Version of 22 January 2019
- Certificate Verification Service,
- E-mail correspondence and
- interactive platform
there are additional privacy statements that can be reached by clicking on the respective name of the functionality in the list above.
The legal bases of data collection and use can be found in Regulation (EU) 2016/679, the Federal Data Protection Act (BDSG), and the Telemedia Act (TMG) and will be specified in more detail below.
2 Name and contact details of the responsible person
Within the meaning of data protection laws, the responsible person for the collection and use of personal data in the operation of the offer is, as far as below other responsible persons and their role are not indicated, Ina Pförtner, Schöneberger road 12, 12163 Berlin, Germany, E-Mail Administrator @ ina-pfoertner. de. This person will be referred to hereinafter as the “provider”.
3 Purposes of processing, legal basis, legitimate interests, recipients
3.1 Access data, server log files, distribution of content
3.1.1 Server log files
The provider as well as on his behalf his webspace provider, the 1 & 1 IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany, telephone +49 721 96 00, collect data on each access to the offer (so-called server log files). Access data includes:
- Name of the retrieved website,
- retrieved file,
- Date and time of the call,
- transferred amount of data,
- Message about a successful call,
- Message about a faulty call,
- Browser type and version,
- the operating system of the user,
- Referrer URL (the previously visited page),
- IP address and
- the requesting provider.
The provider collects access data for evaluations for the purpose of operation, security, and optimization of the offer. The legal basis for using the services of 1 & 1 IONOS SE as processor is Article 28 of Regulation (EU) 2016/679 in conjunction with the corresponding contract concluded with 1 & 1 IONOS SE. The legal basis for the processing is Article 6 (1), first sentence, point (f) of Regulation (EU) 2016/679. The legitimate interest lies in the optimization of the offer, for example, by requesting appropriate computing power from the provider. This is done on the basis of statistical data obtained from the collected data. Another legitimate interest is to know from which pages the users access the offer through links or search results, because conclusions can be drawn for the optimal further design of the offer. In addition, there is an increased need to secure the offer against harmful attacks by third parties. The suppression of such attacks can take place, for example, through the contacting of so-called abuse sites of the providers whose customers trigger attacks by using the infrastructure of these providers. However, the involvement of government agencies, such as IT security authorities and law enforcement authorities, may also serve the purpose. These entities who organize attack defense require the presentation of meaningful log files which contain some of the above data.
The data collected accordingly are exchanged between the provider and the aforementioned web space provider for the aforementioned purposes. If necessary, the provider can also evaluate safety-relevant uses and transmit the relevant data to the authorities responsible for prosecution and IT security. In addition to the aforementioned providers and authorities, these also include bodies involved in the enforcement of civil law claims (especially courts and lawyers). In particular, transmission to the said providers, authorities and other entities shall take place when statistics and evaluations, in particular those compiled by security software, or other facts justify the assumption that accumulated or particularly serious unauthorized uses attributable to a source took place.
A transfer to a third country or an international organization that is not based on an adequacy decision under Article 45 (3) of Regulation (EU) 2016/679 would only take place in exceptional cases in consultation with the competent data protection authority.
The access data will be deleted after nine weeks, unless they have to be maintained exceptionally because of a continuing legitimate interest, such as to secure evidence. In this case, they will be deleted if the legitimate interest in keeping them ceases.
3.1.2 Use of the distribution service CloudFlare
The information transmitted between the user’s browser and the offer during the transfer of information will be transmitted on behalf of the provider through the network of CloudFlare, Inc., 665 3rd St. # 200, San Francisco, CA 94107, United States of America. This data includes all content that users provide to the provider through the interface of the offer, such as comments entered and sent, their IP address and operating system, and the browser software used. CloudFlare offers a worldwide distributed Content Delivery Network with DNS. The purpose of the described use of the data is the use of this network. CloudFlare is thus able to analyze the traffic between users and the websites of the provider, for example, to detect and ward off attacks on the services of the provider. In addition, CloudFlare may store cookies for optimization and analysis (see the explanation below about cookies) on the user’s computer.
The purpose of this processing of data is the provision of faster and more reliable transmissions of web content of the offer to users, in particular with shorter load times, and an improvement of the security of the offer, in particular by the fact that CloudFlare recognizes attacks. The legal basis for using the services of CloudFlare as a processor is Article 28 of Regulation (EU) 2016/679 in conjunction with the corresponding contract concluded with CloudFlare. The legal basis for the processing is Article 6 (1), first sentence, point (f) of Regulation (EU) 2016/679. The justified interest lies in the achievement of the stated purpose of the data processing (fast delivery of the content, security).
