I. Preliminary remarks
The Operator takes the protection of your data very seriously and complies with the data protection laws. These laws serve the protection of natural persons with regard to the processing of personal data, which is any information relating to an identified or identifiable natural person. Such data will be processed only to the extent that is required for the performance of any contract or the provisioning and improvement of the Platform. The processing for the performance of the contract is effected only if you initiate or complete a contract with the Operator. In this respect, reference is made to the User Contract. The processing for provisioning and improvement is carried out only if it is provided below or with separate consent, ordered by government authorities or court order or otherwise provided by law. The data is processed by the Operator only in the Member States of the European Union (EU). In particular, the data processing Internet servers of the Operator are located in the Member States of the EU. There is generally no transfer to a third country or an international organization.
II. Data processing
Your data will be processed both independent of and dependent on a form. Form-dependent data represents data entered in a form on the Platform. Form-independent data is data that you also leave behind on the servers of the Operator without entering it in a form. You may also leave behind form-independent data on the servers of the Operator when you use an app or the web page of a customer of the Operator. This data, however, is processed by the Operator only on behalf of its customer responsible for the processing of data. You may find the data privacy notice of this customer on the respective app or website.
1. Form-dependent processing
The data you enter in a form on the Platform is processed when using the form, in particular after submitting the form. This includes contact details and, if you are a customer of the Operator, your customer account data. Personal data that you provide on a designated form is generally transmitted in encrypted form to the server of the Operator.
a) Contact form
If you contact the Operator via a form, the data entered in the contact form will be encrypted on the server of the Operator and transmitted to the Operator by email. There is no further automated processing of your personal data in this respect. The personal data transmitted about your person will be used only for processing your request. If the request is in connection with data processing that the Operator carries out on behalf of a customer, the Operator will transmit your request in encrypted form to the respective customer. Responses are generally sent by email, which will also be transmitted in encrypted form insofar as your mail service provider supports this feature. After final processing of the request, your personal data that you entered in the contact form or in a response to the Operator will be deleted. This does not apply if the data is still required for the performance of the contract or statutory retention obligations. In this respect, however, the processing of your data is restricted.
b) Customer account
A customer account will be set up for you as a customer of the Operator. In this respect, the data provided in the User Contract and, if applicable, subsequently entered in forms in the customer account, in particular your contact and campaign data, will be stored on the servers of the Operator. You may view the stored data at any time in the customer account as well as edit and complete it by means of the forms in the settings. You can, of course, also personally contact the Operator for example by using the aforementioned email address. The same applies to the erasure of the customer account. However, your data may be erased only if it is no longer required for the performance of the contract or is not subject to statutory retention obligations. In the meantime, the processing of your data is restricted and, in particular, the customer account will be locked.
2. Form-independent processing
The data that the Operator requires for the provision or improvement of the Platform is processed independent of a form. This may include in particular browser cookies, mobile identifiers and access protocols, the data being generally transferred in encrypted form.
a) Browser cookies
b) Mobile identifier
It is also possible to deliver advertising in mobile applications (apps) via the Platform. For this purpose, the apps may use a mobile identifier that is provided by the operating system of your device (Apple iOS or Google Android). This identifier ultimately corresponds with the advertising ID from a cookie. This means that the identifier can be assigned to advertising categories in order to customise the advertising in the apps appropriately to target groups and interests. However, the categories always apply to a larger group of people. Therefore, the Operator cannot identify you as a person by means of the identifier as such or by the assigned categories. Customers for which the Operator delivers the advertising may also use the identifier and assign their own ID to advertising categories. In this respect, however, the respective customer is responsible for the processing of data. The Operator itself cannot read, modify or delete the identifier. However, you may prevent the use of the identifier by selecting the appropriate settings in the app or your operating system. In this case, you may not be able to use all the features of the app or system. The same also applies to changing or deleting the identifier depending on the application and operating system. Reference is made to the data privacy statements of the respective app and your system for details.
