Privacy Policy
scroll down →
Privacy Policy
Responsible Owner:
Bibiana Jimenéz
Privacy Policy
This Privacy Policy provides information on the nature, scope, and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions, and content, as well as external online presences, such as our social media profiles (hereinafter collectively referred to as the “online offering”).
With regard to the terminology used, such as “processing” or “controller,” reference is made to the definitions set forth in Article 4 of the General Data Protection Regulation (GDPR).
Categories of Processed Data:
Inventory data (e.g., names, addresses).
Contact data (e.g., email addresses, telephone numbers).
Content data (e.g., text entries, photographs, videos).
Usage data (e.g., websites visited, interest in content, access times).
Meta/communication data (e.g., device information, IP addresses).
Categories of Data Subjects
Visitors and users of the online offering (hereinafter collectively referred to as “users”).
Purposes of Processing
Provision of the online offering, its functions, and content.
Responding to contact inquiries and communicating with users.
Implementation of security measures.
Reach measurement / marketing.
Definitions
“Personal data” shall mean any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., a cookie), or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” shall mean any operation or set of operations which is performed on personal data, whether or not by automated means. The term is to be interpreted broadly and encompasses practically any handling of data.
“Pseudonymisation” shall mean the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” shall mean any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements.
“Controller” shall mean the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” shall mean a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Applicable Legal Bases
In accordance with Article 13 of the General Data Protection Regulation (GDPR), we hereby inform you of the legal bases for our data processing activities. Unless the legal basis is specifically stated within this Privacy Policy, the following shall apply:
The legal basis for obtaining consent is Article 6 (1) (a) and Article 7 GDPR. The legal basis for processing data for the performance of our services, the execution of contractual measures, and the response to inquiries is Article 6 (1) (b) GDPR. The legal basis for processing data in order to comply with legal obligations is Article 6 (1) (c) GDPR. The legal basis for processing data for the purposes of our legitimate interests is Article 6 (1) (f) GDPR.
In cases where the vital interests of the data subject or another natural person require the processing of personal data, Article 6 (1) (d) GDPR shall serve as the legal basis.
Security Measures
In accordance with Article 32 of the General Data Protection Regulation (GDPR), and taking into account the state of the art, the costs of implementation, as well as the nature, scope, context, and purposes of processing, and the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Such measures shall include, in particular, safeguarding the confidentiality, integrity, and availability of data by controlling physical access to the data, as well as access relating to the data, input, disclosure, availability safeguards, and their segregation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to data security incidents. In addition, we take the protection of personal data into account during the development and selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default (Article 25 GDPR).
Cooperation with Processors and Third Parties
Where, in the course of our processing activities, we disclose data to other persons or companies (processors or third parties), transmit such data to them, or otherwise grant them access to the data, this shall only take place on the basis of a legal authorization (e.g., where the transfer of data to third parties, such as payment service providers, is necessary for the performance of a contract pursuant to Article 6 (1) (b) GDPR), where you have given your consent, where a legal obligation so provides, or on the basis of our legitimate interests (e.g., when using agents, web hosting providers, etc.).
Where we engage third parties to process data on the basis of a so-called “data processing agreement” (Auftragsverarbeitungsvertrag), this shall be done in accordance with Article 28 GDPR.
Transfers to Third Countries
Where we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or where such processing occurs in the context of the use of third-party services or the disclosure or transfer of data to third parties, this shall only take place where it is necessary for the performance of our (pre-)contractual obligations, on the basis of your consent, pursuant to a legal obligation, or on the basis of our legitimate interests.
Subject to statutory or contractual authorizations, we process or arrange for the processing of data in a third country only where the specific requirements set out in Articles 44 et seq. GDPR are fulfilled. This means, for example, that processing shall take place on the basis of appropriate safeguards, such as an officially recognized determination of an adequate level of data protection equivalent to that of the EU (e.g., for the United States under the “Privacy Shield”) or compliance with officially recognized specific contractual obligations (so-called “Standard Contractual Clauses”).
Rights of Data Subjects
You have the right to request confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, to request access to such data, as well as further information and a copy of the data in accordance with Article 15 GDPR.
You have the right, in accordance with Article 16 GDPR, to request the completion of personal data concerning you or the rectification of inaccurate personal data concerning you.
In accordance with Article 17 GDPR, you have the right to request the erasure of personal data concerning you without undue delay, or, alternatively, in accordance with Article 18 GDPR, to request the restriction of the processing of such data.
