Responsible data protection officer
Nietzsche Street 21
53177 Bonn, Germany
Contact data protection officer: email@example.com
Types of data processed:
- Contact data (e.g. e-mail, name).
- Usage data (e.g., websites visited, interest in content, access times).
- Meta/communication data (e.g. device information, IP addresses).
Categories of data subjects
Visitors and users of the online offer (hereinafter referred to as “users”).
Purpose of processing
- Provision of the online offer, its functions and contents
- Answering contact requests and communicating with users
- Safety precautions
- Reach measurement/Marketing
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”). An identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or one or more specific characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
“Processing” means any operation carried out with or without the aid of automated processes, or set of operations, involving personal data. The term is broad and covers practically every handling of data.
“Pseudonymisation” means the processing of personal data in such a way that the personal data can no longer be attributed to a specific data subject without additional information, provided that such additional information is kept separately and is subject to technical and organisational measures ensuring that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any automated processing of personal data consisting of the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects relating to the work performance, economic situation, health, personal preferences, interests, reliability, conduct, whereabouts or movements of that natural person.
The “controller” is the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Applicable legal bases
According to Art. 13 DSGVO I inform you about the legal basis of my data processing. If the legal basis is not mentioned in the data protection declaration, the following applies: The legal basis for obtaining consent is Art. 6 para. 1 lit. a and Art. 7 DSGVO, the legal basis for processing to fulfil my services and carry out contractual measures as well as answer inquiries is Art. 6 para. 1 lit. b DSGVO, the legal basis for processing to fulfil my legal obligations is Art. 6 para. 1 lit. c DSGVO, and the legal basis for processing to safeguard my legitimate interests is Art. 6 para. 1 lit. f DSGVO. In the event that vital interests of the data subject or another natural person necessitate the processing of personal data, Art. 6 para. 1 lit. d DSGVO serves as the legal basis.
In accordance with Art. 32 DSGVO, I shall take appropriate technical and organisational measures to ensure a level of protection appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, extent, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons.
Such measures shall include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as access to, input, disclosure, securing and separation of the data. I have also established procedures to ensure the exercise of data subjects’ rights, the erasure of data and the response to data breaches. Furthermore, I take into account the protection of personal data as early as the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technology design and data protection-friendly presettings (Art. 25 DSGVO).
Cooperation with contract processors and third parties
If I disclose data to other persons and companies (contract processors or third parties) in the course of processing, transfer the data to them or otherwise grant them access to the data, this will only be done on the basis of a legal permission (e.g. if a transfer of the data to third parties, such as payment service providers, pursuant to Art. 6 Para. 1 lit. b DSGVO is necessary to fulfil the contract), if you have consented, if a legal obligation provides for this, or on the basis of legitimate interests (e.g. when using agents, web hosts, etc.).
If I entrust third parties with the processing of data on the basis of a so-called “order processing contract”, this is done on the basis of Art. 28 DSGVO.
Transfers to third countries
If I process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in the context of the use of third-party services or disclosure or transfer of data to third parties, this will only occur if it is done to fulfil my (pre)contractual obligations, on the basis of your consent, a legal obligation or on the basis of our legitimate interests. Subject to legal or contractual permissions, I process or leave the data in a third country only if the special requirements of Art. 44 ff. DSGVO are met. That is, the processing takes place e.g. on the basis of special guarantees, such as the officially recognized determination of a data protection level corresponding to that of the EU (e.g. for the USA by the “Privacy Shield”) or observance of officially recognized special contractual obligations (so-called “standard contract clauses”).
Rights of data subjects
You have the right to request confirmation as to whether the data in question will be processed and to be informed of this data and to receive further information and a copy of the data in accordance with Art. 15 DSGVO.
In accordance with Art. 16 DSGVO, you have the right to request the completion of data concerning you or the rectification of incorrect data concerning you.
Pursuant to Art. 17 DSGVO, you have the right to demand that the data concerned be deleted immediately or, alternatively, to demand that the processing of the data be restricted pursuant to Art. 18 DSGVO.
You have the right to demand to receive the data concerning you which you have provided to us, in accordance with Art. 20 DSGVO, and to demand that it be transferred to other responsible parties.
Pursuant to Art. 77 DSGVO, you also have the right to file a complaint with the competent supervisory authority.
Right of withdrawal
You have the right to revoke consents granted pursuant to Art. 7 para. 3 DSGVO with effect for the future.
Right of objection
You may object at any time to the future processing of the data concerning you in accordance with Art. 21 DSGVO. In particular, you may object to the processing of your data for the purposes of direct marketing.
Cookies and right of objection in the case of direct advertising
“Cookies” are small files that are stored on the user’s computer. Different data can be stored within the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after the user’s visit to an online service. Temporary cookies, also called “session cookies” or “transient cookies”, are cookies that are deleted after a user leaves an online offer and closes his browser. The content of a shopping basket in an online shop or a login status, for example, can be stored in such a cookie. Cookies that remain stored even after the browser is closed are referred to as “permanent” or “persistent”. For example, the login status can be saved if users visit the site again after several days. The interests of users, which are used for reach measurement or marketing purposes, can also be stored in such a cookie. “Third party cookies” are cookies that are offered by providers other than the person responsible for operating the online service (otherwise, if they are only the latter’s cookies, they are referred to as “first party cookies”).
