Privacy Policy / Datenschutzerklärung

1) Overview of Data Protection

As a purchaser of Expath’s online workshop, certain information about you will be collected and stored. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info@expath.de

Phone: +49 (0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Order Information
• What you purchased
• Date and time of purchase
• Hardware Use
• Date and time of online workshop purchase
• Number of times you log into the online workshop
• Electronic ID Data
• IP address
• Internet service provider
• Browser used
• Financial Identification
• PayPal email address
• Personal Identification Data
• Name
• Email address
• Inferred Data*
• Current employer, Hobbies and interests

*[During your interactions with Expath, you may give us information that implies other information. We call this “inferred data”. Specific information is not stored.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as an online workshop purchaser. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Information Technology
• These processes include website optimization and maintenance of online security, including cloud-based software.

Specific information about you is required for specific processes. The relevant data used in each process is listed below:

• Accounting/Finance Processes 
• Order Information
• Hardware Use
• Financial Identification
• Personal Identification Data
• Information Technology
• Hardware Use
• Electronic ID Data

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Digital Access Pass (WordPress Plugin)
• Overview: A WordPress plugin that acts like a virtual shopping cart which allows users to pay by various means (bank, credit card, and PayPal) through a website. It also prevents non-members from accessing certain parts of the website (for example, full-length online workshops).
• Security Characteristics:
• In order to process online payments through our website, Expath uses the WordPress plugin Digital Access Pass (Wicked Cool Plugins, 9661 Deer Trail Dr. San Diego, CA 92127).
• Digital Access Pass is a “shopping cart” plugin that allows website administrators to become digital vendors by selling online products. You’ll interact with Digital Access Pass if you pay for anything through our website, regardless of the method (bank, credit card, PayPal).
• We do not share sensitive information, such as your financial details, to Digital Access Pass. However, Digital Access Pass collects some information automatically. This data includes your name, contact information (email address), postcode, internet preferences, and any other information relevant to customer surveys or marketing.
• Digital Access Pass does not share your data with any third parties. Expath is not involved in Digital Access Pass’ methods of processing your data.
• Further information on the purpose and scope of data collection and processing by Digital Access Pass can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Website (Hetzner)
• Overview: A website server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics: See above (#2).
• Google Analytics
• Overview: A web analytics service operated by Google that tracks and reports website traffic. Expath uses this to track and improve site performance and user experience.
• Security Characteristics:
• Expath uses Google Analytics, a web analytics service. It is operated by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Analytics works through the use of cookies. Cookies are text files that are stored on your computer which allow an analysis of your use of our website. This information is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO.
• Under instructions from Expath, Google will use this information to analyze your use of our website, compile reports on activities on the website, and to provide us with further services relating to use of the platform and internet usage. The IP address transferred by your browser when Google Analytics is used is not connected to any other information Google may possess about you.
• We have activated the IP anonymization feature on this website for Google Analytics. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
• We do not share Google Analytics data without the customer’s authorization (including authorization via settings in the product user interface), or as otherwise expressly permitted under the terms of their Google Analytics agreement, except in limited circumstances when required by law.
• You can prevent cookies from being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of our website. You can also prevent the data generated by cookies about your use of the website (including your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available here.
• Further information on the purpose and scope of data collection and processing by Google can be found in Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• PayPal
• Overview: A US-based online payment system that supports money transfers and is an electronic alternative to checks and money orders.
• Security Characteristics:
• Expath accepts payments via PayPal (PayPal Holdings, Inc., S.à.r.l & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
• PayPal is an online payment processor that supports online money transfers and serves as an alternative to physical checks and money orders. Expath uses PayPal so you can pay for our online services, such as our online workshop, languages, and coaching sessions.
• If you select payment via PayPal, the payment data (credit card number, bank information, etc.) you provide will be supplied to PayPal based on Art. 6 (1) (a) (Consent) and Art. 6 (1) (b) DSGVO (processing for contract purposes). Other information PayPal collects include any information you give them if you choose to register for an account (name, contact information, etc.) or any information you give them if you check out as a guest. PayPal also collects electronic information about your computer, including your IP address, browser used to purchase our services, etc. PayPal collects this data for a variety of reasons, including marketing purposes, to manage internal business needs, to prevent fraud, and to comply with legal obligations.
• PayPal may share your data with select third parties. These parties include other corporations associated with PayPal, companies that perform services for PayPal, with other financial institutions, with legal entities when necessary, and with other users, merchants or provider involved in your transaction. This data is shared for fraud prevention, internal management, protection of personal interests, and is always shared only with your consent. You have the option to revoke your consent at any time with future effect. This action does not affect the processing of data previously collected.
• Expath is not involved in PayPal’s actions regarding your personal data.
• Further information on the purpose and scope of data collection and processing by PayPal can be found in PayPal's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Vimeo
• Overview: An ad-free open video platform based in the US.
• Security Characteristics:
• We have included Vimeo videos in our online workshops, which are stored at https://vimeo.com/de/ and can be played directly from our website.
• Vimeo will be informed if you have accessed the corresponding subpage of our website. In addition, electronic information such as your IP address will be transmitted. This is independent of whether Vimeo provides a user account through which you are logged in or whether no user account exists. Vimeo stores your data as a user profile and uses it, possibly for the purposes of advertising, market research and/or the design of its website according to demand. In particular (even for users who are not logged in), such an evaluation can lead to demand-oriented advertising and – depending on the offer of the provider – to information of other users of the social network about your activities on our website. You have the right to object to the creation of these user profiles, and you must contact Vimeo to exercise this right.
• Further information on the purpose and scope of data collection and processing by Vimeo can be found in Vimeo’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Wordfence Security
• Overview: A WordPress plugin, firewall, and malware scanner that protects websites located on a WordPress domain from a variety of digital threats.
• Security Characteristics: In the interest of protecting our website, Expath uses a WordPress plugin called Wordfence Security (Defiant, Inc., 800 5th Ave Street 4100, Seattle, WA 98104, USA). Wordfence is a firewall and malware scanner that protects websites located on a WordPress domain from a variety of digital threats. It is essential to have some form of firewall when you have a commercial website – Expath.de is constantly under attack by malicious bots and hackers. In order to distinguish malicious visitors from friendly ones, Wordfence uses and collects cookies. These cookies contain your IP address. Wordfence uses this information to distinguish which users have access privileges and also ensure a website’s firewall is set up accordingly.To help you understand which cookies the Wordfence sets to collect your data, we have provided the guide below. Wordfence currently sets three cookies.
• wfwaf-authcookie-(hash) What it does: This cookie is used to perform a capability check of the current user before WordPress has been loaded. Who gets this cookie: This is only set for users that are able to log into WordPress. How this cookie helps: This cookie allows the firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
• wf_loginalerted_(hash) What it does: This cookie is used to notify Wordfence admin when an administrator logs in from a new device or location. Who gets this cookie: This is only set for administrators. How this cookie helps: This cookie helps site owners know whether there has been an admin login from a new device or location.
• wfCBLBypass What it does: Wordfence offers a feature for a site visitor to bypass country blocking by accessing a hidden URL. This cookie helps track who should be allowed to bypass country blocking. Who gets this cookie: When a hidden URL is visited, this cookie is set to verify the user can access the site from a country restricted through country blocking. This will be set for anyone who knows the URL that allows bypass of standard country blocking. This cookie is not set for anyone who does not know the hidden URL to bypass country blocking. How this cookie helps: This cookie gives site owners a way to allow certain users from blocked countries, even though their country has been blocked.
• Expath has entered into a “data processing agreement” with Wordfence. This agreement essentially states that Wordfence will protect your data and will not share it with any third parties. For more information about this processing agreement, click here.
• Further information on the purpose and scope of data collection and processing by Wordfence Security can be found in Wordfence’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Order Information
• Lexoffice, Local physical hard-drive, PayPal, Tresorit (up to June 2019)
• Hardware Use
• Lexoffice, Local physical hard-drive, PayPal, Tresorit (up to June 2019)
• Electronic ID Data
• Digital Access Pass (WordPress Plugin), Google Analytics, Vimeo, Wordfence Security (WordPress Plugin).
• Financial Identification
• Lexoffice, Local physical hard-drive, PayPal, Tresorit (up to June 2019)
• Personal Identification Data
• Lexoffice, Local physical hard-drive, PayPal, Tresorit (up to June 2019)
  

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: Order Information, Financial Identification, Personal Identification
• Purpose of Transmission: Meet Legal Obligations

Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info@expath.de

Phone: +49 (0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Applicant Data
• Professional Career
• Professional Qualifications
• Professional Experience
• References
• Interview date & time
• Educational Career
• Current Employer
• Immigration (non-EU citizens)
• Personal details (nationality and native language)
• Biometric Identification
• Signatures
• Hardware Use
• Date and time of emails sent to and from Expath, date and time that SmartRecruiters platform was used to apply or send emails
• Electronic ID Data
• IP Address
• Browser used
• Location of internet provider
• Use of Media and Means of Communication
• Email address
• Personal Identification Data
• Name, email address
• Data on Presence and Absence
• Freelance orientation training attendance
• Teacher training attendance (freelance teacher applicants)
• Location Data
• Time and location of mandatory orientation training
• Employee Development
• Freelance orientation training
• Incidental Data*

• Images/Photographs, Data about minors, Sex, Age, Date of Birth, Marital status & Family, Family members, Hobbies, interests, and leisure activities, Public mandates and offices, Memberships, Ethnic origin/Race, and Physical traits.

*[During your correspondence with Expath, especially during the application process, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as an applicant. These processes are listed below, with descriptions of what they entail.

• Employee Hiring Process
• These processes include hiring new employees and fulfilling legal/contractual obligations for employee applicants.
• Freelance Teacher Management
• These processes include the hiring process, language course management, scheduling, communication with teachers, and fulfillment of contractual and legal obligations.
• Freelance Coach Management
• These processes include the hiring process, relocation services management, scheduling, communication with coaches, and fulfillment of contractual and legal obligations.
• Specific information about you is required for specific processes. The relevant data used in each process is listed below:
• Employee Hiring Process
• Applicant Data
• Biometric Identification
• Hardware Use
• Use of Media and Means of Communication
• Personal Identification Data
• Freelance Teacher Management
• Applicant Data
• Biometric Identification
• Hardware Use
• Electronic ID Data
• Use of Media and Means of Communication
• Personal Identification Data
• Data on Presence and Absence
• Location Data
• Employee Development
• Freelance Coach Management
• Applicant Data
• Biometric Identification
• Hardware Use
• Electronic ID Data
• Use of Media and Means of Communication
• Personal Identification Data
• Data on Presence and Absence
• Location Data
• Employee Development

