Introduction
With the following privacy policy, we want to inform you about the types of your personal data (hereinafter also referred to as “data”) we process, for what purposes, and to what extent. The privacy policy applies to all processing of personal data carried out by us, both in the context of providing our services and especially on our websites, mobile applications, and external online presences, such as our social media profiles (hereinafter collectively referred to as “online offerings”).
The terms used are not gender-specific.
Date: October 4, 2022
Data Controller
Quirin H. Zießler Lower Hindenburgstr. 6 91611, Lehrberg Germany
Email Address: quirin@ziessler.com Imprint: ziessler.com/imprint/
Overview of Processing
The following overview summarizes the types of data processed and the purposes of their processing, as well as the individuals concerned.
- Types of Processed Data
- Inventory data.
- Contact data.
- Content data.
- Usage data.
- Meta-/communication data.
- Categories of Data Subjects
- Communication partners.
- Users.
- Purposes of Processing
- Provision of contractual services and customer service.
- Contact inquiries and communication.
- Security measures.
- Reach measurement.
- Management and response to inquiries.
- Feedback.
- Marketing.
- Profiles with user-related information.
- Provision of our online offering and user-friendliness.
- Information technology infrastructure.
Relevant Legal Bases
Below, you will find an overview of the legal bases of the GDPR on which we process personal data. Please note that, in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or establishment. Furthermore, in specific cases, more specific legal bases may be relevant, and we will inform you of these in the data protection declaration.
- Contractual Performance and Pre-contractual Inquiries (Art. 6(1)(b) GDPR) Processing is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures requested by the data subject.
- Legitimate Interests (Art. 6(1)(f) GDPR) Processing is necessary to protect the legitimate interests of the data controller or a third party, except where the interests or fundamental rights and freedoms of the data subject requiring the protection of personal data prevail.
In addition to the data protection regulations of the General Data Protection Regulation (GDPR), national data protection regulations apply in Germany. This includes, in particular, the Law for the Protection against the Misuse of Personal Data in Data Processing (Bundesdatenschutzgesetz – BDSG). The BDSG contains specific regulations regarding the right to information, the right to deletion, the right to object, the processing of special categories of personal data, processing for other purposes, and transmission as well as automated decision-making on an individual basis, including profiling. Furthermore, it regulates data processing for employment purposes (§ 26 BDSG), especially concerning the establishment, execution, or termination of employment relationships and the consent of employees. In addition, data protection laws of individual federal states (Landesdatenschutzgesetze) may also apply.
Security measures
In accordance with legal requirements, and taking into account the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include, in particular, ensuring the confidentiality, integrity, and availability of data by controlling physical and electronic access to the data, as well as access, input, disclosure, availability, and separation of the data in question. We have also established procedures to ensure the exercise of data subject rights, data deletion, and responses to data breaches. Furthermore, we take data protection into account in the development or selection of hardware, software, and procedures, in accordance with the principle of data protection by design and by default.
TLS encryption (https): To protect the data you transmit via our online offering, we use TLS encryption. You can recognize such encrypted connections by the prefix https:// in your browser’s address bar.
Transfer of Personal Data
In the course of our processing of personal data, it may happen that the data is transferred to other entities, companies, legally independent organizational units, or individuals or disclosed to them. Recipients of this data may include service providers responsible for IT tasks or providers of services and content that are integrated into a website. In such cases, we comply with legal requirements and, in particular, conclude appropriate contracts or agreements with the recipients of your data to protect your data.
