Privacy policy for the messenger service schul.cloud

Introduction

The schul.cloud messenger is a communication service offered by stashcat GmbH, headquartered in Hanover. The service is specifically intended for educational institutions such as schools, which can use the messenger internally and, for example, in dealing with classes or grades. All relevant data protection regulations, in particular the regulations of the Telemedia Act (Telemediengesetz, TMG) and the General Data Protection Regulation (GDPR) are adhered to. In the following, we would like to give you some information on the type, scope and purpose of the processing of personal data within schul.cloud. With regard to the terms used, such as "processing" or "controller", we refer to the definitions in Art. 4 of the General Data Protection Regulation (GDPR).

Table of Contents:
1. WHO IS RESPONSIBLE FOR DATA PROCESSING ON THE SCHUL.CLOUD MESSENGER?
2. HOW IS DATA PROCESSED ON THE SCHUL.CLOUD MESSENGER?
3. PURPOSES OF DATA PROCESSING
4. LEGAL BASIS FOR DATA PROCESSING
5. SECURITY MEASURES
6. TRANSFER OF DATA TO THIRD PARTIES
7. CROSS-BORDER DATA TRANSFERS OUTSIDE THE EU
8. PERIOD FOR STORAGE AND DELETION OF DATA
9. CHANGES AND UPDATES TO THIS PRIVACY POLICY
10. RIGHTS OF DATA SUBJECTS
11. RIGHT TO COMPLAIN TO THE REGULATOR

 

1. Who is responsible for data processing within the schul.cloud messenger?

Responsible controller in terms of personal data protection is the provider of this offer (hereinafter the "Provider"):
stashcat GmbH 
Hamburger Allee 2-4 
30161 Hanover 
Germany 
Tel.: 0511/675190
Email: hello@stashcat.com

If you have any privacy concerns, please contact stashcat GmbH directly, providing sufficient information to identify yourself (e. g. name, email address or name of your institution). 
You can contact the provider on privacy questions at this email address: privacy@stashcat.com 
For the purpose of optimal implementation of the statutory privacy requirements, stashcat GmbH is supported and advised by an external Data Protection Officer. He is:

Sebastian von der Au
EDV-Unternehmensberatung Floß GmbH
Hopfengarten 10
33775 Versmold
Tel 05423/96490-0
Fax 05423/96490-60
Email: info@floss-consult.de

For the provision of the schul.cloud messenger, stashcat GmbH uses the services of data processors. A list of the data processors and their processing activities can be found under point 6. All data processors of stashcat GmbH are contractually bound. In this context, heinekingmedia GmbH handles the receipt of support requests for stashcat GmbH, subject to instructions. The appropriate contact data for this company are:
Email (support requests): support@heinekingmedia.de

 

2. How is data processed within the schul.cloud messenger?

The provider provides software (hereinafter "schul.cloud") over the internet (web application/desktop application/mobile applications for iOS and Android), which enables direct messenger communication between users. The next section explains who is affected by this data processing, and in which way, to which extent and for which purposes this data processing takes place.
The persons affected by the data processing are the users of the schul.cloud communication platform (hereinafter the "Users"). They are usually:

  • Administrative members and teachers of the educational institution using the messenger 
  • Students of the educational institution using the messenger 
  • Parents on the side of the principal, who are given a schul.cloud access
  • The schul.cloud messenger is available as a web browser interface, as a desktop app for Windows or Mac, and as a mobile app for iOS and Android. With the integrated real-time messenger, direct communication over the platform is possible. There is an integrated file storage that can be used by each user as a personal cloud. A separate account is created for each user with the appropriate permission level, which entitles them to use the platform. Voice and video telephony are also possible. Voice and video calls are not recorded.
  • The following types of personal data are processed:
  • Surname and first name 
  • Email address 
  • User role (administrator, user, guest) 
  • Photo (optional) 
  • Video image and sound (optional)
  • Location data (optional)
  • Communication data: As soon as a user interacts or communicates on the platform, communication data is generated, which is required for the use of the platform. This includes information about the user's activity on the platform (e. g. information about membership in a channel), which is stored in the system. The storage of this data is necessary because otherwise it would not be possible to use the messenger. The communication data also includes the entry and departure date. 
  • Visited channels: For the purpose of communication exchange and submission of protocols in electronic form, visited channels are formed by course participants, through which information is exchanged. In addition, tasks or information can be distributed to individual persons in such channels.  
  • Required metadata (mostly device information) for the use of schul.cloud: 
    • Web server log files
      • Time
      • IP address
      • Request URI
      • HTTP response code
      • HTTP response size in bytes
      • User-agent string
      • Push tokens (Apple/Google)
    • Email log files
      • Time
      • Type of email sent
      • Receiver
      • Sender

Stashcat GmbH does not use purely automated processing to take decisions - including profiling - about users of the schul.cloud messenger service.

