DE EN

PRIVACY POLICY STUDENTROOM.CH

Version 01.09.2023

I. GENERAL INFORMATION

1. Introductory remarks

The Student Mentor Foundation Lucerne ("SMFL", "we" or "us") operates the studentroom.ch platform as part of its foundation purpose. The purpose of this privacy statement is to explain how we collect, process and use personal data.

You may only disclose personal data of third parties to us if you are authorised to do so and the personal data is correct. We ask you to ensure that the persons concerned are aware of this data protection declaration.

In this privacy policy, we use the feminine and masculine form alternately. The respective designation also includes all other gender designations.

We may change this Privacy Policy at any time without notice. The current version, which applies in each case, is published on our website.

2. Responsible for data protection issues

The responsibility for the content of this privacy policy and for the data processing described lies with:

Student Mentor Foundation Lucerne
Murbacherstrasse 3
6003 Luzern
office(at)studentmentor.ch
Tel.: +41 41 317 22 10

3. EU-Data Protection Representative

For natural persons with simple residence in countries of the European Economic Area (EEA) including the European Union (EU) and the Principality of Liechtenstein as well as for the country-specific supervisory authorities provided for under the GDPR, we designate the following person as EU Data Protection Representative according to Art. 27 GDPR:

VGS Datenschutzpartner GmbH
Am Kaiserkai 69
20457 Hamburg
Deutschland
E-Mail: info(at)datenschutzpartner.eu

4. Terminology

For a better understanding, we would like to start by clarifying the most important terms used in this policy. We adhere to the definitions of terms from the Federal Act of Data Protection (Art. 5 FADP).

Personal data: all information relating to an identified or identifiable natural person.
Data subjects: natural persons about whom data is processed;
processing: any handling of personal data, regardless of the means and procedures used, in particular the acquisition, storage, keeping, use, modification, disclosure, archiving, deletion or destruction of data.
Responsible: a natural person or federal body who, alone or together with others, decides on the purpose and means of processing.
Data processor: a natural person or federal body that processes personal data on behalf of the data responsible.

5. Legal Basis

This Privacy Policy complies with the requirements of the Swiss Federal Law on Data Protection ("FADP") and the associated Ordinance ("DPA") as well as the General Data Protection Regulation of the European Union ("GDPR"). The type and scope of the applicable legislation depends on the individual case. Foreign data protection law is only applied if this is mandatory under the applicable law and only for the data processing processes and persons affected by it.

We comply with the applicable data protection regulations when processing personal data.

The processing of personal data must not unlawfully violate the personality of the persons concerned. For this reason, such data processing must comply with the processing principles of data protection law and/or must be legitimised by a justification. In particular, we are legitimised to process personal data if the processing:

is based on a legal basis
The processing of personal data may be required or legitimised by law (e.g., mandatory retention obligations).
is necessary for the performance of a contract with the data subject or for pre-contractual measures.
The main part of the processing of personal data in our foundation is carried out within the framework of the fulfilment of contractual obligations (in particular the initiation and processing of rental relationships).
is necessary for the protection of legitimate interests on our part or on the part of third parties.
A legitimate interest on our part exists in particular if the processing of personal data takes place within the framework of the purposes stated in section 7 as well as the disclosure of data in accordance with section 15 and the associated objectives.
is based on consent
If the processing of personal data is based on your consent, we will inform you of this separately and transparently. You can revoke your consent with effect for the future at any time using the functions provided for this purpose (e.g., unsubscribe link for newsletters) or by notifying us in writing (cf. Contact listed under points 2 and 3). Upon receipt of your revocation, we will cease the data processing affected by it, unless we can base the processing on another justification.
is necessary to comply with domestic and foreign legal requirements.

