Data Protection Declaration by and Declaration of Consent for Goethe-Institut e.V.

Goethe-Institut e.V., Oskar-von-Miller-Ring, 18, 80333 Munich ("Goethe-Institut" or "we"), as the operator of the website www.goethe.de (the "Website"), is the controller of the personal data of the users ("you") of the Website as defined in the EU General Data Protection Regulation (GDPR) and the German data protection laws, in particular the Federal Data Protection Act (BDSG) and the German Telecommunications and Digital Services Data Protection Act (TDDDG).

Contents

  1. Use of the Website for information purposes
  2. Data collection and use for the execution of the contract
  3. Registration and Goethe.de account
    a) Data about your person and contents created by you
    b) Personalised marketing
    c) Data publication
    d) Data exchange between the language course management system and the Goethe.de account
    e) Deletion
  4. Cookies and other web analysis technologies
  5. Data collection and use for direct marketing purposes
    a) Postal advertising
    b) Email-Newsletter
  6. Our social media presence on Facebook, Instagram and TikTok
    a) Data processing on our own responsibility
    b) Data processing in shared responsibility with Meta und Tiktok
    c) Contact for questions relating to data protection
    d) Meta and TikTok privacy policies
  7. Social plugins, widgets and embedded videos
    a) Use of Spotify and Soundcloud widgets
    b) Content from social media platforms
        such as X, Instagram und Facebook
    c) YouTube and Vimeo Plugins
  8. WhatsApp Business
  9. Data transfer to other Goethe-Institutes
  10. Data security
  11. Your rights and how to contact us
  12. Right of objection

The Goethe-Institut takes the protection of your data very seriously. In this privacy notice, we would like to inform you, in a transparent manner, about which personal data ("your data") we collect, process and use about you when you visit our Website or use the Goethe-Institute's online services.  
    
 

1. Use of the Website for information purposes

You can visit our Website and use some of our online services without providing any personal information. Whenever you access a web page, the web server automatically stores access data in server log files, which are automatically communicated by your browser, such as the name of the requested file, the last website visited, the date and time of access, the browser used, the amount of data transferred, the IP address, the requesting provider, etc. In the context of data processing on our behalf, a third-party provider renders the services relating to hosting and displaying the Website for us. This service provider has its registered place of business in a country within the European Union or the European Economic Area.

For the purpose of reducing our Website’s loading time, we also use a content delivery network ("CDN"), in which the Website is delivered via the web server of a CDN provider, which works for us in the context of commissioned data processing. Access data is also collected accordingly on the provider's web servers.

All access details are stored for a period of 7 days. This data is analysed exclusively in order to ensure a fault-free operation of the Website and for a fault analysis. The use of a CDN provider and the procedure described here serve to safeguard our overriding legitimate interest in our Website displaying correctly in accordance with Art. 6 (1) sentence 1 f) GDPR.    

 2. Data collection and use for the execution of the contract

We collect personal data if you provide us with this information when contacting us (e.g. via a contact form or email), when registering for a user account ("Goethe.de account") or in the course of your booking, for example when booking a course or examination. Specifically which data is collected and which information is mandatory and which is voluntary can be seen in the respective input forms.

In these cases, we collect and process the data provided by you in order to execute the respective contract, for example to carry out a placement test with regard to your language courses or a language course including a subsequent examination, and to process your enquiries in accordance with Art. 6 (1) sentence 1 b) GDPR. If you have expressly consented to the processing of special categories of data in accordance with Art. 9 (2) a) GDPR, we will collect your health data (e.g. allergies) exclusively for the purpose communicated to you when you gave your consent.

When you book a course or examination, your personal data will be processed in our central language course management system, to which other Goethe Institutes generally have access, unless access is not permitted under local law. This is done to process the contract in accordance with Art. 6 (1) sentence 1 b) GDPR and to safeguard our overriding legitimate interest in valid information and correct data records when a course is booked in accordance with Art. 6 (1) sentence 1 f) GDPR. Insofar as personal data is processed in countries outside the European Union or the European Economic Area in this respect, we have taken measures in the relevant Goethe Institutes to ensure an adequate level of data protection in the respective host country.


