The following information explains how we process personal data in connection with your use of our website. Personal data means any information relating to an identified or identifiable natural person, such as name, address, e-mail address, online identifiers, or location data. This notice is intended to inform you about our processing activities and to fulfil our legal obligations, in particular pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation: “GDPR”), including the obligation to provide information about the identity and contact details of the controller and the contact details of the designated Data Protection Officer.
The “controller” is the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. As controller, we bear responsibility for ensuring that the processing of your personal data on this website is carried out in compliance with applicable data protection law, and in particular with the GDPR. The controller for this website is:
ISCC System GmbH, Hohenzollernring 72, D-50672 Cologne, Germany
Tel.: +49-221-50802010
https://contact.iscc-system.org/support/home
Responsible persons: Andreas Feige, Dr. Norbert Schmitz
If you wish to exercise your rights under the GDPR (such as the right of access, rectification, erasure, restriction of processing, or data portability) or if you have questions regarding specific processing activities described in this notice, please contact the controller directly using the contact details above.
When you visit our website, we process personal data in various ways. We explain below which data we process, for what purposes, on which legal basis, and for how long we retain it. Where we use cookies or similar technologies that store information in or access information from your terminal device, we indicate this separately and refer to Section 25 of the German Telecommunications and Digital Services Data Protection Act (TDDDG).
Comprehensive information about the cookies we use can be found in the individual settings below. You can withdraw your consent at any time. By clicking “Accept”, you consent to all cookies. By clicking “Save”, you consent to your individual settings. You can access your cookie settings at any time and manage your preferences.
These technologies are used by advertisers to serve advertisements that are relevant to your interests.
The LinkedIn Insight Tag is a JavaScript tag used by ISCC to measure the effectiveness of LinkedIn advertising campaigns, to retarget website visitors, and to gain insights into the professional characteristics of visitors to our website.
LinkedIn Insight Tag (JavaScript pixel); third-party cookies set by LinkedIn Ireland Unlimited Company in the terminal device of the end user.
When the LinkedIn Insight Tag is activated following your consent: IP address (truncated after collection); browser type and version; device information and operating system; referrer URL; URL of the visited page; timestamp; LinkedIn member data (hashed e-mail address, if you are logged into a LinkedIn account at the time of your visit); events and conversion data (e.g. page views, form interactions).
The processing of your personal data in connection with the LinkedIn Insight Tag is carried out on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. The storage of information in the terminal device of the end user or access to information already stored in the terminal device is only permissible if the end user has consented on the basis of clear and comprehensive information. The information provided to the end user and the consent must comply with Regulation (EU) 2016/679. The LinkedIn Insight Tag is only activated after you have given your consent via our cookie settings. You may withdraw your consent at any time with effect for the future by accessing our cookie settings. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
We store your personal data processed in connection with the LinkedIn Insight Tag for as long as you have given your consent and for as long as this is necessary for the purposes described above, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland, acts as an independent controller in respect of the personal data it processes via the LinkedIn Insight Tag. Data may also be processed by LinkedIn Corporation, 1000 W. Maude Avenue, Sunnyvale, CA 94085, USA. Personal data is transferred to the United States of America; the transfer is safeguarded by Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR. Where LinkedIn Corporation holds certification under the EU-US Data Privacy Framework, the transfer is additionally carried out on the basis of the adequacy decision issued by the European Commission pursuant to Art. 45 GDPR (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023).
Data collected via the LinkedIn Insight Tag is processed and stored on the infrastructure of LinkedIn Ireland Unlimited Company within the European Economic Area and, where applicable, on the servers of LinkedIn Corporation in the United States of America (see Recipients above).
YouTube is used to embed videos from ISCC on the website.
Provision of video content (e.g. explainer videos, event recordings, presentations) directly on our website; improvement of the user experience by enabling video playback without leaving the website.
Technologies used: YouTube iframe.
Upon loading (after consent): IP address; browser and device information; referrer URL; unique identifiers. Upon playback and/or if signed into a Google account: viewing behaviour and interaction data (e.g. video progress); Google account data (if logged in).
The processing of your personal data in connection with the embedding of YouTube videos on our website is carried out on the basis of your consent (Art. 6(1)(a) GDPR; § 25(1) TDDDG). The storage of information in the terminal device of the end user or access to information already stored in the terminal device is only permissible if the end user has consented on the basis of clear and comprehensive information. YouTube videos embedded on our website are only loaded and played back after you have given your consent via our cookie settings. Without the processing of your personal data, it is not possible to display the embedded video content. You may withdraw your consent at any time with effect for the future by accessing our cookie settings. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
Up to 2 years.
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data transfer to the USA on the basis of the EU–US Data Privacy Framework (adequacy decision pursuant to Art. 45 GDPR) and Standard Contractual Clauses (Art. 46(2)(c) GDPR).
