Objective of this data protection declaration
The University of Applied Sciences of the Grisons (hereinafter also referred to as “we” and “us”) collects and processes personal data that concerns you or other people (“third parties”). We use the terms “data” and “personaldata” synonymously in this document.
In this data protection declaration, we describe what we do with your data when you visit www.fhgr.ch and use our services. If necessary, we will notify you promptly and in writing of additional processing activities not mentioned in this data protection declaration.
If you transfer or otherwise disclose to us data about other people, such as family members, employees etc., we shall assume that they have authorised you to do so and that this data is correct. By transferring data regarding third parties to us, you confirm that this is the case.Please also ensure that these third parties are informed about this data protection declaration.
We take the protection of your data very seriously. We treat your data as confidential and process it in accordance with the legal data protection regulations and this data protection declaration.
This data protection declaration is based on the provisions of the EU General Data Protection Regulation (GDPR), the Cantonal Data Protection Act of the Grisons (CDPAG), the Swiss Data Protection Act (DPA) and the revised Swiss Data Protection Act (revDPA). Whether and to what extent these laws apply depends on the individual case.
The responsible body in the sense of the data protection laws is:
University of Applied Sciences of the Grisons
You can also use these contact details to exercise your rights (see below).
Revised data categories
The provider of this website collects and stores information that your browser transfers to us automatically in server log files. Specifically:
- browser type and browser version
- operating system used
- referrer URL
- hostname of the computer used
- time of the server request
This data cannot be associated with a specific person. This data is not merged with other data sources. We reserve the right to check this data if we become aware of concrete evidence of unlawful use.
If you send us an enquiry via our contact form, your details from the contact form, including the contact details you provide in the form, shall be stored by us for as long as is required to process it for the purposes of dealing with the enquiry and for use in the case of follow-up queries. We will not pass this data on without your consent.
If you wish to receive the newsletter offered on this website, we require an e-mail address from you, as well as information that enables us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. No further data is collected. We use this data exclusively for the purpose of sending the information requested and do not pass it on to third parties.
You may revoke your consent for us to store the data as required for processing as well as your consent for us to store and use the e-mail address to send the newsletter at any time using the unsubscribe link in the newsletter.
We use third-party e-mail marketing services to send our newsletter. Our newsletter therefore contains what is known as a web beacon or similar technical means. A web beacon is an invisible 1x1 pixel-size graphic that is linked to the user ID of the relevant newsletter subscriber. This pixel is only activated when the pictures in the newsletter are displayed. Appropriate services enable us to evaluate whether e-mails containing our newsletter have been opened. The click behaviour of newsletter recipients can also be recorded and evaluated. We use this data for statistical purposes and to optimise the newsletter in terms of its content and structure. This enables us to better align the information and offers in our newsletter with the interests of our readers. The web beacon is deleted if you delete the newsletter. The data is stored by us for as long as is necessary for processing. To prevent tracking pixels in our newsletter, please configure your mail client in such a way that HTML is not displayed in messages.
Purpose of data processing
We process your data for the purposes explained below. These purposes and the objectives behind them constitute the legitimate interests of ourselves and, where applicable, third parties. Below, you will find further information on the legal bases.
We process your data for purposes in connection withour communications with you, in particular to answer queries, for registering for University of Applied Sciences of the Grisons events, for exercising your rights, and to contact you in the event of follow-up queries. To do this, we use communication data and master data in particular, as well as registration data associated with the services you use. We store this data in order to document our communications with you, for training purposes, for quality assurance and for enquiries.
We process data for the initiation, administration and performance of contractual relationships.
We process data for marketing purposes and to maintain relationships, for example to send our customers and other contractual partners personalised advertising about our services. This may take the form of newsletters, news e-mails and other regular forms of contact (electronic, postal, telephone), may take place via other channels for which we have your contact information, as well as take place in the context of individual marketing campaigns (e.g. events, competitions). You can decline such forms of contact at any time, or refuse or revoke your consent for us to contact you for advertising purposes. With your consent, we can better tailor our online advertising to you. We also want to enable our contractual partners to approach our customers and other contractual partners for advertising purposes.
