Online Certificate Verification Privacy

Online Certificate Verification Privacy Policy

Last update:  30 June 2018

1 Scope of application

This privacy statement informs users about the nature, scope and purpose of collecting and using personal data for the certificate verification functionality (the “service”).

The legal basis for data collection and use is found in Regulation (EU) 2016/679, the German Federal Privacy Act (BDSG) and the Tele-Media Act (TMG) and is further specified below.

2 Name and contact details of the person responsible

Unless further responsible persons and their roles are indicated below, the person responsible, within the meaning of data privacy law, for the collection and use of personal data during the operation of the service is Ina Pförtner, Schöneberger Strasse 12, 12163 Berlin, Germany, e-mail Administrator@ina-pfoertner.de. This person is referred to hereinafter as the “provider”.

3 Purposes of processing, legal basis, legitimate interests, beneficiaries

3.1 Storage of certificate data

The provider stores the following data on issued certificates for language services:

  • An identification mark of the person who received the certificate.
  • An identification mark of the certificate.
  • A unique code to identify the certificate.
  • Whether or not the certificate was sent by e-mail.
  • The time when the certificate was issued.
  • The contents of the certificate (course, course duration, etc.), as also contained in the certificate itself.

When the verification page specified on the certificate is used, the following data is displayed to the verifying user:

  • If the code does not match a valid certificate: an appropriate message.
  • If the code belongs to a valid certificate: The following data, as also contained in the certificate: name of the participant, and the course name.

The legal basis for processing this data is Article 6 (1), first sentence (f) of Regulation (EU) 2016/679. The legitimate interest of the provider in processing is to prevent the use of counterfeit certificates, supposedly issued on the provider’s behalf, in order to prevent the provider’s reputation from being compromised. As documents are currently usually submitted in copied or scanned form for job and other application procedures, technical instruments for document protection alone do not form an equally effective safeguard. Therefore, the now established online verification procedure has been chosen.

Since the documents could be used as proof of performance even decades later, there is currently no provision for the deletion of the data.

3.2 Access data, server logfiles, distribution of content

3.2.1 Server log files

The provider and, on the provider’s behalf, the web space provider Strato AG, Pascalstrasse 10, 10587 Berlin, Germany, telephone + 49 (0) 30 300 146 0, collect data about each access to the service (so-called server log files). Access data includes:

  • The domain “in-port.de”.
  • An anonymized client IP: To detect from where the servers may be attacked, Strato AG collects IP addresses. It stores them for a maximum of seven days. They are then anonymized. For data protection reasons, however, the provider can only view the IP addresses in the log file in anonymized form from the outset.
  • The date and time when the visitor visited our website.
  • A request line, that is, the path of the destination address without the domain.
  • A status code corresponding to the definitions of the Internet Assigned Numbers Authority, such as “200” for OK – the page was called correctly, or “404” for “Page not found”.
  • The size of the response bodies: the size of the downloaded data.
  • The so-called referer: This is the indication of which page a visitor to the website came from.
  • The “user agent” sent by the calling computer: This record contains information about the type and version of the browser and the operating system that a visitor is using.

On the basis of the log data, Strato AG, Berlin, creates a statistical evaluation, which can also be viewed by the provider. In addition to statistical analysis, Strato AG also stores this data in order to optimize its services and to detect and prevent attacks.

The legal basis for the use of the services of Strato AG as a processor is Article 28 of Regulation (EU) 2016/679 in connection with the corresponding contract concluded with Strato AG. The legal basis for processing is Article 6 (1), first sentence (f) of Regulation (EU) 2016/679. The legitimate interest lies in the optimization of the offer, for example, by the requirement of appropriate processing power at the provider. This is done on the basis of statistical data obtained from the collected data. Another legitimate interest is to know from which pages users reach the service via links or search results, because conclusions can be drawn from this for the optimal further design of the service. There is also a need to secure the offer against harmful attacks by third parties. Such attacks can be stopped, for example, by contacting the so-called abuse agencies of the providers whose customers trigger attacks by using the infrastructure of these providers. However, the involvement of government agencies, such as IT security authorities and law enforcement authorities, may also be useful. These contacts for attack prevention require the submission of informative log files with the above data.

