1. Contents
2.1. Purpose of the Principles
2.2. Basic rules for the processing of personal data, categories of data controllers
2.3. Data controller, data processor and contacts
2.4. Definitions
3.1. Processing of personal data and different types of cards
3.2. Cards with an ISIC Association licence – purpose of processing and further information
3.3. Retention period for personal data relating to cards
3.4. Online verification and verification of the cardholder’s identity
3.5. Cards and other activities of holders under the age of 7 – confirmation by a parent or guardian
3.6. Online verification of photos
3.7. Use of cards for discounts
4. Conclusion of a contract with eduverify regarding the purchase of a card
4.1. Order form for purchasing a card, order enquiry, abandoned basket function
5. ISIC App profile and provision of selected marketing information
5.1. Purpose and further information
5.2. Competitions on social media and on the website
5.3. Consent to receive newsletters
6. Visiting and using the website
6.1. Online advertising and cookies
6.2. Social media tools
6.3. Use of contact details published on the website
7. Legitimate interest of eduverify in protecting its rights
8. Compliance with legal obligations
10. Rights, submission of requests
10.1. Method of processing your requests
10.2. Withdrawal of consent
10.3. Right to access, transparent information, procedures for exercising rights
10.4. Right to rectification
10.5. Right to erasure (‘right to be forgotten’)
10.6. Right to restriction of processing
10.7. Obligation to notify regarding the rectification or erasure of personal data or the restriction of processing
10.8. Right to data portability
10.9. Right to object
10.10. Automated individual decision-making, including profiling
10.11. Right to lodge a complaint with a supervisory authority
2.1. Purpose of the principles
On the following pages, you will find comprehensive information and conditions regarding the protection of personal data.
The purpose of this document is to explain all the conditions for the processing of personal data in the context of our activities. Whenever the data subject gives us their consent to process personal data, or is informed about the processing of personal data when giving consent, we also refer to these guidelines, which contain detailed information on all processing purposes we carry out on behalf of the data subject. If the data subject has any questions regarding these principles, they may contact the addresses listed below for clarification.
These principles apply to the data controller eduverify.
2.2. Basic rules for the processing of personal data, categories of data controllers
Just as we take great care and interest in the cards and their possible uses, we also take the protection of the personal data provided by their holders seriously.
We collect only the personal data that we actually require for the specified purposes. We do everything we can to provide the best possible service to cardholders, not only in Austria but also in all other countries where the cards can be used.
We do not, as a rule, pass on personal data to third parties unless this is necessary. In such cases, we will inform you of the necessity of this transfer. If we do pass on data to third parties, we will always inform you of this. To ensure all our activities run smoothly, we use the following suppliers or categories of data processors: accountants, delivery companies, auditors, legal advisers, IT service providers, webmasters, marketing agencies, card manufacturers, storage providers, and companies offering additional card-related services.
GTS ALIVE Group s.r.o., ID No. (IČ): 09296727, with its registered office at Na Maninách 1092/20, Holešovice, 170 00 Prague 7, registered in the Commercial Register of the Municipal Court in Prague, Section C, Entry No. 334013 (“GTS Alive Group”), is a data processor.
2.3. Controller, processor and contacts
Unless otherwise stated, the data controller for the processing of personal data is eduverify GmbH, with its registered office at Marxergasse 42/2, 1030 Vienna, registered in the Commercial Register of the Vienna Local Court under number FN 573114 s.
Contact:
Telephone: +49 (0)40 / 41 46 49 – 0
Email: hallo@isic.at
Post: eduverify GmbH, Marxergasse 42/2, 1030 Vienna.
Enquiries regarding the processing of personal data should be addressed to:
Solicitor Frank Henkel (external data protection officer of the controller)
Email: datenschutz@isic.de
Post: Wandsbeker Zollstraße 5, 22041 Hamburg
Enquiries regarding the processing of personal data for the ISIC app should be addressed to:
Email: dataprotection@isic.org
Post: ISIC Association, Nytorv 5, DK-1450, Copenhagen, Denmark. Attn: Privacy Officer.
2.4. Definitions
eduverify = eduverify GmbH, with its registered office at Marxergasse 42/2, 1030 Vienna, registered in the Commercial Register of the Vienna Local Court under number FN 573114 s, which is the operator of the website and also the controller of personal data, unless otherwise specified in these principles. eduverify is the exclusive representative for the issuance of ISIC, ITIC and IYTC cards for Austria, authorised by a certificate from the ISIC Association (CVR 26746760, Nytorv 5, 1450 Copenhagen, Denmark).
Rules = Rules for the use of cards, which you can find here.
Principles = these principles for the protection of personal data.
User = Visitors to the website who are also data subjects.
Website = Website https://isic.at
Card = any international ISIC, IYTC or ITIC card in digital form or as a plastic card, which may be issued by a university or school, eduverify or another authorised distributor.
Renewal of validity = extension of the card’s validity to the new validity period of the card.
ISIC App Profile = The holder’s personal account in the ISIC App mobile application.
ISIC App = Name of the mobile application used to display a card and offering additional optional functions.
Cardholder = the user of any card; the cardholder is also the data subject. For the sake of simplicity, the person applying for the card is also considered to be the cardholder.
