Privacy Policy

This privacy policy informs you about the type, scope, and purpose of the processing of personal data (hereinafter referred to as "data") within the scope of our services as well as within our online offering and the associated websites, functions, and content, including external online presences such as our social media profiles (hereinafter collectively referred to as "online offering"). Regarding the terminology used, such as "processing" or "controller," we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).

Stiftung Hochschule für Gestaltung HfG Ulm

Am Hochsträß 10

89081 Ulm

Types of Processed Data

  • Inventory data (e.g., personal master data, names, or addresses).
  • Contact data (e.g., email, phone numbers).
  • Content data (e.g., text entries, photographs, videos).
  • Usage data (e.g., visited websites, interest in content, access times).
  • Meta/communication data (e.g., device information, IP addresses).


Categories of Affected Persons

Visitors and users of the online offering (hereinafter referred to collectively as "users").


Purpose of Processing

  • Provision of the online offering, its functions, and content.
  • Responding to contact requests and communication with users.
  • Security measures.
  • Reach measurement/marketing.


Terminology Used

  • "Personal data" refers to all information relating to an identified or identifiable natural person.
  • "Processing" means any operation or set of operations performed on personal data.
  • "Pseudonymization" refers to processing in a manner that makes it impossible to attribute data to a specific person without additional information.
  • "Profiling" involves automated processing used to evaluate personal aspects.
  • "Controller" refers to the entity responsible for deciding on data processing purposes.
  • "Processor" refers to an entity processing data on behalf of the controller.


Legal Basis for Processing

According to Article 13 GDPR, we inform you of the legal bases for our data processing. Unless explicitly stated otherwise in this privacy policy, the following applies:

  • The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.
  • The legal basis for processing to fulfill our services and contractual obligations is Article 6(1)(b) GDPR.
  • The legal basis for processing to fulfill legal obligations is Article 6(1)(c) GDPR.
  • If processing is necessary to protect vital interests, Article 6(1)(d) GDPR applies.
  • Processing necessary for public interest tasks or exercising official authority is governed by Article 6(1)(e) GDPR.
  • Processing based on legitimate interests is governed by Article 6(1)(f) GDPR.
  • Processing for other purposes is based on Article 6(4) GDPR.
  • Processing of special categories of data follows Article 9(2) GDPR.


Security Measures

We take appropriate technical and organizational measures to ensure data security. These measures include access control, data integrity, and availability safeguards. Additionally, we consider privacy by design principles in selecting hardware, software, and processing procedures.


Collaboration with Processors, Joint Controllers, and Third Parties

We disclose data to third parties only based on legal permissions, contractual obligations, or legitimate interests.


Data Transfers to Third Countries

Data is processed outside the EU or EEA only when necessary for contractual obligations, user consent, legal requirements, or legitimate interests. Such processing occurs under recognized safeguards such as Privacy Shield certification or EU standard contractual clauses.


User Rights

Users have the right to:

  • Request confirmation of data processing and access to their data.
  • Request correction or completion of inaccurate or incomplete data.
  • Request deletion or restriction of data processing.
  • Receive data and request its transfer to another controller.
  • Lodge a complaint with the supervisory authority.


Right to Withdraw Consent

Users have the right to withdraw previously given consent at any time.


Right to Object

Users can object to the future processing of their data, particularly for direct marketing purposes.


Cookies and Direct Marketing Objection

Cookies are small files stored on user devices. We use both temporary (session) and persistent cookies. Users can configure browser settings to disable cookie storage. Blocking cookies may restrict certain website functions.

Users can object to cookies used for online marketing via:


Data Deletion

Data is deleted when no longer required for its purpose unless legal obligations prevent deletion.


Changes to the Privacy Policy

We regularly update this privacy policy to reflect changes in data processing.


Agency Services

We process client data for contractual services, including consulting, software and design development, marketing, and analysis. Data retention follows legal obligations and contractual agreements.


Administration, Accounting, Office Organization, and Contact Management

We process data for business operations, accounting, and legal compliance. Data disclosure occurs only when necessary, e.g., to financial authorities or auditors.


Business Analytics and Market Research

We analyze transaction, contract, and user data for business and market insights. Analyses are used for business optimization and are not externally disclosed unless anonymized.

Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke.