Data protection


The requirements of the EU General Data Protection Regulation apply (hereinafter referred to as: GDPR). Please read our Privacy policy carefully. 

The following Privacy policy informs you about the type and scope of the processing of so-called personal data by ISM International School of Management GmbH (hereinafter referred to as: ISM). Which data are processed in detail and how they are used depends largely on the services you have requested or agreed upon. Therefore, not all parts of this information will apply to you. Personal data describes data which can or will be directly or indirectly attributed to you.

Data processing by ISM can essentially be divided into two categories:

1. For the purpose of contract processing, all data required for the performance of a contract with ISM will be processed. If external service providers are also involved in the performance of the contract, for example transport companies, your data will be passed on to them to the extent necessary in each case.

2. When you access the ISM website/application, various information is exchanged between your device and our server. These types of information may include personal data. The information collected in this way is used, among other things, to optimise our website or to display advertising in the browser of your device. 

According to the provisions established in the GDPR, you have various rights which you can assert against us. These include, among other things, the right to object to selected data processing, in particular data processing for advertising purposes. The possibility of objection is highlighted in the print.

The websites are hosted on external servers within Europe and are therefore subject to the security regulations applicable in Europe, the legal basis for this are agreements on order processing according to Article 28 GDPR.

If you have any questions about our privacy policy, you can contact us at any time at


This privacy policy applies to data processing by ISM International School of Management GmbH, Otto-Hahn-Strasse 19, 44227 Dortmund, and for the following websites or applications:,,,,,, and

You have the right to access any personal information that we have saved about you free of charge and, if appropriate, you have the right to correct, block or delete these data. If you have any questions about the collection, processing or use of your personal data, information, correction, blocking or deletion of data as well as revocation of granted consent or objection to a specific use of data, please contact us directly:

We have appointed Mr. Marc Althaus as our external company data protection officer, who continuously works towards compliance with data protection regulations and carries out regular checks. You can find the contact options here:


Contact form:

Dipl.-Kfm. Marc Althaus
Frapanweg 22
22589 Hamburg (Germany)


3.1 Accessing our website/application

When you visit our website/application, the browser used on your device automatically sends information to the server of our website/application and temporarily stores it in a so-called log file. We do not have any influence over this process. The following information is recorded without any action on your part and is stored until it is automatically deleted after seven days: 

1.   IP address of the requesting internet-enabled device,

2.   Date and time of access,

3.   Name and URL of the file requested,

4.   Website/application from which the access was made (referrer URL),

5.   Browser used and, if applicable, the operating system of your internet-enabled computer

6.   Name of your access provider

7.   Language, country, city

8.   Screen resolution

9.   Demographic characteristics: Age, gender

10. Search term

The legal basis is Article 6 para. 1 lit. f) GDPR. Our legitimate interests are derived from the reasons we collect data which are listed below. We would like to reiterate that we are not able to draw any conclusions about your identity from the data collected and that we do not draw them either.

We only use the IP address on your end device and the data listed above for the following reasons: 

1.   To ensure that it is possible to establish a connection with the website easily;

2.   To ensure comfortable use of our website/application,

3.   To evaluate system security and stability, as well as

4.  for administrative purposes.

We also use so-called cookies, tracking tools and targeting processes for our website/application. Please refer to Section 3.3.4 for more detailed information on the processes that are involved and how your data are used for these purposes.

If you have consented to the so-called geolocalisation in your browser or in the operating system or other settings of your device, we do not use this function. If necessary, however, you will receive individual services based on your current location from the search engines or other online service providers you use.

3.2 Conclusion, implementation or termination of a contract

3.2.1 Data processing for the conclusion of a contract

The object of activity of ISM is the provision of services and the distance selling of goods, the retail trade within the scope of the officially issued permits and the serial production of the goods offered. In this respect, we only process data that are necessary for the conclusion, performance or termination of the contract. These include:

1.   Surname/Maiden name

2.   First name

3.   Place of birth

4.   Country of birth

5.   Date of birth

6.   Gender

7.   Nationality

8.   Address(es)

9.   Email address(es)

10. Date of starting membership

11.        Invoicing and payment details

12.        Telephone number(s)

13.        Study program

14.        Other programs booked (e.g. preliminary courses)

15.        Registration for exams

16.        Test results

17.        Study contract

18.        If available, additional documents for the study contract

The legal basis for this is Article 6 para. 1 lit. b) GDPR. If we do not use your contact details for advertising purposes (see 3.3 below), we will save the data collected for the execution of the contract until the statutory or possible contractual warranty and guarantee rights have expired. After this period has expired, we keep the information of the contractual relationship required by commercial and tax law for the periods specified by law. For this period (usually ten years from the conclusion of the contract) the data will only be processed again in the event of a review by the tax authorities.

