Privacy
This data protection declaration clarifies the nature, scope and purpose of the processing of personal data (hereinafter referred to as “data”) within our online offering and the associated websites, functions and content as well as external online presences, e.g. our social media profile (collectively referred to as “online offering”).
With regard to the terminology used, e.g. “processing” or “responsible”, we refer to the definitions in Article 4 of the General Data Protection Regulation (GDPR).
Responsible
Karlsruhe Greeter
c/o. Hans-Peter Krämer
Ringstraße 33
75228 Karlsruhe
+49 157 55797453
info@karlsruhe-greeters.de
www.irgendwo-greeter.de
Types of data processed:
- Inventory data (e.g., names, addresses).
- Contact information (e.g. e-mail, telephone numbers).
- Usage data (e.g. websites visited, interest in content, access times).
- Meta / communication data (e.g. device information, IP addresses).
Categories of persons affected
Visitors and users of the online offering (In the following, we refer collectively to data subjects as “users”).
Purpose of the processing
- Providing the online offer, its functions and content.
- Responding to contact requests and communicating with users.
- Security measures
Terms used
“Personal data”
means information that identifies an identified person or an identifiable natural person (hereinafter referred to as “data subject”); a natural person is considered identifiable if he or she can be identified directly or indirectly, in particular by association with an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or with one or more particular characteristics, are the expression of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
“Processing”
means any process carried out with or without the aid of automated procedures or any such process involving personal data. The term covers a wide range and covers practically any handling of data.
“Pseudonymization”
means the processing of personal data in such a way that the personal data can no longer be attributed to a specific person without additional information, provided that such additional information is kept separate and is subject to technical and organizational measures that the personal data is not attributed to an identified or identifiable natural person.
“Profiling”
means any kind of automated processing of personal data which involves the use of such personal data to evaluate certain personal aspects relating to a natural person, in particular aspects relating to that natural person’s performance at work, economic situation, health, personal preferences interests, reliability, behaviour, location or site.
“Controller”
means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data
“Processor”
means a natural or legal person, public authority, agency or body that processes personal data on behalf of the Controller.
Relevant legal basis
In accordance with Art. 13 DSGVO, we inform you about the legal basis of our data processing. Unless the legal basis is mentioned in the privacy policy, the following applies: The legal basis for obtaining consent is Article 6(1)(a) and Article 7 DSGVO, the legal basis for processing for the provision of our services and the performance of contractual measures and responding to requests is Article 6(1)(b) DSGVO, the legal basis for processing for compliance with our legal obligations is Article 6(1)(c) DSGVO and the legal basis for processing for the protection of our legitimate interests is Article 6(1)(f) DSGVO. In the event that essential interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) lit. d DSGVO as the legal basis.
Security measures
In accordance with Art. 32 GDPR, we take into account the state of the art, the implementation costs and the nature of the scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons; appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.
Measures include, in particular, ensuring the confidentiality, integrity and availability of data by controlling physical access to the data as well as its access, input, disclosure, availability and segregation. We also have procedures in place to ensure data subject rights, data deletion, and data vulnerability. In addition, we consider the protection of personal data as early as the development or selection of hardware, software and procedures in accordance with the principle of data protection through technology design and data protection-friendly default settings (Article 25 of the GDPR)
Cooperation with subcontractors and third parties
If, in the course of our processing, we disclose, transfer or otherwise grant access to data to other persons and companies (contract processors or third parties), this will only be done on the basis of a legal permission (e.g. if a transfer of data to third parties, e.g. payment service providers, in accordance with Art. 6 (1) lit. b DSGVO, which are necessary for the performance of the contract), you have consented to a legal obligation or due to our legitimate interests (e.g. the use of agents, web hosts, etc.).
Insofar as we commission third parties with the processing of data on the basis of a so-called “data processing contract”, this is done on the basis of Art. 28 DSGVO.
Transfers to third countries
If we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)) or if this is done in connection with the use of third-party services or the disclosure or transfer of data to third parties, this is only done if it is to fulfill our (pre)contractual obligations based on your consent, on a legal obligation or for legitimate interests. Subject to legal or contractual authorizations, we process or handle data in a third country only under the specific conditions of Art. 44 et seq. DSGVO. That processing, for example, on the basis of specific guarantees, such as the officially recognized level of data protection (e.g., for the USA by the Privacy Shield) or compliance with officially recognized special contractual obligations (so-called “standard contractual clauses”).
