Certible Privacy Policy
About this Document
This document is divided into the following sections:
- A general section including definitions
- The privacy policy for candidates in the context of exam registrations and subsequent retention periods
- The privacy policy for website visitors
- The privacy policy for our profiles on social media platforms
Certible and Privacy
We greatly appreciate your interest in our company. Privacy protection is of particularly high priority for the management of Certible GmbH. The use of Certible GmbH’s website is generally possible without providing any personal data. We do not use cookies, do not conduct profiling, and do not allow third parties to conduct profiling. If a data subject wishes to register for one of our company’s services via our website, the processing of personal data will become necessary. If the processing of personal data is necessary and there is no legal basis for such processing, we generally obtain the consent of the data subject.
The processing of personal data, such as the name, address, email address, or telephone number of a data subject, is always carried out in accordance with the General Data Protection Regulation (GDPR) and in compliance with the country-specific data protection regulations applicable to Certible GmbH. Through this privacy policy, we would like to provide information about the nature, scope, and purpose of the personal data we collect, use, and process. Furthermore, data subjects are informed of their rights through this privacy policy.
Certible GmbH, as the controller, has implemented numerous technical and organizational measures to ensure the most complete protection possible for personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection cannot be guaranteed.
1. Definitions
The privacy policy of Certible GmbH is based on the terms used by the European legislature and regulator when issuing the General Data Protection Regulation (GDPR). Our privacy policy should be easy to read and understand for the public as well as for our customers and business partners. To ensure this, we would like to explain the terminology used first.
a) Personal Data
Personal data means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
b) Data Subject
Data subject means any identified or identifiable natural person whose personal data is processed by the controller.
c) Processing
Processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
d) Restriction of Processing
Restriction of processing means the marking of stored personal data with the aim of limiting their processing in the future.
e) Profiling
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
f) Pseudonymization
Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
g) Controller or Data Controller
Controller or data controller means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
h) Processor
Processor means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
i) Recipient
Recipient means a natural or legal person, public authority, agency, or other body to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients.
j) Third Party
Third party means a natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who, under the direct authority of the controller or processor, are authorized to process personal data.
k) Consent
Consent means any freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them.
2. Name and Address of the Data Controller
The controller within the meaning of the General Data Protection Regulation, other data protection laws applicable in Member States of the European Union, and other provisions related to data protection is:
Certible GmbH
Löwelstraße 20/2-3
1010 Vienna
Austria
Phone: +4313483993
Mail: privacy@certible.com
Website: https://www.certible.com
3. Collection of General Data and Information
The website of Certible GmbH collects a series of general data and information with each access to the website by a data subject or automated system. This includes (1) the date and time of access to the website, (2) the method of page access (GET/POST/HEAD), and (3) the requested webpage. The following data is NOT collected in these log files: (a) browser types and versions, (b) the operating system used by the accessing system, (c) the website from which an accessing system reaches our website (so-called referrers), and (d) the Internet Protocol address (IP address). Additionally, Certible GmbH uses AWS CloudFront, a Content Delivery Network (CDN) service, to improve website performance, including content delivery.
If registration for an examination is made through our registration system, the IP address used will be stored in the registration record, as this can serve to prevent attacks on our information technology systems.
When using general data and information, Certible GmbH does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the contents of our website correctly, (2) ensure the long-term functionality of our information technology systems and the technology of our website, and (3) provide law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. This anonymously collected data and information, including that managed by AWS CloudFront, is stored separately from any personal data provided by a data subject.
3.1 Analytics
Certible GmbH uses Matomo Analytics to analyze website usage. Matomo is a privacy-friendly open-source software that enables us to evaluate access to our website. All collected data remains entirely under our control and is not shared with third parties. IP addresses are anonymized before storage, ensuring no conclusions can be drawn about individual users.
Matomo uses only technically necessary cookies:
- MATOMO_SESSID: A temporary session cookie containing a random identifier that prevents CSRF security issues when users opt out of tracking.
- _pk_testcookie: A temporary test cookie used to check whether cookies are enabled in the browser. It is automatically deleted when the browser is closed.
You can opt out of Matomo tracking at any time.
Note: If you clear your cookies, delete the opt-out cookie, or change computers or web browsers, you will need to perform the opt-out procedure again.