After the respective contract has been executed or your user account has been deleted, your data will be blocked for further use and deleted after the expiry of the mandatory retention periods under tax and commercial law. If retention obligations under tax or commercial law do not apply to individual pieces of data, these will be deleted immediately after the respective contract has been executed. The only exceptions to this are if you have expressly consented to further use of your data or we reserve the right to use your data for another purpose that is permitted by law and about which we inform you below.

Your account data in connection with our learning platform will be automatically deleted after three years of non-use.

For the purpose of checking authenticity and issuing replacement certificates, data relating to the examinations you have taken will be stored and used in the central examination archive (for a maximum of 10 years). This will be done on the basis of the performance of the contract in accordance with Art. 6 (1) b) GDPR.   

Data transfer for contract execution
In order to perform the contract, we will pass on your data to the company commissioned with the delivery, insofar as this is necessary for the delivery of ordered goods or the provision of ordered services.

Depending on which payment service provider you select in the order process, we will pass on the payment data collected for this purpose to the bank entrusted with the payment and, if applicable, to the payment service provider commissioned by us or to the selected payment service for the processing of payments. In some cases, the selected payment service providers also collect this data themselves if you set up an account with them. In this case, you must log in to the payment service provider with your access details during the ordering process. The data privacy notice of the respective payment service provider applies in this respect. When you make a booking in our online shop, the payment data you enter will go directly to the commissioned payment service provider. We will have no access to this data at any time.

Insofar as the payment service provider processes your personal data for the purpose of processing payments, e.g. for the processing of credit card payments, as a controller as defined in Art. 4 (7) GDPR, we will provide you with information that the payment service provider must provide in accordance with Art. 13 and Art. 14 GDPR.
The data privacy notices of our payment service providers can be found here:

Paymentwall
PayPal
Nuvei
Worldline

In the course of executing our contracts with you, for example for the provision of language courses, we will sometimes pass on your data to service providers, who will process it on our behalf and within the framework of a contract existing between the Goethe Institute and the respective service provider for commissioned data processing. Such a service provider may, for example, be the provider of software that the Goethe Institute uses to execute the contract.     

3. Registration and Goethe.de account

If you wish to leave comments or make posts, communicate with other users, take part in online courses, use learning platforms, purchase products from the online shop, borrow digital media, book courses or examinations, or use our online services for reference libraries (researching or reserving books, renewing, etc.), you need to register and create a “Goethe.de account”. For the registration, we will process your login data (email address and password), which will give you access to personalised offers from the Goethe Institute, the consents you have given, as well as your country and your preferred language.   

a) Data about your person and contents created by you
In the context of creating the Goethe.de account, only the data that we require to carry out our services or execute any contractual relationship with you is mandatory.

In the context of the execution of this user agreement, we will collect and process the data provided by you for the following purposes in accordance with Art. 6 (1) sentence 1 b) GDPR
  • to check your application for a Goethe.de account
  • to provide the free services in which you participate (blogs, forums, comment function, self-presentation, communities, chats, etc.)
  • to fulfil our obligations from contracts that we have with you (provision of the online courses, the learning platform and the digital media in the context of a lending service, delivery of products from the online shop, execution of courses and examinations, library lending agreements).
You can voluntarily provide further personal information and post content (so-called user generated content) such as a photo of you, texts in the form of blog or forum posts, discussion posts, etc. Specifically which data is collected and which information is mandatory and which is voluntary can be seen in the respective input forms. We process the voluntarily provided data in order to protect the overriding shared interest in a diverse exchange within the framework of our platform in accordance with Art. 6 (1) sentence 1 (f) GDPR.     

b) Personalised marketing
For marketing purposes, we also use the data you provide in your user account for a personalised design of our Website and online services, e.g. a personal homepage and a profile area in which we present offers that will suit you. This serves to safeguard our overriding legitimate interest in the optimal marketing of our services in accordance with Art. 6 (1) sentence 1 f) GDPR. Provided that the corresponding consent has been requested (e.g. consent to the storage of cookies), the data will be processed exclusively on the basis of Art. 6 (1) a) GDPR; the consent can be revoked at any time.  