Rights of data subjects
- You have the right to request confirmation as to whether such data is being processed and to obtain information about such data and to obtain further information and copying of the data accordingly. 15 GDPR.
- Accordingly, you have. Art. 16 GDPR the right to request that the data concerning you be completed or that the incorrect data concerning you be corrected.
- According to art. 17 DPA, you have the right to request that the relevant data be deleted without undue delay, or alternatively a restriction of the processing of data according to art. 18 DPA.
- You have the right to request that the data concerning you that you have provided to us, in accordance with Art. 20 GDPR and request its transfer to other data controllers.
- You have the right to lodge a complaint with the competent supervisory authority pursuant to Art. 77 DSGVO.
Right of withdrawal
You have the right to revoke consent with effect for the future in accordance with Article 7 (3) of the DSGVO.
Right to object
You may, in accordance with the provisions of Article 21 of the GDPR object at any time. The objection can be raised in particular against processing for direct marketing purposes.
Cookies and right to object to direct mail
“Cookies” are small files that are stored on users’ computers. Various information can be stored in the cookies. A cookie is primarily used to store information about a user (or the device on which the cookie is stored) during or after his or her visit to an online site. Temporary cookies or “session cookies” or “transient cookies” are cookies that are deleted after a user leaves an online service and closes his browser. In such a cookie, for example, the content of a shopping cart in an online store or a login status is stored. The term “permanent” or “persistent” refers to cookies that remain stored even after the browser is closed. Thus, for example, the login status is stored when users revisit it after a few days. Likewise, such a cookie can store the interests of users, which are used for reach measurements or marketing purposes. A “third-party cookie” refers to cookies offered by providers other than the person responsible for the online offer (otherwise, cookies are referred to only as “first-party cookies”).
We may use these temporarily and clarify this as part of our privacy policy.
A general objection to the use of cookies used for online marketing purposes can be found on the US side of many services, especially in the case of so-called tracking on http://www.aboutads.info/choices/ or the EU side http://www.youronlinechoices.com/ . In addition, saving cookies can be achieved by turning them off in the browser settings. Please note that it may not be possible to use all functions of this online offer.
Deletion of data
The data processed by us will be processed or deleted or restricted in its processing in accordance with the provisions of Articles 17 and 18 DSGVO. Unless explicitly stated otherwise in this Privacy Policy, the data we store will be deleted as soon as it is no longer needed for its purpose and the deletion does not conflict with any legal retention requirements. Unless the data is deleted because it is needed for other legitimate purposes, its processing is restricted. The data is blocked and will not be processed for other purposes. This applies, for example, to data that must be retained for economic or tax reasons.
We delete requests when they are no longer needed. We review the need every two years; In addition, the legal archiving obligations apply.
Hosting and emailing,
The hosting services we use are intended to provide the following services: Infrastructure and platform services, computing capacity, storage and database services, e-mail delivery, security services and technical maintenance services We use for the purpose of operating this online service.
Here, we or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer pursuant to Art. 6 para. 1 lit. f DSGVO in conjunction with. Art. 28 DSGVO (conclusion of contract)
Collection of access data and log data
We collect on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO data on each access to the server on which this service is located (so-called server log files). The access data includes the name of the accessed website, file, date and time of access, amount of data transferred, notification of successful access, browser type and version, user’s operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security purposes (for example, to investigate abusive or fraudulent activities) for a maximum of 7 days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until final clarification of the respective incident.
Introduction
With the following data protection declaration, we would like to inform you about the types of your personal data (hereinafter also referred to as “data” for short) that we process, for what purposes and to what extent. The data protection declaration applies to all processing of personal data carried out by us, both as part of the provision of our services and, in particular, on our websites, in mobile applications and within external online presences, such as our social media profiles (hereinafter collectively referred to as “Online Offer”).
The terms used are not gender-specific.
Status: June 21, 2022
Responsible
Hans-Peter Krämer / Greeters Karlsruhe
Ringstraße 33
75228 Karlsruhe
Germany
E-mail address:
info@karlsruhe-greeters.de
Imprint:
Overview of processing operations
The following overview summarizes the types of data processed and the purposes of their processing, and refers to the data subjects.
Types of data processed
– Inventory data.
– Contact data.
– Content data.
– Usage data.
– Meta/communication data.
Categories of data subjects
– Communication partners.
– Users.
Purposes of processing
– Arranging free tours (“greets”).
– Contact requests and communication.
– Management and response to requests.
– Feedback.
– Provision of our online offer and user-friendliness.
