Data Protection Declaration
With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as “data”) that we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “online offer”).
The terms used are not gender-specific.
Status: September 20, 2021
- Responsible Person
- Processing overview
- Relevant legal bases
- Security measures
- Transmission of personal data
- Data processing in third countries
- Deletion of data
- Provision of the online offer and web hosting
- Contact and inquiry management
- Modification and updating of the data protection declaration
- Rights of the data subjects
- Definition of terms
Prof. Dr. Sven Klimpel
60438 Frankfurt am Main
Authorized representatives: Dr. Dorian D. Dörge.
Overview of Processing
The following overview summarizes the types of processed data and the purposes of their processing, referring to the affected individuals.
Types of processed data
- Master data (e.g., names, addresses).
- Content data (e.g., inputs in online forms).
- Contact data (e.g., email, phone numbers).
- Meta/communication data (e.g., device information, IP addresses).
- Usage data (e.g., visited websites, interest in content, access times).
Categories of affected individuals
- Communication partners.
- Users (e.g., website visitors, users of online services).
Purposes of processing
- Providing our online offer and user-friendliness.
- Direct marketing (e.g., via email or postal mail).
- Contact inquiries and communication.
- Provision of contractual services and customer support.
Relevant legal bases
- Consent (Art. 6(1)(a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6(1)(f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the data protection regulations of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions, in particular, on the right to access, the right to erase, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for the purposes of employment (Section 26 BDSG), in particular with regard to the establishment, performance, or termination of employment relationships and the consent of employees. In addition, data protection laws of the individual German states may apply.
We take appropriate technical and organizational measures, in accordance with legal requirements and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, to ensure a level of security appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, disclosure, availability, and separation. We have also established procedures to ensure the exercise of data subject rights, deletion of data, and responses to data breaches. Furthermore, we take into account the protection of personal data in the development or selection of hardware, software, and procedures in accordance with the principle of data protection by design and by default.
SSL encryption (https): To protect your data transmitted via our online services, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.
Transfer of personal data
In the course of our processing of personal data, it may happen that the data is transferred to other places, companies, legally independent organizational units or persons or disclosed to them. Recipients of such data may include service providers or providers of services and content that are integrated into a website and perform IT tasks. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data that serve to protect your data.
Data transfer within the organization: We may transfer personal data to other parts of our organization or grant them access to such data. If this transfer is for administrative purposes, it is based on our legitimate business and economic interests, or it takes place where it is necessary for the fulfillment of our contractual obligations, or where there is consent from the data subjects or a legal permission.
Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)), or if the processing takes place in the context of using third-party services or of disclosing or transferring data to other persons, bodies or companies, this is done only in accordance with legal requirements.
Subject to express consent or a transfer required by contract or by law, we process the data, or have it processed, only in third countries with a recognized level of data protection, on the basis of a contractual obligation through so-called standard contractual clauses of the EU Commission, where certifications exist, or under binding internal data protection rules (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
The data we process will be deleted in accordance with legal requirements as soon as their processing permissions are revoked or other permissions are no longer valid (e.g. if the purpose of processing such data no longer exists or they are not necessary for the purpose).
If the data is not deleted because it is required for other legally permissible purposes, its processing will be limited to those purposes. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be kept for commercial or tax reasons or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person.
Our data protection information may also contain further information on the storage and deletion of data that applies primarily to the respective processing.
Cookies are text files that contain data from visited websites or domains and are stored by a browser on the user’s computer. A cookie primarily serves to store information about a user during or after their visit within an online offering. The stored information may include, for example, language settings on a webpage, login status, a shopping cart, or the position where a video was watched. We also include other technologies that fulfill the same functions as cookies (e.g. when user data is stored based on pseudonymous online identifiers, also referred to as “user IDs”).
The following types of cookies and functions are distinguished:
- Temporary cookies (also known as session cookies): Temporary cookies are deleted at the latest after a user has left an online service and closed his browser.