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Analytics
• Overview: A web analytics service operated by Google that tracks and reports website traffic. Expath uses this to track and improve site performance and user experience.
• Security Characteristics:
• Expath uses Google Analytics, a web analytics service. It is operated by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Analytics works through the use of cookies. Cookies are text files that are stored on your computer which allow an analysis of your use of our website. This information is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO.
• Under instructions from Expath, Google will use this information to analyze your use of our website, compile reports on activities on the website, and to provide us with further services relating to use of the platform and internet usage. The IP address transferred by your browser when Google Analytics is used is not connected to any other information Google may possess about you.
• We have activated the IP anonymization feature on this website for Google Analytics. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
• We do not share Google Analytics data without the customer’s authorization (including authorization via settings in the product user interface), or as otherwise expressly permitted under the terms of their Google Analytics agreement, except in limited circumstances when required by law.
• You can prevent cookies from being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of our website. You can also prevent the data generated by cookies about your use of the website (including your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available here.
• Further information on the purpose and scope of data collection and processing by Google can be found in Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Calendar
• Overview: A time management and scheduling calendar service developed by Google.
• Security Characteristics:
• Expath uses Google Calendar (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to keep track of both language school and relocation services scheduling.
• Google Calendar is a time-management and scheduling calendar service developed by Google which allows users to create and edit events. Expath uses Google Calendar internally to schedule appointments, coaching sessions, and list client availability. Information about you typically included in our private Google Calendar includes your name, times available, and a summary of services you requested from us.
• Expath shares information stored in Google Calendar with all Expath employees and coaches. We do not share your data with any third parties from Google Calendar. Expath also does not use Google Calendar to integrate your calendar with ours for scheduling purposes.
• Data uploaded to Google Calendar is encrypted. Google does not have access to unencrypted data, and uses all encrypted data for internal maintenance and advertising purposes. Google does not share any data available on Google Calendar with third parties.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Drive
• Overview: A file storage and synchronization service developed by Google. This is used by Expath as an alternate file server, especially in cases where files need to be shared or co-edited externally.
• Security Characteristics:
• In order to keep track of your contact information (including names, emails, phone numbers, etc.) Expath uses Google Drive (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Drive a file storage and synchronization service developed by Google. Google Drive allows users to store files on their servers, synchronize files across devices, and share files.
• Expath creates files in Google Drive with your contact information. This information is never transferred to third parties, and is accessible only by certain Expath employees.
• Google encrypts all files created in Google Drive. This means that no one but us can view what’s inside these files. Google uses AES-256, a secure encryption algorithm without any currently feasible attacks, to encrypt files. Furthermore, Google splits data within each file into chunks, and then encrypts each chunk of data with a specific data key. Only after this process takes place is data stored by Google.
• Expath is not involved in the storage or processing of files stored in Google Drive by Google.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Wordfence Security
• Overview: A WordPress plugin, firewall, and malware scanner that protects websites located on a WordPress domain from a variety of digital threats.
• Security Characteristics: In the interest of protecting our website, Expath uses a WordPress plugin called Wordfence Security (Defiant, Inc., 800 5th Ave Street 4100, Seattle, WA 98104, USA). Wordfence is a firewall and malware scanner that protects websites located on a WordPress domain from a variety of digital threats. It is essential to have some form of firewall when you have a commercial website – Expath.de is constantly under attack by malicious bots and hackers. In order to distinguish malicious visitors from friendly ones, Wordfence uses and collects cookies. These cookies contain your IP address. Wordfence uses this information to distinguish which users have access privileges and also ensure a website’s firewall is set up accordingly.To help you understand which cookies the Wordfence sets to collect your data, we have provided the guide below. Wordfence currently sets three cookies.
• wfwaf-authcookie-(hash) What it does: This cookie is used to perform a capability check of the current user before WordPress has been loaded. Who gets this cookie: This is only set for users that are able to log into WordPress. How this cookie helps: This cookie allows the firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
• wf_loginalerted_(hash) What it does: This cookie is used to notify Wordfence admin when an administrator logs in from a new device or location. Who gets this cookie: This is only set for administrators. How this cookie helps: This cookie helps site owners know whether there has been an admin login from a new device or location.
• wfCBLBypass What it does: Wordfence offers a feature for a site visitor to bypass country blocking by accessing a hidden URL. This cookie helps track who should be allowed to bypass country blocking. Who gets this cookie: When a hidden URL is visited, this cookie is set to verify the user can access the site from a country restricted through country blocking. This will be set for anyone who knows the URL that allows bypass of standard country blocking. This cookie is not set for anyone who does not know the hidden URL to bypass country blocking. How this cookie helps: This cookie gives site owners a way to allow certain users from blocked countries, even though their country has been blocked.
• Expath has entered into a “data processing agreement” with Wordfence. This agreement essentially states that Wordfence will protect your data and will not share it with any third parties. For more information about this processing agreement, click here.
• Further information on the purpose and scope of data collection and processing by Wordfence Security can be found in Wordfence’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
  
  
• Yoast
• Overview: A search engine optimization WordPress plugin.
• Security Characteristics:
• Expath uses Yoast (Yoast BV, Don Emanuelstraat 3 6602 GX Wijchen, the Netherlands), a search engine optimization WordPress plugin, in order to advertise our website and services on Google.
• Yoast uses web analytics tools to analyze how users use our website. These tools use cookies, which collect internet log information and visitor behavior in an anonymous form. Such information typically will include your IP address. Your IP address and other information stored in cookies will then be transmitted to Google by Yoast, which is used to evaluate visitor use of our website and to compile statistical reports on website activity. This helps Yoast provide recommendations for search optimization and regulate internal functions of their own website. Yoast never allows any third parties access to your personally identifiable information.
• Expath is not involved in Yoast’s methods of processing your data. If you object to Yoast using your data for any reason, please contact Yoast directly.
• Further information on the purpose and scope of data collection and processing by Yoast can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• SmartRecruiters
• Overview: SmartRecruiters is an enterprise talent acquisition suite. It is an online platform that enables potential hires for freelance and employment positions at Expath to upload their application materials and communicate with Expath, and to track their hiring progress and it allows Expath to manage their applicant pool and recruitment processes. Note that regardless of application method (email, SmartRecruiters, post, etc.), your data will be uploaded to the SmartRecruiters platform.
• Security Characteristics:
• Expath uses SmartRecruiters to collect and manage applications, post job advertisements, communicate with applicants and schedule interviews. Alternatively, applicants may apply via email and not use the SmartRecruiters platform.
• Please see SmartRecruiters privacy and data security policy here: https://www.smartrecruiters.com/legal/candidate-privacy-policy/may-14-2019/

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Applicant Data
• Expath Email Server (Hetzner), Google Drive (coaches), Local physical hard-drive, Physical copy, Tresorit, SmartRecruiters
• Biometric Identification
• Expath Email Server (Hetzner), Local physical hard-drive, Physical copy, Tresorit, SmartRecruiters
• Hardware Use
• Expath Email Server (Hetzner) , SmartRecruiters
• Electronic ID Data
• Google Analytics, Wordfence Security (WordPress Plugin), Yoast, SmartRecruiters
• Use of Media and Means of Communication
• Expath Email Server (Hetzner) , SmartRecruiters
• Personal Identification Data
• Expath Email Server (Hetzner), Google Drive (coaches), Local physical hard-drive, Physical copy, Tresorit, SmartRecruiters
• Data on Presence and Absence
• Google Calendar, Google Drive, Local physical hard-drive, Tresorit, SmartRecruiters
• Location Data
• Google Calendar, Local physical hard-drive, Tresorit
• Employee Development
• Google Calendar, Google Drive (coaches), Local physical hard-drive, Tresorit (teachers)
• 
  

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: All data
• Purpose of Transmission: Legal obligations

1) Overview of Data Protection

As an internal language course participant at Expath, certain information about you will be collected and stored throughout your interactions with us. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info@expath.de

Phone: +49 (0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Class Information
• Start and end date of class and lessons
• Current Employer (For company-reimbursed classes)
• Data on Presence and Absence
• Attendance sheets (optional)
• Letter of Attendance (upon request)
• Orders
• Course ordered
• Date and time of purchase
• Images/Photographs (with permission)
• Hardware Use
• Online Purchase Information: date and time of purchase, type of device used
• Emails: Date and time of emails sent and received
• Electronic ID Data
• IP Address
• Browser Used
• Location of internet service provider
• Financial Identification
• Bank Users: bank name, bank account number, IBAN, BIC
• Credit Card Users: last four digits of card number, type of card, card expiration date
• PayPal Users: PayPal email address
• Personal Identification Data
• Name
• Phone number, email address
• Location Data
• Location of course purchase
• Incidental Data*
• Hobbies, interests, and leisure activities, Lifestyle, Marital Status, Family Members, Data about minors

*[During your correspondence with Expath, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as an internal language course participant. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Language Student Booking
• These processes include language course management, communication with students, class grouping, and lesson scheduling.
• Quality Control
• These processes include evaluation and assurance of the quality and performance of all Expath employees and freelancers.
• Information Technology
• These processes include website optimization and maintenance of online security, including cloud-based software.
• Marketing/Sales
• These processes include marketing Expath’s services to potential customers and clients and managing sales activities.

Specific information about you is required for specific processes. The relevant data used in each process is listed below:

• Accounting/Finance Processes
• Class Information
• Current Employer
• Orders
• Financial Identification
• Personal Identification Data
• Language Student Booking
• Class Information
• Current Employer
• Data on Presence and Absence
• Hardware Use
• Personal Identification Data
• Location Data
• Quality Control
• Personal Identification Data
• Information Technology
• Hardware Use
• Electronic ID Data
• Marketing/Sales
• Images/Photographs
  