Relevant legal bases
The following is an overview of the legal basis of the GDPR on the basis of which we process personal data. Please note that in addition to the provisions of the GDPR, national data protection regulations may apply in your or our country of residence or domicile. Furthermore, should more specific legal bases be relevant in individual cases, we will inform you of these in the data protection declaration.
– Consent (Art. 6 para. 1 p. 1 lit. a. DSGVO) – The data subject has given his/her consent to the processing of personal data relating to him/her for a specific purpose or purposes.
– Performance of a contract and pre-contractual requests (Art. 6 (1) p. 1 lit. b. DSGVO) – Processing is necessary for the performance of a contract to which the data subject is party or for the performance of pre-contractual measures carried out at the data subject’s request.
– Legitimate interests (Art. 6 (1) p. 1 lit. f. DSGVO) – Processing is necessary for the purposes of the legitimate interests of the controller or a third party, unless such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.
In addition to the data protection regulations of the General Data Protection Regulation, national regulations on data protection apply in Germany. These include, in particular, the Act on Protection against Misuse of Personal Data in Data Processing (Federal Data Protection Act – BDSG). In particular, the BDSG contains special regulations on the right to information, the right to erasure, the right to object, the processing of special categories of personal data, processing for other purposes and transmission, as well as automated decision-making in individual cases, including profiling. Furthermore, it regulates data processing for employment purposes (Section 26 BDSG), in particular with regard to the establishment, implementation or termination of employment relationships as well as the consent of employees. Furthermore, state data protection laws of the individual federal states may apply.
Security measures
We take appropriate technical and organizational measures in accordance with the legal requirements, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the different probabilities of occurrence and the extent of the threat to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk.
The measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical and electronic access to the data as well as access to, input of, disclosure of, assurance of availability of and segregation of the data. Furthermore, we have established procedures to ensure the exercise of data subjects’ rights, the deletion of data, and responses to data compromise. Furthermore, we already take the protection of personal data into account during the development or selection of hardware, software as well as procedures in accordance with the principle of data protection, through technology design and through data protection-friendly default settings.
Shortening of IP address: If IP addresses are processed by us or by the service providers and technologies used and the processing of a complete IP address is not necessary, the IP address is shortened (also referred to as “IP masking”). In this process, the last two digits or the last part of the IP address after a period are removed or replaced by wildcards. The shortening of the IP address is intended to prevent or make it significantly more difficult to identify a person by their IP address.
SSL encryption (https): To protect your data transmitted via our online offer, we use SSL encryption. You can recognize such encrypted connections by the prefix https:// in the address line of your browser.
Transmission of personal data
We only pass on personal data to the greeters we use when arranging greet requests.
Data processing in third countries
If we process data in a third country (i.e., outside the European Union (EU), the European Economic Area (EEA)) or the processing takes place in the context of using third-party services or disclosing or transferring data to other persons, entities or companies, this will only be done in accordance with legal requirements.
Subject to express consent or contractually or legally required transfer, we only process or have data processed in third countries with a recognized level of data protection, contractual obligation through so-called standard protection clauses of the EU Commission, in the presence of certifications or binding internal data protection regulations (Art. 44 to 49 DSGVO, information page of the EU Commission: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection_de).
Deletion of data
The data processed by us will be deleted in accordance with the legal requirements as soon as their consents permitted for processing are revoked or other permissions cease to apply (e.g. if the purpose of processing this data has ceased to apply or it is not necessary for the purpose). If the data are not deleted because they are required for other and legally permissible purposes, their processing will be limited to these purposes. That is, the data is blocked and not processed for other purposes. This applies, for example, to data that must be retained for reasons of commercial or tax law or whose storage is necessary for the assertion, exercise or defense of legal claims or for the protection of the rights of another natural or legal person.
Our data protection notices may also contain further details on the retention and deletion of data, which take priority for the respective processing operations.
Provision of the online offer and web hosting
In order to provide our online offer securely and efficiently, we use the services of one or more web hosting providers from whose servers (or servers managed by them) the online offer can be accessed. For these purposes, we may use infrastructure and platform services, computing capacity, storage space and database services, as well as security services and technical maintenance services.
The data processed as part of the provision of the hosting offer may include all information relating to the users of our online offer, which is generated as part of the use and communication. This regularly includes the IP address, which is necessary to deliver the content of online offers to browsers, and all entries made within our online offer or from websites.
– Types of data processed: Content data (e.g. entries in online forms); Usage data (e.g. web pages visited, interest in content, access times); Meta/communication data (e.g. device information, IP addresses).
