Privacy policy for app.schülerausweis.de

Introduction to this privacy policy for app.schülerausweis.de

At www.schulfotograf.energy-imaging.de, we provide a detailed privacy policy that relates specifically to the app.schülerausweis.de platform. This information is intended for data protection officers, schools and other interested parties who wish to find out about the processing of personal data in connection with our digital student ID card.

This privacy policy applies exclusively to app.schülerausweis.de and concerns students, teachers and all other persons who create or manage a digital student ID via this platform. It provides a comprehensive description of what data is processed, how it is protected and what rights users have under the GDPR.

Privacy policy for app.schülerausweis.de

1. Responsible person and general information

The protection of your personal data is a top priority for us. This privacy policy informs you about the processing of personal data in the context of the use of app.schülerausweis.de and the associated services.

1.1 Person responsible for data processing

Susanne Henkel
app.schülerausweis.de by Energy-Imaging: The experts for school marketing
Schubertstrasse 21
40699 Erkrath
E-mail: datenschutz@energy-imaging.de

If you have any questions about data protection, you can contact us at any time. You will find the contact form below.

1.2 Legal basis for processing

There are several legal bases for the digital student ID card that regulate the processing of personal data. As our company acts as a processor for the schools, the GDPR (General Data Protection Regulation) and specific state regulations in Germany are particularly relevant.

1.2.1 Legal basis according to the GDPR

The GDPR forms the general legal basis for the processing of personal data in the EU.

Important articles of the GDPR:

  • Art. 6 para. 1 lit. b GDPR (performance of a contract)
    → Processing is permitted because it is necessary for the performance of the contract between the school and the student or the legal guardian (e.g. provision of the student ID card).
  • Art. 6 para. 1 lit. e GDPR (public interest)
    → Schools are public institutions, and student ID cards are used for identification in the school environment and possibly for discounts (e.g. local transport).
  • Art. 6 para. 1 lit. a GDPR (consent)
    → If the student ID card is used voluntarily or has additional functions (e.g. digital payment function, library access), the consent of the students or parents may be required.
  • Art. 28 GDPR (order processing)
    → Your company is a processor and may only process data on behalf of and in accordance with the instructions of the school. An order processing contract (AVV) is required.

1.2.2 State regulations in Germany

Each federal state has its own school laws and data protection regulations that must be observed. Important aspects:

  • School laws of the federal states → Most federal states regulate student ID cards as a school organizational measure (legal basis for schools).
  • DSG-EKD & KDG → If a church school is involved, the Data Protection Act of the Protestant Church (DSG-EKD) or the Catholic Data Protection Act (KDG) may apply.

1.3 Purpose of the data processing

  • Creation and provision of digital student ID cards for Apple Wallet, Google Wallet and PassWallet
  • Storage and verification of student ID cards for schools
  • Optional production of student ID cards in credit card format
  • Ensuring the functionality, security and administration of the platform

2 Personal data collected and processed

2.1 Processed data categories

| Data category | Purpose of the processing |
|---|---|
| Surname, first name | Identification of the person |
| Date of birth | Age verification |
| Student ID (from school administration) | Unique assignment in the system |
| Photo of the pupil | Display on the student ID card |
| E-mail address | Invitation to create the student ID, status updates, security-relevant information |
| Usage data (IP address, login times, device type) | System and security monitoring |

2.2 Duration of storage and deletion

  • Data is only stored for as long as required by law.
  • If a student ID card is deactivated, it is rendered invalid.
  • Data in Google Wallet is overwritten via an API to avoid invalid entries.
  • Photos and identity data are no longer displayed in the event of deletion and the person concerned receives a notification by e-mail.