Data Processing in Third Countries
If we process data in a third country (i.e., outside the European Union (EU) or the European Economic Area (EEA)) or if data processing occurs in the context of using third-party services or the disclosure or transfer of data to other individuals, entities, or companies, this only takes place in compliance with legal requirements. Subject to explicit consent or the contractual or legal requirement for data transfer, we process or allow data to be processed in third countries with recognized data protection standards, contractual obligations through EU Commission standard data protection clauses, in the presence of certifications, or binding corporate rules (Art. 44 to 49 GDPR, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Deletion of Data
The data we process is deleted in accordance with legal requirements as soon as the consents permitting its processing are revoked or other permissions cease to apply (e.g., when the purpose of processing this data no longer applies or the data is not required for that purpose). If the data is not deleted because it is required for other, legally permissible purposes, its processing is restricted to those purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law, or whose storage is necessary for the assertion, exercise, or defense of legal claims or for the protection of the rights of another natural or legal person. Our privacy notices may also contain further information on the retention and deletion of data, which takes precedence for the respective processing operations.
Use of Cookies
Cookies are small text files or other storage mechanisms that store information on end devices and retrieve information from end devices. For example, they store information such as the login status in a user account, the contents of a shopping cart in an e-shop, accessed content, or used features of an online offering. Cookies can also be used for various purposes, such as ensuring the functionality, security, and convenience of online offerings and for analyzing visitor flows.
Consent Information: We use cookies in accordance with legal requirements. Therefore, we obtain prior consent from users, unless it is not legally required. Consent is not necessary, in particular, when storing and retrieving information, including cookies, is absolutely necessary to provide users with a telemedia service (our online offering) that they expressly request. Revocable consent is clearly communicated to users and includes information on the respective use of cookies.
Information on Data Protection Legal Bases: The legal basis on which we process users’ personal data using cookies depends on whether we request consent from users. If users consent, the legal basis for processing their data is the declared consent. Otherwise, data processed using cookies is processed on the basis of our legitimate interests (e.g., the efficient operation of our online offering and improving its usability) or, where the use of cookies is necessary to fulfill our contractual obligations, on that basis. We will inform users about the purposes for which we process cookies in this privacy policy or as part of our consent and processing procedures.
Storage Duration: With regard to the storage period, the following types of cookies are distinguished:
- Temporary Cookies (also: Session Cookies): Temporary cookies are deleted at the latest after a user leaves an online offering and closes their end device (e.g., browser or mobile application).
- Persistent Cookies: Persistent cookies remain stored even after closing the end device. For example, login status can be saved, or preferred content can be displayed immediately when the user revisits a website. Data collected from users through cookies can also be used for reach measurement. If we do not provide explicit information about the type and storage duration of cookies (e.g., as part of obtaining consent), users should assume that cookies are permanent and can have a storage duration of up to two years.
- General Information on Withdrawal and Objection (Opt-Out): Users can revoke their consent at any time and also object to processing in accordance with the legal requirements under Art. 21 GDPR. Users can also declare their objection via their browser settings, e.g., by deactivating the use of cookies (which may also limit the functionality of our online services). An objection to the use of cookies for online marketing purposes can also be made through the websites https://optout.aboutads.info and https://www.youronlinechoices.com/.
Additional Information on Processing Procedures, Processes, and Services:
- Processing of Cookie Data Based on Consent: We use a cookie consent management process, within which users’ consents to the use of cookies and the processing mentioned in the cookie consent management process are obtained and managed and can be revoked by users. The consent declaration is stored so that it does not need to be repeated and to be able to prove consent in accordance with legal obligations. Storage can be done server-side and/or in a cookie (so-called opt-in cookie, or using comparable technologies) to be able to associate consent with a user or their device. Subject to individual information from the providers of cookie management services, the following information applies: The duration of consent storage can be up to two years. A pseudonymous user identifier is created, and the time of consent, information about the scope of consent (e.g., which categories of cookies and/or service providers), as well as the browser, system, and end device used, is stored.