You are not obliged to consent to the embedding of YouTube videos. The use of embedded video content on our website is entirely voluntary. Without your consent, YouTube videos will not be loaded or displayed; however, all other content and functions of our website remain fully accessible. You may manage or withdraw your consent at any time via our cookie settings.
These technologies are used to analyse how visitors interact with our website in order to improve its content, functionality, and user experience. The storage of information in your terminal device or access to information already stored in your terminal device requires your consent pursuant to § 25(1) TDDDG, unless an exemption under § 25(2) TDDDG applies. You can manage or withdraw your consent at any time via our cookie settings.
Matomo (On-Premise) is an open-source web analytics platform operated on ISCC's own server infrastructure, hosted by Timme Hosting GmbH & Co. KG in Frankfurt, Germany. No data is transferred to third parties in connection with the use of Matomo. Matomo is used for the following purposes: statistical analysis of website usage (e.g. page views, session duration, entry and exit pages, browser type, approximate geographic location); improvement of website content and user experience; evaluation of the effectiveness of our online presence.
Matomo tracking code (JavaScript); first-party tracking cookies; IP anonymisation.
Matomo collects data including: anonymised IP address, pages visited and time of visit, referring website (referrer URL), browser type and version, operating system, screen resolution, and approximate geographic location (country/city level).
The processing of your personal data in connection with Matomo (On-Premise) is carried out on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. The storage of information in the terminal device of the end user or access to information already stored in the terminal device is only permissible if the end user has consented on the basis of clear and comprehensive information. The information provided to the end user and the consent must comply with Regulation (EU) 2016/679. Matomo tracking cookies are only set after you have given your consent via our cookie settings. You may withdraw your consent at any time with effect for the future by accessing our cookie settings. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
We store your personal data processed via Matomo for as long as you have given your consent and for as long as this is necessary for the statistical analysis and improvement of our website, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
Timme Hosting GmbH & Co. KG acts as a processor pursuant to Art. 28 GDPR.
All data processed via Matomo is stored exclusively on ISCC's server infrastructure, hosted by Timme Hosting GmbH & Co. KG in Frankfurt, Germany. No data is transferred to third countries.
Genially is an online platform for the creation and display of interactive content. ISCC uses Genially to embed interactive content elements – including the interactive table of contents – directly on its website.
Genially iframe embed (JavaScript-based)
IP address; browser type and version; device information; referrer URL; user interaction data within the embedded Genially content
The processing of your personal data in connection with the embedding of Genially content on our website is carried out on the basis of your consent pursuant to § 25(1) TDDDG and Art. 6(1)(a) GDPR. The storage of information in the terminal device of the end user or access to information already stored in the terminal device is only permissible if the end user has consented on the basis of clear and comprehensive information. The information provided to the end user and the consent must comply with Regulation (EU) 2016/679. Genially content is only loaded after you have given your consent via our cookie settings. You may withdraw your consent at any time with effect for the future by accessing our cookie settings. The withdrawal of your consent does not affect the lawfulness of the processing carried out on the basis of your consent prior to its withdrawal.
We store your personal data processed in connection with Genially for as long as you have given your consent and for as long as this is necessary for the provision of the interactive content, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
Genially Web S.L., Calle Conde de Peñalver 38, 28006 Madrid, Spain, acts as a processor pursuant to Art. 28 GDPR.
Data processed in connection with Genially is stored on the server infrastructure of Genially Web S.L. within the European Union. No personal data is transferred to third countries.
The following services are strictly necessary for the operation of the website. No consent is required where the storage of or access to information in the terminal device is strictly necessary for the provider of a digital service to provide a service explicitly requested by the user (§ 25(2) No. 2 TDDDG). These services cannot be deactivated.
WordPress is the Content Management System (CMS) on which our website is based. We use WordPress to manage and deliver the content of our website; as controller, we determine the purposes and essential means of the data processing. WordPress is operated as open-source software (wordpress.org), self-hosted on the server infrastructure of our hosting provider, Timme Hosting GmbH & Co. KG, which processes personal data on our behalf as a processor.
The processing of personal data in connection with WordPress serves the following purposes: management and delivery of website content and provision of a technically functional website; administration of user accounts for editors and administrators; protection of the technical infrastructure against unauthorised access and disruptions, including external attacks, taking into account the state of the art.
PHP-based server-side application; MySQL/MariaDB database; WordPress session cookies, which store information in the terminal device of the end user. No consent is required for these cookies pursuant to § 25(2) No. 2 TDDDG, as the storage of information in the terminal device is strictly necessary for the provision of the digital service explicitly requested by the user.
For public visitors: IP address (see also Section 1.3.6, Server Log Files); session data stored in technically necessary cookies. For logged-in administrators and editors: username, e-mail address, role, login timestamp; these categories of data and the retention period applicable to them are determined by us as controller.