c) Data publication
Some of the data you store when you use your Goethe.de account is visible to other users. This includes, for example, your name or username, your posts, including the date and time of creation, your group memberships, your friends, your learning lists, your files, your online status, your ratings, the length of your membership, your gender and your guestbook entries. Publication of the data is required in accordance with Art. 6 (1) sentence 1 b) GDPR to enable us to provide you with the contractually agreed functions of our platform.
 

 
d) Data exchange between the language course management system and the Goethe.de account
So that you can view the course and examination information in your Goethe.de account, a data exchange (pairing) takes place between our course and examination management software and your Goethe.de account. In accordance with Art. 6 (1) sentence 1 (f) GDPR, this serves to safeguard our legitimate interest in linking the data records to make a uniform master data management possible for the Goethe Institute and to give you an overview of the courses and examinations you have booked in your Goethe.de account.    

e) Deletion
If you do not confirm your registration within 7 days, your Goethe.de account will be deleted along with the data you provided during registration. If you confirm the registration, a user account will be created as explained here. This does not apply to Goethe.de accounts that were created as part of a booking in the online shop. These will be permanent unless you request that they be deleted. You can delete your Goethe.de account and the data you have stored there at any time, either by sending a message to the contact described below or by using a function that is provided for this purpose in the user account.  

4. Cookies and other web analysis technologies

To make visiting our Website attractive and to enable the use of certain functions, we use cookies and other web analysis technologies on various pages. You can find all the information about these and your settings options in the privacy settings .   

5. Data collection and use for direct marketing purposes

 
a) Postal advertising
We reserve the right to use your first and last name and your postal address for our own marketing purposes, e.g. to send you interesting offers and information on our products by post. This serves to safeguard our overriding legitimate interest in addressing our clients through advertising in accordance with Art. 6 (1) f) GDPR. You can object to the storage and use of your data for these purposes at any time by sending a message to datenschutz@goethe.de.     

b) Email newsletter
If you have subscribed to one of our newsletters, we will process your name, your email address and data in order to send the ordered newsletter to the specified email address and to address you by name, and information about your use of the newsletter in order to understand what information interests you or does not interest you and thus to improve and personalise the content of our newsletter.

In order to obtain information about your use of our newsletter, some of our newsletters contain a “web beacon”, i.e. a pixel-sized file that is loaded by the server used to open the newsletter. We use it to collect technical information such as your browser and your operating system, your IP address, the time at which you received and opened the newsletter and which links in the newsletter you clicked on.

Your data will be processed on the basis of your consent in accordance with Art. 6 (1) sentence 1 (a) GDPR. Consent is voluntary. You can revoke your consent at any time with effect for the future. This ends your newsletter subscription automatically. If no consent is required, your data will be processed on the basis of our legitimate interest in direct marketing in accordance with Art. 6 (1) sentence 1 f) GDPR in conjunction with Section 7 (3) German Act against Unfair Competition (UWG). In the event of business relationships in which the newsletter is part of the contractual service, the legal basis will be Art. 6 (1) (b) GDPR.

If you have not granted separate consent, we will pass on your data to other recipients only if this is permitted or required by German or European law. In the context of mailing the newsletter, it is, for example, possible that newsletter service providers that we have entrusted with support tasks will have access to your data. To ensure that these partners meet their data protection obligations, we set detailed contractual stipulations for handling your data.

Data will only be transmitted to a third country if the European Commission has ascertained that the country in question has an adequate level of data protection, or if the “standard data protection clauses” published by the European Commission (https://eur-lex.europa.eu/legal-content/DE/TXT/?uri=CELEX:32021D0914) have been agreed with the recipient.    

6. Our social media presence on Facebook, Instagram and TikTok

In this section, we will inform you about data processing in connection with your visit to our TikTok, Facebook and Instagram pages (collectively referred to as our “Social Media Pages”).

Within the European Economic Area (EEA), TikTok is a service offered by TikTok Technology Limited, 10 Earlsfort Terrace, Dublin, D02 T380, Ireland (hereinafter referred to as “TikTok”). If you are resident in the United Kingdom, you will have a contract with TikTok Information Technologies UK Limited, 4 Lindsey Street, Barbican, London, EC1A 9HP, United Kingdom. Both companies and other regional entities worldwide are owned by Bytedance Ltd. at P.O. Box 31119 Grand Pavilion, Hibiscus Way, 802 West Bay Road, Grand Cayman, KY1 - 1205 Cayman Islands.