Provision of the Online Offering and Web Hosting
We process user data to provide our online services. To do this, we process the user’s IP address, which is necessary to transmit the content and functions of our online services to the user’s browser or device.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of our online offering and user-friendliness; Information technology infrastructure (operation and provision of information systems and technical equipment (computers, servers, etc.)); Security measures.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Additional Information on Processing Procedures, Processes, and Services:
- Provision of Online Offer on Rented Storage Space: For the provision of our online offering, we use storage space, computing capacity, and software that we rent or otherwise obtain from a server provider (also referred to as “web hoster”); Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Collection of Access Data and Log Files: Access to our online offering is logged in the form of so-called “server log files.” Server log files may include the address and name of the accessed web pages and files, date and time of access, transmitted data volumes, message about successful access, browser type and version, the user’s operating system, referrer URL (the previously visited page), and usually IP addresses and the requesting provider.
Server log files can be used for security purposes, such as avoiding server overload (especially in the case of abusive attacks, known as DDoS attacks), and for ensuring server performance and stability; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Data Deletion: Log file information is stored for a maximum of 30 days and then deleted or anonymized. Data that needs to be retained for evidentiary purposes is exempt from deletion until the respective incident is finally resolved.
Blogs and Publication Media
We use blogs or similar means of online communication and publication (hereinafter referred to as “publication medium”). User data is only processed for the purposes of the publication medium to the extent necessary for its display and communication between authors and readers or for security reasons. For other information on the processing of visitors to our publication medium, please refer to the information in these privacy notices.
- Processed Data Types: Master data (e.g., names, addresses); Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Provision of contractual services and customer service; Feedback (e.g., collecting feedback via online forms); Provision of our online offering and user-friendliness; Security measures; Management and response to inquiries.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Additional Information on Processing Procedures, Processes, and Services:
- Comments and Posts: When users leave comments or other posts, their IP addresses may be stored based on our legitimate interests. This is done for our protection in case someone leaves illegal content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we may be held liable for the comment or post and are therefore interested in the author’s identity. Furthermore, we reserve the right to process user information for the purpose of spam detection based on our legitimate interests.
On the same legal basis, we reserve the right to store users’ IP addresses for the duration of surveys and to use cookies to prevent multiple votes.
The information about the person provided in the comments and posts, as well as any contact and website information and the content-related information, are permanently stored by us until the user objects; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
Contact and Inquiry Management
When contacting us (e.g., via contact form, email, phone, or social media) and within existing user and business relationships, the information of the inquiring individuals is processed to the extent necessary to respond to inquiries and any requested measures.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses).
- Data Subjects: Communication partners.
- Purposes of Processing: Contact inquiries and communication; Management and response to inquiries; Feedback (e.g., collecting feedback via online forms); Provision of our online offering and user-friendliness.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Fulfillment of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR).
- Additional Information on Processing Procedures, Processes, and Services:
- Contact Form: When users contact us through our contact form, email, or other communication channels, we process the data provided to us in this context to address the matter communicated; Legal Bases: Fulfillment of a contract and pre-contractual inquiries (Art. 6(1)(b) GDPR), Legitimate interests (Art. 6(1)(f) GDPR).
Web Analysis, Monitoring, and Optimization
Web analysis (also referred to as “reach measurement”) is used to evaluate visitor traffic to our online offering and may include pseudonymous values that cover behavior, interests, or demographic information about visitors, such as age or gender. Reach analysis allows us to, for example, identify when our online offering or its features or content are most frequently used or revisited. It also enables us to determine which areas need optimization. In addition to web analysis, we may also use test procedures to test and optimize different versions of our online offering or its components. Unless otherwise stated below, profiles, i.e., data combined for a usage process, can be created for these purposes, and information can be stored in and retrieved from a browser or an end device. Information collected includes, in particular, visited web pages and elements used there, as well as technical details such as the browser used, the computer system used, and information about usage times. If users have consented to the collection of their location data, either to us or to the providers of the services we use, location data can also be processed. User IP addresses are also stored. However, we use an IP masking procedure (i.e., pseudonymization through the shortening of the IP address) to protect users. In general, clear user data (e.g., email addresses or names) is not stored in the context of web analysis, A/B testing, and optimization, but rather pseudonyms. This means that we and the providers of the software used do not know the actual identity of users, only the information stored in their profiles for the respective procedures.
