
Imprint & Privacy Policy

Imprint

Educaro India
SAS Alexandria
No. 15-16, 18A Cross
Dasarhalli Main Road,
Bhuvaneshwari Nagar
Hebbal Kempapura
Bangalore, Karnataka, India 560 025

Represented by:
Leon Schneider

Contact
Phone: +91 80 4211 7197
E-mail: india@educaro.de 

Privacy policy

1. Introduction

1.1 Responsible party

The responsible party according to Art. 4 (7) EU General Data Protection Regulation (DSGVO) is Educaro GmbH, Bolkerstraße 14-16, 40213 Düsseldorf, Germany, e-mail: info@educaro.de. We are legally represented by Leon Schneider, Managing Director.

1.2 Data protection representative

The data protection representative is heyData UG (haftungsbeschränkt), Gormannstr. 14, 10119 Berlin, Germany, www.heydata.eu, e-mail: info@heydata.de.

2. Security Policy

The primary goal of the protective measures that are implemented on an organizational and on a technical level is to protect Educaro GmbH and its customers from any damage, to ensure the constant ability of the employees, and to prevent data loss. This also includes the safe use of sensitive information.

It is therefore the responsibility of all employees to ensure that Educaro GmbH customers and business partners can expect a high level of security, as required by the business mandate.

The senior management bears the overall responsibility for a sufficient and technically as well as economically appropriate level of security in order to prevent damage to the company and to ensure long-term business success. 

The obligation is placed on subcontracted companies, freelancers, data center partners, and, of course, the company's own employees. The protection of personal data must also be ensured through appropriate technical and organizational measures in accordance with Art. 32 DSGVO. Continuous external monitoring ensures the maintenance and, above all, the constant improvement of the data protection measures. 

This data protection concept aims to present the data protection aspects in a summarised documentation. In the following, the technical and organizational measures for the protection of data are described, which Educaro GmbH takes as standard in order to meet the requirements of Art. 32 DSGVO.

3. Confidentiality (Art. 32 Abs. 1 lit. b DSGVO)

3.1. Access Control

The following implemented measures prevent unauthorized access to the data processing facilities:

  • Key regulation / key book
  • Careful selection of security personnel

3.2. Admission Control

The following implemented measures prevent unauthorized access to the data processing systems:
  • Authentication with user and password
  • Use of firewalls
  • Use of VPN technology for remote accesses
  • Management of user authorizations
  • Creation of user profiles
  • Key control/key book
  • General instruction to manually lock desktop when leaving the workplace

3.3. Access control

The following implemented measures ensure that unauthorized access to personal data is prevented:

  • Recording of the destruction of data
  • Recording of access to applications (especially when entering, changing, and deleting data)
  • Use of an authorization concept
  • The number of admins is kept as small as possible
  • Management of user rights by system administrators

3.4. Separation control

The following measures ensure that personal data collected for different purposes are processed separately:

  • Separation of productive and test system
  • Logical client separation (software side)
  • Creation of an authorization concept
  • Determination of database rights

4. Integrity (Art. 32 Abs. 1 lit. b DS-GVO)

4.1. Passing-on control

It is ensured that personal data cannot be read, copied, changed or removed without authorisation during transfer or storage on data carriers and that it is possible to check which parties or agencies have received personal data. The following measures are implemented to ensure this:

  • Setting up VPN tunnels
  • Recording of accesses and retrievals
  • Provision of data via encrypted connections such as SFTP or HTTPS
  • Use of signature procedures

4.2. Input control

The following measures ensure that it is possible to check who has processed personal data in data processing systems and at which time:

  • Logging of the entry, modification, and deletion of data
  • Retention of forms whose data has been transferred to automated processing
  • Traceability of the entry, modification, and deletion of data through individual user names (not user groups)
  • Allocation of rights for entering, changing, and deleting data on the basis of an authorization concept

5. Availability and resilience (Art. 32 Abs. 1 lit. b DS-GVO)

The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:

  • Creation of a backup & recovery concept
  • Keeping data backups in a secure, off-site location
  • Separation of operating systems and the associated data

6. Procedures for periodic monitoring, assessment, and evaluation (Art. 32 Abs. 1 lit. d DS-GVO; Art. 25 Abs. 1 DS-GVO)

6.1. Data protection management

The following measures are intended to ensure that the organization meets the basic requirements of data protection law:

  • Use of the heyData platform for data protection management
  • Appointment of the data protection representative by heyData
  • The commitment of employees to data secrecy
  • Regular training of employees in data protection
  • Keeping an overview of processing activities (Art. 30 DSGVO)
  • Carrying out data protection impact assessments wherever necessary (Art. 35 DSGVO)

