CODE Applicant Privacy Policy
1. Introduction
CODE University of Applied Sciences (“CODE”, “we”, “our”, “us”) is committed to being clear and transparent about data protection, protecting privacy and the rights of data subjects. We want to ensure that applicants (“you”, “your”) know what data we collect, why we collect it, and how it is processed. We also aim to be clear about data collection, storage, usage and your rights to assure you that we would not use your data in a way you would not want or expect us to.
2. Data Controller
This privacy policy is applicable to data processing by CODE University of Applied Sciences and its legal entity:
CODE Education GmbH
Managing Director: Reimar Müller-Thum
Lohmühlenstr. 65
12435 Berlin
Our data protection officer is heyData GmbH, Kantstr. 99, 10627 Berlin, www.heydata.eu, E-Mail: datenschutz@heydata.eu.
This policy applies to all CODE applicants regardless of their intended study program.
Data Collection and Processing
Why We Process Your Data
We need to collect, store and process personal data for a number of administrative and legal reasons and to ensure that both you and we can meet our contractual obligations. As a University of Applied Sciences all procedures listed below are also in compliance with the § 6 BerlHG.
As per the General Data Protection Regulation (GDPR), this also forms the legal basis under which we process your data, more specifically:
a) GDPR Art. 6, Par. 1(b): processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
b) GDPR Art. 6, Par. 1(c): processing is necessary for compliance with a legal obligation to which the controller is subject;
c) GDPR Art. 6, Par. 1(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Additionally, data may also be processed under GDPR Art. 6, Par. 1(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
Reasons for processing your data include:
a) Administering your applicant record from recruitment, to application and admissions;
b) Providing applicant services, including issuing an invitation letter to an Admission Day (visa purposes), issuing an admission letter, managing mitigating circumstances and providing non-application support, including wellbeing services;
c) Assuring and maintaining application process quality and standards;
d) Ensuring regulatory and statutory requirements are met;
e) Administering students’ finances, including the exchange of information and data with CHANCEN eG;
f) Processing queries, complaints, appeals, and disciplinary actions;
g) Publishing basic information to students, staff, and partners;
h) Ensuring the safety of all applicants and prevent crime;
i) Enabling recruitment, admissions and research teams to determine admissions outcomes, evaluate and adjust application process and selection criteria as well as conduct a scientific or historical research based on statistics information;
j) Preparing and conducting internal and external compliance audits;
k) Ensuring regulatory and legal requirements, including regular reporting to German authorities, are met.
Who Has Access to Your Data and How Is It Shared?
Access to your data in our databases and systems is limited to employees of CODE and only for the purposes outlined in section 3.1. Further, access to various data sets and subsets is linked to employee’s role and responsibilities, and is rooted in the data minimisation principle expressed in Article 5, Par. 1(c) of the GDPR and Article 4, Par. 1(c) of the Regulation (EU) 2018/1725.
CODE does not sell data of applicants to third parties. CODE does also not share your data with third parties for marketing purposes.
3.1.1 Sharing Your Data with CODE Students
Should you be invited to an Admission Day, limited personal information will be shared with CODE students, who are part of a Selection Commission on that day. Specific information is listed below in point 3.1.2.
3.1.2 Sharing Your Data for the Purposes of Participating in an Admission Day
Should you be invited to the Admission Day, your data will be made available to a Selection Commission, which consists of three academic and two student representatives elected by us and the Student Body, as well as to our relevant partners CHANCEN eG.
The following information is processed and shared with the Selection Commission:
a) Your full name;
b) Age;
c) Country of origin;
d) Application Documents: CV, written application and exemplary work;
e) Other personal details you might have shared with us in your written application or exemplary work.
Members of a Selection Commission gain access to these earliest a week before the Admission Day. Their access is revoked after the deliberations have been concluded and the latest at the end of the Admission Day.
3.1.3 Sharing Your Data with Third Parties
Factory GmbH
For you to be able to either visit CODE campus or participate in an onsite Admission Day, we need to ensure you have temporary access to the Factory Berlin.
Factory Berlin is an ecosystem of over 3,500 members from all over the world located on two campuses in Berlin. Access to them is restricted to members and their guests only. CODE’s campus is based in Factory Berlin Görlitzer Park (GP) and to reach it, the reception of the Factory GP needs to be informed about it beforehand.
To enter the Factory Berlin premises we share these personal information with reception of the Factory Works GmbH Görlitzer Park:
a) Your full name.
