The purpose of this privacy policy is to inform users of the SOS IB platform (students, teachers/professors, administrators) and other individuals (hereinafter: "individual") about the purposes, legal bases, security measures, and rights of individuals regarding the processing of personal data that is processed during the use of the SOS IB platform (hereinafter: platform). The platform was developed by the VŠR College of Accounting and Finance Ljubljana (hereinafter also: VŠR) as part of the Erasmus+ project "Simulation of Sustainable International Business."

We value your privacy, which is why we always protect your data carefully.

We process personal data in accordance with the applicable Slovenian and European data protection laws and other legislation that provides the legal basis for personal data processing (General Data Protection Regulation, Personal Data Protection Act - ZVOP-2).

Any changes to this document will be published on our website. By using the website, you confirm that you are aware of the entire content of the privacy policy.

Due to the nature of personal data processing during the use of the platform, VŠR mostly acts as a data processor. The role of the data controller is taken by the organization, such as a college, university, or company that decides to use the platform (hereinafter: contractual party). This privacy policy only applies to the processing of personal data during the use of the platform, or when VŠR acts as a data processor. The privacy policy applicable when VŠR acts as a data controller is available at: https://www.vsr.si/varstvo-osebnih-podatkov/. VŠR acts as the data controller when processing personal data of students enrolled at VŠR and the personal data of employees or collaborators who work with VŠR under other contractual agreements.

1) Introduction

VŠR has developed a platform aimed at international collaboration among students, professors, and other experts from various fields (hereinafter: teacher). The platform enables teachers and other experts to create simulations. Once the simulation is prepared, the teachers can include their students or other learners. If desired, other experts may also participate.

2) Personal Data

Personal data refers to any information related to an identified or identifiable individual; an identifiable individual is one who can be directly or indirectly identified, especially by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that individual. The personal data processed depends on the individual's role. In general, we process the data you provide and the data about how you use the platform.

3) Purposes and legal bases for data processing

VŠR collects and processes personal data based on the following legal grounds:

• Processing is necessary for compliance with a legal obligation.
• Processing is necessary for the performance of a contract to which the individual is a party or to take steps at the request of the individual before entering into a contract.
• Processing is necessary for the purposes of legitimate interests
• The individual has given consent for the processing of their personal data for one or more specific purposes.
• Processing is necessary to protect the vital interests of the individual or another person.

3.1) Performance of a contract

For the purpose of performing the contract, VŠR may process personal data to conclude and perform the contract, such as maintaining and providing the software (platform), preparing offers, participating in various projects, etc. Without certain data, VŠR cannot enter into a contract or provide services or deliver goods according to the contract, as it does not have the necessary data to execute the tasks. On this basis, VŠR processes only and exclusively the personal data necessary to conclude and properly perform contractual obligations.

The legal basis for data processing is the contract. The retention period is until the purpose of the contract is fulfilled or up to 6 years after the termination of the contract, unless a dispute arises between the contractual party and VŠR regarding the contract. In such cases, VŠR retains the data for 10 years after the final court decision, arbitration, or settlement, or, if no dispute occurred, 6 years from the day of peaceful resolution of the dispute.

By confirming the general terms or by entering into another agreement, it is understood that VŠR and the contractual party are in a contractual relationship. The contractual party designates a person to manage the profile of the contractual party and invite other employees or individuals with whom they collaborate into the platform. This role is referred to as the institution's administrator.

An institution or administrator can enter (or communicate by other means) only the email addresses of those users for whom they have the appropriate legal basis under Article 6 of the General Data Protection Regulation and other relevant legislation.

a) Institution’s administrator profile

The institution’s administrator receives a link to the platform via the email provided by the institution. The following required data is entered into the administrator's profile: first and last name. An optional short personal description can also be added. These details are visible to other users. The platform will send notifications to the provided email about activities on the platform.