Furthermore, the above-mentioned data will be forwarded to foreign partner universities as part of your compulsory semester abroad. 

3.2.2 Identity, creditworthiness and transmission to credit agencies and debt collection agencies

If necessary, we can check your identity with the help of information from service providers. The legal basis for this is Article 6 para. 1 lit. b) and lit. f) GDPR. The authorisation to do this arises from the protection of your identity and the avoidance of attempted fraud at our expense. The circumstance and the result of our inquiry will be added to your customer account or your guest account for the duration of the contractual relationship.

In the course of the ordering process, we also check your creditworthiness so that we can show you only the payment methods that you can use. For this purpose, we transmit the following types of data to so-called credit agencies that cooperate with us: Name, address, date of birth. The legal basis for this is the consent declared by you below within the meaning of Article 6 para. 1 lit. a) GDPR:

I hereby consent to ISM checking my creditworthiness. I am aware that the check takes place at the beginning of the ordering process and that I can revoke my consent at any time.

You can revoke your consent at any time with effect for the future by sending a declaration to the address given under “Contact”. The revocation of the consent does not affect the legality of the personal data processed up to the revocation. If you do not want to give the above consent, please advise us accordingly before you initiate the conclusion of your purchase or use the option of ordering as a guest. In this case, however, we can only offer you payment methods that are not associated with a credit risk for ISM. The circumstance and the result of our inquiry will be saved in your customer account for the duration of the contractual relationship.

If you have already shopped with us, the data we have stored about you can be supplemented with so-called score values. Scoring is understood to mean the creation of a forecast about future events on the basis of collected information and past experience. On the basis of the data stored about you, you are assigned to statistical groups of people who had similar entries in the past. The underlying method used is a well-founded, tried and tested, mathematical-statistical method for forecasting risk probabilities.

In the event of a delay in payment, if the other legal requirements are met, we shall transmit the necessary data to a company commissioned to assert the claim. The legal bases for this are both Article 6 para. 1 lit. b) and Article 6 para. 1 lit. f) GDPR. The assertion of a contractual claim is to be regarded as a legitimate interest within the meaning of the second regulation. If the other legal requirements are met, we also transmit information about the delay in payment or a possible bad debt loss to credit agencies that cooperate with us. The legal basis for this is Article 6 para. 1 lit. f) GDPR. The legitimate interest required for this arises from our interest as well as the interest of third parties in reducing contractual risks for future contracts.

In order to collect our outstanding claims, we transfer this function to a debt collection company and, in this context, pass on the necessary data to the debt collection company commissioned by us. This first checks the legality of the claims submitted for collection and then sends a reminder of the defaulting invoice in writing or, if necessary, by telephone. If payment is refused, the debt collection company shall initiate the judicial dunning procedure if necessary. There is also the possibility of enforcement as well as the seizure of usable objects.

3.2.3 Transmission of the data to partner companies

ISM transmits the data collected in the application process for a study place (pursuant to 3.2.1) as a résumé with attachments to qualified partner companies in order to support dual or part-time students in the run-up to their studies in the search for a dual or partner option. The data shall only be transmitted to partners exclusively for the application process. These data shall be deleted after the application process or studies have ended, unless there are longer statutory retention periods.

3.3 Data processing for advertising purposes

3.3.1 ISM and third party advertising purposes

If you have concluded a contract with us, we will manage you as an existing customer. In this case, we process your contact details in order to send you information about new and similar products and services. From time to time we will send your postal contact details to our carefully selected contractual partners as service providers so that they can inform you about new and similar products from ISM.

3.3.2 Interest-based advertising

So that you only receive information that is of supposed interest to you, we categorise and add further information to your customer profile. Both statistical information and information about yourself (e.g. basic data from your customer profile) are used for this. The aim is to send you advertising that is solely oriented towards your actual or supposed needs and therefore not to bother you with useless advertising.