Factory GmbH’s privacy policy can be found here
Other Third Parties
We might also share some of your personal information with third parties involved in your application, including visiting lecturers, partners and/or external facilities used for during your application process to CODE.
Some of your data will also be processed and shared in order for us to meet our statutory requirements, because it is in the public interest or because it is required for a third party’s interest.
In this context, your personal data may be processed and shared as follows:
a) To meet one of our statutory requirements by sharing your data, including data from the time before you joined CODE, anonymously with the Federal Statistical Office of Germany (Statistisches Bundesamt);
b) To monitor CODE’s performance as a higher education provider;
c) To improve and enhance the management of CODE;
d) To monitor and promote equality and diversity;
e) To seek legal advice.
The following personal information may be shared with third parties for the purposes listed above:
a) Your full name;
b) Your study program;
c) Any additional information you published in your profile(s) on any of our communication tools;
d) Anonymised equal opportunities monitoring data;
e) Anonymised feedback given by you to CODE.
Details about information we are required to share with the Federal Statistical Office of Germany can be found on their website
Additional information may be shared with third parties in cases where we need to establish, exercise or defend legal claims. Please also see more details about other third parties in the paragraphe 11 “Tools & IT-Environment”.
We might also verify documents by other educational institutions with them. It is our legitimate interest to be sure that you meet our study requirements. In this case, we share your name and the information that you applied to us. The legal basis is art. 6 para. 1 s. 1 lit. f GDPR.
4. Equal Opportunities Monitoring
CODE is committed to creating and maintaining a diverse, inclusive, positive and supportive environment for its applicants and students.
In order to monitor this, we may collect equal opportunities monitoring information at the point of application.
Any such information will stay confidential and is kept separate from the application and only available to relevant employees. It is not taken into account when considering candidates for a place on a program of study at CODE.
Anonymous statistics are shared more widely across CODE and with third parties both in an effort to monitor equal opportunities, to ensure statutory requirements have been met or because it is required for a third party’s legitimate interest.
5. Data We Hold, How We Collect It, and How We Store It
We are legally required to hold some types of information to fulfil our statutory obligations. Other types of information need to be held by us to perform our contract.
We will hold your personal information on our systems for as long as it is necessary for the relevant activity, or as long as it is set out in any relevant contract you hold with us. The specifics are listed in the point 6 Data Retention. Other information is required in order for us to fulfil our contractual obligations.
5.1 Data Held About You
CODE holds data about you in order to process your application, perform its duties and for the performance of a contract.
This information is collected at the point of enquiry or any stage of the application process using online forms.
We may collect the following types of data:
a) Personal details as they appear on your passport: first name, last name, maiden name, middle name, date of birth, place of birth, title, gender, nationality, status as an applicant to CODE;
b) Contact details: (permanent) address, personal email address, phone number (mobile);
c) Details related to program of study applied for: start date, course of study, intended degree and current student status;
d) Details related to the application process and regulations: admissions decisions as well as information on payment modality;
e) Application documents like written application, exemplary work and other documents you decide to share with us during the admission process;
f) Any information provided as part of your written application (in which you may choose to include personal information), details about proficiency in English, education history, including predicted and actual results and qualifications awarded.
g) We also ask you to upload a CV as part of your application.
h) Finally, as outlined in section 4, we collect personal data to enable equal opportunities monitoring. This includes your gender, title and pronouns.
Finally, additional data may be collected and stored by providers of third party applications used by CODE, including its only application system. This may include IP geolocation of users, any location information contained there, and any actions taken by a user while signed into their account, including a timestamp, which may be stored in an activity log.
5.2 Overview of Type of Personal Data Collected During Respective Steps of the Application Process:
Advice to potential students
In case you are not yet sure whether you want to apply to CODE, we provide an applicant advice service. For a smart and fast way to give advice to potential applicants, we are using email. To reply to your request and help you to find the answers you need, we are storing and processing the following data:
a) First and last name;
b) Personal Email address;
c) And if applicable:
– Application Documents;
– Age;
– Nationality;
– Relevant Study Program(s);
– Other personal information and documents you choose to share with CODE at this point in time.
Data usage and storage in the application management system
To register for our application management system each applicant has to set up a user account. A user account consists of at least the following information:
a) First name;
b) Last name;
c) Personal Email address.
Application relevant data
Depending on the stage of the application process you are at, we require and store the following personal data:
a) Full name as it appears on your passport;
b) Preferred name or Nickname;
c) Personal EMail address;
d) Birthdate;
e) Place of birth;
f) Nationality;
g) Phone number;
h) Timezone;
i) Address: street and house number, Zip code, City;
j) Country of residence
k) Application Documents: CV, relevant certificates, written application and exemplary work
l) Study Program;
m) Study start;
n) Payment choice;
o) Higher Education Entrance Qualification, including the issuing body and date.