- Processed Data Types: Usage data (e.g., visited web pages, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Reach measurement (e.g., access statistics, identification of recurring visitors); Profiles with user-related information (creation of user profiles).
- Security Measures: IP masking (pseudonymization of IP address).
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Additional Information on Processing Procedures, Processes, and Services:
- Matomo (without cookies): Matomo is a privacy-friendly web analysis software that is used without cookies. It identifies recurring users using a “digital fingerprint,” which is stored anonymously and changed every 24 hours. The “digital fingerprint” captures user movements within our online offering using pseudonymized IP addresses in combination with user-side browser settings in such a way that conclusions about the identity of individual users are not possible. The data collected from the use of Matomo is only processed by us and is not shared with third parties; Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://matomo.org/.
Social Media Presence
We maintain online presences within social networks and process user data in this context to interact with users active on these platforms or to provide information about us. We would like to point out that user data may be processed outside the European Union. This may pose risks to users because, for example, the enforcement of user rights could be more challenging. Furthermore, user data within social networks is generally processed for market research and advertising purposes. Usage profiles can be created based on user behavior and resulting interests. These usage profiles can, in turn, be used to display advertisements within and outside the networks that presumably correspond to users’ interests. For these purposes, cookies are typically stored on users’ computers, in which user behavior and interests are stored. In addition, data may be stored in user profiles independently of the devices used by users, especially if users are members of the respective platforms and are logged in. For a detailed description of the respective processing methods and opt-out options, please refer to the privacy policies and information provided by the operators of the respective social networks. Even in the case of requests for information and the exercise of data subject rights, we would like to point out that these can be most effectively asserted with the providers. Only the providers have access to user data and can take direct measures and provide information. If you still require assistance, you can contact us.
- Processed Data Types: Contact data (e.g., email, phone numbers); Content data (e.g., entries in online forms); Usage data (e.g., visited web pages, interest in content, access times); Meta-/communication data (e.g., device information, IP addresses).
- Data Subjects: Users (e.g., website visitors, users of online services).
- Purposes of Processing: Contact requests and communication; Feedback (e.g., collecting feedback via online forms); Marketing.
- Legal Bases: Legitimate interests (Art. 6(1)(f) GDPR).
- Additional Information on Processing Procedures, Processes, and Services:
- Instagram: Social network; Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
- Facebook Pages: Profiles within the social network Facebook - We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content that users view or interact with, or actions they take (see “Things you and others do and provide” in Facebook’s data policy: https://www.facebook.com/policy), as well as information about the devices used by users (e.g., IP addresses, operating system, browser type, language settings, cookie data; see “Device information” in Facebook’s data policy: https://www.facebook.com/policy). As explained in Facebook’s data policy under “How do we use this information?” Facebook also collects and uses information to provide analysis services, so-called “Page Insights,” to page operators to provide insights into how people interact with their pages and associated content. We have entered into a special agreement with Facebook (“Information on Page Insights,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates, among other things, the security measures Facebook must observe, and Facebook has agreed to comply with the rights of data subjects (i.e., users can, for example, direct requests for information or deletion directly to Facebook). The rights of users (in particular, the right to information, deletion, objection, and complaint to the competent supervisory authority) are not restricted by the agreements with Facebook. Further information can be found in the “Information about Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); Service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Standard Contractual Clauses (Ensuring Data Protection Level in Processing in Third Countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Additional Information: Joint Responsibility Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data. Joint responsibility is limited to the collection and transmission of data to Meta Platforms Ireland Limited, a company based in the EU. The further processing of the data is the sole responsibility of Meta Platforms Ireland Limited, especially concerning the transfer of data to the parent company Meta Platforms, Inc. in the USA (based on the standard contractual clauses concluded between Meta Platforms Ireland Limited and Meta Platforms, Inc.).
