Privacy regulations pupils, students and staff

These Regulations apply to pupils, students and employees within institutions of the Aeres Group. The Regulations describe how the institution deals with privacy and how Aeres pupils, students and employees can assert their rights against the institution.The Regulations are explicitly not intended as a manual on how to implement this within Aeres.


Personal data

Any information concerning an identified or identifiable natural person.

Processing of personal data

Any operation or set of operations relating to personal data, including in any case the collection, recording, organisation, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment, blocking, erasure or destruction of data.


General Data Protection Regulation.

Data subject

The person to whom personal data relates, whether or not represented by their legal representative. In these regulations, this concerns pupils, students and employees.

Special personal data

Personal data that says something about someone's religion, philosophy of life, race, political persuasion or health.

Third party

Any person, not being the data subject, the controller, the processor, or any person under the direct authority of the controller or the processor, who is authorised to process personal data.

Aeres Group Foundation

The responsible educational institution / the competent authority.


The person who processes personal data on behalf of the responsible party, without being subject to the responsible party's direct authority.

Legal representative

If the data subject has not yet reached the age of sixteen, the data subject will be represented by his or her legal representative. This will usually be a parent, but may also be a guardian.

Responsible party

The responsible party determines which personal data are processed and what the purpose of the processing is. This is the (public or private) legal entity to which the above-mentioned foundations belong: the competent authority. In these rules and regulations the term 'controller' refers to the competent authority of the above-mentioned foundations.

Scope and purpose

  1. These regulations set out rules for the processing of personal data of pupils, students and employees of the above-mentioned foundation.
  2. These regulations apply to all personal data of the data subject that is processed by the foundation. The purpose of these regulations is to
  • to protect the privacy of the data subject against incorrect and unintended use of the personal data;
  • to establish which personal data is processed and for what purpose;
  • to guarantee the careful processing of personal details;
  • to safeguard the rights of the person involved.

Purposes of processing personal data

In processing personal data, the above-mentioned foundation adheres to relevant legislation including the General Data Protection Regulation (AVG). 


Paragraph 1 The processing of personal data takes place for:

  • the organisation or provision of education, the supervision of pupils or students, or the provision of study advice;
  • providing or making learning resources available;
  • publishing information on the organisation and teaching materials as referred to under a and b, as well as information on pupils, participants or students as referred to in the first paragraph, on its own website via the channels for which the participant (or his/her parents or guardians if the participant is younger than 16) has given explicit permission;
  • announcing the activities of the institution or institute on its own website;
  • calculating, recording and collecting registration fees and tuition fees for the above-mentioned foundation and contributions or fees for teaching materials and extracurricular activities, including placing claims with third parties;
  • handling disputes and carrying out audits;
  • maintaining contact with former pupils, former participants or former students of the person in charge;
  • implementing or applying any other law.

Paragraph 2 The categories of processing for employees are:

  • applicants;
  • personnel administration;
  • salary administration;
  • severance pay;
  • retirement and early retirement.

Purpose limitation

Personal data shall only be used insofar as such use is compatible with the defined purposes of the processing. The Foundation shall not process more data than necessary to achieve those purposes.

Types of data 

The categories of personal data used by the Foundation are listed in Appendix 1 (bottom of page).

Basis of processing

Personal data is only processed on the basis of:

  1. Consent: in the event that the data subject has given their unambiguous consent to the processing.
  2. Contract: in case the data processing is necessary for the execution of a contract to which the person involved is party, or for taking pre-contractual measures in response to a request from the person involved and which are necessary for the conclusion of a contract.
  3. Legal obligation: in case the data processing is necessary for compliance with a legal obligation to which the above mentioned Foundations are subject.
  4. Vital interest (protection of data subject): the processing of personal data is necessary in order to limit/prevent a serious threat to the health of the data subject.
  5. Public law task: in case the data processing is necessary for the proper fulfilment of a public law task by the relevant administrative body or the administrative body to which the data is provided.
  6. Legitimate interest (balancing of interests): the data processing is necessary for the promotion of a legitimate interest of the responsible party, whereby the interest of processing the data outweighs the privacy interest of the data subject.

Storage terms

The Foundation will not retain the data any longer than is necessary to fulfil the purpose for which it was obtained, unless there is another legal obligation that requires the data to be retained for a longer period.


The Foundation shall only grant access to the personal data contained in the administration and systems of the Foundation to:

  1. The processor and the third party under the direct authority of the Foundation;
  2. The processor who is authorised to process personal data;
  3. Third parties to whom access must be granted by law, granting access only to the data to which access must be granted by law.