6.2. Incident-Response-Management

The following measures are intended to ensure that in the event of data protection breaches, the reporting processes are activated:

  • Notification of data protection breaches in accordance with Art. 4 No. 12 of the GDPR to the supervisory authorities (Art. 33 of the GDPR)
  • Involvement of the Data Protection Officer in security incidents and data breaches
  • Use of firewalls

6.3. Privacy-friendly default settings (Art. 25 Abs. 2 DS-GVO)

The following implemented measures take into account the requirements of the principles "Privacy by design" and "Privacy by default":

  • Training of employees in "Privacy by design" and "Privacy by default".
  • No more personal data is collected than is necessary for the particular purpose.

6.4. Assignment Control

The following measures ensure that personal data can only be processed in accordance with the instructions:

  • Written instructions to the contractor or instructions in text form (e.g. by contract processing agreement).
  • Ensuring the destruction of data after termination of the order, e.g. by requesting relevant confirmations
  • Confirmation from contractors that they oblige their own employees to maintain data secrecy (typically in the order processing contract)
  • Careful selection of contractors (especially with regard to data security)

7. Data processing on our website

7.1. Informative use of the website

During the informative use of the website, i.e. when website visitors do not specifically transmit information to us, we collect the personal data that the browser sends to our server in order to ensure the stability and security of our website. This is our justified interest, so the legal basis is Art. 6 para. 1 p. 1 lit. f DSGVO.

These data are:

  • IP address
  • Date and time of the visit
  • Time zone difference from Greenwich Mean Time (GMT)
  • Content of the request (specific page)
  • Access status/HTTP status code
  • Amount of data transferred in each case
  • Website from which the request came
  • Browser
  • Operating system and its interface
  • Language and version of the browser software.

This data is additionally stored in log files. They are deleted when their collection is no longer necessary, no later than after 14 days.

7.2. Webhosting and provision of the website

Our website is hosted on the basis of a contract processing agreement (Art. 28 DSGVO) by GoDaddy.com LLC, Corporate Headquarters, 14455 N. Hayden Rd., Ste. 226, Scottsdale, AZ 85260, USA (privacy policy: https://de.godaddy.com/legal/agreements/privacy-policy). In doing so, the provider handles the personal data transmitted via the website, e.g. on content, usage, meta/communication data, or contact data. It is our legitimate interest to have a website available, so the legal basis for data processing is Art. 6 para. 1 p. 1 lit. f DSGVO.

7.3. Contact form

When contacting us via the contact form on our website, we store the data requested there and the content of the message.
The legal basis for the data processing is our justified interest in responding to enquiries sent to us. The legal basis for the processing is therefore Art. 6 para. 1 p. 1 lit. f DSGVO.
We delete the data accruing in this context after the storage is no longer necessary or limit the processing if there are legal retention obligations.

7.4. Job advertisements

We publish vacancies that are available in our company on our website, on pages linked to the website or on third-party websites.
The processing of the data provided as part of the application is carried out for the purpose of implementing the application procedure. Insofar as this is necessary for our decision to establish an employment contract, the legal basis is Art. 88 (1) DSGVO in conjunction with Section 26 (1) BDSG. We have marked the data required to carry out the application process accordingly or refer to them. If applicants do not provide this data, we cannot process the application.
Further data is voluntary and not required for an application. If applicants provide further information, this is based on their consent (Art. 6 para. 1 p. 1 lit. a DSGVO).

We ask applicants to refrain from providing information on political opinions, religious beliefs and similar sensitive data in their CV and cover letter. They are not required for an application. If applicants nevertheless provide such information, we cannot prevent their processing as part of the processing of the CV or covering letter. Their processing is then also based on the consent of the applicants (Art. 9(2)(a) DSGVO).

Finally, we process the applicants' data for further application procedures if they have given us their consent to do so. In this case, the legal basis is Art. 6 para. 1 p. 1 lit. a DSGVO.

We pass on the applicants' data to the responsible employees in the HR department, to our recruiting processors and to the employees otherwise involved in the application process.

If we enter into an employment relationship with the applicant following the application process, we only delete the data after the employment relationship has ended. Otherwise, we delete the data no later than six months after rejecting an applicant.

If applicants have given us their consent to also use their data for further application procedures, we will not delete their data until one year after receiving the application.

7.5. Appointment booking

Site visitors can book appointments with us on our website. For this purpose, we process meta or communication data in addition to the data entered. We have a legitimate interest in offering interested parties a user-friendly way to arrange appointments. The legal basis for the data processing is therefore Art. 6 para. 1 p. 1 lit. f DSGVO. Insofar as we use a third-party tool for arranging appointments, the information on this can be found under "Third-party tools".