6. Categories of personal data

Depending on the services you use and the respective relationship between you and us, we process the following categories of personal data specifically:

Master data: e.g.: Form of address, surname, first name, gender, date of birth and contact data such as address, telephone numbers, e-mail addresses, language, user names, financial information, information on academic studies.
Contract data: e.g., information relating to the initiation, conclusion, processing, administration and termination of contracts between you and us, information in connection with job applications [see also section 13 below], interaction history, financial and payment information such as creditworthiness, information in connection with the enforcement of claims, bank data.
Communication data: e.g.: Master Data, Contract Data, Communication Content from written, electronic and verbal correspondence, Survey Data, Information on time, place, nature etc. of communication, Proof of Identity, Boundary Data.
Behavioural and transactional data: e.g. relating to your use of our website and booking tool, your visit to our sites, participation in events, functions and surveys, use of electronic communication channels.
Technical data: e.g. IP addresses, device IDs, details of the devices and applications you use and their settings, internet provider you use, usernames, passwords [as hash values], information in connection with 2-factor authentication, log data, time and, if applicable, approximate location in connection with the use of our services.
Image and sound recordings: e.g. recordings of telephone and video conference calls [only made after prior announcement and with your consent], recordings of video surveillance systems [see section 14], recordings in connection with tenant and staff events.

7. Origin of the data

To a large extent, we collect personal data directly from you as the data subject. This includes in particular master data, contract data and communication data. The collection of such personal data takes place in the context of the initiation and processing of business relationships as well as the use of our services.

If you provide us with data on other persons (e.g. family members, flatmates, business colleagues, employees), you must ensure that you are authorised to do so and that the data is correct. In addition, the persons concerned must be made aware of this data protection declaration in advance.

We may also collect personal data about you ourselves or automatically or derive it from existing data. This includes in particular behavioural and transaction data as well as technical data.

Finally, we also collect personal data from third parties to the extent permitted by law. Such third parties include, in particular, persons from your environment, business partners, insurance companies, banks, authorities, official agencies, courts, parties and their legal representatives in the context of legal disputes, etc. We may also collect personal data from public records. In addition, we may also collect personal data from public sources (e.g., credit agencies, social media).

8. Purpose of data processing

We offer accommodation for students at universities, colleges of applied sciences and other educational institutions.

We process the data collected in order to fulfil our legal, statutory and contractual obligations towards you and third parties. This includes, in particular, the acceptance (including contact enquiries), administration and processing of rental agreements.

We also process the data we collect to:

ensure communication with you
to provide and improve the products and services you request
to manage your use of and access to our products and services
to maintain our business relationship with you
to monitor and improve the performance of our services
to enforce or defend against legal claims, and to protect ourselves from legal action
to detect, prevent or investigate illegal activities
to ensure compliance with laws and recommendations of domestic and foreign authorities as well as internal regulations ("Compliance") and risk management
to generally ensure our operations (esp. IT, website, etc.) and to ensure administrative processes (e.g., data archiving, accounting, master data maintenance, quality assurance).

9. Processing duration of personal data

We process your personal data for as long as we are legally obliged to do so (e.g., storage and archiving obligations) or as long as our legitimate business interests require (e.g., enforcing or defending claims, guaranteeing IT security) or as long as the purpose of the collection of your data makes it necessary or the storage is technically required. In the case of contracts, the data is generally stored for the duration of the contractual relationship and the statutory retention periods beyond this (generally 10 years).

This may mean that your personal data or extracts thereof must be retained for several years after the end of the contractual relationship between you and us. If your personal data is no longer required for the above-mentioned purposes, it will be deleted or made anonymous as far as possible.

In certain cases, we may retain your personal data for a longer period based on your consent (e.g., job applications that are pending).

10. Disclosure of personal data to third parties

Where legally permissible and necessary, we may also pass on certain personal data to third parties in the context of our foundation activities. These third parties process your personal data either on our behalf (order processor), under joint responsibility with us or on their own responsibility. These include, among others:

Our service providers, such as banks, IT providers, insurance companies, cleaning companies, lawyers, external consultants, trustees, etc.
Business partners
Domestic and foreign authorities, official agencies and courts
Other parties in administrative and legal proceedings
Other third parties who are necessary to achieve the purpose of the respective data processing.

Where necessary, we have signed corresponding processing contracts with our service providers. In these contracts, they undertake to comply with data protection and data security regulations. Furthermore, they may only process personal data in accordance with our instructions. They also grant us comprehensive auditing and control rights as well as the right to information, correction and deletion.

Within the scope of the GDPR, such a transfer of personal data to third parties takes place either for the purpose of initiating and fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.

