Privacy Policy
This Privacy Policy describes the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering, including the associated websites, functions, content, as well as our external online presence, such as our social media profile (hereinafter collectively referred to as the “online offering”). Definitions of terms used in this Privacy Policy can be found in the “Definitions” section below and are based on Article 4 of the General Data Protection Regulation (GDPR).
Controller
Büro für Diskriminierungskritische Arbeit Stuttgart e.V.
Burgenlandstr. 15
70469 Stuttgart
Germany
Tel: +49 (0711) 2372682
Legal responsibility pursuant to German Press Law (v.i.S.d.P.): Eden Mengis, Susanne Belz
Legal notice (Imprint): https://bfda.de/impressum/
Data protection inquiries to: verwaltung@bfda.de
Types of Data Processed
– Inventory data (e.g. names, addresses)
– Contact data (e.g. email addresses, telephone numbers)
– Content data (e.g. text entries, photographs, videos)
– Usage data (e.g. websites visited, interest in content, access times)
– Metadata/communication data (e.g. device information, IP addresses)
Categories of Data Subjects
Visitors and users of the online offering (hereinafter collectively referred to as “users”).
Purposes of Processing
– Provision of the online offering, its functions and content
– Responding to contact requests and communication with users
– Security measures
– Reach measurement/marketing
Definitions
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”). A natural person is considered identifiable if they can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier (e.g. cookie), or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
“Processing” means any operation or set of operations performed on personal data, whether or not by automated means. The term is broad and covers virtually any handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures ensuring that the personal data is not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning work performance, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.
The “controller” is the natural or legal person, public authority, agency, or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
A “processor” is a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Applicable Legal Bases
In accordance with Article 13 GDPR, we inform you of the legal bases for our data processing activities. Unless otherwise stated in this Privacy Policy, the following applies:
– The legal basis for obtaining consent is Article 6(1)(a) and Article 7 GDPR.
– The legal basis for processing data for the performance of our services, contractual measures, and responding to inquiries is Article 6(1)(b) GDPR.
– The legal basis for processing data to fulfill legal obligations is Article 6(1)(c) GDPR.
– The legal basis for processing data to safeguard our legitimate interests is Article 6(1)(f) GDPR.
– If processing personal data is necessary to protect vital interests of the data subject or another natural person, Article 6(1)(d) GDPR serves as the legal basis.
Security Measures
In accordance with Article 32 GDPR and taking into account the state of the art, implementation costs, the nature, scope, context and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access, input, disclosure, availability and separation of data. We have also established procedures to ensure the exercise of data subject rights, deletion of data and responses to data breaches. Furthermore, we take the protection of personal data into account during the development or selection of hardware, software and processes, in accordance with the principles of data protection by design and by default (Article 25 GDPR).
Cooperation with Processors and Third Parties
If, within the scope of our processing activities, we disclose data to other persons or companies (processors or third parties), transfer data to them, or otherwise grant them access to the data, this is done only on the basis of legal permission (e.g. if the transfer of data to third parties such as payment service providers is necessary for contract performance pursuant to Article 6(1)(b) GDPR), your consent, a legal obligation, or our legitimate interests (e.g. use of contractors or web hosts).
Where we commission third parties to process data on the basis of a so-called “data processing agreement,” this is done on the basis of Article 28 GDPR.
Transfers to Third Countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this occurs in the context of using third-party services or disclosing or transferring data to third parties, this is done only where necessary to fulfill our (pre-)contractual obligations, on the basis of your consent, a legal obligation or our legitimate interests.
Subject to legal or contractual permissions, we process or have data processed in a third country only where the special requirements of Articles 44 et seq. GDPR are met. This means, for example, processing on the basis of specific safeguards, such as an officially recognized determination of a level of data protection equivalent to that of the EU (e.g. for the USA through the “Privacy Shield”) or compliance with officially recognized contractual obligations (so-called “Standard Contractual Clauses”).
Rights of Data Subjects
You have the right to request confirmation as to whether data concerning you is being processed and to obtain information about such data, as well as further information and a copy of the data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to request the completion of data concerning you or the correction of inaccurate data concerning you.
In accordance with Article 17 GDPR, you have the right to request the immediate deletion of data concerning you or, alternatively, pursuant to Article 18 GDPR, to request the restriction of processing of the data.
You have the right to receive the data concerning you that you have provided to us in accordance with Article 20 GDPR and to request its transmission to another controller.
Furthermore, pursuant to Article 77 GDPR, you have the right to lodge a complaint with the competent supervisory authority.
Right to Withdraw Consent
You have the right to withdraw consent granted pursuant to Article 7(3) GDPR with effect for the future.
Right to Object
You may object at any time to the future processing of data concerning you in accordance with Article 21 GDPR. In particular, you may object to processing for direct marketing purposes.
Cookies and Right to Object to Direct Advertising
“Cookies” are small files that are stored on users’ computers. Different types of information can be stored within cookies. A cookie primarily serves to store information about a user (or the device on which the cookie is stored) during or after their visit to an online offering.
Temporary cookies, also known as “session cookies” or “transient cookies,” are deleted after a user leaves an online offering and closes their browser. Such a cookie may, for example, store the contents of a shopping cart in an online store or a login status.
“Permanent” or “persistent” cookies remain stored even after the browser is closed. For example, the login status can be saved when users revisit the site after several days. Likewise, users’ interests may be stored in such cookies for audience measurement or marketing purposes.
“Third-party cookies” are cookies offered by providers other than the controller operating the online offering (otherwise, if they are only the controller’s own cookies, they are referred to as “first-party cookies”).