If the users do not want cookies to be stored on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Stored cookies can be deleted in the system settings of your browser. The exclusion of cookies can lead to functional restrictions of this online offer.
Deletion of data
The data processed by me will be deleted or their processing restricted in accordance with Art. 17 and 18 DSGVO. Unless expressly stated in this data protection declaration, the data stored by me will be deleted as soon as they are no longer required for their intended purpose and there are no legal obligations to retain them. If the data are not deleted because they are required for other and legally permissible purposes, their processing will be restricted. This means that the data will be blocked and not processed for other purposes. This applies, for example, to data that must be stored for commercial or tax reasons.
According to legal requirements in Germany, data is stored for 10 years in accordance with §§ 147 para. 1 AO, 257 para. 1 nos. 1 and 4, para. 4 HGB (German Commercial Code) (books, records, management reports, accounting records, commercial books, documents relevant for taxation, etc.) and 6 years in accordance with § 257 para. 1 nos. 2 and 3, para. 4 HGB (German Commercial Code) (commercial letters).
Users can create a user account. Within the scope of registration, the required mandatory data will be communicated to the users and processed on the basis of Art. 6 Para. 1 lit. b DSGVO for the purpose of providing the user account. The processed data includes in particular the login information (name, password and an e-mail address). The data entered during registration will be used for the purposes of using the user account and its purpose.
Users may be informed by e-mail of information relevant to their user account, such as technical changes. If users have terminated their user account, their data will be deleted with regard to the user account, subject to a statutory retention obligation. It is the responsibility of the users to secure their data upon termination. I am entitled to irretrievably delete all stored user data.
Within the scope of using my registration and login functions as well as the use of the user account, I save the IP address and the time of the respective user action. The storage is based on my legitimate interests, as well as the user’s protection against misuse and other unauthorized use. This data will not be passed on to third parties unless it is necessary to pursue my claims or there is a legal obligation to do so pursuant to Art. 6 Para. 1 lit. c DSGVO. The IP addresses will be anonymized or deleted after 7 days at the latest.
DISQUS comment function
On the basis of my legitimate interests in efficient, secure and user-friendly comment management in accordance with Art. 6 Para. 1 lit. f. DSGVO, I use the comment service DISQUS, offered by DISQUS, Inc., 301 Howard St, Floor 3, San Francisco, California 94105, USA. DISQUS is certified under the Privacy Shield Agreement and thus offers a guarantee of compliance with European data protection law: https://www.privacyshield.gov/participant?id=a2zt0000000TRkEAAW&status=Active.
To use the DISQUS comment function, users can log in via their own DISQUS user account or an existing social media account (e.g. OpenID, Facebook, Twitter or Google). DISQUS obtains the user’s login data from the platforms. It is also possible to use the DISQUS comment function as a guest without creating or using a user account with DISQUS or one of the specified social media providers.
I merely embed DISQUS with its functions into the website, whereby I can influence the comments of the users. However, the users enter into a direct contractual relationship with DISQUS, within the framework of which DISQUS processes the user’s comments and is a contact person for any deletion of the user’s data. I hereby refer to the data protection declaration of DISQUS: https://help.disqus.com/terms-and-policies/disqus-privacy-policy and also point out to the users that they can assume that DISQUS stores not only the comment content but also their IP address and the time of the comment as well as cookies on the user’s computer and can use them to display advertisements. Users may, however, object to the processing of their data for the purpose of displaying advertisements: https://disqus.com/data-sharing-settings.
Comments and Contributions
If users leave comments or other contributions, their IP addresses may be stored for 7 days on the basis of our legitimate interests within the meaning of Art. 6 Para. 1 lit. f. DSGVO. This is done for our security in case someone leaves illegal content (insults, forbidden political propaganda, etc.) in comments and contributions. In this case I can be prosecuted myself for the comment or contribution and am therefore interested in the identity of the author.
Furthermore, I reserve the right, on the basis of my legitimate interests pursuant to Art. 6 Para. 1 lit. f. DSGVO, to take legal action against the author and to process the data of the users for the purpose of spam recognition.
The data provided in the context of comments and contributions will be stored permanently by me until the user objects.
Akismet Anti-Spam Testing
I use the “Akismet” service offered by Automattic Inc, 60 29th Street #343, San Francisco, CA 94110, USA. The use is based on my legitimate interests in the sense of Art. 6 Para. 1 lit. f) DSGVO. With the help of this service, comments of real people are distinguished from spam comments. All comments are sent to a server in the USA, where they are analyzed and stored for four days for comparison purposes. If a comment has been classified as spam, the data is stored beyond this time. This information includes the name entered, the email address, the IP address, the comment content, the referrer, information about the browser used, the computer system and the time of the entry.
Users are welcome to use pseudonyms or to refrain from entering their name or email address. You can completely prevent the transmission of data by not using my comment system. That would be a pity and would be contrary to the meaning of the blog.
Retrieving profile pictures from Gravatar