Privacy Policy

Please click here for the privacy policy for applicants to a program administered by the German-American Fulbright Commission.

Please click here for the privacy policy for participants in a program of the the German-American Fulbright Commission.


Below, we provide you with information about the collection of personal data when using our website, and when contacting us via a contact form, email, or telephone, during the application process, and in connection with your participation in our events. Personal data refers to all data that can be related to you personally, such as your name, address, email addresses, and user behavior.

I. Name and contact of the responsible entity and data protection officer

1   The responsible entity according to Article 4(7) of the EU General Data Protection Regulation (GDPR) is: German-American Fulbright Commission, Lützowufer 26, 10787 Berlin, Germany, Tel.: +49 (0)30-284443-0, Email: info@fulbright.de

2.   Our data protection officer, Ms. Susanne Klein, attorney-at-law, Beiten Burkhardt Services GmbH, Ganghoferstraße 33, 80339 München, can be reached by phone at: +49 (0)69-756095-585 or email at: Susanne.Klein@bbservices.gmbh

II. General information about the collection, transfer and storage of personal data

1.   We process your personal data in accordance with the provisions of the General Data Protection Regulation (GDPR), the Federal Data Protection Act (BDSG), and all other relevant laws.

2.   The primary purpose of data processing is to establish and fulfill a contractual relationship with you. When you contact us via email, a contact form, or telephone, the information you provide (your email address, possibly your name, and telephone number) is stored by us to answer your inquiries. The primary legal basis for this is Article 6(1)(b) of the GDPR. In addition, your separate consent under Article 6(1)(a) and (7) of the GDPR may be used as a legal basis for data processing. We also process your data to fulfill our legal obligations, particularly in the area of trade and tax law. This is based on Article 6(1)(c) of the GDPR. Where necessary, we process your data based on Article 6(1)(f) of the GDPR to protect legitimate interests of ours or third parties.

3.   Your personal data will not be transmitted to third parties for purposes other than those listed below. We only share your personal data with third parties if you have given explicit consent under Article 6(1)(a) of the GDPR, if sharing is necessary for the establishment, exercise, or defense of legal claims under Article 6(1)(f) of the GDPR and there is no reason to believe that you have an overriding legitimate interest in not disclosing your data, if there is a legal obligation to share under Article 6(1)(c) of the GDPR, or if it is legally permissible and necessary under Article 6(1)(b) of the GDPR for the execution of contractual relationships with you.

4.   If we use external service providers for specific functions of our offering or if we wish to use your data for promotional purposes, we will inform you in detail about the respective processes below. We will also provide the specified criteria for storage duration.

5.   We delete your personal data as soon as they are no longer necessary for the purposes for which they were collected. After termination of the contractual relationship, your personal data will be stored as long as legally required. This is regularly determined by legal obligations for proof and retention, which are governed, among other things, by the Commercial Code and the Fiscal Code. The retention periods are up to ten years. In addition, personal data may be retained for the period during which claims can be made against us (statutory limitation period of three or up to thirty years).

III. Collection of personal data on our website

1. Visit to our website

a)   When you visit our website for informational purposes, i.e., without registering or otherwise transmitting information to us, we only collect the personal data that your browser sends to our server. If you want to view our website, we collect data that is technically necessary for us to display our website to you and ensure its stability and security. The data is also stored in the log files of our system. Storage of this data, along with other personal user data, does not occur. This data includes the IP address of the requesting device, date and time of the request, time zone difference to Greenwich Mean Time (GMT), content of the request (specific page), access status/HTTP status code, data volume transferred in each case, website from which the request originates, browser, operating system and its interface, as well as the language and version of the browser software.

b)   The legal basis for the temporary storage of data and log files is Article 6(1)(f) of the GDPR.

c)   The temporary storage of the IP address by the system is necessary to deliver the website to your browser. For this purpose, your IP address must be stored for the duration of the session. The storage in log files is carried out to ensure the functionality of the website. Furthermore, the data serves us for the optimization of the website and to ensure the security of our information technology systems. These purposes also constitute our legitimate interest in data processing under Article 6(1)(f) of the GDPR. An evaluation of the data for marketing purposes does not take place in this context.

d)   The data will be deleted as soon as it is no longer necessary for the purpose of its collection. In the case of data collected for the provision of the website, this is the case when the respective esession is ended. Log files are deleted within 10 days after accessing the website.

e)   For hosting this website, we use the external provider Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen. The aforementioned personal data collected on this website is stored on the hoster's servers. The host will process your data only to the extent necessary to fulfill its contractual obligations. To this purpose, we have entered into a data processing agreement with the hoster, so that they process the personal data exclusively on our behalf and according to our instructions.

2. Use of cookies

a)   Cookies are used on our website. These are small text files that are stored on your device when you visit our site, as far as your device's browser settings allow. The cookie contains information that is related to the specific device being used. We differentiate between cookies that are strictly necessary for the technical functions of the online offering and those cookies that are used for statistical analysis to improve the functionality of our website and tailor it to user behavior.

b)   Technically necessary cookies
By technically necessary cookies, we mean cookies that are essential for the technical provision of the online offering. These include, for example, connection control during an online session (so-called session cookies). These cookies are deleted as soon as the browser session is ended. The data processing carried out due to technically necessary cookies is required for the purposes mentioned in order to safeguard our legitimate interests pursuant to Article 6 para. 1 lit. f) GDPR. The legal basis for the use of technically necessary cookies or similar technologies on your device is § 25 para. 2 No. 2 TDDDG.

c)   Functional cookies
We use various cookies only with your consent, which you can select when you first visit our website through the so-called cookie consent tool. The functions are only activated with your consent and serve in particular to analyze and improve visits to our website, to facilitate operation across different browsers or devices, to recognize you on a return visit, or to embed videos on our website. The legal basis for these data processing activities is your consent in accordance with Article 6 para. 1 lit. a) GDPR. The legal basis for the use of functional cookies or similar technologies on your device is your consent in accordance with § 25 para. 1 TDDDG. You can revoke your consent at any time using the cookie consent tool, without affecting the lawfulness of processing until revocation.

d)   If you do not wish to store cookies on your device or if you want to be notified before a new cookie is created, you can configure your browser accordingly. However, complete deactivation of cookies may result in you not being able to use all functions of our website.

e)   Our website uses the cookie consent technology of CCM19 to obtain your consent within the meaning of Art. 6 Para. 1 lit. a) GDPR to store certain cookies in your browser and to document them in accordance with data protection regulations (so-called cookie banners ). The provider of this technology is Papoo Software & Media GmbH, Auguststr. 4, 53229 Bonn, Germany (hereinafter “CCM19”). When you visit our website, a CCM19 cookie is stored in your browser in which the consent you have given or the revocation of this consent is stored. The cookie has a lifespan of one year. The data collected will be stored for the lifespan of the cookie until you request us to delete it or delete the CCM19 cookie yourself. Mandatory statutory retention periods remain unaffected. We have concluded an order processing agreement with CCM19, so that CCM19 processes any personal data collected via our website exclusively on our behalf and in accordance with our instructions. CCM19's cookie consent technology is used on our website to obtain the legally required consent for the use of cookies. The legal basis for this is Article 6 Paragraph 1 Letter c) GDPR; The legal basis for setting the cookie is Section 25 Paragraph 2 No. 2 TDDDG.

f)   You can access the CCM19 cookie consent tool again at any time and change your consent by clicking on the symbol displayed on every page of this website at the bottom left of the screen and thereby reopen the cookie banner.