We may use temporary and permanent cookies and provide information about this in the context of this Privacy Policy.
If users do not wish cookies to be stored on their computer, they are asked to disable the corresponding option in their browser system settings. Stored cookies can be deleted in the browser settings. Excluding cookies may result in functional limitations of this online offering.
A general objection to the use of cookies employed for online marketing purposes can be declared for many services, particularly in the case of tracking, via the US website AboutAds.info (http://www.aboutads.info/choices/) or the EU website Your Online Choices (http://www.youronlinechoices.com/). Furthermore, cookie storage can be prevented by disabling cookies in the browser settings. Please note that, in this case, not all functions of this online offering may be available.
Deletion of Data
The data processed by us will be deleted or restricted in accordance with Articles 17 and 18 GDPR. Unless expressly stated otherwise within this Privacy Policy, data stored by us will be deleted as soon as it is no longer required for its intended purpose and no statutory retention obligations prevent deletion. If the data is not deleted because it is required for other legally permissible purposes, its processing will be restricted. This means the data will be blocked and not processed for other purposes. This applies, for example, to data that must be retained for commercial or tax law reasons.
According to legal requirements in Germany, retention periods are generally:
– 10 years pursuant to Sections 147(1) AO and 257(1) Nos. 1 and 4, (4) HGB (books, records, management reports, accounting records, commercial books, tax-relevant documents, etc.)
– 6 years pursuant to Section 257(1) Nos. 2 and 3, (4) HGB (commercial correspondence)
According to legal requirements in Austria, retention periods are generally:
– 7 years pursuant to Section 132(1) BAO (accounting documents, invoices, accounts, receipts, business papers, income and expenditure records, etc.)
– 22 years in connection with real estate
– 10 years for records relating to electronically supplied services, telecommunications, radio, and television services provided to non-business customers in EU member states for which the Mini-One-Stop-Shop (MOSS) system is used
Provision of Our Statutory and Business Services
We process the data of our members, supporters, interested parties, customers, or other persons in accordance with Article 6(1)(b) GDPR where we offer contractual services to them or act within the framework of existing business relationships, e.g. with members, or where we ourselves are recipients of services and benefits. Otherwise, we process the data of data subjects pursuant to Article 6(1)(f) GDPR on the basis of our legitimate interests, e.g. where administrative tasks or public relations work are concerned.
The data processed in this context, the type, scope, purpose, and necessity of processing are determined by the underlying contractual relationship. This generally includes personal master data (e.g. name, address, etc.), contact data (e.g. email address, telephone number, etc.), contract data (e.g. services used, communicated content and information, names of contact persons), and, where we offer paid services or products, payment data (e.g. bank details, payment history, etc.).
We delete data that is no longer required for the fulfillment of our statutory and business purposes. This is determined according to the respective tasks and contractual relationships. In the case of business processing, we retain the data for as long as it may be relevant for business processing and with regard to any warranty or liability obligations. The necessity of retaining the data is reviewed every three years; otherwise, the statutory retention obligations apply.
Contacting Us
When users contact us (e.g. via contact form, email, telephone, or social media), their information is processed in order to handle and resolve the contact inquiry pursuant to Article 6(1)(b) GDPR. User information may be stored in a Customer Relationship Management System (“CRM system”) or a comparable inquiry organization system.
We delete inquiries if they are no longer required. We review the necessity every two years. Furthermore, statutory archiving obligations apply.
Hosting and Email Services
The hosting services we use serve to provide the following services: infrastructure and platform services, computing capacity, storage space and database services, email dispatch, security services, and technical maintenance services used for the operation of this online offering.
In doing so, we or our hosting provider process master data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties, and visitors to this online offering on the basis of our legitimate interests in the efficient and secure provision of this online offering pursuant to Article 6(1)(f) GDPR in conjunction with Article 28 GDPR (conclusion of a data processing agreement).
Collection of Access Data and Log Files
We, or our hosting provider, collect data about every access to the server on which this service is located on the basis of our legitimate interests within the meaning of Article 6(1)(f) GDPR (so-called server log files). The access data includes the name of the retrieved webpage, file, date and time of retrieval, amount of data transferred, notification of successful retrieval, browser type and version, the user’s operating system, referrer URL (the previously visited page), IP address, and the requesting provider.
Log file information is stored for security reasons (e.g. to investigate misuse or fraud) for a maximum period of 7 days and then deleted. Data whose further retention is required for evidentiary purposes is exempt from deletion until the respective incident has been conclusively clarified.
Online Presences on Social Media
We maintain online presences within social networks and platforms in order to communicate with customers, interested parties, and users active there and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and data processing policies of the respective operators apply.
Unless otherwise stated within this Privacy Policy, we process users’ data where they communicate with us within social networks and platforms, e.g. by posting on our online presences or sending us messages.
Integration of Third-Party Services and Content
Within our online offering, we use content or service offerings from third-party providers on the basis of our legitimate interests (i.e. interest in the analysis, optimization, and economic operation of our online offering within the meaning of Article 6(1)(f) GDPR) in order to integrate their content and services, such as videos or fonts (hereinafter collectively referred to as “content”).
This always requires that the third-party providers of such content process users’ IP addresses, since they could not send the content to users’ browsers without the IP address. The IP address is therefore required for displaying this content. We endeavor to use only such content whose respective providers use the IP address solely for the delivery of the content.
Third-party providers may also use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. Through such “pixel tags,” information such as visitor traffic on the pages of this website can be analyzed. The pseudonymous information may also be stored in cookies on users’ devices and may include technical information about the browser and operating system, referring websites, visit times, and other information regarding the use of our online offering, as well as being linked with such information from other sources.