The role of the institution’s administrator is to add or invite teachers from their institution to the platform (by entering their email addresses in the appropriate field). In a similar way, the administrator can also invite or add students to the platform. The administrator can nominate more administrators from the teachers of their institution present in the platform. The administrator can also manage the profile of the contractual party (institution). The profile of the institution contains the following required data: institution name, country, Erasmus OID, study programs, courses offered by the institution, ISCED fields, website, administrator email, and a description. Optionally, a photo or logo can also be added. An inactive administrator profile is automatically deleted after three years of inactivity, provided no other teacher from the same institution has been added to the platform, or if the institution has no other administrator. Before the profile is permanently deleted, the administrator will be notified and given a deadline to prevent automatic deletion.

b) Teacher profile

The teacher receives an invitation to create an account on the platform via the email address entered by the institution’s administrator. If a teacher prefers to sign up with a different email address, they should ask the institution's administrator to invite them via the preferred email (the email will be visible to other users). The platform will send notifications to this email about activities on the platform. The teacher’s profile includes the following required data: first name, last name, email address, and details about the courses (including ISCED fields) they teach. Users can optionally upload their photograph and add a short personal description. All this personal information is publicly visible to other individuals on the platform (administrators, teachers, and students). Teachers can invite students to the platform by entering their email addresses in the appropriate field.

Process of creating a simulation template

Teachers create various simulations for students on the platform. During the process of creating a new simulation, the teacher can either create a completely new simulation or use existing public templates as a guide. During the creation of a simulation, the teacher inputs details such as the name of the template, a short description, the text of the template, template roles, study level, relevant educational fields, relevant courses, tasks, expected generic and specific learning outcomes, attachments, etc. Drafts are private, meaning that only the teachers invited by the creator can see and edit the draft (collaboration agreement on the draft) alongside the creator. Once the draft is completed, the author of the draft or template publishes it (i.e., changes it to a "public template"). After public publication, all teachers and administrators on the platform can view it (deleting or editing by others is not possible).

Simulation templates

Information about public simulation templates (name, type, creators, authors, ISCED fields) is visible to all teachers. The description of the simulation and its author(s) and creator are also visible. The author and creator can be the same person, but not necessarily. Filters allow sorting through all simulations by keywords. The purpose of templates is to be publicly visible to all teachers on the platform. All teachers can copy and modify a copy of the template. By copying a template, a new simulation is created, which, upon publication, is visible to other teachers in its modified or new form. The authors of the template will always be listed under the templates.

The simulation template can be deleted by its creator. If the creator deletes their profile, the template will remain on the platform unless manually deleted by the creator before profile deletion. If the template remains on the platform after the creator's profile is deleted, the creator’s name will be anonymized, but the author’s name will remain. If the author does not wish to be listed on the simulation template, they should notify the creator. If this is not possible, they can contact the platform developer at the email address mentioned above.

Joining a simulation

In the "join simulation" tab, information about all simulations being prepared for teaching use is visible (name, relevant study level, leading institution, lead teacher, participating teachers, relevant ISCED fields, relevant courses, possible actions, etc.). Filtering by keywords is available for all simulations. By clicking on “Show suggested simulations” the simulations are filtered by teacher’s courses’ ISCED fields. A teacher can submit a request to join a simulation, and the lead teacher can invite other teachers to participate in the simulation.

Active simulations

Users can review their active simulations, i.e., simulations in which they are currently involved. Within each simulation instance, tasks or roles within the simulation are defined. Attachments are also included. Students are added to the simulation through being assigned a role in the simulation. Teacher can only add students from their own institution. The personal data of individuals involved in a particular simulation instance is visible to other participants (lead teacher, participating teachers, and students). The following personal data of participants is visible within the simulation instance: first and last names, and email addresses. Assignments (that students must complete) are also defined within each simulation instance. Each assignment includes a detailed description, options to create specific tasks, task assignment, optional comments, etc. Both teachers and students can create tasks within assignments, upload documents to them, and add comments visible to all participants. Teachers can provide feedback on each completed task.

Upon completion of the simulation, the lead teacher assesses the group (the simulation run) as a whole, and then each teacher can (optionally) assess their own students individually (using grades, descriptive feedback, or both).

