Welcome to the website of the International University of Health, Exercise and Sports S.A.. This page describes the university’s approach and commitment to the protection of your personal data. In general, the International University of Health, Exercise and Sports S.A.’s website can be used without providing any personal data, however, there are a few pages where you are required to enter personal data, and in these cases, you will be required to give your consent prior to and in order for us to provide you with the services or information you are requesting.
Personal Data is processed in confidence and in line with the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, (General Data Protection Regulation), the additional requirements by the Luxembourg government, the Law of 1 August 2018 on the organisation of the Commission Nationale pour la Protection des Données (“CNPD”), and the university’s internal policies regarding data protection, Lunex Code of Conduct GDPR. In order to implement the appropriate protection of your personal data, we have undertaken technical and organizational measures to ensure that both our employees and external service providers comply with the applicable legal requirements. Internet-based services, however, can be susceptible to previously unknown security vulnerabilities, so absolute protection at any one time cannot be guaranteed. We do our utmost, though, to address these once they are known. You are welcome to transfer personal data to us by alternative means, e.g. by post, telephone or fax, should you not feel completely comfortable with the level of risk of us processing your personal data online.
a) Personal data
Personal data means any information relating to an identified or identifiable natural person (the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
c) Restriction of processing
Restriction of processing means the marking of stored personal data with the aim of limiting its processing in the future.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.
Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
g) Third party
Third party means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, is authorized to process personal data.
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
2. Name and address of the data controller
The persons responsible for data processing pursuant to the General Data Protection Regulation, other data protection laws in the Member States of the European Union and other provisions relating to data protection are:
International University of Health, Exercise and Sports S.A.
50, avenue du Parc des Sports
Phone: +352 288 494-40
3. Name and address of data protection officer
The data controller’s data protection officer is:
Your trust and the protection of your data are important concerns to us. This is why it is important for us to answer any and all questions relating to how your data is protected and used. If you require any information over and above that provided here or have any comments, please do not hesitate to contact us at any time.
4. Rights of data subjects
a) Right to be informed
You have the right to be informed about whether or not personal data concerning you is being processed by a data controller. Where that is the case, you also have the right to be informed of the particulars of the data processing. The right to be informed encompasses the data in question, the purposes for which it is processed, the categories of personal data being processed, and the recipients or categories of recipient to which the personal data is or has been disclosed. It further encompasses the envisaged period for which the personal data will be stored, the origin of the data if it was not collected from you personally, and the existence of any automated decision-making, including profiling. The right to be informed also includes an entitlement to information about the right to rectification or deletion of personal data, and an entitlement to information about the right to lodge a complaint with a supervisory authority.
b) Right to erasure (right to be forgotten)
You have the right to demand from the controller the immediate erasure of personal data concerning you where the following grounds apply and processing is not necessary:
- The purpose for the collection or processing of the data has ceased to exist, or the data is no longer necessary to this end.
- You have exercised your right to object to the processing of your personal data.
- You have withdrawn your consent to data processing and there are no legal grounds to justify continued processing.
- The erasure arises from a legal obligation.
- There is no legal basis for processing the data.
c) Right to data portability
You have the right to receive any personal data concerning you, which you have provided to us as a data controller, in a structured, commonly used, and machine-readable format. You also have the right to transmit this data to another controller without hindrance from the controller to which the personal data was furnished. This right applies where data was processed automatically in the performance of a contract or on the basis of consent. Furthermore, this right encompasses the entitlement to have the personal data transmitted directly from one controller to another, where technically feasible.
d) Right to object
The right to object includes, on one hand, the option of objecting to the processing of your personal data for marketing purposes. You also have the right to object to processing of personal data that was originally obtained lawfully for other purposes.
e) Right to restriction of processing
Under certain conditions, you have the right to demand that the controller place restrictions on your personal data so as to prevent further processing. For instance, such restrictions can be demanded for the duration of the verification process if the accuracy of the stored data is disputed.
f) Right to rectification
The right to rectification comprises your right as a data subject to demand from us, the controller, the immediate rectification of inaccurate personal data concerning you.
5. Legal basis for processing
6. Transfer to third countries
If we process data in a third country (i.e. in a country outside of the European Union or outside of the European Economic Area) or if data is processed in third countries in connection with the use of services rendered by third parties or disclosed or transferred to third countries, this is done solely for the purpose of fulfilling contractual obligations or in preparation to enter into a contract; on the basis of your consent, a legal obligation, or our legitimate interest. We only process, transfer, or have data processed in a third country in compliance with the provisions of Articles 44 ff of the General Data Protection Regulation (GDPR). Processing is carried out, for example, on the basis of special guarantees, such as the verification of a level of data protection comparable to that guaranteed in the European Union (e.g. EU-US Privacy Shield Framework), compliance with officially recognized contractual obligations or evidence of some other, recognized level of data protection (which goes beyond the voluntary commitment of a “safe harbor” arrangement).
