In the following, we inform you about the processing of your personal data by us and the claims and rights to which you are entitled under the various data protection regulations.
This Privacy Notice applies to trainers, tutors, contact persons and other employees of WPI's Authorized Training Partners (ATPs), as well as to learners (course participants) who use the WPI online learning system (collectively referred to as "users"). It describes how we process personal data within the online learning system across all domains, platforms and devices (desktop, mobile, etc.).
Personal data is any information relating to an identified or identifiable natural person ("data subject"), such as name, address, email and course participation. In this privacy policy, we provide information on how we handle your personal data and what rights you have.
In our privacy notices, we use various other terms that are defined in the EU GDPR / UK GDPR. These include terms such as processing, restriction of processing, profiling, pseudonymization, controller, processor, recipient, third party, consent, supervisory authority and international organization. The corresponding definitions for these terms can be found in Article 4 of the GDPR/UK-GDPR.
Controllers within the meaning of the GDPR are
a) Web Professional Institute Inc ("WPI"), 444 Brickell Avenue Suite 700 Miami, FL 33131, USA
For all questions regarding data protection, please contact
For users in the EU to our EU representative: mip Consult GmbH, Rechtsanwalt Asmus Eggert, Wilhelm-Kabus-Str. 9, 10829 Berlin, Germany, privacy@wpicert.org
Users outside the European Union can contact us directly for all data protection issues at privacy@wpicert.org for all data protection issues.
b) X SIEBEN Wirtschaftstraining GmbH ( "ATP"), Kurze Gasse 7, 2493 Lichtenwörth, Austria, jointly with the WPI pursuant to Art. 26 GDPR in relation to learners (course participants)
WPI and ATP jointly organize the implementation of online training courses in the online learning system provided by WPI. WPI provides the online learning system, learning material and exams for this purpose. ATP supervises and supports the learners (course participants) through trainers and tutors. WPI and ATP are jointly responsible for these processing operations in accordance with Art. 26 GDPR. For the other data processing operations (where there is no joint determination of the purposes and means of individual phases of data processing), WPI and ATP are independent controllers within the meaning of Art. 4 No. 7 GDPR.
In a joint controllership agreement, WPI and ATP have agreed that the data protection obligations of the GDPR will be fulfilled by the parties as described below:
Obligationsunder the GDPR |
Responsible |
|
WPI |
ATP |
|
Art. 26 (2) GDPR: Informing the parties concerned about the essential content of this agreement; Art. 13 GDPR: Duty to provide information when collecting personal data; Art. 14 GDPR: Duty to provide information if the data was not collected from the data subject; Art. 24, 32, 35, 36 GDPR: Specification/documentation of technical and organizational measures, risk assessment, data protection impact assessment and consultation of a supervisory authority, if applicable; Art. 33, 34 GDPR: Notification of data breaches; Art. 28 GDPR: Involvement of processors or sub-processors and their review |
X |
|
Art. 15 GDPR: Processing of requests for information; Art. 16 GDPR: Processing of requests for rectification |
X |
|
Art. 17, 18, 19 GDPR: Processing of requests for erasure, restriction of processing, notification obligation; Art. 20 GDPR: Processing of requests for data portability; Art. 21 GDPR: Processing of objections; Art. 30 GDPR: Maintenance of the record of processing activities |
X |
X |
If necessary, WPI and ATP will inform each other immediately about legal positions asserted by data subjects.
Note: Data protection rights can be asserted at both WPI and ATP regardless of the agreement between WPI and ATP.
As the controller, WPI collects and processes personal data as part of the WPI online learning system. As a company headquartered in Florida (USA), data processing is primarily subject to US law, in particular the Florida Information Protection Act (FIPA). In addition, WPI undertakes to comply with the applicable data protection laws of the user's country of residence:
For users in the European Union or the European Economic Area, the General Data Protection Regulation (GDPR) applies. WPI ensures compliance with the GDPR standards through appropriate technical and organizational measures, even when processing data in the USA.