11. Disclosure of personal data abroad

We generally process and store personal data in Switzerland and the European Economic Area (EEA). In certain cases, however, we may also disclose personal data to service providers and recipients located outside this area or process personal data outside this area, in general in any country in the world. In particular, you must expect personal data to be disclosed to all countries in which the service providers we use and their subcontractors are located (especially the USA).

By taking appropriate measures, we ensure compliance with the legal requirements. Specifically, an adequate ruling from the competent authority is available. In the absence of such a ruling, the personal data is transferred on the basis of suitable guarantees (in particular standard contractual clauses approved by the European Commission and the Federal Data Protection and Information Commissioner [FDPIC]) or there are exceptions for certain situations (contract processing, law enforcement abroad, etc.) or we obtain your express consent.

12. Data security

To secure your data, we maintain technical and organisational security measures in accordance with the current state of the art.

Communication via our website is encrypted using the SSL/TLS encryption protocol. However, we would like to point out that even encrypted data transmission on the Internet always involves security risks. A complete protection of data, against access by third parties cannot be guaranteed.

If you communicate with us by ordinary email, the data is not transmitted in encrypted form and can be viewed and possibly manipulated by third parties. By using unencrypted email, you acknowledge this fact. The transmission of confidential or personal data via unencrypted email is at your own risk.

13. Your rights as a data subject

Provided that the requirements of the applicable data protection law are met and no legal exceptions apply, you generally have the following rights in connection with the processing of your personal data:

to receive, upon request and free of charge, information on whether and, if so, which personal data we process about you
to correct incorrect or incomplete personal data
to restrict the processing of your personal data
to block your personal data
the deletion or anonymisation of your personal data
data transferability
revoke your consent to the processing of your personal data with effect for the future
to object to the processing of your personal data.

Please note that these rights may be restricted or excluded in specific individual cases (e.g., to protect third parties or business secrets).

In order to assert your rights as a data subject or if you have any questions about this data protection declaration or the processing procedures described therein, you can contact the offices mentioned in points 2 and 3 above.

If you believe that your data has been processed unlawfully, we would be grateful if you could contact us directly. Alternatively, you can file a complaint with the supervisory authority responsible for you. The supervisory authority for data protection in Switzerland is the Federal Data Protection and Information Commissioner (FDPIC). In the EU, the complaint must be submitted to the respective national data protection authority.

In order to exercise your data protection rights or if you have any questions about this data protection declaration and the processing procedures described therein, you can contact the offices mentioned in points 2 and 3 above.

II. SUPPLEMENTARY INFORMATION IN CONNECTION WITH SELECTED DATA PROCESSING OPERATIONS

14. Processing of personal data in connection with the use of our website

14.1. Cookies

Our website uses so-called "cookies" and comparable recognition technologies. Cookies serve to make our offer more user-friendly, effective and secure. Cookies are small text files that are sent to your computer and stored there.

In addition to "session cookies", which are automatically deleted at the end of your visit, "permanent cookies" may also be used. These cookies enable us to recognise your browser on your next visit. Such cookies remain stored on your terminal device for a certain period of time (1 year). In addition, you have the option of deleting these cookies at any time.

When visiting our website for the first time, you can select your preference regarding the use of cookies via the cookie banner, whereby the storage of necessary cookies cannot be prevented. If you do not agree to the storage of necessary cookies, please do not visit our website. You can change your cookie preferences at any time using the cogwheel at the bottom left of the footer of our website.

You can also set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. On the following pages you will find explanations of how you can configure the processing of cookies in the most common browsers:

If cookies are deactivated, the functionality of this website may be limited.

We use cookies to carry out the electronic communication process, to provide certain functionalities or to optimise our website (necessary cookies). Within the scope of the GDPR, we store necessary cookies on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR). If consent has been requested for the storage of cookies and comparable recognition technologies, the processing is based on your consent (Art. 6 para. 1 lit. a GDPR). You can revoke your consent (as described above) at any time.

