As a part of the certification, we, as the institution responsible for the Data processing, will store Personal Data for the duration that is necessary to reach the defined purposes and to comply with legal obligations. In the following, we inform you about which Personal Data is being processed and in which way this will happen. We will furthermore inform you about your rights with regard to this matter.
Personal Data, as defined in Art. 4 No. 1 General Data Protection Regulation (GDPR), means any information relating to an identified or identifiable natural person.
1. Name and Contact Information of the Data Processor as well as Fraunhofer’s Data Protection Officer
zur Förderung der angewandten Forschung e.V.
80686 Munich, Germany,
Fraunhofer Personnel Certification Body
Fraunhofer Institute for Applied Information Technology FIT
53757 Sankt Augustin, Germany
Phone: +49 2241 14-3773
Fax: +49 2241 14-3702
Fraunhofer’s Data Protection Officer can be reached at the address above, for the attention of the Data Protection Officer, as well as at email@example.com.
You can contact our Data Protection Officer at any time with your questions regarding our Data Protection or your rights regarding your Personal Data.
Alternatively, you can directly address the Fraunhofer Personnel Certification Body.
2. Processing of Personal Data and Purposes of the Processing
a. Registration for the certification check
When you fill out the registration form for the certification check, we collect various Personal Data concerning the participating person. We hereby mean name, surname, information regarding the contracting party/your employer and the invoice address (e.g. company, contact person, department, contact information). The latter can differ from the participant’s information but is linked to the personal information of the participant. These statements are mandatory to pass a certification.
The collection of this Personal Data takes place
- to identify our contracting party;
- for the justification and execution of the contractual relationship concerning the certification;
- to control the credibility of the provided Data;
- to contact you or the affiliate in case of queries and the organization of the certification process or in case of amendments to the certification process.
If a Participant, who becomes an affiliate, fills out the form, the data processing is based on Art. 6 I 1 b GDPR and is necessary for the fulfilment of the contract as well as for pre-contractual arrangements (e.g. to edit the application).
If a Participant does not act as the contracting party itself, the data processing is based on Art. 6 I 1 f GDPR and is necessary to protect our legitimate interests. The purposes mentioned are legitimate interests in terms of the provision mentioned above.
In principle, the Personal Data that is collected during the application will be stored and deleted after the regular limitation period of three years starting at the end of the year in which the contract and the concerned certification was concluded.
Furthermore, we are obliged by Art. 6 I 1 c GDPR to store Personal Data for 6 to 10 years because of the legal duty to preserve records (especially according to § 147 AO). The period of preservation starts at the end of the year the invoice is dated. In this case, the storage is only for legal matters and only to the extent necessary to comply with legal duties.
There will be no storage beyond the one already mentioned, unless you agree to it according to Art. 6 I 1 a GDPR.
b. Voluntary disclosure and verification of admission requirements
We collect additional Personal Data of the disclosing Participant in addition to his/her name (address and birth date) on a voluntary basis. However, the disclosure of such information is mandatory if you intend to apply for a certification.
The collection of this Data is needed
- to identify the Participant;
- to secure the identity of the Participant in the future, if necessary;
- to contact the Participant in case of queries, amendments to the certification process or to remind the Participant of the term of the certification; and
- to enable us to pass a transparent and lawful certification.
In order to get the certification, the Participant needs to prove that he/she fulfills all admission requirements. For this purpose, the Participant has to submit copies of corresponding credentials and qualifications (e.g.: diploma and employment reference).
With the request of a person interested in participating, the data processing is started based on Art. 6 I 1 b GDPR and is necessary to conduct pre-contractual arrangements (verification of admission requirements), provided the person acts as the contracting party.
Otherwise, data processing is based on our and the participant’s interest to assure the transparency of a lawful certification, according to Art. 6 I 1 f GDPR. In addition, data processing is necessary to allow a certification in accordance with DIN EN ISO/IEC 17024.
Furthermore, the Participant can voluntarily disclose how he/she came to know of Fraunhofer’s certification activities. We use this information to evaluate and enhance our marketing measures. This Data Processing is based on Art. 6 I 1 f GDPR and is necessary to protect our legitimate interests. The purposes mentioned are legitimate interests in terms of the above-mentioned provision.
In case a person does not fulfill all admission requirements, we will delete the Personal Data collected from the voluntary disclosure and from further records, as soon as we have determined that the participant has failed to pass the certification process.
In case of a temporarily valid certification (which will usually be granted for a 3-year period), we will store the data from the voluntary disclosure, from further records that prove the fulfillment of all admission requirements, and examination materials for up to one year after the termination. During the validity period the storage takes place in both our interests to prove the lawfulness of the certification. After the validity period the storage takes place to make a recertification possible for you.