Archiving simulations, deletion, and anonymization of personal data

Completed simulations, along with the data shared within the simulations (information on participants, tasks, comments, uploaded documents, etc.), are stored in the simulation archive. Simulations are moved to the archive after grades are assigned and are available to all participants involved in the simulation. Archived simulations, along with the data contained in the simulation, are deleted in accordance with the instructions of the controller, or if no such instructions exist, after 6 years.

An inactive teacher profile is automatically deleted after three years of inactivity. Before the profile is permanently deleted, the teacher will be notified and given a deadline to prevent automatic deletion of the profile. After the profile is permanently deleted, reactivation is not possible. The teacher can create a new user account through the regular procedure. Even after profile deletion, certain data may remain on the platform (data in archives and the stated authorship of simulation templates).

Certain data can be anonymized before deletion from the simulation archive. Anonymization is performed based on user activity. The data of individuals who delete their profile (or whose profiles are deleted due to inactivity) will be archived in simulations in such a way that the following data will be anonymized: first and last names, institution, courses, photograph, description, email address, login details, IP address. The content shared by the user (e.g., comments) will not be deleted but will appear as "anonymous user." Anonymization will not be performed within shared documents. In private messages, the individual's name will be anonymized, but the content of the messages will remain.

The contractual party (controller) can inform VŠR of a different retention period for personal data or request the deletion of data.

Search engine

The platform also allows you to search for other teachers according to the entered search requirements. Depending on the search command, teachers' data such as (first and last name, institution, description, subjects, photo and email address) will be displayed. It is also possible to contact within the platform. The administrator can nominate teachers to administrators through search results.

The search for institutions is also enabled in a similar way. Depending on the search command, the institution's data such as country, Erasmus ID, website, study programs, subjects, teachers and administrators, photo or logo will be displayed.

c) Student profile

The student receives an invitation to create an account on the platform via the email address entered into the platform by the teacher or the institution’s administrator. If the student prefers to sign up with a different email address, they should ask the administrator or teacher of the institution to invite them using another email address. The platform will send notifications about platform activities to the provided email address. The student’s profile will include the following required data: first name, last name, and courses. The student can add a personal description, but this will not be visible to other users. For students participating in the same simulation, the following information is visible to other participants (teachers and students): first name, last name, email address, and the name of the teachers with whom they are collaborating. If the student is not part of the simulation, they can only see the description of the simulation, without details about the participants (other students or teachers).

The student’s profile enables participation in ongoing simulations of the teacher or the administrator of the contractual party.

Archiving simulations, deletion, and anonymization

Once the final grade is assigned, the simulation is moved from active status to the archives of all participants involved in the simulation. The simulation archives store grades and completed simulations, along with the data shared within the simulations (information about participants, tasks, comments, uploaded documents, etc.). Archived simulations, along with the data they contain, are deleted in accordance with the instructions of the controller (organization), or, if no such instructions exist, after 6 years. Certain data may be anonymized before being deleted from the simulation archive. Anonymization is performed based on user activity. The data of individuals who delete their profiles (or whose profiles are deleted due to prolonged inactivity as described) will be archived in simulations in such a way that the following data will be anonymized: first and last name, institution, courses, photograph, description, email address, login details, and IP address. Content shared by the user (e.g., comments) will not be deleted but will be visible as "anonymous user." Anonymization will not be applied within shared documents (e.g., if the student writes their name in a document shared within a simulation).

Archived simulations, along with the data they contain, will be deleted in accordance with the controller's instructions, or, if no instructions are provided, after 6 years.

The contractual party (controller) can notify VŠR of a different data retention period or request data deletion.

3.2) Legitimate Interest

VŠR may process personal data based on legitimate interests it pursues. Legitimate interests include, for example, platform upgrades and improvements. VŠR can thus collect and process user data, which is necessary to analyse the operation of the platform for the purpose of preparing internal analyses/reports and implementing upgrades or platform improvements. However, this is not permissible if such interests are outweighed by the interests or fundamental rights and freedoms of the individual to whom the personal data pertains, which require the protection of personal data. In cases where legitimate interest is used, VŠR conducts an assessment in accordance with Slovenian and European legislation.

