The person responsible within the meaning of the General Data Protection Regulation, other national data protection laws of the member states and other data protection provisions is:
Dr. Claudia Neusss
Contact details of the contact person under data protection law: see above. The contact person can be reached via the e-mail address firstname.lastname@example.org.
General information on data processing
1. Scope of processing of personal data
In principle, we only collect and use personal data from our users to the extent that this is necessary to provide a functional website and our content and services. The collection and use of personal data of our users takes place regularly only with the consent of the user. An exception applies in such cases in which it is not possible to obtain prior consent for actual reasons and the processing of the data is permitted by statutory provisions. The types of data processed are:
- Inventory data (e.g., names, addresses).
- Contact information (e.g., email, phone numbers).
- Content Data (e.g., text input, photographs).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g. device information, IP addresses).
The website is only aimed at persons over the age of 16 and should only be used by them. We will not intentionally or knowingly process or store any personal information from anyone under the age of 16. As soon as we become aware that we have stored personal data from persons who have not yet reached the age of 16, we will delete them immediately. We would like to ask you to contact us if you become aware that we have stored or process the personal data of persons who have not yet reached the age of 16.
2. Legal basis for processing personal data
Insofar as we obtain the consent of the person concerned for the processing of personal data, Art. 6 para. 1 lit. a EU General Data Protection Regulation (GDPR) serves as the legal basis. When processing personal data that is required to fulfill a contract to which the data subject is a party, Art. 6 para. 1 lit. b GDPR serves as the legal basis. This also applies to processing operations that are necessary to carry out pre-contractual measures. Insofar as processing of personal data is necessary to fulfill a legal obligation to which our company is subject, Art. 6 para. 1 lit. c GDPR serves as the legal basis. If the processing is necessary to safeguard a legitimate interest of our company or a third party and if the interests, fundamental rights and fundamental freedoms of the person concerned do not outweigh the former interest, Art. 6 para. 1 lit. f GDPR serves as the legal basis for processing.
3. Data Erasure and Retention Period
The personal data of the person concerned will be deleted or blocked as soon as the purpose of storage no longer applies. We will use and retain your personal information for a maximum period of two (2) years from your last interaction with the Company. Storage can also take place if this has been provided for by the European or national legislator in EU regulations, laws or other regulations to which the person responsible is subject. The data will also be blocked or deleted if a storage period prescribed by the standards mentioned expires, unless there is a need for further storage of the data for the conclusion or fulfillment of a contract.
4. Provision of contractual services and contact form
We process inventory data (e.g. names and addresses as well as contact details of users) and contract data (e.g. names of contact persons, interest in events) for the purpose of fulfilling our contractual obligations and services in accordance with Art. 6 para. 1 lit. b GDPR.
When using our online services, we store the IP address and the time of the respective user action. The storage takes place on the basis of our legitimate interests, as well as the user’s protection against misuse and other unauthorized use. In principle, this data will not be passed on to third parties, unless it is necessary to pursue our claims or there is a legal obligation to do so in accordance with Art. 6 para. 1 lit. c GDPR.
We process usage data and content data to enable users to answer inquiries about our offers. This data will not be disclosed to third parties. The data will be deleted after the statutory warranty and comparable obligations have expired. In the case of legal archiving obligations, the deletion takes place after their expiry. Information in any customer account remains until it is deleted.
5. Description and scope of data processing
When our website is accessed, our system automatically collects data and information from the computer system of the accessing computer.
The following data is collected for a limited period of time:
- Information about the browser type and version used
- The user’s operating system
- The user’s internet service provider
- The IP address of the user
- Date and time of access
- Websites from which the user’s system accesses our website
The data is stored in the log files of our system. This data is only required to analyze any disruptions and will be deleted within seven days at the latest. The legal basis for the temporary storage of data and log files is Art. 6 para. 1 lit. f GDPR. The temporary storage of the IP address by the system is necessary to enable delivery of the website to the user’s computer. For this purpose, the IP address of the user must remain stored for the duration of the session. Storage in log files takes place to ensure the functionality of the website. In addition, we use the data to optimize the website and to ensure the security of our information technology systems. An evaluation of the data for marketing purposes does not take place in this context and no conclusions are drawn about your person. These purposes also constitute our legitimate interest in data processing according to Art. 6 para. 1 lit. f GDPR. The collection of the data for the provision of the website and the storage of the data in log files is absolutely necessary for the operation of the website. Consequently, there is no possibility of objection on the part of the user.