4. Registration for a Certification Examination
The data subject has the option to register for a certification examination on the controller’s website by providing personal data. Which personal data is transmitted to the controller is determined by the respective input mask used for the registration. The personal data entered by the data subject is collected and used according to the purposes described in the above section and is subject to the deletion periods described in Deletion Periods.
Through registration on the controller’s website, the IP address assigned by the Internet Service Provider (ISP) to the data subject, the date, and the time of registration are also stored. The storage of this data takes place against the background that this is the only way to prevent misuse of our services, and, if necessary, to make it possible to investigate committed crimes. In this respect, the storage of this data is necessary to secure the controller. This data is not passed on to third parties unless there is a statutory obligation to pass on the data or if the transfer serves criminal prosecution purposes.
The registration of the data subject, with voluntary disclosure of personal data, serves the controller to offer the data subject the service of personal certification, which by its nature can only be offered to users who disclose this personal data. Registered persons are free to modify the personal data specified during registration at any time or to have it completely deleted from the controller’s data stock, unless an invoice has already been issued or an examination has been conducted. If an invoice has already been issued or a service has been provided, the deletion periods described in Deletion Periods apply.
The controller shall, at any time upon request, provide information to each data subject about which personal data about the data subject is stored. Furthermore, the controller shall correct or delete personal data at the request or indication of the data subject, insofar as there are no statutory retention obligations to the contrary. A competent employee of the controller is available to the data subject in this context as a contact person; please contact us via email at privacy@certible.com.
5. Contact Possibility via the Website
The website of Certible GmbH contains information required by law that enables quick electronic contact with our company as well as direct communication with us, which includes an email address and telephone number. If a data subject contacts the controller by email, the personal data transmitted by the data subject is automatically stored. Such personal data transmitted on a voluntary basis by a data subject to the controller is stored for the purpose of processing or contacting the data subject. This personal data is not passed on to third parties.
6. Routine Erasure and Blocking of Personal Data
The controller processes and stores personal data of the data subject only for the period necessary to achieve the purpose of storage or where provided for by European legislators or other legislators in laws or regulations to which the controller is subject.
If the storage purpose ceases to apply or if a storage period prescribed by European legislators or another competent legislator expires, the personal data is routinely blocked or erased in accordance with legal requirements.
7. Rights of the Data Subject
a) Right of Access
Every data subject shall have the right granted by European legislators to obtain from the controller, at any time and free of charge, information about their stored personal data and a copy of this information. Furthermore, European directives and regulations grant the data subject access to the following information:
- the purposes of processing
- the categories of personal data concerned
- the recipients or categories of recipients to whom the personal data has been or will be disclosed, in particular recipients in third countries or international organizations
- the planned period for which the personal data will be stored
- the existence of the right to request rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- the existence of the right to lodge a complaint with a supervisory authority
- where the personal data is not collected from the data subject: any available information as to their source
- the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) of the GDPR and, at least in those cases, meaningful information about the logic involved, as well as the significance and envisaged consequences of such processing for the data subject
Furthermore, the data subject shall have the right to obtain information about whether personal data is transferred to a third country or to an international organization. Where this is the case, the data subject shall have the right to be informed of the appropriate safeguards relating to the transfer.
If a data subject wishes to avail themselves of this right of access, they may contact us via privacy@certible.com.
Right to Confirmation
Each data subject shall have the right granted by European legislators to obtain from the controller confirmation as to whether or not personal data concerning them is being processed. If a data subject wishes to exercise this right of confirmation, they may contact us via privacy@certible.com.
b) Right to Rectification
Each data subject shall have the right granted by European legislators to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
If a data subject wishes to exercise this right to rectification, they may contact us via privacy@certible.com.
c) Right to Erasure (Right to be Forgotten)
Each data subject shall have the right granted by European legislators to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies and to the extent that processing is not necessary:
- The personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed.
- The data subject withdraws consent on which the processing is based according to Article 6(1)(a) GDPR or Article 9(2)(a) GDPR, and where there is no other legal ground for the processing.
- The data subject objects to the processing pursuant to Article 21(1) GDPR and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) GDPR.
- The personal data has been unlawfully processed.
- The personal data must be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.