The processing of personal data in connection with the operation of WordPress is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR): we pursue the legitimate interest of operating a technically functional and secure website; the processing is necessary for this purpose; and we have weighed our interest against your interest in the confidentiality of your personal data, and our interest prevails, in particular because the processing is limited to what is strictly necessary for the operation and security of the website. For session cookies set in your terminal device, no consent is required pursuant to § 25(2) No. 2 TDDDG, as the storage is strictly necessary for the provision of the digital service explicitly requested by you.
Session cookies are deleted upon browser close.
We do not disclose your personal data to any recipients unless such disclosure is directly necessitated by the operation of the website. Timme Hosting GmbH & Co. KG (see Section 1.3.2) acts as processor pursuant to Art. 28 GDPR and stores data exclusively on our behalf on its server infrastructure.
All personal data processed in connection with WordPress is stored exclusively on the servers of Timme Hosting GmbH & Co. KG; a data processing agreement pursuant to Art. 28 GDPR including appropriate technical and organisational security measures has been concluded.
Timme Hosting GmbH & Co. KG is our web hosting provider. Timme Hosting stores the data of our website exclusively on our behalf on its server infrastructure and does not pursue its own purposes in relation to the content hosted. It does not determine whether the data it hosts constitutes personal data, nor does it process data in any other way than storing it on its servers. Timme Hosting therefore acts as a processor within the meaning of Art. 28 GDPR, and a data processing agreement has been concluded accordingly.
The processing of personal data in connection with Timme Hosting serves the following purposes: provision and operation of the technical infrastructure required to make our website available; storage of all data processed in connection with the use of our website; ensuring the technical availability, integrity, and security of the website and its data.
Server infrastructure and storage systems operated by Timme Hosting; technical and organisational security measures implemented by Timme Hosting to ensure a level of security appropriate to the risk, including as appropriate the pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services, the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, and a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
The categories of personal data stored on the server infrastructure of Timme Hosting correspond to all data processed in connection with the use of our website, as described in the respective sections of this Privacy Notice. The scope of data processed by Timme Hosting as processor is determined by us as controller.
The processing of personal data in connection with the operation of our website via Timme Hosting is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR). We have weighed our interest in operating a technically functional, secure, and available website against your interest in the confidentiality of your personal data, and our interest prevails.
We store personal data on the server infrastructure of Timme Hosting for as long as this is necessary for the purposes described in the respective sections of this Privacy Notice, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
Timme Hosting GmbH & Co. KG acts as processor pursuant to Art. 28 GDPR. Should Timme Hosting engage sub-processors, this requires our prior specific or general written authorisation. Any sub-processors must be bound by equivalent data protection obligations to those set out in the data processing agreement between ISCC and Timme Hosting. We do not disclose your personal data to any further recipients in connection with the hosting of our website.
All personal data processed in connection with the use of our website is stored exclusively on the server infrastructure of Timme Hosting.
Jungmut is our website maintenance and development provider. Jungmut has access to our server infrastructure and website database to the extent necessary for technical maintenance, updates, and further development of the website.
Technical maintenance, updates, and further development of the website and the Timme Hosting server; bug fixing and troubleshooting; implementation of new features and plugins; monitoring of technical performance.
No external technologies are used.
In the course of website maintenance and development activities, Jungmut may have access to personal data stored on the server and in the website database, solely to the extent necessary for the performance of its maintenance tasks. This may include server log files, user account data of website administrators and editors, and form data.
The processing of personal data in connection with website maintenance by Jungmut is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR). We have weighed our interest in maintaining and developing a technically functional and secure website against your interest in the confidentiality of your personal data, and our interest prevails. Jungmut acts as a processor within the meaning of Art. 28 GDPR and processes personal data exclusively on our behalf and in accordance with our documented instructions.
Jungmut's access to personal data is limited to the duration of the maintenance relationship and to individual maintenance tasks on an as-needed basis. We store personal data processed in connection with website maintenance for as long as this is necessary for the performance of the maintenance tasks, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
We do not disclose your personal data to any recipients unless such disclosure is directly necessitated by the provision and maintenance of the website. Jungmut acts as processor pursuant to Art. 28 GDPR and is bound by documented instructions. Jungmut has access to data stored on the servers of Timme Hosting (see Section 1.3.2).
All personal data processed in connection with Jungmut is stored exclusively on the servers of Timme Hosting GmbH & Co. KG; a data processing agreement pursuant to Art. 28 GDPR including appropriate technical and organisational security measures has been concluded.
Borlabs is the Consent Management Platform (CMP) used to obtain, document, and manage user consent for cookies and similar technologies on our website. The CMP displays the cookie consent banner upon the first visit to our website and ensures that non-essential technologies are activated only after the required consent has been obtained pursuant to § 25(1) TDDDG. The provider of digital services remains responsible for fulfilling information obligations and for compliance with the requirements for the validity of consent under Regulation (EU) 2016/679.