The data collected accordingly will be exchanged between the provider and the aforementioned web space provider for the aforementioned purposes. The provider may also, if necessary, evaluate security-related uses and transmit the relevant data to the authorities responsible for prosecution and defence. This includes, in addition to the aforementioned providers and authorities, bodies that are called upon to enforce civil rights (in particular courts and lawyers). A transmission to the aforementioned providers, authorities and other bodies shall take place in particular when statistics and evaluations, which are created in particular by security software, or other facts justify the assumption that frequent or particularly serious unauthorised uses from one source or following one pattern have occurred.

A transfer to a third country or an international organisation which is not based on an adequacy decision pursuant to article 45 (3) of Regulation (EU) 2016/679 shall only be carried out in exceptional cases in accordance with the competent supervisory authority.

The access data will be deleted after nine weeks, unless it is exceptionally necessary to keep it on the basis of a continuing legitimate interest, such as evidence protection. In that case, it will be deleted once the legitimate interest has lapsed.

3.2.2 Use of the distribution service CloudFlare

The information transmitted between the user’s browser and the service is forwarded on behalf of the provider via the network of CloudFlare, Inc., 665 3rd St. #200, San Francisco, CA 94107, United States of America. This data includes all content that users communicate to the provider via the interface of the service, such as entered and sent comments, their IP address and the operating system and browser used. CloudFlare offers a globally distributed content delivery network with DNS. The purpose of the described use of the data is the use of this network. CloudFlare is thus able to analyze the traffic between the user and the provider’s web pages, for example, to detect and fend off attacks on the provider’s services. In addition, CloudFlare may store cookies for optimization and analysis (see the explanation below for cookies) on the user’s computer.

The purpose of the data processing is the faster and more reliable transmission of web content of the service to users, especially with shorter loading times, and an improvement in the security of the service, especially through CloudFlare’s recognition of attacks. The legal basis for the use of CloudFlare’s services as a processor is Article 28 of Regulation (EU) 2016/679 in conjunction with the relevant contract concluded with CloudFlare. The legal basis for processing is Article 6 (1), first sentence (f) of Regulation (EU) 2016/679. The legitimate interest is to achieve the stated purpose of data processing (fast delivery of content, security).

It is the intention of the provider to transmit the aforementioned personal data to a third country, namely the United States of America. To this end, there is an adequacy decision by the European Commission which covers the intended transmission to CloudFlare.

The data will be deleted if the purpose of its processing is fulfilled and CloudFlare has no further legitimate interest in its storage.

Additional information can be found in the privacy policy of CloudFlare.

3.3 Contact Us

When the provider is contacted (for example by contact form or e-mail), the information provided by the user is collected and stored. In addition to the contents of the message, technical data such as the transmission path, communication channels and IP addresses involved in the transmission are automatically transmitted and stored. The data is processed to check whether the provider will respond to the contact and to develop and send a response if necessary. The legal basis for processing is Article 6 (1), first sentence (f) of Regulation (EU) 2016/679. The legitimate interest consists first in processing the request and, in the event that connection issues arise, in the possibility of recalling the request. If a dialogue has arisen, the provider can revoke the corresponding communication, just as he is entitled to cancel correspondence on paper, for example with pen pals or business partners. The deletion takes place at the latest after eleven years.

3.4 Cookies

Cookies are small files that make it possible to store specific information related to the device on the user’s access device (such as a PC, smartphone, or tablet). On the one hand, they serve the user-friendliness of websites and thus the users (e.g. storing the fact that a user has logged in with his user account). On the other hand, they serve to capture the use of these pages, to calculate how many users did so in a particular way, and to evaluate these results in order to improve the service. Users can influence the use of cookies. Most browsers have an option to restrict or completely prevent the storage of cookies.