Security secrecy

  1. The Foundation takes appropriate technical and organisational security measures to prevent personal data from being damaged, lost or unlawfully processed. The measures are also aimed at preventing unnecessary collection and further processing of personal data.
  2. The Foundation ensures that employees have no more access to personal data than is strictly necessary for the proper performance of their work.
  3. The security measures take into account the state of the art and the costs of implementation. In doing so, the Foundation shall take into account the specific risks that may apply to the personal data processed.
  4. Anyone who is involved in the implementation of these regulations and thereby becomes aware of personal data that are confidential or must be kept secret (such as health care data), and to whom an obligation to confidentiality does not already apply on the grounds of profession, position or statutory provision, is obliged to keep those personal data confidential.

Provision of data to third parties

If there is a legal obligation to do so, the Foundation may provide personal data to third parties. The provision of personal data to third parties may also take place with the consent of the person concerned.

Social media

Personal data will not be used in social media without permission. Separate arrangements for the use of personal data in social media have been made in the Foundation's 'social media protocol'.

Rights of involved parties


The AVG provides the data subject with a number of rights. The Foundation recognises these rights and acts in accordance with them.

  • Inspection: Every data subject has the right to inspect the personal data processed by the Foundation that relate to him/her. A request for access is free of  charge.The Foundation may ask for a valid identity document to verify the identity of the applicant.
  • Improvement, supplementation, deletion and blocking: The data subject may request that their personal data be corrected, supplemented, deleted or blocked, unless this proves impossible or would involve an unreasonable effort.
  • Opposition: Insofar as the Foundation uses personal data on the grounds of article 6 under e and f, the data subject may oppose the processing of personal data on the basis of his/her personal circumstances.

Time limit

The Foundation must respond to a request in writing within four weeks of receiving it or reject it in writing, giving reasons. The Foundation may inform the data subject that more time is needed and extend this period by a maximum of 4 weeks.

Execution of request

If the request from the person involved is honoured, the Foundation will ensure that the requested changes are implemented as soon as possible.

Withdrawing consent

Insofar as prior permission is required for the processing of personal data, this permission may be withdrawn by the data subject at any time.


  1. The Foundation shall inform the data subject about the processing of their personal data. If the type of processing requires it, the Foundation will inform each data subject individually about the details of that processing.
  2. The Foundation also informs the data subject - in outline form - about the arrangements made with third parties and processors who receive the data subject's personal data.


  1. If you are of the opinion that the acts or omissions of the Foundation are not in accordance with the AVG or as elaborated in these regulations, you can contact the Data Protection Officer of the aforementioned Foundation via
  2. In accordance with the AVG, the data subject may also turn to the courts or the Authority for the Protection of Personal Data (AP).

Unforeseen situation

If a situation arises that has not been described in these rules, the responsible party will take the necessary measures.

Amendments to rules

After adoption of these rules by the responsible party, they will be offered to the relevant employee participation bodies for information. The responsible party will publish these Rules on the Aeres website (

Final provision

These regulations will be cited as the "privacy regulations for pupils, students and employees" of Aeres and will come into force on July 6, 2022.

Overview of categories of personal data used

Description and listing of categories of Personal Data used:

For example:

  • name, first names, initials, titles, gender, date of birth, address, postcode, place of residence, telephone number and similar data of the person concerned intended for communication; 
  • personal identification number;
  • nationality;
  • data as referred to under a, of the legal representative or caretaker of the pupil;
  • picture, video or audio material in which the pupil concerned can be seen;
  • data concerning the health or welfare of the pupil in so far as this is necessary for the support;
  • data concerning the pupil's religion or convictions, to the extent necessary for Aeres, the education provided or the support to be provided;
  • data concerning the nature and course of the education and support, as well as the study results obtained;
  • Aeres data (including Aeres name, name of care coordinator/mentor/internal supervisor, class/group in which the student is enrolled, date of registration with Aeres, name of person submitting the application to the partnership, Aeres career path and reports from primary and secondary education);
  • reason for the application to the partnership, relevant screening and research data and description of the problem at hand;
  • activities undertaken by Aeres with regard to the participant concerned, as well as the results thereof;
  • existing or (relevant) completed assistance contacts and the names of contact persons;
  • relevant personal data provided by external parties with regard to the reported problems of the participant in question;
  • relevant financial data;