Types of processed data
Inventory data (e.g., personal master data, names, or addresses).
Contact data (e.g., email, phone numbers).
Content data (e.g., text inputs, photographs, videos).
Usage data (e.g., visited websites, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Categories of data subjects
Visitors and users of the online offering (hereinafter, we also collectively refer to the affected individuals as "users").
Purpose of processing
Provision of the online offering, its functions, and content.
Responding to contact inquiries and communicating with users.
"Personal data" refers to all information relating to an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person is one who can be identified directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics expressing the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
"Processing" encompasses any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and practically includes any handling of data.
"Pseudonymization" involves processing personal data in a way that the data can no longer be attributed to a specific data subject without additional information, provided that this additional information is stored separately and is subject to technical and organizational measures ensuring that the personal data is not assigned to an identified or identifiable natural person.
"Profiling" is any form of automated processing of personal data that involves using this personal data to evaluate certain personal aspects relating to a natural person, particularly to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements of that natural person.
The term "controller" refers to the natural or legal person, authority, agency, or other body that alone or jointly with others determines the purposes and means of processing personal data.
"Processor" is a natural or legal person, authority, agency, or other body that processes personal data on behalf of the controller.
Relevant Legal Bases
The legal basis for obtaining consent is Article 6(1)(a) and Article 7 of the GDPR.
The legal basis for processing to fulfill our services, carry out contractual measures, and respond to inquiries is Article 6(1)(b) of the GDPR.
The legal basis for processing to fulfill our legal obligations is Article 6(1)(c) of the GDPR.
In cases where the vital interests of the data subject or another natural person necessitate the processing of personal data, Article 6(1)(d) of the GDPR serves as the legal basis.
The legal basis for the necessary processing to perform a task carried out in the public interest or in the exercise of official authority vested in the controller is Article 6(1)(e) of the GDPR.
The legal basis for processing to safeguard our legitimate interests is Article 6(1)(f) of the GDPR.
The processing of data for purposes other than those for which they were collected is determined by the provisions of Article 6(4) of the GDPR.
The processing of special categories of data (as per Article 9(1) of the GDPR) is governed by the provisions of Article 9(2) of the GDPR.
In accordance with legal requirements and considering the state of the art, implementation costs, the nature, scope, circumstances, and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement suitable technical and organizational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as the related access, input, disclosure, availability, and separation of data. Furthermore, we have established procedures to guarantee the exercise of data subject rights, deletion of data, and response to data breaches. Additionally, we consider the protection of personal data in the development or selection of hardware, software, and procedures, in accordance with the principles of data protection by design and by default.
Collaboration with Data Processors, Joint Controllers, and Third Parties
If, in the course of our processing, we disclose, transmit, or otherwise grant access to data to other individuals and companies (data processors, joint controllers, or third parties), this is only done on the basis of legal permission (e.g., if data transmission to third parties, such as payment service providers, is necessary for contract fulfillment), with the user's consent, as required by legal obligations, or based on our legitimate interests (e.g., when using agents, web hosts, etc.).
If we disclose, transmit, or otherwise grant access to data to other companies within our corporate group, this is done for administrative purposes as a legitimate interest and, beyond that, on a basis compliant with legal requirements.
Transfers to Third Countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA), or the Swiss Confederation) or this occurs within the utilization of third-party services or disclosure/transmission of data to other individuals or companies, this is done only when necessary to fulfill our (pre)contractual obligations, based on your consent, due to legal obligations, or based on our legitimate interests. Subject to explicit consent or contractually required transmission, we process or allow data processing only in third countries with recognized data protection standards, including those certified under the "Privacy Shield" by U.S. processors or based on special guarantees, such as contractual obligations through EU Commission-approved standard data protection clauses, certifications, or binding corporate rules (Art. 44 to 49 GDPR, EU Commission information page).
Rights of Data Subjects
You have the right to request confirmation as to whether or not data concerning you is being processed and to obtain information about such data, along with additional details and a copy of the data in accordance with legal requirements. In line with legal requirements, you have the right to request the completion of your personal data or the correction of inaccuracies in the data concerning you.
Subject to legal requirements, you have the right to request the immediate deletion of data concerning you or, alternatively, to request a restriction of data processing. You have the right to request, in accordance with legal requirements, that the data concerning you, which you have provided to us, be received and transmitted to other controllers. Furthermore, in accordance with legal requirements, you have the right to lodge a complaint with the relevant supervisory authority.