The CMP is used for the following purposes: obtaining and documenting user consent for the storage of or access to information in the user's terminal device pursuant to § 25(1) TDDDG; ensuring demonstrability of consent pursuant to Art. 7(1) GDPR; enabling or blocking other services depending on the user's consent decision; providing users with the ability to review, change, and withdraw their consent settings at any time.
First-party persistent cookie to store the consent decision (consent cookie).
Consent status per category (accepted / rejected); date and time of the consent decision; version of the Privacy Notice in effect at the time of consent. A controller must be able to prove that a data subject has consented in a given case; accordingly, documentation includes a record of the consent workflow at the time of the session and a copy of the information presented to the user at that time.
The consent cookie itself is strictly necessary for the functioning of the consent management system. No consent is required for the consent cookie pursuant to § 25(2) No. 2 TDDDG, as the storage of information in the terminal device is strictly necessary for the provider of a digital service to supply a service explicitly requested by the user. The processing of consent documentation data is carried out on the basis of Art. 6(1)(c) GDPR, as the controller bears the burden of proof to demonstrate the data subject's consent pursuant to Art. 7(1) GDPR. In addition, we process certain data on the basis of our legitimate interest (Art. 6(1)(f) GDPR). We have weighed our interest in demonstrable compliance with applicable data protection law against your interest in the confidentiality of your personal data, and our interest prevails.
The consent cookie is stored for as long as is necessary to retain your consent decision. After the processing activity to which the consent relates has ended, proof of consent should be kept no longer than strictly necessary for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims pursuant to Art. 17(3)(b) and (e) GDPR.
Timme Hosting GmbH & Co. KG acts as processor pursuant to Art. 28 GDPR.
All personal data processed in connection with Borlabs is stored exclusively on the servers of Timme Hosting GmbH & Co. KG; a data processing agreement pursuant to Art. 28 GDPR including appropriate technical and organisational security measures has been concluded.
Our website uses TLS encryption (Transport Layer Security) for all data transmissions between your browser and our web server in order to enable the secure use of our digital services and to protect communications against access by third parties. This is recognisable by the "https://" prefix. SSL/TLS encryption is a technical security measure implemented to protect personal data transmitted in connection with the use of our website.
The purpose of TLS encryption is to enable users to use our digital services in a manner protected against access by third parties. In addition, the encryption serves to ensure a level of security appropriate to the risk, in particular confidentiality, integrity, and availability of processing systems and services. The use of an encryption method recognised as secure constitutes a technical and organisational measure within the meaning of Art. 32 GDPR and § 19(4) TDDDG, which requires providers of digital services to apply an encryption method recognised as secure as a specifically identified technical and organisational measure.
Transport Layer Security (TLS) protocol, an encryption method recognised as secure, taking into account the state of the art.
TLS encryption does not independently collect or process personal data beyond what is technically necessary to secure the connection.
The use of TLS encryption is carried out on the basis of our legal obligation to implement appropriate technical and organisational measures pursuant to Art. 32 GDPR, which requires the controller to implement measures including, as appropriate, the encryption of personal data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. In addition, § 19(4) TDDDG requires providers of digital services to apply an encryption method recognised as secure as a specifically identified technical and organisational measure to ensure the security of their digital services. The use of TLS encryption therefore also serves our legitimate interest (Art. 6(1)(f) GDPR) in providing a technically secure website.
TLS encryption does not result in the independent storage of personal data. In accordance with the principle of storage limitation, data is only retained for as long as necessary for the purposes for which it is processed.
We do not disclose your personal data to any recipients in connection with the use of TLS encryption. Timme Hosting GmbH & Co. KG (see Section 1.3.2) provides and manages the TLS certificate as part of the hosting infrastructure.
All personal data processed in connection with TLS encryption is stored exclusively on the servers of Timme Hosting GmbH & Co. KG; a data processing agreement pursuant to Art. 28 GDPR including appropriate technical and organisational security measures has been concluded.
When you access our website, our web server automatically records technical access data and creates server log files. Server log files are technically necessary for the secure and stable operation of the website. They do not serve marketing or tracking purposes.
The processing serves to ensure the security of the processing, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
Web server log functionality (server-side); no cookies are set in the terminal device of the end user in connection with server log file processing; no client-side storage within the meaning of § 25 TDDDG.
Server log files may contain personal data, in particular where online identifiers such as IP addresses enable identification. The following categories of data are recorded: IP address of the accessing device (in full, at time of access); date and time of the access; name and URL of the file accessed; website from which the access was made (referrer URL); browser type, version, and operating system of the accessing device; HTTP status code (success or error message); volume of data transferred.
