Data Protection Declaration

Data Protection Declaration

This Data Protection Declaration is intended to inform you about the type of personal data (referred to as ‘data’ from here on) we process, the scope in which we do this and for what purpose, within our online offering and its associated websites, functions and content, as well as external online presences such as our social media profile (jointly referred to as ‘online offering’ from here on). With regards to the used terminology, for example ‘processing’ or ‘controller’, please refer to the definitions in Article 4 of the EU General Data Protection Regulation (GDPR).

Controller
Stiftung VCP Rheinland-Pfalz/Saar
Stadtgrabenstraße 25 a
67245 Lambsheim
Germany

Phone: +49 (6322) 21955
Fax +49 (6322) 9250

Email: landesbuero@vcp-rps.de
www.vcp-rps.de

Types of processed data:
• Inventory data (e.g. names, addresses)
• Contact details (e.g. email addresses, phone numbers)
• Content data (e.g. text content, photographs, videos)
• Usage data (e.g. visited websites, interests in content, access time)
• Metadata/Communication data (e.g. device information, IP addresses)

Purpose of data processing
• To provide our online offering, its functions and contents.
• To reply to contact enquiries and communication with users.
• Security measures.
• Measurement of reach/marketing.

Used terminology
‘Personal data’ means any information relating to an identified or identifiable natural person (called ‘data subject’ hereafter); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. a cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The term ‘processing’ is extensive and effectively encompasses all handling of data.
The ‘controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Relevant legal basis
In accordance with Article 13 of the GDPR, we herewith inform you of the legal basis of our data processing. The following applies where the legal basis is not stated in this Data Protection Declaration: The legal basis for obtaining consent is Article 6 Section 1 Letter a and Article 7 of the GDPR; the legal basis for processing to provide our services and execute our contractual activity as well as responding to enquiries is Article 6 Section 1 letter b of the GDPR; the legal basis for processing to comply with our legal obligations is Article 6 Section 1 letter c of the GDPR; and the legal basis for processing to protect our legitimate interests is Article 6 Section 1 letter f of the GDPR. Should vital interests of the data subject or of another natural person necessitate the processing of personal data, Article 6 Section 1 letter d of the GDPR forms the legal basis.

Security measures
We ask that you acquaint yourself with our Data Protection Declaration regularly. We will adapt our Data Protection Declaration if any changes to the way we process data render this necessary. We will inform you as soon as any changes necessitate an act of cooperation (e.g. obtain consent) or any other individual notification.

Collaboration with processors or third parties
If we, within the scope of our data processing, disclose data to other persons or organisations (processors or third parties), transfer data to them or otherwise grant access to data, this will only take place on a legal basis (for example if a transfer of data to third parties, such as a payment service provider, is necessary as per Article 6 Section 1 letter b of the GDPR to fulfil a contract), if you have consented, if a legal obligation makes this necessary, or on the basis of our legitimate interests (for example with employment of a representative, web hosts, etc.).

If we commission third parties to process data based on a ‘data processing agreement’, this will happen on the basis of Article 28 of the GDPR.

Transfer to a third country
If we process data in a third country (i.e. outwith the European Union (EU) or the European Economic Area (EEA)) or if this takes place within the scope of using third party services or disclosure, or rather transfer of data to a third party, this only takes place if it happens to fulfil our (pre-)contractual obligations, based on your consent, based on a legal obligation or based on our legitimate interests. Subject to legal or contractual permissions, we only process or have the data processed in a third country if the specific conditions of Article 44 et seq. of the GDPR apply. This means processing takes place for example based on special guarantees such as the officially recognised establishment of an EU equivalent level of data protection (e.g. for the USA via the ‘Privacy Shield’) or adherence to officially recognised special contractual obligations (so called ‘standard contractual clauses’).

Rights of the data subject
You have the right to obtain confirmation as to whether or not personal data concerning you is being processed and to access the personal data as well as further information and a copy of the data as per Article 15 of the GDPR.

As per Article 16 of the GDPR, you have the right to have incomplete personal data concerning you completed and to obtain rectification of inaccurate personal data concerning you.

As per Article 17 of the GDPR, you have the right to obtain the erasure of personal data concerning you without undue delay or rather alternatively as per Article 18 of the GDPR to obtain a restriction of processing.

As per Article 20 of the GDPR, you have the right to receive the personal data concerning you, which you have provided to us and you have the right to demand transmission of this data to another controller.

Furthermore, as per Article 77 of the GDPR, you have the right to lodge a complaint with the relevant supervisory authority.

Right of withdrawal
As per Article 7 section 3 of the GDPR, you have the right to withdraw your consent at any time with future effect.