The legal basis for the aforementioned processing is Article 6 para. 1 lit. f) GDPR. The processing of existing customer data for our own advertising purposes or for third-party advertising purposes is to be regarded as a legitimate interest.

3.3.3 Right to object

You can object to data processing for the aforementioned purposes at any time for the respective communication channel separately and with effect for the future. For this purpose, an email or a letter to the contact details mentioned under 1. is sufficient.

If you file an objection, the contact address concerned will be blocked for further advertising data processing. We would like to point out that in exceptional cases, advertising material may still be sent after your objection has been received. This is due to technical reasons and does not mean that we will not implement your objection. Thank you for your understanding.

3.3.4 Cookies - general information

We use so-called cookies in our systems on the basis of Article 6 para. 1 lit. f GDPR. Our interest in optimising our website is to be regarded as justified within the meaning of the aforementioned regulation. Cookies are small files that your browser automatically creates and that are stored on your device (laptop, tablet, smartphone, etc.) when you visit our site. Cookies do no damage to your end device, do not contain viruses, Trojans or other malware. Information is stored in the cookie that results in each case in connection with the specifically used terminal device. However, this does not mean that we immediately become aware of your identity. Using cookies means that the use of our website will be more pleasant for you. For the purpose of user-friendliness, we use permanent cookies that are stored on your device for a period of 30 days. If you visit our site again to use our services, it will automatically be recognised that you have already been with us and the inputs and settings you have made are also recognised, so that you do not have to re-enter them.

On the other hand, we use cookies to record the use of our website statistically and to evaluate it for the purpose of optimising our offer as well as to display information specially tailored to you. When you return to our website, these cookies enable us to recognise automatically that you have already been to our website. These cookies are automatically deleted after a period of 30 days. Most internet browsers accept cookies automatically. However, you can configure your browser so that no cookies are stored on your computer or that a message always appears before a new cookie is set. Complete deactivation of cookies, however, may result in you being unable to use all the functions of our website. The storage time of the cookies depends on their purpose and is not the same for all of them. Cookie consent with Usercentrics

This website uses the cookie consent technology from Usercentrics to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document them in compliance with data protection regulations.

Operator of Usercentrics:

Usercentrics GmbH
Rosental 4
80331 München

Information on data protection from Usercentrics can be found here:

When you enter our website, the following personal data are transferred to Usercentrics:

Usercentrics also saves a cookie in your browser in order to be able to assign the consent you have given or to be able to revoke it. The data collected in this way will be stored until you ask us to delete them, delete the Usercentrics cookie yourself or the purpose for data storage no longer applies. Mandatory statutory retention requirements remain unaffected.

Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Article 6 para. 1 clause 1 lit. c GDPR. Prevent the setting of cookies

If you want to prevent the setting of cookies, you can, in addition to or instead of our cookie consent solution, set cookies on the website in a more general way:

Browser settings

Most browsers are set by default to accept cookies, but you can set your browser to reject cookies or to ask you for confirmation beforehand. The help function in the menu bar of most web browsers explains how you can prevent your browser from accepting new cookies, how you can have your browser inform you when you receive new cookies, or how to delete all cookies that have already been received and block the browser for all others.

If you reject cookies, however, this may mean that part of our website (and services from other websites) are not available and therefore some functions cannot be used. Cookies also usually have to be activated in order to be able to object to the use of programs/applications (because of the setting of your objection (opt-out cookies). 

3.3.5 Google Analytics

For the purpose of needs-based design and ongoing optimisation, we use Google Analytics, a web analysis service provided by Google Inc. (“Google”), on the basis of Article 6 para. 1 lit. f GDPR. In this context, pseudonymised usage profiles are created and cookies are used. Information about your use of this website created by the cookie such as 

1.   browser type/version,

2.   operating system used,

3.   referrer URL (the previously visited website),

4.   the host name of the accessing computer (IP address)

5.   time of the server request,

are transferred to a Google server in the USA and stored there. This information is used to evaluate the use of the website in order to generate reports on website activity and to provide further services relating to website use and internet use for the purposes of market research and to enable these web pages to be developed in line with needs-based requirements. This information may also be transferred to third parties, provided this is legally required, or to the extent that such third parties process the information. Your IP address will never be merged with any other Google data. The IP addresses are anonymised so that an assignment is not possible. The retention period of the data sent by you and linked to cookies, user IDs or advertising IDs is 14 months. For each new activity, the period is set to the current duration plus the specified retention period.