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Commerzbank
• Overview: A universal bank with an online banking system.
• Security Characteristics:
• In order to make and receive payments via bank, Expath uses Commerzbank (Commerzbank AG, Kaiserplatz 60261 Frankfurt am Main, Germany).
• When making a transaction via bank with Expath, Commerzbank collects a few types of personal data. This data includes your name, address, contact data, place of birth, nationality, date of transaction, legitimization data (ID cards), and authentication data (signatures). Contractual data, like payment orders, advertising data, and information about your financial status may also be stored by Commerzbank.
• Commerzbank uses this data for a variety of reasons. Most of these reasons relate to internal management and analysis of service functionality. Other reasons include the prevention and investigation of criminal acts, advertising or marketing (which can be limited by you if you object to this), and legal accountability.
• Commerzbank may transfer your information to third parties. These third parties must comply with GDPR regulations, as well as contractual and statutory obligations. Data is transferred to Commerzbank’s service providers and agents in categories such as banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation, and sales and marketing.
• You can object to any of these processes by contacting Commerzbank directly. Expath does not take part in the data processing mentioning above, and does not control what Commerzbank does with your data.
• Further information on the purpose and scope of data collection and processing by Commerzbank can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Edoobox
• Overview: An online booking system where clients can register for courses and pay immediately.
• Security Characteristics:
• Data of internal language course participants is recorded in and managed by Edoobox (Etzensperger Informatik AG, Kirchweg 24, CH-3366 Bettenhausen, Switzerland). This service provider uses your personal information solely for the purpose of performing the service you requested from Expath – participating in a language course. Personal data will not be disclosed. A transfer takes place only
• (i) if a participant or organizer gives his explicit consent;
• (ii) if, in the opinion of the service provider, there is a legal obligation to disclose;
• (iii) if necessary to protect the safety of other Edoobox users;
• (iv) if necessary to enforce the terms and conditions or the rights of the service provider, or the like. To make investigations, our employees are required to observe secrecy and to comply with the provisions of the applicable data protection laws.
• Further information on the purpose and scope of data collection and processing by Edoobox can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Website (Hetzner)
• Overview: A website server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics: See above (#2).
• Dropbox
• Overview: A cloud-based file hosting service used as Expath’s file server. Phased out since 2018.
• Security Characteristics:
• Before 2018, purchases of Expath services were recorded in invoices via Dropbox (Dropbox, Inc. 333 Brannan St, San Francisco, CA 94107).
• Dropbox is a file hosting software that Expath used to store a variety of finance-related documents (invoices). Dropbox processes this information, and collects certain data for marketing purposes and to optimize their services.
• Expath is not involved in Dropbox’s data processing and no longer actively uses Dropbox.
• Further information on the purpose and scope of data collection and processing by Dropbox can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Analytics
• Overview: A web analytics service operated by Google that tracks and reports website traffic. Expath uses this to track and improve site performance and user experience.
• Security Characteristics:
• Expath uses Google Analytics, a web analytics service. It is operated by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Analytics works through the use of cookies. Cookies are text files that are stored on your computer which allow an analysis of your use of our website. This information is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO.
• Under instructions from Expath, Google will use this information to analyze your use of our website, compile reports on activities on the website, and to provide us with further services relating to use of the platform and internet usage. The IP address transferred by your browser when Google Analytics is used is not connected to any other information Google may possess about you.
• We have activated the IP anonymization feature on this website for Google Analytics. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
• We do not share Google Analytics data without the customer’s authorization (including authorization via settings in the product user interface), or as otherwise expressly permitted under the terms of their Google Analytics agreement, except in limited circumstances when required by law.
• You can prevent cookies from being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of our website. You can also prevent the data generated by cookies about your use of the website (including your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available here.
• Further information on the purpose and scope of data collection and processing by Google can be found in Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Drive
• Overview: A file storage and synchronization service developed by Google. This is used by Expath as an alternate file server, especially in cases where files need to be shared or co-edited externally.
• Security Characteristics:
• In order to keep track of your contact information (including names, emails, phone numbers, etc.) Expath uses Google Drive (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Drive a file storage and synchronization service developed by Google. Google Drive allows users to store files on their servers, synchronize files across devices, and share files.
• Expath creates files in Google Drive with your contact information. This information is never transferred to third parties, and is accessible only by certain Expath employees.
• Google encrypts all files created in Google Drive. This means that no one but us can view what’s inside these files. Google uses AES-256, a secure encryption algorithm without any currently feasible attacks, to encrypt files. Furthermore, Google splits data within each file into chunks, and then encrypts each chunk of data with a specific data key. Only after this process takes place is data stored by Google.
• Expath is not involved in the storage or processing of files stored in Google Drive by Google.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, employees, and freelancers, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• PayPal
• Overview: A US-based online payment system that supports money transfers and is an electronic alternative to checks and money orders.
• Security Characteristics:
• Expath accepts payments via PayPal (PayPal Holdings, Inc., S.à.r.l & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
• PayPal is an online payment processor that supports online money transfers and serves as an alternative to physical checks and money orders. Expath uses PayPal so you can pay for our online services, such as our online workshop, languages, and coaching sessions.
• If you select payment via PayPal, the payment data (credit card number, bank information, etc.) you provide will be supplied to PayPal based on Art. 6 (1) (a) (Consent) and Art. 6 (1) (b) DSGVO (processing for contract purposes). Other information PayPal collects include any information you give them if you choose to register for an account (name, contact information, etc.) or any information you give them if you check out as a guest. PayPal also collects electronic information about your computer, including your IP address, browser used to purchase our services, etc. PayPal collects this data for a variety of reasons, including marketing purposes, to manage internal business needs, to prevent fraud, and to comply with legal obligations.
• PayPal may share your data with select third parties. These parties include other corporations associated with PayPal, companies that perform services for PayPal, with other financial institutions, with legal entities when necessary, and with other users, merchants or provider involved in your transaction. This data is shared for fraud prevention, internal management, protection of personal interests, and is always shared only with your consent. You have the option to revoke your consent at any time with future effect. This action does not affect the processing of data previously collected.
• Expath is not involved in PayPal’s actions regarding your personal data.
• Further information on the purpose and scope of data collection and processing by PayPal can be found in PayPal's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• Social Media
• Overview: Facebook is an online American-based social media and networking service used by Expath as a marketing and communication tool. Twitter is an American online news and social networking service where users post and interact with messages, or “tweets”.
• Security Characteristics:
• Expath currently uses the following social websites: Facebook (Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA) and Twitter (Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA).
• Facebook or Twitter may save the data collected about you as user profiles and use these profiles for the purposes of advertising, market research and/or demand-oriented design of its website. In particular, such analysis may be used to display demand-oriented advertising and to inform other users of the social network about your activities on our website in connection with the plug-in’s offer. You have the right to object to the creation of these user profiles. In order to do so, you must contact Facebook or Twitter to exercise this right.
• Through these plug-ins, Expath intends to offer you the possibility to interact with social networks and other users. The legal basis for the use of the plug-ins is Art. 6 para. 1 S. 1 lit. f GDPR, whereby our legitimate interest is the provision of an interactive and user-friendly web offer.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Facebook and Twitter can be found in Facebook's Privacy Policy and Twitter’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Sofortüberweisung/Klarna
• Overview: A bank payment service that allows cashless payment of products and services through the Internet as an intermediary for online banking transfers.
• Security Characteristics:
• Expath uses Sofortüberweisung (SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany), a bank payment service that allows cashless payment of products and services through the Internet. Sofortüberweisung uses a technical procedure by which you immediately receive a payment confirmation upon using their services. This enables us to deliver services to the customer (you) immediately after ordering.
• If you choose to pay for a service through a bank transfer, your data will be transmitted to Sofortüberweisung. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your bank account PIN and TAN number. Sofortüberweisung then carries out a transfer to Expath after technical verification of your account status and retrieval of additional data to check the account assignment. You are then automatically informed of the execution of the financial transaction.
• Personal data exchanged with Sofortüberweisung includes your first name, last name, address, email address, IP address, telephone number, mobile phone number, and data necessary for payment processing. The transmission of this data is necessary for payment processing and fraud prevention. The personal data exchanged between Sofortüberweisung and Expath is then transmitted by Sofortüberweisung to economic credit agencies. This transmission is intended for reference purposes and creditworthiness checks. Sofortüberweisung also provides personal data to affiliated companies, service providers, and subcontractors as far as is necessary for the fulfillment of contractual obligations or data in order to be processed.
• You are able to revoke consent to the handling of personal data at any time from Sofortüberweisung. A revocation shall not have any effect on your personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Stripe
• Overview: A credit card processing software that allows individuals and businesses to make and receive payments over the Internet.
• Security Characteristics:
• Expath uses Stripe (Stripe, Inc. 510 Townsend Street Francisco, CA 94103, USA), a credit card processor, to help you conveniently pay for a variety of our services.
• If you choose to pay for a service with your credit card, your data will be transmitted to Stripe. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your (or the cardholder’s) name, card number, card expiration date, CVC code, and billing address. Stripe then processes the transaction and you are then automatically informed that the financial transaction has been completed. This information is received and stored directly by Stripe, and is not stored by us during the financial transaction.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• TutorCruncher
• Overview: A business management software for tutoring companies.
• Security Characteristics:
• In order to manage our external language courses, Expath uses TutorCruncher (TutorCruncher The Food Exchange New Covent Garden Market SW8 5EL United Kingdom).
• TutorCruncher is a business management software for tutoring companies. If you are a participating in an external language class in any capacity, we request you or your company upload certain information to TutorCruncher for us to organize language classes, scheduling purposes, and invoice creation.
• TutorCruncher utilizes cookies to customize user experience for their website. When visiting their website, TutorCruncher collects data about your device and the services you use on the website. They use this information for website optimization and service providing. Expath is not involved in the information TutorCruncher collects from individual users.
• Further information on the purpose and scope of data collection and processing by TutorCruncher can be found in TutorCruncher’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Visual Form Builder (WordPress Plugin)
• Overview: A WordPress plugin used to create contact forms for a website.
• Security Characteristics:
• In order to provide contact forms and feedback forms on our website, Expath uses the WordPress plugin Visual Form Builder (M2 Development, LLC, 507 Amherst Avenue Terrace Park, OH 45174, USA).
• Visual Form Builder is a plugin that allows Expath to build and manage forms for our website. When filling out a contact form or a feedback form on our website, your clients will include your name to identify you. This information is then sent to our email server (Hetzner) from Visual Form Builder’s platform.
• Visual Form Builder does not collect information about you, nor does it transmit any information to third parties. We use Visual Form Builder as a platform to collect your information and never transmit this information to employees at Visual Form Builder.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Wordfence Security
• Overview: A WordPress plugin, firewall, and malware scanner that protects websites located on a WordPress domain from a variety of digital threats.
• Security Characteristics: In the interest of protecting our website, Expath uses a WordPress plugin called Wordfence Security (Defiant, Inc., 800 5th Ave Street 4100, Seattle, WA 98104, USA). Wordfence is a firewall and malware scanner that protects websites located on a WordPress domain from a variety of digital threats. It is essential to have some form of firewall when you have a commercial website – Expath.de is constantly under attack by malicious bots and hackers. In order to distinguish malicious visitors from friendly ones, Wordfence uses and collects cookies. These cookies contain your IP address. Wordfence uses this information to distinguish which users have access privileges and also ensure a website’s firewall is set up accordingly.To help you understand which cookies the Wordfence sets to collect your data, we have provided the guide below. Wordfence currently sets three cookies.
• wfwaf-authcookie-(hash) What it does: This cookie is used to perform a capability check of the current user before WordPress has been loaded. Who gets this cookie: This is only set for users that are able to log into WordPress. How this cookie helps: This cookie allows the firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
• wf_loginalerted_(hash) What it does: This cookie is used to notify Wordfence admin when an administrator logs in from a new device or location. Who gets this cookie: This is only set for administrators. How this cookie helps: This cookie helps site owners know whether there has been an admin login from a new device or location.
• wfCBLBypass What it does: Wordfence offers a feature for a site visitor to bypass country blocking by accessing a hidden URL. This cookie helps track who should be allowed to bypass country blocking. Who gets this cookie: When a hidden URL is visited, this cookie is set to verify the user can access the site from a country restricted through country blocking. This will be set for anyone who knows the URL that allows bypass of standard country blocking. This cookie is not set for anyone who does not know the hidden URL to bypass country blocking. How this cookie helps: This cookie gives site owners a way to allow certain users from blocked countries, even though their country has been blocked.
• Expath has entered into a “data processing agreement” with Wordfence. This agreement essentially states that Wordfence will protect your data and will not share it with any third parties. For more information about this processing agreement, click here.
• Further information on the purpose and scope of data collection and processing by Wordfence Security can be found in Wordfence’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Class Information
• Edoobox, Expath Website (Hetzner)
• Current Employer (For company-reimbursed classes)
• Edoobox, Dropbox (purchases before 2018), Lexoffice
• Data on Presence and Absence
• Expath Email Server (Hetzner), Physical copy
• Orders
• All Purchases: Edoobox, Lexoffice, Local physical hard-drive, Physical copy, Tresorit, Dropbox (purchases before 2018)
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Images/Photographs
• Expath Website (Hetzner), Physical copy, Social Media
• Hardware Use
• Purchases: Edoobox, Lexoffice, Local physical hard-drive, Tresorit
• Bank Users: Commerzbank, Sofortüberweisung
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Emails: Expath Email Server (Hetzner)
• Electronic ID Data
• Edoobox, Google Analytics, Wordfence Security (WordPress Plugin)
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Financial Identification
• All Purchases: Physical copy
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Personal Identification Data
• All Clients: Edoobox, Lexoffice
• Company Clients: TutorCruncher
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Refunds: Google Drive
• Location Data
• Edoobox, Local physical hard-drive, Tresorit
• PayPal Users: PayPal

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: all data
• Purpose of Transmission: Fulfill Legal Obligations
• Language Teachers
• Personal Data Transmitted: Class Information, Data on Presence and Absence, Personal Identification Data
• Purpose of Transmission: Language Course Management, Communication with teachers

1) Overview of Data Protection

As an external language course participant at Expath, certain information about you will be collected and stored over the course of your interactions with Expath This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info@expath.de

Phone: +49 (0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Class Information
• Class start date and end date
• Current Employer (Company clients)
• Data on Presence and Absence
• Attendance sheets
• Letters of participation
• Orders (One-on-One clients)
• Date and time of purchase
• Hardware Use
• Date and time of emails
• Financial Identification (One-on-One Clients)
• Bank Users: bank name, bank account number, IBAN, BIC
• Credit Card Users: last four digits of card number, type of card, expiration date
• PayPal Users: PayPal email address
• Use of Media and Means of Communication
• Email address, Phone number
• Personal Identification Data
• Name, title
• Address
• Phone number, email address
• Location Data (One-on-One Clients)
• Current location in Berlin
• Incidental Data*
• Data about minors, Marital status, Family Members, Hobbies and interests, Lifestyle

*[During your correspondence with Expath, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as an external language course participant. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance (One-on-One Clients)
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Language Student Booking
• These processes include language course management, communication with students, class grouping, and lesson scheduling.
• Quality Control
• These processes include evaluation and assurance of the quality and performance of all Expath employees and freelancers.