3. Additional features and offers of our website

a)   In addition to the purely informational use of our website, we offer various services that you can use if interested. For this purpose, you usually need to provide further personal data, which we use to provide the respective service and for which the principles of data processing mentioned above apply.

b)   In some cases, we rely on external service providers to process your data. These providers have been carefully selected and commissioned by us, they are bound by our instructions, and are regularly monitored.

c)   Furthermore, we may share your personal data with third parties when participation in activities, contests, contract conclusions, or similar services are offered jointly with partners. Further information on this can be obtained when providing your personal data or below in the description of the respective offer.

d)   If our service providers or partners are located in a country outside the European Union (EU) or the European Economic Area (EEA), we will inform you about the implications of this circumstance in the description of the respective offer.

4. Use of contact forms

a)   We collect your personal data when you voluntarily provide it to us through our contact forms. In doing so, we gather the information that arises during the course of contact. This notably includes names and contact details provided, as well as the date and reason for the contact. The personal data you provide are used solely for the purpose of delivering the requested products or services and corresponding with you. If you initiate contact with us and express interest in an offer, your personal data will be processed for the purpose of initiating a contract pursuant to Article 6 para. 1 lit. b) GDPR. Otherwise, your inquiry will be processed to fulfill our legitimate interest in appropriately handling and responding to your request, based on Article 6 para. 1 lit. f) GDPR. Your data is transmitted to us via email through our provider. Unfortunately, if you do not provide this information, we will be unable to establish contact with you or address your request.

b)   The data will be deleted as soon as they are no longer necessary to achieve the purpose of their collection. For personal data from the input fields of the contact form, this is the case when the respective conversation with you has concluded. A conversation is considered concluded when it can be inferred from the circumstances that the matter in question has been conclusively resolved. To the extent that the shared data are subject to tax and commercial retention obligations, they will be stored for the duration of the legal retention periods and then deleted, unless you have consented to longer storage or further processing of the data is necessary for asserting, exercising, or defending legal claims.

5. Use of our newsletter

a)   You can subscribe to our newsletter, through which we inform you about our current interesting offers, by registering for the newsletter on our website and providing your consent for the associated data processing. The advertised goods and services are specified in the consent declaration.

b)   For subscribing to our newsletter, we use the double opt-in procedure. This means that after your registration, we will send an email to the provided email address, in which we ask for confirmation that you are the owner of the specified email address and wish to receive the newsletter. In addition, we store your used IP addresses and the times of registration and confirmation. The purpose of this procedure is to confirm your registration and, if necessary, to clarify any potential misuse of your personal data.

c)   The mandatory information for sending the newsletter is solely your email address. Providing further data is voluntary and is used to address you personally. After your confirmation, we store your email address for the purpose of sending the newsletter. The legal basis is your consent according to Article. 6 para. 1 lit. a) GDPR.

d)   You can revoke your consent to receiving the newsletter and unsubscribe at any time. You can withdraw your consent by clicking on the link provided in each newsletter email, by sending an email to info@fulbright.de, or by sending a message to the contact information provided in the imprint.

e)   For sending the newsletters, we use rapidmail. The provider is rapidmail GmbH, Wentzingerstraße 21, 79106 Freiburg, Germany. The data you enter for the purpose of receiving the newsletter is stored on the servers of rapidmail in Germany. There is no transmission of data to third countries. The data stored by us as part of the consent for the purpose of the newsletter will be stored by us until you unsubscribe from the newsletter, and after unsubscribing, it will be deleted from both our servers and the servers of rapidmail. Data that has been stored by us for other purposes remains unaffected. Further information can be found in rapidmail's data security notices at: https://www.rapidmail.de/datensicherheit.

6. Integration of YouTube videos

a)   Our website may also include content (such as videos) from the YouTube platform. This service is operated by YouTube, a subsidiary of Google. For data processing in the European region, Google Ireland Limited, Gordon House, Barrow Street Dublin 4, Ireland, is responsible.

b)   We use embedded YouTube videos in extended privacy mode. This means that YouTube does not store cookies for a user who views a website with an embedded YouTube video player but does not click on the video to start playback.

c)   Only when you expressly consent to the use of YouTube, the videos will be loaded and played. In this case, Google sets various cookies and may also receive your IP address along with information about the respective video and your use of playback functions. The lifespan of the cookies is up to 8 months and can be found in detail in the list in the cookie banner. If you are simultaneously logged into your YouTube account, this information can also be directly associated with your personal profile. You can prevent this by logging out of your YouTube account beforehand.

d)   YouTube also statistically evaluates video views and provides us with reports on these evaluations, which only contain general information about views, such as the total number of views. We do not receive detailed information about individual users in this regard. Therefore, we assume that YouTube's analysis of video views does not involve a more detailed analysis of individual users. YouTube automatically and independently performs data analysis without our ability to disable or influence it, or gain detailed insights into the analyzes.
e)   An overview of the cookies used by Google can be found at https://policies.google.com/technologies/cookies?hl=en.

f)   For further information on how YouTube and Google handle user data and process this data, please refer to YouTube's Privacy Policy at: https://www.google.com/intl/en/policies/privacy.

g)   If you consent to the use of cookies and data processing by YouTube, the legal basis for this is § 25 (1) of the TDDDG and Article 6 (1) sentence 1 lit. a) of the GDPR. You can withdraw your consent at any time through the cookie banner, without affecting the lawfulness of the processing until the withdrawal.

h)   In connection with the above-mentioned functions, YouTube may transmit the processed data to servers outside the EU, particularly to Google LLC in the USA, if necessary for the provision of these services. For the USA, there is an adequacy decision by the EU Commission within the EU-U.S. Data Privacy Framework, certifying certified companies with an adequate level of data protection according to the GDPR. Google LLC is certified under the EU-U.S. Data Privacy Framework and is also listed in the Data Privacy Framework List maintained by the U.S. Department of Commerce. When transmitting data to servers of Google LLC in the USA, a consistently high level of data protection is ensured. If such data transfer to the USA occurs, it is based on Article 45 (1) sentence 1 of the GDPR.