You have the right to receive the personal data concerning you that you have provided to us, in accordance with Article 20 GDPR, and to request the transmission of such data to other controllers.
Furthermore, pursuant to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right of Withdrawal
You have the right to withdraw any consent given in accordance with Article 7 (3) GDPR with effect for the future.
Right to Object
You have the right to object, at any time, to the future processing of personal data concerning you in accordance with Article 21 GDPR. In particular, such objection may be made against processing for the purposes of direct marketing.
Cookies and Right to Object to Direct Marketing
“Cookies” are small files that are stored on users’ devices. Various types of information may be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit within an online offering. Temporary cookies, also referred to as “session cookies” or “transient cookies,” are cookies that are deleted after a user leaves an online offering and closes their browser. Such a cookie may, for example, store the contents of a shopping cart in an online shop or a login status. “Permanent” or “persistent” cookies are those that remain stored even after the browser is closed. For example, the login status may be stored when users return after several days. Likewise, such cookies may store users’ interests, which are used for reach measurement or marketing purposes. “Third-party cookies” are cookies offered by providers other than the controller who operates the online offering (otherwise, where only the controller’s cookies are used, these are referred to as “first-party cookies”).
We may use both temporary and permanent cookies and provide information about this within the scope of this Privacy Policy.
If users do not wish cookies to be stored on their devices, they are requested to deactivate the corresponding option in their browser’s system settings. Stored cookies can be deleted in the browser’s system settings. The exclusion of cookies may result in functional limitations of this online offering.
A general objection to the use of cookies employed for online marketing purposes may be declared for a large number of services, especially in the case of tracking, via the U.S. website http://www.aboutads.info/choices/
or the EU website http://www.youronlinechoices.com/
. In addition, the storage of cookies may be prevented by disabling them in the browser settings. Please note that in such a case, not all functions of this online offering may be fully usable.
Erasure of Data
The data processed by us shall be erased or their processing restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise within this Privacy Policy, the data stored by us shall be deleted as soon as they are no longer necessary for their intended purpose and no statutory retention obligations prevent their erasure. Where the data are not erased because they are required for other legally permissible purposes, their processing shall be restricted. This means that the data shall be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
In accordance with statutory requirements in Germany, data shall in particular be retained for a period of 10 years pursuant to Sections 147 (1) of the German Fiscal Code (Abgabenordnung – AO) and 257 (1) Nos. 1 and 4, (4) of the German Commercial Code (Handelsgesetzbuch – HGB) (books, records, management reports, accounting documents, commercial books, documents relevant for taxation, etc.), and for 6 years pursuant to Section 257 (1) Nos. 2 and 3, (4) HGB (commercial correspondence).
In accordance with statutory requirements in Austria, data shall in particular be retained for a period of 7 years pursuant to Section 132 (1) of the Austrian Federal Fiscal Code (Bundesabgabenordnung – BAO) (accounting records, vouchers/invoices, accounts, documents, business papers, records of income and expenses, etc.), for 22 years in connection with real estate, and for 10 years in relation to documents concerning electronically supplied services, telecommunications, broadcasting, and television services provided to non-taxable persons in EU Member States for which the Mini One-Stop Shop (MOSS) is used.
Provision of Our Statutory and Business Services
We process the data of our members, supporters, interested parties, customers, or other persons in accordance with Article 6 (1) (b) GDPR, insofar as we provide contractual services to them or act within the framework of existing business relationships, e.g., vis-à-vis members, or where we ourselves are recipients of services or contributions. In all other respects, we process the data of data subjects pursuant to Article 6 (1) (f) GDPR on the basis of our legitimate interests, e.g., where this concerns administrative tasks or public relations activities.
The data processed in this context, as well as the nature, scope, purpose, and necessity of their processing, are determined by the underlying contractual relationship. This generally includes personal master and inventory data (e.g., name, address, etc.), contact data (e.g., email address, telephone number, etc.), contractual data (e.g., services used, communicated content and information, names of contact persons), and, where we offer paid services or products, payment data (e.g., bank details, payment history, etc.).
We delete data that are no longer required for the fulfillment of our statutory and business purposes. This is determined in accordance with the respective tasks and contractual relationships. In the case of business processing, we retain the data for as long as they may be relevant for the execution of business transactions, as well as with regard to any warranty or liability obligations. The necessity of retaining the data is reviewed every three years; otherwise, statutory retention obligations shall apply.