- LinkedIn: Social network; Service provider: LinkedIn Ireland Unlimited Company, Wilton Plaza, Wilton Place, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Website: https://www.linkedin.com; Privacy policy: https://www.linkedin.com/legal/privacy-policy; Data Processing Agreement: https://legal.linkedin.com/dpa; Standard Contractual Clauses (Ensuring Data Protection Level in Processing in Third Countries): https://legal.linkedin.com/dpa; Opt-Out Option: https://www.linkedin.com/psettings/guest-controls/retargeting-opt-out.
- Twitter: Social network; Service provider: Twitter International Company, One Cumberland Place, Fenian Street, Dublin 2 D02 AX07, Ireland, Parent Company: Twitter Inc., 1355 Market Street, Suite 900, San Francisco, CA 94103, USA; Legal basis: Legitimate interests (Art. 6(1)(f) GDPR); Privacy policy: https://twitter.com/privacy, (Settings: https://twitter.com/personalization).
Amendment and Update of the Privacy Policy
We kindly request that you regularly inform yourself about the content of our privacy policy. We update the privacy policy whenever changes in the data processing we conduct make it necessary. We will inform you when the changes require your action (e.g., consent) or other individual notification. Please note that if we provide addresses and contact information of companies and organizations in this privacy policy, these addresses may change over time, so we recommend verifying the information before contacting them.
Rights of Data Subjects
As data subjects, you have various rights under the GDPR, particularly stemming from Articles 15 to 21 of the GDPR:
- Right to Object: You have the right to object at any time, for reasons arising from your particular situation, to the processing of personal data concerning you that is based on Article 6(1)(e) or (f) GDPR, including profiling based on these provisions. If personal data concerning you is processed for direct marketing purposes, you have the right to object at any time to the processing of that data for such marketing, including profiling related to such direct marketing.
- Right to Withdraw Consent: You have the right to withdraw any consent you have given at any time.
- Right to Information: You have the right to request confirmation of whether relevant data is being processed and information about this data and a copy of the data, in accordance with legal requirements.
- Right to Rectification: According to legal requirements, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
- Right to Erasure and Restriction of Processing: In accordance with legal requirements, you have the right to demand that data concerning you be erased without delay, or alternatively, to demand restriction of data processing.
- Right to Data Portability: You have the right to receive data concerning you that you have provided to us, in accordance with legal requirements, in a structured, commonly used, and machine-readable format, or to request its transmission to another data controller.
- Complaint to the Supervisory Authority: Regardless of any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, your place of work, or the place of the alleged infringement if you consider that the processing of personal data concerning you violates the requirements of the GDPR.
Definitions
In this section, you will find an overview of the terminology used in this privacy policy. Many of the terms are taken from the law and are primarily defined in Article 4 of the GDPR. The legal definitions are binding. The following explanations are intended to assist in understanding. The terms are listed alphabetically.
- Personal Data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g., cookie), or one or more specific characteristics identifying the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Profiles with User-Related Information: The processing of “profiles with user-related information,” or simply “profiles,” includes any type of automated processing of personal data that involves using this personal data to analyze, assess, or predict certain personal aspects related to a natural person (depending on the type of profiling, various information concerning demographics, behavior, and interests, such as interactions with websites and their content, etc., may be involved). Cookies and web beacons are often used for profiling purposes.
- Reach Measurement: Reach measurement (also known as web analytics) is used to evaluate the visitor flow of an online offering and can include the behavior or interests of visitors in specific information, such as content on websites. With reach analysis, website owners can identify, for example, when visitors are accessing their website and what content they are interested in. To conduct reach analysis, pseudonymous cookies and web beacons are often used to recognize returning visitors and obtain more precise analysis of the use of an online offering.
- Controller: The term “controller” refers to the natural or legal person, authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Processing: “Processing” is any operation or set of operations that are performed on personal data, whether or not by automated means. The term is broad and includes almost any handling of data, such as collecting, evaluating, storing, transmitting, or deleting it.
Created with the free Datenschutz-Generator.de by Dr. Thomas Schwenke