The following data protection notices contain information on the processing of personal data by Constellation Academy digital GmbH, Beuthstrasse 8, 10117 Berlin (“CAd” or “We”), as the controller within the meaning of the General Data Protection Regulation (“GDPR”).

These data protection notices apply to the use of the website accessible at www.studioco.berlin and the content available there (“Website”).

Information about the cookies used on the Website and the platform can be found in our Cookie Policy.

1. Controller and contact details of our data protection officer

CAd is the controller within the meaning of data protection law for the processing of personal data in connection with the Website. Our contact details are as follows:

Beuthstrasse 8, 10117 Berlin

datenschutz@constellation.academy

CAd is currently not obliged to appoint a data protection officer. Of course, we are still committed to and happy to address this topic. For any questions regarding data protection, please contact us at datenschutz@constellation.academy or use the contact details provided above.

2. Purposes of data processing

Personal data is mainly processed for the purpose of operating the Website and providing registered users with access to the services. Further information on data processing in connection with the Website and the platform can also be found in our Cookie Policy.

2.1 Data Processing

Data processing in connection with the Website includes:

(a) Processing upon visiting the Website,

(b) Conducting non-binding analyses of training needs,

(c) Analyzing user behavior to improve the Website, the platform, and our platform services.

(a) Visiting the Website

When you visit the Website, certain data is automatically collected. We process the data collected in this way (i) to enable you to visit the Website, (ii) to ensure a secure and proper operation of the Website, and (iii) to further develop the Website technically and to identify and fix any functional errors if necessary.

(b) Analysis of user behavior

The data collected when visiting the Website may also be processed by us to conduct reach and similar analyses regarding your use of the Website, in particular by means of cookies (if you consent to the data processing via the cookies we use for this purpose).

3. Categories of personal data; legal bases; obligation to provide data

3.1 Data Processing in Connection with the Website

When you visit the Website and for the purpose of analyzing user behavior, we process personal data such as IP address, information about the browser and operating system used, and the date and time of access – on the basis of our overriding legitimate interests pursuant to Art. 6(1)(f) GDPR or on the basis of consent pursuant to Art. 6(1)(a) GDPR.

3.2 Necessity of Providing Data

Certain data is automatically collected and processed, for instance partly through the cookies used on our Website (please refer to our Cookie Policy for more details). The provision of this data is neither legally nor contractually required, but in some cases (e.g., technically necessary cookies) it is required in order to enable the use of the Website or the services. Specifically, in the case of technically necessary cookies, the Website would not function properly, so the use of such technically necessary cookies cannot be prevented. In other cases (i.e., for non-essential cookies), you do not have to provide personal data and can refuse the use of these cookies. You will not suffer any disadvantages if you do not wish to provide your personal data for processing via non-essential cookies. Certain functionalities of the Website may then not be available to you.

The provision of the data mentioned in Section 3.1 for analyses of training needs is voluntary and neither legally nor contractually required. Users are free not to use the option of a free and non-binding analysis of their training needs and development potential, without suffering any disadvantages.

4. Recipients of the personal data

In addition to us, the following recipients may have access to your personal data processed in connection with the Website and the services.

4.1 Service Providers

We have engaged the following types of service providers to process your personal data on our instructions: hosting service providers (operation of the platform), IT service providers (IT support, IT development), database service providers, and financial accounting.

4.2 Customers

If users use the platform as employees of a CAd customer, that customer may gain access to certain user data via the admin account. This specifically includes: employee’s name, assigned courses, and courses attended.

4.3 Third Parties

Where necessary in individual cases to defend or enforce legal claims, e.g., to sanction violations of our Terms and Conditions or contractual agreements, or to investigate abuse or fraud attempts, we may transfer your personal data to government entities and authorities (e.g. law enforcement agencies, courts, and other authorities). We may also be required to make such disclosures, for example, in order to comply with legitimate requests and inquiries from law enforcement agencies.