c) Access protocols
The use of the Platform and the advertising delivery are statistically analysed. For this purpose and in order to prevent abuse of the Platform, the Operator creates an access protocol. The number of accesses to the Platform and the retrieval of stored advertising are stored in the protocol. This includes data that is transmitted when establishing a connection between your browser and the Platform. In other words, this includes your IP address, the time of your access or retrieval, the ID in a Platform cookie or the mobile identifier, which address (URL) was accessed, whether the access was successful and the size of the data transferred by the Platform. Insofar as your browser transmits the corresponding data, the previous address (referrer) as well as information about the used operating system and browser (e.g. saved version) is also stored. You may prevent the transfer of this data by adjusting the settings of your browser, however. The protocols are also statistically analysed for customers that use the Platform for advertising delivery. The analysis shows which advertising was delivered and when and to which web page or which app. This means that the logged data is visible only to a limited extent. In particular, the last octet of the IP address is redacted. Such an analysis therefore does not allow the identification of your person. To prevent abuse, the protocols are encrypted and stored separately from the statistics. The protocols are decrypted and merged with other data only in definite cases of suspected abuse. In such cases the Executive Board and the Data Protection Officer of the Operator, and possibly the affected customer, are consulted. The logs will be deleted as soon as they are no longer necessary to prevent abuse. At the latest, they are deleted three months after the end of the calendar month in which the data was logged.
d) Social networks
e) Embedded content
III. Joint processing
We work with service providers to improve the user experience of the website and to get a better understanding of the users of our site. In addition, these providers may assist us with promotional activities. We allow certain partners, subject to your consent, to collect data on this website through the cookies described above. With some of these partners, we are joint data controllers within the meaning of data protection law (Art. 26 GDPR). This joint control relates to the collection and transfer of data to us. The following partners and we are currently joint controllers:
Piwik Pro GmbH – Kurfürstendamm 21, 10719 Berlin – Data privacy
We and our partners have divided certain tasks and activities among ourselves as part of our joint control. The allocation is as follows:
The partners provide us with a technical solution (herein Tag), which we install on our offers. This Tag enables the collection of the data described in more detail above. In addition, our partners support us, in particular in the processing of data subject inquiries.
We take over the collection of consents and/or the implementation of transparency requirements towards you. We pass this information on to the partner in order to communicate the scope and permissibility of the data processing. This also includes this information about the cooperation with partners.
In particular, we and the partners will ensure that the necessary data security is in place. Both we and our partner will also fulfil our reporting and notification obligations individually, but will support and inform us to the extent necessary.
You can exercise your rights as a data subject described below both towards us and towards our partner. We and our partner are liable for any processing that does not comply with the provisions of the GDPR in accordance with Art. 82 GDPR.
Do any questions on the subject of joint responsibility remain? We would be happy to provide you with further information on our cooperation with specific partners.
IV. Your rights
If you are affected by processing of your personal data, you have rights vis-à-vis the party responsible for the data processing in accordance with data protection regulations. You can contact the Operator at any time in order to assert these rights for example by email to the aforementioned address. The same applies in the case of other questions regarding data protection by the Operator. In addition to the Operator, you may also contact the Data Protection Officer of the Operator: Attorney-at-Law Daniel Raimer, LL.M. at the Law Offices of Daniel Raimer in Düsseldorf. The contact details of the Data Protection Officer are available on his website’s Imprint page. If the data processing is carried out on behalf of a customer of the Operator, please do not hesitate to contact this customer at any time; reference is made to the imprint of the respective app and/or website that you use for the customer’s contact information. When initiating contact concerning advertising on the Internet, you should specify the following information in order to permit a classification:
When contacting the party in a different context, please also specify the information that may facilitate classification in the respective context (e.g. your customer number if you are a customer).
1. Right of revocation
You have the right to revoke any consent to data processing at any time. Revoking your consent will not affect the lawfulness of the processing carried out until the revocation of the consent.
2. Right of objection
For reasons arising from your specific situation, you have the right to object to the processing of personal data relating to you that is necessary to carry out a task in the public interest or to safeguard the legitimate interests of the Operator. The Operator will cease processing the personal data unless the Operator can provide legitimate and compelling reasons for the processing that outweigh your interests, rights and freedoms or the processing serves the establishment, exercise or defence of legal claims.
If your data is processed for direct marketing purposes, you have the right to object to the data processing for the purpose of such advertising at any time. If you object to the processing for purposes of direct marketing, your personal data will no longer be processed for these purposes.