Furthermore, we process your data for market research purposes to help us improve our services and operations.
We can also process your data for security purposes and to facilitate access controls.
We process personal data to comply with laws, directives and recommendations from authorities and our internal rules (compliance).
We can process your data for other purposes, for example in the context of our internal processes and administration or for training and quality assurance purposes.
Basis for processing personal data
Personal data is an umbrella term for all information that refers to a specific or identifiable person. A data subject is a person whose personal data is processed. Processing refers to any form of handling personal data, regardless of the tools and procedures used, in particular the retention, disclosure, collection, deletion, storage, amendment, destruction and use of personal data.
By using this website, you confirm that you consent to the collection, processing and use of data as described below. This website can be visited without registration. In this case, data such as pages accessed and the name of the file and date and time that it was accessed, may be recorded on the server for statistical purposes without this data being directly connected to you as an individual. Personal data, in particular your name, address and e-mail address, are collected on a voluntary basis wherever possible. Your data is not transferred to third parties without your consent.
We process personal data in line with the cantonal and federal data protection law of Switzerland. We also – provided and to the extent that the EU GDPR applies – process personal data in accordance with the following legal bases in conjunction with Art. 6 (1) GDPR:
- Consent (Art. 6 (1) (a) GDPR) – the data subject has given consent to the processing of his or her personal data for one or more specific purposes.
- Contract fulfilment and queries prior to contract conclusion (Art. 6 (1) (b) GDPR) – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legal obligation (Art. 6 (1) (c) GDPR) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Protection of vital interests (Art. 6 (1) (d) GDPR) – processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Public interest (Art. 6 (1) (e) GDPR) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Legitimate interests (Art. 6 (1) (f) GDPR) – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
- Application process as a pre-contractual or contractual relationship (Art. 9 (2) (b) GDPR) – where special categories of personal data in the sense of Art. 9 (1) GDPR (e.g. health data such as disability information or ethnicity) are requested from applicants so that the controller or the data subject may carry out their obligations and exercise specific rights in the field of employment and social security and social protection law, this data may be processed pursuant to Art. 9 (2) (b) GDPR in the case of protecting the vital interests of the applicants or other persons pursuant to Art. 9 (2) (c) GDPR, or for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to Art. 9 (2) (h) GDPR. In the case of the disclosure of special categories of data based on voluntary consent, this data is processed on the basis of Art. 9 (2) (a) GDPR.
Duration of data processing
We process your data for as long as it is required for the purposes of our processing, to meet our legal storage obligations and to fulfil our legitimate interests for documentation and evidential purposes, or where storage is a technical necessity. Further information on the storage and processing duration for specific data can be found in the individual data categories and the cookie categories below. Where no legal or contractual obligations apply, we delete or anonymise your data once the storage or processing duration has expired in line with our usual processes.
In accordance with the legal regulations and taking into account the latest technology, implementation costs and the type, scope, circumstances and purposes of the processing, as well as the various likelihoods of occurrence of a threat to the rights and freedoms of natural persons, we take suitable technical and organisational measures in order to ensure a level of protection appropriate to the level of risk.
In particular, these measures include ensuring confidentiality, integrity and availability of data by controlling physical and electronic access to the data, as well as the access, input, further disclosure, safeguarding of availability and separation thereof. We have also established procedures that ensure that data subjects’ rights are observed, that data is deleted, and that threats to the data are responded to. Furthermore, we consider the protection of personal data when developing and selecting hardware, software and processes by integrating the principle of data protection into our technology design and using data protection-friendly default settings.
In collaboration with our hosting providers, we endeavour to protect our databases as effectively as possible from external access, loss, misuse and fraud.