For users in the United Kingdom, the UK Data Protection Act 2018 and the UK GDPR apply. The requirements set out therein are ensured by appropriate protective measures.
For users in Switzerland, the Swiss Data Protection Act (nDSG) applies. WPI ensures compliance with Swiss data protection requirements through appropriate safeguards.
Regardless of the location of the user, WPI guarantees a high level of data protection by
Implementing state-of-the-art security standards
Regularly reviewing and updating the protective measures
Transparent documentation of data processing procedures
Consideration of the strictest applicable data protection regulations
In general, WPI and ATP collect information directly from you, e.g. data that you enter into the learning platform or that is generated as part of your course participation. We also collect some information automatically, including data about your device and the services you interact with or use.
In addition, WPI collects personal data from trainers, tutors, contact persons and other ATP personnel from direct business interactions (information you provide during our business relationship), from internal sources (information from colleagues or business partners who are already in contact with us) and, where necessary and legally permissible, from publicly available sources (commercial registers, media, websites) and from third parties (credit agencies, business partners). If we collect personal data from third-party sources, we will inform you separately about this collection.
The type of information collected depends on how you use our services.
Relevant personal data includes
User account data |
In order to use certain services (e.g. to attend a course), you need a user account. To create a user account, we need
When you update your user profile, we may collect and store the data you provide, e.g:
As a trainer, tutor, contact person or other ATP personnel, WPI may also collect the following information from you:
|
Course dates |
When you register for and participate in courses, we collect certain data, e.g. courses started and completed, certificates of achievement (online tests, project work) as well as certificates of participation and certificates. We also store the role with which you are authorized. This data on authorizations and roles is necessary for the system to function. Learners (course participants) and teachers can be divided into groups, and groups can be combined into groupings. User activity in the system also generates usage and content data. Learners are usually assigned the role of "participant". The actions of the "Participant" are limited to the rights of this role. If another role is assigned in exceptional cases, the possible actions correspond to the rights of this role. |
Usage data / log file data |
The system logs the following data for each action: session ID, user ID, user agent, IP address, date and time of access, actions performed and course affected. In addition, the system stores the time of the first login to the system, the last access to the system and the last access to a course as well as the last IP address used in the user history. |
Content data |
Users, in particular learners (course participants), can create content in their user profile and at the level of the assigned courses (e.g. comments, votes, tasks, tests or in the context of uploaded resources or work materials, e.g. files). The resulting certificates of achievement and the certificates confirming them are stored in our system. Within the learning system, you can add further data, in particular address data, to your profile. The provision of this data is not mandatory for the purposes of training and is therefore voluntary. If this data is provided, this is done on the basis of the data subject's consent. The information on consent applies, see "Your rights" below. |
Data for communication and support |
We process your data to facilitate communication and collaboration between users and us, in particular to prepare, organize and conduct training courses, provide training content and monitor learning progress. Usage data is also processed for system administration and maintenance, technical monitoring, troubleshooting and the investigation of security incidents. |
We process personal data for the following purposes and on the following legal bases:
1) Insofar as you have given us consent to process personal data for specific purposes, in particular to contact you (e.g. via our web forms or by e-mail to process and handle your request), the lawfulness of this processing is based on your consent in accordance with Art. 6 para. 1 sentence 1 lit. a GDPR, Art. 6 para. 1 lit. a UK GDPR, Art. 31 para.1 alternative 1 nDSG.
Consent that has been granted can be revoked at any time.
Please note that the revocation is only effective for the future. Processing that took place before the revocation is therefore not affected by the revocation. You can withdraw your consent at any time by contacting us using the contact details above.
2) For the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract (Art. 6(1)(b) GDPR), Art. 6(1)(b) UK GDPR, Art. 31(2)(a) nDSG in particular:
For trainers/tutors, contact persons and other personnel of the Authorized Training Partner (ATP):
Processing and management of personal data in ATP agreements
Personal data required for invoicing and payment processing
Sending information in the context of courses and certifications
For learners (course participants):
Participation in further education courses
Certification process
Sending information in the context of courses and certifications
3) To fulfill legal obligations (Art. 6(1)(c) GDPR), Art. 6(1)(c) UK GDPR, Art. 31(1)(3) nDSG, in particular tax reporting obligations and audits, as well as to comply with statutory retention periods.
