university/teaching institution. In no case will data on your learning progress be passed on to unauthorized third parties.

We save the data on your user account as long as the user account exists.

The legal basis for processing the data is Article 6 (1) (a) GDPR.

VI. Recipients of personal data

Lecturio GmbH ("Lecturio"), Käthe-Kollwitz-Straße 1, 04109 Leipzig, serves as a processor for us and provides the technical platform.

VII. Rights of the data subject

If your personal data are processed as a data subject, you have the following rights:

  • the right to information according to Art. 15 GDPR
  • the right to correction according to Art. 16 GDPR
  • the right to erasure ("right to be forgotten") according to Art. 17 GDPR
  • the right to restriction of processing according to Art. 18 GDPR
  • the right to information according to Art. 19 GDPR
  • the right to data portability according to Art. 20 GDPR
  • the right not to be subject to an automated decision according to Art. 22 GDPR
  • the right to revoke your consent to the processing of personal data in accordance with Art. 7 Para. 3 GDPR.

To assert these rights, please contact the data protection officer or the responsible person via the contact details provided.

There is no right to deletion if the data may not be deleted due to a legal obligation or if it has to be processed due to a legal obligation, and data processing is necessary to assert, exercise, or defend legal claims.

In accordance with Art. 77 GDPR, you have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU member state or other state of your place of residence, your place of work or the place of the alleged violation, if you are of the opinion that the processing of your personal data violates applicable data protection law.

VIII. Right of objection

Insofar as we process your data on the basis of legitimate interests in accordance with Art. 6 Para. 1 lit. f GDPR, you have the right to object to the processing of your data on grounds relating to your particular situation, or if the objection is directed against direct marketing. In the latter case, you have a general right to object, which we will implement without requiring any reasons.

IX. Incident Response and Breach Notification

In the event of a data breach, our organization follows a comprehensive incident response plan to ensure swift and effective handling of the situation. The procedures include immediate containment and assessment of the breach to understand its scope and impact. Upon identifying a breach, we promptly secure our systems to prevent further unauthorized access. We conduct a thorough investigation to determine the nature of the breach, the data affected, and the potential risk to data subjects.

Notification is a critical component of our incident response. Within 72 hours of becoming aware of the breach, we notify the relevant supervisory authority in accordance with Article 33 of the GDPR, providing detailed information about the breach, its consequences, and the measures taken to mitigate the effects. If the breach poses a high risk to the rights and freedoms of individuals, we also inform the affected data subjects without undue delay, as stipulated by Article 34 of the GDPR. The notification includes clear and specific details on the nature of the breach, the likely consequences, and the measures we have taken or will take to address the breach and protect the individuals involved.

X. International Data Transfers

Our organization ensures that any transfer of personal data to countries outside the European Union (EU) is conducted in full compliance with GDPR requirements to protect the privacy and rights of data subjects. We utilize several transfer mechanisms to safeguard data during international transfers, including Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs).

Binding Corporate Rules are internal policies adhered to by our multinational organization, approved by European data protection authorities, that ensure adequate protection of personal data transferred outside the EU. These rules establish a framework for data protection compliance across all our global operations, ensuring consistent application of GDPR principles.

Standard Contractual Clauses, provided by the European Commission, are contractual commitments that bind the parties involved in the data transfer to comply with specific data protection obligations. By incorporating SCCs into our data transfer agreements with third-party service providers and partners, we ensure that any personal data leaving the EU is afforded the same level of protection as within the EU. Additionally, we continuously monitor the legal landscape and adapt our practices to comply with any new regulations or guidelines issued by data protection authorities. This proactive approach ensures that our international data transfers remain secure and compliant, safeguarding the privacy and rights of our data subjects at all times.

XI. Up-to-dateness and changes to this data protection information

Due to the further development of our platform or due to changed legal or official requirements, it may be necessary to change this data protection information. You can call up and print out the current data protection information on our platform at any time.

XII. Miscellaneous

Should individual provisions of this data protection declaration be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions. The same applies in the case of gaps.