This website uses SSL/TLS encryption for security reasons and to protect the transmission of confidential content such as the enquiries you send to us as the website operator. You can determine if your connection is encrypted by looking at the address bar in your browser – “http://” becomes “https://” and a padlock icon will appear.
When SSL or TLS encryption is activated, the data you transfer to us cannot be read by third parties. Please note that data transmission via the internet (e.g. via e-mail) may be subject to gaps in security. It is not possible to ensure that the data is completely secured from access by third parties.
Rights of data subjects
Exercising your rights
You can exercise any of your rights by contacting the responsible body named above.
Right to be informed
Each data subject whose personal data is processed has the right to receive information from us on the personal data stored about them, and to receive a copy of this information free of charge at any time. They have a right to be informed about:
- the purposes for which the data is processed
- the categories of personal data processed
- the recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organisations
- if possible, the duration for which the personal data is to be stored or, if this is not possible, the criteria for determining this duration
- the existence of a right to correction or erasure of the personal data relating to them, or to limit its processing by the controller, or a right to object to this processing
- the existence of a right to lodge a complaint with a supervisory authority
- if the personal data was not collected from the data subject, all available information as to the origin of the data
Furthermore, the data subject has a right to be informed as to whether personal data is transferred to a third country or an international organisation. If this is the case, the data subject also has the right to receive information about the appropriate guarantees relating to this transfer.
Right to rectification
Each data subject whose personal data is processed has the right to request the immediate rectification of incorrect personal data concerning them. Taking into account the purposes of the processing, the data subject further has the right to request the completion of incomplete personal data – including by means of a supplementary declaration.
If you would like to exercise this right to rectification, you can contact our data protection advisor at any time.
Right to erasure (right to be forgotten)
Each data subject whose personal data is processed has the right to request that we delete personal data relating to them immediately, provided one of the following reasons applies:
- the personal data was collected for such purposes or processed in such a way that it is no longer required
- the data subject revokes their consent upon which the processing was based, and there is no other legal basis for the processing
- the data subject appeals against the processing for reasons relating to their personal circumstances, and there are no overriding legitimate reasons for the processing, or, in the case of direct advertising and associated profiling, the data subject objects to the processing
- the personal data was processed unlawfully
- the deletion of the personal data is necessary to fulfil a legal obligation in accordance with the applicable law to which the controller is subject
- the personal data was collected in relation to information society services that were offered directly to a minor
Right to restrict processing
Each data subject whose personal data is processed has the right to request that we restrict the processing of the data if one of the following conditions is met:
- the accuracy of the personal data is disputed by the data subject, in which case the processing may be restricted for a period that allows the controller to verify the accuracy of the personal data
- the processing is unlawful, the data subject declines the erasure of the personal data and instead requests that the use of the personal data is restricted
- the controller no longer requires the data for the purposes of the processing, however the data subject requires it to establish, exercise or defend legal claims
- the data subject has lodged an appeal against the processing for reasons relating to their personal circumstances, and it has not yet been determined whether the controller’s legitimate reasons override those of the data subject
Right to data portability
Each data subject whose personal data is processed has the right to receive the personal data relating to them in a structured, standard and machine-readable format. They also have the right to have this data transferred to another controller where the statutory requirements are met.
Furthermore, the data subject has the right to request that the personal data be transferred directly from one controller to another controller, provided this is technically feasible and this does not affect the rights and freedoms of other persons.
Right to object
Each data subject whose personal data is processed has the right to object to the processing of their personal data at any time for reasons relating to their personal circumstances.
In the event of an objection, we will cease processing the personal data, unless we can demonstrate compelling, justifiable reasons in favour of the processing that override the interests, rights and freedoms of the data subject, or where the processing serves in establishing, exercising or defending legal claims.
Right to withdraw consent in relation to data protection
Each data subject whose personal data is processed has the right to withdraw consent they have granted to process personal data at any time.
