Data Protection PolicyThe following data protection policy outlines the type, scope and purpose of processing of personal data (hereafter referred to as “data”) performed in connection with our online services, linked web pages, functions and content, as well as external platforms, e.g. our presence on social media platforms (hereafter referred to “online services”). With regard to terminology used in this policy, e.g. “processing” or “controller”, please refer to the definitions provided in Art. 4 of the EU’s General Data Protection Regulation (GDPR).
Ulrike Lippe (press and public relations officer)
Forschungsverbund Marbach Weimar Wolfenbüttel
Geschäftsstelle am Wissenschaftskolleg zu Berlin
Dr. Sonja Asal
Forschungsverbund Marbach Weimar Wolfenbüttel
Types of processed data:
- Personal and master data (e.g. names, addresses)
- Contact data (e.g. email addresses, telephone numbers)
- Content data (e.g. text entries, photos, videos)
- Usage data (e.g. visited web pages, interest in content, access times).
- Meta-/communication data (e.g. device information, IP addresses)
Categories of persons affected by data processing
Visitors and users of our online services (hereafter summarily referred to as “users”)
Purpose of processing
- Provision of online services, functions and content
- Contact and communication with users
- Security measures
- Online tracking analysis/marketing
“Personal data” is defined as all information that makes reference to identified or identifiable natural persons (hereafter referred to as “data subjects”). A natural person is regarded as identifiable if he/she can be directly or indirectly identified by means of an ID (e.g. a name), an ID number, location data, an online ID (e.g. cookie) or by one or more specific characteristics which convey the physical, physiological, genetic, psychological, financial, cultural or social identity of this natural person.
“Processing” is defined as any procedure conducted with or without automated assistance, or any sequence of procedures conducted in connection to personal data. The term is broadly applicable and includes practically every case of data handling.
“Pseudonymisation” refers to the processing of personal data in such a way that the data can no longer be assigned to any specific data subject without the provision of further information, whereby this information is specially safeguarded and is subject to organisational measures which ensure that the personal data cannot be assigned to an identified or identifiable natural person.
“Profiling” refers to any type of automated processing of personal data with the aim evaluating, analysing or predicting distinctive aspects related to a natural person, especially those related to work performance, financial situation, health, personal preferences, reliability, geographical location or changes in location of this natural person.
The term “responsible controller” distinguishes the natural or legal person, agency, organisation or other entity which is entitled to make decisions alone or in consultation with others concerning the purposes and means of processing personal data.
The term “processor” distinguishes a natural or legal person, agency, organisation or other entity who/which processes personal data on behalf of the responsible controller.
In accordance with Art. 13 GDPR, we provide the following information on the legal basis of our data processing activities. If the legal basis is not explicitly stated in the provisions below, the following applies: The legal basis for obtaining consent from the data subject is provided in Art. 6 (1 a) and Art. 7 GDPR; the legal basis for processing data necessary for rendering services and performing contractual obligations, as well as responding to inquiries is provided in Art. 6 (1 b) GDPR; the legal basis for processing data necessary for compliance with our legal obligations is provided in Art. 6 (1 c) GDPR; the legal basis for processing data necessary for pursuing our legitimate interests is provided in Art. 6 (1 f) GDPR. In cases for which processing is necessary to protect the vital interests of the data subject or of another natural person, Art. 6 (1 d) GDPR serves as the legal basis.
In accordance with Art. 32 GDPR and taking into account the latest standards in technology, the costs of implementation and the nature, scope, context and purposes of processing as well as the varying likelihood and severity of threats to the rights and freedoms of natural persons, we undertake to implement appropriate technical and organisational measures to ensure a level of security appropriate to the given risk.
These measures serve to ensure the ongoing confidentiality, integrity and availability of data by monitoring its physical availability, as well as the respective access, input, transmission, storage and erasure of such data. In addition, we have implemented measures which protect the rights of our users, ensure personal data is erased, and counteract threats to the security of personal data. Furthermore, we take data protection into account when developing or selecting hardware, software and processing methods in accordance with the data protection principles by technical design and privacy-friendly defaults (Art. 25 GDPR).