Right of Withdrawal
You have the right to revoke consent given with effect for the future.
Right to Object
You may object to the future processing of data concerning you at any time in accordance with legal requirements. The objection can be made, in particular, against processing for direct marketing purposes.
Cookies and Right to Object to Direct Marketing
As "cookies," we refer to small files that are stored on users' computers. Cookies can store various information. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit within an online offering. Temporary cookies, also known as "session cookies" or "transient cookies," are cookies that are deleted after a user leaves an online offering and closes their browser. Such a cookie may store the contents of a shopping cart in an online store or a login status. "Permanent" or "persistent" cookies are those that remain stored even after the browser is closed. For example, the login status can be stored if users visit the site after several days. In such a cookie, users' interests can also be stored for reach measurement or marketing purposes. "Third-party cookies" are cookies provided by providers other than the entity operating the online offering (otherwise, if they are only the operator's cookies, they are referred to as "first-party cookies").
If users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in their browser's system settings. Stored cookies can be deleted in the system settings of the browser. Please note that disabling cookies may lead to limitations in the functionality of this online offering.
Deletion of Data
If the data is not deleted because it is required for other and legally permissible purposes, its processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In addition, we process
Contract data (e.g., subject matter of the contract, duration, customer category).
Payment data (e.g., bank details, payment history)
from our customers, prospects, and business partners for the purpose of providing contractual services, service and customer care, marketing, advertising, and market research.
Provision of Statutory and Business Services
We process the data of our members, supporters, interested parties, customers, or other individuals in accordance with Art. 6(1)(b) GDPR, if we offer them contractual services or act within an existing business relationship, for example, towards members, or if we ourselves are recipients of services and donations. Furthermore, we process the data of affected individuals in accordance with Art. 6(1)(f) GDPR based on our legitimate interests, for example, in the case of administrative tasks or public relations.
The data processed in this context, the type, scope, and purpose and the necessity of their processing are determined by the underlying contractual relationship. This generally includes inventory and master data of individuals (e.g., name, address, etc.), as well as contact details (e.g., email address, phone, etc.), contract data (e.g., services used, communicated content and information, names of contact persons), and, if we offer paid services or products, payment data (e.g., bank details, payment history, etc.).
We delete data that is no longer required for the provision of statutory and business purposes. This is determined in accordance with the respective tasks and contractual relationships. In the case of business processing, we retain the data for as long as it is necessary for the transaction, as well as in terms of any warranty or liability obligations that may arise. The necessity of retaining the data is reviewed every three years; otherwise, the legal retention obligations apply.
Hosting and Email Sending
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email sending, security services, and technical maintenance services that we use for the purpose of operating this online offering.
In this context, we, or our hosting provider, process inventory data, contact data, content data, contract data, usage data, and meta- and communication data of customers, prospects, and visitors to this online offering based on our legitimate interests in an efficient and secure provision of this online offering in accordance with Art. 6(1)(f) GDPR in conjunction with Art. 28 GDPR (conclusion of a data processing agreement).
Collection of Access Data and Log Files
We, or our hosting provider, collect data about every access to the server on which this service is located based on our legitimate interests within the meaning of Art. 6(1)(f) GDPR (server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g., to investigate misuse or fraudulent activities) and for tracking and resolving technical issues for a maximum period of six months, after which it is deleted. Data whose further storage is necessary for evidentiary purposes is exempt from deletion until the final clarification of the respective incident.
Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and internet usage. Pseudonymous user profiles can be created from the processed data.
We use Google Analytics only with IP anonymization enabled. This means that the IP address of users is shortened by Google within member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases is the full IP address transmitted to a Google server in the USA and shortened there.
The IP address transmitted by the user's browser is not merged with other Google data. Users can prevent the storage of cookies by setting their browser software accordingly; users can also prevent the collection of data generated by the cookie and related to their use of the online offering to Google, as well as the processing of this data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
If we ask users for consent (e.g., as part of a cookie consent), the legal basis for this processing is Art. 6(1)(a) GDPR. Otherwise, users' personal data is processed based on our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Art. 6(1)(f) GDPR).
As far as data is processed in the USA, we would like to point out that Google is certified under the Privacy Shield agreement and thereby assures compliance with European data protection law (https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active).
Created with Datenschutz-Generator.de by RA Dr. Thomas Schwenke