6. Newsletter Service
If you register for our newsletter service, we collect and process your personal data, in particular your e-mail address, for sending information about news. The registration for our newsletter service takes place via the so-called double opt-in procedure. The double opt-in procedure requires two registration steps: In the first step, the interested party has to register for the newsletter service on our website (first opt-in). In the second step, the interested party has to confirm their registration for the newsletter service (second opt-in). For the purpose of confirmation, a confirmation message with a confirmation link will be sent to the e-mail address entered during registration. Only after activating the confirmation link will the interested party be included in the mailing list for the newsletter service. If you no longer wish to receive our newsletter service, you can use the unsubscribe link in the emails sent to you. We would like to inform you as follows about our “newsletter2go” service, which is used as a service provider for sending the newsletter:
If you subscribe to our newsletter, you agree to the receipt and the procedures described below.
The newsletter is sent by the German shipping service provider newsletter2go. You can read the data protection regulations of the shipping service provider here.
The shipping service provider is used on the basis of our legitimate interests according to Art. 6 para. 1 lit. f GDPR and an order processing contract according to Art. 28 para. 3 sentence 1 GDPR.
The shipping service provider can use the data of the recipients in pseudonymous form, i.e. without assignment to a user, to optimize or improve their own services, e.g. for technical optimization of the dispatch and the presentation of the newsletter or for statistical purposes. However, the shipping service provider does not use the data of our newsletter recipients to write to them themselves or to pass the data on to third parties.
7. Linking to Youtube
We reserve the right to link to videos on www.youtube.com. We would like to point out that user data can be processed outside of the European Union. This can result in risks for the user, because it could make it more difficult to enforce the user’s rights, for example. With regard to US providers who are certified under the Privacy Shield, we would like to point out that they undertake to comply with the data protection standards of the EU.
The processing of the personal data of the users takes place on the basis of our legitimate interests in effective information of the users and communication with the users according to Art. 6 para. 1 lit. f GDPR. For a detailed description of the respective processing and the possibility of objection (opt-out), we refer to the following linked information from the provider. Also in the case of requests for information and the assertion of user rights, we would like to point out that these can be asserted most effectively with the providers. Only the providers have access to the data of the users and can take appropriate measures and provide information directly.
8. Rights of the data subject
If your personal data is processed, you are the data subject within the meaning of the GDPR and you have the following rights vis-à-vis the person responsible:
1. Right to information
You can request confirmation from the person responsible as to whether personal data relating to you is being processed by us.
If such processing takes place, you can request the following information from the person responsible:
- the purposes for which the personal data are processed;
- the categories of personal data being processed;
- the recipients or categories of recipients to whom your personal data has been or will be disclosed;
- the planned duration of the storage of the personal data concerning you or, if specific information on this is not possible, criteria for determining the storage duration;
- the existence of a right to rectification or erasure of personal data concerning you, a right to restriction of processing by the person responsible or a right to object to this processing;
- the existence of a right of appeal to a supervisory authority;
- all available information about the origin of the data if the personal data are not collected from the data subject;
You have the right to request information as to whether your personal data is being transmitted to a third country or to an international organization. In this context, you can request to be informed about the appropriate guarantees in accordance with Art. 46 GDPR in connection with the transfer.
2. Right to Rectification
You have a right to correction and/or completion vis-à-vis the person responsible if the processed personal data concerning you is incorrect or incomplete. The person responsible must make the correction immediately.
3. Right to restriction of processing
Under the following conditions, you can request the restriction of the processing of your personal data:
- if you contest the accuracy of the personal data concerning you for a period that enables the person responsible to check the accuracy of the personal data;
- the processing is unlawful and you refuse the deletion of the personal data and instead request that the use of the personal data be restricted;
- the person responsible no longer needs the personal data for the purposes of processing, but you need them to assert, exercise or defend legal claims, or
- if you object to the processing pursuant to Art. 21 para. 1 GDPR and it is not yet certain whether the legitimate reasons of the person responsible outweigh your reasons.
If the processing of the personal data concerning you has been restricted, this data – apart from its storage – may only be processed with your consent or to assert, exercise or defend legal claims or to protect the rights of another natural or legal person or for reasons of important public interest of the Union or a Member State.
If the processing has been restricted according to the above conditions, you will be informed by the person responsible before the restriction is lifted.
4. Right to erasure
a) Obligation to delete
You can request the person responsible to delete the personal data concerning you immediately, and the person responsible is obliged to delete this data immediately if one of the following reasons applies:
- The personal data concerning you are no longer necessary for the purposes for which they were collected or otherwise processed.