GDPR = Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal data = any information relating to an identified or identifiable data subject. A data subject is considered identified or identifiable if they can be identified, directly or indirectly, in particular by reference to an identification number, to an identification code or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity. Examples of personal data include email addresses or mobile phone numbers. Information regarding purchasing preferences in conjunction with a surname may also constitute personal data. The processing of personal data is necessary for the issuance of a card.
Special categories = data revealing the data subject’s national or ethnic origin, political opinions, trade union membership, religious or philosophical beliefs, criminal convictions, health status and sex life, as well as the data subject’s genetic data (formerly known as sensitive data).
Processing = any operation or set of operations which the controller or processor carries out on personal data, whether by automated means or otherwise. The processing of personal data includes, in particular, the collection, storage on data carriers, provision, editing or alteration, retrieval, use, transmission, dissemination, disclosure, retention, exchange, sorting or combination, blocking and erasure.
Purpose = the reason why eduverify processes personal data.
Category of personal data = specific personal data that we require for processing; for example, first name, surname and date of birth are categories of identification data, whilst an email address is a category of contact data.
3.1. Processing of personal data and different types of cards
On the following pages, you will find comprehensive information and terms regarding the processing of personal data for all holders and applicants of our cards (plastic and digital). Personal data for individual cards may be processed differently, depending on the card’s function, the school at which it is issued, and other specific features. The functions of each card are described in detail in the rules.
These guidelines describe the processing of personal data for the following cards:
Cards with an international licence from the ISIC Association
- ISIC (International Student Identity Card),
- IYTC (International Youth Travel Card),
- ITIC (International Teacher Identity Card).
3.2. Cards with an ISIC Association licence – Purpose of processing and further information
The purpose of processing personal data is to fulfil the order and to enable the card to be issued and used.
By completing the relevant application form, the holder applies for the card to be issued. The card can only be issued if the holder provides the administrator with the necessary personal data. This processing is necessary for the card to be issued. The holder’s personal data will only be used for the purpose of issuing the card and enabling its use. The holder’s personal data will only be used as follows:
- to issue the card;
- to produce the plastic card;
- to verify student status, the validity of the card and eligibility for discounts/benefits;
- to send information that the holder absolutely needs to use the card, e.g. notifications regarding the expiry date (by post or electronically);
- to use additional functions enabled by the specific types of cards in accordance with the rules and the relevant application;
Where necessary within the scope of this service to fulfil the contract, to exercise rights or to fulfil obligations arising from the contract, service notifications will be sent to you via the contact channels you have selected. Further information can be found in Section 9 of these guidelines.
When the cardholder uses the card to access benefits, the data is processed in accordance with Section 3.7 of these guidelines.
The legal basis for the processing is the performance of a contract pursuant to Article 6(1)(b) of the GDPR.
Legitimate interests: Once the specified retention period has expired, certain key documents must be retained to a limited extent. Selected key data or documents (e.g. records of card application requests) are retained in the event of an inspection by the supervisory authority, to defend against claims, or to assert our rights in accordance with Section 7 of the Data Protection Act 2018.
Recipient: ISIC Association – The non-profit membership organisation that manages the international ISIC, ITIC and IYTC cards; only limited data is shared to enable the use of the card abroad (worldwide). Information on the processing of personal data by the ISIC Association can be found here.
An overview of all eduverify business partners where the cardholder can claim a discount/benefit and make a purchase can be found here.
For this processing, the processors listed in Section 2.2 of these guidelines are used.
Transfer to third countries outside the EU: In the event of a transfer of personal data outside the EU, standard protection is ensured by an adequacy decision or by standard contractual clauses for the protection of personal data adopted by the European Commission.
To ensure the benefits of the ISIC Association, the Association works with partners listed here – these partners are sent confirmation of the card’s validity, including the possible transfer of this confirmation to a third country (this only occurs at the cardholder’s request for use with a specific service provider; the transfer to a third country may therefore, at the cardholder’s discretion, also take place in a country where there is no decision on an adequate level of protection pursuant to Article 45 of the GDPR and no appropriate safeguards pursuant to Article 46 of the GDPR; in this case, the transfer to such a country takes place solely for the purpose of fulfilling the contract to enable the use of the card’s benefits, specifically to the extent of providing data regarding the validity of the card – YES/NO).
The ISIC Association processes personal data via a data processor in a third country – ISIC Service Office DOO (“ISO”), ID No. 21520209, with its registered office at Starine Novaka 1, 11000, Belgrade, Republic of Serbia, only to the extent necessary (first name, surname, date of birth, photo, card number, card type, validity (from, to, issue date), issuer, name of school) and Amazon Web Services Inc. (“Amazon”), 410 Terry Avenue North, Seattle, WA 98109, United States, for cloud services. As appropriate safeguards, we have adopted standard contractual clauses in accordance with Article 46 of the GDPR. Further information on this subject can be found here.
Voluntary provision of data: The provision of personal data is voluntary; however, without this data, it is not possible to conclude and fulfil a contract for these services. No card can be issued without the provision of personal data.
3.3. Retention period for personal data relating to cards
The cardholder’s personal data is processed for the duration of the card’s validity or for the period associated with the respective processing purpose as set out in the application for the card, i.e. for the period during which the cardholder is entitled to use the services and benefits associated with the card, or has the right to renew the card for a new period.
