Data Protection Declaration
As of September 16, 2023
Table of Contents
- Controller
- Overview of Processing
- Relevant Legal Bases
- Security Measures
- Transfer of Personal Data
- International Data Transfers
- Rights of Data Subjects
- Use of Cookies
- Provision of the Online Offering and Web Hosting
- Blogs and Publishing Media
- Contact and Inquiry Management
- Audio Content
- Presences on Social Networks (Social Media)
- Plugins and Embedded Functions and Content
Controller
Relevant Legal Bases
Relevant legal bases according to the GDPR: Below you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, specific legal bases may be applicable in individual cases and will be communicated to you in the data protection declaration.
- Consent (Art. 6(1) sentence 1 lit. a) GDPR) – The data subject has given consent to the processing of their personal data for one or more specific purposes.
- Performance of a contract and pre-contractual inquiries (Art. 6(1) sentence 1 lit. b) GDPR) – Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract.
- Legitimate interests (Art. 6(1) sentence 1 lit. f) GDPR) – Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
National data protection regulations in Germany: In addition to the provisions of the GDPR, national data protection regulations apply in Germany. This includes, in particular, the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG). The BDSG contains special provisions on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission, as well as automated decision-making in individual cases, including profiling. In addition, data protection laws of the individual federal states may apply.
Reference to the applicability of the GDPR and Swiss DPA: These data protection notices serve to provide information in accordance with the Swiss Federal Data Protection Act (Swiss DPA) as well as the General Data Protection Regulation (GDPR). For this reason, please note that, due to the broader geographical scope and comprehensibility, the terms of the GDPR are used. In particular, instead of the terms “processing” of “personal data,” “overriding interest,” and “particularly sensitive personal data” used in the Swiss DPA, the terms “processing” of “personal data,” “legitimate interest,” and “special categories of data” used in the GDPR are used. However, the legal meaning of the terms is determined within the scope of the Swiss DPA.
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of Data Processed
- Inventory data.
- Contact data.
- Content data.
- Usage data.
- Meta, communication, and procedural data.
Categories of Data Subjects
- Communication partners.
- Users.
Purposes of Processing
- Provision of contractual services and fulfillment of contractual obligations.
- Contact inquiries and communication.
- Security measures.
- Reach measurement.
- Conversion measurement.
- Management and response to inquiries.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Security Measures
In accordance with legal requirements and taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the different likelihoods and severities of the threat to the rights and freedoms of natural persons, we take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data as well as access, input, transmission, securing the availability, and their separation. Furthermore, we have established procedures to ensure the exercise of data subject rights, the deletion of data, and responses to the threat to data. We also take data protection into account in the selection of hardware, software, and procedures, in accordance with the principle of data protection, through technology design and data protection-friendly settings.
Transmission of Personal Data
As part of our processing of personal data, it may occur that the data is transmitted to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include, for example, IT service providers or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
International Data Transfers
Data Processing in Third Countries: If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if processing takes place as part of the use of third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this is only done in accordance with legal requirements. If the level of data protection in the third country has been recognized through an adequacy decision (Art. 45 GDPR), this serves as the basis for data transfer. Otherwise, data transfers only take place if the level of data protection is otherwise secured, particularly through standard contractual clauses (Art. 46(2)(c) GDPR), explicit consent, or in the case of contractual or legally required transfer (Art. 49(1) GDPR). Furthermore, we will inform you of the basis for the transfer to third countries with each individual provider from the third country, with adequacy decisions taking precedence as the basis. Information on third-country transfers and existing adequacy decisions can be found on the EU Commission’s information page: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_en.
EU-US Trans-Atlantic Data Privacy Framework: As part of the so-called “Data Privacy Framework” (DPF), the EU Commission has also recognized the level of data protection as safe for certain companies from the USA within the framework of the adequacy decision of July 10, 2023. The list of certified companies, as well as further information on the DPF, can be found on the website of the US Department of Commerce at https://www.dataprivacyframework.gov/. We will inform you in our data protection notices which service providers we use are certified under the Data Privacy Framework.
Rights of Data Subjects
Rights of data subjects under the GDPR: As data subjects under the GDPR, you have various rights, particularly arising from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is based on Article 6(1)(e) or (f) GDPR, including profiling based on those provisions. If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw your consent at any time.
- Right to Information: You have the right to obtain confirmation as to whether or not personal data concerning you are being processed and to receive information about these data, as well as further information and a copy of the data according to legal requirements.
- Right to Rectification: You have the right, in accordance with legal requirements, to request the completion of personal data concerning you or the rectification of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: You have the right, in accordance with legal requirements, to demand the immediate erasure of personal data concerning you or, alternatively, to demand a restriction of processing of the data.