The processing of personal data in connection with server log files is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR). We have weighed our legitimate interests against the interests or fundamental rights and freedoms of the data subject, and our interest prevails. In conducting this balancing test, we have taken into account in particular that the processing is limited to what is technically necessary for the secure operation of the website, that server log files are not used for marketing or profiling purposes, and that the data is deleted after a short retention period.
In accordance with the principle of storage limitation, server log files are stored only for as long as necessary for the purposes for which they are processed, in a form which permits identification of data subjects for no longer than is necessary for those purposes.
Recipients are disclosed to the extent that personal data is made available to them. Timme Hosting GmbH & Co. KG (see Section 1.3.2) acts as processor pursuant to Art. 28 GDPR and has access to server log files in the course of its hosting activities. We do not disclose server log file data to any further recipients unless we are legally obliged to do so or unless disclosure is necessary for the investigation of a security incident.
All personal data processed in connection with server log files is stored exclusively on the servers of Timme Hosting GmbH & Co. KG; a data processing agreement pursuant to Art. 28 GDPR including appropriate technical and organisational security measures has been concluded.
When you actively use the functions described in this section, for example by filling in a contact form, creating an account, or subscribing to our newsletter, we process your personal data. Unlike the processing described in Section 1 (Data Processing Technologies on the Website), the processing activities set out below are not triggered automatically upon your visit to our website, but exclusively as a result of a specific action taken by you.
We explain below which personal data we process in connection with each function, for what purposes, on which legal basis, and for how long we retain it. The legal bases for processing are, depending on the function concerned, the performance of a contract or the implementation of pre-contractual measures at your request pursuant to Art. 6(1)(b) GDPR, our legitimate interests pursuant to Art. 6(1)(f) GDPR, compliance with a legal obligation pursuant to Art. 6(1)(c) GDPR, or, where we rely on your consent, Art. 6(1)(a) GDPR.
Where the use of a function involves the storage of information in your terminal device or access to information already stored in your terminal device, this requires your consent on the basis of clear and comprehensive information pursuant to § 25(1) TDDDG. Consent is not required where the sole purpose of the storage of or access to information is the transmission of a message over a public telecommunications network, or where the storage of or access to information is strictly necessary in order for us to provide a digital service expressly requested by you. Where § 25 TDDDG is applicable, we indicate this separately in the relevant subsection below.
Our website provides several contact forms that allow you to send us messages and enquiries directly. The data you enter is transmitted electronically and processed by our team.
Processing and responding to your enquiry; maintaining a record of correspondence for documentation and quality assurance purposes; follow-up communication if required; routing of enquiries to the appropriate team or department within ISCC.
Main contact form: Freshdesk-embedded form (cloud-based SaaS). Additional specific forms: WordPress form functionality, operated on the server infrastructure of Timme Hosting GmbH & Co. KG (see Section 1.3.2).
Data that you enter into the contact form (e.g. name; email address; subject/message content).
Where your enquiry relates to the performance of a contract to which you are a party, or to the implementation of pre-contractual measures taken at your request, the legal basis for the processing is Art. 6(1)(b) GDPR.
In other cases, the processing of your personal data for the purpose of handling your enquiry is carried out on the basis of our legitimate interest (Art. 6(1)(f) GDPR). We have weighed our interest in providing the contact form or a general service e-mail address against your interest in the confidentiality of your personal data, and our interest prevails. Without the processing of personal data, it is not possible to handle your enquiry. The use of the contact form or a general service e-mail address is, moreover, voluntary.
We store your personal data for as long as this is necessary for the handling of your respective enquiry, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations.
We do not disclose your personal data to any recipients unless such disclosure is directly necessitated by your request.
You are not obliged to disclose any personal data. The fields marked with * in the contact form are mandatory fields. Without this personal data, your respective enquiry cannot be processed. All other information is voluntary and may facilitate the handling of your enquiry.
ISCC operates a password-protected user portal and certificate management platform – the ISCC HUB – for ISCC-certified entities and certification bodies. Access to the ISCC HUB is restricted to registered users who have entered into a contractual relationship with ISCC.
Authentication and access management for both the ISCC website and the ISCC HUB are handled centrally by Keycloak, an open-source Identity and Access Management (IAM) system.
Authentication of registered users and administrators upon login to the ISCC website and the ISCC HUB; management of user accounts, access rights, and roles; synchronisation of user account data between Keycloak and the website and ISCC HUB.
Keycloak, an open-source Identity and Access Management solution.
User account data (name, e-mail, organisation, role, job title); login credentials (hashed passwords); certificate and audit documentation (uploaded documents, certificate status).
Where the processing of your personal data is necessary for the performance of a contract to which you are a party – in particular the ISCC System User Agreement – or for the implementation of pre-contractual measures taken at your request, the legal basis for the processing is Art. 6(1)(b) GDPR. This applies in particular to the creation and management of your user account in the ISCC HUB and the processing of your certification documentation.