You can submit your objection to the processing of cookies for advertising purposes via the following link:
Doing so will create an opt-out cookie. This cookie prevents your browser from storing cookies with an advertising ID or otherwise assigning you to advertising categories. An already existing Operator ID will be deleted. As a result, customers of the Operator may also no longer be able to assign a separate ID or advertising categories to you. The use of the opt-out cookie requires, of course, that the corresponding settings in your browser do not prevent the storage or deletion of cookies, so after deleting an opt-out cookie you would also need to resubmit the objection. If an opt-out cookie is set in your browser, you can also undo this again via the following link:
Furthermore, the Operator considers it to be an objection to data processing for advertising purposes if you activate the do-not-track option in your browser settings. If you prevent the use of a mobile identifier in the settings of your mobile device (smartphone/tablet), it is no longer used for advertising delivery via the app(s) of the respective device. This setting does not affect cookies that are stored in the browser of the same device. You would thus need to submit separately an objection to the processing of such cookies (e.g. by using the above linked advertising preference management via the browser of the device).
Your right to contact the Operator or its customers personally will, of course, remain unaffected.
3. Right of appeal
You have the right to file a complaint with a supervisory authority if you are of the opinion that the processing of your personal data violates statutory regulations. The responsible authority at the location of the Operator is the state representative for data privacy and information freedom Baden-Württemberg in Stuttgart. The contact details are available on their web page. Your right to file a complaint with another supervisory authority, in particular in the Member State of your residence, place of work or the location of the alleged violation, will remain unaffected. Furthermore, the right of appeal will not be affected by any other administrative or judicial appeal.
4. Right to be informed
You have the right to request a confirmation by the Operator concerning whether your personal data is processed; if this is the case, you have the right to be informed about this data and the following information: (a) the processing purposes; (b) the categories of personal data that are processed; (c) the recipients or categories of recipients to whom the data has been disclosed or will be disclosed; (d) the planned duration for which the data is stored, or if this is not possible the criteria for the definition of this term; (e) your rights under the data protection legislation; (f) if the data is not collected from you, all available information about the origin of the data; (g) the existence of an automated decision-making including profiling and meaningful information about it. For the most part, you can already infer the information from this Data Privacy Statement. In addition, you can naturally contact the Operator for example at the aforementioned email address at any time. On request the Operator will provide you with a copy of the personal data that is subject to the processing. However, this applies only if it does not affect the rights and freedoms of other persons. If you submit the request electronically, your information will be provided in a standard electronic format unless you specify otherwise.
5. Right to rectification
You have the right to request the immediate rectification of inaccurate personal data pertaining to you from the Operator. Taking into account the purposes of processing, you also have the right to demand the completion of incomplete personal data including by means of a supplementary declaration.
6. Right to erasure
You have the right to request the immediate erasure of inaccurate personal data pertaining to you from the Operator. The Operator will immediately erase such data unless one of the following reasons applies: (a) the data is no longer required for the purposes for which the data was collected or processed in any other way; (b) you revoke your consent on which the processing was based and there is a lack of any legal basis for the processing; (c) you object to the processing and there are no overriding legitimate reasons for the processing or your objection concerns direct marketing; (d) your personal data has been unlawfully processed; (e) the erasure is required to fulfil a legal obligation to which the Operator is subject or (f) the data was collected from an offer of information society services that was directly aimed at a child on the basis of the child’s consent.
The right to erasure will not apply if the processing is required for the following: (a) to exercise the right to freedom of expression and information; (b) in order to fulfil a legal obligation; (c) to perform a task in the public interest or (d) for the establishment, exercise or defence of legal claims. If this is the case, you may request the restriction of processing.
7. Right to restrict processing
You have the right to request the restriction (blocking) of processing from the Operator if any of the following conditions apply: (a) you dispute the accuracy of your personal data, namely for a period that allows the Operator to verify the accuracy of this data; (b) the processing is unlawful and you reject the erasure of your data and instead request the restriction of the use of data; (c) the Operator no longer needs the personal data for the purposes of processing but instead for the establishment, exercise or defence of legal claims or (d) you objected to the processing, as long as it is not clear whether the legitimate reasons of the Operator override yours. The consideration of legitimate reasons is not required in the case of objection to the processing for direct marketing purposes.