Facebook and Instagram are services offered by Meta Platforms Ireland Ltd., 2/4 Grand Canal Quay, D02 R890 Dublin, Ireland (hereinafter referred to as “Meta”).     

a) Data processing on our own responsibility
The following information in the present subsection a) relates to the processing of your personal data in the context of your visit to our Social Media Pages to the extent that we are solely responsible for this. For data processing for which we share responsibility with Meta and TikTok, see subsection b).

aa)       Purposes, categories of processed data and legal bases
i.          General interactions on our Social Media Pages
You can use various functions on our Social Media Pages (e.g. messenger, comment function, “like” button, “follow” button, etc.) to interact with us.
We will use your personal data for the purpose of replying to you (Art. 6 (1) sentence 1 b) GDPR). This may – depending on your personal settings – include: your username, your profile picture, the date of the interaction, your age, your gender, the language, other data that is visible to us or contents from comments or messages, as well as contents that you publish on your own profile.
If you use functions on our Social Media Pages to give us feedback (e.g. by rating our services, commenting on or “liking” our posts or sending us private messages), we will process your personal data on the basis of Art. 6 (1) sentence 1 f) GDPR to the extent that the processing is necessary to safeguard our legitimate interests or the interests of third parties and such interests are not overridden by your interests that require the protection of data. Our legitimate interests consist in particular in the enhancement our services and offers, in management and improvement of our business processes and marketing measures, in performance analyses and PR communications, and in the improvement of our customer support.

ii.         Direct communication and private messages
You can also contact us via our Social Media Pages if you have questions about specific services, e.g. courses or events offered by the Goethe Institute. We will answer both private messages (messages) and public messages (posts or comments) that are addressed to us. If we have any questions, we will get in touch. Here too, we will use your personal data for the purpose of replying to you (Art. 6 (1) sentence 1 b) GDPR). Where necessary, we will also use your data to ask for permission to communicate with you outside our Social Media Pages, e.g. by email or text message (Art. 6 (1) sentence 1 c) GDPR).

iii.        Competitions
From time to time, we may offer competitions on our Social Media Pages. If you take part in a competition, you will be informed in the course of the competition about how your data will be processed.

iv.        Social media monitoring
The Goethe Institute analyses the posts published in the social media services outside goethe.de or the social media performance data for the purpose of improving the quality and enhancing the content, optimising the marketing activities and identifying possible risks (e.g. political crises or communications crises affecting the Goethe Institute or the consequences of natural phenomena). The social media listening and analytics tool Talkwalker S.à r.l., 16, Avenue Monterey L-2163 Luxembourg, is used for this.

The actions executed by you in the social media services and information provided via your corresponding profiles, including forums, blogs and online news sites, are recorded and analysed. Only publicly accessible information is processed, which can also include individual quotations or personal data such as your username. The analysis serves to protect our overriding legitimate interest, in accordance with Art. 6 (1) sentence 1 f) GDPR, in the optimisation of our services and in information about and early indications of possible political or natural risks.
The personal data is primarily processed in an aggregated form and to pursue the aforementioned purposes. Personal data of individual data subjects is not processed intentionally. It is largely being anonymised in the course of the data processing, and the data will, of course, not be used for the creation of individual user profiles. It is, however, possible that individual quotations will be recorded and used internally to describe a specific marketing activity of the Goethe Institute.

v.         Hyperlinks to websites operated by other providers
Our Social Media Pages and our data privacy notice contain some links to websites operated by other providers. We are not responsible for the data processing on these websites. Please consult the data privacy policies of the other providers to find out how they handle data protection.

bb)      Deletion of your personal data
If we store your contact details and information about your interactions on our Social Media Pages in our customer relationship management system with your consent, we will delete your personal data as soon as you revoke your consent.
We will process the public information on your profile for as long as this is visible on our Social Media Pages.  