– Data subjects: Users (e.g. website visitors, users of online services).
– Purposes of processing: provision of our online offer and user-friendliness; information technology infrastructure (operation and provision of information systems and technical devices (computers, servers, etc.).).
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).
Further notes on processing processes, procedures and services:
– Collection of access data and log files: we ourselves (or our web hosting provider) collect data on each access to the server (so-called server log files). The server log files may include the address and name of the web pages and files accessed, the date and time of access, data volumes transferred, notification of successful access, browser type along with version, the user’s operating system, referrer URL (the previously visited page) and, as a rule, IP addresses and the requesting provider.The server log files may be used for security purposes, for example, to prevent server overload (especially in the event of abusive attacks, so-called DDoS attacks) and, on the other hand, to ensure the utilization of the servers and their stability; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO); Deletion of data: Log file information is stored for a maximum period of 30 days and then deleted or anonymized. Data whose further storage is required for evidentiary purposes is excluded from deletion until final clarification of the respective incident.
Contact and request management
When contacting us (e.g. by contact form, e-mail, telephone or via social media) as well as in the context of existing user and business relationships, the information of the inquiring persons is processed insofar as this is necessary to answer the contact inquiries and any requested measures.
The response to the contact inquiries as well as the management of contact and inquiry data in the context of contractual or pre-contractual relationships is carried out to fulfill our contractual obligations or to respond to (pre)contractual inquiries and otherwise on the basis of legitimate interests in responding to the inquiries and maintaining user or business relationships.
– Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Communication partners.
– Purposes of processing: provision of contractual services and customer service; contact requests and communication; managing and responding to requests; feedback (e.g. collecting feedback via online form); providing our online offer and user experience.
– Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. DSGVO); Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).
Further guidance on processing operations, procedures and services:
– Contact form: If users contact us via our contact form, e-mail or other communication channels, we process the data communicated to us in this context for the purpose of processing the communicated request. For this purpose, we process personal data in the context of pre-contractual and contractual business relationships, insofar as this is necessary for their fulfillment and otherwise on the basis of our legitimate interests as well as the interests of the communication partners in responding to the requests and our legal retention obligations; Legal basis: Contractual performance and pre-contractual inquiries (Art. 6 para. 1 p. 1 lit. b. DSGVO), Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).
Presence in social networks (social media)
We maintain online presences within social networks and process user data in this context in order to communicate with users active there or to offer information about us.
We would like to point out that user data may be processed outside the European Union. This may result in risks for the users because, for example, it could make it more difficult to enforce the rights of the users.
Furthermore, user data is usually processed within social networks for market research and advertising purposes. For example, usage profiles can be created based on the usage behavior and resulting interests of the users. The usage profiles can in turn be used, for example, to place advertisements within and outside the networks that presumably correspond to the interests of the users. For these purposes, cookies are usually stored on the users’ computers, in which the usage behavior and interests of the users are stored. Furthermore, data independent of the devices used by the users may also be stored in the usage profiles (especially if the users are members of the respective platforms and are logged in to them).
For a detailed presentation of the respective forms of processing and the options to object (opt-out), we refer to the privacy statements and information provided by the operators of the respective networks.
In the case of requests for information and the assertion of data subject rights, we would also like to point out that these can be asserted most effectively with the providers. Only the providers have access to the users’ data and can take appropriate measures and provide information directly. If you still need assistance, you can contact us.
– Types of data processed: contact data (e.g. e-mail, telephone numbers); content data (e.g. entries in online forms); usage data (e.g. websites visited, interest in content, access times); meta/communication data (e.g. device information, IP addresses).
– Data subjects: Users (e.g., website visitors, users of online services).
– Purposes of processing: contact requests and communication; feedback (e.g. collecting feedback via online form); marketing.
– Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO).
Further information on processing, procedures and services:
– Instagram: Social network; Service provider: Instagram Inc, 1601 Willow Road, Menlo Park, CA, 94025, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO); Website: https://www.instagram.com; Privacy policy: https://instagram.com/about/legal/privacy.