7. Text-to-Speech Service ReadSpeaker

a)   We use ReadSpeaker for the proper provision of content on our website. ReadSpeaker is a text-to-speech service for internet content provided by ReadSpeaker GmbH, Am Sommerfeld 7, 86825 Bad Wörishofen, Germany.

b)   When you click the "Listen" link, the text or text passage of the website, along with your IP address and access URL, is transmitted to a ReadSpeaker server. An audio file is generated there and streamed back to your IP address. Technical log data is automatically deleted by ReadSpeaker no later than 30 days. ReadSpeaker does not collect or store any other personal data. ReadSpeaker only logs the number of clicks the read-aloud function generates. Except for general temporary web server logs, no user-specific data is collected, logged, or documented. Data is not shared, and data processing takes place exclusively within the EU.

c)   ReadSpeaker uses two technical cookies to provide the service. A technical session cookie is used to check if the script is loaded when the website loads. The cookie is only set after ReadSpeaker has been activated, i.e., after an interaction with the player has occurred. This cookie is used to inform ReadSpeaker that a user has activated the text-to-speech service on the website. This cookie is deleted again after you close your browser (so-called session cookies). Another cookie is used to store setting changes in the settings menu. The cookie has a default lifespan of 4 days. This cookie is used to store the settings of individual users so that they do not need to reapply their preferred settings on every page they navigate to. If the ReadSpeaker function is not activated, no cookies are stored on your device when you visit the website.

d)   The legal basis for providing the text-to-speech service on our website is our legitimate interest pursuant to Article 6(1)(f) GDPR, where our legitimate interest lies in an enhanced and user-oriented provision of content on our website. The legal basis for setting the necessary cookies by ReadSpeaker when the user interacts with the service is § 25(2) No. 2 TDDDG.

e)   We have entered into a data processing agreement with ReadSpeaker to ensure that ReadSpeaker processes the personal data obtained within the scope of the reading service exclusively on our behalf and according to our instructions.

8. Login for Selection Committees

a)   We offer a protected area on our website for the evaluators who are involved in the selection of applicants for a Fulbright scholarship and who support us in this capacity by assisting in the selection of suitable applicants for our scholarships (referred to as "Login for Selection Committees "). In this protected login area, after logging in, evaluators will find information about the selection process, application documents of scholarship applicants, and relevant evaluation forms.

b)   In order to log into the protected area, evaluators must enter their username and a self-selected password. We provide the initial access credentials, but the password must be individualized directly thereafter. Evaluators are required to keep their access credentials to the protected login area confidential and must not share them with third parties. Furthermore, by clicking the corresponding button before logging in evaluators must commit to maintaining data protection and data confidentiality with regard to applicant data. Without this commitment, login is not possible.

c)   When using the protected login area for selection committees, in addition to the evaluator's access credentials (including confirmation of the commitment to data confidentiality) and general log data due to website usage (see Section III 1), activities within the login area are recorded. Accordingly, we can track which documents evaluators have viewed and/or downloaded in the login area, and associate this with the respective evaluators. In addition, the login and logout times (i.e. leaving the protected area) are also recorded and temporarily stored. These data are not shared with external third parties (except for our hosting service provider, see Section III. 1 e).

d)   Processing of the aforementioned data is necessary to ensure an efficient scholarship selection process. To this purpose, it is necessary to provide evaluators with the necessary documents for applicant selection online, while complying with the required data security measures. The processing of personal data is thus necessary to safeguard our legitimate interests as well as the legitimate interests of applicants in a prompt selection decision. There is no evident overriding of the evluators´ interests in excluding data processing as they voluntarily agree to participate in the selection process and also have an interest in receiving the relevant documents and materials for evaluation in the most time-efficient yet secure manner to submit their assessment. The data processing activities associated with this are therefore based on Article 6(1)(f) of the GDPR.

e)   For the processing of personal data of scholarship applicants, whose application documents are made available for review or download by evaluators in the protected login area, the separate "Data Privacy Notice for Applicants for Participation in a Program of the German-American Fulbright Commission" applies.

9. Mapline

a)   We use the interactive mapping services from Mapline on our website, operated by Mapline Inc., PO Box 749, Pleasant Grove, UT 84062, USA (hereinafter referred to as "Mapline"). By providing these maps, we aim to enhance the user experience on our website and make it easier for you to find the locations of our projects and initiatives. If you are interested in one of our scholarship programs, the tool allows you to view the participating (higher) educational institutions and their availability.

b)   When you access our website, no connection to Mapline's servers is initially established. Instead of the embedded map, you will initially see only a preview image. A connection to Mapline is only made after you explicitly consent to the use of Mapline.

c)   Mapline uses map data from OpenStreetMap. OpenStreetMap is a project of the OpenStreetMap Foundation ("OSMF"), 132 Maney Hill Road, Sutton Coldfield, West Midlands B72 1JU, United Kingdom, which collects freely usable geodata and makes it available in a database for free use. When connecting to display the maps, the following data is transmitted to OpenStreetMap servers: IP address, browser and device used, operating system, the website from which you were redirected to the OSMF page (referring web page), as well as the date and time of your visit to the website. If you have a user account with OpenStreetMap and are logged in when visiting our website, additional data transmitted to OpenStreetMap servers includes: User ID, email address associated with your account, and blocked content and associated messages. OSMF may transfer your data to third parties if required by law or if third parties process these data on behalf of OSMF. It is technically possible that recipients could identify at least some users based on the received data. We have no control over the processing of personal data and user profiles by OpenStreetMap for other purposes. For more information on data protection related to OpenStreetMap, please refer to OSMF’s privacy notice at https://wiki.osmfoundation.org/wiki/Privacy_Policy.

d)   Mapline processes the data collected when the map is activated for its own purposes in accordance with its privacy policy. Data may be stored in usage profiles by Mapline and processed for purposes such as product improvement, development of new products, measuring the effectiveness of certain advertisements and market research, as well as personalizing content and advertisements. For this purpose, Mapline also uses third-party cookies. You can find information about the cookies used and their lifespan in the cookie banner listing.

e)   For more information on data processing by Mapline, please refer to Mapline’s privacy notice at https://mapline.com/privacy-notice/.

f)   If you consent to the use of cookies and data processing by Mapline, the legal basis for this is § 25 (1) TDDDG and Article 6 (1) (a) GDPR. You can withdraw your consent at any time using the checkbox above the map, without affecting the legality of processing up to the point of withdrawal.

g)   In connection with the above functions, the processed data may also be transferred to servers outside the EU, particularly to Mapline's servers in the USA. There is no consistently high level of data protection in the USA. Therefore, additional risks may arise from transferring data to servers in the USA, such as difficulties in enforcing your rights regarding this data. If data is transferred to the USA, such transfer is based on your consent under Article 49 (1) (a) GDPR, which you grant by consenting to the integration of Mapline's external content.