It is therefore the intention of the provider to transfer the personal data mentioned to a third country, namely the United States of America. An adequacy decision by the European Commission is in force, the scope of which includes the intended transmission to CloudFlare.
The data will be deleted if the purpose of its processing is fulfilled and CloudFlare no longer has any further legitimate interest in its storage.
3.1.3 Delivery of AMP content
The provider also distributes some of his content as Accelerated Mobile Pages (AMP). It may therefore happen that, for example, after a Google search with their smartphone, users read content from the provider on the Internet, and such content is not provided from the servers of the provider. Instead, the pages might be delivered directly from the third-party cache, such as the third party cache Google uses. Users may notice this by discovering that the URL from which they have called the specific page does not reflect the domain name of the provider (ie its Internet addresses), but instead, for example, the domain name of Google. Google will not change the source code of the site of the provider. The provider has not commissioned such handling by Google and is therefore not responsible for any data protection issues involved in it.
When contacting the provider (for example, by contact form or e-mail), details concerning the user are collected and stored. In addition to the contents of the message, technical data such as the transmission path, communication paths involved in the transmission, and IP addresses are also automatically transmitted and stored. Such data is processed to check whether the provider will respond to the message and, if necessary, to develop and send a response. The legal basis for the processing is Article 6 (1), first sentence, point (f) of Regulation (EU) 2016/679. The legitimate lies in enabling the provider to process the request, as well as, in the event that follow-up questions, to take the possibility of recourse to the original request. If a dialogue has emerged, the provider can store the relevant communication in the same manner as he is entitled to store correspondence on paper, for example, with penpals or business partners. The deletion takes place at the latest after eleven years.
3.4 Integration of services and content of third parties
It may happen that content from third parties, such as videos from YouTube, maps from Google Maps, RSS feeds or graphics from other websites are included in this online offer. This always presupposes that the providers of this content (hereinafter referred to as “third party provider”) perceive the IP address of the users. Because without the IP address they could not send the contents to the browser of the respective user. The knowledge of the IP address is thus required for the presentation of this content. We endeavor to use only those content whose respective providers use the IP address only for the delivery of the content. However, we have no influence on it, if the third party providers store the IP address for statistical purposes, for example. As far as we know, we will inform users about it. In this case, the data-gathering and thus responsible body is not us but the third-party providers concerned.
3.5. Google Analytics
This offer partly uses Google Analytics, a web analytics service provided by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (“Google”). To this end, the operator has signed a contract with Google for ordered data processing. Google Analytics uses so-called “cookies”, text files that are stored on the computer of a user, and allow an evaluation of the use of the pages by users. The information generated by the cookie about the use of these pages by the users are usually transmitted to a large computer (server) of Google, and stored there.
The purpose of Google’s collection and processing of data on behalf of the provider is to use this information transmitted to evaluate users’ use of the website to compile anonymous reports on website activity, in order to draw conclusions for the optimal further design of the website, and to provide other services related to website activity and internet usage to the provider.
To achieve this purpose, the following information is collected by Google Analytics on behalf of the provider using the data collected:
- Data to distinguish individual users from others’ offers, in order to differentiate first time from repeat visits,
- Number and time of previous uses of the offer,
- Origin of use, ie in particular, via which links or search terms users have found to offer and
- Start and end time of use.
For this purpose, Google also processes the fact that the domain of the provider is concerned.
A so-called IP anonymization is activated. This means that the IP address of the users of Google (within member states of the European Union or other parties to the Agreement on the European Economic Area) will be shortened before being stored by Google. Only in exceptional cases, the full IP address will be sent to a Google server and shortened there. The IP address submitted by the browser within the context of the use of Google Analytics will not be merged with any other data provided to Google.
The legal basis for using Google’s services as a processor is Article 28 of Regulation (EU) 2016/679 in conjunction with the corresponding processing contract with Google. The legal basis for the processing is Article 6 (1), first sentence, point (f) of Regulation (EU) 2016/679. The legitimate interest lies in the achievement of the stated purpose of data processing (anonymous usage statistics and reporting), and in drawing conclusions for the optimal further design of the offer.