Specific information about you is required for specific processes. The relevant data used in each process is listed below:

• Accounting/Finance Processes
• Orders
• Financial Identification (One-on-One Clients)
• Personal Identification Data
• Language Student Booking
• Class Information
• Current Employer (Company Clients)
• Data on Presence and Absence
• Hardware Use
• Use of Media and Means of Communication
• Personal Identification Data
• Location Data (One-on-One Clients)
• Quality Control
• Hardware Use
• Personal Identification Data
  

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Commerzbank
• Overview: A universal bank with an online banking system.
• Security Characteristics:
• In order to make and receive payments via bank, Expath uses Commerzbank (Commerzbank AG, Kaiserplatz 60261 Frankfurt am Main, Germany).
• When making a transaction via bank with Expath, Commerzbank collects a few types of personal data. This data includes your name, address, contact data, place of birth, nationality, date of transaction, legitimization data (ID cards), and authentication data (signatures). Contractual data, like payment orders, advertising data, and information about your financial status may also be stored by Commerzbank.
• Commerzbank uses this data for a variety of reasons. Most of these reasons relate to internal management and analysis of service functionality. Other reasons include the prevention and investigation of criminal acts, advertising or marketing (which can be limited by you if you object to this), and legal accountability.
• Commerzbank may transfer your information to third parties. These third parties must comply with GDPR regulations, as well as contractual and statutory obligations. Data is transferred to Commerzbank’s service providers and agents in categories such as banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation, and sales and marketing.
• You can object to any of these processes by contacting Commerzbank directly. Expath does not take part in the data processing mentioning above, and does not control what Commerzbank does with your data.
• Further information on the purpose and scope of data collection and processing by Commerzbank can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Edoobox
• Overview: An online booking system where clients can register for courses and pay immediately.
• Security Characteristics:
• Data of internal language course participants is recorded in and managed by Edoobox (Etzensperger Informatik AG, Kirchweg 24, CH-3366 Bettenhausen, Switzerland). This service provider uses your personal information solely for the purpose of performing the service you requested from Expath – participating in a language course. Personal data will not be disclosed. A transfer takes place only
• (i) if a participant or organizer gives his explicit consent;
• (ii) if, in the opinion of the service provider, there is a legal obligation to disclose;
• (iii) if necessary to protect the safety of other Edoobox users;
• (iv) if necessary to enforce the terms and conditions or the rights of the service provider, or the like. To make investigations, our employees are required to observe secrecy and to comply with the provisions of the applicable data protection laws.
• Further information on the purpose and scope of data collection and processing by Edoobox can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Website (Hetzner)
• Overview: A website server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics: See above (#2).
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, employees, and freelancers, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• PayPal
• Overview: A US-based online payment system that supports money transfers and is an electronic alternative to checks and money orders.
• Security Characteristics:
• Expath accepts payments via PayPal (PayPal Holdings, Inc., S.à.r.l & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
• PayPal is an online payment processor that supports online money transfers and serves as an alternative to physical checks and money orders. Expath uses PayPal so you can pay for our online services, such as our online workshop, languages, and coaching sessions.
• If you select payment via PayPal, the payment data (credit card number, bank information, etc.) you provide will be supplied to PayPal based on Art. 6 (1) (a) (Consent) and Art. 6 (1) (b) DSGVO (processing for contract purposes). Other information PayPal collects include any information you give them if you choose to register for an account (name, contact information, etc.) or any information you give them if you check out as a guest. PayPal also collects electronic information about your computer, including your IP address, browser used to purchase our services, etc. PayPal collects this data for a variety of reasons, including marketing purposes, to manage internal business needs, to prevent fraud, and to comply with legal obligations.
• PayPal may share your data with select third parties. These parties include other corporations associated with PayPal, companies that perform services for PayPal, with other financial institutions, with legal entities when necessary, and with other users, merchants or provider involved in your transaction. This data is shared for fraud prevention, internal management, protection of personal interests, and is always shared only with your consent. You have the option to revoke your consent at any time with future effect. This action does not affect the processing of data previously collected.
• Expath is not involved in PayPal’s actions regarding your personal data.
• Further information on the purpose and scope of data collection and processing by PayPal can be found in PayPal's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• Sofortüberweisung/Klarna
• Overview: A bank payment service that allows cashless payment of products and services through the Internet as an intermediary for online banking transfers.
• Security Characteristics:
• Expath uses Sofortüberweisung (SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany), a bank payment service that allows cashless payment of products and services through the Internet. Sofortüberweisung uses a technical procedure by which you immediately receive a payment confirmation upon using their services. This enables us to deliver services to the customer (you) immediately after ordering.
• If you choose to pay for a service through a bank transfer, your data will be transmitted to Sofortüberweisung. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your bank account PIN and TAN number. Sofortüberweisung then carries out a transfer to Expath after technical verification of your account status and retrieval of additional data to check the account assignment. You are then automatically informed of the execution of the financial transaction.
• Personal data exchanged with Sofortüberweisung includes your first name, last name, address, email address, IP address, telephone number, mobile phone number, and data necessary for payment processing. The transmission of this data is necessary for payment processing and fraud prevention. The personal data exchanged between Sofortüberweisung and Expath is then transmitted by Sofortüberweisung to economic credit agencies. This transmission is intended for reference purposes and creditworthiness checks. Sofortüberweisung also provides personal data to affiliated companies, service providers, and subcontractors as far as is necessary for the fulfillment of contractual obligations or data in order to be processed.
• You are able to revoke consent to the handling of personal data at any time from Sofortüberweisung. A revocation shall not have any effect on your personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Stripe
• Overview: A credit card processing software that allows individuals and businesses to make and receive payments over the Internet.
• Security Characteristics:
• Expath uses Stripe (Stripe, Inc. 510 Townsend Street Francisco, CA 94103, USA), a credit card processor, to help you conveniently pay for a variety of our services.
• If you choose to pay for a service with your credit card, your data will be transmitted to Stripe. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your (or the cardholder’s) name, card number, card expiration date, CVC code, and billing address. Stripe then processes the transaction and you are then automatically informed that the financial transaction has been completed. This information is received and stored directly by Stripe, and is not stored by us during the financial transaction.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• TutorCruncher
• Overview: A business management software for tutoring companies.
• Security Characteristics:
• In order to manage our external language courses, Expath uses TutorCruncher (TutorCruncher The Food Exchange New Covent Garden Market SW8 5EL United Kingdom).
• TutorCruncher is a business management software for tutoring companies. If you are a participating in an external language class in any capacity, we request you or your company upload certain information to TutorCruncher for us to organize language classes, scheduling purposes, and invoice creation.
• TutorCruncher utilizes cookies to customize user experience for their website. When visiting their website, TutorCruncher collects data about your device and the services you use on the website. They use this information for website optimization and service providing. Expath is not involved in the information TutorCruncher collects from individual users.
• Further information on the purpose and scope of data collection and processing by TutorCruncher can be found in TutorCruncher’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Visual Form Builder (WordPress Plugin)
• Overview: A WordPress plugin used to create contact forms for a website.
• Security Characteristics:
• In order to provide contact forms and feedback forms on our website, Expath uses the WordPress plugin Visual Form Builder (M2 Development, LLC, 507 Amherst Avenue Terrace Park, OH 45174, USA).
• Visual Form Builder is a plugin that allows Expath to build and manage forms for our website. When filling out a contact form or a feedback form on our website, your clients will include your name to identify you. This information is then sent to our email server (Hetzner) from Visual Form Builder’s platform.
• Visual Form Builder does not collect information about you, nor does it transmit any information to third parties. We use Visual Form Builder as a platform to collect your information and never transmit this information to employees at Visual Form Builder.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Class Information
• Company Employees & One-on-One Clients: TutorCruncher
• Self-Booking Employees: Edoobox
• Current Employer (Company clients)
• All Company Employees: Lexoffice, TutorCruncher
• Self-Booking Employees: Edoobox, Expath Website (Hetzner)
• Data on Presence and Absence
• Expath Email Server (Hetzner), Local physical hard-drive, Physical copy, Tresorit
• Orders (One-on-One clients)
• All Purchases: Lexoffice, TutorCruncher
• Bank Users: Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Cash Users: Local physical hard-drive, Physical copy, Tresorit
• Hardware Use
• Expath Email Server (Hetzner)
• Financial Identification (One-on-One Clients)
• All Purchases: Expath Email Server (Hetzner) Lexoffice, TutorCruncher
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Use of Media and Means of Communication
• Expath Email Server (Hetzner), TutorCruncher
• Personal Identification Data
• All Clients: TutorCruncher
• Self-Booking Employees: Edoobox
• One-on-One Clients: Lexoffice, Local physical hard-drive, Tresorit
• Bank Users: Commerzbank, Sofortüberweisung
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Location Data (One-on-One Clients)
• Expath Email Server (Hetzner)
  

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: all data
• Purpose of Transmission: Fulfill Legal Obligations
• Language Teachers
• Personal Data Transmitted: Class Information, Current Employer (Company Clients), Data on Presence and Absence, Use of Media and Means of Communication, Personal Identification Data, Location Data (One-on-One Clients)
• Purpose of Transmission: Language Course Management, Communication with teacher

1) Overview of Data Protection

As a relocation client at Expath, certain information about you will be collected and stored over the course of your relationship with us. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info (at) expath.de

Phone: +49 (0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath collects and stores the following information from you on a need-to-know basis:

• Employment Information
• Current employer
• Work responsibilities
• Wage, salary, income, and wealth
• Working hours
• Termination of employment
• Resume Information
• Professional Career
• Professional Qualifications
• Professional Experience
• Educational Career
• Property Information
• Information about your rental property for apartment searches
• Data on Presence and Absence
• Your availability
• Orders
• What services you purchased from Expath
• Date ordered
• Images/Photographs
• Passport pictures
• Biometric Identification (Signatures)
• Passports, work permits, etc.
• Data About Family Members (for family relocation)
• Data about minors
• Marital status
• Hardware Use
• Date and time of emails
• Immigration Data
• Visas
• Work permits
• Financial Identification
• Bank users: IBAN, bank name, bank account number, BIC code
• Credit Card users: last four digits of card, type of card, card expiration
• PayPal users: PayPal email address
• Use of Media and Means of Communication
• Email address
• Phone number
• Public Identification Data
• Passport number, Sozialversicherungsnummer
• Personal Details
• Passport Information: Age, sex, date of birth, place of birth, nationality
• Personal Identification Data
• Name, title
• Email address, phone number
• Address
• Travel Plans
• Date of arrival in Germany
• Incidental Data*
• Data about sexuality, Hobbies, interests, and leisure activities, Marital chronology, Ethnic origin/Race, Physical traits

*[During your correspondence with Expath, especially during the visa/work permit application process, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as a relocation client. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Relocation Client Booking
• These processes include relocation services management, scheduling, and communication with relocation clients.
• Quality Control
• These processes include evaluation and assurance of the quality and performance of all Expath employees and freelancers.

Specific information about you is required for specific processes. The relevant data used in each process is listed below:

• Accounting/Finance Processes
• Orders
• Financial Identification
• Personal Identification Data
• Relocation Client Booking
• Employment Information
• Resume Information
• Property Information
• Data about Presence and Absence
• Orders
• Images/Photographs
• Biometric Identification (Signatures)
• Data About Family Members (for family relocation)
• Hardware Use
• Immigration Data
• Use of Media and Means of Communication
• Public Identification Data
• Personal Details
• Personal Identification Data
• Travel Plans
• Quality Control
• Use of Media and Means of Communication
• Personal Identification Data
  