After the card’s expiry, personal data will be stored for a period of 3 months for the following reasons:
- to extend the card’s validity;
- to verify that the card has not been misused and to check the card’s expiry date within the network of eduverify’s business partners;
- to send the holder information regarding the expiry of the card’s validity, details on how to obtain a new card, and information regarding the inability to continue using the card;
- to verify the validity of the card’s licence number and to register the holder in the event of a new card being issued.
The validity period of individual cards is also set out in detail in the rules. The validity period and retention period may vary; specifically, the retention period may be longer for the reasons mentioned above, for example due to the possibility of renewing the card.
If the cardholder no longer wishes to use the card, they undertake to notify eduverify of this in accordance with the rules. In this case, processing for this purpose will cease.
Categories of personal data concerned: We process only such personal data as the cardholder provides to us, transmits to us or enters in the relevant application form. For the production and operation of the ISIC, ITIC and IYTC cards, we process the holder’s photograph, first name and surname, the date of issue and other personal data of the holder, depending on the type of card. The personal data shown on the card also varies depending on the type of card, whereby the following applies:
- ISIC and ITIC cards contain: identification and contact details (first name, surname, date of birth, photograph), card details (validity, licence number, name of the school);
- The IYTC card contains: identification and contact details (first name, surname, photo), card details (validity, licence number);
For the purposes of use and functionality, we maintain a database of cardholders in which we store personal data for verification purposes (in particular the card number, date of issue, expiry date, details regarding card renewal, and information about the chip, if applicable).
Source of the personal data: The source of the data is always the cardholder, unless they instruct the school/organisation/issuer to pass the data directly to eduverify.
3.4. Online verification and verification of the cardholder’s identity
Purpose: If you give us your voluntary and explicit consent, we will verify and check your identity when you purchase your card online (or for the use of a digital card) by comparing it with a scan of your photo ID. The copy (scan) may only be provided by the holder of the identity document in question. The scan of the photo ID will be used solely for the purpose of verifying the holder’s identity. The identity verification process involves checking the photo on the ISIC, ITIC or IYTC card against the photo on the photo ID and verifying the details on the ISIC, ITIC or IYTC card against the details on the photo ID. Following verification, eduverify will immediately and securely destroy the copy (scan) of the photo ID.
The retention period for the scan used for identity verification is a maximum of 14 days from the date of verification of the holder’s identity. The relevant copy is then securely destroyed.
The legal basis is consent pursuant to Article 6(1)(a) of the GDPR, which may be withdrawn.
Voluntary provision of personal data: The holder is not obliged to give their consent if they do not agree to do so. In this case, the holder can be identified by means of a scan of a notarised document. A person’s identity and photograph may also be verified by means of a notarised declaration confirming that the holder depicted in the photograph and their personal data correspond to the details on the relevant identity document. In this case, the legal basis for retaining the certificate is legitimate interest, with the certificate being retained for a maximum period of 5 working days following the identity verification. The holder has the right to object to this processing.
Without a verified identity, it is not possible to use the services of a digital card.
Recipients: The processors referred to in the provisions of Section 2.2.
3.5. Cards and other activities of holders under the age of 7 – Confirmation by a parent or guardian
Purpose: Where a holder under the age of 7 applies for a card (including a digital card), the processing of personal data is lawful only if and to the extent that the relevant consent has been given or authorised by a person who has parental responsibility for the child. Therefore, eduverify requires the consent of this cardholder’s legal representative; furthermore, the legal representative’s personal data is stored for the purpose of verifying that person’s identity and recording the consent.
Legal basis for processing: Performance of a contract pursuant to Article 6(1)(b) of the GDPR, compliance with a legal obligation pursuant to Article 6(1)(c) of the GDPR, and legitimate interests pursuant to Article 6(1)(f) of the GDPR.
Legitimate interests: Selected key data or documents (e.g. records of consents given) are retained for potential review by a supervisory authority, to defend against claims or to exercise our rights in accordance with Section 9.
Recipients: Categories of processors specified in the provisions of Section 2.2.
When personal data is transferred outside the EU, uniform protection is ensured by an adequacy decision or, where applicable, by standard contractual clauses adopted by the European Commission for the protection of personal data.
Retention period: Until the holder reaches the age of 7 and for a further 3 years thereafter.
Categories of personal data concerned: Identification and contact details, authorisation-related records (and/or documents) and associated documentation (if any).
Voluntary provision of data: The provision of personal data is voluntary; however, without the provision of personal data, it is not possible to conclude and fulfil a contract for these services. Without the provision of personal data, it is not possible to issue a card.
3.6. Online verification of photos
Purpose: When a cardholder provides us with a photograph to be displayed on their card, we must verify the photograph to ensure that it depicts the cardholder, that the person in the photograph is not wearing sunglasses or headgear, that the quality of the photograph is sufficient to identify and verify the person when the card is used, and that the head is not covered. For this purpose, we must process the holder’s personal data.