4) For the purposes of the legitimate interests pursued by us (Art. 6(1)(f) GDPR, Art. 6(1)(f) UK GDPR, Art. 31(1) Alternative 2 nDSG), namely:
Trainers/tutors, contact persons and other ATP staff:
Optimization of ATP support and relationship management
Maintenance of an ATP contact database as part of "Partner Relationship Management".
Reduction of default risks through consultation with credit agencies
Learners (course participants):
Optimization of the functions and features of the online learning system
Optimization of learning content
Development of new courses and certifications
In general:
Assertion, exercise or defense of legal claims
Market research purposes
Use of cookies and similar technologies: We only use cookies and similar technologies on our website without your consent if this is absolutely necessary for the functionality of the website. This processing is based on our legitimate interest in ensuring optimal website performance and is limited to storing essential information on your device.
5) We use cookies and similar technologies on our website. We store information on your device because this is absolutely necessary in order to make our website available to you, Section 25 (2) No. 2 TDDDG. The data processing is carried out to safeguard our legitimate interest pursuant to Art. 6 para. 1 sentence 1 lit. f GDPR, Art. 6 para. 1 lit. f UK GDPR, Art. 31 para. 1 alternative 2 nDSG in the best possible functionality of the website.
We may disclose your personal data to the following recipients
1) Member companies of our group of companies
Your data may be passed on to member companies of our group of companies if this is necessary for the processing of your inquiries, the administration of contractual relationships or the handling of central corporate functions.
2) Service providers as data processors pursuant to § 501.171(1)(h), (2) Florida Statutes, Art. 28 GDPR, Art. 28 UK GDPR, Art. 9 nDSG
We commission carefully selected service providers for IT, telecommunications, debt collection, consulting, sales and marketing. These processors are contractually bound by our instructions, implement suitable technical and organizational measures and are regularly monitored. They may only process data to fulfill the tasks assigned to them.
3) Third parties
Data may be passed on to third parties if this is
is necessary for contractual purposes (Art. 6(1)(b) GDPR, Art. 6(1)(b) UK GDPR, Art. 31(2)(a) nDSG),
is justified by legitimate business interests (Art. 6(1)(f) GDPR, Art. 6(1)(f) UK GDPR, Art. 31(1)(2) nDSG) or
with your consent.
4) Business transactions
In the event of corporate restructuring, mergers or sales, personal data may be transferred as part of the business assets, always in compliance with applicable data protection laws.
5) Legal requirements
We may share data with:
Legal counsel, law enforcement agencies and affected third parties in the investigation of illegal or abusive behavior,
Public authorities when required by law (law enforcement, administrative and tax authorities)
Note: As a US company, we may be legally obliged to disclose your data to US authorities under certain circumstances, for example in the context of national security or law enforcement requirements. We are subject to the supervision of the US Federal Trade Commission.
All data transfers are carried out in accordance with this data protection notice and the applicable data protection laws.
Insofar as we process your personal data, we will only store your personal data
until you terminate the user contract for our online learning system (without termination, learners' data will continue to be stored so that they have access to their course data and certificates even after the end of the course and employers can check the validity of certificates via a code on the certificate);
Trainers/tutors, contact persons and other ATP personnel: The data collected for the above purposes will only be retained for as long as necessary, in particular we will process and store your personal data for the duration of our or the contract between WPI and the Authorized Training Partner (ATP);
The log file data is stored for a maximum of 4 weeks for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes is excluded from deletion until the respective incident has been finally clarified;
until you object to the use of your personal data (insofar as we have a legitimate interest in the use of your personal data) or
until you withdraw your consent (insofar as you have consented to the use of your personal data) or
as required by the aforementioned purposes or.