3 Data processing and services used

We have concluded data processing agreements (DPAs) with the following providers in accordance with Art. 28 GDPR:

  1. Mittwald (hosting & server infrastructure)
  2. Brevo (e-mail dispatch)
  3. Google (Google Wallet & Google Analytics)
  4. WebUntis (interface to school administration, if used)
  5. HubSpot (support & CRM system, if the support case is initiated)
  6. Vidyard (hosting of video content / support)
  7. United Domains (domain management and SSL certificates)

3.1 Hosting & server infrastructure

Our servers are operated by Mittwald CM Service GmbH & Co.
Server location: Germany
Data transfer to third countries: None

Security measures taken by Mittwald:

  • ISO 27001-certified data centers
  • Intrusion Detection & Prevention System (IDS/IPS)
  • DDoS protection
  • Daily backups with encrypted storage
  • Physical access controls to the data centers

3.2 Authentication & access control

  • 2-factor authentication (2FA) for school administrators
  • Password protection according to BSI standard
  • No export of personal data by school administrators

3.3 Storage & processing of student photos

  • Photos are stored encrypted on our servers in Germany
  • Apple Wallet: Storage takes place locally on the student's smartphone. Apple has no access to the content of the student ID card.
  • PassWallet (German provider): Runs analogous to Apple Wallet.
  • Google Wallet: Storage takes place on Google servers within the EU under DSGVO/GDPR standards.

3.4 Analyses & error monitoring

  • Google Analytics (GDPR-compliant with IP anonymization)
  • Mittwald error management & security monitoring

3.5 Sending emails (Brevo)

Emails are sent via Brevo (formerly Sendinblue).
Server location: EU
AVV is available.

Purpose of the e-mail dispatch:

  • Invitation to create the student ID card
  • Double opt-in (DOI) confirmation e-mail
  • Provision of the digital student ID card
  • Notification of deleted student photo by school administration
  • Updates on new functions or changes, if applicable
  • Customer satisfaction surveys, if applicable

3.6 Payment service provider (Stripe - if used)

  • Processing in EU servers (GDPR-compliant)
  • Tokenized payment processing (no storage of credit card data)

3.7 Support & contacting (HubSpot)

  • Only if the student actively submits a support request
  • Server location: Germany (from 1.4.2025)
  • No automatic storage of personal data without a request
  • AVV is available.

3.8 API interfaces & third-party integrations

  • WebUntis (optional, if school uses this)
  • Vidyard (hosting of video content for support & explanatory videos)
  • United Domains (management of domain names and SSL certificates)

4. Rights of the users according to GDPR

The General Data Protection Regulation (GDPR) grants data subjects extensive rights to control and protect their personal data. The following rights can be exercised at any time:

4.1 Right of access (Art. 15 GDPR)

Data subjects can request full information about the processing of their personal data.
We are obliged to provide a full response within one month of the request.

📌 Technical implementation:

  • Data is stored in a secure database and can be provided upon written request.
  • Requests are recorded in a logging system.
  • Identity verification takes place via 2-factor authentication (2FA).

4.2 Right to rectification (Art. 16 GDPR)

If stored data is incorrect or incomplete, data subjects can request that it be corrected.

📌 Technical implementation:

  • Users can correct their email address, first name(s), surname(s), date of birth, class name and photos in the school administration.
  • Only school administrators have limited editing rights to make changes.
  • All changes are logged to prevent manipulation.

4.3 Right to erasure ("to be forgotten", Art. 17 GDPR)

Users have the right to have their personal data erased if:

  • The data is no longer required for the original purpose.
  • They withdraw their consent.
  • There is an objection to the processing.

📌 Technical implementation:

  • Data is deleted from the active database.
  • Google Wallet entries are overwritten by an API.
  • Backups are overwritten after 30 days.

4.4 Right to restriction of processing (Art. 18 GDPR)

If users do not wish their data to be deleted but no longer want it to be processed, they can request a restriction.

📌 Technical implementation:

  • Data is transferred to a "read-only" format.
  • Automatic blocking mechanisms prevent processing.

4.5 Right to data portability (Art. 20 GDPR)

Users have the right to receive their data in a structured, commonly used and machine-readable format (e.g. JSON or CSV).

📌 Technical implementation:

  • Data provision in JSON or CSV.
  • Identity verification required (2FA and in writing).