We also use the services of a photo verification provider, namely Google Ireland Limited, incorporated under Irish law, company number: 368047, with its registered office at Gordon House, Barrow Street, Dublin 4, Ireland (hereinafter “Google”). We have entered into a data processing agreement with Google, the text of which is available here. Google’s service is called Google Cloud Vision, and we have entered into an agreement in this regard, the content of which can be found here, with an overview of the service here and information on the processing of personal data here. Google Cloud Vision works as follows: As soon as a user uploads a photo, the service checks, amongst other things, whether a person is in the photo, whether the person in the photo is not wearing sunglasses or headwear, and whether the quality of the photo is sufficient for its intended use. The verification carried out by Google Cloud Vision does not include identity checks or the processing of biometric personal data or other special categories of data.
Categories of personal data concerned: Photos and parameters for evaluating photos – compliance with passport photo requirements (verification of the face and its orientation, headwear, etc.), network identifiers, logs, verification results, data relating to the controller’s internal control, data relating to the use of Google Cloud Vision.
Retention period: The data used for the internal verification and control of photos is deleted immediately after validation and in any event within 24 hours. The retention period of a photo refers to the period during which the photo is used on a card, i.e. it corresponds to the retention period of the personal data on the card in accordance with this policy. The service provider Google’s access to the photo is limited to the time required for the use of the service and the review of the photo in accordance with the specified criteria.
The legal basis is the performance of a contract pursuant to Article 6(1)(b) of the GDPR and the legitimate interest pursuant to Article 6(1)(f) of the GDPR. It is possible to object to the legitimate interest.
Legitimate interests: Selected key data or documents (e.g. records of consents given) are retained for potential review by a supervisory authority, to defend against claims or to exercise our rights in accordance with Section 7.
Recipients: Categories of data processors specified in the provisions in Section 2.2.
Where personal data is transferred to countries outside the EU, an adequate level of protection is ensured by an adequacy decision or, where applicable, by standard contractual clauses adopted by the European Commission for the protection of personal data.
The Google Cloud Vision Service is provided by Google Ireland Limited. Access from outside the EU is possible for the use of the service; standard contractual clauses are used to ensure sufficient safeguards, and where third countries are subject to an adequacy decision, these decisions also apply. Further information on this subject can be found here.
Source of personal data: Personal data is always collected by the data controller.
Voluntary provision of data: The provision of personal data is voluntary; however, without the provision of personal data, it is not possible to conclude and fulfil a contract for these services. Without the provision of personal data, it is not possible to issue a card.
Providing a photo is optional; however, without providing and verifying a photo, it is not possible to use a card.
3.7. Use of cards for benefits
Purpose: When the card (whether physical or digital) is used for benefits, the associated data is processed to enable the use of benefits, verify eligibility and maintain the relevant records. The reason for processing personal data is therefore to verify eligibility and enable the cardholder to claim discounts and benefits.
Categories of personal data concerned: Data relating to the card and the holder, data essential for claiming benefits (discounts, privileges), transaction data, date and time of individual transactions, data relating to the provider of the benefit, data for verifying the benefit, logs, network and other identifiers, statistical data.
Retention period: two years from the verification of the benefit.
The legal basis is the performance of the contract (Article 6(1)(b) GDPR) and the legitimate interest pursuant to Article 6(1)(f) GDPR. An objection may be lodged against the legitimate interest.
Legitimate interests: Selected key data or documents (e.g. records of consents given) are retained in the event of an inspection by the supervisory authority, to defend against claims or to assert our rights in accordance with Section 7.
Recipients: Category of commissioned processors in accordance with paragraph 2.2.
If the card issued is an ISIC/ITIC or IYTC, personal data will be transferred to the non-profit organisation ISIC Association, Denmark, for the purpose of registration and to ensure international benefits (for further information, see section 3.3).
To ensure the benefits of the ISIC Association, the Association works with partners listed here – these partners are sent confirmation of the card’s validity, including the possible forwarding of this confirmation to a third country (this only occurs at the cardholder’s request for use with a specific service provider; the transfer to a third country may therefore, at the cardholder’s discretion, also take place in a country where there is no decision on adequate protection pursuant to Article 45 of the GDPR and no appropriate safeguards pursuant to Article 46 of the GDPR; in this case, the transfer to such a country takes place solely for the purpose of fulfilling the contract to enable the use of the card’s benefits, specifically to the extent of the transfer of data regarding the validity of the card – YES/NO).
The ISIC Association processes personal data via a data processor in a third country – ISIC Service Office DOO, ID No. 21520209, with its registered office at Starine Novaka 1, 11000, Belgrade, Republic of Serbia, only to the extent necessary (first name, surname, date of birth, photograph, card number, card type, validity (from, to, date of issue), issuer, name of school) (“ISO”) and Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109, United States (“Amazon”) for cloud services. We have adopted standard contractual clauses in accordance with Article 46 of the GDPR as appropriate safeguards. Further information on this subject can be found here.
Source from which the personal data originates: Service providers, data subjects.
Voluntary nature of data provision: The provision of personal data is voluntary; however, without this data, it is not possible to conclude and fulfil a contract for these services. Without the provision of personal data, no card can be issued.
4.1. Order form for the purchase of a card, order enquiry, abandoned basket function:
Purpose: If a holder uses our online order form to purchase a card directly from eduverify and submits a card purchase enquiry, we process the holder’s personal data for the purpose of handling the enquiry, processing the order and ensuring the entire purchase process in accordance with the Terms and Conditions. To ensure the purchase of a ticket, identity verification and the conclusion of the contract, the ordering process includes verification of the holder’s age, identity verification and verification of eligibility to purchase a ticket. To facilitate the purchase, a feature for abandoned shopping baskets, simplified identification and, where applicable, the pre-filling of the holder’s personal data are provided. For persons under the age of 7, a parent or guardian is also required to confirm the contract and, where applicable, give their consent.