We store your personal data for as long as this is necessary for the maintenance of your user account and the performance of the ISCC System User Agreement, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations. Upon termination of your contractual relationship with ISCC, your user account will be deactivated and your personal data deleted within unless statutory retention obligations require longer retention.
Timme Hosting GmbH & Co. KG (see Section 1.3.2) acts as a processor pursuant to Art. 28 GDPR and provides the server infrastructure on which Keycloak is operated.
You are not obliged to disclose any personal data.
Mailchimp is used for the newsletter and mailing list. The service (The Rocket Science Group LLC d/b/a Mailchimp, USA) is an e-mail marketing platform used to send newsletters, event invitations, and promotional information to subscribers who have opted in (double opt-in).
Sending newsletters, event invitations, and promotional information; analysis of e-mail campaign performance (open rates, click rates); management of subscriber lists; segmentation for targeted campaigns.
E-mail delivery infrastructure.
E-mail address; name (if provided); subscription date and time; e-mail open/click statistics; IP address at time of subscription.
The processing of your personal data in connection with our newsletter and mailing list is carried out on the basis of your consent (Art. 6(1)(a) GDPR). By subscribing to the newsletter via the double opt-in procedure, you have expressly consented to receiving our newsletter and to the associated processing of your personal data for that purpose.
We store your personal data for as long as you remain subscribed to our newsletter or mailing list, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations. Upon your unsubscription, we will delete your personal data from our active mailing list without undue delay. However, we may retain records of your subscription and the double opt-in confirmation for a further period of up to three years from the date of your unsubscription, insofar as this is necessary to demonstrate that your consent was lawfully obtained and to defend against any related legal claims. This retention serves our legitimate interest in evidencing compliance with applicable data protection law (Art. 7(1) GDPR).
Intuit Mailchimp, 675 Ponce De Leon Ave NE, Atlanta, GA 30308, USA (processor pursuant to Art. 28 GDPR).
Personal data is transferred to the United States of America; as the recipient holds certification under the EU–US Data Privacy Framework, the transfer is carried out on the basis of the adequacy decision issued by the European Commission pursuant to Art. 45 GDPR (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023).
You are not obliged to subscribe to the newsletter or mailing list. Subscription is entirely voluntary. However, without providing your e-mail address and completing the double opt-in process, you cannot receive our newsletter.
Stripe is used for payment processing. Stripe, Inc. (USA) / Stripe Payments Europe, Ltd. (Ireland) is a payment processing service used to process online payments on our website (e.g. certification fees, event tickets).
Processing of online payments; verification of payment details; fraud prevention; invoicing and record-keeping for accounting and tax compliance.
Stripe’s client-side form integration.
Name and billing address; e-mail address; payment information (credit card details, processed and stored directly by Stripe, not by ISCC); transaction amount, date, and time; IP address and device information (for fraud prevention).
The processing of your personal data in connection with the handling of your payment for purchased services is carried out on the basis of Art. 6(1)(b) GDPR, as the processing of payment details is necessary for the performance of the contract concluded with you for the provision of ISCC's services.
In addition, we process and store certain personal data on the basis of Art. 6(1)(c) GDPR in order to comply with statutory retention and documentation obligations to which we are subject, in particular in relation to accounting, invoicing, and tax law. In this regard, accounting documents and commercial correspondence are subject to statutory retention periods of up to ten years pursuant to § 257 of the German Commercial Code (HGB) and § 147 of the German Tax Code (AO).
Furthermore, to the extent that the processing of personal data is strictly necessary for the purposes of preventing fraud, such processing is carried out on the basis of our legitimate interest pursuant to Art. 6(1)(f) GDPR. This does not mean that we rely on Art. 6(1)(f) GDPR as a basis for any processing in connection with fraud prevention; the processing must be strictly necessary and must satisfy both the necessity and balancing tests.
We store your personal data for as long as this is necessary for the performance of the contract and the processing of your payment, or for as long as we are entitled or obliged to retain it pursuant to statutory retention obligations. In particular, accounting documents and commercial correspondence are subject to statutory retention periods of up to ten years pursuant to § 257 of the German Commercial Code (HGB) and § 147 of the German Tax Code (AO). The retention period begins at the end of the calendar year in which the last entry was made in the commercial books, the invoice was issued, or the booking document was created. Accordingly, personal data relating to your payment (such as invoices, payment details, and transaction records) will be retained for the duration of these statutory retention periods.
Stripe Payments Europe, Ltd., 1 Grand Canal Street Lower, Dublin 2, Ireland; Stripe, Inc., 185 Berry Street, Suite 550, San Francisco, CA 94107, USA. For the purpose of processing your payment, we disclose the required personal data to Stripe. Stripe acts as an independent controller for the processing of payment data, as it independently determines the purposes and means of the data processing required for the provision of its payment services.