7. Cooperation with external data processors and third parties
If, during our processing operations, data is disclosed, transferred, or otherwise made available to other persons and enterprises (external data processors, affiliates of the COGNOS Group, or other third parties), this is always done for a lawful purpose (e. g. when the transfer of payment data to the relevant company within the corporate group is required to fulfill contractual obligations or when address data is transferred to the delivery service for the purpose of sending course materials requested by you, pursuant to Article 6 (1) lit. b GDPR), on the basis of consent, a legal obligation, a legitimate interest, or as necessary for the performance of a data processing contract pursuant to Article 28 GDPR.
8. SSL encryption
We use state-of-the-art HTTPS encryption to ensure that your data is protected during online transfer.
A cookie is a small data file which is transferred from the web server to your device when you browse our website. Cookies only contain information which we or a third party send to your computer; cookies cannot access private data. Accepting cookies does not give us access to your personal information.
Various data is saved in cookies. This is done primarily to store information on the user during or after a visit to a website. There are two main types of cookies: temporary and permanent. Temporary cookies are deleted when the user leaves the website. Permanent cookies remain after the browser has been closed and are used to measure audience reach and analyze user behavior. Some cookies do not originate from the entity responsible for the website, but from third parties. This website uses temporary and permanent cookies. We will explain how these work in this privacy notice.
10. Access data
When you visit our website, access data relating to this event is saved in a log file either by us or by our hosting provider. We collect usage data in connection with your visit, which is saved temporarily for statistical purposes and subsequently deleted. This data is collected for internal purposes only and is not transferred to third parties.
The data includes:
- IP address of the device from which the request is sent
- Date and time of the request
- Access method/function requested by the end device
- Input values transferred by the end device from which the request is sent (e.g. file name)
- Web server access status (file transferred, file not found, command not executed, etc.)
- Name of file requested and data volume transferred
- URL from which the file was requested/the desired function was initiated.
We collect this data on the basis of our legitimate interest in the proper functioning of our IT systems as well as in the interest of data security (investigating cyber-attacks). The stored data is anonymized at the earliest possible opportunity (by deleting the last octet in the IP address) or deleted entirely, and is used solely for the purpose of identifying or tracking unauthorized access or attempts to access the web server. This does not apply to data which must remain stored for evidence purposes . This data does not undergo further evaluation, except for statistical purposes where the data is anonymized. The data is not allocated to specific individuals. Individual user profiles are not created. The data collected in this way is used solely within the scope of the EU GDPR.
11. Collection of user data
In some areas of our website we request certain data that can be unambiguously assigned to you as an individual. This is the case, for example, when you order information material or apply for a place of study with us.
We only collect the data required for the purpose at hand, e.g.:
- Mailing address
- Telephone number
- Email address
- Consent to collection and processing of personal data
For applications for a place on a study program, the following information is also collected:
- Date of birth
- Place of birth
- Country of birth
- University entrance qualifications
The data input masks show exactly what information is required. Data is always encrypted prior to being transferred. Data that you provide under the Request information and Apply now sections of our website is processed using the CRM software solution Salesforce, among other applications. This software is hosted at a location that does not fall within the scope of the EU GDPR. In this regard, the contractual obligations on the part of the provider, which go beyond the minimum requirement to provide a voluntary commitment in the form of a “safe harbor” arrangement and the test certificates provided (see also: trust.salesforce.com/trust) are evidence of an appropriate level of protection. The data collected here is used solely for the purpose of sending information material, for the purpose of direct marketing based on confirmed opt-in, or, in the case of applications for study programs, for the steps required to enter into a contract. Your data is transferred solely to the selected delivery service provider, which in turn uses your personal data for the sole purpose of performing the contract. As you enter your data, access data generated by the provider, such as IP address and date and time of registration, are logged in order to prevent misuse of our services and to help investigate potential offenses. Data will not be transferred for any other purpose, unless a legal obligation to do so exists (for more on this, see Section 10. Access data).
Where data is entered on our website, this is always done on a voluntary basis and solely for the purpose of offering services that require user registration. The relevant data log files can be changed or deleted entirely at any time, provided doing so does not conflict with statutory data retention requirements. Information on your data records will be provided on request. Our data protection officer is at your disposal to assist with this.