It is the intent of the provider to transfer the personal data in question to a third country, namely the United States of America. An adequacy decision by the European Commission is in force, that covers the intended transfer by Google.
By using cookies, the pseudonymous content of which is sent to Google with each page view of the offer, and which are stored on the computer of the user, data is stored as follows: One cookie is used to distinguish the users and sessions. This cookie will be active for two years. Another cookie is active for 10 minutes and is used for preventing excessive bandwidth usage for analysis. Another cookie remains active for 30 minutes and is used to identify a new session or a new visit to the offer. Yet another cookie, which remains active for six months, is used to determine the way how the user arrived at the offer.
Users can prevent cookies from being stored by setting their browser software accordingly. Users may also prevent the collection by Google of the data generated by the cookie and related to its use of the website (including its IP address) and the processing of such data by Google by downloading the browser plug-in available at the following link and install: http://tools.google.com/dlpage/gaoptout?hl=en.
User- and event-level data that is stored with cookies, user IDs and advertising IDs (e.g. DoubleClick cookies, IDFA, Android Advertising ID) are stored for 14 months. Once a month, data that reaches the end of the retention period is automatically deleted. The retention period of the UserID will not be reset on every new event that is triggered by an individual user.
For more information about Google’s use of the Google data, hiring and opt-out options, please visit Google’s websites: https://www.google.com/intl/en/policies/privacy/partners/ (“Google’s use of your data when you use Our Partners’ Websites or Apps “), http://www.google.com/policies/technologies/ads (” Use of Data for Advertising “), http://www.google.com/settings/ads (” Managing Information, that Google uses to show you ads “) and http://www.google.com/ads/preferences/ (” Determine which ads Google shows you “).
According to information provided by Google, AMP pages are always processed by Google Analytics using anonymised IP addresses, and opt-outs are always observed via browser add-ons or cookies.
The provider also uses Google Analytics to analyze data from AdWords and the double-click cookie for statistical purposes. These cookies remain active for 24 hours. If users do not want this usage, they can opt out via the Ads Preferences Manager (https://adssettings.google.com/authenticated?hl=en).
3.5.2 Cross-Device Usage of Audience Data Based on Prior Approval of a Device User with Google Account Enabled
If a user has consented to Google in linking Google’s web and app browsing history to their Google Account and using information from their Google Account to personalize ads they see on the web, Google will use the data of a user logged in to Google along with Google Analytics data to create and define cross-remarketing audience lists (see below). The same applies if users use a device on which a Google Account is enabled, if such device is assigned to this account during use, and if someone (for example, a family member using the same device as the user) uses this device while logged into that account. Google Analytics will track Google-authenticated IDs of these users to support the tracking feature described. Person-related information held by Google is then temporarily linked to the Google Analytics data generated when you visit this site to create audiences.
“Remarketing” means that visitors or customers of one website are specifically addressed on other websites by content-related advertising on such other websites, based on which websites have previously been used by the user as a visitor or customer. For example, users who read numerous articles about cars might also get ads for cars on a site the subject of which is carpets. Remarketing works device-independent, regardless of which device and viewer (browser) a user who is logged into his or her Google Account uses, because the uses are stored in the database of the Google Account of the logged-in user and not (only) on the device or browser currently used.
The purpose of the data collection is thus the more targeted delivery of ads, which are probably of relevance for the individual user of the offer (personalized ads). This makes it possible to achieve higher ad revenue with fewer, but more appropriate ads than by neglecting personalization. In the end, there are fewer ads provided on websites, which are then optically more focused on the actual content than otherwise. Thus, irrespective of the user’s consent to Google, the provider has a legitimate interest in collecting and processing data, which is why Article 6 (1), first sentence, (f) of Regulation (EU) 2016/679 forms the legal basis for such data processing.
3.6 Google reCAPTCHA
The data necessary for the provision of the reCAPTCHA service are therefore collected in Google’s own responsibility to the user, and the provider of this website only grants access to that third-party application, and, thus, does not transmit any data to Google on own accord.