10. hCaptcha

a)   This website uses the hCaptcha service provided by Intuition Machines Inc., 350 Alabama St, San Francisco, CA 94110, USA (hereinafter referred to as "hCaptcha"), which protects the website from spam and abuse.

b)   The hCaptcha service aims to prevent abusive activities (e.g. data input in a contact form) carried out by automated software on the website. This is ensured through verification that the input is actually from a natural person. Verification involves collecting and processing data such as the page address where the captcha is used, the user's IP address, user input behavior (e.g. answering the hCaptcha question, input speed into form fields, order of selecting input fields, etc.), browser, browser size and resolution, browser plug-ins, date, language settings, website display instructions (CSS), website scripts (JavaScript), and mouse or touch events within the website.

c)   When hCaptcha is used in "invisible mode," the analyzes run entirely in the background once a website visitor enters a website with hCaptcha enabled; this analysis starts automatically. Website visitors are not separately informed that an analysis is taking place. The data collected during the analysis is transmitted to the hCaptcha provider.

d)   hCaptcha may store cookies in your browser to conduct the analysis. These are text files stored on your computer that allow an analysis of your website usage. The aforementioned data and cookies are usually deleted by hCaptcha after 30 days. You can also prevent the storage of cookies by adjusting your browser software settings; however, we would like to note that in this case you may not be able to fully use our website and might not be able to use certain forms.

e)   The legal basis for using reCAPTCHA is our legitimate interest pursuant to Article 6(1)(f) of the GDPR. We have a legitimate interest in protecting our website from abusive automated reconnaissance and spam. The legal basis for setting cookies by hCaptcha is § 25(2) No. 2 TDDDG.

f)   For more information about hCaptcha, please refer to the privacy policy and terms of use at the following links: https://www.hcaptcha.com/privacy and https://hcaptcha.com/terms.

g)   By default, hCaptcha stores analysis data in the EU. However, in connection with the aforementioned functions, hCaptcha might transfer personal data to the USA. Transferring data to servers in the USA may therefore entail additional risks; for example, enforcing your rights regarding these data might be more challenging. For data transfers to the USA, we have entered into a data processing agreement with hCaptcha according to Article 28 of the GDPR, as well as the EU Commission's standard data protection clauses, which also outline the implementation of appropriate protective measures for the specific case. This commitment by hCaptcha ensures that European data protection standards are maintained even for transfers to third countries like the USA. If data is transferred to the USA or another third country, such a third-country transfer is based on Article 46(2)(c) of the GDPR.

11. Data security

a)   During your website visit, we utilize the widely recognized SSL (Secure Socket Layer) protocol in conjunction with the highest level of encryption supported by your browser. Typically, this involves 256-bit encryption. If your browser does not support 256-bit encryption, we revert to using 128-bit v3 technology instead. You can recognize whether an individual page of our website is transmitted securely by the closed depiction of the padlock symbol in your browser's status bar.

b)   Furthermore, we employ appropriate technical and organizational security measures to protect your data against accidental or intentional manipulation, partial or complete loss, destruction, or unauthorized access by third parties. Our security measures are continually improved to align with technological advancements.

IV. Collection of personal data when contacting us via email, post and phone

1. Collection of personal data from network partners and interested parties

a)    We collect your personal data as a network partner or prospect only if you provide them to us voluntarily via email, post, or phone. In such cases, we capture the information that arises during the contact. This includes, in particular, names and provided contact details, date, and reason for the contact. The personal data you provide will only be used for the purpose of providing you with the requested products or services (legal basis: Article 6(1)(b) GDPR), or for other purposes for which you have given your consent (legal basis: Article 6(1)(a) GDPR), as described in this privacy policy. You have the option to revoke your consent for the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

b)    You are not obligated to provide the aforementioned personal data. However, the data provided may be necessary for the conclusion of a contract. Without the provision of data, communication, contract conclusion, or contract fulfillment may not be possible.

c)    Transmission of data relevant in individual cases occurs based on legal provisions to public authorities in the presence of superior legal regulations, to external service providers, other contractors, and other external entities where you have given your consent, or where transmission is permissible for the fulfillment of a contract or due to overriding interests. There is no intention to transmit your data to recipients in a third country (non-EU/EEA member state) or an international organization.

d)    The data will be deleted as soon as they are no longer necessary for achieving the purpose of their collection. For the provided personal data, this is the case when the respective conversation with you has concluded. A conversation is deemed concluded when it can be inferred from the circumstances that the relevant matter has been conclusively resolved. To the extent that the provided data are subject to legal retention obligations related to taxation and commercial law, they will be stored for the duration of these retention obligations and then deleted, unless you have consented to longer storage or further processing of the data is necessary for asserting, exercising, or defending legal claims. The legal basis for processing personal data for the purpose of fulfilling legal archiving and retention obligations is Article 6(1)(c) GDPR, otherwise Article 6(1)(f) GDPR.

2. Collection of personal data from applicants

a)    We collect your personal data as an applicant only if you provide them to us voluntarily via email, post, or phone. This applies to both applications for advertised positions and unsolicited applications. In such cases, we capture the information that has been communicated during the application process. This includes, in particular, your name, date of birth, contact details, interests, qualifications, as well as educational and professional backgrounds. The personal data you provide will only be used for the purpose of conducting the application process. The legal basis is Article 6(1)(b) GDPR and Article 88 GDPR in conjunction with Section 26(1) sentence 1 BDSG.

b)    You are not obligated to provide the aforementioned personal data. However, the data provided are necessary for the execution of the application process and may also be required for a future contract conclusion following the completion of the application process. Without the provision of data, communication, execution of the application process, or contract conclusion may not be possible.

c)    Transmission of data relevant in individual cases occurs based on legal provisions or a contractual agreement. Access to your personal data in the application process is limited to the employees of the HR department, management personnel, and the respective department head. Your personal data will not be transmitted to third parties. There is no intention to transmit your data to recipients in a third country (non-EU/EEA member state) or an international organization.

d)    The data will be deleted as soon as they are no longer necessary for achieving the purpose of their collection. Therefore, we retain your data for six months after communicating the rejection decision to you and subsequently delete them, in case of rejection. If you have given consent for longer storage, the retention period is two years. Afterward, we will either delete your data or seek your consent again. You have the option to withdraw your consent for the processing of personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

V. Revocation of or objection to the processing of your data

1.    If you have provided consent for the processing of your data, you can revoke it at any time in accordance with Article 7(3) GDPR. The legality of processing based on consent prior to its withdrawal will not be affected by the revocation.

2.    In cases where we rely on the legal basis of Article 6(1)(e) GDPR (performance of a task carried out in the public interest) or Article 6(1)(f) GDPR (legitimate interests) for the processing of your personal data, you have the right to object to the processing at any time based on reasons arising from your particular situation. If you exercise such an objection, please provide the grounds why we should not process your personal data as we have been doing. Upon receiving a substantiated objection, we will assess the situation and either cease or adjust the data processing or provide compelling legitimate grounds for the continuation of processing (Article 21(1) sentence 1 GDPR).

3.    You can, of course, also object to the processing of your personal data for purposes of direct marketing and related data analysis at any time. You can inform us of your objection to advertising using the following contact details:
German-American Fulbright Commission, Lützowufer 26, 10787 Berlin, Germany, phone: +49 30-284443-0, Email: data-protection@fulbright.de

VI. Additional rights

1.   You have the right, in accordance with Article 15 of the GDPR, to request information about the personal data we process concerning you. In particular, you can obtain information about the purposes of processing, the categories of personal data involved, the categories of recipients to whom your data has been or will be disclosed, the envisaged storage period, the existence of the right to rectification, deletion, restriction of processing, or objection, the existence of a right to lodge a complaint, the source of your data if not collected from us, and the existence of automated decision-making, including profiling, and, where applicable, meaningful information about its details.