Right to lodge a complaint
Each data subject whose personal data is processed has the right to lodge a complaint with the relevant supervisory authority with regard to unlawful data processing. Responsibility is governed under Art. 6 CDPAG.
We distinguish between the following cookie types and functions:
- Temporary cookies (also known as session cookies): Temporary cookies are deleted when a user leaves a webpage and closes their browser at the latest.
- Permanent cookies: Permanent cookies remain even after the browser is closed. This means that, for example, the user’s login status can be stored, or preferred content can be displayed straight away when the user next visits the website. This type of cookie can also be used to store the interests of users, which can then be used to determine reach or for marketing purposes.
- First-party cookies: First-party cookies are set by us.
- Third-party cookies: Third-party cookies are mainly used by advertisers (third parties) in order to process user information.
- Essential cookies: In some cases, cookies can be essential to the operation of a website (e.g. to store logins or other user inputs or for security reasons).
Duration of storage: Where we do not provide specific information as to the storage duration for permanent cookies (e.g. in the context of a cookie opt-in), please assume that the data may be stored for up to two years.
- Types of data processed: usage data (e.g. websites visited, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Data subjects: users (e.g. website visitors, users of online services).
- Legal bases: consent (Art. 6 (1) (1) (a) GDPR), legitimate interests (Art. 6 (1) (f) GDPR).
Transfer of personal data
In the course of our processing of personal data, it may be that the data is transferred to other bodies, companies, legally independent organisational units or persons, or otherwise disclosed to them. The recipients of this data may include entities such as service providers tasked with IT-based services or providers of services and content that are integrated into a website. In such cases, we observe the legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect the data. Please refer to the services listed under “Marketing and tracking services”.
Use of third-party services
Marketing and tracking services
This website uses Google conversion tracking. If you access our website via an advert placed by Google, Google Ads will set a cookie on your computer. The conversion tracking cookie is set when a user clicks on an advert placed by Google. These cookies remain valid for 30 days and are not used for personal identification. If the visitor accesses certain pages of our website and the cookie has not yet expired, we and Google can detect that the user has clicked on the advert and was forwarded to this page. All Google Ads customers receive an individual cookie. Cookies can therefore not be tracked via the websites of Ads customers. The information collected using the conversion cookie is used to generate conversion statistics for Ads customers who have chosen the conversion tracking service. The customers are told the total number of users who have clicked on their advert and been forwarded to a page with a conversion tracking tag. However, they do not receive any information that would enable them to personally identify users.
If you do not wish to participate in tracking, you can prevent cookies from being set for this purpose either through your browser settings, which deactivates the automatic setting of cookies in general, or by configuring your browser so that cookies are blocked.
Please note that you should not delete opt-out cookies if you want to prevent measurement data from being recorded. If you have deleted all of your cookies in your browser, you will have to set the relevant opt-out cookie again.
This website uses the remarketing function provided by Google Inc. The function is designed to present website visitors with advertising related to their interests within the Google advertising network. A cookie is stored in the website visitor’s browser to enable the visitor to be recognised when they access websites that are part of Google’s advertising network. On these pages, the visitor can be presented with advertising that relates to content that the visitor has previously accessed on websites that use Google’s remarketing function.
Google states that it does not collect any personal data as part of this process. However, if you do not want to be included in Google’s remarketing function, you can deactivate this by configuring the corresponding settings at http://www.google.com/settings/ads.
This website uses Google Analytics, a web analytics service provided by Google Ireland Limited. The Google Analytics data processor and recipient of the data is Google Ireland Limited (hereinafter: Google).
We can use the statistics generated from this data to improve our online offering and make it more interesting for you as a user. This website also uses Google Analytics to analyse user flows across devices that share a single user ID. If you have a Google user account, you can deactivate cross-device analysis of your usage in the account settings under “My data”, “Personal data”.