Right to object
As per Article 21 of the GDPR, you have the right to object at any time to the future processing of personal data concerning you. The objection can in particular be made against the processing for the purposes of direct marketing.

Cookies and right to object regarding direct marketing
‘Cookies’ are small files which are being saved on users’ computers. Different information can be saved within cookies. A cookie’s primary function is to save a user’s (or the device’s on which the cookie is saved) information during or also after a visit within an online offering. Temporary cookies, or ‘Session-cookies’/’transient cookies’, are cookies which are deleted after a user leaves an online offering and closes their browser. For example, the contents of a shopping cart in an online shop or a login status can be saved within such a cookie. ‘Permanent’ or ‘persistent’ cookies are cookies which continue to be saved even after closing the browser. For example, the login status can be saved when the user visits these after several days. Likewise, the users’ interests can be saved in such a cookie which are being used for measurement of reach or marketing purposes. ‘Third-party-cookies’ are cookies which are being offered by providers different to the person responsible who is operating the online offering (otherwise, if they are just the responsible person’s cookies, these are called ‘first-party-cookies’).

We can use temporary and permanent cookies and are informing you about this within the scope of our Data Protection Declaration.

If the users do not want cookies to be saved on their computers, they are asked to deactivate the relevant options within their browsers’ system settings. Saved cookies can be deleted in the browser’s system settings. The exclusion of cookies can result in functional limitations of this online offering.

A general objection to the use of cookies which are used for online marketing purposes can be declared via the US site http://www.aboutads.info/choices/ or the EU site http://www.youronlinechoices.com/ for a variety of services, particularly in case of tracking. Furthermore, the saving of cookies can be achieved through switching them off in the browser settings. Should that be the case, please note that it is possible that not all functions of the online offering can be used.

Erasure of data
As per Articles 17 and 18 of the GDPR, the data processed by us is deleted or its processing is restricted. If not explicitly stated otherwise within this Data Protection Declaration, the data we save is deleted as soon as it is no longer necessary for its intended purpose and no legal obligation for retention excludes this. If the data is not deleted because it is required for other and legally permissive purposes, its processing is restricted. This means the data is blocked and not processed for other purposes. For example, this applies to data which has to be stored because of commercial or fiscal law.

In keeping with legal obligations in Germany, the storage takes place in particular for 10 years as per §§147 section 1 AO, 257 section 1 number 1 and 4, section 4 of the German Commercial Code (HGB) (books, recordings, situation reports, vouchers, trading books, documents required for taxation, etc.) and for 6 years as per §257 section 1 number 2 and 3, section 4 of the German Commercial Code (commercial letters).

In keeping with legal obligations in Austria, the storage takes place in particular for 7 years as per §132 section 1 of the Federal Fiscal Code (BAO) (accounting records, receipts/invoices, accounts, receipts, business papers, income and expenditure statements, etc.), for 22 years in relation to property/plots and for 10 years for documents related to electronically rendered services, telecommunication, broadcast or television services which are rendered to non-entrepreneurs in EU member states and for which the Mini-One-Stop-Shop (MOSS) is utilised.

Hosting
The hosting services we are utilising serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services as well as technical maintenance services which we deploy for the purpose of operating our online offering.

In doing so, we, or our hosting provider process inventory data, contact data, content data, contract data, usage data, users’, interested parties’ and visitors’ meta- and communications data of this online offering based on our justified interest in an efficient and secure provision of this online offering as per article 6 section 1 letter f of the GDPR in conjunction with article 28 of the GDPR (contract with a processor).

Collection of access data and logfiles
We, or our hosting provider, collects data about each access to the server on which this service is located (so called server log files) based on our legitimate interests as per article 6 section 1 letter f of the GDPR. Access data includes the name of the accessed website, file, date and time of accessing, transferred data volume, notice of successful accessing, browser type and version, the user’s operating system, referring URL (the previously visited site), IP address and the accessing provider.

Logfile information is saved for the duration of a maximum of 7 days for security purposes (for example to detect abuse or defraudation) and deleted thereafter. Data which is required to be stored further for evidence purposes is exempt from deletion until the respective incident’s final clarification.

Provision of our statutory and business appropriate services
We process our members’, supporters’, interested parties’, clients’ or other persons’ data in accordance with article 6 section 1 letter b of the GDPR if we offer them contractual services or if we operate within the scope of existing business relationships (for example with our members) or if we ourselves are recipients of services and benefits. Apart from that we process concerned people’s data according to article 6 section 1 letter f of the GDPR based on our legitimate interests, for example where administrative tasks or public relations are concerned.