If an email address is provided but the order is not completed, the data subject also consents to the abandoned basket feature, i.e. that we use their personal data to send up to three reminder emails to facilitate the completion of the order – this can be opted out of by emailing hallo@isic.at or via the link in each individual email.
If the holder repeats a purchase via the order form and is identified via the GTS-Alive systems, it is not necessary for the holder to provide specific proof of identity, as this is already stored internally in the GTS-Alive system.
If the holder is already a customer of eduverify and the system identifies the holder via an email address, the holder is automatically identified and the data required for the purchase of their card is automatically filled in and assigned to their order.
If an ISIC is to be purchased for a person under the age of 7, the order can only be placed by that person’s legal guardian. In this case, the purchaser is the holder’s legal guardian, who enters their personal details as well as the data required to purchase the holder’s card into the system. The legal guardian must also prove their identity using an identity document and provide the necessary personal details in order to comply with eduverify’s legal obligation to verify the consent of the person holding parental responsibility. Further information on parental confirmation of the purchase can be found in section 3.5.
When purchasing a new card, eduverify uses a previous photograph of the holder, provided that no more than five years have passed since the initial order and that, during this period, another product has been used for which the holder’s photograph was required.
As a card always serves as the holder’s identity document, their identity must be thoroughly verified; this is done through a face-to-face identity check at the issuing offices, or on the basis of consent via a scan of the front of an identity document or through a notarised declaration/certificate. Further information on identity verification can be found in section 3.4.
Following the conclusion of the contract, personal data will be processed to ensure the fulfilment of the contract, as well as the use of the digital card in the ISIC app and its use for other possible purposes.
Legal basis: Contract performance pursuant to Article 6(1)(b) of the GDPR, consent pursuant to Article 6(1)(a) of the GDPR, legitimate interest pursuant to Article 6(1)(f) of the GDPR. Consent may be withdrawn at any time. An objection may be lodged against processing based on a legitimate interest.
Data categories: Identification data, contact details, order-related data and associated communication, ID data, network identifiers and logs, communication, photos, ID card, holder’s settings.
Recipients: Categories of data processors listed in the provisions of Section 2.2.
Transfers to third countries outside the EU: eduverify uses the partners listed here to provide the benefits of the card – a message confirming the card’s validity is sent to these partners, which also involves the possible transfer of this message to a third country (this only occurs at the request of the cardholder using the card with a specific service provider; the transfer to a third country may therefore, at the cardholder’s discretion, also take place to a country that is not subject to an adequacy decision pursuant to Article 45 of the GDPR nor to appropriate safeguards pursuant to Article 46 of the GDPR; in this case, the transfer to such a country takes place exclusively for the purpose of fulfilling the contract, to enable the use of the benefits, and is limited to the transfer of the validity data – YES/NO).
The ISIC Association processes personal data via a data processor in a third country – ISIC Service Office DOO, identification number 21520209, with its registered office at Starine Novaka 1, 11000, Belgrade, Republic of Serbia – only to the extent necessary (first name, surname, date of birth, photograph, card number, card type, validity period (from, to, date of issue), issuer, name of school) (hereinafter ‘ISO’) and Amazon Web Services Inc., 410 Terry Avenue North, Seattle, WA 98109, United States (hereinafter ‘Amazon’) for cloud services. We have implemented standard contractual clauses as appropriate safeguards in accordance with Article 46 of the GDPR. Further information on this subject can be found here.
Retention period: Throughout the entire ordering process and the validity period of the card (12 months), as well as for three months thereafter, as there is the option to purchase a new card via a simplified procedure. Data may only be retained for a longer period if this is necessary to safeguard a legitimate interest and/or to fulfil a legal obligation under this policy.
If the order is not completed, personal data will be stored as follows:
- for a period of 14 days as part of the abandoned basket feature;
- for a period of one month from the last communication, if the price is not paid;
- for a period of one month from the last communication, if not all documents required for the conclusion of the contract and the issue of the card are provided.
Even after the card has expired, the card number is retained for the purpose of ensuring a continuous number sequence.
Source: Cardholder.
Obligation to provide personal data: The provision of personal data is voluntary; however, if such data is not provided, the purchase of a card, the conclusion of the contract and the performance of the contract may not be possible in some cases.
5.1. Purpose and further information
The ISIC App profile allows you to view an overview of all your products and other features in accordance with the Terms of Use of the ISIC App profile. Access to the profile is via the ISIC App mobile application. The purpose of the ISIC App profile is to provide a digital card and ensure its use, to store issued cards, to find discounts/benefits in your area and to receive information from the world of ISIC.
Furthermore, if you give us your consent in your ISIC App profile, you will be shown relevant content, including the receipt of selected commercial communications by electronic means.
You can find the ISIC App’s terms of use here.
You can find the ISIC App’s privacy policy here.
5.2. Competitions on social media and on the website
Users have the opportunity to take part in competitions organised by eduverify on social media or on the website – provided that the user agrees to the terms and conditions of participation and the associated processing of personal data. Participation in competitions is always voluntary and may be withdrawn at any time.