b) Data processing in shared responsibility with Meta and TikTok
i.         When you follow our Social Media Pages or click on the “like” button, Meta or TikTok will add your profile to the list of all our “followers” or “friends” and make this available to us. We can only see the public information on your profile. You can decide what personal data is visible on your profile in the settings for the respective profile.
When you visit our Social Media Pages or interact with us there, we will receive statistics about our “followers” or “friends” from Meta or TikTok, respectively.
These may include: your age, gender, location (country and town/city) as well as usage data and technical data, for example the time of your visit, the type of interaction, the duration of the interaction, the interaction frequency, the entry page or the playback time.
We use the statistics to protect our legitimate interests or those of third parties in accordance with Art. 6 Abs. 1 sentence 1 f) GDPR, as we would like to personalise our content and make it more user-friendly, enhance our services and offers and manage and improve our business processes. We also use the statistics for performance analyses and for targeted advertising. In your settings, you have the option of objecting to targeted advertising.
If you are not registered with Facebook, Instagram or TikTok, we will receive no information from Meta or TikTok about your visit or your use of our respective Social Media Page.

ii.         Deletion of your personal data
If we store your contact details and information about your interactions on Facebook, Instagram or TikTok in our customer relationship management system with your consent, we will delete your personal data as soon as you revoke your consent.
We will process the public information on your profile for as long as this is visible on our Social Media Pages.    

c) Contact for questions relating to data protection
For all questions relating to data protection on our Social Media Pages, you can contact datenschutz@goethe.de as well as the contact details provided in the privacy policies of Meta or TikTok, respectively.   

d) Meta and TikTok privacy policies
You can find the TikTok privacy policy at
https://www.tiktok.com/legal/page/eea/privacy-policy/de
You can find the Meta privacy policy at
https://www.facebook.com/privacy/center/.        

7. Social plugins, widgets and embedded videos

Social plugins, widgets and videos from third-party providers are embedded on our Website if you have consented to this in your privacy settings. You can find all the legal information and your settings options in your privacy settings.

In this section, you will find some examples of these technologies in addition to the detailed information in the privacy settings.    

a) Use of Spotify and Soundcloud widgets
On our Website, we use widgets from the Spotify and Soundcloud networks to make our content interactive.   

b) Content from social media platforms such as X, Instagram and Facebook
On our Website, especially in the context of articles by the Goethe Institute, social plugins can be used to display content (posts, comments and/or channels) from X, Instagram and Facebook.

In addition, content from other social networks (e.g. Spotify and Soundcloud) can be displayed using social plugins. Via the social plugins, a direct connection can be established to the servers of the respective network, whereupon data is transmitted to the provider. This can in particular include the following data:
  • Web page visited
  • Browser information
  • Information about the operating system
  • IP address    

c) YouTube and Vimeo Video Plugins
On our Website, content from third parties is integrated via YouTube and Vimeo to make our content interactive.   

8. WhatsApp Business  

We use WhatsApp Business, a service that is provided by WhatsApp Ireland Limited, as a communication channel for replying to external user enquiries. The communication takes place via WhatsApp following a direct contact request from the user.
For this purpose, we only process personal data that users send us with their enquiry or that is displayed by WhatsApp when contact is made (e.g. telephone number, name, profile picture).

To provide this service, WhatsApp Ireland Limited uses other countries, some of which have a registered place of business outside the European Union and the European Economic Area, including WhatsApp LLC and Meta Operations Inc. in the USA.
If personal data is transmitted to countries outside the European Economic Area, Switzerland and the United Kingdom, WhatsApp Ireland Limited has agreed standard data protection clauses, which have been issued by the European Commission for this purpose or are recognised in the Switzerland or the United Kingdom, with the recipients to ensure an adequate data protection level. We will be happy to send you a copy of these agreements on request. Please use the contact details provided below to request one..

We use WhatsApp Business on the basis of our overriding legitimate interest in the provision of a fast means of communication via a global platform. We will delete the personal data collected via WhatsApp Business within four months after replying to your enquiry.    

9. Data transfer to other Goethe-Institutes

Once your Goethe.de account has been set up, administrators of the responsible Goethe Institute abroad will be given access to the data stored in your account. The vast majority of Goethe Institutes are branches of Goethe Institut e.V., which has its registered place of business in Germany, that are not legally independent. Even if we pass on your data to legally independent sponsoring associations, we will ensure that all the requirements for the transmission of your data under data protection law are met.