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Commerzbank
• Overview: A universal bank with an online banking system.
• Security Characteristics:
• In order to make and receive payments via bank, Expath uses Commerzbank (Commerzbank AG, Kaiserplatz 60261 Frankfurt am Main, Germany).
• When making a transaction via bank with Expath, Commerzbank collects a few types of personal data. This data includes your name, address, contact data, place of birth, nationality, date of transaction, legitimization data (ID cards), and authentication data (signatures). Contractual data, like payment orders, advertising data, and information about your financial status may also be stored by Commerzbank.
• Commerzbank uses this data for a variety of reasons. Most of these reasons relate to internal management and analysis of service functionality. Other reasons include the prevention and investigation of criminal acts, advertising or marketing (which can be limited by you if you object to this), and legal accountability.
• Commerzbank may transfer your information to third parties. These third parties must comply with GDPR regulations, as well as contractual and statutory obligations. Data is transferred to Commerzbank’s service providers and agents in categories such as banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation, and sales and marketing.
• You can object to any of these processes by contacting Commerzbank directly. Expath does not take part in the data processing mentioning above, and does not control what Commerzbank does with your data.
• Further information on the purpose and scope of data collection and processing by Commerzbank can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Calendar
• Overview: A time management and scheduling calendar service developed by Google.
• Security Characteristics:
• Expath uses Google Calendar (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to keep track of both language school and relocation services scheduling.
• Google Calendar is a time-management and scheduling calendar service developed by Google which allows users to create and edit events. Expath uses Google Calendar internally to schedule appointments, coaching sessions, and list client availability. Information about you typically included in our private Google Calendar includes your name, times available, and a summary of services you requested from us.
• Expath shares information stored in Google Calendar with all Expath employees and coaches. We do not share your data with any third parties from Google Calendar. Expath also does not use Google Calendar to integrate your calendar with ours for scheduling purposes.
• Data uploaded to Google Calendar is encrypted. Google does not have access to unencrypted data, and uses all encrypted data for internal maintenance and advertising purposes. Google does not share any data available on Google Calendar with third parties.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Drive
• Overview: A file storage and synchronization service developed by Google. This is used by Expath as an alternate file server, especially in cases where files need to be shared or co-edited externally.
• Security Characteristics:
• In order to keep track of your contact information (including names, emails, phone numbers, etc.) Expath uses Google Drive (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Drive a file storage and synchronization service developed by Google. Google Drive allows users to store files on their servers, synchronize files across devices, and share files.
• Expath creates files in Google Drive with your contact information. This information is never transferred to third parties, and is accessible only by certain Expath employees.
• Google encrypts all files created in Google Drive. This means that no one but us can view what’s inside these files. Google uses AES-256, a secure encryption algorithm without any currently feasible attacks, to encrypt files. Furthermore, Google splits data within each file into chunks, and then encrypts each chunk of data with a specific data key. Only after this process takes place is data stored by Google.
• Expath is not involved in the storage or processing of files stored in Google Drive by Google.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, employees, and freelancers, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• NitroPro & Smallpdf
• Overview: NitroPro is a software that allows users to convert digital file types into PDF format. Smallpdf is a software that allows users to compress digital files.
• Security Characteristics:
• When compiling your documents to send to local immigration authorities (such as Berlin’s BIS), Expath uses NitroPro (Nitro Software, Inc. of 150 Spear St STE 1500, San Francisco CA 94105) and Smallpdf (Smallpdf GmbH, Zurich).
• NitroPro is a software that allows Expath to convert other digital file types into PDF format. This conversion is necessary for us to submit your documents to local immigration offices. NitroPro allows users to upload and manipulate documents to their server, but does not change the content of these documents themselves. NitroPro is able to see the contents of these documents. Data may be used to recommend services to us to improve our experience with NitroPro.
• Further information on the purpose and scope of data collection and processing by NitroPro can be found in NitroPro’s Privacy Policy. There you will also find more information about your rights as well as options to protect your privacy.
• Smallpdf is a software that allows Expath to compress digital files. This process is also necessary for us to submit your documents to local immigration offices. Smallpdf allows users to upload many documents at the same time to compress them into one file, but Smallpdf does not change the content of these documents. Smallpdf deletes all files uploaded to their server for purposes of compression after one hour, meaning any documents uploaded to Smallpdf are inaccessible to Smallpdf.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Smallpdf’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• PayPal
• Overview: A US-based online payment system that supports money transfers and is an electronic alternative to checks and money orders.
• Security Characteristics:
• Expath accepts payments via PayPal (PayPal Holdings, Inc., S.à.r.l & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
• PayPal is an online payment processor that supports online money transfers and serves as an alternative to physical checks and money orders. Expath uses PayPal so you can pay for our online services, such as our online workshop, languages, and coaching sessions.
• If you select payment via PayPal, the payment data (credit card number, bank information, etc.) you provide will be supplied to PayPal based on Art. 6 (1) (a) (Consent) and Art. 6 (1) (b) DSGVO (processing for contract purposes). Other information PayPal collects include any information you give them if you choose to register for an account (name, contact information, etc.) or any information you give them if you check out as a guest. PayPal also collects electronic information about your computer, including your IP address, browser used to purchase our services, etc. PayPal collects this data for a variety of reasons, including marketing purposes, to manage internal business needs, to prevent fraud, and to comply with legal obligations.
• PayPal may share your data with select third parties. These parties include other corporations associated with PayPal, companies that perform services for PayPal, with other financial institutions, with legal entities when necessary, and with other users, merchants or provider involved in your transaction. This data is shared for fraud prevention, internal management, protection of personal interests, and is always shared only with your consent. You have the option to revoke your consent at any time with future effect. This action does not affect the processing of data previously collected.
• Expath is not involved in PayPal’s actions regarding your personal data.
• Further information on the purpose and scope of data collection and processing by PayPal can be found in PayPal's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• ReloTalent
• Overview: A cloud-based relocation management software that focuses on company and employee relocation.
• Security Characteristics:
• Expath uses ReloTalent to manage relocation clients’ requests and needs, as well as store a variety of sensitive documents (ReloTalent Pte. Ltd 14 Rue d'Uzès 75002 Paris, France).
• ReloTalent is a relocation management software that focuses on company employee relocation. When using ReloTalent’s website, your IP address and other information stored in cookies will be recorded by ReloTalent. ReloTalent stores certain personal data for marketing, legal, and internal management purposes. This information is not collected by Expath, and is processed solely by ReloTalent.
• Expath requests that you upload a variety of sensitive documents to ReloTalent. This information is password-protected, meaning no one except you, your coach, your company, and us can see this information. This information not used by ReloTalent for other purposes not listed above. Personal data can be deleted at any point on ReloTalent’s website.
• Expath is not involved in the processing of your data by ReloTalent. If you object to the collection or processing of your data by ReloTalent, please contact them directly.
• Further information on the purpose and scope of data collection and processing by ReloTalent can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Skype
• Overview: A telecommunications application that specializes in providing video chat and voice calls between computers, tablets, mobile devices, etc. via the Internet. Skype is primarily used by coaches and coaching clients.
• Security Characteristics:
• In order to communicate with remote coaches, clients, and corporate clients face-to-face, Expath uses Skype (Skype Technologies S.A.R.L., Microsoft Corp., 23-29 Rives de Clausen L-2165 Luxembourg City, Luxembourg).
• Skype collects various data when you use their services. This data includes your name, contact data (email, phone number, etc.), credentials, demographic data you provide, interactions through Skype, and images you upload to their platform. Skype uses this information for marketing purposes, customer support, content personalization, safety, communication purposes, and for legal compliance.
• Expath is not involved in any of these processing methods. If you object to the collection or use of your data by Skype, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in Microsoft's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Sofortüberweisung/Klarna
• Overview: A bank payment service that allows cashless payment of products and services through the Internet as an intermediary for online banking transfers.
• Security Characteristics:
• Expath uses Sofortüberweisung (SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany), a bank payment service that allows cashless payment of products and services through the Internet. Sofortüberweisung uses a technical procedure by which you immediately receive a payment confirmation upon using their services. This enables us to deliver services to the customer (you) immediately after ordering.
• If you choose to pay for a service through a bank transfer, your data will be transmitted to Sofortüberweisung. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your bank account PIN and TAN number. Sofortüberweisung then carries out a transfer to Expath after technical verification of your account status and retrieval of additional data to check the account assignment. You are then automatically informed of the execution of the financial transaction.
• Personal data exchanged with Sofortüberweisung includes your first name, last name, address, email address, IP address, telephone number, mobile phone number, and data necessary for payment processing. The transmission of this data is necessary for payment processing and fraud prevention. The personal data exchanged between Sofortüberweisung and Expath is then transmitted by Sofortüberweisung to economic credit agencies. This transmission is intended for reference purposes and creditworthiness checks. Sofortüberweisung also provides personal data to affiliated companies, service providers, and subcontractors as far as is necessary for the fulfillment of contractual obligations or data in order to be processed.
• You are able to revoke consent to the handling of personal data at any time from Sofortüberweisung. A revocation shall not have any effect on your personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Stripe
• Overview: A credit card processing software that allows individuals and businesses to make and receive payments over the Internet.
• Security Characteristics:
• Expath uses Stripe (Stripe, Inc. 510 Townsend Street Francisco, CA 94103, USA), a credit card processor, to help you conveniently pay for a variety of our services.
• If you choose to pay for a service with your credit card, your data will be transmitted to Stripe. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your (or the cardholder’s) name, card number, card expiration date, CVC code, and billing address. Stripe then processes the transaction and you are then automatically informed that the financial transaction has been completed. This information is received and stored directly by Stripe, and is not stored by us during the financial transaction.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Visual Form Builder (WordPress Plugin)
• Overview: A WordPress plugin used to create contact forms for a website.
• Security Characteristics:
• In order to provide contact forms and feedback forms on our website, Expath uses the WordPress plugin Visual Form Builder (M2 Development, LLC, 507 Amherst Avenue Terrace Park, OH 45174, USA).
• Visual Form Builder is a plugin that allows Expath to build and manage forms for our website. When filling out a contact form or a feedback form on our website, Expath requests that you include certain personal data, including your name and contact information. This information is then sent to our email server (Hetzner) from Visual Form Builder’s platform.
• Visual Form Builder does not collect information about you, nor does it transmit any information to third parties. We use Visual Form Builder as a platform to collect your information and never transmit this information to employees at Visual Form Builder.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• WhatsApp
• Overview: A freeware, cross-platform messaging service owned by Facebook that allows users to send and receive text and voice messages.
• Security Characteristics:
• In order to communicate with clients, partners, and freelancers, Expath uses WhatsApp (WhatsApp Inc., Mountain View, California, USA).
• WhatsApp is a freeware, cross-platform messaging service owned by Facebook that allows users to send text and voice messages. When you interact with Expath via WhatsApp, WhatsApp collects and stores certain types of data from you. This information includes your WhatsApp account information (your profile name, phone number, etc.), your connections, usage and log information, device location information, device and connection information, and cookie information (e.g. IP address). This information is kept for service maintenance, safety and security, and commercial messaging. WhatsApp does not store or retain your messages, or messages sent to you by Expath.
• WhatsApp may share some of your data with third-parties. These parties include WhatsApp’s service providers and other Facebook products, if you use them. Expath is not involved in the collection or transmission of your data by WhatsApp.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Freshdesk
• Overview: Freshdesk is a cloud-based customer support software and helpdesk solution.
• Security Characteristics:
• In order to manage customer service requests from customers, Expath employs Freshdesk for their most efficient processing (Freshworks 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, USA)
• If you email us a customer service request or send it to us through one of our webforms, this information is forwarded to the Freshdesk platform. Freshdesk data is securely hosted through Amazon Web Services in dedicated virtual private clouds with perimeter security, role-based access controls and encryption. For complete information on how Freshdesk processes your data, please take a look at Freshworks Data Processing Addendum to its Terms of Service.
• Freshdesk utilizes cookies to customize user experience for their website. When visiting their website, Freshdesk collects data about your device and the services you use on the website. They use this information for website optimization and service providing. Expath is not involved in the information Freshdesk collects from individual users.
• Further information on the purpose and scope of data collection and processing by Freshdesk can be found in the Freshworks Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Employment Information
• Expath Email Server (Hetzner), Local Physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Resume Information
• Expath Email Server (Hetzner), Google Calendar, Local physical hard-drive, Tresorit, Freshdesk
• Property Information
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Data about Presence and Absence
• Google Calendar, Google Drive, Expath Email Server (Hetzner) , Freshdesk
• Orders
• Expath Email Server (Hetzner), Lexoffice, Local physical hard-drive, Physical copy, ReloTalent, Tresorit (up to June 2019) , Freshdesk
• Images/Photographs
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Biometric Identification (Signatures)
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Data About Family Members (for family relocation)
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Hardware Use
• Expath Email Server (Hetzner) , Freshdesk
• Immigration Data
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Financial Identification
• All: Expath Email Server (Hetzner) , Freshdesk
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Use of Media and Means of Communication
• Expath Email Server (Hetzner), Google Drive, Local physical hard-drive, ReloTalent, Skype, WhatsApp, Freshdesk
• Public Identification Data
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Skype, Smallpdf, Tresorit, WhatsApp, Freshdesk
• Personal Details
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Personal Identification Data
• Expath Email Server (Hetzner), Local physical hard-drive, NitroPro, Physical copy, ReloTalent, Smallpdf, Tresorit, Freshdesk
• Travel Plans
• Expath Email Server (Hetzner) , Freshdesk
  