You can prevent the installation of cookies by setting the browser software accordingly; however, we would like to point out that in this case not all functions of this website can be used to their full extent. 

3.3.6 Google Tag Manager

This website uses Google Tag Manager.

Operator of Google Tag Manager:
Google LLC
1600 Amphitheatre Parkway
Mountain View, California 94043 (USA)

This service allows website tags to be managed from an interface. Google Tool Manager only implements tags. That means: No cookies are used and no personal data are collected.

Google Tool Manager triggers other tags, which may collect data. The Google Tag Manager does not access these data. If deactivated at the domain or cookie level, it will remain in effect for all tracking tags as far as they are implemented with the Google Tag Manager. 

3.3.7 Targeting

The targeting measures listed below and used by us are carried out on the basis of Article 6 para. 1 lit f GDPR. By means of the targeting measures we use, we want to make sure that only your actual or supposed interest-oriented advertising is displayed on your devices. It is in both your and our interests not to bother you with advertisements that are of no interest to you. Onsite-Targeting

On our website, cookies are used to collect and evaluate information for the optimisation of advertisements. This information contains, for example, information about which of our courses of study you are interested in. The collection and evaluation takes place exclusively pseudonymously and does not enable us to identify you. In particular, the information will not be merged with your personal data. Based on the information, we can show you offers on our site that are specifically tailored to your interests, as they result from your previous user behaviour. The cookie is automatically deleted after 30 days. Re-Targeting

We also use Ad server re-targeting technologies. This enables us to tailor our online offer to be more interesting. For this purpose, a cookie is set with which interest data are collected using pseudonyms. Based on this information, you will be shown interest-related advertisements for our offers. No personal data are stored and no user profiles with personal data are merged about you. The cookie is stored for a period of 30 days and then automatically deleted. Objection options

You can prevent the targeting technologies explained by means of a corresponding cookie setting in your browser (see also 3.3.4). Facebook custom audience can be deactivated under the following link: 

3.3.8 Hubspot CRM

We use Hubspot CRM on this website. The provider is Hubspot Inc. 25 Street, Cambridge, MA 02141 USA (hereinafter referred to as Hubspot CRM).

Hubspot CRM enables us, among other things, to manage existing and potential customers as well as customer contacts. With the help of Hubspot CRM, we are able to record, sort and analyse customer interactions via email, social media or telephone across different channels. The personal data collected in this way can be evaluated and used for communication with potential customers or for marketing measures (e.g. newsletter mailings). With Hubspot CRM we are also able to record and analyse the user behaviour of our contacts on our website.

The use of Hubspot CRM is based on Article 6 para. 1 lit. f) GDPR. The website operator has a legitimate interest in the most efficient possible customer management and customer communication. If a corresponding consent has been requested, processing takes place exclusively on the basis of Article 6 para. 1 lit. a GDPR; the consent can be withdrawn at any time.

Details can be found in the privacy policy of Hubspot:

The transfer of data to the USA is based on the standard contractual clauses of the EU Commission. Details can be found here:


Pursuant to Article 8 para. 1, the processing of the personal data of children is lawful when the child has reached the age of sixteen. If the child has not yet reached the age of sixteen, this processing is only lawful if and to the extent that this consent is given by the holder of parental responsibility for the child or with their consent. With the consent to the declaration of consent, we assume that you have either reached the age of sixteen or that you have received parental consent. 

4.1 Contact form

4.1.1 Contact form for interested parties

We provide you with contact forms to make it easier for you to contact us and make appointments. This applies to ordering information material, arranging appointments with the student advisory service, as well as registering for the information event and the entrance test.

The data collected include e.g. 

The data collected in this context are stored by us in order to provide you with information about the course and the university on the channels you have selected. The data will be forwarded for further processing within the university. In the event of inactivity on your part, your data will be deleted after 36 months, unless you indicate otherwise.

