Data protection information for applicants
We, the German Academic Exchange Service (Deutscher Akademischer Austauschdienst, DAAD), take protecting personal data and keeping them confidential very seriously. We therefore wish to inform you about the processing of your personal data in the context of sponsoring a project at your institution in which you are involved and also about your rights. Your data will be processed exclusively within the legal framework of the applicable data protection provisions, in particular the General Data Protection Regulation (hereinafter referred to as “GDPR”) and the German Data Protection Act (Bundesdatenschutzgesetz, hereinafter “BDSG”).
Who is responsible for processing my data, and who is the commissioner for data protection?
The controller responsible for processing your personal data is:
Deutscher Akademischer Austauschdienst e.V. (DAAD)
Tel.: +49 228 882 0
Contact details of our commissioner for data protection:
Dr Gregor Scheja
Scheja und Partner Rechtsanwälte mbB
Tel.: +49 228 227 226 0
What data are subject to data protection?
Data protection applies to personal data. Personal data refer to any information relating to an identified or identifiable natural person (known as the data subject). This includes information such as the data subject’s name, postal address, e-mail address or telephone number.
Which of my personal data will be processed?
If you apply on behalf of your institution, we only process the personal data relating to you that are required to complete the application and implement project funding. This may include:
For what purposes and on what legal basis will my personal data be processed?
The following provides you with an overview of the purposes and legal bases for processing your personal data in the context of DAAD project funding:
Data processing for the purposes of performing the contract and complying with DAAD accountability to funding bodies
We process personal data from you that are required in the context of the application process and the affiliation with DAAD as a host institution. The purposes encompassed by the processing include, in particular:
Implementing the application and selection procedure
Preparing and implementing the affiliation as a host institution within the In-Country/In-Region Scholarship Programme
Communications with you as the contact person or applicant for your institution
Monitoring, evaluations and statistical analyses
Auditing evidence of use
Meeting the reporting obligations to the DAAD funding bodies.
If the application from your institution is unsuccessful, we will make your personal data anonymous or delete them within thirteen months after the rejection. During this period, the DAAD may invite your institution to submit another application to become a host institution. If your institution receives funding from DAAD and/or becomes associated with the DAAD as a host institution, we will delete the data when they are no longer required for the purposes stated by us and no other legal bases are applicable, in particular, statutory or contractual retention periods.
Compliance with legal obligations
We may also process your personal data in order to comply with legal obligations arising e.g. from commercial, tax, financial or criminal law. In these cases, the purposes of our data processing follow from the respective legal obligation. Such processing will generally take place in order to comply with state monitoring and information requirements.
Your data will then be processed based on Art. 6 (1) c) of the GDPR.
We will delete your data once our legal obligation to retain them has ended, if no other legal bases for retention, in particular statutory or contractual retention periods, apply.
Will my personal data also be collected from third parties?
We only process the personal data that we collect directly from you in the context of the application process and possible affiliation as host institution.
Will you conduct any automated decision-making or profiling?
We use neither automated decision-making nor profiling as per Art. 22 of the GDPR.
Am I required to provide my personal data?
When submitting the application for your institution, you must provide the personal data required to assess the application and the decision on whether to approve the affiliation as host institution. You must also provide data required to comply with related contractual or statutory obligations or that we are legally required to process. Without this data, we may not be able to assess or approve the application from your institution.
Who has access to my personal data and which recipients will receive them?
Within the DAAD, your personal data will only be accessible to departments and to staff working there that need such access to fulfil their functions or duties.
We will only pass your personal data on to external recipients if there is a legal justification for doing so. External recipients may be:
Commissioned data processors: Service providers that we use for the provision of services in the human resources area or that are entrusted with maintaining our IT systems. We carefully select such processors and regularly screen them to ensure that your personal data are in good hands. These service providers may moreover only process your personal data for the purposes we specify.
Public authorities: public authorities and state institutions, such as ministries, public prosecutors, courts of law and fiscal authorities, to which we may be required to provide personal data in individual cases.
Private agencies: Private agencies to which we transfer your personal data on the basis of a legal provision or your consent, for example, referees, external consultants and evaluators who are not order processors, partner organisations participating in the funding programme and partners from third-party scholarship programmes.
Do you intend to transfer my data to third countries?
In the context of the application process and project funding, your personal data may be transferred to bodies that have their headquarters or data processing locations outside EU member states or states forming part of the EEA. We will ensure before transmission that, outside legally permissible exceptions, the recipient either maintains an adequate level of data protection (e.g. through an adequacy decision by the European Commission, through suitable guarantees such as the recipient’s certification as per the EU-US Privacy Shield or by agreeing what are known as EU Standard Data Protection Clauses from the European Commission with the recipient) or that we have your express consent.
You can request from us a list of recipients in third countries and a copy of the provisions that have been agreed in each case to ensure an adequate level of data protection. To do so, please use the contact details given in section I.1.
For how long will my personal data be stored?
You can find the retention period for your personal data in the relevant chapter on data processing under section IV.
What are my rights as a data subject?
You have the following rights regarding the processing of your personal data:
Right to information
You have the right to obtain confirmation from us as to whether or not we process personal data on you. If we do, you have the right to access your personal data and the right to further information regarding their processing.
Right to rectification
You have the right to demand the rectification of any inaccurate personal data we hold on you and the right to demand that incomplete personal data be completed.
Right to erasure (“Right to be Forgotten”)
Under certain circumstances, you have the right to demand that we erase your personal data. You have this right, for example, if your personal data are no longer required for the purposes for which they were collected or otherwise processed or if your personal data have been unlawfully processed.
Restriction of processing
Under certain circumstances, you have the right to demand that we restrict our processing of your personal data. In this case, we will only store those personal data for which you have given consent or for which the GDPR permits processing. You may, for example, have the right to restrict processing if you have contested the accuracy of your personal data.
If you have provided us with personal data on the basis of a contract or a Declaration of Consent and the appropriate statutory requirements are met, you can demand that we send you the data you gave us in a structured, commonly used and machine-readable format or that we transfer them to a different controller.
Withdrawal of consent
If you have given us your consent to the processing of your personal data, you can withdraw this consent
at any time with future effect. This does not however affect the lawfulness of any processing of your data conducted prior to your withdrawal of consent.
Objection to processing based on “legitimate interests”
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data concerning you based on Art. 6 (1) f) of the GDPR (data processing based on weighing of legitimate interests). If you lodge an objection, we will no longer process your personal data unless we can prove compelling grounds for processing that outweigh your interests, rights and freedoms, or the processing serves the purpose of establishing, exercising or defending legal claims.
Right to lodge a complaint with the supervisory authority
You can also lodge a complaint with the competent supervisory authority if you believe the processing of your data to be unlawful. To do so, you can contact the data protection authority responsible for your place of residence, your place of work or the location of the alleged infringement or you can contact the data protection authority responsible for us. The responsible data protection authority is the supervisory authority of the federal state in which you reside, work or in which the alleged infringement that is the subject of your complaint took place.
Whom can I contact if I have questions or to assert my rights as a data subject?
Should you have any questions about the processing of your personal data or about asserting your rights as a data subject as set out in section XI., numbers 1 to 7, you may contact us free of charge. To do so, please use the contact details specified under section I., number 1. You can moreover always withdraw your consent via the same form of contact that you used to submit your Declaration of Consent.
Should you have any questions about this notice, you may contact email@example.com.
Last revised: 26.11.2019