3.7 Google Fonts
When pages from from the offer are called and retrieved, fonts may be downloaded from the company Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, with respect to users maintaining their habitual residence outside the European Economic Area and Switzerland, and of Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland, with respect to users maintaining their habitual residence in the European Economic Area or Switzerland (“Google”) (cf. the page https://www.google.com/webfonts/). Google Webfonts are transferred to the cache of your browser to avoid multiple loading. If the browser does not support or prevents access to Google Webfonts, content is displayed in a standard font. To download the Google Webfonts, your browser transfers to Google the IP address which you use the Internet from, so that the fonts can be delivered there. The information which of our web pages you have visited will also be transferred to the server operated by Google. Again, Google collect the necessary data on their own responsibility, and the provider of this offer only initiates this retrieval of data by the device that you use. In this context, the provider (Ina Pförtner) does not transmit any data to Google on own accord.
4 Obligation to provide data and consequences of non-provision
The provision of the personal data mentioned is neither legally nor contractually required and also not required for entering into any transaction. Non-provisioning may have the following consequences:
- Not providing the locator of the retrieved web page when the page is called: The user can not access the page because the system can not determine which page should be transmitted.
- Failure to provide the name of the retrieved file: The user can not retrieve the file because the system can not determine which file to submit.
- Non-provisioning of the browser type and version: Because the provisioning of pages is adapted to these technical specifications, it can lead to a false or less appealing representation of the retrieved data in the browser.
- Non-provision of the user’s operating system: no consequences for the user.
- Not providing the referrer URL (ie the name of the previously visited page): no consequences for the user.
- Failure to provide the IP address: The user can not access the page or retrieve the file because the system can not determine where the data should be sent to.
- Failure to provide the name, e-mail address, IP address or message content when using the contact form: the message cannot be sent without providing the contents marked as mandatory in the form.
- Not providing the contents of cookie files: The pages will be displayed, but some functions may not work or may not work as desired or optimal; this concerns in particular the graphical quality of the presentation of the contents or the functionality of successive pages to be built up.
5 The existence of automated decision-making
An automatic decision-making process is related to entries in contact forms. An automated filtering system will check received messages for identifying typical features of spam (unwanted mass automated content with advertising or other inappropriate subjects). The corresponding filter techniques are explained here. The scope of the use of the system and the intended effects for the data subject are that the data subject could be prevented from starting or continuing a communication via the contact form, and that this fact and the information provided using the contact form (user input, IP Address) may be used for future automated decision making in the context of allowing individual messages to be submitted via the contact form. By blocking the use of the contact form following the automated classification of the contact attempt as spam, the opportunity to use this contact function and thus the transmission of the message via the contact form would be omitted. This does not affect any contact through other means, such as e-mail or postal mail. So, in any case, the possibility to contact the provider would never cease to exist.
6 Rights of the persons concerned (users)
Users have some rights under Regulation (EU) 2016/679 with regard to personal data collected, as set out below in further detail. You can exercise your rights by using the contact form below. Any other, preferably textual contact, such as e-mail or mail, of course, can also be used.
6.1 Right to information
6.2 Right to rectification
The data subject, in particular a user, has the right to demand from the provider, without delay, the correction of inaccurate personal data concerning him- or herself. In addition, the data subject has the right to request the completion of incomplete personal data, including by means of a supplementary statement; however, when examining and implementing the request, account must be taken of the purposes of the processing. There is therefore no right to supplement data with other data which are not necessary for the overall data handling processes and therefore would not be collected from the outset.
6.3 Right to object
The data subject has the right, at any time, to object to the processing of personal data relating to him or her under Article 6 (1) sentence 1 (e) or (f) of Regulation (EU) 2016/679 for reasons arising from his or her particular situation ; this also applies to profiling based on these provisions. However, the provider does not process data on the basis of Article 6 (1) sentence 1 (e), but only on the basis of Article 6 (1) sentence 1 (f) of Regulation (EU) 2016/679 (“legitimate interest”), where indicated above. The provider will no longer processes the relevant personal data in the event of an objection, unless the provider can demonstrate compelling legitimate reasons for processing that outweigh the interests, rights and freedoms of the data subject, or as far as the processing serves the assertion, exercise or defense of legal claims . When personal data are processed to operate direct marketing, the data subject has the right to object at any time to the processing of personal data concerning him or her for the purposes of such advertising; this also applies to profiling insofar as it is associated with such direct marketing. If the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for these purposes. Without derogation from of Directive 2002/58 / EC, and in relation to the use of information society services, including this offer, the data subject can exercise his right to object through automated procedures using technical specifications. For example, users can manage the use of many corporate ad cookies through the US website http://www.aboutads.info/choices/ or the EU website http://www.youronlinechoices.com to exercise their right of objection.