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Business Immigration Services (BIS)
• Personal Data Transmitted: Employment Information, Images/Photographs, Biometric Identification, Data About Family Members (if applicable), Immigration Data, Public Identification Data, Personal Details, Personal Identification Data, Travel Plans
• Purpose of Transmission: Complete Legal Obligations of Visa and/or Work Permit Applications
• Auditors
• Personal Data Transmitted: All data
• Purpose of Transmission: Fulfill Legal Obligations
• Your Freelance Coach
• Personal Data Transmitted: Employment Information, Resume Information, Property Information (if applicable), Data about Presence and Absence, Orders, Images/Photographs, Biometric Identification, Data About Family Members (if applicable), Hardware use, Immigration Data, Use of Media and Means of Communication, Public Identification Data, Personal Details, Personal Identification Data, Travel Plans
• Purpose of Transmission: Fulfillment of Relocation Services and Communication with Coach

1) Overview of Data Protection

As a one-on-one coaching client at Expath, certain information about you will be collected and stored over the course of your relationship with Expath. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info (at) expath.de

Phone: +49(0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: Stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Employment Information
• Current employer
• Resume Information
• Professional Career
• Professional Qualifications
• Professional Experience
• Data on Presence and Absence
• Your availability for coaching sessions
• Orders
• What services you requested
• Date of request
• Images/Photographs
• Photos of coaching sessions
• Data about Family (if applicable)
• Data about minors, Marital status, Family members
• Hardware Use
• Date and time of emails sent and received
• Immigration Data
• Visas, work permits
• Financial Identification
• Bank Users: bank name, bank account number, IBAN, BIC
• Credit Card Users: last four digits of card number, type of card, expiration date
• PayPal Users: PayPal email address
• Personal Identification Data
• Name
• Email address, phone number, Skype name
• Travel Plans
• Date of plans to travel to Germany
• Incidental Data*
• Data about sexuality, Marital chronology

*[During your correspondence with Expath, especially during visa/work permit application process, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as a coaching client. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Relocation Client Booking
• These processes include relocation services management, scheduling, and communication with relocation clients.
• Marketing/Sales
• These processes include marketing Expath’s services to potential customers and clients and managing sales activities.
• Quality Control
• These processes include evaluation and assurance of the quality and performance of all Expath employees and freelancers

Specific information about you is required for specific processes. The relevant data used in each process is listed below:

• Accounting/Finance Processes
• Orders
• Financial Identification
• Personal Identification Data
• Relocation Client Booking
• Employment Information
• Resume Information
• Data on Presence and Absence
• Orders
• Data about Family (if applicable)
• Hardware Use
• Immigration Data
• Personal Identification Data
• Travel Plans
• Marketing/Sales
• Images/Photographs
• Quality Control
• Personal Identification Data

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Commerzbank
• Overview: A universal bank with an online banking system.
• Security Characteristics:
• In order to make and receive payments via bank, Expath uses Commerzbank (Commerzbank AG, Kaiserplatz 60261 Frankfurt am Main, Germany).
• When making a transaction via bank with Expath, Commerzbank collects a few types of personal data. This data includes your name, address, contact data, place of birth, nationality, date of transaction, legitimization data (ID cards), and authentication data (signatures). Contractual data, like payment orders, advertising data, and information about your financial status may also be stored by Commerzbank.
• Commerzbank uses this data for a variety of reasons. Most of these reasons relate to internal management and analysis of service functionality. Other reasons include the prevention and investigation of criminal acts, advertising or marketing (which can be limited by you if you object to this), and legal accountability.
• Commerzbank may transfer your information to third parties. These third parties must comply with GDPR regulations, as well as contractual and statutory obligations. Data is transferred to Commerzbank’s service providers and agents in categories such as banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation, and sales and marketing.
• You can object to any of these processes by contacting Commerzbank directly. Expath does not take part in the data processing mentioning above, and does not control what Commerzbank does with your data.
• Further information on the purpose and scope of data collection and processing by Commerzbank can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Calendar
• Overview: A time management and scheduling calendar service developed by Google.
• Security Characteristics:
• Expath uses Google Calendar (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA) to keep track of both language school and relocation services scheduling.
• Google Calendar is a time-management and scheduling calendar service developed by Google which allows users to create and edit events. Expath uses Google Calendar internally to schedule appointments, coaching sessions, and list client availability. Information about you typically included in our private Google Calendar includes your name, times available, and a summary of services you requested from us.
• Expath shares information stored in Google Calendar with all Expath employees and coaches. We do not share your data with any third parties from Google Calendar. Expath also does not use Google Calendar to integrate your calendar with ours for scheduling purposes.
• Data uploaded to Google Calendar is encrypted. Google does not have access to unencrypted data, and uses all encrypted data for internal maintenance and advertising purposes. Google does not share any data available on Google Calendar with third parties.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Google Drive
• Overview: A file storage and synchronization service developed by Google. This is used by Expath as an alternate file server, especially in cases where files need to be shared or co-edited externally.
• Security Characteristics:
• In order to keep track of your contact information (including names, emails, phone numbers, etc.) Expath uses Google Drive (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Drive a file storage and synchronization service developed by Google. Google Drive allows users to store files on their servers, synchronize files across devices, and share files.
• Expath creates files in Google Drive with your contact information. This information is never transferred to third parties, and is accessible only by certain Expath employees.
• Google encrypts all files created in Google Drive. This means that no one but us can view what’s inside these files. Google uses AES-256, a secure encryption algorithm without any currently feasible attacks, to encrypt files. Furthermore, Google splits data within each file into chunks, and then encrypts each chunk of data with a specific data key. Only after this process takes place is data stored by Google.
• Expath is not involved in the storage or processing of files stored in Google Drive by Google.
• Further information on the purpose and scope of data collection and processing by Google can be found in the Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, employees, and freelancers, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• PayPal
• Overview: A US-based online payment system that supports money transfers and is an electronic alternative to checks and money orders.
• Security Characteristics:
• Expath accepts payments via PayPal (PayPal Holdings, Inc., S.à.r.l & Cie, S.C.A., 22-24 Boulevard Royal, L-2449 Luxembourg).
• PayPal is an online payment processor that supports online money transfers and serves as an alternative to physical checks and money orders. Expath uses PayPal so you can pay for our online services, such as our online workshop, languages, and coaching sessions.
• If you select payment via PayPal, the payment data (credit card number, bank information, etc.) you provide will be supplied to PayPal based on Art. 6 (1) (a) (Consent) and Art. 6 (1) (b) DSGVO (processing for contract purposes). Other information PayPal collects include any information you give them if you choose to register for an account (name, contact information, etc.) or any information you give them if you check out as a guest. PayPal also collects electronic information about your computer, including your IP address, browser used to purchase our services, etc. PayPal collects this data for a variety of reasons, including marketing purposes, to manage internal business needs, to prevent fraud, and to comply with legal obligations.
• PayPal may share your data with select third parties. These parties include other corporations associated with PayPal, companies that perform services for PayPal, with other financial institutions, with legal entities when necessary, and with other users, merchants or provider involved in your transaction. This data is shared for fraud prevention, internal management, protection of personal interests, and is always shared only with your consent. You have the option to revoke your consent at any time with future effect. This action does not affect the processing of data previously collected.
• Expath is not involved in PayPal’s actions regarding your personal data.
• Further information on the purpose and scope of data collection and processing by PayPal can be found in PayPal's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• Skype
• Overview: A telecommunications application that specializes in providing video chat and voice calls between computers, tablets, mobile devices, etc. via the Internet. Skype is primarily used by coaches and coaching clients.
• Security Characteristics:
• In order to communicate with remote coaches, clients, and corporate clients face-to-face, Expath uses Skype (Skype Technologies S.A.R.L., Microsoft Corp., 23-29 Rives de Clausen L-2165 Luxembourg City, Luxembourg).
• Skype collects various data when you use their services. This data includes your name, contact data (email, phone number, etc.), credentials, demographic data you provide, interactions through Skype, and images you upload to their platform. Skype uses this information for marketing purposes, customer support, content personalization, safety, communication purposes, and for legal compliance.
• Expath is not involved in any of these processing methods. If you object to the collection or use of your data by Skype, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in Microsoft's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Social Media (Facebook)
• Overview: Facebook is an online American-based social media and networking service used by Expath as a marketing and communication tool.
• Security Characteristics:
• Expath currently uses the following social websites: Facebook (Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA).
• Facebook may save the data collected about you as user profiles and use these profiles for the purposes of advertising, market research and/or demand-oriented design of its website. In particular, such analysis may be used to display demand-oriented advertising and to inform other users of the social network about your activities on our website in connection with the plug-in’s offer. You have the right to object to the creation of these user profiles. In order to do so, you must contact Facebookto exercise this right.
• Through these plug-ins, Expath intends to offer you the possibility to interact with social networks and other users. The legal basis for the use of the plug-ins is Art. 6 para. 1 S. 1 lit. f GDPR, whereby our legitimate interest is the provision of an interactive and user-friendly web offer.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Facebook and Twitter can be found in Facebook's Privacy Policy.. There you will find more information about your rights as well as options to protect your privacy.
• Sofortüberweisung/Klarna
• Overview: A bank payment service that allows cashless payment of products and services through the Internet as an intermediary for online banking transfers.
• Security Characteristics:
• Expath uses Sofortüberweisung (SOFORT GmbH, Fußbergstraße 1, 82131 Gauting, Germany), a bank payment service that allows cashless payment of products and services through the Internet. Sofortüberweisung uses a technical procedure by which you immediately receive a payment confirmation upon using their services. This enables us to deliver services to the customer (you) immediately after ordering.
• If you choose to pay for a service through a bank transfer, your data will be transmitted to Sofortüberweisung. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your bank account PIN and TAN number. Sofortüberweisung then carries out a transfer to Expath after technical verification of your account status and retrieval of additional data to check the account assignment. You are then automatically informed of the execution of the financial transaction.
• Personal data exchanged with Sofortüberweisung includes your first name, last name, address, email address, IP address, telephone number, mobile phone number, and data necessary for payment processing. The transmission of this data is necessary for payment processing and fraud prevention. The personal data exchanged between Sofortüberweisung and Expath is then transmitted by Sofortüberweisung to economic credit agencies. This transmission is intended for reference purposes and creditworthiness checks. Sofortüberweisung also provides personal data to affiliated companies, service providers, and subcontractors as far as is necessary for the fulfillment of contractual obligations or data in order to be processed.
• You are able to revoke consent to the handling of personal data at any time from Sofortüberweisung. A revocation shall not have any effect on your personal data which must be processed, used or transmitted in accordance with (contractual) payment processing.
• Expath has no influence on the data collected or processed by Facebook and Twitter. If you object to the collection or processing of your data by Facebook or Twitter, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Stripe
• Overview: A credit card processing software that allows individuals and businesses to make and receive payments over the Internet.
• Security Characteristics:
• Expath uses Stripe (Stripe, Inc. 510 Townsend Street Francisco, CA 94103, USA), a credit card processor, to help you conveniently pay for a variety of our services.
• If you choose to pay for a service with your credit card, your data will be transmitted to Stripe. By selecting this payment option, you agree to the transmission of personal data required for payment processing.
• The information sent to Sofortüberweisung initially includes your (or the cardholder’s) name, card number, card expiration date, CVC code, and billing address. Stripe then processes the transaction and you are then automatically informed that the financial transaction has been completed. This information is received and stored directly by Stripe, and is not stored by us during the financial transaction.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Visual Form Builder (WordPress Plugin)
• Overview: A WordPress plugin used to create contact forms for a website.
• Security Characteristics:
• In order to provide contact forms and feedback forms on our website, Expath uses the WordPress plugin Visual Form Builder (M2 Development, LLC, 507 Amherst Avenue Terrace Park, OH 45174, USA).
• Visual Form Builder is a plugin that allows Expath to build and manage forms for our website. When filling out a contact form or a feedback form on our website, Expath requests that you include certain personal data, including your name and contact information. This information is then sent to our email server (Hetzner) from Visual Form Builder’s platform.
• Visual Form Builder does not collect information about you, nor does it transmit any information to third parties. We use Visual Form Builder as a platform to collect your information and never transmit this information to employees at Visual Form Builder.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• WhatsApp
• Overview: A WordPress plugin used to create contact forms for a website.
• Security Characteristics:
• In order to provide contact forms and feedback forms on our website, Expath uses the WordPress plugin Visual Form Builder (M2 Development, LLC, 507 Amherst Avenue Terrace Park, OH 45174, USA).
• Visual Form Builder is a plugin that allows Expath to build and manage forms for our website. When filling out a contact form or a feedback form on our website, Expath requests that you include certain personal data, including your name and contact information. This information is then sent to our email server (Hetzner) from Visual Form Builder’s platform.
• Visual Form Builder does not collect information about you, nor does it transmit any information to third parties. We use Visual Form Builder as a platform to collect your information and never transmit this information to employees at Visual Form Builder.
• Further information on the purpose and scope of data collection and processing by Visual Form Builder can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Freshdesk
• Overview: Freshdesk is a cloud-based customer support software and helpdesk solution.
• Security Characteristics:
• In order to manage customer service requests from customers, Expath employs Freshdesk for their most efficient processing (Freshworks 2950 S. Delaware Street, Suite 201, San Mateo CA 94403, USA)
• If you email us a customer service request or send it to us through one of our webforms, this information is forwarded to the Freshdesk platform. Freshdesk data is securely hosted through Amazon Web Services in dedicated virtual private clouds with perimeter security, role-based access controls and encryption. For complete information on how Freshdesk processes your data, please take a look at Freshworks Data Processing Addendum to its Terms of Service.
• Freshdesk utilizes cookies to customize user experience for their website. When visiting their website, Freshdesk collects data about your device and the services you use on the website. They use this information for website optimization and service providing. Expath is not involved in the information Freshdesk collects from individual users.
• Further information on the purpose and scope of data collection and processing by Freshdesk can be found in the Freshworks Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Employment Information
• Expath Email Server (Hetzner), Google Calendar, Freshdesk
• Resume Information
• Expath Email Server (Hetzner), Google Calendar, Freshdesk
• Data on Presence and Absence
• Expath Email Server (Hetzner), Google Calendar, Freshdesk
• Orders
• All: Expath Email Server (Hetzner), Google Drive, Freshdesk
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Images/Photographs
• Expath Website (Hetzner), Physical copy, Social Media, Freshdesk
• Data about Family (if applicable)
• Expath Email Server (Hetzner), Google Calendar, Freshdesk
• Hardware Use
• Expath Email Server (Hetzner), Freshdesk
• Immigration Data
• Expath Email Server (Hetzner), Google Calendar, Freshdesk
• Financial Identification
• All: Lexoffice, Local physical hard-drive, Tresorit (prior to June 2019), Freshdesk
• Bank Users: Commerzbank, Sofortüberweisung/Klarna
• Credit Card Users: Stripe
• PayPal Users: PayPal
• Personal Identification Data
• Google Calendar, Google Drive, Lexoffice, Local physical hard-drive, Tresorit (up to June 2019), Whatsapp, Freshdesk
• Travel Plans
• Expath Email Server (Hetzner), Google Calendar, Freshdesk