The legal basis for the processing of personal data for this purpose is consent pursuant to Article 6(1)(f) of the GDPR. Consent may be withdrawn at any time. Participation in a competition is not possible without consent, and the withdrawal of consent terminates participation in a competition.
The purpose of this processing is to facilitate the organisation of competitions, the proper evaluation, the verification of competition entries and/or submissions, the verification of compliance with the rules, and the delivery of prizes.
The retention period for personal data for this purpose corresponds to the duration of the respective competition and the following 6 months. In the event of withdrawal of consent or withdrawal from the competition, processing ceases immediately. Upon expiry of the retention period, or in the event of withdrawal of consent or withdrawal from the competition, only a limited number of the most important documents will be retained in accordance with the information provided here for possible review by a supervisory authority.
Categories of personal data concerned: Participation in a competition, competition entry, identification and contact details, details of the prize and prize presentation, details of related communication.
Legitimate interests: Exclusively the protection of rights to selected documents, as set out in Section 7.
Recipients: Categories of data processors listed in the provisions of Section 2.2.
Where personal data is transferred outside the EU, adequate protection is ensured by an adequacy decision or, where applicable, by standard contractual clauses adopted by the European Commission for the protection of personal data.
Source: Personal data is collected, depending on the case, from a participant or from the relevant social media platforms.
Voluntary provision of data: The provision of personal data is voluntary; however, participation in competitions is not possible without the provision of personal data.
5.3. Consent to receive newsletters
Purpose: If you give us separate consent to receive newsletters, we will send these to the contact details you have provided.
For this purpose, only the following categories of personal data are used: the holder’s identification and contact details; details of the holder’s card. We also store network and other identifiers, the date and time of consent, message delivery, message opening and link clicks, relevant logs and associated communications, as well as any enquiries from the holder.
Retention period: For this purpose, personal data is processed for an indefinite period, but at the latest until your consent is withdrawn. Personal data will no longer be processed once the purpose of the processing no longer applies. After the retention period has expired, only a limited number of the most important documents will be retained in accordance with the information set out here for possible review by a supervisory authority.
The legal basis for the processing is voluntary consent pursuant to Article 6(1)(f) of the GDPR, which may be withdrawn at any time.
Consent may be withdrawn at any time – in writing to an address of eduverify or electronically by email. The data subject may request in any individual email to no longer receive electronic marketing communications. In this case, the data subject’s personal data will continue to be processed in accordance with this section, with the exception of the receipt of electronic marketing communications.
Recipients: The data processors named in the provisions of Section 2.2.
Source: Personal data is collected from the data subject.
Voluntary nature of data provision: The provision of personal data is voluntary; however, without the provision of personal data, it is not possible to receive the newsletter.
6.1. Online advertising and cookies
If you visit and use our website solely for information purposes – i.e. if you do not register or otherwise provide us with information – we only collect personal data that your browser transmits to our server and that is technically necessary for us to display our website to you and to ensure its stability and security. Provided you consent, we also use tools to analyse visits to our website. You can find all information regarding the processing of your personal data whilst browsing the website, as well as the use of cookies, in the document “Terms of Use for Cookies and Other Similar Tools”.
6.2. Social media tools
To analyse the interests of people who follow our accounts, tailor campaigns to our requirements, or use tools for communicating with users, we use social media tools such as Meta Platforms, Inc. and sponsored posts on Instagram. We use these tools to run performance-based campaigns and analyse visitor behaviour. You can find all information regarding the processing of your personal data when visiting our website and the use of cookies in the Cookie Policy.
6.3. Use of contact details published on the website
If you contact us using the contact details published on the website, we will process your personal data for the purpose of handling your enquiry.
The legal basis for the processing is your consent pursuant to Article 6(1)(f) of the GDPR, which you may withdraw at any time.
The retention period for the communication corresponds to the duration of the processing of the enquiry plus the following 6 months in case further questions arise. Data will only be retained for a longer period if this is necessary for a legitimate interest or to fulfil a legal obligation.
Purpose: Where eduverify processes personal data on the basis of consent or for the performance of a contract, it stores the necessary documents to a limited extent, including communications between eduverify and the data subject, in order to defend itself against claims by data subjects or third parties, to protect its rights, to enforce claims and in the event of supervisory authority inspections.
The data subject is entitled to object to this processing by writing to eduverify’s address or by emailing datenschutz@isic.de.
Legal basis for processing: The legal basis is the legitimate interest in protecting the rights of the controller pursuant to Article 6(1)(f) of the GDPR.
Recipients: Courts and other competent authorities, categories of data processors as set out in paragraph 2.2.
Retention period: For this purpose, personal data will be processed for a maximum of three years after the relevant purpose has ceased to apply, i.e. three years after the withdrawal of consent or after the expiry of the period necessary for the performance of the contract.
Categories of personal data concerned: The scope of the data stored for this purpose is limited and always restricted to the extent necessary to fulfil the purpose. This includes, in particular, a copy of the application, communication regarding the exercise of rights and the handling of important matters by the controller. In addition, documents which the supervisory authority requires to be presented during an inspection (e.g. records of electronic consents given).
Source: Data controller.