You can manage many ad cookies from companies via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/de/praferenzmanagement/.

3.5 Google Fonts

When pages are called, fonts are downloaded from the company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA (“Google”) (see also the page https://www.google.com/webfonts/). Google Webfonts are transferred to the cache of your browser to avoid multiple loading. If the browser does not support or prevents access to Google Webfonts, content is displayed in a standard font. To download the Google Webfonts, your browser transfers the IP address from which you use the Internet to Google, so that the fonts can be delivered there. When this happens, data is sent to the server operated by Google, which contains information on which of our web pages you have visited. Again, Google collects the necessary data on its own responsibility, and the provider of this website only initiates this data retrieval by the device that you use. In this context, the provider (Ina Pförtner) does not transmit any data to Google itself. As a precaution, it should be noted that the personal data collected from the user is transferred to a third country, namely the United States of America. To this end, there is an adequacy decision by the European Commission which covers the intended transmission to Google.

4 Obligation to provide data; Consequences of non-provision

The provision of the aforementioned personal data is neither legally nor contractually required nor necessary for the conclusion of a contract. The person concerned is not obligated to provide the personal data. Non-provision may have the following consequences outside of these functionalities:

  • Non-provision of the name of the retrieved web page when the page is invoked: The user cannot access the page because the system cannot determine which page to deliver.
  • Non-provision of the name of the retrieved file: The user cannot retrieve the file because the system cannot determine which file to deliver.
  • Non-provision of the browser type and version: Because the transmission of the pages is adapted to this, it can result in a wrong or less appealing representation of the retrieved data in the browser.
  • Non-provision of the user’s operating system: No consequences for the user.
  • Non-provision of the referrer URL (i.e. the name of the previously visited page): No consequences for the user.
  • Non-provision of the IP address: The user cannot access the page or retrieve the file because the system cannot determine where to deliver the data.
  • Non-provision of the contents of cookie files: The pages are displayed, but some functions may not work, or may not work as desired or optimally; this applies in particular to the graphic quality of the presentation of the contents or the functionality of consecutive pages.
  • Non-provision of the certificate code to be validated: The certificate’s authenticity cannot be verified.

5 Existence of an automated decision-making process

Automatic decision-making does not exist in connection with this service.

6 Rights of the persons concerned (users)

In accordance with Regulation (EU) 2016/679, users have some rights with regard to the personal data collected, which are set out below.

6.1 Right to Information

There is a right to information from the person responsible about the personal data of the persons concerned. For some functionalities, special procedures are set up in the offer, with which you can obtain automated information. These procedures are discussed in the data protection declaration on the respective procedure.

You can exercise your right to information from the provider by using the contact form below. Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.2 Right to rectification

The person concerned, in particular a user, has the right to request the provider to rectify any incorrect personal data immediately. In addition, the person concerned has the right to demand the completion of incomplete personal data, including by means of a supplementary declaration; however, the purposes of processing must be taken into account when examining and implementing the demand; there is, for example, no supplement for data that is not necessary for processing and therefore would not be collected from the outset.

You can exercise your right to rectification with the provider by using the contact form below. Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.3 Right to objection

The person concerned shall have the right, for reasons arising from their particular situation, to object at any time to the processing of personal data relating to them that is carried out on the basis of Article 6 (1) (e) or (f) of Regulation (EU) 2016/679. This also applies to profiling based on these provisions. However, the provider does not process data on the basis of Article 6 (1) (e), but only on the basis of Article 6 (1) (f) of Regulation (EU) 2016/679 (“legitimate interest”) where this has been stated above. The provider no longer processes the personal data after an objection, unless it can prove compelling reasons for the processing that outweigh the interests, rights and freedoms of the person concerned, or the processing serves the assertion, exercise or defence of legal claims. You may exercise your right of objection with the provider by using the contact form below (note that the data protection notices for web pages apply). Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.4 Right to deletion (“right to be forgotten”)