14.2. Website Hosting-Provider

We host our website with a Swiss hosting provider based in Switzerland. With each visit to our website, the hosting provider automatically collects and stores information (server log files) that your browser transmits. This includes the name and URL of the file accessed, the date and time of access, the amount of data, the web browser and web browser version, the operating system, the domain name of your internet provider, the so-called referrer URL (the page from which you accessed our website) and the IP address. This usage data is used to identify technical problems, to ensure security and to statistically evaluate the use of our website and thus also to further develop our offer.

The previously mentioned data will be processed by us for the following purposes:

Ensuring a smooth connection set-up of the website,
Ensuring a comfortable use of our website,
evaluating system security and stability, and
for other administrative purposes and in the event of unlawful use of our website or our services.

We have concluded a processing contract with the hosting provider.
Within the scope of application of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) according to the purposes listed above.

14.3. Tracking

14.3.1. Google Inc.

Our website uses Google Fonts and Google Maps from Google Inc. For the European area, the company Google Ireland Limited (Gordon House, Barrow Street Dublin 4, Ireland) is responsible for all Google services (hereinafter "Google").

In addition to the following explanations, you will find further information on data protection at Google in the Google data protection declaration:
https://policies.google.com/privacy.

We have concluded a processing contract with Google.

Within the scope of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR) in an appealing website and in increasing our reach or based on your consent (Art. 6 para. 1 lit. a GDPR). Consent can be revoked at any time with effect for the future.

Google Maps
We use Google Maps on our website to display interactive maps and to create directions. When you call up a web page on our website that has Google Maps integrated, your browser establishes a connection with the Google servers. In addition, Google Maps sets cookies (cf. the above explanations under section 14.1). By using Google Maps, various information (e.g. IP address, addresses entered, date and time of the website visit) can be transmitted to Google servers in the USA.

You can find further information about data processing by Google here:
https://policies.google.com/privacy?hl=en. There you can also change your personal privacy settings in the Privacy Centre. Detailed instructions on managing your own data in connection with Google products can be found here.

General information about Google Maps can be found at: https://www.google.com/intl/en-GB/maps/about/#!/.

Google Fonts
On our website, we use Google Fonts for the uniform display of fonts. The Google Fonts are installed locally. A connection to Google servers does not take place.

You can find more information about Google Web Fonts at:
https://developers.google.com/fonts/faq.

14.3.2. Vimeo

We operate a Vimeo channel and include videos from the Vimeo platform on our website. The operator of the platform is Vimeo.com, Inc., 330 West 34th Street, 5th Floor, New York, New York 10001, USA ("Vimeo").

We use Vimeo to enhance your user experience and to provide you with up-to-date and easy-to-understand information about our offerings and services.

We use Vimeo in extended data protection mode, which according to Vimeo only initiates storage of user information when the video is played. However, the transfer of data to Vimeo partners is not necessarily excluded by the extended data protection mode.

As soon as you start a Vimeo video on our website, a connection is established to the Vimeo servers (and thus also to the USA and worldwide). In this context, Vimeo learns which of our pages you have visited under certain circumstances. If you are logged into your Vimeo account, you also enable Vimeo to assign your surfing behaviour directly to your personal profile. You can prevent this by logging out of your Vimeo account.

Furthermore, after starting a video, Vimeo may store various cookies (cf. section 14.1 above) on your end device or use comparable recognition technologies (e.g. device fingerprinting). In this way, Vimeo can obtain information about you. According to Vimeo, this serves, among other things, to collect video statistics, to improve the user experience and to prevent abusive behaviour.

Where applicable, further data processing operations may be triggered after the start of a Vimeo video over which we have no control.

Where necessary, we have concluded an processing contract with Vimeo. You can find more information here:
https://www.vhx.tv/data-processing.

14.4. Links to other Websites

Our website contains hyperlinks to third-party websites that are not operated or controlled by us. We are not responsible for their content or data protection practices.

14.5. Application process for rental properties

You have the opportunity to apply for vacant rental properties on studentroom.ch. You can find information on the application process on studentroom.ch.

As part of the application process, we process the following personal data:

Details of the desired rental property (address, room no., floor, flat share size, rent incl. service charges, desired move-in date, floor plan).
form of address
First name and surname
Street and no.
Postcode and town
e-mail address
Telephone number
Date of birth
Nationality
Civil Status
Education and training
Start of studies
Duration of studies
Place of study
Enrolment / Certificate of study
Message
Consents

After receiving your reservation request, the management will check your request and inform you of the decision by e-mail. If no tenancy agreement is concluded, your reservation request will be deleted after 6 months as part of the application process. If a tenancy agreement is concluded, your personal data will be processed in accordance with section 15 below.