If one of the above reasons applies and a data subject wishes to request the erasure of personal data stored by Certible GmbH, they may contact us via privacy@certible.com. A competent employee of Certible GmbH will ensure that the erasure request is complied with immediately.
Where Certible GmbH has made the personal data public and is obliged pursuant to Article 17(1) GDPR to erase the personal data, Certible GmbH, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform other controllers processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data, as far as processing is not required. A competent employee of Certible GmbH will arrange the necessary measures in individual cases.
Privacy Policy for Candidates
Purposes of Data Use
The personal data of candidates (name, address, email address, student status, company name, and VAT ID number/UID number) is used by Certible for the following purposes:
- Planning and evaluation of the examination as well as processing and archiving the examination result
- Transmitting the examination result to the candidate via email
- Creation and sending of an invoice (*company name & VAT ID/UID number are not mandatory fields for registration)
- Contact with applicants regarding verification of entry requirements (work experience, certificates, etc.)
- Contact with candidates to inform about any changes (such as time or location of an examination)
In case of passing the examination, the above data is additionally used for the following purposes:
- Printing of the certificate (and copies if necessary)
- Shipping of the certificate
- Possibility of online verification for the certified person (on certible.com)
Deletion Periods
Video Recordings for Remote Examinations
Certible is obligated to supervise examination participants to ensure compliance with the applicable examination regulations. Supervision occurs exclusively in real-time unless the certification scheme owner requires recording of the examination session.
Currently (for remote examinations since January 1, 2023), recordings only take place for ISTQB Certified Tester certifications with Certible.
Recordings are under no circumstances shared with third parties and are only used in one of these two cases:
- Appeal against termination of an examination by Certible due to violations of examination regulations or due to the behavior of the examination supervisor. More information can be found under Examination Support.
- Complaint by the examination participant about the behavior of the examination supervisor.
For failed examinations, recordings are retained for the duration of the appeal period against termination of an examination or due to the behavior of the examination supervisor and then deleted.
For passed examinations, recordings are retained until the end of the following day after the examination and then deleted, unless the examination participant submits a formal complaint about the behavior of the examination supervisor.
Use, Storage and Deletion of Your Personal Data
The data you enter will be used by us exclusively for the following purposes and will be deleted after the periods specified below:
Attribute: Title (optional), Form of Address, Name, Student Status
Purpose: We need this information to address you correctly, so our examination supervisors know whom to expect at the examination date, and we know who to issue an invoice to (if not paid by third parties, i.e., registration with voucher). Additionally, we use this data for the certification process and, in case of passing, for issuing the certificate. Since most schemes require proof of certified persons, in case of passing, Name (as well as Examination Scheme, Date, Examination Location) will be transmitted to the respective creator of the certificate (“Scheme Owner”). For details, please refer to the section “Data Transmission to Certification Scheme Owners After Completed Certification Examination”.
Attribute: Address (either private address and/or company address) including City, Postal Code, and Country
Purpose: We need this data for issuing an invoice (if the examination fee was not paid by third parties), and in case of passing, for shipping the printed certificate.
Attribute: Company and VAT ID Number/UID Number
Purpose: If you want a company invoice, we need this information for correct invoicing; the VAT ID number is needed for issuing a “Reverse Charge” invoice. If the company headquarters is not in Austria, the VAT ID number must be provided to avoid double taxation. Please do not provide this information if we should not issue a company invoice.
Attribute: Email Address
Purpose: We need this email address for sending registration confirmation, payment confirmation, invoice, for inquiries about admission requirements (e.g., Foundation Level certificates for Advanced Level certifications), transmission of examination results and possible delivery of a digital certificate, as well as for queries regarding the planned examination and questions or requests as part of the certification process.
Attribute: Phone Number
Purpose: In the rare case that time or location of the examination changes at short notice, or if you are not present at the planned examination start, our examination supervisor may need to contact you, for example, to decide whether to wait for you. Being able to reach you is therefore very important to us, which is why this is a mandatory field. If you still don’t want us to be able to reach you by phone for this purpose, please enter a “0” instead of your phone number. Please do not enter a randomly chosen phone number that could belong to someone else.
Deletion Timing
When a particular attribute is deleted depends on whether the examination was passed or not and whether an invoice was issued to you. The following table shows the duration until deletion from the day of the examination.