3.3) Processing Based on Consent

If VŠR does not have a legal basis derived from law, contractual obligations, legitimate interests, or the protection of the individual’s life, it may request the individual’s consent for data processing. If an individual consents to the processing of their personal data but later wishes to withdraw it, they can request the termination of data processing by submitting a request via email or regular mail to VŠR. The withdrawal of consent does not affect the lawfulness of data processing conducted based on consent before its withdrawal. After receiving a withdrawal or a deletion request, the data will be deleted within 15 days at the latest.

Exceptionally, VŠR may refuse a deletion request for reasons outlined in the General Data Protection Regulation (GDPR).

3.4) Protection of vital interests

VŠR may process personal data when necessary to protect the vital interests of the individual to whom the data pertains. In emergencies, VŠR may check whether the person exists in its database or contact individuals without needing the individual's consent. This applies if it is necessary to protect the vital interests of the individual.

3.5) Legal Basis

If VŠR processes data based on law, it will retain the data for the period prescribed by law. Some data will be stored during collaboration with VŠR, while certain data must be kept permanently.

4) Contractual Processing of Personal Data and Data Transfer

After obtaining prior special or general written permission from the contractual party, VŠR may employ a contractual processor (sub-processor/another processor) for specific processing activities on behalf of the controller. These processors are subject to the same data protection obligations as outlined in the contract or general terms.

The contractual processors VŠR collaborates with primarily include:

• Maintenance service providers for information systems;
• Software and cloud service providers (e.g., Microsoft, Google);
• Contracted service

VŠR maintains a list of all specific contractual processors with whom it cooperates to ensure better oversight and regulation of the contractual relationship.

VŠR and its employees do not transfer personal data to third countries (outside the member states of the European Economic Area – EU member states, plus Iceland, Norway, and Liechtenstein) or international organizations, except to the USA. In such cases, relationships with U.S. processors are governed by standard contractual clauses (model contracts adopted by the European Commission) and/or binding corporate rules (adopted by VŠR and approved by EU supervisory authorities).

5) Cookies

The SOS IB platform's website operates with the help of cookies, which are essential for providing web services and are used to store information about the status of individual web pages, assist in gathering statistics about users, and measure site traffic. When accessing the website, only those cookies necessary for the site's operation (e.g., for the shopping cart) are loaded onto the user's device. Other cookies will only be loaded with the individual's consent. Users can change their cookie settings or delete cookies at any time (instructions are available on individual browser websites).

The website uses the following cookies:

6) Data Protection and Data Accuracy

VŠR ensures information security and the security of its infrastructure (premises and application/system software). Our information systems are protected, among other things, by antivirus programs and firewalls. We have implemented appropriate organizational and technical security measures to protect personal data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, as well as from other unlawful or unauthorized forms of processing. In cases where special types of personal data are transmitted, they are encrypted and password-protected. The individual is responsible for providing their personal data securely and ensuring that the transmitted data is accurate and authentic.

7) Individual’s Rights Regarding Data Processing

An individual whose personal data is processed has the right to request from the controller access to personal data, rectification, or erasure of personal data, or restriction of processing, as well as the right to object to processing and the right to data portability. The individual’s request is handled in accordance with the provisions of the GDPR and applicable data protection laws. The request is decided by the contractual party, and VŠR assists them with the necessary technical and organizational measures as much as possible in fulfilling their obligations.

All of the aforementioned rights and any questions can be addressed by submitting a request to the contractual party, which, as the controller, will decide on the request and give VŠR the appropriate instructions. Individuals may also contact VŠR directly regarding simpler matters. If VŠR is unable to resolve the issue, the request will be forwarded to the contractual party.

An individual has the right to file a complaint regarding the processing of personal data by VŠR with the supervisory authority: the Information Commissioner of the Republic of Slovenia, at the address: Dunajska 22, 1000 Ljubljana (email: gp.ip@ip-rs.si, website: www.ip-rs.si).

This privacy policy is effective from 22. 10. 2024.

Darinka Kamenšek, MSc,
Dean