If the processing was restricted, your personal data – apart from being stored – will be processed only with your consent or for the establishment, exercise or defence of legal claims, to protect the rights of any other person or for reasons of substantial public interest. If you have obtained a restriction of processing, you will be informed by the Operator before the restriction is lifted.
8. Right to data portability
You have the right to receive your personal information that you have provided to the Operator in a structured, common and machine-readable format, and you have the right to transmit this data to another responsible person without interference from the Operator provided that the processing is based on your consent or a contract between you and the Operator and the processing is performed by means of automated procedures. In this respect, you have the right to insist that your personal data is directly transmitted from the Operator to another responsible person insofar as this is technically feasible and the rights and freedoms of others are not affected. Your right to erasure will remain unaffected. This right does not apply to processing that is required for the performance of a task carried out in the public interest.
The Operator will notify all recipients to whom the data has been disclosed of any rectification or erasure of your personal data or a restriction of processing unless this proves impossible or would involve disproportionate effort. The Operator will inform you of such recipients at your request.
If the Operator has made the personal data public and is obliged to erase such data, the Operator will take appropriate measures taking into account the available technology and the implementation costs to inform third parties processing your personal data about your request to erase all links to this data or copies of the data.
V. Final remarks
1. Legal basis
The statutory regulations for data protection can be found in particular in the German Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). As of 25 May 2018, however, the EU General Data Protection Regulation (GDPR) will apply primarily. If you have given explicit consent to the processing of your data, this simultaneously represents the legal basis for data processing for the purposes to which you have consented (Art. 6 (1) (a) GDPR). As far as the processing is necessary for the performance or initiation of a contract, Art. 6 (1) (b) GDPR forms the legal basis. User contracts between you and the Operator entered into or initiated at your request are involved here. In addition, Art. 6 (1) (f) GDPR is the legal basis for the processing of data for safeguarding the legitimate interests of the Operator. This includes the economic interest in the operation of the Platform and, in particular, the delivery of target group-oriented and interest-oriented advertising. There is no automated decision-making including profiling within the meaning of Art. 22 GDPR. In particular, the assignment to advertising features will have no legal effect on you or affect you significantly in a similar way.
2. Protective measures
The Operator will, taking into account the nature, scope, circumstances and purposes of the processing as well as the different probabilities of occurrence and severity of the risks for your rights and liberties, initiate appropriate technical and organizational measures to ensure that the data processing complies with legal requirements. The measures will take into consideration state-of-the-art technology and, in particular, include the encryption of your data. The equipment and systems on which data is processed are protected against unauthorized access both physically and digitally. In particular, the servers of the Operator are password protected. With regular testing and updating of the software, the Operator will prevent security vulnerabilities that could allow abuse of your data. Only those subordinate persons (employees) of the Operator will receive access to personal data who require it for the fulfilment of their tasks and only to the extent required. The employees of the Operator will be instructed in advance with regard to data processing and obligated to maintain confidentiality. With regular backups, the data is protected against loss and can be restored at any time. The default setting of the systems ensures that only personal data required for the purpose of processing will be processed. In doing so, data protection principles such as data minimisation are implemented. In addition, the Operator ensures the confidentiality, integrity, availability and reliability of the systems with technical and organizational measures. The compliance with data protection legislation is regularly reviewed and measures are updated where necessary.
Data transmission and contacting
Insofar as you have consented to the transmission of your data to the Operator and to the Operator contacting you, the Operator will process the transmitted data in order to contact you. The transmission of your data is encrypted. Contact will be made in the context and by the means to which you have consented (e.g. by telephone and/or e-mail). In this respect, the legal basis for data processing is your consent, which you can revoke at any time with effect for the future. Your data will be deleted no later than six months after transmission, unless you have consented to longer storage, the data is still necessary for the performance of a contract or there is another legal basis for further processing. This may involve statutory retention obligations (maximum 10 years from the date of data transmission and, if applicable, contact) or the necessity of the data for the assertion, exercise or defense of legal claims (provided that no claims are in dispute, a maximum of three years from the end of the year of data transmission and, if applicable, contact); in this respect, however, further processing of your data will be restricted and the data will only be stored.