- Right to Data Portability: You have the right to receive the personal data concerning you, which you have provided to us, in accordance with legal requirements, in a structured, commonly used, and machine-readable format or to request the transmission of this data to another controller.
- Complaint to a Supervisory Authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement, if you believe that the processing of personal data concerning you violates the provisions of the GDPR.
Use of Cookies
Cookies are small text files or other storage records that store information on devices and retrieve information from devices. For example, to store the login status in a user account, the contents of a shopping cart in an e-shop, the accessed content, or the functions used in an online offering. Cookies can also be used for various purposes, such as functionality, security, and convenience of online offerings, as well as for creating analyses of visitor traffic.
Consent Information: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users unless it is not legally required. Consent is not required, in particular, when storing and retrieving information, including cookies, is absolutely necessary to provide users with a telemedia service (i.e., our online offering) expressly requested by them. Cookies that are absolutely necessary typically include cookies with functions related to displaying and ensuring the functionality of the online offering, load balancing, security, storing user preferences and choices, or similar purposes related to providing the main and ancillary functions of the online offering requested by users. Revocable consent is clearly communicated to users and contains information about the respective cookie usage.
Information about Data Protection Legal Bases: The data protection legal basis on which we process users’ personal data using cookies depends on whether we request users’ consent. If users consent, the legal basis for processing their data is the consent provided. Otherwise, data processed using cookies based on our legitimate interests (e.g., in economically operating our online offering and improving its usability) or, if required to fulfill our contractual obligations, if the use of cookies is necessary to fulfill our contractual obligations. We will provide information about the purposes for which we process cookies as part of this data protection declaration or within the scope of our consent and processing processes.
Storage Duration: With regard to the storage duration, the following types of cookies are distinguished:
- Temporary Cookies (also known as Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).
- Permanent Cookies: Permanent cookies remain stored even after closing the end device. For example, login status can be saved, or preferred content can be displayed directly when the user revisits a website. Likewise, data collected through cookies can be used for audience measurement. Unless we provide users with explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and can be stored for up to two years.
General Information on Revocation and Objection (Opt-Out): Users can revoke their consents at any time and object to processing in accordance with legal requirements. For this purpose, users can restrict the use of cookies in their browser settings (which may also limit the functionality of our online offering). Objection to the use of cookies for online marketing purposes can also be declared through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
- Legal Basis: Legitimate interests (Art. 6(1)(f) GDPR). Consent (Art. 6(1)(a) GDPR).
Additional Information on Processing Operations, Procedures, and Services:
- Processing of Cookie Data Based on Consent: We use a procedure for cookie consent management, within the framework of which users’ consents to the use of cookies or the processing and providers mentioned within the cookie consent management procedure can be obtained, managed, and revoked by users. The consent declaration is stored in order to avoid having to repeat the query and to be able to prove the consent in accordance with legal requirements. Storage can be done server-side and/or in a cookie (so-called opt-in cookie or similar technologies) in order to associate the consent with a user or their device. Subject to individual information about providers of cookie management services, the following information applies: The duration of consent storage can be up to two years. A pseudonymous user identifier is created, and information about the scope of the consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and used end device, is stored; Legal Basis: Consent (Art. 6(1)(a) GDPR).
Provision of the Online Offering and Web Hosting
We process user data to provide them with our online services. For this purpose, we process the user’s IP address, which is necessary to transmit the content and features of our online services to the user’s browser or device.
- Processed Data Types: Usage Data (e.g., visited web pages, interest in content, access times). Meta, Communication, and Process Data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)). Security measures.
- Legal Bases: Legitimate Interests (Art. 6 (1) (f) GDPR).
Additional Information on Processing Operations, Procedures, and Services:
- Collection of Access Data and Log Files: Access to our online offering is logged in the form of “server log files.” Server log files may include the address and name of the accessed web pages and files, date and time of access, transferred data volumes, message about successful access, browser type and version, the user’s operating system, referrer URL (previously visited page), and, as a rule, IP addresses and the requesting provider. Server log files can be used, on the one hand, for security purposes, e.g., to avoid overloading the servers (especially in the case of abusive attacks, so-called DDoS attacks), and, on the other hand, to ensure the load and stability of the servers; Legal Bases: Legitimate Interests (Art. 6 (1) (f) GDPR). Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data whose further storage is necessary for evidence purposes is excluded from deletion until the final clarification of the respective incident.