– Facebook pages: Profiles within the social network Facebook – We are jointly responsible with Meta Platforms Ireland Limited for the collection (but not the further processing) of data of visitors to our Facebook page (so-called “fan page”). This data includes information about the types of content users view or interact with, or the actions they take (see under “Things You and Others Do and Provide” in the Facebook Data Policy: https://www.facebook.com/policy), as well as information about the devices users use (e.g., IP addresses, operating system, browser type, language settings, cookie data; see under “Device Information” in the Facebook Data Policy: https://www.facebook.com/policy). As explained in the Facebook Data Policy under “How do we use this information?”, Facebook also collects and uses information to provide analytics services, called “Page Insights,” to Page operators to provide them with insights into how people interact with their Pages and with content associated with them. We have entered into a special agreement with Facebook (“Page Insights Information,” https://www.facebook.com/legal/terms/page_controller_addendum), which regulates in particular which security measures Facebook must observe and in which Facebook has agreed to fulfill the data subject rights (i.e., users can, for example, direct information or deletion requests to Facebook). The rights of users (in particular to information, deletion, objection and complaint to the competent supervisory authority), are not restricted by the agreements with Facebook. Further information can be found in the “Information on Page Insights” (https://www.facebook.com/legal/terms/information_about_page_insights_data); service provider: Meta Platforms Ireland Limited, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland; Legal basis: Legitimate interests (Art. 6 (1) p. 1 lit. f. DSGVO); Website: https://www.facebook.com; Privacy policy: https://www.facebook.com/about/privacy; Standard contractual clauses (ensuring level of data protection for processing in third countries): https://www.facebook.com/legal/EU_data_transfer_addendum; Further information: Shared Responsibility Agreement: https://www.facebook.com/legal/terms/information_about_page_insights_data.
Plugins and embedded functions and content
Information about processing, procedures and services:
– Google Fonts (sourcing from Google server): Obtaining fonts (and symbols) for the purpose of technically secure, maintenance-free and efficient use of fonts and symbols with regard to timeliness and loading times, their uniform presentation and consideration of possible restrictions under licensing law. The provider of the fonts is informed of the user’s IP address so that the fonts can be made available in the user’s browser. In addition, technical data (language settings, screen resolution, operating system, hardware used) are transmitted that are necessary for the provision of the fonts depending on the devices used and the technical environment; service provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA; Legal basis: Legitimate interests (Art. 6 para. 1 p. 1 lit. f. DSGVO); Website: https://fonts.google.com/; Privacy policy: https://policies.google.com/privacy.
Modification and update of the privacy policy
We ask you to regularly inform yourself about the content of our privacy policy. We adapt the data protection declaration as soon as the changes in the data processing carried out by us make this necessary. We will inform you as soon as the changes require an act of cooperation on your part (e.g. consent) or other individual notification.
If we provide addresses and contact information of companies and organizations in this privacy statement, please note that the addresses may change over time and please check the information before contacting us.
Rights of the data subjects
As a data subject, you are entitled to various rights under the GDPR, which arise in particular from Art. 15 to 21 GDPR:
– Right to object: you have the right to object at any time, on grounds relating to your particular situation, to the processing of personal data concerning you which is carried out on the basis of Art. 6(1)(e) or (f) DSGVO; this also applies to profiling based on these provisions. If the personal data concerning you is processed for the purpose of direct marketing, you have the right to object at any time to the processing of personal data concerning you for the purpose of such marketing; this also applies to profiling insofar as it is related to such direct marketing.
– Right to withdraw consent: You have the right to revoke any consent given at any time.
– Right to information: you have the right to request confirmation as to whether data in question is being processed and to information about this data, as well as further information and a copy of the data in accordance with the legal requirements.
– Right to rectification: you have the right, in accordance with the law, to request that data concerning you be completed or that inaccurate data concerning you be rectified.
– Right to erasure and restriction of processing: in accordance with the legal requirements, you have the right to request that data concerning you be erased without delay, or alternatively, in accordance with the legal requirements, to request restriction of the processing of the data.
– Right to data portability: You have the right to receive data concerning you, which you have provided to us, in a structured, common and machine-readable format in accordance with the legal requirements, or to demand its transfer to another responsible party.
– Complaint to the supervisory authority: Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, your place of work or the place of the alleged infringement, if you consider that the processing of personal data relating to you infringes the requirements of the GDPR.
Definitions
This section provides you with an overview of the terms used in this privacy policy. Many of the terms are taken from the law and defined primarily in Art. 4 of the GDPR. The legal definitions are binding. The following explanations, on the other hand, are primarily intended to aid understanding. The terms are sorted alphabetically.
– Personal data: “Personal data” means any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
– Controller: “Controller” means the natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data.
– Processing: “Processing” means any operation or set of operations which is performed upon personal data, whether or not by automatic means. The term is broad and includes virtually any handling of data, be it collection, analysis, storage, transmission or deletion.