The schul.cloud messenger is a communication service offered by stashcat GmbH, headquartered in Hanover. The service is specifically intended for educational institutions such as schools, which can use the messenger internally and, for example, in dealing with classes or grades. All relevant data protection regulations, in particular the regulations of the Telemedia Act (Telemediengesetz, TMG) and the General Data Protection Regulation (GDPR) are adhered to. In the following, we would like to give you some information on the type, scope and purpose of the processing of personal data within schul.cloud. With regard to the terms used, such as "processing" or "controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).
Table of Contents:
1. WHO IS RESPONSIBLE FOR DATA PROCESSING ON THE SCHUL.CLOUD MESSENGER?
2. HOW IS DATA PROCESSED ON THE SCHUL.CLOUD MESSENGER?
3. PURPOSES OF DATA PROCESSING
4. LEGAL BASIS FOR DATA PROCESSING
5. SECURITY MEASURES
6. TRANSFER OF DATA TO THIRD PARTIES
7. CROSS-BORDER DATA TRANSFERS OUTSIDE THE EU
8. PERIOD FOR STORAGE AND DELETION OF DATA
10. RIGHTS OF DATA SUBJECTS
11. RIGHT TO COMPLAIN TO THE REGULATOR
Responsible controller in terms of personal data protection is the provider of this offer (hereinafter the "Provider"):
Hamburger Allee 2-4
If you have any privacy concerns, please contact stashcat GmbH directly, providing sufficient information to identify yourself (e. g. name, email address or name of your institution).
You can contact the provider on privacy questions at this email address: firstname.lastname@example.org
For the purpose of optimal implementation of the statutory privacy requirements, stashcat GmbH is supported and advised by an external Data Protection Officer. He is:
Sebastian von der Au
EDV-Unternehmensberatung Floß GmbH
For the provision of the schul.cloud messenger, stashcat GmbH uses the services of data processors. A list of the data processors and their processing activities can be found under point 6. All data processors of stashcat GmbH are contractually bound. In this context, heinekingmedia GmbH handles the receipt of support requests for stashcat GmbH, subject to instructions. The appropriate contact data for this company are:
Email (support requests): email@example.com
The provider provides software (hereinafter "schul.cloud") over the internet (web application/desktop application/mobile applications for iOS and Android), which enables direct messenger communication between users. The next section explains who is affected by this data processing, and in which way, to which extent and for which purposes this data processing takes place.
The persons affected by the data processing are the users of the schul.cloud communication platform (hereinafter the "Users"). They are usually:
Stashcat GmbH does not use purely automated processing to take decisions - including profiling - about users of the schul.cloud messenger service.
As described above, the schul.cloud messenger is mainly used in educational institutions. The provision of this communication platform serves to enable direct and secure communication between users and their organisations within closed communication areas. In addition, the complete internal structure can be mapped on the basis of channels (e.g. for individual classes/grade levels). The goals are to accelerate communication paths, shorten service routes and promote cross-organisational collaboration and simplified file management.
In addition, we inform the users about further purposes of the processing when collecting the respective data.
Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. Insofar as children are concerned, consent is obtained through the holder of parental responsibility in accordance with Art. 8 (1) GDPR.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Article 6(1)(d) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.
Both stashcat GmbH and its data processors implement and maintain a range of technical and organisational measures to protect the personal data of the messenger users in accordance with the statutory requirements. These measures are taken in accordance with Article 32 of the GDPR, taking into account the state of the art of the technology, the costs of their implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures are intended to ensure a level of protection for the personal data of messenger users that is appropriate to the risk.
The schul.cloud messenger service is provided in a protected high-security data centre in Germany. The communication data of the users usually remain within the jurisdiction of the EU General Data Protection Regulation (GDPR). Only with regard to the use of the translation service in the messenger, it cannot be completely ruled out that a data transfer to the USA will take place through our service provider IBM (in the context of the IBM Watson Language Translator implemented within stashcat). More detailed information is available on this under points 6 and 7. The data centre has the highest standards for failure and access protection.
For the provision of schul.cloud, stashcat GmbH uses the services of data processors. They are contractually bound and subject to the instructions of stashcat. The data processors of stashcat GmbH for the provision of the messenger service are:
In addition, data is only transferred to third parties if stashcat GmbH is required to do so in order to comply with the law, legal procedures or a justified request from authorities or third parties.