4.6 Right to object (Art. 21 GDPR)

If processing is based on legitimate interests (Art. 6 para. 1 lit. f GDPR), a data subject may object.

📌 Technical implementation:

  • Data is transferred to an "opt-out" list.
  • All future processing is prevented.

4.7 Right to lodge a complaint with the data protection authority

Data subjects can lodge a complaint with the competent data protection authority.

📌 Responsible supervisory authority:
State Commissioner for Data Protection and Freedom of Information North Rhine-Westphalia (LDI NRW)
E-mail: poststelle@ldi.nrw.de


5 Technical & organizational measures for data security

5.1 SSL/TLS encryption

  • TLS 1.2+ encryption for all transmissions.
  • Regular renewal of certificates.

5.2 Access restriction & authentication

  • 2FA mandatory for admins and school administrators.
  • BSI-compliant password standards:
    • At least 12 characters
    • Regular changes required

📌 Access logging:

  • All accesses are logged and analyzed regularly.

5.3 Storage & backup strategy

  • Data is only stored on servers in Germany (Mittwald).
  • Daily backups with emergency recovery systems.

5.4 Logging & monitoring

  • Real-time monitoring for anomalies.
  • Automatic blocking of suspicious activities.

5.5 Measures against cyber attacks

  • Firewall & intrusion detection system (IDS) to detect attacks.
  • DDoS protection to safeguard against overload attacks.

6. Contact & changes to the privacy policy

We reserve the right to update this privacy policy regularly in order to adapt it to legal requirements or technical changes.

📌 Contact for data protection inquiries:
Susanne Henkel
Schubertstraße 21, 40699 Erkrath
E-mail: datenschutz@energy-imaging.de

Questions & Answers

How secure is the digital student ID?

The digital student ID card is stored on secure servers in Germany and is subject to the highest data protection standards in accordance with the GDPR. Access is protected by state-of-the-art encryption technology and security mechanisms such as two-factor authentication (2FA).

What data is stored for the creation of the digital student ID?

We store the following personal data for the identification and use of the digital student ID card: surname, first name, date of birth, student ID from the school administration, photo for the ID card, e-mail address (for access and notifications), usage data (e.g. login times and device type, exclusively for security monitoring).

Who has access to my data?

The personal data is only accessible to authorized school administrators and our system team. Teachers and administrative staff only see the data relevant to the student ID, but not other personal information. Administrators in the school can manage certain data (e.g. update photos). Data is never passed on to third parties or used for advertising purposes.

Where will my data be stored and will it be passed on to third parties?

All data is stored on Mittwald's ISO 27001-certified servers in Germany. The data remains within the EU and is subject to the strict data protection guidelines of the GDPR. Google Wallet stores the digital student IDs on Google servers within the EU - the Google data protection regulations apply. Apple Wallet and PassWallet store the data exclusively on the user's device - Apple and PassWallet have no access to the content. No data is passed on to unauthorized third parties.

Can I delete or deactivate my digital student ID?

Yes, students can request the deletion of their digital student ID at any time. After deactivation, the ID card becomes invalid. In Google Wallet, the entry is automatically overwritten via an API. All personal data will be deleted or anonymized in accordance with legal requirements. Please contact the school administration for deletion.

How does authentication work for school administration staff?

Administrative staff are granted access via a secure admin portal with the following protection mechanisms: 2-factor authentication (2FA) is mandatory for school admins. Access is only possible with school login. School administrators do not have access to exportable data, but can only manage individual data records. All changes and accesses are logged and checked regularly.

Questions about data protection? Please contact us!

Do you have questions about the processing of personal data on app.schülerausweis.de or do you need more information about the GDPR compliance of our system?

Use the form below to contact us directly. We are happy to answer inquiries from data protection officers, schools, students and teachers who would like to find out more about the digital student ID card.

📌 Please note:
For general questions about the use of the digital student ID card by students and teachers, we recommend that you first take a look at our FAQs or the privacy policy.

🔐 Data protection notice:
Your request will be transmitted in encrypted form and processed exclusively for the purpose of processing your request. Further information can be found in our privacy policy.