2.   According to Article 16 of the GDPR, you can promptly request the correction of inaccurate personal data or completion of your personal data stored by us. You have the right, in accordance with Article 17 of the GDPR, to request the deletion of your personal data stored by us, unless processing is necessary for exercising the right of freedom of expression and information, for compliance with a legal obligation, for reasons of public interest, or for the establishment, exercise, or defense of legal claims.

3.   Pursuant to Article 18 of the GDPR, you have the right to request the restriction of the processing of your personal data if the accuracy of the data is contested by you, the processing is unlawful, but you oppose their deletion, or we no longer need the data, but you require them for the establishment, exercise, or defense of legal claims, or you have objected to processing under Article 21 of the GDPR.

4.   You have the right, in accordance with Article 20 of the GDPR, to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, or to request their transmission to another controller.

5.   You also have the right, pursuant to Article 77 of the GDPR, to lodge a complaint with a supervisory authority if you believe that the processing of your personal data by us does not comply with legal requirements.

VII. No automated decision-making (including profiling)

Automated decision-making (including profiling) according to Article 22 of the GDPR does not take place within our organization.

VIII. Invitation Management for Events of the German-American Fulbright Commission

1. Registration for Events

As part of the registration process for our events, personal data is collected. This typically includes your name, address, or email address, and for fee-based events, your banking details as well. The collected personal data is used solely internally for the execution and management of the event. The legal basis for this is Article 6(1)(b) of the GDPR.

2. Photo and video recordings during Events

During the event, the Fulbright Commission or authorized service providers may take photo and video recordings. These recordings may be used for documentation purposes and for public relations in digital and print formats. This may include the publication of recordings on our website, in our social media channels, in our newsletter, or in promotional materials or invitations for future Fulbright Germany events. We will inform you about the specific purposes of using the recordings and the respective legal basis in the invitation or, if necessary, through clearly visible signs at the event venue. If your consent in accordance with Article 6(1)(a) of the GDPR is required for certain data processing activities, we will obtain it separately.

IX. Updates and changes to this privacy policy

1.   This privacy policy is as of August 2023 and is currently valid.

2.   Due to the ongoing development of our website and services or changes in legal or regulatory requirements, it may be necessary to make adjustments to this privacy policy. The most current version of the privacy policy can be accessed and printed by you at any time on the website at https://www.fulbright.de/en/privacy-policy.

Privacy policy for applicants to a program administered by the German-American Fulbright Commission

Please click here for the general privacy policy.

We hereby inform you about the processing of your personal data by the German-American Fulbright Commission (Fulbright Commission) and the rights to which you are entitled under data protection law.

WHO IS the controller FOR DATA PROCESSING AND WHO IS THE DATA PROTECTION OFFICER?

The controller responsible for data processing is

German-American Fulbright Commission (Fulbright Commission)

Lützowufer 26

10787 Berlin

Berlin, Germany

Phone: +49 (0)30-284443-0

E-Mail: info[at]fulbright.de

 

You can reach our data protection officer, Ms. Susanne Klein, Attorney at Law, BEITEN BURKHARDT Services GmbH, Ganghoferstraße 33, 80339 Munich, by phone: +49 (0)69-756095-585 or e-mail: Susanne.Klein@bbservices.gmbh.

 

WHAT CATEGORIES OF DATA DO WE COLLECT AND WHERE DO THEY COME FROM?

We only collect your personal data as an applicant for one of our scholarship programs if you provide it to us voluntarily as part of the application process. We then collect the information provided by you or third parties (e.g. authors of letters of recommendation) as part of the scholarship application. This includes, in particular, your personal master and contact data, interests, qualification data as well as personal, educational and professional backgrounds and your motivation for applying for a scholarship.

 

FOR WHAT PURPOSES AND ON WHAT LEGAL BASIS IS DATA PROCESSED?

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG) and all other relevant laws.

The primary purpose of data processing is to carry out the scholarship application process with the aim of establishing a scholarship contract with you. The primary legal basis for this is Art. 6 para. 1 b) GDPR. In addition, your separate consent pursuant to Art. 6 para. 1 a), 7 GDPR may be used as the legal basis under data protection law. We also process your data in order to fulfill our legal obligations, in particular in the area of commercial and tax law and general equal treatment. This is done on the basis of Art. 6 para. 1 c) GDPR in conjunction with the applicable statutory provisions. If necessary, we also process your data on the basis of Art. 6 para. 1 f) GDPR in order to protect our legitimate interests or those of third parties (e.g. authorities). These interests may exist, for example, for the assertion of legal claims and defense in legal disputes, ensuring the IT security of our institution and for measures for business management and further development of services and products.

Insofar as you provide us with special categories of personal data as optional information in accordance with Art. 9 para. 1 GDPR as part of your application and we process this data, this is done on the basis of your consent in accordance with Art. 9 para. 2 a) GDPR.

The Fulbright Commission does not use automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 GDPR.

 

TO WHOM DO WE TRANSFER YOUR DATA?

Within our institution, only those persons and bodies will receive your personal data who need it to carry out the application and scholarship procedure we have provided and to fulfill our contractual and legal obligations.

We will only pass on your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 a) GDPR, if the disclosure in accordance with Art. 6 para. 1 f) GDPR is necessary for the assertion, exercise or defense of legal claims or to safeguard our legitimate interests and there is no reason to assume that you have an overriding interest worthy of protection in not disclosing your data (e.g. to lawyers), if there is a legal obligation to pass on the data in accordance with Art. 6 para. 1 c) GDPR (e.g. to authorities) and if this is necessary in accordance with Art. 6 para. 1 b) GDPR for the implementation of the scholarship application procedure with the aim of establishing a contractual relationship with you (e.g. to selection committees, IT service providers). If it is necessary for the scholarship application process, this also includes the  

  • Processing by our US cooperation partner, the Institute of International Education (IIE) in New York City. The IIE operates the online platform for some of our funding programs, which is used to manage all scholarship applications in the respective programs and is responsible for coordinating the pre-selections for US applicants in these programs;
  • Processing and review of the application data by the Fulbright Foreign Scholarship Board - FFSB in Washington, D.C., which must approve the application before a nomination for program participation can be made.

The data disclosed may only be used by the above-mentioned third parties for the stated purposes.

WHAT APPLIES TO APPLICANTS FOR LONG-TERM PROGRAMS?

The main purpose of our exchange programs is to enable German and US-American scholarship holders to study, teach and research abroad (USA or Germany) for a certain period of time, whereby the stay abroad can last one to four weeks (so-called "short-term programs") or four to ten months (so-called "long-term programs"). If you participate in one of our long-term programs, you are responsible for finding a suitable institution in the host country (e.g. universities, non-university research institutions) for your study, teaching or research project. The respective German or US host institutions are therefore responsible for the data processing associated with your application and registration/admission there.

We work closely with the Pädagogischer Austauschdienst, Graurheindorfer Straße 157, 53117 Bonn, Germany (PAD) for the organization and implementation of certain long-term programs (namely the sponsorship of US "English Teaching Assistants - ETA" and "German Language Teaching Assistants - GLTA"). In these programs, the PAD shares responsibility with the Fulbright Commission for the selection of suitable German and US applicants and for the placement of US applicants proposed for participation in the program at German schools. We have therefore concluded a joint controllership agreement with the PAD in accordance with Art. 26 para. 2 GDPR. We will be happy to provide you with the main contents of this contract on request.