4.1.2 Cooperation with external internet portals

Cooperation with study portals

We work together with the external study portal Studyportals.

Information on the data protection of Studyportals can be found here:

A code from Studyportals is integrated into our application form so that the service (referral of an interested party) from Studyportals to ISM can be billed on a performance-related basis. If you fill out our application form, the following data will be collected from you:

The above data are transmitted to the service provider clickmeter and its host Amazon Web Services and processed there. A transfer to countries outside the EU, in particular the USA may also take place.

Information on data protection from Amazon Web Services can be found here:

You can find information on data protection at clickmeter here:

The purpose of this processing is the performance-related billing of successful placements between Studyportals and ISM. The legal basis for data processing is the service contract and therefore Article 6 para. 1 lit. b) GDPR and the legitimate interest of the ISM according to Article 6 para. 1 lit f) GDPR. ISM has a legitimate interest in maintaining control over the placements actually made via Studyportals.

4.1.3 Contact form for press contacts

For inclusion in our press mailing list, we provide you with a corresponding contact form. Your data will be stored by us for further processing and used for communication purposes. Third-party providers can be used for further processing. The storage of the data by the provider can exceed the scope of this Privacy policy.

4.2 Blog

We provide the email address for reactions to our blog. Your contact details given in the email (at least your name and email address) will be stored within the university to process your request, will be forwarded internally and deleted after processing.

4.3 Whatsapp

We provide Whatsapp as a communication channel with the university. Data that you send us via Whatsapp are stored within the university and are forwarded internally so that we can process your request. Your data will be deleted after processing. We would like to point out that other data protection guidelines and liability regulations apply to the use of third-party providers such as Whatsapp. The storage and use of data by the provider that arise during use may exceed the scope of this Privacy policy. 

Operator of Whatsapp:
WhatsApp Inc.
1601 Willow Road, Menlo Park
California 94025 (USA)

4.4 E-Mail

Data that you send us by email will be stored within the university and will be forwarded internally in order to be able to process your request. Emails are archived within the university within the framework of the statutory retention requirements.

4.5 Possibility of objection

You can revoke the selected contact options at any time.


5.1 Youtube

We use the provider YouTube to embed videos. The videos were embedded in the extended data protection mode. Like most websites, YouTube also uses cookies to collect information about visitors to its website. YouTube uses these, among other things, to collect video statistics, to avoid fraud and to improve user-friendliness. This also leads to a connection being established with the Google DoubleClick network. When you start the video, it could trigger further data processing. We do not have any influence over this. You can find more information about data protection at YouTube in their privacy policy at:

The legal basis for this is Article 6 para. 1 lit. f) GDPR. 

5.2 Media library

If necessary and if not otherwise possible, film contributions are also integrated via media libraries, the legal basis for this is Article 6 para. 1 lit. f) GDPR. We would like to point out that other data protection guidelines and liability regulations apply to the use of third-party providers such as media libraries. The storage and use of data by the provider that arise during use may exceed the scope of this Privacy policy. 

5.3 Zoom

We use the web conference software Zoom to hold courses, online meetings, video conferences and/or webinars (hereinafter referred to as online meetings).

Operator of Zoom:
Zoom Video Communications, Inc.
55 Almaden Blvd, Suite 600,
San Jose, California 95113 (USA)

If you access the Zoom website, the operator of Zoom is responsible for the data processing. Accessing the website is only required for the use of Zoom in order to download the software for using Zoom. You can also use Zoom if you enter the respective meeting ID and any other access data for the meeting directly in the Zoom App. If you do not want to or cannot use the Zoom App, the basic functions can also be used via a browser version, which you can also find on the Zoom website.

Various types of data are processed when using Zoom. The scope of the data depends on what data you enter before or when you participate in an online meeting. The following personal data are processed: 

In order to take part in an online meeting or to enter the “meeting room”, you must at least provide information about your name. If we want to record online meetings, we shall inform you transparently in advance and, if necessary, ask for your consent. The fact of the recording is also displayed in the Zoom App.

If necessary for the purpose of logging the results of an online meeting, we will log the chat content. However, this will usually not be the case. For the purpose of recording and following up online meetings, we can also process the questions asked by webinar participants.