Collaboration with processors and third parties
If in the course of processing your data, we should disclose, transmit or allow external persons or firms (processors or third-parties) to gain access to your data, this will only occur on the basis of legal regulations (e.g. when a third party requires data to fulfil contractual terms in accordance with Art. 6 (1 b) GDPR), either by the user’s consent, for the purpose of complying with legal obligations, or in pursuit of our legitimate interests (e.g. when using external service providers, web hosts etc.).
If we commission a third party to process data on the basis of a “data processing agreement”, this will occur in compliance with Art. 28 GDPR.
Transmission of data to third countries
If we process data in a third country (i.e. outside of the European Union (EU) or the European Economic Area (EEA)), or if data is processed by, disclosed or transmitted to third parties in connection to using third-party services, this will only occur if necessary for meeting our (pre-)contractual obligations, if you have provided your consent, for the purpose of complying with legal obligations, or in pursuit of our legitimate interests. Insofar as data transfer does not require special legal or contractual permission, we only process or allow data to be processed in a third country if the specific provisions stipulated in Art. 44 ff GDPR apply. This means that data processing will only take place in accordance with guarantees contained in officially recognised data protection standards which correspond to those of the EU (e.g. the “Privacy Shield” in the USA) or with specific, officially recognised contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
The data subject has the right to obtain confirmation whether his/her personal data is being processed, and if so, what the nature of this data is, together with additional information and a copy of the data in accordance with Art. 15 GDPR.
In accordance with Art. 16 GDPR, the data subject has the right to have incomplete personal data completed or incorrect data rectified.
In accordance with Art. 17 GDPR, the data subject has the right to have his/her data immediately erased, or in accordance with Art. 18 GDPR, have the processing of personal data restricted.
In accordance with Art. 20 GDPR, the data subject has the right to obtain all data he/she has provided us, and demand that this data be shared with other website controllers.
In accordance with Art. 77 GDPR, the data subject has the right to lodge a complaint with the responsible supervisory authority.
Right to withdraw consent
The data subject has the right to withdraw previously granted consent to process personal data with immediate effect for the future in accordance with Art. 7 (3) GDPR.
Right to object
In accordance with Art. 21 GDPR, the data subject has the right to object at any time to having his/her personal data processed with immediate effect for the future. The objection can apply to data processing for direct marketing purposes.
Cookies / Right to object to direct marketing
“Cookies” are small files saved on the user’s computer. Cookies may contain a variety of data. The primary purpose of cookies is to store information about the user (or the device on which the cookie is saved) during and, in some cases, after the user’s visit to a website. Temporary cookies, also called “session cookies” or “transient cookies”, are erased as soon as the user leaves a website and closes his/her browser. Such cookies may contain information regarding the contents of an online shopping cart or one’s login status, for example. “Permanent” or “persistent” cookies remain saved on the user’s computer even after the browser is closed. These cookies may contain the user’s login status for up to several days after visiting a specific website. They may also contain information about the user’s interests which could be used for marketing purposes and tracking analysis. “Third-party cookies” are those which originate from external providers in contrast to those created by the controller of the visited website, which would be designated as “first-party cookies”.
As we employ both temporary and permanent cookies, we wish to inform you about our data protection policy with regard to cookies.
If you do want to have cookies saved on your computer, we recommend deactivating such cookies by selecting the respective option in your browser settings. Cookies already saved on your system can be erased in the same manner. By deactivating cookies, you may not be able to take full advantage of our online services.
Erasure of data
All the personal data we process is either erased or is subject to processing restrictions in accordance with Art. 17 and 18 GDPR. If not explicitly stated otherwise in this data protection policy, we erase all stored personal data as soon as the purpose of storage is no longer necessary, and its erasure does not prevent compliance with our legal obligations regarding data storage. If your data cannot be erased due to other requirements or legal regulations, we shall restrict its processing. This means that your data may not be transmitted, shared or processed for any other purposes. This applies, for example, to data which must be stored for commercial or tax-related reasons.
In accordance with legal regulations in Germany, in particular §§ 147 (1) AO, 257 (1, 1 & 4) HGB, such data must be kept for a period of ten years (e.g. accounts, records, status reports, invoices, trade books, tax-relevant documents etc.), and in accordance with § 257 (1, 2 & 3) HGB, for a period of six years (e.g. commercial letters).