12. Direct marketing opt-in (email/telemarketing)
If you have expressly consented to email or telemarketing, we will save the data you submit to us, such as your email address and your first and last name. We will use this data solely to send you information on study programs, events, surveys, prize draws run by companies within the COGNOS Group educational network (including LUNEX International University of Health, Exercise and Sports S.A., Carl Remigius Medical School gemeinnützige GmbH, AMD Akademie Mode & Design GmbH, Ludwig Fresenius Schulen GmbH, Thalamus Schulen GmbH, mentor Personal- und Organisationsentwicklung GmbH) and our cooperation partners from the field of education and training. To receive marketing offers by email, the only information required is your email address. The data you provide will be used solely for marketing, advertising, and, to a lesser extent, our own market research purposes. Subscribers can also be informed by email of circumstances that are relevant for service or registration reasons (e.g. changes in the email service or technical matters).
For proper registration, we require a valid email address. To verify that registration has come from the owner of the email address provided, we use a double opt-in process. To this end, we log your email marketing/telemarketing opt-in consent, the confirmation email sent to you, and the reply requested in it. We also ask you to optionally provide your name so that we can address you personally in our communication. No further data is collected.
You may unsubscribe from the mailing list and/or withdraw your opt-in consent at any time. To do so, simply send an email to email@example.com. You will then receive an email confirming the withdrawal of your opt-in consent.
We use web hosting for the following: platform services, computing capacity, data storage, database services, security settings, and technical maintenance and services necessary to the operation of our website. To this end, we or our web hosting service provider process, on the basis of a legitimate interest in providing an online service pursuant to Art. 6 (1) lit. f GDPR in conjunction with Art. 28 GDPR, user, contact, usage, and contract data as well as meta data and communication data relating to interested parties, applicants, students, and visitors to our website.
14. Analysis, market research, and opinion polling
We analyze our pool of data on business processes, contracts, and queries with a view to identifying market trends and customer and user requirements, and effectively running our business operations. To this end, we process user, contact, usage, and contract data as well as meta data and communication data relating to interested parties, applicants, students, and visitors to our website on the basis of our legitimate interest in maintaining and optimizing our business pursuant to Art. 6 (1) lit. f GDPR. Such analyses are performed for the purpose of business assessments, marketing and sales, and market research. They enable us to optimize our website content and services, making them more user-friendly, and help us optimize our business operations. Insofar as possible, data is anonymized for analysis and profiling. Analysis and profiling results are not disclosed to third parties.
15. Contacting us via our website
When using our contact form to send an inquiry, the data you enter including your contact data is saved for the purpose of processing your request and for any follow-up questions. No data is disclosed to third parties. However, should this become necessary in order to process your inquiry, we will obtain your consent in advance.
16. Deletion and blocking of personal data
We process and save your personal data only insofar as necessary for data storage reasons or as required under the provisions of relevant European directives and/or regulations. Data is stored in compliance with any and all applicable retention periods. Under Regulation (EU) 2016/679 of the
European Parliament and of the Council of 27 April 2016 on the protection of natural persons with
regard to the processing of personal data and on the free movement of such data, and Directive 95/46/EC (General Data Protection Regulation) the statutory data retention period is 10 years or as long as is legally required by laws governing safeguarding, employment and education. Your data will be routinely deleted on expiry of said periods, unless required for the performance of a contract or for acts preparatory to a contract.
17. Google Analytics and target group selection
We use Google Analytics based on a legitimate interest in the analysis and optimization of our marketing activities and, thus, also our economic interests pursuant to Art. 6 (1) lit. f. GDPR. We have taken measures to protect your interests in deciding that the interests of the data controller prevail. We also believe that this can help enhance user-friendliness. Further, we have entered into a data processing contract with Google pursuant to Art. 28 GDPR. Under the agreement we have with Google, user data is deleted or anonymized after 14 months. We have activated the anonymize.ip function. This means that prior to data collection, Google removes the last octet of your IP address within EU Member States or in other countries which are party to the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the US and shortened there. Google’s certification under the EU-US Privacy Shield Framework guarantees that it provides a level of data protection comparable to that guaranteed in the European Union.
18. Google Ads conversion tracking
Our website uses Google Ads, an analytics service provided by Google Inc. of 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.