If you are registered as a user at Zoom, reports on online meetings (meeting metadata, data on telephone dial-in, questions and answers in webinars, survey function in webinars) can be saved on Zoom for up to a month.

The existing option of a software-based “attention monitoring” (“attention tracking”) is deactivated. Automated decision making within the meaning of Article 22 GDPR is not used.

Personal data that are processed in connection with participation in online meetings are generally not passed on to third parties, unless they are intended to be passed on. Please note that content from online meetings as well as from personal meetings is often used to communicate information to customers, interested parties or third parties and is therefore intended to be passed on.

The provider of Zoom necessarily receives knowledge of the above data, insofar as this is provided for in our order processing contract with Zoom.

Zoom is a service provided by a US provider. Processing of personal data also takes place in a third country. We have concluded an order processing contract with the provider of Zoom.

The legal basis for data processing is Article 6 para. 1 lit. b and f) GDPR. Information about data protection at Zoom can be found at:


If you provide us with personal data as part of the application process, you can send them to us online via our application platform. The basis for this is an agreement on order processing. The personal data made available to us are divided into the following data types and data categories for collection, processing or use:

We use the personal data you provide exclusively within the ESO Education Group, to process your application for the advertised position. Only people who are involved in the application process will be informed of your personal data. All employees entrusted with data processing are obligated to maintain the confidentiality of your data. We do not pass on your personal data to third parties unless you have consented to the data being passed on or we are obligated to pass data on due to legal provisions and/or official or judicial orders. With an application, an account is created in our career portal in which you can view and manage your application. During the application process, you have the opportunity to evaluate the application process and our company online with the service provider softgarden e-recruiting GmbH. This feedback can appear on the softgarden and kununu GmbH rating portals.

Your data will be automatically deleted within six months of completing the specific application process. This does not apply if statutory provisions prevent deletion, if further storage is necessary for the purpose of providing evidence or if you have expressly consented to longer storage.

If you decide to be included in the talent pool, the entire Euro-Schools group of companies can access your personal data in the event of job vacancies. You can join the talent pool by agreeing to the invitation of a recruiter or proactively using the “Get in touch” form.



7.1 Data processing for advertising purposes

The processing mentioned under 3.3 causes data to be transmitted to the servers of the providers of tracking and targeting technologies commissioned by us. These servers are located in the USA.

7.2 Data processing at foreign universities

In addition to the processing described under 3.2, we pass on your data to foreign universities based outside the European Union or the European Economic Area, provided that they concern the planning and implementation of a stay abroad in connection with your studies at ISM, which is completed outside of Europe.


8.1 Overview

In addition to your right to revoke the consent you have granted us, you are also entitled to the following rights on the basis of the respective statutory requirements:

1.   Right to information about your personal data stored by us pursuant to Article 15 GDPR,

2.   Right to correct incorrect data or to complete correct data pursuant to Article 16 GDPR,

3.   Right to erasure of the personal data we have stored about you pursuant to Article 17 GDPR,

4.   Right to restriction of processing pursuant to Article 18 GDPR,

5.   The right to data portability pursuant to Article 20 GDPR.

8.2 Right of objection

In accordance with the requirements stipulated in Article 21 section 1 GDPR, it is possible to object to the processing of personal data for reasons that arise from an exceptional circumstance that affects the data subject.

The above general right of objection applies to all processing purposes described in this data protection information, which are processed on the basis of Article 6 para. 1 lit. f) GDPR. Unlike the special right to object to data processing for advertising purposes (see 3.3.3 above), according to the GDPR we are only obligated to implement such a general objection if you give us reasons of overriding importance (e.g. a possible risk for life or health). You can also contact a supervisory authority or the data protection officer.




All data transmitted by you personally, including your payment details, are transmitted using the generally accepted and secure SSL (Secure Socket Layer) standard. SSL is a secure and proven standard that is also used, for example, in online banking. You can detect a secure SSL connection by the s attached to the http (i.e. https://...) in the address bar of your browser or by the lock symbol in the lower area of your browser.

In addition, we use appropriate technical and organisational security measures to protect your data against deliberate manipulation, partial or complete loss or unauthorised access by third parties. Our security measures are continuously improved to meet state-of-the-art requirements. Data exchange between the server and an accessing computer (client) is secured by SSL certificates with the signature algorithm SHA-256. This applies to, and