The basis for our use of Google Analytics is our overriding interest. The IP address determined by Google Analytics from your browser is not merged with other data from Google. Please note that on this website, Google Analytics has been expanded with the code “_anonymizeIp();” to ensure anonymised detection of IP addresses. This means that IP addresses are shortened prior to processing, and that they therefore cannot be linked to a specific person. Where data collected about you could be identifiable to you, this is immediately prevented and the personal data immediately anonymised.
The full IP address will only be transferred to a Google server in the US and shortened there in exceptional cases. On behalf of the operator of this website, Google uses this information to analyse your use of the website, compile reports about website activity and provide further services relating to website and internet usage to the website operator.
This stores an opt-out cookie on your device that prevents the processing of personal data by Google Analytics. Please note that if you delete all cookies on your device, these opt-out cookies will also be deleted, i.e. you will have to set these opt-out cookies again if you want to continue preventing this form of data collection. The opt-out cookies are set for each individual browser and computer/device and therefore must be activated on each browser, computer or other device separately.
The tracking solution fusedeck from Capture Media AG (hereinafter Capture Media) is integrated into this website. Capture Media is a Swiss company based in Zurich that we have commissioned to measure usage of this website with respect to engagement and events. This tracking is anonymous, meaning that no links to a specific or identifiable person can be made.
Capture Media also collects form data on this website through fusedeck. This collection is personal. The forms concerned include corresponding information about data protection. This form of collection complies with the Swiss Data Protection Act (DPA) and, provided and to the extent that it applies, the General Data Protection Regulation (GDPR) of the European Union (EU).
Further information about data protection and the rights of data subjects with regard to fusedeck, including opt-out options, can be found in the data protection declaration and instructions for objections.
Social media services
This website uses functions provided by Facebook Inc., 1601 S. California Ave, Palo Alto, CA 94304, USA. When you access our pages with Facebook plugins, a connection is established between your browser and Facebook’s servers. Data is transmitted to Facebook at this stage. If you have a Facebook account, this data can be connected to it. If you do not want this data to be connected to your Facebook account, please log out of Facebook before visiting our site. Interactions, particularly the use of a comment function or clicking a “Like” or “Share” button will also be shared with Facebook. You can find out more at https://www.facebook.com/about/privacy.
This website uses functions provided by Twitter, Inc., 1355 Market St, Suite 900, San Francisco, CA 94103, USA. When you access our pages with Twitter plugins, a connection is established between your browser and Twitter’s servers. Data is transmitted to Twitter at this stage. If you have a Twitter account, this data can be connected to it. If you do not want this data to be connected to your Twitter account, please log out of Twitter before visiting our site. Interactions, particularly clicking a “Retweet” button, will also be shared with Twitter. You can find out more at https://twitter.com/privacy.
Functions provided by the service Instagram are integrated into our website. These functions are offered by Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA. If you are logged into your Instagram account, you can click on the Instagram button to link the content on our pages with your Instagram profile. This enables Instagram to associate your visit to our pages with your user account. Please note that we as the provider of the pages have no knowledge of the content of the data transferred and its usage by Instagram.
Within our online offering, we implement the marketing services of the social network LinkedIn, owned by LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland (hereinafter: LinkedIn).
These services utilise cookies, which are text files that are stored on your computer. They enable us to analyse your use of our website. For example, they help us to measure the success of our advertising and show users products in which they have previously shown an interest.
They also record data such as information about the operating system, browser, the page accessed before coming to our page (referrer URL), which websites the user has accessed, which offers the user has clicked on, and the date and time of their visit to our website.
The information generated by the cookie about your use of this website is pseudonymised before being transferred to a server owned by LinkedIn in the US and stored there. This means that LinkedIn does not store the name or the e-mail address of the respective user. The data specified above is only assigned to the entity for whom the cookie was created. This does not apply if the user has allowed LinkedIn to process their data without pseudonymisation or has a LinkedIn account.