In accordance with legal regulations in Austria, in particular §§ 132 (1) BAO, such data must be kept for a period of seven years (e.g. accounts, records/invoices, accounts, statements, business documents, income and expense reports, etc.), for 22 years for documents related to property and real estate, and ten years for documents related to electronically provided services, telecommunication, radio and television services rendered to non-business entities in EU member states and for the Mini-One-Stop-Shop (MOSS).
Provision of our statutory and business services
We process the data of our supporters, interested parties, clients and other persons in accordance with Art. 6 (1 b) GDPR, provided that we offer them contractual services or are engaged with them in an existing business relationship or are the recipient of their services or payments. Furthermore, we process personal data in accordance with Art. 6 (1 f) GDPR on the basis of legitimate interests, e.g. if administrative tasks or public relations activities necessitate such processing.
The processed data, as well as the type, scope, purpose and necessity of processing, are defined by the underlying contractual relationship. This data includes personal and master data (e.g. names, addresses), contact data (e.g. email addresses, telephone numbers), contract data (e.g. services, content and information received, names of contacts) and payment data if fees are charged for delivered services or products (e.g. bank details, payment history etc.).
We erase data as soon as it is no longer required for our statutory and business purposes. Erasure of data is determined in accordance with the respective tasks and contractual relations. In the case of business-related data processing, we store data for as long as might be relevant for completing the business transaction, also with respect to meeting guarantee and liability claims. The necessity of maintaining such data is assessed every three years; assessments are subject to compliance with statutory data retention requirements.
Comments and contributions
If a user chooses to leave a comment or other contribution on our website, we reserve the right to store his/her IP address for seven days based on legitimate interest in accordance with Art. 6 (1 f) GDPR. This is done to protect ourselves in case a comment or contribution contains illegal or improper content (insults, forbidden political propaganda etc.). In such cases, we may be held liable for the comment or contribution, for which reason we wish to discover the identity of the author in question.
Furthermore, we reserve the right on the basis of legitimate interest to process user information for the purpose of recognising spam in accordance with Art 6 (1 f) GDPR.
All data provided in connection with comments and contributions, including personal, contact and website information, are stored permanently until the user files an objection.
Hosting and email delivery
The hosting services we use provide the following services to our customers: Infrastructure and platform services, computing capacity, storage space and database services, email delivery, IT security services and technical maintenance, all of which serve to ensure the operation of our online services.
In this context, we or our hosting provider (commissioned to perform these tasks on our behalf based on a third-party processing agreement) process personal and master data, contact data, content data, contract data, usage data and meta- and communication data provided by our clients, interested parties and visitors to our website. The collection of this data is pursuant to our legitimate interests in providing efficient and secure online services in accordance with Art. 6 (1 f) GDPR in combination with Art. 28 GDPR.
Access data and server log files
In pursuit of our legitimate interests as provided in Art. 6 (1 f) GDPR, we or our hosting provider collect and store data on every access query made to content saved on our server (so-called “server log files”). These log files contain the name of the accessed web page, file, date and time of the query, transmitted amount of data, report on whether the query was successful, the browser type and version, the user's operating system, referrer URL (i.e. previously visited page), IP address and the querying provider.
For security reasons (e.g. for investigating cases of possible misuse of fraud), log file data is saved for a period of 7 days max., after which time it is erased. Data retained as evidence in criminal investigations is exempt from erasure until the respective case is conclusively clarified.
Tracking analysis with Matomo
As part of the Matomo tracking analysis software and in keeping with our legitimate interests (e.g. analysing, optimising and efficiently operating our online services as provided in Art. 6 (1 f) GDPR), we process the following data: user’s browser type and version, user’s operating system, country of origin, date and time of the server query, number of visits, length of time the user spends on our website, and the clicked external links. The user’s IP address is anonymised before it is saved.
Users can withdraw their consent to having anonymised data collected by Matomo with immediate effect for the future by clicking on the provided link below. In such cases, Matomo places an “opt-out cookie” onto the user’s browser which prevents it from collecting any data during their visit to our website. If users delete all cookies in their browser, the opt-out cookie will also be erased, which means they will have to reactivate the opt-out cookie during their next visit.
The data logs are erased within a period of six months.
We integrate videos via the video sharing platform “YouTube”, owned and operated by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Privacy statement: https://www.google.com/policies/privacy/, Opt-Out: https://adssettings.google.com/authenticated.Created by RA Dr. Thomas Schwenke using Datenschutz-Generator.de