6) Third Parties 

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: all data
• Purpose of Transmission: Fulfill Legal Obligations
• Your Coach
• Personal Data Transmitted: Employment Information, Resume Information, Data on Presence and Absence, Data about Family (if applicable), Hardware Use, Immigration Data, Personal Identification Data, Travel Plans
• Purpose of Transmission: Fulfill Your Relocation Service Needs, Communication with Coach

Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.

1) Overview of Data Protection

As a corporate contact working with Expath, certain information about you will be collected and stored over the course of our business interactions. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info (at) expath.de

Phone: +49(0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: Stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Contractual Information
• Start and end date of partnership
• Biometric Identification (Signatures)
• Current Employer
• Data on Presence and Absence
• Availability via email
• Hardware Use
• Date and time of emails
• ReloTalent activity log
• Use of Media and Means of Communication
• Email address
• Phone number
• Personal Identification Data
• Name
• Phone number, email address
• Incidental Data*
• Job title, Termination of employment

*[During your correspondence with Expath, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as a corporate contact to Expath. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Language Student Booking
• These processes include language course management, communication with students, class grouping, and lesson scheduling.
• Relocation Client Booking
• These processes include relocation services management, scheduling, and communication with relocation clients.
• Information Technology
• These processes include website optimization and maintenance of online security, including cloud-based software.
• Marketing/Sales
• These processes include marketing Expath’s services to potential customers and clients and managing sales activities.
• Specific information about you is required for specific processes. The relevant data used in each process is listed below:
• Accounting/Finance Processes
• Contractual Information
• Current Employer
• Language Student Booking
• Contractual Information
• Current Employer
• Data on Presence and Absence
• Use of Media and Means of Communication
• Personal Identification Data
• Relocation Client Booking
• Contractual Information
• Current Employer
• Data on Presence and Absence
• Use of Media and Means of Communication
• Personal Identification Data
• Information Technology
• Hardware Use
• Marketing/Sales
• Current Employer
• Use of Media and Means of Communication
• Personal Identification Data
  

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• Physical Copies
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• ReloTalent
• Overview: A cloud-based relocation management software that focuses on company and employee relocation.
• Security Characteristics:
• Expath uses ReloTalent to manage relocation clients’ requests and needs, as well as store a variety of sensitive documents (ReloTalent Pte. Ltd 14 Rue d'Uzès 75002 Paris, France).
• ReloTalent is a relocation management software that focuses on company employee relocation. When using ReloTalent’s website, your IP address and other information stored in cookies will be recorded by ReloTalent. ReloTalent stores certain personal data for marketing, legal, and internal management purposes. This information is not collected by Expath, and is processed solely by ReloTalent.
• Expath requests that you upload a variety of sensitive documents to ReloTalent. This information is password-protected, meaning no one except you, your coach, your company, and we can see this information. This information not used by ReloTalent for other purposes not listed above. Personal data can be deleted at any point on ReloTalent’s website.
• Expath is not involved in the processing of your data by ReloTalent. If you object to the collection or processing of your data by ReloTalent, please contact them directly.
• Further information on the purpose and scope of data collection and processing by ReloTalent can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• TutorCruncher
• Overview: A business management software for tutoring companies.
• Security Characteristics:
• Exchange New Covent Garden Market SW8 5EL United Kingdom).
• TutorCruncher is a business management software for tutoring companies. If you are a participating in an external language class in any capacity, we request you or your company upload certain information to TutorCruncher for us to organize language classes, scheduling purposes, and invoice creation.
• TutorCruncher utilizes cookies to customize user experience for their website. When visiting their website, TutorCruncher collects data about your device and the services you use on the website. They use this information for website optimization and service providing. Expath is not involved in the information TutorCruncher collects from individual users.
• Further information on the purpose and scope of data collection and processing by TutorCruncher can be found in TutorCruncher’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Contractual Information
• Expath Email Server (Hetzner), Local physical hard-drive, Physical copy, Tresorit
• Current Employer
• Expath Email Server (Hetzner), ReloTalent, TutorCruncher
• Data on Presence and Absence
• Expath Email Server (Hetzner)
• Hardware Use
• Expath Email Server (Hetzner), ReloTalent
• Use of Media and Means of Communication
• Expath Email Server (Hetzner), Local physical hard-drive, ReloTalent, TutorCruncher, Tresorit
• Personal Identification Data
• Expath Email Server (Hetzner), Local physical hard-drive, ReloTalent, TutorCruncher, Tresorit

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: all data
• Purpose of Transmission: Fulfill Legal Obligations
• Language Teachers
• Personal Data Transmitted: Current Employer, Use of Media and Means of Communication, Personal Identification Data
• Purpose of Transmission: Communication with Teachers

 Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.

1) Overview of Data Protection

As a partner or service provider for Expath, certain information about you will be collected and stored over the course of our business relationship. This information, according to the General Data Protection Regulation, or GDPR, is called “personal data”. Personal data is essentially any data related to you or that could personally identify you in any way, directly or indirectly. At Expath, we take the protection of your data seriously by following GDPR regulations. In general, Expath collects and processes personal data exclusively to fulfill legal and contractual obligations. The following will provide you with a clear overview of what data we collect from you, what we do with that data, and what rights you have under GDPR regulations.

2) Data Controllers

A “data controller” or “data processor” is a person or company who collects and processes personal data. Because we collect your information, Expath is a data controller and data processor. Expath’s information is as follows:

Expath Training & Consulting GmbH (Expath)

Jansastraße 9

12045 Berlin, Germany

Email: info (at) expath.de

Phone: +49(0) 30 880 63 605

Under GDPR, Expath is required to appoint a designated Data Protection Officer (DPO) that you may contact for further questions about Expath’s protection of your data. Expath’s DPO and his contact information is listed below:

Stephan Brenner

Torstraße 117

10119 Berlin, Germany

Email: Stephan.brenner (at) expath.de

Phone: +49(0) 30 437 73 678

3) Data Collection

Expath may collect and store the following information from you:

• Contractual Information (e.g. Commission Partners)
• Start and end date of partnership contract
• Biometric Identification (e.g. Commission Partners)
• Current Employer (e.g. University Partners)
• Data on Presence and Absence
• Availability
• Hardware Use
• Date and time of emails sent and received
• Electronic ID Data
• IP address
• Browser used
• Location of internet service provider
• Use of Media and Means of Communication
• Email
• Phone number
• Skype
• Financial Identification
• Bank account number, IBAN number
• Tax number
• Personal Identification Data
• Name
• Contact information (email, phone number, Skype)
• Address of business
• Location Data
• City of operation
• Incidental Data*
• Termination of employment, accidents and complaints

*[During your correspondence with Expath, you may provide us information we don’t require. We call this “incidental data”. This information typically can’t be separated from other required information you provide us. We do not use this information for any processes listed below.]

4) Data Usage

Expath uses, or processes, your personal data in a few ways. There are several processes that are directly relevant to you as a partner or service provider. These processes are listed below, with descriptions of what they entail.

• Accounting/Finance
• These processes include invoice creation and management, bookkeeping, and fulfillment of legal financial obligations.
• Vendor & Partner Management
• These processes include fulfillment of contractual and legal obligations, communication with partners and service providers, legal financial obligations, and outsourcing client services.
• Information Technology
• These processes include website optimization and maintenance of online security, including cloud-based software.
• Specific information about you is required for specific processes. The relevant data used in each process is listed below:
• Accounting/Finance Processes
• Contractual Information (Commission Partners)
• Current Employer
• Financial Identification
• Personal Identification Data
• Vendor & Partner Management
• Contractual Information (Commission Partners)
• Current Employer
• Data on Presence and Absence
• Hardware Use
• Use of Media and Means of Communication
• Personal Identification Data
• Location Data
• Information Technology
• Hardware Use
• Electronic ID Data
• 
  

5) Retention & Storage

All personal data stored by Expath is kept for 10 years and then deleted, according to our legal obligations. Your data is securely stored by Expath in local storage sites and in different sub-processors. A sub-processor is any business, contractor, or organization that assists us, the data controller or main processor, in processing your personal data.