The approval of the Fulbright Foreign Scholarship Board - FFSB (in Washington, D.C.) is necessary for the approval of your participation in a long-term program. (You are exempt from this requirement if you wish to participate in one of the following long-term scholarship programs for Germans: Travel Scholarship, American Studies Award, Fulbright-Cottrell Award). The FFSB will have access to your application data via the application portal operated by the IIE in order to review and approve your participation. In addition, the IIE also has access to your application documents as part of the operation of the application platform and the first selection round for US applicants, as this is necessary for the implementation of the application procedure. The associated data transfers are therefore necessary to establish the scholarship agreement to be concluded with you (Art. 6 para. 1 b) GDPR).

WHAT APPLIES TO APPLICANTS FOR SHORT-TERM PROGRAMS?

Our transatlantic exchange is complemented by scholarship-supported funding programs for comparatively short periods of time, such as one to four weeks (so-called "short-term programs" or "special programs"). In these short-term funding programs, we cooperate closely with selected partner universities, each of which must process the personal data of applicants and participants in these programs. For the selection of suitable applicants and the implementation of the short-term programs, the Fulbright Commission and the partner universities are joint controllers within the meaning of Art. 26 para. 1 GDPR. If you would like to participate in the "US Administrators in International Education" funding program offered for Americans, you must apply for a scholarship via the application portal operated by IIE and the pre-selection of applicants in the USA coordinated by IIE. The further procedure for this funding program also provides for the examination and approval of participation by the FFSB.

We also work closely with the Pädagogischer Austauschdienst, Graurheindorfer Straße 157, 53117 Bonn, Germany (PAD) for the organization and implementation of short-term programs, which is jointly responsible for the announcement of the short-term program "Diversity and Inclusion in the Classroom" and for the selection of suitable applicants.

We have concluded joint controllership agreements with both the universities concerned and the PAD in accordance with Art. 26 para. 2 GDPR. We will be happy to provide you with the essential contents of these contracts with regard to the partner concerning you (i.e. the specific university or the PAD) on request.

 

WHAT DATA PROTECTION RIGHTS CAN YOU ASSERT AS A DATA SUBJECT?

You have the right to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the categories of personal data, the recipients or categories of recipients to whom your data has been or will be disclosed, the planned storage period, the existence of a right to rectification, erasure, restriction of processing or objection, the existence of a right to lodge a complaint, the origin of your data if it was not collected by us, and the existence of automated decision-making including profiling and, if applicable, meaningful information about its details.

In accordance with Art. 16 GDPR, you can request the immediate rectification of incorrect or completion of your personal data stored by us. In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, unless there are legitimate reasons within the meaning of Art. 17 para. 3 GDPR to prevent deletion.

In accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it, we no longer need the data but you need it to assert, exercise or defend legal claims or you have objected to the processing in accordance with Art. 21 GDPR.

In accordance with Art. 20 GDPR, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another controller.

In accordance with Art. 7 para. 3 GDPR, you have the right to withdraw your consent at any time. This means that we may no longer continue the data processing that was based on this consent in the future. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to object pursuant to Art. 21 para. 1 GDPR

If we process your data to protect legitimate interests, you can object to this processing on grounds relating to your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the establishment, exercise or defense of legal claims.

 

WHERE CAN YOU COMPLAIN?

You also have the right under Art. 77 GDPR to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, about the processing of your personal data by us if you consider that the processing of personal data relating to you infringes the GDPR.

 

HOW LONG YOUR APPLICATION DATA WILL BE STORED?

We delete your personal data, including letters of motivation and recommendation etc., as soon as they are no longer required for the above-mentioned purposes. In order to be able to answer your questions and defend ourselves against any claims in the event that your application is rejected, we will retain your data for a period of three years after the end of the application process (starting at the end of the year in which you were notified of the rejection decision). The data will then be deleted immediately, provided that there are no legitimate reasons preventing the deletion pursuant to Art. 17 para. 3 GDPR.

 

WILL YOUR DATA BE TRANSFERRED TO A THIRD COUNTRY?

In order to carry out the application process, we may transfer your personal data to recipients in a third country (within the meaning of the GDPR, e.g. the USA). This applies in particular to the transfer of application data to the Fulbright Foreign Scholarship Board (FFSB) in Washington, D.C. and to our US cooperation partners, namely the Institute of International Education (IIE) based in New York City. In the case of such a transfer of personal data to recipients outside the EU or the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection and the associated requirements are met by the recipient, other appropriate data protection guarantees (e.g. EU standard contractual clauses) are in place or an exception for the transfer exists in accordance with Art. 49 GDPR. The latter applies in particular to data transfers to the USA, insofar as these are necessary for the implementation of the application procedure, in particular for the approval of your scholarship, and thus for the initiation of the scholarship contract relationship with you (Art. 49 para. 1 b) GDPR).

 

ARE YOU OBLIGED TO PROVIDE YOUR DATA?

You are not obliged to provide the aforementioned personal data. However, communication, the application process or the conclusion of a scholarship contract cannot take place without the provision of the data. In addition, the data provided may be required for the conclusion of a future scholarship contract after the application process has been completed.

 

German-American Fulbright Commission

Berlin, September 2024

Privacy policy for participants in a program of the the German-American Fulbright Commission

Please click here for the general privacy policy.

We hereby inform you about the processing of your personal data by the German-American Fulbright Commission (hereafter referred to as the "Fulbright Commission") and the rights to which you are entitled under data protection law.

 

Who is controller for data processing and who is the data protection officer?

Responsible for data processing is the

German-American Fulbright Commission ("Fulbright Commission")
Lützowufer 26
10787 Berlin
Germany
Tel.: +49 (0)30-284443-0
Email: info@fulbright.de

Our data protection officer, Ms. Susanne Klein, BEITEN BURKHARDT Services GmbH, Ganghoferstraße 33, 80339 Munich, Germany, can be reached by phone: +49 (0)69-756095-585 or email: Susanne.Klein@bbservices.gmbh

 

What categories of data do we collect and where do they come from?

The categories of personal data processed include, in particular, your personally identifiable and contact information (such as title, first name, surname, name suffix, address, (mobile) telephone number, e-mail address, date of birth) and, if applicable, those of the person(s) accompanying you, as well as the contractual data arising during the initiation or execution of the stipend contract (e.g. contact data of institutional contact persons, the financial stipulations of your grant, travel data, visa data, financial data and account information, data on your current occupation and during your stay abroad, health data and other data from the contractual relationship).

As a rule, your personal data will be asked directly from you during the initiation or execution of the contract. In certain circumstances, your personal data may also be collected by other sources with which you have previously deposited your data due to legal regulations (please also see the information below for participants in long-term programs). Additionally, we process – to the extent necessary for the provision of our services – personal data that we have legitimately obtained from publicly accessible sources (e.g. internet, professional networks) or that have been legitimately transmitted to us by third parties.