However, if we are required by law to store your personal data for a longer period, we will process your personal data until the expiry of the relevant retention period.
In addition, we are subject to various recording and retention obligations arising from regulatory requirements. Due to these legal requirements, we are obliged to carry out further temporary storage on the basis of Art. 6 para. 1 lit. c GDPR, Art. 6 para. 1 lit. c UK GDPR, Art. 31 para. 1 alternative 3 nDSG. In accordance with the retention periods provided for in these regulations, we store your data beyond the end of the contractual relationship.
In addition, the preservation of evidence within the framework of the statute of limitations may require further storage. The further storage for a limited period of time is based on Art. 6 para. 1 lit. f GDPR, Art. 6 para. 1 lit. f UK GDPR, Art. 31 para. 1 alternative 2 nDSG, in order to protect our legitimate interests in the assertion, exercise or defense of legal claims.
We collect your personal data directly from you. The servers on which your data is processed are located in the EU. WPI's headquarters are located in the United States. The data WPI collects about you is also processed in the United States.
Note from WPI: As WPI collects the data directly through the WPI website or online learning system, this does not constitute a "transfer" under Chapter 5 of the GDPR. However, as a data controller that collects your data directly in the EU, UK or Switzerland, WPI is fully subject to the standards of the EU General Data Protection Regulation.
Data may also be transferred out of the EU, UK or Switzerland if ATP has its headquarters in a third country or if we use service providers from third countries. In these cases, we use suitable guarantees (e.g. EU standard data protection clauses) to ensure that an appropriate level of data protection is guaranteed. You have the option of obtaining a copy of the EU standard data protection clauses. In certain cases, we will also obtain your express consent for the transfer of data to the USA.
In accordance with Art. 15 GDPR, Art. 15 UK GDPR, Art, 25, 26 nDSG, you have the right to information as to whether personal data concerning you is being processed and, if this is the case, to information about this personal data. In this case, we will provide you with the stored personal data.
You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you and the completion of incomplete personal data in accordance with Art. 16 GDPR, Art. 16 UK GDPR, Art, 28 nDSG.
You have the right to obtain the erasure of personal data concerning you without undue delay in accordance with Art. Art. 17 GDPR, Art. 17 UK GDPR, Art, 28 nDSG. The right to erasure ("right to be forgotten") does not apply without restriction. In particular, erasure cannot be requested if we need to continue processing your personal data for the performance of our contract, for compliance with a legal obligation or for the establishment, exercise or defense of legal claims. The conditions and restrictions of the right to erasure are regulated in detail in Art. 17 GDPR.
You have the right, in accordance with Art. 18 GDPR, Art. 18 UK GDPR, to demand that the processing of your personal data be restricted if one of the requirements of Art. 18 para. 1 GDPR is met. In this case, we may continue to store this data, but only process it under strict conditions. The conditions and restrictions of the right to restriction of processing are regulated in detail in Art. 18 GDPR.
In accordance with Art. 20 GDPR, Art. 20 UK GDPR, Art, 28 nDSG, you have a right to data portability. You may request to receive the personal data you have provided to us, which we process on the basis of the contract between us or your consent by automated means, in a structured, commonly used and machine-readable format. Please note that the revocation is only effective for the future and does not affect the legality of the processing carried out on the basis of the consent until the revocation.
Information about your right to object pursuant to Art. 21 GDPR, Art. 21 UK GDPR
You have the right to object, on grounds relating to your particular situation, at any time to processing of personal data concerning you which is based on Art. 6 para. 1 lit. e GDPR, Art. 6 para. 1 lit. e UK GDPR (data processing in the public interest) and Art. 6 para. 1 lit. f GDPR, Art. 6 para. 1 lit. f UK GDPR (data processing on the basis of a balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4 no. 4 GDPR.
If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.
In individual cases, we also process your personal data for direct marketing purposes. You have the right to object at any time to the processing of personal data concerning you for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising. If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.