You can prevent the storage of these cookies via a corresponding setting in your browser software; however, we advise you that if you do so, you may not be able to use all of the functions of this website to their full extent. You can also prevent your data from being used in this way directly via the LinkedIn website: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
We use LinkedIn Analytics to analyse use of our website and to make regular improvements to it. We can use the statistics generated from this data to improve our online offering and make it more interesting for you as a user. All LinkedIn companies have accepted the Standard Contractual Clauses to ensure that the data required for the development, performance and maintenance of these services is transferred to the US and Singapore lawfully.
On this website, we use social plugins provided by the social network Pinterest, operated by Pinterest Inc., 808 Brannan Street San Francisco, CA 94103-490, USA (hereinafter: Pinterest). When you access a page that contains one of these plugins, your browser establishes a direct connection to the Pinterest servers. The plugin transmits log data to the Pinterest server in the US. This log data contains information such as your IP address, the address of websites you have visited that also contain Pinterest functions, the type and settings of the browser, date and time of the request, your method of using Pinterest, and cookies.
Functions provided by the service YouTube are integrated into this website. YouTube is part of Google Ireland Limited, a company registered and operated under Irish law, headquartered at Gordon House, Barrow Street, Dublin 4, Ireland, which operates the services in the European Economic Area and Switzerland.
This website uses the Google Maps service. This enables us to display interactive maps directly on our website and enables you to use the map function smoothly. When you visit the website, Google receives the information that you have accessed the corresponding subpage of our website. This happens regardless of whether you are logged into a Google-provided user account or if you do not have an account. If you are logged into Google, your data is linked directly to your account. If you do not want your activity to be assigned to your Google profile, you will need to log out before activating the button. Google stores your data as a user profile and uses it for the purposes of advertising, market research and/or need-based design of Google’s own websites. This analysis takes place in particular (even for users who are not logged in) to provide need-based advertising and to inform other users about your activities on our website. You have the right to object to the creation of this user profile, which you will need to contact Google to exercise. For further information as to the purpose and scope of data collection and its processing by Google, as well as further information on your associated rights and configuration options to protect your privacy, please see: https://www.google.com/policies/privacy/.
Google web fonts
This website uses web fonts provided by Google to ensure that fonts are displayed consistently. When you access a page, your browser loads the necessary web fonts into your browser cache in order to show texts and fonts correctly. If your browser does not support web fonts, a standard font from your computer will be used.
Google Tag Manager
Google Tag Manager is a solution with which we can manage website tags via an interface and so integrate functions such as Google Analytics and other Google marketing services into our online offering. The tag manager itself, which implements the tags, does not process any personal data from users. With regard to the processing of users’ personal data, please refer to the following information about the Google services. Use Policy: https://marketingplatform.google.com/about/analytics/tag-manager/use-policy/.
Note about data transfers to the US
As described above, our website uses tools that are provided by companies headquartered in the US. When these tools are active, your personal data can be transferred to the US servers of the respective companies. Please note that the US is not considered a secure third state in the sense of EU and Swiss data protection legislation. If a recipient is located in a country without appropriate statutory data protection, we contractually oblige the recipient to comply with the applicable data protection standards (using the revised Standard Contractual Clauses produced by the European Commission), unless there is already a legally recognised legal framework for safeguarding data protection, and we cannot utilise an exemption clause. One specific exception to this is during legal proceedings abroad, as well as in cases of overriding public interest or where a contractual development requires such a disclosure – if you have consented – or if the matter relates to data that you have made generally accessible, the processing of which you have not objected to.
We can amend this data protection declaration at any time without notice. The current version published on our website applies. Where this data protection declaration forms part of an agreement with you and there is an update, you will be informed of the change via e-mail or in an otherwise appropriate manner.
Questions for the data protection advisor
If you have any questions about data protection, please send us an e-mail or contact the person responsible for data protection at our organisation named at the start of the data protection declaration.