7.6. Third-party tools

7.6.1. YouTube Videos

We use the Videos tool from YouTube for videos on our website. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The provider processes meta/communication data (e.g. device information, IP addresses) and usage data (e.g. web pages visited, interest in content, access times) in the USA. The legal basis of the processing is Art. 6 para. 1 p. 1 lit. a DSGVO. The processing is based on consent. Data subjects can revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation. The legal basis for transfer to a country outside the EEA is consent. Further information is available in the provider's privacy policy at https://policies.google.com/privacy.

7.6.2. Google Analytics

We use the Google Analytics tool for analytics. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, D04e5w5, Ireland. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA. The legal basis of the processing is Art. 6 para. 1 p. 1 lit. a DSGVO. The processing is based on consent. Data subjects can revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation. The legal basis of the transfer to a country outside the EEA is standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the review procedure under Article 93(2) DSGVO (Article 46(2)(c) DSGVO), which we have agreed with the provider. The data will be deleted when the purpose of its collection has ceased to apply and there is no obligation to retain it. Further information can be found in the provider's privacy policy at https://policies.google.com/privacy?hl=de.

7.6.3. HubSpot

We use the HubSpot tool for customer relationship management. The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes usage data (e.g. websites visited, interest in content, access times) and meta/communication data (e.g. device information, IP addresses) in the USA. The legal basis of the processing is Art. 6 para. 1 p. 1 lit. a DSGVO. The processing is based on consent. Data subjects can revoke their consent at any time by contacting us, for example, using the contact details provided in our privacy policy. The revocation does not affect the lawfulness of the processing until the revocation. The legal basis of the transfer to a country outside the EEA is standard contractual clauses. The security of the data transferred to the third country (i.e. a country outside the EEA) is guaranteed by standard data protection clauses adopted in accordance with the review procedure under Article 93(2) DSGVO (Article 46(2)(c) DSGVO), which we have agreed with the provider. The data will be deleted when the purpose for which it was collected no longer applies and there are no retention obligations to the contrary. Further information can be found in the provider's privacy policy at https://legal.hubspot.com/privacy-policy.

8. Data processing on social media platforms

We are represented in social media networks in order to present our company and our services there. The operators of these networks regularly process their users' data for advertising purposes. Among other things, they create user profiles from their online behaviour, which are used, for example, to show advertising on the pages of the networks and elsewhere on the Internet that corresponds to the interests of the users. For this purpose, the operators of the networks store information on user behaviour in cookies on the users' computers. Furthermore, it cannot be ruled out that the operators merge this information with other data. Users can obtain further information and instructions on how to object to processing by the site operators in the data protection declarations of the respective operators listed below. It is also possible that the operators or their servers are located in non-EU countries so that they process data there. This may result in risks for users, e.g. because it is more difficult to enforce their rights or because government agencies have access to the data.

If users of the networks contact us via our profiles, we process the data provided to us in order to respond to the enquiries. This is our justifiable interest, with the legal basis, therefore, being Art. 6 para. 1 p. 1 lit. f DSGVO.

8.1. Facebook

We maintain a profile on Facebook. The operator is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://www.facebook.com/policy.php. One way to object to data processing is via settings for advertisements: https://www.facebook.com/settings?tab=ads.

We are jointly responsible for processing the data of visitors to our profile on the basis of an agreement within the meaning of Art. 26 DSGVO with Facebook. Facebook explains exactly what data is processed at https://www.facebook.com/legal/terms/information_about_page_insights_data.

Data subjects can exercise their rights both against us and against Facebook. However, according to our agreement with Facebook, we are obliged to forward requests to Facebook. Data subjects will therefore receive a quicker response if they contact Facebook directly.

8.2. Instagram

We maintain a profile on Instagram. The operator is Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. The privacy policy is available here: https://help.instagram.com/519522125107875.

8.3. YouTube

We maintain a profile on YouTube. The operator is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. The privacy policy is available here: https://policies.google.com/privacy?hl=de.

8.4. LinkedIn

We maintain a profile on LinkedIn. The operator is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland. The privacy policy is available here: https://www.linkedin.com/legal/privacy-policy?_l=de_DE. One way to object to data processing is via the settings for advertisements: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.

8.5. Xing

We maintain a profile on Xing. The operator is New Work SE, Dammtorstraße 29-32, 20354 Hamburg. The privacy policy is available here: https://privacy.xing.com/de/datenschutzerklaerung.