- Permanent cookies: Permanent cookies remain stored even after closing the browser. For example, the login status can be saved or preferred content can be displayed directly when the user visits a website again. Similarly, the interests of users that are used for measuring reach or marketing purposes can be stored in such a cookie.
- First-party cookies: First-party cookies are set by ourselves.
- Third-party cookies: Third-party cookies are mainly used by advertisers (so-called third parties) to process user information.
- Necessary (also known as essential or absolutely necessary) cookies: Cookies can be absolutely necessary for the operation of a website (e.g. to save logins or other user inputs or for security reasons).
Storage duration: Unless we provide you with explicit information about the storage duration of permanent cookies (e.g. as part of a so-called cookie opt-in), please assume that the storage duration can be up to two years.
- Processed types of data: Usage data (e.g. visited web pages, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Affected individuals: Users (e.g. website visitors, users of online services).
- Legal basis: Consent (Art. 6 para. 1 sentence 1 lit. a GDPR), Legitimate Interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Provision of online services and web hosting
In order to provide our online services safely and efficiently, we use the services of one or more web hosting providers, from whose servers (or servers managed by them) our online services can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed in the context of the provision of the hosting service may include all information relating to the users of our online services that arises in the course of use and communication. This regularly includes the IP address, which is necessary to deliver the content of online services to browsers, and all inputs made within our online services or on websites.
Collection of access data and log files: We ourselves (or our web hosting provider) collect data on every access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, date and time of access, transferred data volumes, message about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page) and usually IP addresses and the requesting provider.
The server log files can be used for security purposes, for example to avoid server overload (especially in the case of abusive attacks, so-called DDoS attacks), and also to ensure the server’s utilization and stability.
- Processed data types: Content data (e.g. entries in online forms), usage data (e.g. visited web pages, interest in content, access times), meta/communication data (e.g. device information, IP addresses).
- Persons affected: Users (e.g. website visitors, users of online services).
- Purposes of processing: Provision of our online offer and user-friendliness, provision of contractual services and customer service.
- Legal basis: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Services and service providers used:
Host Europe GmbH
We use services of Host Europe GmbH to securely host our services. This includes in particular web hosting and associated services, such as the operation of mail services.
Server and network infrastructure
We use the services of a specialized and respected company to operate and maintain our server and network infrastructure (data centers).
Host Europe GmbH; Host Europe GmbH Hansestrasse 111 51149 Cologne,
Contact and inquiry management
When contacting us (e.g. via contact form, email, telephone or via social media) as well as in the context of existing user and business relationships, the details of the inquiring persons are processed to the extent necessary to answer the contact inquiries and any requested measures.
The answering of contact inquiries as well as the management of contact and inquiry data within the scope of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to answer (pre)contractual inquiries and otherwise on the basis of legitimate interests in answering inquiries and maintaining user or business relationships.
- Processed data types: Inventory data (e.g. names, addresses), contact data (e.g. email, telephone numbers), content data (e.g. entries in online forms).
- Persons affected: Communication partners.
- Purposes of processing: Contact inquiries and communication.
- Legal basis: Contract fulfillment and pre-contractual inquiries (Art. 6 para. 1 sentence 1 lit. b. GDPR), legitimate interests (Art. 6 para. 1 sentence 1 lit. f. GDPR).
Rights of Data Subjects
You have various rights as a data subject under the GDPR, which arise in particular from Articles 15 to 21 of the GDPR:
- Right to object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. Where personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to withdraw consent: You have the right to withdraw your consent at any time.
- Right to information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, access to the personal data and other information as provided by law.
- Right to rectification: You have the right to obtain without undue delay the rectification of inaccurate personal data concerning you or to have incomplete personal data completed, including by means of providing a supplementary statement.
- Right to erasure and restriction of processing: You have the right to obtain without undue delay the erasure of personal data concerning you or to obtain the restriction of processing in accordance with the statutory provisions.
- Right to data portability: You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or on a contract.
- Right to lodge a complaint with a supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the GDPR.
- Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as the “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Controller: The “controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, whether collecting, evaluating, storing, transmitting or deleting.