The data processed in this context, the manner, extent, purpose and necessity of its processing determine themselves based on the underlying contractual relationship. Part of this are persons’ basic inventory and master data (e.g. name, address, etc.), as well as contact data (e.g. e-mail address, phone, etc.), the contract data (e.g. the used services, disclosed contents and information, contact persons’ names) and if we offer paid for services or products, payment data (e.g. bank details, payment history, etc.).

We delete data which is no longer required for providing our statutory and business appropriate purposes. This is determined based on the respective tasks and contractual relationships. In case of contractual processing, we store the data for as long as it might be relevant for business processing as well as with regard to possible warranty or liability duties. The necessity of the storage of the data is reviewed every three years; the legal retention obligations apply otherwise.

Contacting
When contacting us (e.g. via contact form, e-mail, telephone or via social media), we process the user’s details to deal with the contact enquiry and its management as per Article 6 section 1 letter b of the GDPR.
The user’s details can be saved on a customer relationship management system (‘CRM system’) or a similar enquiry management system.

We delete enquiries if they are no longer necessary. We review the necessity every two years; furthermore the legal archiving obligations apply.

Akismet anti-spam checks
Our online offer uses the service ‘Akismet’ which is being offered by Automattic Inc., 60 29th Street #343, San Francisco, CA 94110, USA. The usage takes place based on our legitimate interests according to article 6 section 1 letter f of the GDPR. With the help of this service real humans’ comments are being distinguished from spam comments. For this purpose, all comment data is sent to a server in the USA where it is analysed and saved for four days for comparison purposes. The data is saved beyond that time if a comment is classified as spam. This information includes the entered name, the email address, IP address, content of the comment, the referrer, information about the used browser as well as computer system and the time of entry.

Further information on the collection and use of data through Akismet can be found in Automattic’s data protection notice: https://automattic.com/privacy/.

Users are welcome to use pseudonyms or forgo entering a name or email address. They can prevent the transfer of data completely by not using our comment system. This would be a pity but unfortunately we do not see an alternative which would be as effective.

Measurement of reach using Matomo
The following data is processed within the framework of Matomo’s analysis of reach based on our legitimate interests (this means interest in the analysis, optimisation and economical operation of our online offering according to article 6 section 1 letter f of the GDPR): the browser type and version you are using, the operating system you are using, your country of origin, date, and time of the server request, number of visits, the length of your stay on the website as well as the external links you used. Users’ IP addresses are anonymised before they are saved.

Matomo uses cookies which are saved on the users’ computers and which facilitate the analysis of the usage of our online offering by the users. In doing so, pseudonym user profiles of the user can be generated from the processed data. The cookies have a storage period of one week. The information about your use of this website generated through the cookie is only saved on our server and is not transferred to third parties.

Users can object to the anonymised data collection through the programme Matomo at any time with effect for the future by clicking the below link. In this case, a so called opt-out-cookie is placed in your browser which results in Matomo not collecting any more session data. If users delete their cookies, this also results in the deletion of the opt-out-cookie, meaning it has to be re-activated by the users.

The logs with the users’ data are deleted after 6 months at the latest.

Online presence on social media
We maintain online presences in social networks and on social platforms to communicate with the therein active customers, interested parties and users and to be able to inform them via this medium of our services. When accessing the respective networks and platforms, the relevant providers’ terms and conditions and data handling policies apply.

If not otherwise stated within our data protection declaration, we process the users’ data if they communicate with us within social networks and platforms, for example if they write posts within our online presences or send us messages.

Integration of third party services and content
We utilise content or service offers by third parties within our online offering based on our legitimate interests (this means interest in the analysis, optimisation and economical operation of our online offering according to article 6 section 1 letter f of the GDPR) to integrate their content or services such as, for example, videos or font types (consistently called ‘contents’ hereafter).

This always requires that the third parties offering these contents use the users’ IP addresses as they cannot send the contents to their browsers without it. The IP address is therefore necessary to display these contents. We endeavour to only use contents whose respective third party providers only use the IP address to deliver the contents. Furthermore, third party providers can use so called pixel-tags (invisible graphics, also referred to as ‘web beacons’) for statistic or marketing purposes. Information like the visitor traffic on the pages of this website can be analysed using the ‘pixel-tags’. In addition, the pseudonym information can be saved in cookies on the users’ device and can contain technical information on the browser and operating system, referring websites, visiting times and information on the usage of our online offering amongst other things, as well as being connected to such information from other sources.

Youtube
We integrate the platform ‘Youtube’s’ videos from the provider Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA. Data protection declaration: https://www.google.com/policies/privacy/ , Opt-Out: https://adssettings.google.com/authenticated .