There are no other transfers of data to third parties.
All data collected in schul.cloud is processed on hosting servers located in Germany to ensure trouble-free use of the platform. As a rule, there is no data transfer to foreign countries, neither to companies nor to private individuals. Only with regard to IBM's translation service can it not be completely ruled out that communication data is transferred to third countries (primarily the USA). In the event that data is transferred to the USA, IBM Deutschland GmbH will rely on the EU standard contractual clauses with regard to the parent company and sub-processors. In addition, supplementary safeguards of a technical, organisational and contractual nature such as encryption, access controls and assurances of notification of the data controller in the event of a request from an investigative authority will also be implemented. This is set out in the December 2020 Update to the Annex on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs): www.ibm.com/support/customer/csol/terms/. For this reason, the use of the IBM Watson Language Translator is considered provisionally acceptable after a risk assessment by stashcat GmbH, although the aspects of legality will be subject to repeated review.
The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated within the scope of this privacy declaration, the data stored by us will be deleted as soon it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention duties.
If a user leaves the organisation and deletes his schul.cloud account, all personal data will be deleted at the same time. In principle, personal data will be deleted appropriately at the request/instruction of the user/organisation/administrator. The users themselves have the option of independently deleting their uploaded files in the personal file storage.
Anonymisation of the account cannot be carried out by the users themselves, as the assignment of the users on the platform would otherwise not be possible. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.
Users of the schul.cloud messenger service have data subject rights regarding the processing of their personal data, to which they are entitled to exercise in particular under Art. 15-21 GDPR. They can assert these rights as individual users against stashcat GmbH. However, if another organisation (e.g. school or other educational institution) establishes schul.cloud as a communication platform within this organisation, stashcat GmbH is usually the data processor of this organisation. In this case, it is possible to assert these rights directly with this organisation.
Your data subject rights as a user of the messenger are:
Right of access:
You have the right to request confirmation free of charge, in accordance with the statutory requirements, as to whether and which personal data relating to you is being processed. In addition, you can request a copy of the data in accordance with the statutory requirements.
Right to rectify your data:
You have the right to demand the correction of inaccurate personal data in accordance with the statutory requirements. Similarly, you have the right to request the completion of incomplete data in accordance with the statutory requirements.
Right to deletion and restriction of processing:
You have the right to demand the immediate deletion or at least the blocking of your personal data in accordance with the statutory requirements.
Right to data portability:
You have the right to receive the personal data concerning you. You have the right to receive the personal data concerning you in a structured, common and machine-readable format in accordance with the statutory requirements or to demand the transfer of this data to another controller.
Right to revoke the consent you have given:
If the processing of your personal data is based on your consent, you have the right to revoke this consent at any time. Please note that the revocation of your consent may mean a complete deletion of your user account, depending on the context.
Right to object:
Insofar as data processing is based on the legitimate interest under Art. 6 (1) f) GDPR, you have the right to object to the processing of personal data concerning you at any time on grounds relating to your particular situation. In the event of an objection, the controller will check whether interests worthy of protection for the processing outweigh your interests, rights and freedoms, e. g. in the case of assertion, exercise, or defence of legal claims. In the event of an objection relating to direct marketing, the objection will always be met immediately, and processing will cease.
If you wish to exercise your privacy rights directly against stashcat GmbH, or have other privacy-related concerns in the context of the schul.cloud messenger, you can contact us by email at: firstname.lastname@example.org. Otherwise, contact your organisation (e.g. school or other educational institution) directly if it has established our Messenger as a communication platform. stashcat GmbH will then support the organisation concerned in safeguarding the data subject rights in accordance with the statutory requirements.
In the event of infringement of the data protection law, the data subject has a right to complain to the competent data protection supervisory authority. As a rule, the competent authority is the data Protection Officer/Commissioner in the federal state, in which the data processing company has its registered office. The supervisory authority responsible for our company in matters of data protection law is:
Landesbeauftragte für den Datenschutz Niedersachsen
(translated: Data Protection Commissioner of the Federal State of Lower Saxony)
Tel: 0511 120-4500