 

3. Purposes of the data processing

As described above, the schul.cloud messenger is mainly used in educational institutions. The provision of this communication platform serves to enable direct and secure communication between users and their organisations within closed communication areas. In addition, the complete internal structure can be mapped on the basis of channels (e.g. for individual classes/grade levels). The goals are to accelerate communication paths, shorten service routes and promote cross-organisational collaboration and simplified file management.  
Usage metadata is used to enable resilience and otherwise technically smooth service provision. In addition, we use data collected from users to inform them about technical updates and security warnings, as well as to manage and process support and other user messages to us. In addition, information is used, on a given occasion, to detect, investigate and prevent fraudulent and other illegal activity. This includes breaches of our terms of use and protecting the rights and property of stashcat GmbH and others. 

In addition, we inform the users about further purposes of the processing when collecting the respective data.

 

4. Legal basis for the data processing

Insofar as we obtain the consent of the data subject for processing operations involving personal data, Article 6 (1) (a) of the EU General Data Protection Regulation (GDPR) serves as the legal basis. Insofar as children are concerned, consent is obtained through the holder of parental responsibility in accordance with Art. 8 (1) GDPR.
When processing personal data that is necessary for the performance of a contract to which the data subject is a party, Art. 6 (1) lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary for the performance of pre-contractual measures.
Insofar as the processing of personal data is necessary for the fulfilment of a legal obligation to which our company is subject, Art. 6 (1) lit. c GDPR serves as the legal basis.
In the event that vital interests of the data subject or another natural person make it necessary to process personal data, Article 6(1)(d) GDPR serves as the legal basis.
If the processing is necessary to protect a legitimate interest of our company or a third party and the interests, fundamental rights and freedoms of the data subject do not outweigh the former interest, Art. 6 (1) lit. f GDPR serves as the legal basis for the processing.

 

5. Security measures

Both stashcat GmbH and its data processors implement and maintain a range of technical and organisational measures to protect the personal data of the messenger users in accordance with the statutory requirements. These measures are taken in accordance with Article 32 of the GDPR, taking into account the state of the art of the technology, the costs of their implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. These measures are intended to ensure a level of protection for the personal data of messenger users that is appropriate to the risk.
The schul.cloud messenger service is provided in a protected high-security data centre in Germany. The communication data of the users usually remain within the jurisdiction of the EU General Data Protection Regulation (GDPR). Only with regard to the use of the translation service in the messenger, it cannot be completely ruled out that a data transfer to the USA will take place through our service provider IBM (in the context of the IBM Watson Language Translator implemented within stashcat). More detailed information is available on this under points 6 and 7. The data centre has the highest standards for failure and access protection.

 

6. Transfer of data to third parties

For the provision of schul.cloud, stashcat GmbH uses the services of data processors. They are contractually bound and subject to the instructions of stashcat. The data processors of stashcat GmbH for the provision of the messenger service are:

  • MIVITEC GmbH, Wamslerstr. 4, 81829 Munich 
    • Mivitec GmbH is responsible for the provision (hosting) of the schul.cloud platform in the high security centre.
  • 1&1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur 
    • 1&1 IONOS SE handles the distribution of updates for the desktop client and the hosting of videoconferences
  • heinekingmedia GmbH, Hamburger Allee 2-4, 30161 Hanover 
    • heinekingmedia GmbH handles sales and the responses to support inquiries in customer contact
  • IBM Deutschland GmbH, IBM-Allee 1, 71139 Ehningen 
    • IBM Deutschland GmbH provides the translation service IBM Watson Language Translator, which is implemented in schul.cloud, so that customers with different language backgrounds can also communicate with each other. If schul.cloud customers do not wish to use this translation service, they can deactivate it themselves.

In addition, data is only transferred to third parties if stashcat GmbH is required to do so in order to comply with the law, legal procedures or a justified request from authorities or third parties.
There are no other transfers of data to third parties.

 

7. Cross-border data transfers outside the EU

All data collected in schul.cloud is processed on hosting servers located in Germany to ensure trouble-free use of the platform. As a rule, there is no data transfer to foreign countries, neither to companies nor to private individuals. Only with regard to IBM's translation service can it not be completely ruled out that communication data is transferred to third countries (primarily the USA). In the event that data is transferred to the USA, IBM Deutschland GmbH will rely on the EU standard contractual clauses with regard to the parent company and sub-processors. In addition, supplementary safeguards of a technical, organisational and contractual nature such as encryption, access controls and assurances of notification of the data controller in the event of a request from an investigative authority will also be implemented. This is set out in the December 2020 Update to the Annex on Additional Safeguards to EU Standard Contractual Clauses (EU SCCs): www.ibm.com/support/customer/csol/terms/. For this reason, the use of the IBM Watson Language Translator is considered provisionally acceptable after a risk assessment by stashcat GmbH, although the aspects of legality will be subject to repeated review.

