c/o Studio Hasenheide
+49 (0) 177 362 1331
Types of data processed
– User data (e.g. names, addresses)
– Contact data (e.g. e-mail addresses, telephone numbers)
– Content data (e.g. text input, photographs, videos)
– Usage data (e.g. visited websites, interest in content, access times)
– Meta-/communication data (e.g. device information, IP addresses)
Visitors and users of my website (I shall hereafter refer to all data subjects collectively as ‘users’).
Purpose of processing
– For the running of my website, including the provision of features and content
– To reply to requests from and communicate with users
– To measure reach/marketing
Definition of terms
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term has a broad meaning and effectively covers all types of data handling.
‘Pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
‘Profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, I shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the level of risk in accordance with Article 32 GDPR.
These measures notably include the ability to ensure ongoing confidentiality, integrity and availability of data by monitoring physical access to the data as well as related access, submission and transfer of data as well as ensuring its availability and its separation. Furthermore, I have put measures in place that ensure the data subject’s rights, the deletion of data and a response to data that is compromised. The protection of personal data is also a determining factor when developing and/or choosing hardware, software as well as processes in line with the principle of data protection by design and by default (Article 25 GDPR).
Processors and third parties
If data are disclosed or transferred to other persons and businesses (processors or third parties) or these parties are given any other form of access to this data during data processing, this shall only occur insofar as it is legally permitted (e.g. if the data are transferred to a third party, such as a payment provider, in accordance with Article 6 (1)(b) GDPR for the performance of a contract), you have given your consent, it is a legal obligation or is necessary for the purpose of our legitimate interests (e.g. when using a service provider or web hosting services).
If third parties are contracted to process data on the basis of a ‘processing contract’, this shall take place on the basis of Article 28 GDPR.
Transfer of personal data to third countries
Any processing of personal data in a third country (a country outside of the European Union (EU) or the European Economic Area (EEA)) undertaken by me or any such processing that takes place through the engagement of the services of a third party or the disclosure and/or transfer of data to third parties shall only occur as is necessary for me to fulfil my (pre-)contractual duties, providing your consent has been granted, on the basis of a legal obligation or my legitimate interests. Providing permission is legally or contractually granted, I shall process data or permit data to be processed in a third country only if special prerequisites outlined in Article 44 et seqq. GDPR are granted. This means that processing shall occur, for example, on the basis of specific guarantees, such as the officially acknowledged presence of data protection measures that are equivalent to the EU’s measures (such as the ‘Privacy Shield’ in the US) or the observance of specific, officially recognised contractual obligations (‘standard contractual clauses’).
Rights of the data subject
You have the right to obtain from the controller confirmation as to whether or not personal data concerning you are being processed and, where that is the case, to request access to the personal data as well as additional information and a copy of the data in accordance with Article 15 GDPR.
In accordance with Article 16 GDPR, you have the right to have incomplete personal data completed or to request the rectification of inaccurate personal data that concern you.
Pursuant to Article 17 GDPR, you have the right to obtain from the controller the erasure of personal data that concern you without undue delay or, alternatively, to request the restriction of processing of the data in accordance with Article 18 GDPR.
Pursuant to Article 20, you have the right to receive the personal data concerning you, which you have provided to the controller, and have the right to transmit those data to another controller.
Furthermore, you have the right in accordance with Article 77 GDPR to lodge a complaint with the appropriate supervisory authority.
Right to withdraw consent
In accordance with Article 7 (3) GDPR, you have the right to withdraw your consent at any time with future effect.
Right to object
In accordance with Article 21 GDPR, you have the right to object at any time to any further processing of your personal data. In particular, a user can object to the processing of their data for direct marketing purposes.
Cookies and the right to object for direct marketing purposes
If a user does not want cookies to be stored on their computer, they should deactivate the appropriate option in their browser’s ‘system settings’. Saved cookies can be deleted from the ‘system settings’ section of your browser. Opting out of cookies can limit the features available on this website.
The US site http://www.aboutads.info/choices/ or the European site http://www.youronlinechoices.com/ explain how users can opt out of online marketing cookies for a variety of services, especially with regard to tracking. It is also possible to prevent cookies from storing data by deactivating them in your browser’s settings. Please note that this may also restrict the functionality of the website in question.
Erasure of personal data
German legal requirements stipulate that data must be retained, in particular, for 10 years in accordance with Section 147 (1) German Fiscal Code, Section 257 (1) Numbers 1 & 4, (4) German Commercial Code (bookkeeping, records, management reports, accounting receipts, trading books, documentation relevant for tax purposes, etc.) and 6 years in accordance with Section 257 (1) Numbers 2 and 3, (4) of the GCC (business correspondence).
I process the data of my contractual partners and interested parties as well as other clients, customers or contractual partners (collectively referred to as ‘contractual partners’) in accordance with Article 6 (1)(b) GDPR as is necessary to offer my contractual or precontractual services to you as a user. The data processed, the way they are processed, as well as the scope, purpose and necessity of this processing are determined by the underlying contractual relationship.
The processed data include basic data concerning my contractual partners (e.g. names and addresses), contact data (e.g. e-mail addresses and telephone numbers) as well as contractual data (e.g. services provided, contractual terms, contractual communication, names of contractual parties) and payment data (e.g. bank details, payment history).
Generally, I do not process special categories of personal data unless this is necessary for a commissioned or contractual processing.
I process data required in order to justify or deliver my contractual services and shall indicate why this is necessary should this not be evident to the contractual partner. Disclosure of data to external parties or companies shall only occur insofar as is necessary within the terms of a contract. When processing data given to me for the purpose of completing a commissioned job, I shall act in accordance with the instructions given by the commissioning customer as well as the relevant regulatory requirements.
As part of the provision of my online services, I may store IP addresses as well as the times of relevant actions taken by the user. These data are stored on the basis of my legitimate interests as well as those of the user to protect against misuse and other unauthorised use. Generally, these data are not transferred to third parties unless it is required in order to pursue my interests in accordance with Article 6 (1)(f) GDPR or a legal obligation arises in accordance with Article 6 (1)(c) GDPR.
Data shall be deleted when they are no longer required to fulfil a contractual or legal duty of care or to manage any guarantee or similar obligations. The need for data retention will be reassessed every three years; in all other respects, the legal obligations regarding the retention of data shall be observed.
Social media profiles
I maintain profiles on social networks and platforms for the purpose of communicating with clients, interested partners and users active on such networks and platforms and to be able to inform these parties about my services. The terms and conditions and data processing policies of the respective operators shall apply whenever these networks and platforms are accessed.
Using the services and content of third parties
On the basis of my legitimate interests (i.e. interest in analysing, optimising and running my website within the meaning of Article 6 (1)(f) GDPR), I use the content and services of third parties on my website, such as videos or typefaces (hereafter collectively referred to as ‘content’).
In providing this content, the third party is always required to use the IP addresses of its users as this information is needed to enable them to send their content to the user’s browser. The IP address is thus necessary in order to display the content. I take steps to ensure that I only use content from providers who use IP addresses exclusively for the purpose of delivering their content. Third-party providers may also use ‘pixel tags’ (invisible graphics, also referred to as ‘web beacons’) for statistical or marketing purposes. ‘Pixel tags’ may analyse information, such as visitor traffic, on the pages of this website. This pseudonymised information can also be saved in cookies on the user’s device and contain technical information, e.g. concerning the browser and the operating system, referring sites, the length of a visit as well as other details concerning the use of my website, or be merged with similar information from other sources.
Created using the Datenschutz-Generator.de by Dr Thomas Schwenke (solicitor)