We may also transfer your personal data to payment service providers, coaches and educational institutions, as well as external advisors such as lawyers, accountants, auditors, and similar third parties acting as controllers, insofar as this is necessary for the provision of our services or the proper operation of our business.

5. International data transfers

We may transfer your personal data to recipients outside the European Union or the European Economic Area (together “EEA”).

Some recipients outside the EEA are located in countries for which the European Commission has decided that these countries provide a level of data protection essentially equivalent to the European level (adequacy decision), for example Switzerland or Canada. In such cases, the transfer is subject to an adequate level of data protection from an EU data protection law perspective (Art. 45 GDPR). In the case of the USA, this also applies to recipients certified under the EU-US Data Privacy Framework.

Certain recipients of your personal data may be located in countries for which the European Commission has not yet issued an adequacy decision. This particularly applies to service providers in the USA not certified under the EU-US Data Privacy Framework. In this case, we have concluded EU Standard Contractual Clauses in accordance with Art. 46(2)(c) GDPR. A copy of these Standard Contractual Clauses can be requested by using the contact details mentioned under Section 1 above.

6. Storage and deletion of data

We will generally store your personal data for as long as permitted or required by applicable law, especially as long as this data is needed for the purposes pursued. For example, the data from the initial location analysis is stored for 7 days so that it can be transferred to the user’s account in the event of registration and used for further consultation. Data in an account is generally deleted three years after the end of the contractual relationship, unless the data is needed to fulfill or defend claims that are not yet time-barred or to comply with legal requirements.

After the end of these periods, we will remove the personal data from our systems and records and/or take steps to properly anonymize the data so that you can no longer be identified from it.

In the event of legal disputes, personal data may be stored until the end of the complete legal resolution, including any appeal periods, and subsequently deleted or archived, insofar as this is permitted under applicable law.

7. Your data protection rights

You have the following rights regarding your personal data:

7.1 Right of access

Pursuant to Art. 15 GDPR, you have the right to request information as to whether we process personal data concerning you; if this is the case, you have the right to request information about such personal data. You have the right to receive a copy of the personal data that is the subject of the processing.

7.2 Right to rectification

Pursuant to Art. 16 GDPR, you have the right to request the correction of inaccurate personal data concerning you. Where appropriate, you also have the right to request the completion of incomplete personal data.

7.3 Right to erasure (“right to be forgotten”)

Under the conditions of Art. 17 GDPR, you can request the deletion of your personal data.

7.4 Right to restriction of processing

Under the conditions of Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data. In this case, the relevant data will be marked and may only be processed by us for certain purposes.

7.5 Right to data portability

Pursuant to Art. 20 GDPR, you have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used, and machine-readable format, and you have the right to transmit such personal data to another entity without hindrance from us.

7.6 Right to object

In certain cases, you have the right to object at any time to the processing of your personal data for reasons arising from your particular situation. If you exercise this right to object, we will no longer process your personal data for these purposes unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or unless the processing serves the establishment, exercise, or defense of legal claims.

7.7 Right to withdraw consent

Where we process your personal data based on your consent, you have the right to withdraw that consent at any time with effect for the future. The withdrawal of consent does not affect the lawfulness of the processing of your personal data before the withdrawal.

7.8 Notification in the event of rectification or erasure

Pursuant to Art. 19 GDPR, we are obliged to notify all recipients to whom we have disclosed your personal data of any rectification or erasure of your personal data or restriction of processing, unless this proves impossible or involves a disproportionate effort. You have the right to be informed about these recipients.

7.9 Right to lodge a complaint

You also have the right to lodge a complaint with a supervisory authority at any time. The contact details for the Berlin data protection authority are as follows:

Berliner Beauftragte für Datenschutz und Informationsfreiheit

Alt-Moabit 59-61

10555 Berlin

8. Changes to these data protection notices

We may change these data protection notices from time to time with effect for the future. The current version of these data protection notices is always available at: constellation.academy/datenschutz.