Personal data is transferred to the USA. Where the recipient is certified under the EU-US Data Privacy Framework, the transfer is carried out on the basis of the adequacy decision issued by the European Commission pursuant to Art. 45 GDPR (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023). In addition, or where the recipient is not DPF-certified, the transfer is safeguarded by Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR.
If you wish to make a payment online for the services you have purchased from us, you are required to provide the data necessary for the performance of the payment contract. The processing of payment details is objectively necessary for the performance of the contract concluded with you for the provision of ISCC's services. Without providing your name, billing address, e-mail address, and payment details, we cannot process your payment, and the contract for the purchased services cannot be performed. The provision of this data is therefore a prerequisite for the performance of the contract. All other information is voluntary and may facilitate the processing of your payment.
Hintbox is a cloud-based whistleblower reporting system used by ISCC to operate its internal reporting channel as required by the German Whistleblower Protection Act (Hinweisgeberschutzgesetz — HinSchG). The system enables whistleblowers to submit reports confidentially or anonymously and to communicate securely with ISCC's case handlers. Hintbox uses end-to-end encryption and is hosted on ISO/IEC 27001-certified servers in Germany.
Operation of ISCC's internal reporting channel in compliance with § 12 HinSchG; receipt, documentation, and examination of reports; maintaining contact with the reporting person; case management and documentation; taking appropriate follow-up measures.
Cloud-based SaaS platform; end-to-end encryption of all reports.
Content of the report (description of the alleged violation, category, information about persons involved); date and time of the report; attachments (with metadata automatically removed). Where the reporting person chooses to provide their identity: name and contact details. Case management data: case status, processing history, documentation in compliance with § 8 HinSchG. Data relating to persons who are the subject of a report is processed to the extent strictly necessary for examination and follow-up measures.
The processing of personal data in connection with the receipt and handling of reports submitted via the whistleblowing system is carried out on the basis of Art. 6(1)(c) GDPR, as the processing is necessary for compliance with a legal obligation to which ISCC is subject, in particular the obligation to establish and operate an internal reporting channel pursuant to § 12 HinSchG. In addition, we process personal data on the basis of Art. 6(1)(f) GDPR, as we pursue a legitimate interest in establishing an effective compliance management system.
Documentation is deleted three years after the conclusion of the proceedings, unless a longer retention period is necessary to fulfil the requirements of the HinSchG or other legal provisions.
lawcode GmbH, Universitätsstraße 3, 56070 Koblenz, Germany (processor pursuant to Art. 28 GDPR).
You are not obliged to submit a report via Hintbox. The use of the whistleblower reporting system is entirely voluntary. You may choose to submit your report anonymously, without providing any personal contact details. Providing your identity and contact details is voluntary and may facilitate communication with ISCC's case handlers.
Our website displays icons linking to the social media platforms LinkedIn, Instagram, and YouTube. These icons are implemented as simple static hyperlinks. This means that no connection is established to the servers of LinkedIn, Instagram, or YouTube when our website loads, and no personal data is transmitted to these platforms merely by visiting our website.
A connection to the respective social media platform is only established when you actively click on one of the icons. By clicking the icon, you leave our website and are redirected to the respective platform. From that point onwards, the processing of your personal data is carried out solely by the operator of the respective platform in accordance with its own privacy policy. The qualification of a website operator as controller is limited to the operations in respect of which it actually determines the purposes and means of processing. Since we do not determine the purposes and means of any processing carried out by these platforms after you click the link and navigate to them, we cannot be considered a controller in respect of those operations.
In accordance with our transparency obligations, information presented to you in respect of the way in which personal data are processed should be concise, transparent, intelligible, and in an easily accessible form, using clear and plain language. We therefore draw your attention to the following:
LinkedIn: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland. Privacy Policy: https://www.linkedin.com/legal/privacy-policy
Instagram: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland. Privacy Policy: https://privacycenter.instagram.com/policy
YouTube: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Privacy Policy: https://policies.google.com/privacy
We recommend that you read the privacy policies of any social media platforms you visit before providing any personal data to those platforms or interacting with their services.
You have rights in relation to the personal data we process about you. If you wish to exercise any of the rights described below, you may contact us or our Data Protection Officer at any time. We will handle your request in accordance with applicable data protection law and respond within the legally required timeframes.
You have the right to obtain confirmation from us as to whether personal data concerning you is being processed by us. Where that is the case, you have the right to request access to the following information:
You also have the right to obtain a copy of the personal data undergoing processing. For any further copies requested, we may charge a reasonable fee based on administrative costs.
You have the right to obtain from us without undue delay the rectification of inaccurate personal data concerning you. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Should your personal data be inaccurate or incomplete, you have the right to rectification and supplementation.