Additional information that might be collected for marketing purposes
a) Source
b) Marketing Channel
c) Marketing Channel: Other
Please see more details about our systems in the paragraph 11 “Tools & IT-Environment”.
5.3 Data Storage
Data about applicants is stored in various databases and systems used by CODE to conduct its business. Access to those databases is secure and restricted to CODE employees who require it to perform their duties.
Some of these databases and systems used are provided and hosted by a third-party provider who will publish their own privacy policies.
CODE is committed to reviewing privacy and data protection policies of providers of third-party systems on a regular basis.
Portable data storage devices (including, but not limited to USB flash drives, magnetic tapes and optical discs) are not used to store, process or transfer personal information, but may be used to store and transfer other types of data.
6. Data Retention
Your personal data is processed and retained as per this policy for the duration specified in the guidelines on the retention of applicant data and record.
Our guidelines on the retention of applicant data and records:
A. Account created:
a) Never confirmed: your personal data and the account will be deleted after two weeks since registration;
b) Confirmed, but a written application was never submitted: your personal characteristics will be stored in an anonymous form, without your name or any other identifying factors. This statistical data record does not allow any type of inference to the actual person and serves solely as a basis for statistical evaluations. Whereas your actual account and all personal data will be deleted within four weeks after closing a current application process.
B. Unsuccessful application:
a) At first or the second step of the application process: personal data, application documents and results are retained for no more than three years for purposes listed in but not limited to the admission regulations, evaluation, research and possible complaints, claims or lawsuits. Paper documents will be safely deleted one year after the application process. These data are stored on a dedicated reporting server.
Whereas, data stored in our application reporting databases will be deleted from our system no later than three years after the intended application process closes.
b) Invited to participate in the final stage of the application process: personal data, application documents and results are stored for not more than five years for specific purposes only, which include but are not limited to statistical, admission process, study program evaluation , historical research and possible complaints, claims or lawsuits purposes. These data are stored on a dedicated reporting server.
Whereas, data stored in our reporting databases will be deleted from our system no later than three years after the intended application process closes.
C. Successful application:
a) Who don’t enrol: personal data, application documents and results are stored for not more than five years for specific purposes only, which include but are not limited to statistical, admission process, study program evaluation, historical research and possible complaints, claims or lawsuits purposes. These data are stored on a dedicated reporting server.
Whereas, data stored in our reporting databases will be deleted from our system no later than three years after the intended application process closes.
b) Who enrol: the Data Privacy for students at CODE applies, you will be informed about it upon signing the study contract.
All data related to personal characteristics used for statistical and comparative research will be anonymised before transferring them to the reporting server.
The master copy of data will not be deleted before the expiry of the retention period. Supplementary copies (e.g. Excel downloads, or working files) will be deleted before the retention period if they no longer serve a purpose.
Data extracted from master systems and stored in local drives or email will be destroyed after use to avoid unnecessary duplication, and to ensure data is not held for any longer than necessary. Excluded: Retention guidelines for maintaining transactional records, for example retention of requests for transcripts.
7. Updating Your Data
It is important to us that we always hold the most-up-date information about you and to ensure that you can exercise your ‘right to rectification’ under GDPR Article 16. To update your data held by CODE, please send an email to admissions@code.berlin.
Once a request has been received, it is normally processed within 14 days.
8. Getting in Contact with You
Our communications are normally sent to your personal email or alternatively via our communication tool, and most communications are only sent out electronically. In some instances, however, we may also contact you by phone (mobile or home). In some cases, we will also contact you by post.
Applicants may restrict the usage of their personal email address as outlined in section 9.3.
You may opt out of receiving the CODE newsletter, emails about events, webinars or info sessions, which might prepare for your studies at CODE, but it is necessary for CODE to communicate with you about matters pertaining to your application, support and welfare for the performance of a contract.
If you prefer not to receive our newsletter, emails about events, webinars or info sessions, you can opt out by emailing dataprivacy@code.berlin.
9. Your Rights
9.1 Right to Access
Under GDPR Article 15, you have the right to access the personal and supplementary information held about you by us.
To access this information, please email dataprivacy@code.berlin.
Information will be provided at the latest within one month of receipt.