 

8. Storage duration and deletion of data

The data processed by us will be deleted or restricted in its processing in accordance with Articles 17 and 18 GDPR. Unless expressly stated within the scope of this privacy declaration, the data stored by us will be deleted as soon it is no longer required for its intended purpose and the deletion does not conflict with any statutory retention duties. 

If a user leaves the organisation and deletes his schul.cloud account, all personal data will be deleted at the same time. In principle, personal data will be deleted appropriately at the request/instruction of the user/organisation/administrator. The users themselves have the option of independently deleting their uploaded files in the personal file storage. 

Anonymisation of the account cannot be carried out by the users themselves, as the assignment of the users on the platform would otherwise not be possible. If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. I.e. the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law.

 

9. Changes and updates to this privacy policy

This privacy policy is subject to future content changes and updates. This may happen because either the statutory requirements, or the way in which we process data of our users, changes. Insofar as such changes require the consent of the users, we will contact them directly and individually.

 

10. Rights of the data subjects

Users of the schul.cloud messenger service have data subject rights regarding the processing of their personal data, to which they are entitled to exercise in particular under Art. 15-21 GDPR. They can assert these rights as individual users against stashcat GmbH. However, if another organisation (e.g. school or other educational institution) establishes schul.cloud as a communication platform within this organisation, stashcat GmbH is usually the data processor of this organisation. In this case, it is possible to assert these rights directly with this organisation.

Your data subject rights as a user of the messenger are:

Right of access:

You have the right to request confirmation free of charge, in accordance with the statutory requirements, as to whether and which personal data relating to you is being processed. In addition, you can request a copy of the data in accordance with the statutory requirements.

Right to rectify your data:

You have the right to demand the correction of inaccurate personal data in accordance with the statutory requirements. Similarly, you have the right to request the completion of incomplete data in accordance with the statutory requirements.

Right to deletion and restriction of processing:

You have the right to demand the immediate deletion or at least the blocking of your personal data in accordance with the statutory requirements. 

Right to data portability:

You have the right to receive the personal data concerning you. You have the right to receive the personal data concerning you in a structured, common and machine-readable format in accordance with the statutory requirements or to demand the transfer of this data to another controller.

Right to revoke the consent you have given:

If the processing of your personal data is based on your consent, you have the right to revoke this consent at any time. Please note that the revocation of your consent may mean a complete deletion of your user account, depending on the context.

Right to object:

Insofar as data processing is based on the legitimate interest under Art. 6 (1) f) GDPR, you have the right to object to the processing of personal data concerning you at any time on grounds relating to your particular situation. In the event of an objection, the controller will check whether interests worthy of protection for the processing outweigh your interests, rights and freedoms, e. g. in the case of assertion, exercise, or defence of legal claims. In the event of an objection relating to direct marketing, the objection will always be met immediately, and processing will cease.

If you wish to exercise your privacy rights directly against stashcat GmbH, or have other privacy-related concerns in the context of the schul.cloud messenger, you can contact us by email at: privacy@stashcat.com. Otherwise, contact your organisation (e.g. school or other educational institution) directly if it has established our Messenger as a communication platform. stashcat GmbH will then support the organisation concerned in safeguarding the data subject rights in accordance with the statutory requirements.

 

11. Right to complain to the competent supervisory authority

In the event of infringement of the data protection law, the data subject has a right to complain to the competent data protection supervisory authority. As a rule, the competent authority is the data Protection Officer/Commissioner in the federal state, in which the data processing company has its registered office. The supervisory authority responsible for our company in matters of data protection law is:
Landesbeauftragte für den Datenschutz Niedersachsen
(translated: Data Protection Commissioner of the Federal State of Lower Saxony)
Prinzenstrasse 5 
30159 Hanover 
Tel: 0511 120-4500
Email: poststelle@lfd.niedersachsen.de
Website: lfd.niedersachsen.de/startseite/

Your data protection is important to us: By default, we do not collect any analysis data from your visit! However, in order to continuously improve our website, we track anynomized website usage data if you agree. You can change the settings for the use of cookies at any time in the footer of the website. For more information, please refer to our Data protection (Web).

Privacy settings

Select the purpose for which this website may use cookies:

Allowed functionality

  • Storage of the progress of contacts

  • the consistent display of page content

  • Storage of your last website visit

Unauthorized functionality

  • Storage of anonymous usage data for analysis purposes

  • Allows sharing pages over social networks

  • display advertising promotions that match your interests

Allowed functionality

  • Storage of the progress of contacts

  • the consistent display of page content

  • Storage of your last website visit

  • Storage of anonymous usage data for analysis purposes

Unauthorized functionality

  • Allows sharing pages over social networks

  • display advertising promotions that match your interests

Allowed functionality

  • Storage of the progress of contacts

  • the consistent display of page content

  • Storage of your last website visit

  • Storage of anonymous usage data for analysis purposes

  • Allows sharing pages over social networks

  • display advertising promotions that match your interests