 

For what purposes and on what legal basis is data processed?

We process your personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR/DSGVO), the German Federal Data Protection Act (BDSG) and all other relevant laws.

The primary purpose of data processing is to establish and fulfill a contractual relationship with you. The primary legal basis for this is Art. 6 para. 1 b) GDPR. In addition, your separate consent pursuant to Art. 6 para. 1 a), 7 GDPR may be used as the legal basis under data protection law. We also process your data in order to be able to fulfill our legal obligations, in particular in the area of commercial and tax law. This is done on the basis of Art. 6 para. 1 c) GDPR in conjunction with the applicable statutory provisions. Where necessary, we also process your data on the basis of Art. 6 para. 1 f) GDPR in order to protect our legitimate interests or those of third parties (e.g. public authorities). These interests may arise, for example, for the assertion of legal claims and defense in legal disputes, to ensure our organization’s IT security, simplify application for a German visa, and for measures related to business management and further development of services and products or for the purpose of exchange within the Fulbright network.

If we wish to process your personal data for a purpose not mentioned above, we will inform you in advance.

The Fulbright Commission does not use automated decision-making, including profiling, in accordance with Art. 22 para. 1 and 4 GDPR.

 

To whom do we disclose your data?

We only disclose your personal data to third parties if you have given your express consent in accordance with Art. 6 para. 1 a) GDPR, if the disclosure in accordance with Art. 6 para 1 f) GDPR is necessary for the assertion, exercise or defense of legal claims or to protect our legitimate interests and there is no reason to assume that you have an overriding legitimate interest in not disclosing your data (e.g. to lawyers, consultants, etc.), if there is a legal obligation to do so in accordance with Art. 6 para. 1 c) GDPR (e.g. to tax authorities) and if this is legally permissible and necessary for the implementation or processing of the contractual relationship with you in accordance with Art. 6 para. 1 b) GDPR (e.g. banks, cooperation partners, IT service providers, consultants, agencies, authorities, other program participants).

The data disclosed may only be used by the third party for the stated purposes.

To support you in applying for a necessary visa or residence permit for Germany, we may relay your necessary data to the relevant German authorities as part of a reference letter. This data transfer is necessary to protect our and your legitimate interests (Art. 6 para. 1 f) GDPR). We have a legitimate interest in the smooth implementation of the respective program. Yet, above all, the data transfer serves your interest in simplifying the application for documents necessary to program participation, when it is not apparent that you as a participant have any overriding conflicting interests in the exclusion of this data processing.

We will also share your name and email address with the Fulbrighter Network to enable you to register on the Fulbrighter platform, which gives you access to the global Fulbrighter Network. Only if we forward your name and email address to the Fulbrighter Network will you receive an email from the Fulbrighter Network with a personalized invitation link that you can use to register on the exclusive Fulbrighter platform as a grantee (or as an alumna:us after the end of the Fulbright program). Both we and the Fulbrighter Network have a legitimate interest in attracting a participant as a new alumnae:us. Since the networking of participants and alumnae:i and worldwide exchange are among the essential components of Fulbright programs, and you as a participant benefit directly from this, it is not apparent that your interests conflict with this data transfer and thus our interests prevail. In particular, it should be noted that you are generally free to accept the invitation to the Fulbrighter Network and only voluntarily provide further data as part of your registration. Therefore, the transfer of data is permitted in accordance with Art. 6 para. 1 f) GDPR.

The Fulbrighter Network is operated by the US-UK Fulbright Commission based in London. For more information on data processing by the Fulbrighter Network, including exact contact details, please visit: https://fulbrighternetwork.com/page/privacy

Please note that we are joint controllers with the US-UK Fulbright Commission for certain data processing in connection with the Fulbrighter Network (Art. 26 para. 1 GDPR). This concerns the identification of grantees or alumnae:i who may potentially become new members of the Fulbrighter Network, the addition of such members to the German Fulbright Community within the Network, the administration of the German Fulbright Community within the Network and the provision of functions within the German Fulbright Community in the Network. For this reason, we have concluded a joint controller agreement with the US-UK Fulbright Commission in accordance with Art. 26 para. 2 GDPR. The main contents of this agreement are available here: https://fulbrightcommission.sharepoint.com/:w:/g/Alumni/ET9qRN8lzstHjIAUGM3WttoBppOrGTfu5kJrvp-zAnJxdQ?rtime=wGb--j_720g.

Upon request, we will share your name and email address with the U.S. Embassy in Berlin and U.S. Consulates in Germany. The embassy and consulates would like to include you in their network, share relevant information, or invite you to events. This data transfer is necessary to protect our own legitimate interests and those of the embassy or consulates (Art. 6 para. 1 f) GDPR). As program partners of the Fulbright Commission, the U.S. Embassy and U.S. Consulates have a legitimate interest in remaining in contact with Fulbright program participants. This data transfer is also in our interest since exchange and networking are fundamental to the nature of Fulbright programs. We presume that you also have an interest in remaining in contact with the U.S. Embassy and Consulates, as well as with other program participants. There is therefore no apparent conflict of interest on your part in the exclusion of this data transfer.

 

What applies to participants in long-term programs?

The main purpose of our exchange programs is to enable German and US-American grant holders to study, teach and research abroad (USA or Germany) for a certain period of time, whereby the stay abroad can last up to ten months (so-called "long-term programs"). If you participate in one of our long-term programs, as a grant holder you choose the university, academic or training institution where you would like to spend your stay abroad yourself and apply for a suitable study, teaching/research or training assignment there. The respective German or US universities, academic or training institutions are therefore responsible for the data processing associated with your application and admission there.

For the organization and implementation of certain programs (namely (US) English Teaching Assistants - "ETA" and German Language Teaching Assistants - "GLTA"), we work closely with the Pädagogischer Austauschdienst, Graurheindorfer Straße 157, 53117 Bonn, Germany (PAD), which is responsible for the selection of suitable applicants and the placement of (US) participants at German schools within the framework of joint controllership. We have therefore concluded a joint controller agreement with the PAD in accordance with Art. 26 para. 2 GDPR. We can provide you with the main contents of this contract upon request.

A visa is routinely required for participation in a long-term program. For US participants, we may in individual cases assist you in applying for a German visa and transfer your personal data to the responsible German authorities in the USA for this purpose (see above, in the section "To whom do we disclose your data?"). Conversely, we may also receive your personal data that you have shared with other authorities in connection with your registration for a long-term program (e.g. with immigration authorities for your residence status, with registration offices, with health/accident insurance agencies that we provide for US grant holders in Germany or with which German grant holders must in certain cases additionally enroll themselves at their host university and whose costs we assume as part of the grant benefits, if requirements for this are met).