9.2 Right to Erasure
At the point where we no longer need to process your data for the performance of a contract, you have the right to ask us to stop processing your personal data. Please note that this does not apply if you are a current student or recently finished the program of study and await graduation. If you choose to exercise this right, we will delete most of your personal data held by us.
Any data that remains on our database(s) can only be accessed by the Admissions Team and the Student Lifecycle Team for administrative or statistical (anonymous) purposes. Please refer to section 9.3 if you do not want your data to be used for statistical purposes.
To exercise your right to erasure, we suggest that you send us an email at dataprivacy@code.berlin.
You may also make your request verbally by contacting the Data Protection Officer who will confirm your request in writing and pass on your request to relevant members of staff.
Your request will be processed within one month and after having received and processed your request, we will no longer contact you by email, phone or post or any other means.
9.3 Right to Restrict Processing
You have the right to restrict the way in which your data is processed as long as the processing falls outside the performance of a contract.
To exercise your right to obtain your data, we suggest that you send us an email at dataprivacy@code.berlin.
You may also make your request verbally by contacting the Data Protection Officer who will confirm your request in writing and pass on your request to relevant members of staff.
Your request will be processed within one month.
9.4 Right to Data Portability
You have the right to obtain your data held by CODE and reuse it for your own purposes across different environments. Where data processing is performed on the basis of your consent or as part of a contract, you have the right to transfer the data provided by you, unless the rights and freedoms of other persons are impaired.
CODE will ensure that any data transmitted to you is transmitted securely.
To exercise your right to obtain your data restrict processing, we suggest that you send us an email at dataprivacy@code.berlin.
You may also make your request verbally by contacting the Data Protection Officer who will confirm your request in writing and pass on your request to relevant members of staff.
Your request will be processed within one month.
9.5 Right to Object
You have the right to object to your data being used for purposes of scientific/historical research and statistics.
To exercise your right to restrict processing, please email dataprivacy@code.berlin.
You should note, however, that this right may be limited by other statutory or regulatory requirements, such as our obligation to submit a regular report to the Federal Statistical Office of Germany.
9.6 Rights in Relation to Automated Decision Making and Profiling
CODE does not use automated decision making or profiling in the context of its applicants.
We may, however, use your personal information to ensure study groups are diverse and reflect the diverse nature of CODE. This is not done in an automated way and with a view that it benefits the applicant’s experience.
10. Changes to our Privacy Policies
Our privacy policies are reviewed regularly, usually on an annual basis. Updates will be posted on our website.
If we ever make significant changes to the way we process your personal data, we will either clearly highlight this on our website or write to you directly.
Tools & IT-Environment
All of the data listed in the point 5.1. are collected and stored within our tool ecosystem, which consists of:
a) Hubspot and HubSpot, Inc. with its German headquarters (Unter den Linden 26, 10117 Berlin). The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. We have a legitimate interest in managing data in a simple and inexpensive way. Therefore the legal basis of the processing is art. 6 (1) (f) GDPR. More information you can find here https://legal.hubspot.com/de/privacy-policy.
b) Google Workspace for Education. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Dublin, D04e5w5, Ireland. We have a legitimate interest to collaborate, create and store documents in a cost-efficient and effective manner. Therefore the legal basis of the processing is art. 6 (1) (f) GDPR. More information you can find here https://policies.google.com/privacy?hl=de.
c) email management systems
Amazon SES:
We use Amazon SES to send emails. The provider is Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA. The legal basis of data processing is art. 6 (1) (f) GDPR. Our legitimate interest is to carry out direct marketing measures to increase our recognition and awareness.
The provider processes content, usage, meta/communication data and contact data in the process in the EU. Further information is available in the provider’s privacy policy at privacy policy: https://aws.amazon.com/privacy/.
Other tools: Calendly.
The provider is Calendly LLC, BB&T Tower, 271 17th St NW, Atlanta, GA 30363, USA. The legal basis of data processing is art. 6 (1) (f) GDPR: We have a legitimate interest in providing prospective customers and clients with an easy way to schedule appointments with us. More information you can find here https://calendly.com/pages/privacy.
We have concluded individual contracts with all of the above service providers. Through these contracts, all of the listed service providers assure that they will process the data on our behalf in accordance with the General Data Protection Regulation and will ensure the protection of the rights of the data subjects. When applicable the General Data Protection Regulation is supported by the Standard Contractual Clauses (SCCs).
We take all steps to ensure that the personal information we hold is not lost or misused or subject to unauthorized access, disclosure, or alteration.
To protect your personal information, do not disclose your password to anyone else.
Last updated 09.01.2024