- You revoke your consent, on which the processing pursuant to Art. 6 para. 1 lit. a or Art. 9 para. 2 lit. a GDPR was based, and there is no other legal basis for processing.
- You object to the processing pursuant to Art. 21 para. 1 GDPR and there are no overriding legitimate reasons for the processing, or you object to the processing pursuant to Art. 21 para. 2 GDPR.
- The personal data concerning you have been processed unlawfully.
- The deletion of the personal data concerning you is necessary to fulfill a legal obligation under Union law or the law of the Member States to which the person responsible is subject.
- The personal data concerning you was collected in relation to information society services offered pursuant to Art. 8 para. 1 GDPR.
b) Information to third parties
If the person responsible has made the personal data concerning you public and is obliged to delete it pursuant to Art. 17 para. 1 GDPR, he/she shall take appropriate measures, also of a technical nature, taking into account the available technology and the implementation costs, to inform those responsible for data processing who process the personal data that you, as the person concerned, want them to delete all links to such personal data or copies or replications of such personal data.
The right to erasure does not exist if processing is necessary
- to exercise the right to freedom of expression and information;
- to fulfill a legal obligation that requires processing under Union or Member State law to which the controller is subject, or to perform a task that is in the public interest or in the exercise of official authority vested in the controller;
- for reasons of public interest in the field of public health pursuant to Art. 9 para. 2 lit. h and i as well as Art. 9 para. 3 GDPR;
- to assert, exercise or defend legal claims.
5. Right to Information
If you have asserted the right to correction, deletion or restriction of processing against the person responsible, he is obliged to inform all recipients to whom the personal data concerning you have been disclosed of this correction or deletion of the data or restriction of processing, unless this proves to be impossible or involves a disproportionate effort.
You have the right vis-à-vis the person responsible to be informed about these recipients.
6. Right to data portability
You have the right to receive the personal data concerning you that you have provided to the person responsible in a structured, common and machine-readable format. In addition, you have the right to transmit this data to another person responsible without hindrance by the person responsible to whom the personal data was provided, provided that
- the processing is based on consent according to Art. 6 para. 1 lit. a GDPR or Art. 9 para. 2 lit. a GDPR or on a contract according to Art. 6 para. 1 lit. b GDPR and
- the processing is carried out using automated procedures.
In exercising this right, you also have the right to have the personal data concerning you transmitted directly from one person responsible to another person responsible, insofar as this is technically feasible. The freedoms and rights of other people must not be impaired by this.
The right to data portability does not apply to the processing of personal data that is required to perform a task that is in the public interest or in the exercise of official authority that has been assigned to the controller.
7. Right to Object
You have the right, for reasons arising from your particular situation, to object at any time to the processing of your personal data which is based on Art. 6 para. 1 lit. e or f GDPR; this also applies to profiling based on these provisions.
The person responsible no longer processes the personal data relating to you unless he can demonstrate compelling legitimate grounds for the processing which outweigh your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims.
If the personal data concerning you is processed in order to operate direct advertising, you have the right to object at any time to the processing of your personal data for the purpose of such advertising; this also applies to profiling insofar as it is associated with such direct advertising.
If you object to the processing for direct marketing purposes, the personal data relating to you will no longer be processed for these purposes.
In connection with the use of information society services, you have the option – notwithstanding Directive 2002/58/EC – to exercise your right to object by means of automated procedures that use technical specifications. You can send an e-mail to our data protection officer.
8. Right to revoke the declaration of consent under data protection law
You have the right to revoke your declaration of consent under data protection law at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent up to the point of revocation.
9. Automated individual decision-making including profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This does not apply if the decision
- is necessary for the conclusion or performance of a contract between you and the person responsible,
- is permitted on the basis of Union or Member State legislation to which the person responsible is subject and this legislation contains appropriate measures to protect your rights and freedoms as well as your legitimate interests, or
- takes place with your express consent.
However, these decisions must not be based on special categories of personal data pursuant to Art. 9 para. 1 GDPR, unless Art. 9 para. 2 lit. a or g GDPR applies and appropriate measures have been taken to protect your rights and freedoms and your legitimate interests.
With regard to the cases referred to in (1) and (3), the person responsible shall take appropriate measures to safeguard your rights and freedoms and your legitimate interests, including at least the right to obtain human intervention on the part of the person responsible, to express your own point of view and to challenge the decision.
10. Right to lodge a complaint with a supervisory authority
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the member state of your place of residence, your place of work or the place of the alleged infringement, if you believe that the processing of your personal data violates the GDPR.