With the help of this online advertising service, ads are run in search engine results and Google’s advertising network so as to be viewed by users who are presumed to have an interest in them. This enables us to deliver more targeted marketing both for and within our online services and show you ads that are presumed to be within your field of interest. When you open our or other websites belonging to Google’s advertising network, Google generates a code that incorporates web beacons, graphics and codes into the website. As a result, cookies or similar technologies are installed on your device, enabling Google to determine which websites are visited and at what times, what subject matter you are interested in, and the technical specifications of your device (operating system, browser). Each user has a different cookie to ensure that there is no possibility of cookies being tracked anywhere other than on the websites of Google Ads advertisers. Each company that uses Google Ads also receives a conversion cookie. This enables Google to produce statistics for each of the advertisers. All that we receive from Google is statistical data in the form of an anonymized dataset of the total number of users who have responded to one of our campaigns by clicking on the relevant ad, taking them to a website containing a web beacon. We receive no information relating to sensitive data or identifiable persons. Google saves and processes this data solely in the form of a pseudonymous profile containing site usage statistics, i.e. with no name or email address. The ads are not shown to a specific person, but are intended for the owner of the relevant cookie, i.e. the respective site usage profile. For this not to apply, Google must obtain express consent from the user not to apply pseudonymization. The data collected in this case is transmitted to servers in the US, where it is stored. Google is certified under the Privacy Shield Agreement, which provides a guarantee of compliance with European privacy laws. For more details, see https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active.
19. Google Remarketing and target group function
20. Google Tag Manager
21. Google Maps
However, this data is not collected without your consent, which is given regularly via your mobile device settings. Your data may also be transmitted to the US. Google’s certification under the EU-US Privacy Shield Framework, https://policies.google.com/?hl=de. However, this data is not collected without your consent, which is given regularly via your mobile device settings. Your data may also be transmitted to the US. Google’s certification under the EU-US Privacy Shield Framework, https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active, guarantees that it provides a level of data protection comparable to that guaranteed in the European Union.
To opt out of data use by Google, the relevant settings can be changed here: https://adssettings.google.com/authenticated.
22. Facebook pixel
23. Social media presence
To be able to communicate with active customers, interested parties, and users, and keep them updated on the latest news and services in a way that is in keeping with the spirit of our age, we maintain a social media presence. To this end, user data can be processed in countries outside of Europe, where different data protection standards apply. We would therefore like to draw your attention to the fact that this can involve certain risks for the user: For instance, data processing is subject to different requirements in terms of transparency or legal enforcement. User data is also used for market research and advertising purposes. In addition, the data collected, e.g. on user behavior, may be used to deliver targeted content or services or to create user profiles based on the user’s interests. These are in turn used to run targeted, interest-based ads both on social media and through other channels. This information is often collected with the help of cookies installed on user devices and subsequently analyzed according to specific criteria. The individual profile data saved on social media sites can also be linked to the data saved with the help of cookies. Providers certified under the EU-US Privacy Shield Framework are obligated to comply with EU data protection regulations.
The maintenance of a presence on social media and the resulting processing of personal data take place pursuant to Art. 6 (1) lit. f. GDPR on the basis of our legitimate interest in effective, up-to-date information on and communication with users and interested parties. Where consent to data processing has been obtained, processing takes place pursuant to Art. 6 (1) lit. a and Art. 7 GDPR. For details of the individual policies on data processing and opt-out options, we ask that you refer to the individual providers’ specifications. Please note that the most effective way to enforce user rights and obtain information is through the individual providers themselves. Only they hold the relevant databases and have the technical and organizational means to this end. We are happy to assist you further with this where necessary.
Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland)
- Opt-Out: https://www.facebook.com/settings?tab=ads und http://www.youronlinechoices.com,
- Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt0000000GnywAAC&status=Active.
Instagram (Instagram Inc., 1601 Willow Road, Menlo Park, CA, 94025, USA)
Twitter (Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA)
- Opt-Out: https://twitter.com/personalization,
- Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt0000000TORzAAO&status=Active.
Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany)
LinkedIn (LinkedIn Ireland Unlimited Company Wilton Place, Dublin 2, Ireland)
- Opt-Out: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out,
- Privacy Shield Framework: https://www.privacyshield.gov/participant?id=a2zt0000000L0UZAA0&status=Active.
23. Integration of third party services and content
Within our offer on our websites, blogs maintained by us as well as presences in social media, we integrate content and services from third parties on the basis of our legitimate interests in optimisation and economic operation and the interest in analysis in accordance with Art. 6 para. 1 lit. f GDPR. The integration and display of these services requires the perception of the IP address, as information is transmitted to the browser in this case. As far as we can see, we only try to include content from those providers who use the IP address only for the purpose of delivering the content. However, third party providers may collect data for statistical or marketing purposes by using so-called pixel tags or web beacons. In addition, cookies can be set on your end device which collect information about your operating system, the history of the websites visited, times of access and metadata. Under certain circumstances, this pseudonymous user data can also be merged with information from other sources.
Youtube (Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA)
- Opt-Out: https://adssettings.google.com/authenticated
Date: Jul 14, 2020