The storage sites and sub-processors we use to collect and process your data are listed below, with descriptions and their security characteristics:

• Commerzbank
• Overview: A universal bank with an online banking system.
• Security Characteristics:
• In order to make and receive payments via bank, Expath uses Commerzbank (Commerzbank AG, Kaiserplatz 60261 Frankfurt am Main, Germany).
• When making a transaction via bank with Expath, Commerzbank collects a few types of personal data. This data includes your name, address, contact data, place of birth, nationality, date of transaction, legitimization data (ID cards), and authentication data (signatures). Contractual data, like payment orders, advertising data, and information about your financial status may also be stored by Commerzbank.
• Commerzbank uses this data for a variety of reasons. Most of these reasons relate to internal management and analysis of service functionality. Other reasons include the prevention and investigation of criminal acts, advertising or marketing (which can be limited by you if you object to this), and legal accountability.
• Commerzbank may transfer your information to third parties. These third parties must comply with GDPR regulations, as well as contractual and statutory obligations. Data is transferred to Commerzbank’s service providers and agents in categories such as banking services, IT services, logistics, printing services, telecommunication, collection of receivables, consultation, and sales and marketing.
• You can object to any of these processes by contacting Commerzbank directly. Expath does not take part in the data processing mentioning above, and does not control what Commerzbank does with your data.
• Further information on the purpose and scope of data collection and processing by Commerzbank can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Digital Access Pass
• Overview: A WordPress plugin that acts like a virtual shopping cart which allows users to pay by various means (bank, credit card, and PayPal) through a website. It also prevents non-members from accessing certain parts of the website (for example, full-length online workshops).
• Security Characteristics:
• Digital Access Pass is a “shopping cart” plugin that allows website administrators to become digital vendors by selling online products. You’ll interact with Digital Access Pass if you pay for anything through our website, regardless of the method (bank, credit card, PayPal).
• We do not share sensitive information, such as your financial details, to Digital Access Pass. However, Digital Access Pass collects some information automatically. This data includes your name, contact information (email address), postcode, internet preferences, and any other information relevant to customer surveys or marketing.
• Digital Access Pass does not share your data with any third parties. Expath is not involved in Digital Access Pass’ methods of processing your data.
• Further information on the purpose and scope of data collection and processing by Digital Access Pass can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Email Server (Hetzner)
• Overview: An email server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics:
• Our website’s data backups are stored on a physical server in Germany, called Hetzner (Hetzner Online, GmbH Industriestr. 25 91710 Gunzenhausen, Germany).
• All data generated automatically by visiting/using Expath’s website is stored through Hetzner’s web service as a backup. This information usually is stored in a cookie, or a small text files that your internet browser stores on your computer. Information stored via Hetzner from cookies includes your name, contact information, and electronic data (e.g. your computer’s IP address). Hetzner uses this information to regulate internal processes, personalize browsing to your preferences, and for marketing purposes.
• Hetzner may forward your data to their service partners to optimize their services. When required by law, Hetzner will transmit your data to relevant government authorities.
• Expath is not involved in any of these processes. If you object to Hetzner’s use of your data, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Hetzner Online can be found in Hetzner’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Expath Website (Hetzner)
• Overview: A website server created by Hetzner, an Internet hosting company and data center operator based in Germany.
• Security Characteristics: See above (#2).
• Google Analytics
• Overview: A web analytics service operated by Google that tracks and reports website traffic. Expath uses this to track and improve site performance and user experience.
• Security Characteristics:
• Expath uses Google Analytics, a web analytics service. It is operated by Google (Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).
• Google Analytics works through the use of cookies. Cookies are text files that are stored on your computer which allow an analysis of your use of our website. This information is usually transmitted to a Google server in the USA and stored there. Google Analytics cookies are stored based on Art. 6 (1) (f) DSGVO.
• Under instructions from Expath, Google will use this information to analyze your use of our website, compile reports on activities on the website, and to provide us with further services relating to use of the platform and internet usage. The IP address transferred by your browser when Google Analytics is used is not connected to any other information Google may possess about you.
• We have activated the IP anonymization feature on this website for Google Analytics. Your IP address will be shortened by Google within the European Union or other parties to the Agreement on the European Economic Area prior to transmission to the United States. The IP address transmitted by your browser as part of Google Analytics will not be merged with any other data held by Google.
• We do not share Google Analytics data without the customer’s authorization (including authorization via settings in the product user interface), or as otherwise expressly permitted under the terms of their Google Analytics agreement, except in limited circumstances when required by law.
• You can prevent cookies from being stored by selecting the appropriate settings in your browser. However, we wish to point out that doing so may mean you will not be able to enjoy the full functionality of our website. You can also prevent the data generated by cookies about your use of the website (including your IP address) from being passed to Google, and the processing of these data by Google, by downloading and installing the browser plugin available here.
• Further information on the purpose and scope of data collection and processing by Google can be found in Google’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Lexoffice
• Overview: An online accounting software based in Germany. This is used by Expath for all invoicing and financial reporting.
• Security Characteristics:
• In order to manage invoices for clients, employees, and freelancers, Expath uses Lexoffice (Haufe Service Center GmbH & Co. KG, Munzinger Strasse 9 79111 Freiburg, Germany).
• Expath uses Lexoffice to store invoices and all payments made to and from Expath. We use Lexoffice to fulfill our legal obligation to maintain a double-entry bookkeeping system. Double book-keeping essentially means we cross-reference our online transaction information with created invoices coming to or from Expath.
• A variety of personal data is stored by Expath in Lexoffice. Personal data is all stored in payment information you send or give to us, as well as in invoices. This information is never sent to Lexoffice or other third parties. Lexoffice never has access to data we store on its server.
• If you visit Lexoffice’s website for any reason, your electronic information (e.g. information found in digital cookies such as your IP address and browser used) may be stored. Expath is not associated with Lexoffice’s website, nor are we involved in their methods of data processing.
• Further information on the purpose and scope of data collection and processing by Lexoffice can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Local physical hard-drive
• Overview: Non-removable, encrypted hardware storage devices used for local file storage. These usually are located in our local computers.
• Security Characteristics:
• All physical hard drives exist within computers running Windows 10 Professional and have been encrypted using BitLocker software. Thus, data cannot be accessed if hard drives are removed. Accessing hard drives requires individual user login data for the respective computer.
• Physical copy
• Overview: A paper copy of a document stored in a binder in one of Expath’s offices.
• Security Characteristics:
• All binders are kept in a locked cabinet or closet in our office, which is itself locked when not staffed.
• ReloTalent (Partners)
• Overview: A cloud-based relocation management software that focuses on company and employee relocation.
• Security Characteristics:
• Expath uses ReloTalent to manage relocation clients’ requests and needs, as well as store a variety of sensitive documents (ReloTalent Pte. Ltd 14 Rue d'Uzès 75002 Paris, France).
• ReloTalent is a relocation management software that focuses on company employee relocation. When using ReloTalent’s website, your IP address and other information stored in cookies will be recorded by ReloTalent. ReloTalent stores certain personal data for marketing, legal, and internal management purposes. This information is not collected by Expath, and is processed solely by ReloTalent.
• Expath uploads your contact information and name to ReloTalent so our clients can contact you for services we don’t provide but you do. This information is password-protected, meaning no one except you, our clients, and we can see your data. This information not used by ReloTalent for other purposes not listed above. Personal data can be deleted at any point on ReloTalent’s website.
• Expath is not involved in the processing of your data by ReloTalent. If you object to the collection or processing of your data by ReloTalent, please contact them directly.
• Further information on the purpose and scope of data collection and processing by ReloTalent can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Skype
• Overview: A telecommunications application that specializes in providing video chat and voice calls between computers, tablets, mobile devices, etc. via the Internet. Skype is primarily used by coaches and coaching clients.
• Security Characteristics:
• In order to communicate with remote coaches, clients, and corporate clients face-to-face, Expath uses Skype (Skype Technologies S.A.R.L., Microsoft Corp., 23-29 Rives de Clausen L-2165 Luxembourg City, Luxembourg).
• Skype collects various data when you use their services. This data includes your name, contact data (email, phone number, etc.), credentials, demographic data you provide, interactions through Skype, and images you upload to their platform. Skype uses this information for marketing purposes, customer support, content personalization, safety, communication purposes, and for legal compliance.
• Expath is not involved in any of these processing methods. If you object to the collection or use of your data by Skype, please contact them directly.
• Further information on the purpose and scope of data collection and processing by Sofortüberweisung can be found in Microsoft's Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Tresorit
• Overview: An online cloud storage service based in Switzerland and Hungary emphasizing enhanced security and data encryption. This is Expath’s primary data server.
• Security Characteristics:
• Expath uses Tresorit (Tresorit AG Minervastrasse 3, 8032 Zurich) to store a variety of sensitive and non-sensitive documents including but not limited to relocation documents, invoices, and client contact information.
• Tresorit is an online cloud storage program that focuses on privacy and security. Tresorit uses end-to-end encrypted storage, which means Tresorit will never have access to documents uploaded into its server. Other security features Tresorit boasts include encryption at rest and in transit, zero-knowledge authentication, 2-step verification, and HIPAA compliance.
• Further information on the purpose and scope of data collection and processing by Stripe can be found in their Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.
• Wordfence Security
• Overview: A WordPress plugin, firewall, and malware scanner that protects websites located on a WordPress domain from a variety of digital threats.
• Security Characteristics: In the interest of protecting our website, Expath uses a WordPress plugin called Wordfence Security (Defiant, Inc., 800 5th Ave Street 4100, Seattle, WA 98104, USA). Wordfence is a firewall and malware scanner that protects websites located on a WordPress domain from a variety of digital threats. It is essential to have some form of firewall when you have a commercial website – Expath.de is constantly under attack by malicious bots and hackers. In order to distinguish malicious visitors from friendly ones, Wordfence uses and collects cookies. These cookies contain your IP address. Wordfence uses this information to distinguish which users have access privileges and also ensure a website’s firewall is set up accordingly.To help you understand which cookies the Wordfence sets to collect your data, we have provided the guide below. Wordfence currently sets three cookies.
• wfwaf-authcookie-(hash) What it does: This cookie is used to perform a capability check of the current user before WordPress has been loaded. Who gets this cookie: This is only set for users that are able to log into WordPress. How this cookie helps: This cookie allows the firewall to detect logged in users and allow them increased access. It also allows Wordfence to detect non-logged in users and restrict their access to secure areas. The cookie also lets the firewall know what level of access a visitor has to help the firewall make smart decisions about who to allow and who to block.
• wf_loginalerted_(hash) What it does: This cookie is used to notify Wordfence admin when an administrator logs in from a new device or location. Who gets this cookie: This is only set for administrators. How this cookie helps: This cookie helps site owners know whether there has been an admin login from a new device or location.
• wfCBLBypass What it does: Wordfence offers a feature for a site visitor to bypass country blocking by accessing a hidden URL. This cookie helps track who should be allowed to bypass country blocking. Who gets this cookie: When a hidden URL is visited, this cookie is set to verify the user can access the site from a country restricted through country blocking. This will be set for anyone who knows the URL that allows bypass of standard country blocking. This cookie is not set for anyone who does not know the hidden URL to bypass country blocking. How this cookie helps: This cookie gives site owners a way to allow certain users from blocked countries, even though their country has been blocked.
• Expath has entered into a “data processing agreement” with Wordfence. This agreement essentially states that Wordfence will protect your data and will not share it with any third parties. For more information about this processing agreement, click here.
• Further information on the purpose and scope of data collection and processing by Wordfence Security can be found in Wordfence’s Privacy Policy. There you will find more information about your rights as well as options to protect your privacy.

Depending on what it’s being used for, different types of data will be stored in different sub-processors. The following list shows where each category of your personal data is stored:

• Contractual Information (e.g. Commission Partners)
• Expath Email Server (Hetzner), Physical copy
• Current Employer (e.g. University Partners)
• Local physical hard-drive, Tresorit
• Data on Presence and Absence
• Expath Email Server (Hetzner)
• Hardware Use
• Expath Email Server (Hetzner)
• Electronic ID Data
• Google Analytics, Wordfence Security (WordPress Plugin)
• Use of Media and Means of Communication
• Digital Access Pass (WordPress Plugin), Expath Email Server (Hetzner), Expath Website (Hetzner), Physical copy, Skype, Tresorit
• Financial Identification
• Commerzbank, Expath Email Server (Hetzner), Lexoffice, Physical copy
• Personal Identification Data
• All: Expath Email Server (Hetzner), Local physical hard-drive, Skype, Tresorit
• Client Service Partners: Digital Access Pass (WordPress Plugin), Expath Website (Hetzner), ReloTalent, Physical copy
• Commission Partners: Physical copy
• Location Data
• Expath Email Server (Hetzner)

6) Third Parties

In order to perform certain processes, we may transmit some of your personal data to third parties. A third party is a person, organization, or public authority that isn’t you or Expath. The third parties we send your information, the data they receive, and the reason for transmission are listed below:

• Auditors
• Personal Data Transmitted: all data
• Purpose of Transmission: Fulfillment of Legal Obligations
• Relocation Clients
• Personal Data Transmitted: Use of Media and Means of Communication, Personal Identification Data, Location Data
• Purpose of Transmission: Outsourcing Client Services, Communication with Clients

Your data will not be transmitted for any other purpose unless you have given your express permission to do so. Your data will not be disclosed to third parties for advertising purposes without your express consent.