Blogs and Publication Media
We use blogs or similar means of online communication and publication (hereinafter “publication medium”). Reader data is only processed for the purposes of the publication medium to the extent necessary for its presentation and communication between authors and readers or for security reasons. For further information on the processing of visitors to our publication medium, please refer to the information in this privacy notice.
- Processed Data Types: Master Data (e.g., names, addresses); Contact Data (e.g., email, phone numbers); Content Data (e.g., entries in online forms); Usage Data (e.g., visited web pages, interest in content, access times). Meta, Communication, and Process Data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer support; Feedback (e.g., collecting feedback via online form); Provision of our online offering and user-friendliness; Security measures. Management and response to inquiries.
- Legal Bases: Legitimate Interests (Art. 6 (1) (f) GDPR).
Additional Information on Processing Operations, Procedures, and Services:
- Comments and Contributions: When users leave comments or other contributions, their IP addresses may be stored on the basis of our legitimate interests. This is done for our security in case someone leaves unlawful content in comments and contributions (insults, prohibited political propaganda, etc.). In this case, we can be held responsible for the comment or contribution and are therefore interested in the identity of the author.
We also reserve the right to process user data on the basis of our legitimate interests for spam detection purposes.
On the same legal basis, we reserve the right to store users’ IP addresses for the duration of surveys and to use cookies to prevent multiple votes.
The information provided by users in the context of comments and contributions, such as personal information, contact information, and content-related information, will be stored by us permanently until users object;
Legal Bases: Legitimate Interests (Art. 6 (1) (f) GDPR). - Profile Pictures from Gravatar: Profile Pictures – Within our online offering and especially in the blog, we use the Gravatar service.
Gravatar is a service where users can register and store profile pictures and their email addresses. If users leave posts or comments with the respective email address on other online presences (especially in blogs), their profile pictures can be displayed alongside the posts or comments. For this purpose, the email address provided by users is encrypted and transmitted to Gravatar for the purpose of checking whether a profile is stored for it. This is the sole purpose of transmitting the email address. It is not used for other purposes and is subsequently deleted.
The use of Gravatar is based on our legitimate interests, as we offer contributors to posts and comments the opportunity to personalize their contributions with a profile picture.
By displaying the images, Gravatar becomes aware of the IP address of the users, as this is necessary for communication between a browser and an online service.
If users do not want a user image associated with their email address to appear in the comments, they should use an email address that is not stored with Gravatar when commenting. We also point out that it is possible to use an anonymous or no email address at all if users do not want their own email address to be transmitted to Gravatar. Users can completely prevent the transmission of data by not using our comment system;
Service Provider: Aut O’Mattic A8C Ireland Ltd., Grand Canal Dock, 25 Herbert Pl, Dublin, D02 AY86, Ireland; Legal Bases: Legitimate Interests (Art. 6 (1) (f) GDPR);Website: https://automattic.com; Privacy Policy: https://automattic.com/privacy. Basis for Data Transfer to Third Countries: EU-US Data Privacy Framework (DPF).
Contact and Inquiry Management
When contacting us (e.g., by mail, contact form, email, telephone, or via social media) and as part of existing user and business relationships, the information of the inquiring individuals is processed to the extent necessary to respond to the contact inquiries and any requested measures.
- Processed Data Types: Contact details (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Administration and response to inquiries; Feedback (e.g., collecting feedback via online form). Providing our online offerings and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR). Contractual performance and pre-contractual inquiries (Art. 6(1)(b) GDPR).
Further information on processing procedures, procedures, and services:
- Contact Form: When users contact us via our contact form, email, or other communication channels, we process the data provided to us in this context to handle the reported issue; Legal Bases: Contractual performance and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Audio Content
We use hosting and analytics services from service providers to offer our audio content for listening or download and to obtain statistical information on the retrieval of audio content.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, identification of returning visitors); Conversion measurement (measurement of the effectiveness of marketing measures); Profiles with user-related information (creation of user profiles). Providing our online offerings and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Further information on processing procedures, procedures, and services:
- Spotify: Spotify – Music hosting and widget; Service Provider: Spotify AB, Regeringsgatan 19, SE-111 53 Stockholm, Sweden; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.spotify.com/de. Privacy Policy: https://www.spotify.com/de/legal/privacy-policy/.
Presences on Social Networks (Social Media)
We maintain online presences within social networks and process user data within this framework to communicate with active users there or to provide information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for users because, for example, it could make it more difficult to enforce user rights.
Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, user profiles can be created based on user behavior and resulting interests. These user profiles can in turn be used to display advertisements within and outside of the networks that presumably correspond to the users’ interests. For these purposes, cookies are usually stored on users’ computers in which user behavior and interests are stored. Furthermore, data can also be stored in the user profiles independently of the devices used by the users (especially if the users are members of the respective platforms and are logged in).
For a detailed presentation of the respective processing methods and options for objection (opt-out), we refer to the privacy policies and information provided by the operators of the respective networks.
Even in the case of information requests and the assertion of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to the data of the users and can directly take appropriate measures and provide information. If you still need assistance, you can contact us.
- Processed Data Types: Contact details (e.g., email, telephone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited websites, interest in content, access times). Meta, communication, and process data (e.g., IP addresses, time information, identification numbers, consent status).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Contact inquiries and communication; Feedback (e.g., collecting feedback via online form); Marketing.
- Legal Bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Additional information about processing processes, procedures, and services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR); Website: https://www.instagram.com.
Privacy Policy: https://instagram.com/about/legal/privacy.
More Information: Joint Data Processing Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data. Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of data is the sole responsibility of Meta Platforms Ireland Limited, particularly concerning the transmission of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc).
Plugins and Embedded Features and Content
We integrate functional and content elements into our online offering that are obtained from the servers of their respective providers (hereinafter collectively referred to as “third-party providers”). These may include, for example, graphics, videos, or maps (hereinafter collectively referred to as “content”).
The integration always assumes that third-party providers of this content process users’ IP addresses, as they couldn’t send the content to their browsers without the IP address. The IP address is therefore necessary for the display of this content or functionality. We strive to use only those contents whose respective providers use the IP address solely for content delivery. Third-party providers may also use so-called pixel tags (invisible graphics, also known as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information such as visitor traffic to the pages of this website. The pseudonymous information can also be stored in cookies on users’ devices and may include technical information about the browser and operating system, referring websites, visit time, as well as other information about the use of our online offering and may also be linked to such information from other sources.
- Processed data types: Usage data (e.g., visited websites, interest in content, access times); Meta, communication, and process data (e.g., IP addresses, timestamps, identification numbers, consent status); Inventory data (e.g., names, addresses); Contact data (e.g., email, phone numbers). Content data (e.g., entries in online forms).
- Affected individuals: Users (e.g., website visitors, users of online services).
- Purposes of processing: Provision of our online offering and user-friendliness.
- Legal bases: Legitimate interests (Art. 6 para. 1 sentence 1 lit. f) GDPR).
Additional information about processing procedures, procedures, and services:
- Google Fonts (access from the Google server): Access to fonts (and symbols) for the purpose of technically secure, maintenance-free, and efficient use of fonts and symbols with regard to up-to-dateness and loading times, their uniform presentation, and consideration of possible licensing restrictions. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) is transmitted, which is necessary for the provision of fonts depending on the devices used and the technical environment. This data may be processed on a server of the font provider in the USA – When users visit our online offering, their browsers send HTTP requests to the Google Fonts Web API (i.e., a software interface for accessing fonts). The Google Fonts Web API provides users with the Cascading Style Sheets (CSS) of Google Fonts and then the fonts specified in the CSS. These HTTP requests include (1) the IP address used by the respective user to access the Internet, (2) the requested URL on the Google server, and (3) the HTTP headers, including the user agent describing the browser and operating system versions of the website visitors, as well as the referrer URL (i.e., the webpage where the Google font is to be displayed). IP addresses are neither logged nor stored on Google servers, and they are not analyzed. The Google Fonts Web API logs details of the HTTP requests (requested URL, user agent, and referrer URL). Access to this data is restricted and strictly controlled. The requested URL identifies the font families for which the user wants to load fonts. This data is logged so that Google can determine how often a particular font family is requested. In the Google Fonts Web API, the user agent must adapt the font that is generated for the respective browser type. The user agent is primarily logged for debugging and is used to generate aggregated usage statistics that measure the popularity of font families. These aggregated usage statistics are published on the “Analytics” page of Google Fonts. Finally, the referrer URL is logged so that the data can be used for production maintenance and an aggregated report on the top integrations can be generated based on the number of font requests. According to its own information, Google does not use any of the information collected by Google Fonts to create user profiles or to display targeted advertisements;
Service Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland; Legal Basis: Legitimate Interests (Art. 6 Abs. 1 S. 1 lit. f) GDPR); Website: https://fonts.google.com/; Privacy Policy: https://policies.google.com/privacy; Basis of Third Country Data Transfer: EU-US Data Privacy Framework (DPF). Further Information: https://developers.google.com/fonts/faq/privacy?hl=en.
Created with the free Privacy Policy Generator by Dr. Thomas Schwenke