Voluntary provision of data: The provision of personal data is generally a contractual requirement or a prerequisite for the chosen activity. Objections may be lodged against its use to safeguard legitimate interests in accordance with the procedures set out in these principles.
Purpose: Where we are legally obliged to do so, we retain personal data or documents containing such data for the period specified in the relevant legislation. The purpose is to comply with the requirements of applicable legislation, e.g. in the areas of accounting, taxation or advertising regulation.
Legal basis for processing: Fulfilment of legal obligations pursuant to Article 6(1)(f) of the GDPR.
Recipients: government authorities, the categories of data processors referred to in section 2.2.
Retention period: Only the period specified by the relevant legislation, for example, tax records for a period of 10 years.
Categories of personal data concerned: only the documents specified by the relevant legislation.
Source: The data controller.
Voluntary nature of data provision: The provision of personal data is generally a contractual requirement or a prerequisite for the chosen activity. Its use for this purpose is required by law and cannot be influenced by the data subject.
Purpose: When you enter into a contract with us or we provide a service to you, it is necessary in certain cases to send communications relating to the contract in question in connection with the concluded contract, the fulfilment of our contractual obligations, the provision of the service or delivery of the product, as well as the assertion of rights or claims. These necessary technical notifications, service notifications, notifications regarding the provision of services and concluded contracts (“service notifications”) cannot be declined, as they are important notifications that must be sent in connection with the concluded contract.
These communications may concern you if you are the cardholder and use the card or the ISIC app, use another service or product, are in the process of negotiating a contract, or have submitted an application for the service in question.
Legal basis for processing: Processing is necessary for the performance of a contract pursuant to Article 6(1)(b) of the GDPR, to which the data subject is a party, or for the implementation of pre-contractual measures taken at the request of that data subject. Processing is necessary for a legitimate interest, to which the cardholder may object.
Recipients: Categories of data processors in accordance with paragraph 2.2 of the Principles.
Retention period: for the duration of the contract/provision of services and beyond only if this is necessary for a legitimate interest or a legal obligation in accordance with these principles.
Legitimate interests: in accordance with the information set out in Article 9 of the Principles.
Categories of personal data concerned: information about the data subject and the contract/service/product used by the data subject, data relating to changes to the contract/terms and conditions/principles, data relating to associated communications, data relating to service notifications, network and other identifiers, data regarding the delivery and opening of network messages, data regarding the use of links in the message, statistical data, data regarding the date and time of individual operations.
Source: The data subject.
Voluntary provision of data: The provision of personal data is generally a contractual requirement or a prerequisite for the chosen activity. Its use for this purpose is a contractual requirement and, furthermore, a legitimate interest.
10.1. How your requests are processed
Your request, enquiry, withdrawal of consent, assertion of a right, request for information or any other request will be processed immediately upon receipt, or within 30 days at the latest in justified cases. This period may be extended by a further two months if necessary, taking into account the complexity and number of requests. The withdrawal of consent to the sending of marketing communications (including by electronic means) will be processed immediately, but no later than within 7 calendar days.
Where necessary, additional information may be requested in order to match the applicant to a specific data subject. In justified cases, verification of the applicant’s identity may be required to protect the rights of data subjects.
10.2. Withdrawal of consent
eduverify always endeavours to comply with any request from a data subject to exercise their rights as quickly as possible, and at the latest within 14 days.
You may ask us at any time to stop sending promotional communications, either by email to hallo@isic.at or via the link provided in each individual promotional communication.
If you have any questions regarding the processing of personal data or data security, wish to exercise a right or wish to lodge a complaint, please contact eduverify in writing or by email at datenschutz@isic.de. If you believe that a procedure is not being carried out correctly, you have the right to lodge a complaint with the data protection authority.
10.3. Right of access, transparent information, procedures for exercising rights
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed; if this is the case, they have the right to access this personal data as well as the following information: purposes of processing, categories of data, recipients, duration of processing, existence of a right to rectification, erasure, restriction of processing, right to object, right to lodge a complaint with the supervisory authority, information on the origin of the data. The data subject has the right to receive a copy of the processed data in electronic form, unless otherwise requested. eduverify takes appropriate measures to provide every data subject with all information (e.g. regarding the controller responsible for the processing of personal data and the procedure for such processing) in a concise, transparent, intelligible and easily accessible manner, using clear and plain language, and to provide all communications regarding the processing, particularly where the information is specifically intended for children. The controller shall provide the information in writing or by other means (e.g. in electronic form). Provided your identity is verified by other means, you also have the right to request that this information be provided orally.
The controller shall not refuse your request to exercise your rights (in particular the right of access) unless they demonstrate that they are unable to verify the identity of the data subject to whom the data in question relates.
You have the right to receive information from the controller, upon request, regarding the measures taken, without undue delay and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity and the number of requests. The controller will inform you of any such extension within one month of receiving the request, stating the reasons for the delay. If you have submitted the request in electronic form, the information will be provided in electronic form where possible, unless you request another form.
If the controller does not take the measures you have requested, they will inform you without delay, and at the latest within one month of receiving the request, of the reasons for not implementing the measures, as well as of the possibility of lodging a complaint with the supervisory authority and seeking judicial redress.