The values in the Passed column indicate after what time after the examination the respective attributes will be deleted if the examination was passed; the values in the Not Passed column indicate after what time the respective attributes will be deleted if the examination was not passed. These periods may vary due to invoice issuance, see the following section.
Attribute | Passed | Not Passed |
---|---|---|
Name (incl. title and form of address) | 10 years | 14 months |
Phone Number | 1 day | 1 day |
Email Address | 7 years | 14 months |
Address, Postal Code, City | 14 months | 2 months |
Country | 14 months | 14 months |
Student Status | 14 months | 14 months |
Examination Location | 14 months | 14 months |
Examination Country | 7 years | 7 years |
Examination Date | 10 years | 10 years |
Examination Scheme | 10 years | 10 years |
Examination Result | 10 years | 10 years |
Invoice Based on Your Registration Data
If we have issued an invoice based on your registration data, we must retain the following attributes for 7 years according to legal requirements:
Name, if applicable Student Status (if the chosen examination scheme provides for a student discount, the student status is visible in the form of the student discount shown on the invoice), Examination Location, Examination Date and Examination Scheme as well as those Email Address(es), Address (including City, Postal Code, Country), Company and VAT ID Number/UID Number provided in the billing data step.
No Invoice to You, i.e., Billing by Third Parties
If you have received a voucher from a training provider or your employer, we must show which service we have provided as part of the billing process. As part of the invoice, we must therefore retain the attributes Name, Examination Location, Examination Date and Examination Scheme for 7 years according to legal requirements.
Data Transmission to Third Parties
Certible transmits personal data to third parties in two and only two cases:
1. Certification Scheme Owners After Completed Certification Examination
Certible is obligated to transmit data about examinations of a certification scheme to the respective scheme owner:
IREB
International Requirements Engineering Board (IREB) e.V., Mahlbergstr. 25, 76189 Karlsruhe, Germany - Contact: Website
- Examination not passed: no personal data is transmitted
- Examination passed: Examination Level, ID, First Name, Last Name, Examination Date
iSAQB
International Software Architecture Qualification Board e. V., Donnersbergweg 4, 67059 Ludwigshafen am Rhein, Germany - Contact: Website
- Examination taken: Examination Level, Examination Date, Country, Training Provider, Examination Location, Examination Language, Passed yes/no, Student Status, Retake yes/no
- Examination passed: additionally ID, First Name, Last Name
UXQB
UXQB – International Usability and User Experience Qualification Board e.V., Burgmauer 10, D-50667 Köln - Contact: Website
- Examination taken: Examination Level, Examination Date, Country, Training Provider, Examination Location, Examination Language, Passed yes/no, Student Status, Retake yes/no
- Examination passed: no additional personal data - specifically not the name - is transmitted.
ISTQB / Austrian Testing Board
Austrian Testing Board (ATB), Hauptstrasse 240/4, 2391 Kaltenleutgeben, Austria - Contact: Website
- Examination taken: Examination Level, Examination Date, Country, Training Provider, Examination Location, Examination Language, Passed yes/no, Student Status, Retake yes/no
- Examination passed: no additional personal data - specifically not the name - is transmitted.
ICPMSB
ICPMSB e.V. c/o UFIT AG, Industriestr. 1, 67141 Neuhofen, Germany - Contact: Website
- Examination taken: Examination Level, Examination Date, Country, Training Provider, Examination Location, Examination Language, Passed yes/no, Student Status, Retake yes/no
- Examination passed: additionally First Name, Last Name
ITEDAS
itedas.org, Owner Gerd Bauer, Reginbaldstr. 12, 81247 München - Contact: Website
- Examination taken: Examination Level, Examination Date, Country, Training Provider, Examination Location, Examination Language, Passed yes/no, Student Status, Retake yes/no
- Examination passed: no additional personal data - specifically not the name - is transmitted.
2. Invoicing
If the examination registration is made using a voucher provided by a training institute or company, then any invoice to this company will contain the attributes First Name, Last Name, Date, Examination Location (where applicable) and Examination Type.
This privacy policy was initially created using the Privacy Policy Generator GDPR of the German Society for Data Protection, in cooperation with the law firm for Media Law WILDE BEUGER SOLMECKE | Attorneys at Law from Cologne and has since been significantly modified and expanded.