6.4 Right to deletion (“Right to be forgotten”)
The data subject, and in particular a user, has the right to require the provider to immediately delete personal data concerning him or her, and the provider is obliged to delete personal data immediately, if one of the following applies:
- The personal data are no longer necessary for the purposes for which they were collected or otherwise processed.
- The data subject withdraws the consent on which the processing was based, and further processing lacks any other legal basis.
- The data subject objects to the processing in accordance with the above, there are no legitimate grounds for processing, or the data subject objects to processing for direct marketing purposes.
- The personal data were processed unlawfully.
- The deletion of personal data is required to fulfill a legal obligation under Union or national law of the Member States of the European Union to which the person responsible is subject.
- The personal data were collected in relation to information society services offered in accordance with Article 8 (1) of Regulation (EU) 2016/679.
6.5 Right to restriction of processing
The data subject, in particular the user, has the right to require the provider to restrict processing if one of the following conditions is met:
- The accuracy of the personal data is disputed by the data subject; the restriction of processing then takes place for a period of time which allows the provider to verify the accuracy of the personal data,
- the processing is unlawful and the data subject refuses to delete the personal data and instead requests the restriction of the use of the personal data. The legal basis for the continued processing is then formed by Article 18 (1) (b) in conjunction with Article 6 (1) sentence 1 (a) of Regulation (EU) 2016/679.
- the provider no longer needs the personal data for the purposes of the processing, but the data subject requires them to assert, exercise or defend legal claims or
- the data subject has objected to the processing of data used for purposes other than direct marketing, and it is not yet clear whether the legitimate reasons of the provider prevail over those of the data subject.
If the processing has been restricted in such cases, these personal data may only be stored with the consent of the data subject or for the purpose of asserting, exercising or defending legal claims or protecting the rights of another natural or legal person or for important reasons of public interest of the European Union or of a Member State.
6.6 Data transferability
The data subject, and in particular the user, has the right to receive the personal data relating to him or her which have been provided to the provider in a structured, common, and machine-readable format and has the right to transfer that information to another person without hindrance by the provider, provided that the processing is based on a consent pursuant to Article 6 (1) sentence 1 (a) or Article 9 (2) (a) of Regulation (EU) 2016/679 or a contract pursuant to Article 6 (1) sentence 1 (b) of Regulation (EU) 2016/679, and the data are processed using automated procedures. In exercising this right to data portability, the data subject has the right that the personal data are transmitted directly from the provider to another party, where technically feasible. The exercise of this right to transfer data is without prejudice to the right of cancellation. It must not affect the rights and freedoms of others.
6.7 Right to revoke a consent at any time
The data subject has the right to revoke his or her consent to data processing at any time. The revocation of consent does not affect the legality of the processing carried out on the basis of the consent until the revocation.
6.8 Right to complain to a supervisory authority
All persons have a right to complain to a supervisory authority.
7 Information for customers in Australia
If you are a user who lives in Australia, this Section applies to you. We are subject to the operation of the Privacy Act 1988 (“Australian Privacy Act”). Here are the specific points you should be aware of:
Where we say we assume an obligation about Personal Information, we are also requiring our subcontractors to undertake a similar obligation, where relevant.
We will not use or disclose Personal Information for the purpose of our direct marketing to you unless: you have consented to receive direct marketing; you would reasonably expect us to use your personal details for the marketing; or we believe you may be interested in the material but it is impractical for us to obtain your consent. You may opt out of any marketing materials we send to you through an unsubscribe mechanism or by contacting us directly. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as “direct marketing” under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account.
Our servers are primarily located in Germany. In addition, we or our subcontractors, may use cloud technology to store or process Personal Information, which may result in storage of data outside Australia. It is not practicable for us to specify in advance which country will have jurisdiction over this type of off-shore activity. All of our subcontractors, however, are required to comply with the Australian Privacy Act in relation to the transfer or storage of Personal Information overseas.
If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request.
If you are unsatisfied with our response to a privacy matter then you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.
8 Information for customers in California
Under California Law, California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories of Personal Information, such as name, email and mailing address and the type of services provided to the customer, that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes and (b) the names and addresses of all such third parties. To request the above information, please contact us through our contact form or email.