Please note that all such information, communications and measures are provided free of charge. If the requests submitted by the data subject are deemed manifestly unfounded or excessive, in particular if they are submitted repeatedly, the controller may either:
- charge a reasonable fee taking into account the administrative costs associated with providing the requested information or communications or with carrying out the requested actions; or
- reject the requests.
The controller must demonstrate that the request is manifestly unfounded or excessive. If the controller has reasonable doubts as to the identity of the natural person making the request, they may request additional information necessary to confirm the identity of the data subject.
The information to be provided to you may be supplemented by standardised symbols to provide an overview of the intended processing in an easily recognisable, understandable and clear manner. If the symbols are presented in electronic form, they must be machine-readable.
10.4. Right to rectification
You have the right to have eduverify rectify any inaccurate personal data concerning you without undue delay. Taking into account the purposes of the processing, you also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
10.5. Right to erasure (‘right to be forgotten’)
You have the right to have the controller erase personal data concerning you without undue delay, and the controller is obliged to erase the personal data without undue delay where one of the following grounds applies:
- The personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
- if you withdraw the consent on the basis of which the data was processed, and there is no other legal basis for the processing;
- if you object to the processing (in accordance with the “right to object” set out below) and there are no overriding legitimate grounds for the processing;
- if the personal data has been processed unlawfully;
- the personal data must be erased in order to comply with a legal obligation under Union law or the law of a Member State to which the controller is subject;
- the personal data was collected in connection with the provision of information society services in relation to a person under the age of 7, where, in accordance with applicable legislation, the consent of the person exercising parental responsibility is required for the processing.
Where the controller has made personal data public and is obliged to erase it pursuant to the ‘right to erasure’ referred to above, the controller shall, taking into account available technology and the cost of implementation, take reasonable steps, including technical measures, to inform controllers processing such personal data that the data subject requests them to delete all links to, or copies or replicas of, that personal data.
The foregoing shall not apply where the processing is necessary:
- for the exercise of the right to freedom of expression and information;
- for compliance with a legal obligation which requires processing under Union or Member State law to which the controller is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the area of public health;
- for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, in so far as the exercise of the right referred to above is likely to render impossible or seriously impair the achievement of the objectives of the aforementioned processing;
- for the establishment, exercise or defence of legal claims.
10.6. Right to restriction of processing
You have this right in the following cases:
- if you contest the accuracy of the personal data, for the period necessary to allow the controller to verify the accuracy of the personal data;
- where the processing is unlawful and you oppose the erasure of the personal data and request the restriction of its use instead;
- the controller no longer needs the personal data for the purposes of the processing, but you require it for the establishment, exercise or defence of legal claims;
- you have objected to the processing, as long as it has not yet been established whether the controller’s legitimate grounds override your legitimate grounds.
If processing has been restricted in accordance with the above-mentioned ‘right to restriction of processing’, such personal data may, apart from storage, only be processed with your consent or for the establishment, exercise or defence of legal claims, for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the Union or of a Member State.
If you have obtained the restriction of processing, the controller will inform you in advance that the restriction of processing is being lifted.
10.7. Obligation to notify regarding the rectification or erasure of personal data or the restriction of processing
The controller shall inform the individual recipients to whom the personal data have been disclosed of any rectification or erasure of the personal data or any restriction of processing, unless this proves impossible or involves a disproportionate effort. The controller shall inform you of these recipients at your request.
10.8. Right to data portability
You have the right to receive the personal data concerning you, which you have provided to the controller, in a structured, commonly used and machine-readable format, and the right to transmit this data to another controller without hindrance from the controller to whom the personal data was provided, provided that the processing is based on consent or a contract and the processing is carried out by automated means.
When exercising your right to data portability, you have the right to have personal data transmitted directly from one controller to another, provided this is technically feasible. Exercising the above-mentioned ‘right to data portability’ does not affect the above-mentioned ‘right to erasure’. This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
10.9. Right to object
On grounds relating to your particular situation, you have the right to object at any time to the processing of personal data concerning you. The controller shall no longer process the personal data unless it demonstrates compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims.
Where personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for this purpose; this also includes profiling insofar as it is related to direct marketing.
If you object to processing for direct marketing purposes, the personal data will no longer be processed for these purposes.
In connection with the use of information society services, you may exercise your right to object by automated means using technical specifications. Where personal data are processed for scientific or historical research purposes or for statistical purposes, you have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you, unless the processing is necessary for the performance of a task carried out in the public interest.
The above-mentioned ‘right to data portability’ must not adversely affect the rights and freedoms of others.
10.10. Automated individual decision-making, including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
eduverify does not base any of its decisions solely on automated processing.
10.11. Right to lodge a complaint with the supervisory authority
You can submit a complaint to the supervisory authority at any time. The supervisory authority responsible for the processing of personal data is:
Österreichische Datenschutzbehörde
Barichgasse 40-42, 1030 Vienna
Telephone: +43 1 52 152-0
Email: dsb@dsb.gv.at
If you have any questions for us, please do not hesitate to contact us via the contact details provided above.
The processing of personal data is subject to the laws of the Republic of Austria. Any dispute that cannot be settled amicably shall be decided by the competent court in Austria.
eduverify is entitled to amend the guidelines with effect from the date of entry into force of the notice, i.e. from the date specified in the notice or a later date stated in the notice.
Version of the guidelines: 1 June 2026