The person concerned, in particular a user, has the right to require the provider to immediately delete personal data concerning him, and the provider is obligated to delete personal data immediately, provided that one of the following reasons applies:

    • The personal data are no longer necessary for the purposes for which they were collected or processed in any other way.
    • The person concerned revokes the consent on which the processing was based and there is no other legal basis for processing.
    • The person concerned objects to the processing in accordance with the foregoing and there are no overriding reasons for the processing, or the person concerned objects to the processing for the purposes of direct marketing.
    • The personal data has been processed in an unlawful form.
    • The deletion of personal data is necessary for the fulfilment of a legal obligation under union law or the law of the Member States of the European Union to which the person responsible is subject.
    • The personal data were collected in relation to information society services provided in accordance with article 8 (1) of Regulation (EU) 2016/679.

You can exercise your right to deletion (“right to be forgotten”) with the provider by using the contact form below (note that the data protection notices for web pages apply). Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.5 Right to restrict processing

The person concerned, in particular the user, has the right to require the provider to restrict the processing if one of the following conditions is met:

    • The correctness of the personal data is disputed by the person concerned; the restriction of processing is then made for a duration which allows the provider to verify the accuracy of the personal data,
    • The processing is unlawful and the person concerned refuses the deletion of the personal data and instead requests the restriction of the use of personal data; the legal basis for the further processing is then Article 18 (1) (b) in conjunction with Article 6 (1) (a) of Regulation (EU) 2016/679,
    • The provider no longer requires the personal data for the purposes of processing, but the person concerned needs it to assert, exercise or defend legal claims or
    • The person concerned has objected to the processing of data used for other purposes than direct marketing, and it is not yet determined whether the legitimate reasons of the provider outweigh those of the person concerned.

If the processing has been restricted in these cases, such personal data may, apart from its storage, only be processed with the consent of the data subject, or for the assertion, exercise or defence of legal claims, or for the protection of the rights of another natural or legal person, or for reasons of an important public interest of the European Union or a Member State.

You may exercise your right to restrict the processing with the provider by using the contact form below (note that the privacy notices for web pages apply). Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.6 Right to data transferability

The person concerned, in particular the user, has the right to receive the personal data relating to him which he has provided to the provider in a structured, common and machine-readable format, and has the right to transmit that data to another person responsible without any hindrance by the provider, provided that the processing is based on consent pursuant to Article 6 (1) (a) or Article 9 (2) (a) of Regulation (EU) 2016/679 or on a contract pursuant to Article 6 (1) (b) of Regulation (EU) 2016/679, and the processing is carried out using automated procedures. In exercising this right of data transferability, the person concerned has the right to obtain that the personal data are transmitted directly by the provider to another person responsible, as far as this is technically feasible. The exercise of this right to transfer data does not affect the right to deletion. It must not affect the rights and freedoms of other persons.

You may exercise your right to data transferability with the provider by using the contact form below (note that the data protection notices for web pages apply). Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.7 Right to revoke consent at any time

The person concerned has the right to revoke their consent to data processing at any time. The revocation of the consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.

You can revoke your consent with the provider by using the contact form below (note that the data protection notices for web pages apply). Any other means of contact, preferably in text form, such as e-mail or letter mail, can of course also be used.

6.8 Right of appeal to a supervisory authority

All persons have a right to complain to a supervisory authority.

7 Contact Form

    Our data protection notices apply to contacting us, in particular numbers 3.2 and 5 there. You do not have to use your real name and do not have to provide any contact details, including an e-mail address, in order to get in touch with us. If you do not give your name, we may not be able to identify you or address you correctly. If you do not give us any contact details, in particular an e-mail address, we cannot reply to you and cannot clarify any queries, which may mean that we cannot fully address your request. If you do not state your request in the subject field or the message field, we cannot address your request. The provision of the contact form does not prevent you from using other ways to contact us.