In addition to a certificate, every Participant receives an unlimited valid attestation that proves he/she successfully participated in a certification test. We store the attestation as well as its content longer than the validity period of the certificate in order to be able to confirm the content of the attestation after the termination of the certificate.
In case of an unlimited valid certificate, we store the certificate as well as the attestation up to 30 years.
c. Approach in order to recertify
We use email addresses we received from the voluntary disclosure to contact a person whose certificate is about to expire. The approach takes place to inform this person about the expiration as well as the possibility of a recertification.
This Data Processing is based on Art. 6 I 1 f GDPR. It is justified by our interest to provide a recertification and because of your interest to use the possibility of a simplified recertification.
If the person is not interested in a recertification, we will delete the Personal Data at the latest one year after termination of the certificate.
3. Application of information concerning the lawfulness of a certificate
It is possible to obtain information concerning the entitlement of a person that has passed the certification successfully, if the number of the certificate is given (e.g. by a potential employer of the mentioned person). To identify the mentioned person, it is necessary to ask for the name, birthday and place of birth. We will compare this information with the Personal Data stored concerning this person (name, birthday, place of birth). Afterwards we confirm the lawfulness positively or negatively, without passing on any Personal Data.
The comparison is based on Art. 6 I 1 f GDPR. It is used to prevent the misuse of our certificates, so it is necessary to protect our legitimate interest according to the above-mentioned provision.
4. No Transfer of Personal Data
A principle of Fraunhofer’s handling of Personal Data is that your Personal Data will not be transferred to third parties. However, a transfer is possible, in case
- you granted us your consent according to Art. 6 I 1 a GDPR; or
- we have a legal duty to transfer the Data according to Art. 6 I 1 c GDPR; or
- of a confirmation of lawfulness according to Section 3.
A transfer of Personal Data to a third state (outside of EU) or to an international organization is excluded.
5. Rights of affected Persons
You have the right to
- revoke your consent at any time according to Art. 7 III GDPR. As a consequence, we are no longer entitled to process Data, that was based on your consent;
- request information about the processing of your Personal Data according to Art. 15 GDPR. You can request information about the purposes of processing, category of Personal Data, category of recipients, who receive your Personal Data or will receive it in the future, proposed time of storage, the existence of a right to correct, delete or limit the processing or to revoke, the existence of a right of appeal, the origin of your Personal Data, in case they were not collected from us, as well as the existence of automatic decision making, including profiling and as appropriate expressive information concerning the details;
- request immediate correction of incorrect or incomplete Personal Data according to Art. 16 GDPR;
- request deletion of all of your Personal Data according to Art. 17 GDPR, as long as the processing is not necessary to exercise the right of free speech and information, to fulfill a legal duty, because of reasons of public interest or to plead, exercise or to defend legal claims;
- request restriction of the processing of your Personal Data according to Art. 18 GDPR, as far as you deny the correctness of your Personal Data. You also have the right to request restriction of the processing of your Personal Data, in case the processing is unlawful, provided that you do not want your Personal Data deleted and we do not need your Personal Data anymore, but you need them to plead, exercise or defend legal claims or you entered an objection against the processing according to Art. 21 GDPR;
- receive your Personal Data, that you provided, in a structured, commonly used and machine-readable format or to request the transmission to another authority according to Art. 20 GDPR;
- complain to regulators according to Art. 77 GDPR. Usually you can turn to the regulator of your place of residence, your place of work or place of business of our contracting party.
Information concerning your right of objection according to Art. 21 GDPR
You have the right to revoke your agreement to the processing of your Personal Data based on Art. 6 I e GDPR (Data Processing based on public interest) and Art. 6 I f GDPR (Data Processing based on weighing of interest) at any time; this includes a profiling according to Art. 4 IV GDPR.
If you revoke your agreement, we will no longer process your Personal Data, unless we can provide compulsory legitimate reasons for the processing. These reasons need to outweigh your interests, rights and freedoms or the processing serves the possibility to plead, exercise or defend legal claims.
If you revoke your agreement to the processing of Personal Data for direct advertising, we will immediately stop such processing. In this case you do not have to give a special reason. The same applies to profiling, as long as it is connected to such direct advertising.
To make use of your right of objection, you can send an email to firstname.lastname@example.org.
6. Data safety
We use suitable technical and organizational safeguard measures to protect your Personal Data against random or willful manipulation, partial or complete loss, destruction or unauthorized access of third parties. Our safeguard measures will be improved according to technological progress.
The Personal Data, collected and processed during the certification process, will only be stored by the Fraunhofer – Personnel Certification Body. They will not be transferred to other departments of Fraunhofer, not even within Fraunhofer FIT.
7. Currency of this data protection information
This data protection information dates from October 2018.