Within the scope of application of the GDPR, the processing of this data is carried out for the purpose of initiating or fulfilling a contract (Art. 6 para. 1 lit. b GDPR).

14.6. Communication options

14.6.1. General information

We offer various ways to contact us on our website. In addition to the channels listed below, these also include e-mail, telephone and post.

Regardless of the channel used, your enquiry, including all personal data transmitted by you, will be stored and processed by us for the purpose of processing your request. You are responsible for the content you submit.

Within the scope of the GDPR, this data is processed either for the purpose of initiating and fulfilling a contract (Art. 6para. 1 lit. b GDPR) or on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in processing the requests sent to us.

14.6.2. Contact form

You have the option of using a contact form to get in touch with us. The following data can be collected and transmitted:

form of address
First name and surname
Street and no.
Postcode and town
e-mail address
Mobile
message

Mandatory information is marked with an asterisk (*).

Within the scope of the GDPR, this data is processed for the purpose of initiating or fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) for processing the enquiries addressed to us.

15. Processing of personal data within the framework of the rental relationship

Within the scope of the tenancy, we process the following personal data:

Information provided by you as part of the application process (see section 14.5 above).
Information on the tenancy agreement
Bank and payment information
Information in connection with the use of the ICT infrastructure
We process this personal data for the purpose of:
Fulfilment of our contractual rights and obligations
Promoting, planning, implementing and managing the relevant contractual relationship with our tenants
Adherence to legal and compliance requirements
Settlement of legal disputes, enforcement of contractual claims and the exercise and defence of legal claims.

Within the scope of the GDPR, this data is processed either for the purpose of fulfilling a contract (Art. 6 para. 1 lit. b GDPR) or on the basis of our legitimate interest (Art. 6 para. 1 lit. f GDPR) in providing our services.

16. Processing of personal data of applicants

We accept applications by post, e-mail and in person. We may also work with external partners (e.g., job portals and employment agencies) as part of the recruitment process. In this case, please also note the data protection information of these partners. We treat your data as strictly confidential. Your personal data will only be passed on within our foundation to persons who are entrusted with processing your application.

We process the personal data sent to us as part of your application and the personal data collected as part of the application process, insofar as this is necessary to decide on the conclusion and implementation of an employment contract. This includes:

Master data (surname, first name, address, contact details, date of birth, civil status, etc.)
Information on your educational, professional and personal qualifications
Information that we have collected as part of the application process (e.g., as part of assessments)
Other information that you have provided to us in connection with your application.

We process your personal data in this regard for as long as is necessary for the decision on your application. It will be deleted a maximum of six months after the end of the application process, unless longer storage is legally required or permitted or you have not consented to longer storage. If your personal data is collected by an external partner (e.g., job portals and employment agencies) as part of the application process, the storage period will be governed by their data protection information.

If an employment relationship is established following the application process, your application documents will be transferred to your personnel file.

17. Processing of personal data in the context of video surveillance

We monitor part of our premises (Eichhof and Schweighof) by means of video surveillance. The monitored areas are marked accordingly.

Video surveillance is used for the following purposes:

• Protection of persons and infrastructure
• Exercising our property rights
• Preservation of evidence
• Clarification of criminal offences

If images are recorded, they are usually deleted after 120 hours at the latest. Longer storage only takes place if this is necessary for the enforcement of legal claims or the prosecution of criminal offences.

We may use external service providers to carry out video surveillance. Under certain circumstances, the video recordings may also be viewed by external security personnel. In case of suspicion of a criminal offence, for the enforcement of civil law claims or if there is a legal obligation, the video recordings may be transmitted to the competent authorities (e.g., law enforcement agencies).

Within the scope of the GDPR, the processing of this data is based on our legitimate interest (Art. 6 para. 1 lit. f GDPR).

For more information about data protection on Vimeo, please see their privacy policy at: https://vimeo.com/privacy.