This policy is valid for the following websites that are owned and operated by CEPA Customized Educational Programs Abroad GmbH (hereafter “CEPA”): https://www.cepa-abroad.org and https://news.cepa-abroad.org/. Our websites have been created predominantly to inform faculty members, administrative staff, students, and parents about our services as well as our current and future programs.
The data CEPA collects online:
When you visit our website, you may provide us with two different types of information: personal information that is collected on a voluntary basis and website-use information collected on an aggregate basis.
- Personal information you choose to provide through forms: Contact form, brochure order form, request for proposal forms (Google Forms) – You may provide us with your full name, email address, university / college information, and (in some cases) your phone number and position/department. You also have the option to submit additional comments about your individual interests and needs. CEPA may retain the content of all submitted forms and resulting correspondence together with your name and email address in our database to process your requests and communicate with you.
- Newsletter sign-up – You may also provide us with your full name, email address, and university / college name in order to receive email newsletters from us. We use MailChimp as one of our bulk email services to send email communications. A data processing addendum has been signed. Recipient lists, including email addresses, are stored on MailChimp servers in the USA for the purposes of email newsletter distribution. MailChimp participates in and has certified its compliance with the EU-U.S. Privacy Shield Framework, which commits subscribers to adhering to European standards of data protection. You have the option to unsubscribe from these newsletters at any time by clicking the unsubscribe link in the footer of any email you receive from us or by contacting our office at firstname.lastname@example.org.
- Website-use information: CEPA uses web server logs to collect information regarding how our website is being used. Such collected information may include, but may not be limited to, your IP address, browser type, the date and time of your visit, the pages viewed, and your total time spent on our website. This information will be used to improve our website so that we can maintain our high-quality service as well as provide general statistics related to website usage. This automatically-collected data is used only on an aggregated, anonymous basis and never in conjunction with, or linked to, any information concerning your personal identity.
The data CEPA collects through forms after the booking agreement has been signed and returned:
Generally, the type of personal information we collect is the information that is needed to facilitate program arrangements and bookings as well as to arrange travel related services and/or products on your behalf.
Therefore, we typically process the following types of personal information:
- emergency contact information (such as name, email address, cell phone number);
- passport details;
- information about dietary requirements and relevant health issues (if any); and
- any other details corresponding to your travel arrangements or required by relevant service providers.
Sharing data with third parties:
Your personal information may be stored and processed in any country where we operate or in which we engage with service providers. These include, but may not be limited to, incoming agencies, hotels, airlines, bus companies, and insurance companies that we employ in order to fulfill your program requirements and reservations. By using CEPA services, you understand that your information will be transferred and used only in conjunction with your specific study abroad program. We only provide these companies with data that they require to perform their specific service.
Your information may also be provided to public authorities such as customs or immigration if required by them, or as required by law. Your information is shared under the jurisdiction of applicable laws and regulations. We do not sell or otherwise market your personal data to third parties.
How you can control your data:
You may request access to all information concerning your personal identity that we collect in our database by emailing us at email@example.com. You have the right to rectify any information that you find to be inaccurate. You may also request that we delete personal data from our database.
Occasionally, information that you request to be deleted will be retained in certain files for a period of time within the framework of our legal retention obligations. In addition, some types of information may be stored longer or indefinitely on “back up” systems or within log files due to technical constraints, or financial or legal requirements.
How long your data will be retained:
We will retain your personal data for as long as needed or permitted with regard to the purpose(s) for which it was obtained, consistent with applicable law, and for statutory claims limitation periods where your personal information may be relevant to any possible liability we may have to you.
We are required by law to keep certain records of the collected data for a period of at least 6 years (business letters or documents pursuant to section 257 (1) HGB) or for 10 years (tax-relevant documents in accordance with section 147 (1) AO).
We use encryption (SSL) to protect data transmitted to and from our website. Wherever CEPA collects personal data, we seek to use reasonable technical and organizational security measures to protect all information within our organization from loss, misuse, unauthorized access, disclosure, alteration, hacking attacks, destruction or any other problems which may occur. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. We cannot accept responsibility for any unauthorized access or loss of personal data that is beyond our control.
Confidentiality of processing:
CEPA ensures that any person or entity that is authorized to process customer data will do so under an appropriate obligation of confidentiality.
Security Incident Response:
In the event of a security incident, CEPA will notify affected customers without undue delay and will provide timely information relating to the security incident as it becomes known or as is reasonably requested.
Credit card transactions through CIC Est are processed directly on the CIC Est bank website in encrypted mode. CIC Est takes care of encrypting the digits of your credit card number and all the information submitted during the transaction, so that all the transaction details are encrypted and secured.
Payments through Flywire: Flywire will utilize administrative, technical and physical measures that conform to generally recognized industry best practices to protect the confidentiality, integrity and accessibility of customer data. Any electronic transmission or exchange of data with the platform will be conducted via secure means (using HTTPS, SFTP, or an equivalent protocol).
At no time can CEPA access your bank account or credit card details.
Last updated: March 2019