The supervisory authority with which the complaint was lodged will inform the complainant about the status and the results of the complaint, including the possibility of a judicial remedy in accordance with Art. 78 GDPR.
1.1 The data available in the company is of great value for the company and the smooth processes in the company. This data must therefore be protected against unauthorized access and other threats.
1.2 At the same time, the company’s customers, partners and employees expect that the data entrusted to the company will be given special protection and that they will be handled with care.
1.3 The company also acknowledges its responsibility for the careful handling of personal data as part of its social commitment.
2. Objective of Company Policy
2.1 This company guideline is intended to create uniform standards for data protection in the company and communicate them externally.
2.2 By complying with the standards defined in this company policy, the company meets its data protection obligations and ensures that the interests and rights of the data subjects are adequately taken into account.
2.3 Compliance with this company policy is a prerequisite for the secure exchange of personal data within the company.
3. Scope of Company Policy
3.1 This company policy applies to any processing of personal data, including the initial collection of data, its storage and use, as well as its disclosure within the company and transmission to third parties.
3.2 If lower requirements result from the legal provisions, the provisions of these company guidelines apply.
II. Principles of data processing
4. Permissibility of data processing
4.1 For each data processing operation, it must be checked whether the intended processing of data is permissible. If there are doubts about the admissibility, the data protection officer should be contacted.
4.2 The admissibility of data processing can result from various aspects. First of all, admissibility can result from the fact that the person concerned has consented to the data processing. Data processing can also be permissible without the consent of the person concerned if a legal basis for authorization is relevant. If there is no consent and no legal basis for authorization, data processing is inadmissible.
5. Statutory authorization bases
5.1 The processing of personal data may be necessary for the establishment or performance of a contract with the data subject.
5.2 A necessity and authorization for data processing can also arise due to a legal obligation of the company. In this respect, a request for information from investigative authorities can be considered as a basis for authorization.
5.3 The processing of personal data is also permissible if it is required to assert, exercise or defend legal claims in court. The same applies to safeguarding vital interests.
5.4 Finally, data processing is conceivable in cases where processing is necessary for the fulfillment of a contract or where the company has legitimate interests and at the same time there is no reason to assume that the data subject’s legitimate interest in the exclusion of data processing prevails. The result of such a balancing of interests should be recorded in writing.
6. Consent and Logging
6.1 Consent from the data subject is sufficient as a basis for data processing if the data subject has been adequately informed beforehand and has subsequently given their consent to the intended data processing clearly and on a voluntary basis.
6.2 Sufficient information can be assumed if the main data processing procedures are explained in an understandable way and, in particular, the purpose for which the data is processed is explained. The person concerned should be informed that their consent can be revoked freely. In addition, it must be ensured that declarations of consent are visually highlighted and differentiated from other declarations. Coupling the consent with other declarations should be avoided.
7. Purpose Limitation
7.1 Personal data may only be processed for the purpose for which it was originally collected. If consent is obtained from the data subject, the specific purpose must be indicated. There must always be a legitimate purpose for data processing.
7.2 If data processing is to take place later for a different purpose, consent must also be obtained for this or there must be a legal basis for authorization if the new purpose of data processing is not already compatible with the original purpose.
8.1 When processing personal data, the principle of proportionality must be observed. The principle of proportionality is observed when data processing is suitable for achieving a legitimate purpose. Furthermore, no milder, equally suitable means of achieving the intended purpose may be available. Finally, it must be checked whether the data processing does not conflict with overriding legitimate interests of the data subject.
8.2 The processing of aggregated data or other data without personal reference, for example, can be considered as a milder means.
9. Data Minimization
9.1 Data processing in the company must be organized in such a way that as little personal data as possible is processed. If personal data is no longer required, it should be deleted.
9.2 When collecting data, it must be ensured that only the data that is absolutely necessary is requested by default and that all other data is collected on a voluntary basis. Default settings and specifications for data subjects should be as privacy-friendly as possible.
9.3 For the data stored in the company, it must be determined for which period of time storage or retention is to take place. Statutory retention requirements must be observed here. After the retention period or storage period has expired, the data must be deleted, ideally using an automated process.
10. Direct collection and information of the data subject
10.1 For reasons of transparency, personal data should be collected directly from the data subject if possible. Collection from third parties should be considered if there are legitimate reasons for this, for example if the procedure is in the interest of the person concerned or direct collection would only be possible with disproportionate effort.
10.2 The data subject must always be informed if personal data about them is being processed. As part of the information, all relevant details that are important for the data subject and the exercise of their rights are to be communicated.