On the one hand, the data processing serves the purpose of the administrative processing of user data, e.g. rectification/blocking/deletion or assignment of roles and authorisations within the system. The legal basis is the performance of the contract in accordance with Article 6 (1) sentence 1 f) GDPR. Furthermore, in accordance with Art. 6 (1) sentence 1 f) GDPR, this serves to safeguard our overriding legitimate interest in valid information and correct data records in our system. On the other hand, user data (in an anonymised form) can be used to improve our Website. In accordance with Art. 6 (1) sentence 1 f) GDPR, this serves to safeguard our overriding legitimate interest in optimising our services.

Insofar as personal data is transferred to a Goethe Institute in a third country and no adequacy decision has been issued by the European Commission in accordance with Art. 45 (1) GDPR, the data transfer is carried out on the basis of standard data protection clauses issued by the European Commission as appropriate guarantees in accordance with Art. 46 (2) c) GDPR. Copies of the EU standard data protection clauses can be found on the European Commission's website at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_de .

If you are excluded from a Goethe-Institute examination for a reason specified in the examination regulations (PDF, 365 kB) and the Goethe Institute then bans you from taking examinations within the Goethe Institute examination portfolio worldwide, your data will be passed on to the Goethe Institute examination centres (see Section 2 of the examination regulations) worldwide and to examination centres for the Austrian Language Diploma (ÖSD) for the purpose of enforcing this measure (control of compliance with an imposed examination ban) and processed there for this purpose. This will take place on the basis of the execution of the joint contract for the provision of an examination in accordance with Art. 6 (1) b) GDPR. If personal data is processed in countries outside the European Union or the European Economic Area in this respect, this will also be based on the necessity of the transfer for the execution of this contract.   

10. Data security

We take technical and organisational measures to secure our Website and other systems against loss, destruction, access, modification or distribution of your data by unauthorised persons, for example using SSL encryption when you create the Goethe.de account or subsequently log in.  

11. Your rights and how to contact us

As a data subject, you have the following rights:
  • in accordance with Art. 15 GDPR, the right to obtain access to your personal data processed by us to the extent described therein;
  • in accordance with Art. 16 GDPR, the right to obtain the immediate rectification of incorrect or incomplete personal data stored by us;
  • in accordance with Art. 17 GDPR, the right to obtain the erasure of your personal data stored by us, unless further processing is necessary
    • for exercising of the right of freedom of expression and information;
    • for compliance with a legal obligation;
    • for reasons of public interest, or
    • for the establishment, exercise or defence of legal claims
       
  • in accordance with Art. 18 GDPR, the right to obtain restriction of the processing of your personal data, where
    • the accuracy of the data is contested by you;
    • the processing is unlawful, but you oppose its erasure;
      we no longer need the data, but you require it for the establishment, exercise or defence of legal claims, or
    • you have lodged an objection to the processing pursuant to Art. 21 GDPR;
  • in accordance with Article 20 GDPR, the right to receive your personal data that you provided to us in a structured, commonly used and machine-readable format or to request that the data be transferred to another controller;
  • in accordance with Article 77 GDPR, the right to lodge a complaint with a supervisory authority. As a rule, you can contact the supervisory authority of your habitual residence, place of work or our company’s registered office.

If you have any questions about the collection, processing or use of your personal data, if you want to obtain access to or request the rectification, restriction of processing or erasure of data, or if you want to revoke any consents granted, object to a specific use of data or assert your right to data portability, please contact our company data protection officer:

The Data Protection Officer
Goethe-Institut e.V.
Oskar-von-Miller-Ring 18
80333 München
datenschutz@goethe.de
 

12. Right of objection

Insofar as we process personal data as explained above in order to safeguard our overriding legitimate interests, you can object to this processing with effect for the future. If the processing is for direct marketing purposes, you may exercise this right at any time as described above. If the processing is for other purposes, you have the right to object only if there are grounds for this arising from your particular situation.

After exercising your right of objection, we will not process your personal data further for these purposes, unless we can provide evidence of compelling legitimate grounds for the processing that override your interests, rights and freedoms or for the establishment, exercise or defence of legal claims.

This does not apply if the processing is for direct marketing purposes. In this case, we will not process your personal data further for this purpose.