Contacting Us
When contacting us (e.g., via contact form, email, telephone, or through social media), the user’s information shall be processed for the purpose of handling the contact request and its execution in accordance with Article 6 (1) (b) GDPR. The user’s information may be stored in a Customer Relationship Management system (“CRM system”) or a comparable system for organizing inquiries.
We delete inquiries once they are no longer required. The necessity of retention is reviewed every two years; statutory archiving obligations shall otherwise apply.
Hosting and Email Delivery
The hosting services we utilize serve the purpose of providing the following services: infrastructure and platform services, computing capacity, storage space and database services, email delivery, security services, as well as technical maintenance services, which we use for the operation of this online offering.
In this context, we, or our hosting provider, process inventory data, contact data, content data, contractual data, usage data, as well as meta and communication data of customers, interested parties, and visitors to this online offering on the basis of our legitimate interests in the efficient and secure provision of this online offering pursuant to Article 6 (1) (f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
Collection of Access Data and Log Files
We, or our hosting provider, collect data on every access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Article 6 (1) (f) GDPR. The access data include the name of the retrieved webpage, file, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g., to investigate misuse or fraudulent activities) for a maximum period of 7 days and is thereafter deleted. Data whose further retention is required for evidentiary purposes are excluded from deletion until the respective incident has been conclusively clarified.
Google Analytics
We use Google Analytics, a web analytics service provided by Google LLC, on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6 (1) (f) GDPR). Google uses cookies. The information generated by the cookie regarding the use of the online offering by users is generally transmitted to a server of Google in the United States and stored there.
Google is certified under the Privacy Shield framework and thereby provides a guarantee to comply with European data protection law.
Google will use this information on our behalf to evaluate the use of our online offering by users, to compile reports on activities within this online offering, and to provide us with further services related to the use of this online offering and internet usage. In this context, pseudonymous user profiles may be created from the processed data.
We use Google Analytics only with activated IP anonymization. This means that the IP address of users is truncated by Google within Member States of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be transmitted to a Google server in the United States and shortened there.
The IP address transmitted by the user’s browser will not be merged with other data held by Google. Users may prevent the storage of cookies by adjusting the settings of their browser software accordingly; users may also prevent the collection of data generated by the cookie and relating to their use of the online offering, as well as the processing of such data by Google, by downloading and installing the browser plugin available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en
.
Further information on data use by Google, as well as settings and options for objection, can be found in Google’s privacy policy and in the settings for the display of advertisements by Google.
The personal data of users will be deleted or anonymised after 14 months.
Online Presences on Social Media
We maintain online presences within social networks and platforms in order to communicate with customers, interested parties, and users active there, and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of their respective operators shall apply.
Unless otherwise stated within this Privacy Policy, we process users’ data where they communicate with us within social networks and platforms, for example by posting content on our online presences or by sending us messages.
Integration of Third-Party Services and Content
Within our online offering, we use content or service offerings from third-party providers on the basis of our legitimate interests (i.e., interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6 (1) (f) GDPR) in order to integrate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the third-party providers of such content process the users’ IP address, as they would not be able to transmit the content to the user’s browser without it. The IP address is therefore necessary for the display of such content. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content. Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through such “pixel tags,” information such as visitor traffic on the pages of this website can be evaluated. The pseudonymous information may also be stored in cookies on the user’s device and may include, among other things, technical information about the browser and operating system, referring websites, time of visit, as well as further information regarding the use of our online offering, and may also be combined with such information from other sources.
Google Fonts
We integrate the fonts (“Google Fonts”) provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/
, Opt-out: https://adssettings.google.com/authenticated
.
Google reCAPTCHA
We integrate the function for detecting bots, e.g., when entering data in online forms (“reCAPTCHA”), provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy Policy: https://www.google.com/policies/privacy/
, Opt-out: https://adssettings.google.com/authenticated
.
Google Maps
We integrate maps from the service “Google Maps,” provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. The processed data may, in particular, include users’ IP addresses and location data, which, however, are not collected without the users’ consent (generally carried out within the settings of their mobile devices). The data may be processed in the United States. Privacy Policy: https://www.google.com/policies/privacy/
, Opt-out: https://adssettings.google.com/authenticated
.
45144 Cologne, German
Cologne- Germany
+49 151 12417910