Furthermore, the approval of the Fulbright Foreign Scholarship Board (FFSB) is required for your participation in a long-term program. (You are exempt from this requirement if you are participating in one of the following scholarship programs for Germans: Travel Grant, American Studies Award, Fulbright-Cottrell Award). In order to approve your participation, the FFSB receives access to your grant file, which also contains your personal data. In addition, we grant our US cooperation partner, the Institute of International Education (IIE), access to your grant file because this is necessary in the application process for US grant holders and for German grant holders’ support during their stay in the USA. Finally, in the event of problems, the US Department of State (Bureau of Educational and Cultural Affairs - ECA) may also have access to grant data in order to resolve difficulties in the practical implementation of the study, teaching/research or training project to be funded. The associated data transfers are therefore always necessary for the implementation of the grant agreement concluded with you (Art. 6 para. 1 b) GDPR).

If you are a US grant holder participating in one of our long-term programs in Germany, you must join the Fulbrighter Network in order to receive the information and documents relevant to the grant program, which are (only) provided in protected areas on the Fulbrighter platform for US grantees. In this case, the transfer of data is necessary for the implementation of the program and thus for the completion of the contract with you (Art. 6 para. 1 b) GDPR).

 

What applies to participants in short-term programs?

Our transatlantic exchange is complemented by stipend-supported funding programs for comparatively short periods of time, such as several weeks (so-called "short-term programs" or "special programs"). For these short-term programs, we cooperate closely with universities in the USA and Germany, each of which must process the personal data of applicants and participants in these programs. For the selection of suitable applicants and the implementation of short-term programs, we and the universities are joint controllers as defined in Art. 26 para. 1 GDPR.

We also work closely with the Pädagogischer Austauschdienst, Graurheindorfer Straße 157, 53117 Bonn, Germany (PAD) for the organization and implementation of short-term programs, which is responsible for the announcement of the short-term program "Diversity and Inclusion in the Classroom" and for the selection of suitable applicants as part of our joint controllership.

We have concluded joint controller agreements with both the universities concerned and the PAD in accordance with Art. 26 para. 2 GDPR. We can provide you with the essential contents of the agreement with a particular partner (i.e. the specific university or the PAD) upon request.

 

Will pictures of me be published?

We have an interest in occasionally publishing pictures of grant holders taken in connection with our grant programs or while participating in one of our own Fulbright events on the Internet. As a rule, we will obtain your separate consent for this. This applies in particular to images in which the focus is on your person. If we publish images in which you may also be depicted in order to serve our legitimate interests, for example to convey an impression of the events we organize, you naturally have the right to object in accordance with Art. 21 para. 1 GDPR (see the rights of an affected party below for details).

Please note that we are only responsible for the publication of images that were taken within our sphere of responsibility, in particular at Fulbright events organized by us, and that are published on our publication channels (e.g. the German-American Fulbright Commission’s website and social media presence).

If pictures of you are taken and published by German or US program partners, host institutions, fellow grant holders or other persons during your grant stay, this is beyond our sphere of influence and responsibility. In your own interest, we therefore recommend that you act responsibly when taking pictures or, if pictures of you are published (especially on the Internet), that you clarify the legality of their publication with the respective responsible party (e.g. host organization, operator of social media profiles, etc.).

 

What data protection rights can you assert as an affected party?

You have the right to request information about your personal data processed by us in accordance with Art. 15 GDPR. In particular, you can request information about the processing purposes, the categories of personal data, the recipients or categories of recipients to whom your data have been or will be disclosed, the planned storage period, the existence of a right to rectification or erasure of personal data, restriction of and opposition to processing of personal data, the existence of a right of complaint, the origin of your data if it was not collected by us, as well as the existence of automated decision-making, including profiling and, if applicable, meaningful information about the details involved in such processing.

In accordance with Art. 16 GDPR, you can request the prompt rectification of incorrect data or completion of your personal data stored by us. In accordance with Art. 17 GDPR, you have the right to request the deletion of your personal data stored by us, unless there are legitimate reasons as defined in Art. 17 para. 3 GDPR to prevent deletion.

In accordance with Art. 18 GDPR, you have the right to request the restriction of the processing of your personal data if the accuracy of the data is disputed by you, the processing is unlawful but you refuse to delete it, we no longer need the data but you need it to assert, exercise or defend legal claims or you have lodged an objection to its processing in accordance with Art. 21 GDPR.

In accordance with Art. 20 GDPR, you have the right to receive your personal data that you provided to us in a structured, commonly used and machine-readable format or to request that it be transferred to another responsible party.

According to Art. 7 para. 3 GDPR, you have the right to revoke your consent to us at any time. As a result, we may no longer continue the data processing based on this consent in the future. The revocation of consent shall not affect the lawfulness of the processing based on consent before its revocation.

Right to object according to Art. 21 para. 1 GDPR

If we process your data to protect legitimate interests, you may object to its processing on grounds relating to your particular situation. We will then no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves to establish, exercise or defend legal claims.


If we are jointly responsible with one of our partners, you may assert your rights listed here with any responsible party, i.e. with both us and our partners.

 

Where can you lodge a complaint?

You also have the right under Article 77 GDPR to lodge a complaint about our processing of your personal data with a supervisory authority, in particular in the member nation of your habitual residence, place of work or place of the alleged violation, if you believe the processing of your personal data violates the GDPR.

 

How long will your data be stored?

We delete your personal data as soon as they are no longer required for the above-mentioned purposes. After termination of the contractual relationship, your personal data will be stored as long as we are legally obliged to do so. This regularly results from legal obligations to provide evidence and retain data, which are regulated in the German Commercial Code (Handelsgesetzbuch) and German Fiscal Code (Abgabenordnung), among others. Storage periods are up to ten years. In addition, personal data may be stored for the period during which claims can be exercised against us (statutory limitation period from three to up to thirty years).

 

Will your data be transferred to a third country?

We transfer your personal data to recipients in a third country (e.g. the USA) or to an international organization in order to fulfill the purposes described in this privacy notice or execute the contractual relationship with you. This applies in particular to the transfer of grant data to the Fulbright Foreign Scholarship Board (FFSB) and our cooperation partners, namely the Institute of International Education (IIE), as well as US (partner) universities and host institutions at which you carry out your study, teaching/research or training project. In the case of such a transfer of personal data to recipients outside the EU or the European Economic Area (EEA), the transfer will only take place if the third country has been confirmed by the EU Commission to have an adequate level of data protection and the associated requirements are met by the recipient, other adequate data protection safeguards (e.g. EU standard contractual clauses) are in place or there is an exception for the transfer in accordance with Art. 49 GDPR. The latter applies in particular to data transfers to the USA, insofar as these are necessary for the fulfillment of the grant contract with you (Art. 49 para. 1 b) GDPR); this may include data transfers to the extent necessary to hotels or other accommodation in the USA in order to provide you with adequate accommodation during your participation in the program.

 

Are you obliged to provide your data?

You must provide us with those personal data that are necessary for the initiation and execution of a contractual relationship and for the fulfillment of the associated contractual obligations, or that we are legally required to collect. Without this data, we will not be able to conclude and execute the contract with you.The provision of images during your participation in one of our programs is not required and therefore not mandatory. You may, however, provide us with images on a voluntary basis so that we may publish them, or we may use images in which you are also depicted in order to protect our legitimate interests. In this case, you naturally have the right to object.