11. Data Security
11.1 It is of great importance for the company that the security of the data is guaranteed at all times. Against this background, the data must be adequately protected against loss, unauthorized access and other dangers.
11.2 It must therefore be ensured that appropriate measures are taken to protect personal data. Protection must be provided by technical and organizational measures.
11.3 For the individual data processing operations, the specific protective measures must be documented and checked for their adequacy.
13. Order Processing
13.1 If service providers of the company process personal data on its behalf or the company processes data as a service provider for third parties, the provisions of Art. 4 No. 7, 8 and 15, Art. 9 para. 2 lit. i) GDPR and Art. 28 GDPR in conjunction with Section 22 Para. 1 Item 1 b) BDSG (new) must be observed.
13.2 The service provider acts on behalf of and also under the responsibility of the company. At the latest when starting work for the company, it must be ensured that a separate agreement on order processing is agreed with the service provider and that compliance with the obligations under the agreement on order processing is then regularly checked. This applies in particular to the “Dropbox” service, which can be used by the company for collaboration and data storage purposes. The Dropbox application is certified under the US Privacy Shield. Further information is available at: https://www.dropbox.com/terms#privacy
IV. Internal Processes
14. Employee Requirements
14.1 All employees of the company are particularly committed to data secrecy. They are to be instructed that it is forbidden to use personal data for private purposes, to transmit them to unauthorized persons or to make them accessible to unauthorized persons. The obligation to data secrecy should take place when they start working for the company. Employees are to be instructed that the obligation to maintain confidentiality continues to apply to the company after the end of their activity.
14.2 Within the company, too, care must be taken to ensure that only those employees who require them to carry out their tasks for the company have access to personal data.
14.3 All employees should be trained in data protection issues at the beginning of their work and regularly thereafter.
V. Rights of data subjects
15. Right to information and data portability
15.1 Upon request, a data subject must be informed whether personal data relating to them is being processed by the company. If this is the case, the person concerned has a right to information about the corresponding personal data. The person concerned should specify the type of data about which they want information.
15.2 The information should be provided in a form and language that the person concerned can understand. When providing information, the existing personal data and the purpose of storage must be communicated. Where available, the origin of the data should also be explained. Information on any recipients of the data, the duration of storage, any automated decision-making and information on the rights of those affected and the right to lodge a complaint with the supervisory authority are also obligatory.
15.3 In addition to the right to information, the data subject also has the right to receive the data stored about them in a structured form so that they can be taken over by another person responsible. However, this right to data transferability only applies to data that has been processed on the basis of consent, to fulfill a contract or as part of automated processing.
15.4 When providing information and fulfilling the right to data portability, it must be ensured that the identity of the data subject is verified. It should also be noted that no personal data of third parties will be disclosed when providing information.
15.5 The data protection officer must be informed of all requests for information or claims for data transferability so that he can coordinate or take over further activities. Unless the data protection officer expressly takes over the processing, the respective specialist department remains responsible for answering the request.
15.6 If an inquiry cannot be answered immediately or a claim cannot be fulfilled immediately, the person concerned must be sent at least interim information in which the expected processing time should be communicated.
16. Erasure and Restriction of Processing
16.1 If a data subject has a legitimate claim, the personal data stored about them must be deleted. A request is justified in particular if there is no basis for the data processing or if the basis has ceased to exist in the meantime. If there is no (longer) basis for the storage of personal data, these are to be deleted regardless of a claim by the person concerned.
16.2 If deletion is not an option, it must be checked to what extent at least the processing of the personal data can be restricted. Processing should be restricted in particular until the admissibility of further data processing has been clarified. If the data subject no longer wishes their data to be used further, a restriction of processing should be considered so that the data subject’s data is not used (again) in the event of a new data collection.
17. Right to Rectification
17.1 Incomplete or incorrect personal data must be corrected at the request of the data subject. The correction is also in the interest of the company, since the entire database should be as correct and of high quality as possible.
17.2 If an employee is aware that data stored by the company is incomplete and incorrect, the employee should inform the relevant specialist department so that a correction can be initiated.
18. Right of Revocation, Objection and Complaint
18.1 Consent given by a data subject to the processing of their data can be revoked at any time. The person concerned must be informed of the possibility of revocation. The revocation applies with effect for the future.
18.2 Insofar as the processing of data is based on a legal basis for authorization, the consent of the person concerned is not required. If the data subject objects to data processing, it must be checked to what extent data processing can be dispensed with in the future. If this is not possible, the data subject must be informed accordingly.