Objections do not require any special form and there are no costs other than the transmission costs according to the basic rates. If possible, objections should be sent to the above address or by e-mail.
The above-mentioned notifications and measures requested by you will be made available to you in accordance with Art. 12 para. 5 GDPR.
In addition, you have the right to lodge a complaint with a competent data protection supervisory authority:
For Florida (USA): to the Florida Office of the Attorney General
For EU/EEA: to the respective national data protection authority
For UK: to the Information Commissioner's Office (ICO)
For Switzerland: to the Federal Data Protection and Information Commissioner (FDPIC)
We would be pleased if we could resolve your concerns before you contact the supervisory authority and therefore ask you to contact us first with your complaint.
We do not use fully automated decision-making in accordance with Article 22 GDPR, Art. 22 UK GDPR. Should we use these procedures in individual cases, we will inform you of this separately if this is required by law. We do not process your data automatically with the aim of evaluating certain personal aspects (profiling).
You must provide the personal data that is required for the use of our online learning system for technical or contractual reasons. If you do not provide this data, you will not be able to use our learning system.
We ourselves and the service providers we use process personal data on this website and use cookies and similar technologies in this context, such as web storage or web beacons. These technologies can store information on your device or access information that is stored on your device (so-called client-based tracking).
Cookies are stored in the browser on the user's device. They contain information that is stored about a visited page. The cookie is either sent to the browser by the web server or generated in the browser by a script (JavaScript). The web server can read this cookie information directly on subsequent visits to this page or transmit the cookie information to the server via a script on the website. If cookies are set, they generally collect and process certain user information such as browser and location data and IP address values to an individual extent.
Our website only uses technically necessary cookies that are essential for the operation of the website. These cookies ensure basic functions such as navigation on the website and access to secure areas. The website cannot function properly without these cookies.
No separate consent is required for these cookies. The legal basis for the use of these technically necessary cookies is Art. 6 para. 1 lit. f GDPR, Art. 6 para. 1 lit. f UK GDPR, Art. 31 para. 1 alternative 2 nDSG, our legitimate interest in providing a functional and secure website.
For persons residing outside the European Union, the European Economic Area, Switzerland and the United Kingdom, we provide country-specific data protection information:
For California (USA) residents, the California Consumer Privacy Act (CCPA) applies. The CCPA grants you the following specific rights:
Right of access: you can request information about what personal information we collect, use and disclose about you.
Right to erasure: You may request the deletion of your personal information, subject to certain exceptions.
Right to non-discrimination: We will not discriminate against you when you exercise your CCPA rights.
Right to object to sale: We do not sell your personal information for the purposes of the CCPA. If this changes in the future, we will notify you and give you the opportunity to opt out of this sale.
Disclosure pursuant to Cal. Civ. Code 1798.140(d):
No personally identifiable information has been shared for business purposes in the past 12 months
WPI does not sell personal information of individuals under the age of 16
Processing privacy requests:
Response within the statutory time limits
In the event of delays, a written notification with reasons will be sent
Information is provided in writing or electronically on request
Information period: 12 months prior to receipt of request
Processing free of charge (except for abusive requests)
Browser tracking:
WPI does not respond to "Do Not Track" browser settings, but adheres to the standards set forth in this Privacy Notice.
Contact for exercising your rights: privacy@wpicert.org
Further information:
Full CCPA text: https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5
California Attorney General's Office: https://oag.ca.gov/privacy/ccpa
For residents of Canada, the provisions of the Personal Information Protection and Electronic Documents Act (PIPEDA) apply. Link: https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/r_o_p/
For residents of Brazil, the provisions of the Lei Geral de Proteção de Dados (LGPD) apply. Link: https://www.gov.br/esporte/pt-br/acesso-a-informacao/lgpd
For users from other countries, the respective local data protection regulations apply.
If you have any questions about the data protection provisions that apply to you, you can contact privacy@wpicert.org at any time.
We regularly update our Privacy Notice to reflect changes in our business practices and legal requirements. We will notify you of any material changes.