You have the right to obtain from us the erasure of personal data concerning you without undue delay where one of the following grounds applies:
This right does not apply to the extent that the processing is necessary, in particular for compliance with a legal obligation or for the establishment, exercise, or defence of legal claims.
You have the right to obtain from us restriction of processing where one of the following applies:
Where the statutory requirements are met, you may request the restriction of the processing of your personal data.
Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with your consent or for the establishment, exercise, or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of important public interest of the Union or of a Member State.
You have the right to receive personal data processed by automated means where the processing is based on your consent or in fulfilment of a contract, in a structured, commonly used, and machine-readable format. You may also request the transfer of this data to another controller. If you request the direct transfer of data to another controller, this will only be done to the extent technically feasible.
Where processing is carried out on the basis of your consent or within the framework of a contract, you have a right to the transfer of the data you have provided, insofar as the rights and freedoms of others are not thereby impaired.
This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6(1)(e) or (f) GDPR (processing in the public interest or on the basis of legitimate interests), including profiling based on those provisions.
In the event of an objection, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing serves the establishment, exercise, or defence of legal claims.
Where we process your personal data for direct marketing purposes, you have the right at any time to object to such processing; this also applies to profiling insofar as it is related to such direct marketing. We will observe such objection going forward.
The objection may be made informally and should preferably be addressed to our contact details set out below.
Where we process your personal data on the basis of your consent, you have the right to withdraw your consent at any time. A withdrawal of consent takes effect for the future; processing carried out prior to the withdrawal remains unaffected.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
To withdraw your consent, please contact us using the contact details provided below or, where applicable, use the opt-out mechanism indicated at the time consent was obtained (e.g., the unsubscribe link in a newsletter).
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
This right does not apply if the decision:
Where decisions based solely on automated processing are taken, we will implement suitable measures to safeguard your rights and freedoms and legitimate interests, including at minimum the right to obtain human intervention on our part, to express your point of view, and to contest the decision.
If there has been a breach of data protection legislation, the person affected may file a complaint with the competent regulatory authorities. The competent regulatory authority for matters related to our data processing is:
Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW)
Kavalleriestr. 2–4, 40213 Düsseldorf
Telephone: 0211 / 38424-0 Fax: 0211 / 38424-999
E-mail: poststelle@ldi.nrw.de
You have the right to contact a supervisory authority, in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement.
You may lodge a complaint with the LDI NRW in the following ways:
When lodging a complaint, we recommend that you provide the following information to enable the supervisory authority to process your complaint efficiently:
The lodging of a complaint with a supervisory authority is without prejudice to any other administrative or judicial remedy that may be available to you.
If you have any questions about how we process your personal data, or if you wish to exercise your rights under the GDPR (such as access, rectification, erasure, restriction, or data portability), you may contact our officially designated Data Protection Officer:
Moritz von Gernet
ISCC System GmbH, Hohenzollernring 72, D-50672 Cologne, Germany
E-mail: privacy@iscc-system.org
Please direct requests pursuant to Art. 15 ff. GDPR (e.g. erasure, access, objection) to the contact details set out under this section.
Alternatively, you may submit your request by post to:
ISCC System GmbH, Data Protection, Hohenzollernring 72, D-50672 Cologne, Germany
To enable us to process your request efficiently and without delay, please indicate in your request:
We will not use the personal data you provide in connection with your request for any purpose other than processing your request.
We will handle your enquiry in accordance with applicable data protection laws and respond within the legally required timeframes.
In accordance with Art. 12(3) GDPR, we will respond to your request without undue delay and in any event within one month of receipt of the request. That period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
Where we are unable to take action on your request, we will inform you without delay and at the latest within one month of receipt of the request of the reasons for not taking action and of your right to lodge a complaint with a supervisory authority and to seek a judicial remedy.
We will provide information in response to a request free of charge. Where requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee or refuse to act on the request. In such cases, we will inform you accordingly.
To protect your personal data and prevent unauthorised disclosure, we may need to verify your identity before processing your request. We may ask you to provide sufficient information to confirm your identity. We will not use this information for any purpose other than to verify your identity in connection with your request.
Please note that the rights described in this section are subject to certain statutory limitations and exceptions under applicable data protection law. Where we are unable to fulfil your request in whole or in part, we will inform you of the reasons and your available remedies, including the right to lodge a complaint with the competent supervisory authority (see section 1.9 — Right to Lodge a Complaint with a Supervisory Authority).
Data subjects may contact the Data Protection Officer with regard to all issues related to the processing of their personal data and to the exercise of their rights under the GDPR. The Data Protection Officer can be contacted directly and confidentially.
Our officially designated Data Protection Officer is:
Moritz von Gernet
ISCC System GmbH
E-mail: privacy@iscc-system.org